Data Protection Policy
1 Applicable Legislation
1.1 United Kingdom
1.1.1 Where Azets has an establishment in the UK or offers goods or services to UK data subjects it is subject to UK data protection legislation, namely:
• The UK General Data Protection Regulation (UK GDPR); that is, the EU GDPR (679/2016/EU) merged with the UK’s applied GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), together with the further amendments made by the Data Protection, Privacy and Electronic Communications (Amendments) (EU Exit) Regulations 2020.
• The Data Protection Act 2018 (DPA 2018).
• The Privacy and Electronic Communications Regulations 2003 (SI 2426/2003), based on the e-Privacy Directive (2002/58/EC).
1.2 European Economic Area
1.2.1 Where Azets has an establishment in the EEA or offers goods or services to EEA data subjects it is subject to EU data protection legislation, namely:
• The EU GDPR (679/2016/EU)
• The Privacy and Electronic Communications Regulations 2003, based on the e-Privacy Directive (2002/58/EC).
1.3 Sources of additional guidance
1.3.1 This policy contains guidance from the European Data Protection Board and its predecessor body, the Article 29 Working Party, although guidance published since 31st January 2020 is no longer binding in the United Kingdom.
2.1 This policy defines the intention of Azets as formally approved by the Board of Directors for managing compliance with data protection legislation.
2.2 The policy allocates organisational roles and responsibilities and identifies in overall terms the structure of policies, procedures and practices that are the mechanisms through which compliance is planned, executed, measured and reported.
3 Scope of this Policy
3.1 Material scope: Unless otherwise stated, this policy and others that comprise the Information Governance Framework apply to all personal data processed by Azets in whatever form including by automated means (computerised), as part of a filing system or in an unstructured manual format.
3.2 Organisational scope: This policy applies to any natural or legal person who processes personal data for or on behalf of Azets including: employees, volunteers, casual and temporary employees, directors and officers, external organisations employed as processors and any external organisations or individuals (other controllers) with whom Azets shares or discloses personal data.
3.3 This policy applies where Azets acts as a controller.
3.4 Where Azets acts as a joint controller this policy applies unless overridden by mutually agreed obligations with the other joint controller(s).
3.5 Where Azets acts as a processor a different policy applies which is described in clause 13 below.
4 Leadership statement by the Chief Executive Officer of Azets:
4.1 Azets is committed to compliance with data protection legislation and the achievement of best practice in the protection of the “rights and freedoms” of data subjects whose personal data Azets processes.
4.2 Azets achieves compliance with these requirements by approving this policy which is the key component in its Information Governance Framework.
4.3 Azets constantly reviews all relevant regulatory and industry compliance frameworks to which it is subject. When new regulations emerge or existing regulations change, Azets modifies its policies, procedures and training plans accordingly to ensure continued compliance.
4.4 Azets is not obliged to appoint a Data Protection Officer as a statutory appointment. However, a Data Protection Officer is appointed on a voluntary basis. This position is held by the Group Chief Risk and Compliance Officer, whose role has no conflicts that would invalidate or compromise the independence required of a Data Protection Officer. This appointment is made in full compliance with the Article 29 Data Protection Working Party advice on the appointment of a Data Protection Officer [1].
4.5 The Data Protection Officer is supported by the Group Data Protection and Security Assurance Manager whose role is also independent and free from conflicts with the business.
4.6 The Data Protection Officer is further supported by a team of Data Protection Managers in each of the territories of the European Economic Area where Azets has a presence. These Data Protection Managers are skilled and experienced in the local data protection legislation and Supervisory Authority guidance in their jurisdictions.
4.7 On an annual basis the Data Protection Officer reviews this policy and the Information Governance Framework to ensure that:
4.7.1 Its approach to privacy is fully aligned with the strategic direction of the organisation, its stakeholder expectations and the regulatory environment;
4.7.2 The resources required to operate the Information Governance Framework effectively are available;
4.7.3 The approach to data protection and the Information Governance Framework is fully integrated into Azets’ business processes in particular in relation to risk and performance management;
4.7.4 The objectives of the Information Governance Framework are being achieved and that data protection is a key element in continuous improvement;
4.7.5 The importance of compliance with data protection requirements and best practice is communicated appropriately and understood across the organisation.
4.8 The report of the Data Protection Officer shall include:
4.8.1 the status of actions from previous management reviews;
4.8.2 changes in external and internal issues that are relevant to data governance;
4.8.3 information on performance;
4.8.4 feedback from users of the Information Governance Framework;
4.8.5 records of procedural reviews;
4.8.6 results of technology upgrades and/or replacements;
4.8.7 formal requests for assessment by regulatory bodies;
4.8.8 complaints handling; and
4.8.9 Personal Data Breaches that have occurred.
5 Employees’ Responsibilities under the Information Governance Framework
5.1 The Data Protection Officer is the strategic lead for compliance with data protection legislation. The Data Protection Officer is the primary point of contact for liaison with the Board of Directors.
5.2 Information assets are identified in an Information Asset Register which is maintained by the Data Protection Team.
5.3 The Data Protection Officer liaises with the Commissioner and relevant Supervisory Authorities when required and oversees the operation of Azets’ Personal Data Breach Notification Procedure. The Data Protection Officer is responsible for administering the Data Subject Rights (DSR) Procedure and the Complaints Procedure, responding to complaints about the exercise of data protection rights and obligations, reporting with recommendations for management action, where necessary. The Data Protection Officer provides advice on data protection by design principles and comments on Data Protection Impact Assessments undertaken as defined in the Risk Based Approach to Information Governance.
5.4 The Data Protection Officer is supported by the Information Governance Steering Group. The Data Protection Officer convenes quarterly meetings of the Information Governance Steering Group made up of members who represent service lines of the business and other subject-matter experts.
5.5 The Head of Human Resources has operational responsibility for compliance with data protection policies in relation to HR policies and procedures including recruitment and retention.
5.6 The Head of Talent Development has operational responsibility for ensuring that appropriate data protection awareness and training is provided, measured and reported.
5.7 The Head of IT has operational responsibility for compliance with data protection legislation in respect of Azets’ IT estate. The Head of IT’s responsibilities concerning the IT estate are set out in more detail in the Information Security Management Policy (ISMP).
5.8 The Security Director has operational responsibility for compliance with best practice for information security, cyber security and operational resilience. The Security Director’s responsibilities are set out in more detail in the Information Security Management Policy (ISMP).
5.9 All employees are responsible for complying with data protection legislation and respecting confidentiality and the privacy of data subjects including their colleagues, customers, suppliers and other stakeholders. Data protection responsibilities of employees are reinforced through regular awareness raising and training.
5.10 Employees’ responsibilities are defined in their job descriptions. Azets’ Data Protection Training Policy defines specific training and awareness requirements in relation to specific roles and employees of Azets. Compliance with training requirements is measured and reported as part of the performance management framework.
6 Commitment and Accountability for Compliance with Data Protection Principles
6.1 Azets processes personal data in accordance with the data protection principles defined in Article 5 of the GDPR as described below and demonstrates compliance with those principles, the requirements of data protection legislation and good practice by applying the policies and procedures set out in the Information Governance Framework.
7 Data Protection by Design and Default and Risk Management
7.1 Azets recognises that the processing of personal data poses a potential risk to the “rights and freedoms” of data subjects whose personal data Azets collects and processes.
7.2 Azets analyses, quantifies and documents data protection risks in the Corporate Risk Register. Each processing activity is recorded in the Register Of Processing Activities (ROPA). The Register allows for the explicit identification and documentation of any high-risk categories of personal data processed by Azets including but not limited to special category data. The Register Of Processing Activities (ROPA) is designed so that completion satisfies the record-keeping requirements defined in Article 30 of the General Data Protection Regulation as defined in the Records of Processing Activities Policy. Further information on Azets’ approach to risk management is described in the Risk-Based Approach to Information Governance.
7.3 Azets upholds the principles of data protection by design and default. Any new processing activities involving personal data are subject to a screening process that establishes whether a Data Protection Impact Assessment is required as specified in the Data Protection Impact Assessment (DPIA) Policy and the Data Protection Impact Assessment (DPIA) Procedure. The Data Protection Impact Assessment (DPIA) Policy specifies that a full Data Protection Impact Assessment shall be undertaken where there is a high risk to the rights and freedoms of data subjects.
