Personal data is information relating to an identifiable living
individual. Whenever personal data is processed, collected, recorded, stored or disposed of it must be done
within the terms of the General Data Protection Regulation (GDPR).
Data must be collected under one of six lawful reasons:
- Consent: the individual has given consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone's
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party.
As a normal part of our activities, StuntRocket Ltd has to keep personal data. The
data we collect is limited to:
- Data relating to the contracts and projects we undertake with our customers.
This data will be held and processed in accordance with the requirements of the
The information we hold on our customers will be collected under the following
- Contract: information necessary for us to identify a suitable temporary or
permanent employment contract to be formed such as name, address, contact telephone numbers, qualifications.
- Legal obligations: information necessary to comply with legislation, for
example for immigration, payroll and HMRC records.
How we will do it:
When requesting data we will ensure we are compliant with the GDPR, and we
undertake the following principles:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for necessary and lawful purposes and shall not be further processed
in any manner incompatible with that purpose.
- Where we want to process your data for a reason not falling under a necessary and lawful purpose, we will
seek your consent for the processing of your data.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and, where necessary and appropriate, kept up to date.
- Personal data processed for any purpose shall not be kept for longer than is necessary for the purpose it
- We shall take appropriate measures against unauthorised or unlawful processing of personal data, and
against accidental loss or destruction of, or damage to, personal data. This might include disciplinary action
if the breach was internal.
- Individuals have the right to be informed about the collection and use of their personal data and so we
will provide details of why we are collecting the data, how long we need to keep it, and who we will share it
with. This information will be given to the individual when we ask for the personal data.
- If we change the use of your personal data we will let you know beforehand.
Whilst we will apply the same principles to all data, we have defined procedures
on how we deal with the data according to the reason we need to have / use it. We will therefore identify:
- What we need the data for.
- What data we actually need.
- How we will use it.
- How we will keep it safe.
- Who it needs to be shared with.
- How long we must keep it.
- How we will destroy it once it is no longer lawful or necessary to keep it.
In collecting and processing data, we will consider and comply with the following
- The right to be informed - we will provide you with 'privacy information'. This will include our purposes
for processing your personal data, our retention periods for that personal data, and who it will be shared
- The right of access - access to your personal data so that you are aware of and can verify the lawfulness
of the processing.
- The right to rectification - a right for you to have inaccurate personal data rectified, or completed if it
- The right to erasure - also known as the 'right to be forgotten', this gives you the right to have your
data erased (where circumstances allow).
- The right to restrict processing - gives individuals the right to restrict the processing of their personal
data (in certain circumstances).
- The right to data portability - allows individuals to obtain and reuse their personal data for their own
purposes across different services, allowing data to be moved, copied or transferred easily from one IT
environment to another in a safe and secure way.
- The right to object - a right for you to object to certain processing and marketing.
- Rights in relation to automated decision making and profiling.
Subject Access Request (SAR)
All customers are entitled to ask for, in writing, what information on them the
company holds, and ask to see it (subject access request).
The Management (or any other nominated 'Data Controller') will usually provide the
information without delay and in any case within 28 days. If the request or data is complex and we cannot do
this within that timescale then we will advise you in writing as to the reason for the delay and provide the
information not later than a further 2 months in duration.
Customers may challenge the accuracy of the information and also update
information where it is found to be incorrect.
We will not usually charge you for any information; however, we may charge a
"reasonable fee" based on the actual administrative cost of providing you with the information where your
request is 'manifestly unfounded, excessive or repetitive'.
Where our employees collect, process or use personal information about our
customers they must follow these guidelines:
- Our procedures must be followed.
- Proposals to collect or use personal data in a new way should always be discussed with management before
- Any personal data that they hold is kept securely i.e. so that access is restricted to those authorised and
is protected from loss or damage - this means by physical means such as a locked office or filing cabinet and
by electronic means such as computer passwords and access systems.
- Personal information must not be disclosed to any unauthorised third party. Great care must be taken not to
discuss such information face-to-face or over the telephone nor to disclose information in writing or in other
ways such as via email.
- Personal information should be collected or used with the approval of the subject. In many cases this is
obtained through general consent but in the case of sensitive data such as information concerning health or
race, express consent must be obtained to use the data.
Destroying data (the right to be forgotten)
We will always keep track of where any data has been shared or stored (or made
public) enabling us to destroy that data effectively when it is no longer appropriate to keep.
We will only share data with suitable, trustworthy and necessary persons or
When a request is made to destroy data, or that data is no longer valid to keep,
we will ensure it is destroyed from all the places it was shared. We will advise any third party that had
access to that data to also destroy it.
This will apply to all forms of data including electronic data.
We will only share data with other persons who also have a legitimate reason for
requiring that data. In sharing data we will ensure that the person(s) / organisations requiring the data can
also provide details to us on:
- What they need the data for.
- The extent of the data they need.
- How they will use it.
- How they will keep it safe.
- That they will not further share it.
- How they will destroy it once it is no longer lawful or necessary to keep it.
Controlling the Data
We have appointed a Data Controller. This person
determines the purposes for which, and the manner in which, any personal data is to be processed. This person
within our organisation is: Daniel Harding. He may take advice and support from any professional person or
organisation in fulfilling his duties in this role.
Currently our processing of data does not warrant the appointment of a Data
Information Notice For Customers
Under the new General Data Protection Regulation (GDPR) you (our customer) are entitled to be informed about
the processing of personal data we request from you, hold on you, use or need to share. The following is
intended as a full explanation to satisfy this requirement.
Document updated: 10th June 2018