Privacy Policy

Data Protection Consulting Limited Privacy Notice

Data Protection Consulting Limited is a UK based company.  You can contact our business and our Data Protection Specialist at 28, Hawthorne Avenue, Willerby, Hull, HU10 2JQ and at

We provide data protection consulting services to other businesses and our activities include communication with clients’ human representatives to facilitate the provision of services and relationship management.  This is processing necessary to fulfil a contract with the client and it is in our legitimate business interests to build a relationship with client representatives.   For this purpose we have records of representatives’ name and work contact details, job title, and employer’s name; basically the information you might provide to us on a business card.  In fact, you are the most likely source of this information although we might receive information about your colleagues from your “out of office” email response.

Most of this information is in Microsoft Exchange and we routinely hold emails for 12 months minimum, so we might have records going back a maximum of 18 months.  Where client representatives are named in documents, we retain these for the duration of the contract with the client and for six years thereafter.  Information held in invoices (contact name and work email address) is retained for seven years for tax purposes in a hosted accounting system, Xero.

Where Xero transfers personal data outside of the EEA, it only transfers to countries that have been identified as providing adequate protection or by entering into agreements using the EU Model Clauses.  See Xero’s privacy notice here

Information in our accounting records will be shared with HMRC, the courts and our accountants as necessary to meet our legal obligations.

Use of personal data for marketing

We undertake some limited marketing activity.  We may take a stand at an exhibition or conference to promote our products and services and to obtain consent to receive our newsletter.  Our newsletters are mainly editorial with information about how we might be able to help clients with data protection compliance. Marketing is in our legitimate business interests to promote and sell our products and services.  We have records of the client or prospect name, the individual’s job title, name and work contact details, and in future for our newsletter we will obtain a double opt-in.  we know that we have consent to send our newsletter but, under data protection legislation, we need to be able to demonstrate that consent.  We use a third party, iContact, to store email addresses and send out our newsletters.  iContact maintains data that is provided by us called “Customer Message Recipient Data” including name and email address which may also reveal the company where you work.  We use this information to send you our newsletter and we use the statistics generated by you opening and reading messages to check out which articles are most read and, by inference, most useful.  iContact holds data in the US and subscribes to the Privacy Shield Framework.  You can read their privacy policy here:

We hold some of this information in Microsoft Exchange and we routinely hold emails for 12 months minimum, so we might have records going back a maximum of 18 months.   If we receive a request to unsubscribe from our newsletter we action that request before the next mailing but the hosted system we use retains the email address to ensure that we don’t accidentally add you back onto the mailing list. Rejected newsletters may be followed up with an email from us and the email address is unsubscribed after three bounces.  The newsletter is sent either from our own website or using a third party service provider, icontact, a UK based company.

Our online training data capture

Users of our online training are required to create an account by registering, creating a log-in and supplying some basic details.  This information is required to provide access to the training and provide a record to evidence that the training has been completed.  The processing is necessary to fulfil a contract with the trainee or his or her employer.  Where the contract is with the employer, it is in our legitimate business interests to hold the record and share it with the employer on request to evidence fulfilment of the contract.

The online training record consists of the following details of trainees: full name, email address, business geographic address, date of registration, progress showing completed elements of the course and dates, whether the course was “passed” and the overall grade.  This information is held for a period of 24 months and then it is deleted.

Acting as a data processor

Providing advice and consulting services to clients we are a data controller.  Occasionally we may be asked to act on client instructions as a data processor to assist in responding to a subject access request they have received.


Our website is an advertisement for our products and services and you have the facility to make purchases online.  We use the data that you provide for marketing purposes to promote and sell our products.  Some of the data we collect is derived from information about your activities on our website provided to us by Google Analytics as described below.

Payments for products are collected via Paypal and we hold no record of payment card details.  We hold name, email address, geographic address and details of the transaction as necessary to fulfil the contract between ourselves and our customer.  This information is stored in the UK and retained for seven years to meet HMRC requirements.

Google services

The insights provided by Google Analytics help us to better understand who our users are and to understand the factors that influence whether a user will make a purchase or not.

The kind of information that Google provides to us includes:

  • traffic source data or information about where website users originate whether it is organic traffic, paid search traffic, or display traffic.
  • content data or information about your behaviour on our website including the URLs of pages that you look at, and how you interact with page content.

Due to the nature of the Google Analytics service, the information we are provided by Google is also used by that company to inform its services to us and other business users.

We do not share our marketing data except as described with Google and that is restricted to data derived from your use of our website.  Note also that Google is located in the US and records will be held there however Google publicly promotes the fact that it subscribes to Privacy Shield in the US which provides data protection similar to our European laws.

All of our marketing activity, including Google services is undertaken in our legitimate business interests in promoting and selling our products.


When you visit our website we place a tracking pixel on your browser.  This allows us to follow up your interest by showing you an advertisement if and when you visit Facebook.  It is known as a “follow-me” advertisement.  This is a non-essential cookie that will not be used unless you consented to the use of non-essential cookies on our website.

Your data protection rights

You have the right to ask for a copy of the personal data we hold that relates to you.  If you think that information about you which we hold is incorrect or misleading you have the right to have the information corrected provided you can demonstrate that it is incorrect.  You can also request the erasure of personal data relating to you in certain circumstances, where we do not require it to meet a legal obligation.  You can also request or restriction of processing so that your records are maintained beyond our usual retention period.  You have the right to object to processing on the grounds that it causes you damage or distress and the right to take away a copy of your personal data in electronic format in certain circumstances.

If you are unhappy about the way we use your personal data or the way in which we respond to your request to exercise your data protection rights, you can contact the Data Protection Specialist at 28, Hawthorne Avenue, Willerby, Hull, HU10 2JQ but you also have the right to lodge a complaint with a supervisory authority, the Information Commissioner at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.