8 Fair, Lawful and Transparent Processing
8.1 Azets processes personal data in a fair, lawful and transparent manner meaning:
8.1.4 Azets ensures that its Register Of Processing Activities (ROPA) cross-references to the transparency information communicated to data subjects in connection with the relevant purpose.
8.1.5 The Data Protection Officer has an important role to play in promoting and advising on best practice in transparency including the use of layered and just-in time notices and visualisation where appropriate.
8.1.6 Fair: Azets understands that fairness is about maximising data subjects’ autonomy and choice about how and whether their personal data are used. For this to happen data subjects are never misled to any extent about how their data shall be used and they are given clear and unbundled choices where processing is voluntary and made fully aware of the risks, rules, safeguards and rights attached to that processing and how to exercise their rights in relation to such processing.
8.1.7 Azets recognises the rights of data subjects to opt out of marketing messages in accordance with both the General Data Protection Regulation and the Privacy and Electronic Communication Regulation. Data subjects can exercise their rights by using the “unsubscribe” function which is present on all email marketing communications or by telephoning or emailing the organisation with a similar request.
8.1.8 Lawful: Azets ensures that no data collection activities are undertaken or commissioned without an Article 6 lawful basis for processing having been identified and, in the case of special category personal data additionally an Article 9 lawful basis and the relevant Data Protection Act 2018 Schedule 1 lawful basis for the data processing activities intended to be applied to the personal data.
8.1.9 The Data Protection Officer shall in all cases document the lawful basis for processing and ensure that processing complies with all relevant policies. Where the lawful basis for processing is legitimate interest a Legitimate Interest Assessment (LIA) is undertaken following the Legitimate Interest Assessment (LIA) Procedure and documented in the Register of Legitimate Interests Assessments (LIAs).
8.1.10 Data Processing purposes – Azets ensures that personal data are not used for purposes other than those recorded in the Register Of Processing Activities (ROPA), except where an exemption applies in accordance with either Schedule 2 or 3 of the Data Protection Act 2018, and specifies those purposes in the transparency information communicated to the data subject in accordance with GDPR Articles 13 and 14.
8.1.11 Where further processing of the personal data is compatible with the original purpose in accordance with Article 6(4) or is otherwise permitted by law, the required transparency information is communicated to the data subject.
8.1.13 The rights of data subjects to object to profiling in its various forms are set out in the Data Subject Right to Object to Processing, Including Marketing, Automated Decisions and profiling Procedure.
8.1.14 Data Minimisation – Azets uses a minimum of personal data in its processing activities while at the same time ensuring that the personal data it collects are adequate for the identified purpose, and undertakes periodic reviews to ensure that personal data remain adequate, relevant and limited to what is necessary as defined in the Data Minimisation Policy.
8.1.15 Azets ensures that data collected is fit for purpose and that no unnecessary, irrelevant or unjustifiable personal data are collected or created either directly or indirectly through processing activities. All new or altered processing is subject to the Risk-Based Approach to Information Governance and is subject to a Data Protection Impact Assessment where appropriate.
8.1.16 The Data Protection Officer provides advice regarding the justification for personal data collected or created and ensures that data collected is reviewed on a periodic basis.
8.1.17 Data Quality – Azets recognises that personal data must be accurate and, where necessary, kept up-to-date, and that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay as defined in the Data Quality Policy.
8.1.18 Employees apply the Data Quality Procedure and ensure that personal data for which they are responsible are accurate and up-to-date. The Data Protection Officer ensures that all employees are aware of the importance of accurate and up-to-date personal data and have written instructions on how this is to be achieved.
8.1.19 Data subjects’ right to rectification and complaint are important ways in which the accuracy of personal data can be challenged and corrected, and the Data Subject Rights (DSR) Policy provides for how claims for inaccuracy are dealt with and how any measures taken in consequence are recorded and reported.
8.1.20 These measures include how processors and joint controllers are informed about inaccurate or out-of-date personal data that has been corrected.
8.1.21 The Risk-based Approach to Information Governance and Data Protection Impact Assessment (DPIA) Policy ensure that issues of data quality and accuracy are taken into account when new processing is initiated and are reviewed periodically.
