Privacy Notice – Gough & Kelly Group Limited

Effective Date: 29/08/2025

Changes to This Notice

We may update this Privacy Notice from time to time. The latest version will always be available on our website.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.

Introduction

Gough & Kelly Group Limited (“we”, “us”, “our”) is committed to protecting the privacy and security of your personal data. This Privacy Notice explains how we collect, use, disclose, and safeguard your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and other UK data protection and privacy legislation.

Gough & Kelly Group Limited is registered with  Information Commissioner's Office (ICO)  - Z1585966

Who We Are

We are the data controller responsible for your personal data. If you have any questions about this notice or how we handle your data, please contact our Data Protection Officer (DPO):

Name: Steve Fielder

Email: steve.fielder@gough-kelly.co.uk

Acting as a Data Processor

In certain circumstances, Gough & Kelly Group Limited may act as a data processor on behalf of another party or organisation. Where we process personal data under the instructions of a third-party data controller, we do so in accordance with the terms of a written contract that complies with Article 28 of the UK GDPR.

When acting as a data processor, we:
- Only process personal data on documented instructions from the data controller.
- Ensure that personnel authorised to process the personal data are subject to confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
- Assist the data controller in fulfilling their obligations with respect to data subject rights, data breach notifications, and data protection impact assessments.
- Delete or return all personal data to the controller at the end of the contract, unless otherwise required by law.
- Make available to the controller all information necessary to demonstrate compliance with our obligations and allow for audits and inspections.

We take our responsibilities as a data processor seriously and ensure that all processing activities are carried out in accordance with applicable data protection laws and contractual obligations.

What Personal Data We Collect

We may collect and process the following categories of personal data:

- Identity data (e.g. name, date of birth)

- Contact data (e.g. address, email, phone number)

- Employment data (e.g. job title, CV, references)

- Financial data (e.g. bank details for payments)

We may also collect and process special category data such as  health information, but only where necessary and with appropriate safeguards

- Criminal convictions data (where legally required or permitted)

How We Collect Your Data

We collect personal data:

- Directly from you (e.g. when you contact us, apply for a job, or use our services)

- From third parties (e.g. recruitment agencies, public sources)

Legal Basis for Processing

Any personal data, special category data and criminal offence data that we process about individuals is done so in accordance with one or more of the following Articles 6, 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

Article 6(1)

(a) Consent: the individual has given clear consent for the council to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract the council has with the individual, or because they have asked the council to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for the council to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Article 9(2)

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(g) Reasons of substantial public interest (with a basis in law)

Where we process information relating to criminal convictions and offences, this is under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.

How We Use Your Data

We use your personal data to:

- Provide and manage our services

- provide and manage our contracted services where we are a data processor 

- Communicate with you

- Comply with legal obligations

- Improve our operations and customer experience

- Conduct marketing (with appropriate consent or soft opt-in)

Sharing Your Data

We may share your data with:

- Our group companies and authorised personnel

- Service providers and contractors

- Legal and regulatory authorities

- Third parties where required by law or with your consent

All third parties are required to maintain appropriate data protection standards.

International Transfers

We may transfer your data outside the UK. Where we do, we ensure appropriate safeguards are in place, such as:

- Adequacy decisions

- Standard contractual clauses

- Explicit consent (where applicable)

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, or reporting requirements. Retention periods are outlined in our internal policies.

Data Security

We implement appropriate technical and organisational measures to protect your data, including:

- Access controls

- Encryption

- Secure storage

- Regular audits and staff training

Your Rights

You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

• Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.
• Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
• Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
• Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
• Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
• Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month. To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Automated Decision-Making and Profiling

We may use automated processing, including profiling, in limited circumstances. Where this occurs, you will be informed and have the right to request human intervention.

Marketing

You can opt out of direct marketing at any time. We honour all opt-out requests promptly and maintain suppression lists to ensure preferences are respected.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:          

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint