Introduction:
This Policy outlines the responsibilities of Technical Professionals Limited (“the Company”) concerning data protection and the rights of individuals, including clients, candidates, and suppliers (“data subjects”), in relation to their personal data under the General Data Protection Regulation (“the Regulation”).
According to the Regulation, “personal data” refers to any information that pertains to an identified or identifiable natural person (a data subject). An identifiable natural person is someone who can be directly or indirectly identified through an identifier such as a name, identification number, location data, online identifier, or other factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
This Policy establishes the necessary procedures for handling personal data. It applies to all employees, agents, contractors, or other parties working on behalf of the Company, who must adhere to the principles and procedures outlined herein.
The Company is dedicated not only to complying with the law but also to upholding its spirit. It places great importance on the proper, lawful, and equitable treatment of all personal data, while respecting the legal rights, privacy, and trust of every individual it interacts with.
Data Protection Principles:
The purpose of this Policy is to ensure conformity with the Regulation. The Regulation sets forth the following principles that any entity handling personal data must adhere to. All personal data must be:
Processed lawfully, fairly, and transparently in relation to the data subject.
Collected for specific, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes. However, further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes does not contradict the initial purposes.
Adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Accurate, and when necessary, kept up to date. Reasonable measures should be taken to promptly rectify or erase inaccurate personal data, considering the purposes for which it is processed.
Retained in a form that allows the identification of data subjects only for the necessary duration required for the purposes for which the personal data is processed. Personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. In such cases, appropriate technical and organizational measures mandated by the Regulation must be implemented to safeguard the rights and freedoms of the data subject.
Processed in a manner that ensures adequate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. This entails utilizing suitable technical or organizational measures.
Lawful, Fair, and Transparent Data Processing:
The Regulation strives to ensure that personal data is processed in a lawful, fair, and transparent manner, while safeguarding the rights of the data subject. According to the Regulation, the processing of personal data is considered lawful if at least one of the following conditions is met:
The data subject has given explicit consent for the processing of their personal data for one or more specific purposes.
The processing is necessary for the performance of a contract in which the data subject is involved or to take steps at the data subject’s request before entering into a contract.
The processing is necessary to comply with a legal obligation imposed on the data controller.
The processing is necessary to protect the vital interests of the data subject or another individual.
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
The processing is necessary for the legitimate interests pursued by the data controller or a third party, except when overridden by the fundamental rights and freedoms of the data subject, particularly if the data subject is a child.
Processed for Specified, Explicit, and Legitimate Purposes:
The Company collects and processes personal data as outlined in Part 21 of this Policy. This may include personal data obtained directly from data subjects (such as contact details provided during communication) or received from third parties (such as job boards, CV databases, websites, etc.).
The Company only processes personal data for the specific purposes stated in Part 21 of this Policy (or for other purposes expressly permitted by the Regulation). Data subjects will be informed of the purposes for which their personal data is processed at the time of collection if obtained directly from them, or within a reasonable timeframe (not exceeding one calendar month) if obtained from a third party.
Adequate, Relevant, and Limited Data Processing:
The Company ensures that personal data is collected and processed only to the extent necessary for the specific purpose(s) communicated to data subjects, as mentioned in Part 4 above.
Accuracy of Data and Keeping Data Up To Date:
The Company is responsible for ensuring the accuracy and currency of all collected and processed personal data. Data accuracy shall be verified during collection and periodically thereafter. If any inaccurate or outdated data is identified, appropriate steps will be taken promptly to rectify or erase the data.
Timely Processing:
Personal data shall not be retained for longer than necessary, considering the original purposes for which it was collected and processed. When the data is no longer required, it will be promptly erased following reasonable procedures.
Secure Processing:
The Company guarantees the security and protection of all collected and processed personal data, preventing unauthorized or unlawful processing, as well as accidental loss, destruction, or damage. Detailed information about the data protection measures and organizational safeguards can be found in Parts 22 and 23 of this Policy.
Accountability:
Although the Company has not appointed a formal data protection officer, it has designated a data protection contact who, under the supervision of the Board of Directors, oversees GDPR implementation and compliance by the Company and its employees.
The Company maintains written internal records of all personal data collection, retention, and processing. These records include the following information:
Name and details of the Company and any applicable third-party data controllers.
Purposes for processing personal data by the Company.
Categories of personal data collected, held, and processed, as well as the relevant data subjects.
Details (and categories) of any third parties receiving personal data from the Company.
Information about transfers of personal data to non-EEA countries, including security measures and safeguards.
Data retention period determined by the Company.
Comprehensive descriptions of technical and organizational measures implemented by the Company to ensure data security.
Legitimate Interests Assessment:
The Company has conducted a Legitimate Interests Assessment in accordance with the Regulation. This assessment, overseen by the Company’s Accountant, addresses the following key areas:
Purpose(s) and processing operations carried out on personal data.
Legitimate interests pursued by the Company.
Assessment of necessity and proportionality of data processing for the stated purpose(s).
Evaluation of risks to individual data subjects.
Measures and mechanisms in place to minimize and manage risks, including safeguards, data security, and compliance with the Regulation.
The Rights of Data Subjects:
The Regulation grants data subjects various rights, including:
The right to be informed.
The right of access.
The right to rectification.
The right to erasure (also known as the ‘right to be forgotten’).
The right to restrict processing.
The right to data portability.
The right to object.
Rights related to automated decision-making and profiling.
Keeping Data Subjects Informed:
The Company ensures that the following information is provided to every data subject when collecting personal data:
Company details, including those responsible for data protection compliance.
Purpose(s) for collecting and processing personal data (as specified in Part 21 of this Policy) and the legal basis for such processing.
Where applicable, the legitimate interests justifying the collection and processing of personal data by the Company.
Categories of personal data collected and processed if obtained from a source other than the data subject.
Details of any third parties to whom the personal data will be transferred.
Information regarding transfers of personal data to non-EEA countries, including safeguards (refer to Part 24 of this Policy for more details on such transfers).
Data retention period determined by the Company.
Data subject’s rights under the Regulation.
Data subject’s right to withdraw consent to the Company’s processing of their personal data.
Information about lodging complaints with the Information Commissioner’s Office (the ‘supervisory authority’ under the Regulation).
If applicable, any legal or contractual requirements necessitating the collection and processing of personal data.
Data Subject Access:
At any time, data subjects have the right to submit a subject access request (SAR) to obtain information about the personal data held by the Company. The Company typically responds to SARs within one month of receipt, with the possibility of a two-month extension for complex or numerous requests. In such cases, the data subject will be notified about the need for the extension.
All subject access requests received should be directed to datasubject@learn-tech.com.
The Company does not charge a fee for handling normal SARs. However, reasonable fees may be charged for additional copies of previously provided information or for requests that are deemed manifestly unfounded, excessive, or repetitive.
Rectification of Personal Data:
If a data subject notifies the Company about inaccurate or incomplete personal data held by the Company, requesting rectification, the identified personal data will be rectified within one month of receiving the data subject’s notice. In complex cases, this timeframe may be extended by up to two months, with the data subject being informed about the extension.
In cases where the rectification affects personal data disclosed to third parties, those parties will be informed of the rectification.
Erasure of Personal Data:
Data subjects may request the erasure of personal data held by the Company in the following circumstances:
The personal data is no longer necessary for its original purpose of collection or processing.
The data subject withdraws their consent for the Company to hold and process their personal data.
The data subject objects to the Company holding and processing their personal data (without overriding legitimate interests).
The personal data has been processed unlawfully.
The personal data needs to be erased to comply with a specific legal obligation.
Unless the Company has valid grounds to refuse erasure, all requests for erasure will be fulfilled within one month of receiving the data subject’s request. Complex cases may be granted a two-month extension, with the data subject being informed about the extension.
If personal data that is to be erased has been disclosed to third parties, those parties will be informed of the erasure, except in cases where it is impossible or would require disproportionate effort to do so.
Restriction of Personal Data Processing:
Data subjects have the right to request that the Company ceases processing their personal data. Upon receiving such a request, the Company will retain only the necessary amount of personal data to ensure no further processing occurs.
If personal data subject to restriction has been disclosed to third parties, those parties will be informed of the applicable processing restrictions, unless it is impossible or would require disproportionate effort to do so.