8.1.22 Data Retention – Through its Data Retention Policy Azets ensures that it does not retain personal data for any longer than is necessary for legal or regulatory reasons or for its legitimate organisational purposes and ensures timely and appropriate disposal at the end of data’s useful life through risk assessed measures such as erasure or anonymisation.
8.1.23 Where personal data are to be transferred for long-term preservation (for example where it is of value for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes) Azets ensures that appropriate technical and organisational measures safeguard the rights and freedoms of data subjects.
8.1.24 Confidentiality, Integrity and Security – Azets ensures that any personal data that it processes or commissions the processing of are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
8.1.25 Any Personal Data Breaches are managed in accordance with the Personal Data Breach Notification Procedure.
8.1.26 All disclosures of personal data to other controllers are managed in accordance with the Data Sharing Policy (controller-to-controller) and the Data Sharing Procedure (controller-to-controller). The procedure provides for a Data Sharing Agreement in the case of ongoing disclosures. Ad-hoc disclosures requested in accordance with the exemptions provided at Schedules 3 and 4 of the Data Protection Act 2018 are processed under the Procedure – ad hoc Data Sharing.
8.1.27 Azets maintains an Information Security Management Policy (ISMP) which defines specific policies in relation to keeping personal data secure, confidential, available and with integrity. The Information Security Management Policy (ISMP) covers matters such as information security policies, human resource security, physical and environmental security, asset management and access control, communications security and cryptology, operations security, secure disposal of end-of-life equipment and business continuity.
8.1.28 The Security Director formulates the ISMP and consults the Data Protection Officer in regard to it. The Data Protection Officer challenges the ISMP when appropriate and reports any concerns to the Board of Directors.
8.1.29 Training and Awareness – Azets ensures that employees and other workers are competent in and understand the data protection responsibilities assigned to them through its Data Protection Training Policy.
8.1.30 The Data Protection Officer monitors that the elements of the data protection training programme are kept up-to-date and in liaison with the Head of Talent Development ensures that employees and other workers are kept up-to-date through appropriate awareness briefings.
9 Data subjects’ rights
9.1 Azets recognises the legal rights of the data subjects whose personal data it is processing or intends to process and ensures that appropriate information is provided to them advising them of their rights, and that policies and procedures are maintained to give effect to those rights.
9.2 The Data Subject Rights (DSR) Policy sets out the division of responsibilities and the general modalities for responding to data subject rights requests. It also includes a table indicating how the various rights apply in respect of the different lawful bases for processing.
9.3 The exercise of each individual right is governed by a specific procedure, as set out below (Article – Right – Procedure):
Article 15 – Right of access by the data subject – Data Subject Access Request (DSAR) Procedure
Article 16 – Right of Rectification – Data Subject Request for Rectification Procedure
Article 17 – Right of Erasure – Data Subject Request for Erasure Procedure
Article 18 – Right to Restriction – Data Subject Request for Restriction of Processing Procedure
Article 20 – Right to Data Portability – Data Subject Right to Data Portability Procedure
Article 21 – Right to Object – Data Subject Right to Object to Processing including Direct Marketing, Automated Decision Making and profiling Procedure
Article 22 – Right to Object to Automated Decision Making, including profiling – Data Subject Right to Object to Processing including Direct Marketing, Automated Decision Making and profiling Procedure
Article 77 – Right to Lodge a Complaint with the Commissioner or Supervisory Authority – Complaints Procedure
10 Contractual Arrangements with Processors
10.1 In accordance with the requirement in Article 28 of the General Data Protection Regulation, Azets ensures through the Engaging Suppliers as Processors Policy (controller-to-processor) and associated procedures that only processors providing sufficient guarantees of technical, physical and organisational security and subject to a written contract including specified terms are engaged.
10.2 The Engaging Suppliers as Processors Policy (controller-to-processor) also provides that an assessment of appropriate security is undertaken as part of due diligence before any processor is engaged and that where specified in the policy, an audit of those security arrangements is conducted before entering into the contract.
10.3 The Engaging Suppliers as Processors Policy (controller-to-processor) provides that primary responsibility for compliance with the policy and with the Selecting and Appointing Processors Procedure is allocated to the Data Protection Officer.
