Privacy Policy
How we collect, use, and protect your personal data in line with GDPR and UK data protection law.
Data Privacy & GDPR Policy
Definitions
In this policy, the following words and phrases have the following meanings:
- Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them.
- Criminal records personal data means personal data relating to criminal convictions and offences and personal data relating to criminal allegations and proceedings.
- Data protection legislation means the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018 and any other applicable primary or secondary legislation as may be in force in the UK from time to time.
- Data subject means a living identified or identifiable individual about whom the Company holds personal data, for example employees, temporary workers, job applicants, contractors, students, host families etc.
- Member of staff is any director, employee, worker, agency worker, apprentice, intern, volunteer, contractor or consultant employed or engaged by the Company.
- Personal data is any information relating to a data subject who can be identified (directly or indirectly) either from the data alone or by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that data subject.
- Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disclosing, disseminating, restricting, erasing or destroying.
- Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning physical or mental health, or data concerning sex life or sexual orientation.
Introduction
This policy sets out how the Company processes the personal data of data subjects, including the personal data of job applicants and the personal data of current and former directors, employees, workers, agency workers, contractors, consultants, clients, students, suppliers and other third parties. It applies to all personal data that we collect and process, regardless of the media on which the personal data is stored.
Welwin Infotech is committed to being clear and transparent about how we collect and use personal data and to complying with our data protection obligations. Protecting the confidentiality, security and integrity of the personal data that we process is also of paramount importance.
This policy applies to all members of staff. It is non-contractual and does not form part of any employment contract, casual worker agreement, consultancy agreement or any other contract for services.
The Data Protection Principles
Under the data protection legislation, there are six data protection principles that the Company and all members of staff must comply with at all times in their personal data processing activities. In brief, personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date.
- Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed.
- Processed in a manner that ensures appropriate security of the personal data.
1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Processing is lawful only in certain circumstances, including consent, contractual necessity, legal obligations, vital interests, and legitimate interests where applicable.
Where consent is relied upon, it must be a positive, specific and informed action. Data subjects can withdraw consent at any time, and it must be as easy to withdraw consent as to give it.
Transparency requires that privacy notices are concise, transparent, intelligible and accessible, and provided at the appropriate point of data collection or first communication.
2. Purpose Limitation
Personal data must be collected only for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes, unless an appropriate lawful basis applies.
3. Data Minimization
Personal data must be adequate, relevant and limited to what is necessary. Staff must process only data that is required for the proper performance of their job responsibilities and that is in line with notified purposes.
4. Accuracy
Personal data must be accurate and kept up to date where necessary. Reasonable steps must be taken to rectify or erase inaccurate data without delay.
5. Storage Limitation
Personal data must not be kept longer than necessary. The Company retains personal data for lawful and legitimate business purposes and then securely destroys, erases, or anonymises data where retention is no longer required.
Retention highlights:
- Unsuccessful job applicants: generally 6 months (longer in limited legal-risk situations).
- Members of staff: generally for employment duration, then post-employment retention in line with legal and business needs.
- Other third parties (clients/customers/suppliers): generally for relationship duration, then limited retention as required by law or legal-risk protection.
6. Integrity and Confidentiality
Personal data must be processed securely using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Where third-party service providers process personal data, contractual and security safeguards must be in place, and only authorized sharing is permitted.
Accountability
The Company is responsible for, and must be able to demonstrate, compliance with the data protection principles. This includes appointing appropriate roles, maintaining processing records, training staff, conducting reviews and assessments, and applying privacy-by-design controls.
Data Subject Rights
Under data protection legislation, data subjects may exercise rights including access, rectification, erasure, restriction, objection, portability, and rights related to automated decision-making and direct marketing.
Requests such as a Data Subject Access Request (DSAR) should be handled promptly and in accordance with legal timelines and verification steps.
Your Obligations in Relation to Personal Data
All staff must comply with this policy and the data protection principles when processing personal data on behalf of the Company. Unauthorized obtaining or disclosure of personal data may amount to misconduct and can also be a criminal offence.
- Only access data where authorized and necessary for your role.
- Do not disclose personal data informally or to unauthorized parties.
- Use secure systems and approved methods when transferring or storing data.
- Report suspected personal data breaches immediately.
- Attend required data protection training and follow Company procedures.