Data Portability:
The Company processes personal data using automated means.
If data subjects have provided consent for the Company to process their personal data in this manner or if processing is necessary for the performance of a contract between the Company and the data subject, they have the right under the Regulation to receive a copy of their personal data and use it for other purposes, such as transmitting it to other data controllers (e.g., other organizations).
To facilitate data portability, the Company will provide data subjects with all applicable personal data in a database record format.
If requested by a data subject and technically feasible, personal data will be directly sent to another data controller.
All requests for personal data copies will be fulfilled within one month of the data subject’s request. Complex cases or numerous requests may be granted a two-month extension, with the data subject being informed about the extension.
Objections to Personal Data Processing:
Data subjects have the right to object to the processing of their personal data by the Company based on legitimate interests (including profiling) and direct marketing (including profiling).
If a data subject objects to the processing of their personal data based on the Company’s legitimate interests, the Company will immediately cease such processing, unless it can demonstrate that its legitimate grounds for processing override the data subject’s interests, rights, and freedoms, or if the processing is necessary for legal claims.
If a data subject objects to the processing of their personal data for direct marketing purposes, the Company will immediately cease such processing.
If a data subject objects to the processing of their personal data for scientific or historical research purposes, or for statistical purposes, they must demonstrate grounds related to their particular situation under the Regulation. The Company is not obligated to comply if the research is necessary for performing a task of public interest.
Automated Decision-Making:
If the Company uses personal data for automated decision-making that significantly affects data subjects’ rights or has a similarly significant effect, data subjects have the right to challenge such decisions. They can request human intervention, express their own point of view, and obtain an explanation of the decision from the Company.
The right described in Part 19.1 does not apply in the following circumstances:
The decision is necessary for entering into or performing a contract between the Company and the data subject.
The decision is authorized by law.
The data subject has given explicit consent.
Profiling:
When the Company uses personal data for profiling purposes, the following measures shall apply:
Clear information will be provided, explaining the profiling, including its significance and likely consequences.
Appropriate mathematical or statistical procedures will be used.
Technical and organizational measures necessary to minimize the risk of errors and enable easy correction of such errors will be implemented.
All personal data processed for profiling purposes will be secured to prevent discriminatory effects arising from profiling. (Refer to Parts 22 and 23 of this Policy for more details on data security.)
Personal Data:
The Company may collect, hold, and process the following personal data:
Information that identifies a person, such as name, address, telephone number, and email address. This information is used to differentiate candidates and compile profiles for job vacancies.
Employment history and work skills of candidates, along with current remuneration details. This information is used to create candidate profiles for marketing purposes.
Identification documents as required by The Conduct of Employment Agencies and Employment Businesses Regulations 2003.
Data Protection Measures:
The Company ensures that all employees, agents, contractors, or other parties working on its behalf comply with the following data protection measures:
All emails containing personal data should be encrypted whenever possible and practical.
When personal data needs to be erased or disposed of, it must be destroyed securely: hardcopies should be shredded, and electronic copies should be securely deleted.
Personal data should only be transmitted over secure networks, and transmission over unsecured networks is not allowed under any circumstances.
When transferring personal data in hardcopy form, it should be directly passed to the recipient or sent using secure and insured postal services.
Personal data should not be shared informally. If someone requires access to personal data, they should formally request it from the Company.
All hardcopies and electronic copies of personal data should be securely stored in locked boxes, drawers, cabinets, or similar secure storage.
Personal data should not be transferred to any employees, agents, contractors, or other parties without authorization from the Board of Directors, whether they work on behalf of the Company or not.
Personal data must be handled with care at all times, ensuring it is not left unattended or visible to unauthorized individuals, including employees, agents, sub-contractors, or any other parties.
If personal data is being viewed on a computer screen and the computer will be left unattended, the user must lock both the computer and the screen before leaving.
Personal data should not be stored on any mobile devices, such as laptops, tablets, or smartphones, whether they belong to the Company or not, for longer than necessary to perform an employee’s duties in connection with their employment, whether inside or outside of their regular workplace.
Personal data should not be transferred to employees’ personal devices. It may only be transferred to devices belonging to authorized agents, contractors, or other parties working on behalf of the Company who have agreed to fully comply with this Policy and the Regulation. They may need to demonstrate that appropriate technical and organizational measures have been implemented.