10.4 The Decommissioning Processors Procedure ensures that personal data is treated in compliance with GDPR Article 28.3(g) when a processor is decommissioned.
11 Transfers of Personal Data to Third Countries
11.1 As defined by UK GDPR, all exports of data from within the United Kingdom to a ‘third country’ are unlawful unless one or more of the safeguards specified in UK GDPR Articles 44-50 inclusive applies. Azets ensures compliance with these requirements through the Transfers of Personal Data to Third Countries or International Organisations Procedure.
11.2 As defined by EU GDPR, all exports of data from within the European Economic Area (EEA) to a ‘third country’ are unlawful unless one or more of the safeguards specified in EU GDPR Articles 44-50 inclusive applies. Azets ensures compliance with these requirements through the Transfers of Personal Data to Third Countries or International Organisations Procedure.
12 Appointment of EU representative and UK Representative
12.1 Azets has appointed as its EU Representative [2]:
The EU Representative
Postboks 342 Sentrum
Tel +47 40 10 40 18
12.2 Azets has appointed as its UK Representative [3]:
The UK Representative
Azets Holdings Limited
45 King William Street
London EC4R 9AN
Tel +44 (0) 20 7403 1877
13 Obligations when Azets is acting as a Processor
13.1 Where processing personal data as a processor on behalf of a controller Azets shall:
13.1.1 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and take all measures required pursuant to Article 32 of the GDPR (Security of Processing); and
13.1.2 ensure the protection of the rights of data subjects.
13.2 Azets and any person acting under the authority of the controller or of Azets, who has access to personal data, shall not process those data except on written instructions from the controller, unless required to do so by domestic law and shall not process the Personal Data for any purposes other than those expressly authorised by the controller in writing.
13.3 Azets shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, Azets shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
13.4 Processing by Azets as a processor shall be governed by a written contract or other legal act that is binding on Azets with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that Azets:
13.4.1 processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by domestic law to which Azets is subject; in such a case, Azets shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
13.4.2 ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
13.4.3 respects the conditions referred to in clause 13.1 above for engaging another processor;
13.4.4 taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the General Data Protection Regulation;
13.4.5 taking into account the nature of processing and the information available to Azets, assists the controller in ensuring compliance with the obligations pursuant to Article 32 (Security of processing), Article 33 (Notification of a Personal Data Breach to the Commissioner or Supervisory Authority), Article 34 (Communication of a Personal Data Breach to the data subject), Article 35 (Data protection impact assessment) and Article 36 (Prior consultation) of the General Data Protection Regulation;
13.4.6 at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless domestic law requires storage of the personal data; and
13.4.7 makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the General Data Protection Regulation and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
13.5 Azets shall immediately inform the controller if, in its opinion, an instruction infringes the General Data Protection Regulation.
13.6 Where Azets engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and Azets as referred to in 13.4 above shall be imposed on that other processor by way of a written contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing shall meet the requirements of the General Data Protection Regulation. Where that other processor fails to fulfil its data protection obligations, Azets shall remain fully liable to the controller for the performance of that other processor's obligations.
13.7 Azets shall notify the controller within 24 hours after having become aware of a Personal Data Breach relevant to its processing or its processors’ processing. Such notification shall:
13.7.1 describe the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of the Personal Data records concerned;
13.7.2 describe the measures taken or proposed to be taken by Azets to address the Personal Data Breach, including where appropriate measures to mitigate its possible adverse effects.
13.8 Where, and in so far as, it is not possible for Azets to provide all of the above information at the same time, the information shall be provided in phases without undue further delay.
13.9 Azets shall cooperate with the controller and take such reasonable commercial steps as are directed by the controller to assist the investigation, mitigation and remediation of each such Personal Data Breach.
14 Continuous Improvement
14.1 Management reviews contribute to a culture of continuous improvement in data protection. The Data Protection Officer assists in this by analysing data protection complaints, Personal Data Breaches, Data Subject Rights Requests and by horizon scanning technological and policy advances with colleagues across the organisation.
1. Article 29 Data Protection Working Party. Guidelines on Data Protection Officers (“DPOs”). Adopted 16 December 2016.
2. As required by EU GDPR Article 27.
3. As required by EU GDPR Article 27.
Effective 23 January 2023