All electronically stored personal data should be backed up daily, with backups stored offsite. These backups should be encrypted in accordance with the IT supplier’s encryption policies.
All electronic copies of personal data should be securely stored using passwords and secure data encryption.
Passwords used to protect personal data must be changed regularly and should not be easily guessable or compromised. They must include a combination of uppercase and lowercase letters, numbers, and symbols. The Company’s software is designed to enforce these password requirements.
Under no circumstances should passwords be written down or shared among employees, agents, contractors, or any other parties working on behalf of the Company, regardless of their position or department. If a password is forgotten, it should be reset using the appropriate method.
Organizational Measures:
The Company will ensure the implementation of the following measures for the collection, storage, and processing of personal data:
All employees, agents, contractors, or other parties working on behalf of the Company will receive comprehensive awareness of their individual responsibilities and the Company’s obligations under the Regulation and this Policy. They will also be provided with a copy of this Policy.
Only authorized employees, agents, sub-contractors, or other relevant parties who require access to personal data for the proper performance of their assigned duties will be granted access to such data.
Adequate training will be provided to all employees, agents, contractors, or other parties involved in handling personal data.
The handling of personal data by employees, agents, contractors, or other parties working on behalf of the Company will be appropriately supervised.
Methods for collecting, storing, and processing personal data will be regularly assessed and reviewed.
The performance of employees, agents, contractors, or other parties handling personal data on behalf of the Company will be regularly evaluated and reviewed.
All employees, agents, contractors, or other parties handling personal data on behalf of the Company will be legally bound by contract to adhere to the principles outlined in the Regulation and this Policy.
Any agents, contractors, or other parties handling personal data on behalf of the Company must ensure that their employees involved in data processing follow the same conditions stipulated in this Policy and the Regulation.
If any agent, contractor, or other party handling personal data on behalf of the Company fails to fulfill their obligations under this Policy, they shall indemnify and hold the Company harmless from any costs, liability, damages, losses, claims, or legal proceedings arising from such failure.
The Company will provide ongoing training to its employees to ensure compliance with regulatory changes, emphasizing the importance of confidentiality, integrity, and security in relation to Data Protection and regulations.
Transferring Personal Data to a Country Outside the EEA:
When transferring personal data to countries outside the European Economic Area (EEA), the Company will adhere to the following guidelines:
Personal data will only be transferred to countries, territories, or specific sectors in those countries (or international organizations) that have been deemed by the European Commission to provide an adequate level of protection for personal data.
If the transfer is to a country (or international organization) without an adequacy decision, appropriate safeguards will be in place. These safeguards may include legally binding agreements between public authorities, binding corporate rules, standard data protection clauses approved by the European Commission, compliance with approved codes of conduct, certifications under approved mechanisms, or contractual clauses authorized by supervisory authorities.
Personal data transfer may also occur with the informed consent of the data subject(s), for the performance of a contract, for important public interest reasons, to conduct legal claims, to protect vital interests when consent is not possible, or when transferring data from a public register accessible to the public or those with legitimate interest under UK or EU law.
Data Breach Notification:
Any personal data breaches must be promptly reported to the designated data protection contact within the Company.
If a personal data breach occurs and it is likely to pose a risk to the rights and freedoms of data subjects (such as financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic harm), the data protection contact must immediately notify the Information Commissioner’s Office about the breach. This notification should be made within 72 hours of becoming aware of the breach.
If a personal data breach is expected to result in a high risk to the rights and freedoms of data subjects (higher than described in Part 25.2), the data protection contact must directly and promptly inform all affected data subjects about the breach.
Data breach notifications should include the following information:
Categories and approximate number of affected data subjects.
Categories and approximate number of personal data records involved.
Name and contact details of the Company’s data protection contact (or another point of contact for obtaining further information).
Likely consequences of the breach.
Details of measures taken or planned by the Company to address the breach, including any mitigation measures to minimize potential adverse effects.
Implementation of Policy:
This Policy will be effective as of May 14th, 2018. It does not have retroactive effect and applies only to matters occurring on or after this date.