| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Administrative enquiries | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Communications, marketing and intelligence | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Fraud detection and prevention | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | Until consent withdrawn |
| Identity verification | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | Until consent withdrawn |
| Information, system, network and cyber security | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | Until consent withdrawn |
| Personalisation and customisation of the online experience | 6(1)(f) – it’s in our legitimate interest (Communications, marketing and intelligence) | Until consent withdrawn |
| Product development and enhancement | 6(1)(f) – it’s in our legitimate interest (Product development and enhancement) | Until consent withdrawn |
| Sales and Distribution of Products and Services | 6(1)(f) – it’s in our legitimate interest (Communications, marketing and intelligence) | Until consent withdrawn |
| Service delivery | 6(1)(b) – we have a contract with the data subject | 1 year unless otherwise required by customer contract |
| Site management and security | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | Until consent withdrawn |
| Video surveillance | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | 1 month |
| Location Information | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Audio Recordings | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | 1 year |
| Customer analysis | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Contact management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Debt management | 6(1)(b) – we have a contract with the data subject | As long as validly required |
| Payment Card Processing | 6(1)(b) – we have a contract with the data subject | 1 year unless otherwise required by customer contract |
| Customer support | 6(1)(b) – we have a contract with the data subject | 1 year unless otherwise required by customer contract |

From our Governing Body we process and retain personal data for the following purposes and periods, with the applicable legal basis.

| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Organisation’s administration and management | 6(1)(f) – it’s in our legitimate interest (Legal and regulatory compliance) | Until tax or other retention period expires |
| Industry specific regulation, standards and intelligence | 6(1)(c) – we have to comply with a legal obligation | Until tax or other retention period expires |
| Service delivery | 6(1)(f) – it’s in our legitimate interest (Legal and regulatory compliance) | Until tax or other retention period expires |

From our Site Visitors we process and retain personal data for the following purposes and periods, with the applicable legal basis.

| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Identity verification | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | Until consent withdrawn |
| Personalisation and customisation of the online experience | 6(1)(f) – it’s in our legitimate interest (Communications, marketing and intelligence) | Until consent withdrawn |
| Site management and security | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | Until consent withdrawn |
| Information, system, network and cyber security | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | Until consent withdrawn |

From our Children we process and retain personal data for the following purposes and periods, with the applicable legal basis.

| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Employee Recruitment and Employment | 6(1)(f) – it’s in our legitimate interest (Employment data processing) | Until consent withdrawn |
| Identity verification | 6(1)(f) – it’s in our legitimate interest (Employment data processing) | Until consent withdrawn |

From our Suppliers we process and retain personal data for the following purposes and periods, with the applicable legal basis.

| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Identity verification | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Information, system, network and cyber security | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Organisation’s administration and management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Personalisation and customisation of the online experience | 6(1)(f) – it’s in our legitimate interest (Communications, marketing and intelligence) | Until consent withdrawn |
| Supplier Management | 6(1)(b) – we have a contract with the data subject | As long as validly required |
| Service delivery | 6(1)(b) – we have a contract with the data subject | As long as validly required |

From our Consultants we process and retain personal data for the following purposes and periods, with the applicable legal basis.

| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Administrative enquiries | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Archiving | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Budget management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Contact management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Fraud detection and prevention | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | Until consent withdrawn |
| Identity verification | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | Until consent withdrawn |
| Industry specific regulation, standards and intelligence | 6(1)(f) – it’s in our legitimate interest (Industry specific regulation, standards and intelligence) | Until consent withdrawn |
| Information, system, network and cyber security | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | Until consent withdrawn |
| Legal and regulatory compliance | 6(1)(c) – we have to comply with a legal obligation | Until tax or other retention period expires |
| Organisation’s administration and management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Personalisation and customisation of the online experience | 6(1)(f) – it’s in our legitimate interest (Communications, marketing and intelligence) | Until consent withdrawn |
| Supplier Management | 6(1)(b) – we have a contract with the data subject | As long as validly required |
| Video surveillance | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | 1 month |

From our Contractors we process and retain personal data for the following purposes and periods, with the applicable legal basis.

| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Administrative enquiries | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Archiving | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Budget management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Business operations and due diligence | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Contact management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Fraud detection and prevention | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | Until consent withdrawn |
| Identity verification | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | Until consent withdrawn |
| Industry specific regulation, standards and intelligence | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Information, system, network and cyber security | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | Until consent withdrawn |
| Legal and regulatory compliance | 6(1)(f) – it’s in our legitimate interest (Legal and regulatory compliance) | Until consent withdrawn |
| Organisation’s administration and management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Personalisation and customisation of the online experience | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Service delivery | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Site management and security | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | Until consent withdrawn |
| Supplier Management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Video surveillance | 6(1)(f) – it’s in our legitimate interest (Information, system, network and cyber security) | 1 month |
| Audio Recordings | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | 1 year |
| Travel and events management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Escalation Details | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Location Information | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |

From our Parents we process and retain personal data for the following purposes and periods, with the applicable legal basis.

| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Employee Recruitment and Employment | 6(1)(f) – it’s in our legitimate interest (Employment data processing) | Until consent withdrawn |

From our Service Providers we process and retain personal data for the following purposes and periods, with the applicable legal basis.

| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Administrative enquiries | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Archiving | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Budget management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Contact management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Fraud detection and prevention | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | Until consent withdrawn |
| Identity verification | 6(1)(f) – it’s in our legitimate interest (Fraud detection and prevention) | Until consent withdrawn |
| Industry specific regulation, standards and intelligence | 6(1)(f) – it’s in our legitimate interest (Industry specific regulation, standards and intelligence) | Until consent withdrawn |
| Service delivery | 6(1)(b) – we have a contract with the data subject | As long as validly required |
| Supplier Management | 6(1)(b) – we have a contract with the data subject | As long as validly required |

From our Lone Worker End Users we process and retain personal data for the following purposes and periods, with the applicable legal basis.

| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Administrative enquiries | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Archiving | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Audio Recordings | 6(1)(b) – we have a contract with the data subject | 1 year unless otherwise required by customer contract |
| Escalation Details | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until contract completed |
| Contact management | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Customer support | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | Until consent withdrawn |
| Location Information | 6(1)(f) – it’s in our legitimate interest (Business operations and due diligence) | 1 year unless otherwise required by customer contract |


What personal data do we collect?

The personal data we collect depends on whether you just visit our website or use our services. If you visit our website, you do not need to provide us with any personal data. However, your browser transmits some data automatically, such as the date and time of retrieval of one of our web pages, your browser type and settings, your operating system, the last web page you visited, the data transmitted and the access status, and your IP address.

If you use our services, personal data is required to fulfill the requirements of a contractual or service relationship, which may exist between you and our organisation.

We collect:

  • Audio Recordings
  • Employment History
  • Location Information
  • Online Identifiers
  • Family
  • Education History
  • Financial Details
  • Identification Number
  • Name
  • Name and contact details
  • Photographs together with Identifiers
  • Telephone contact details
  • Banking Details
  • Visual Images
  • Confidential Correspondence
  • Credit History
  • Digital Images
  • Email, Social Networks
  • Employee Performance Data

We collect sensitive personal data and do so under the following legal basis:

  • Health
    • 9(2)(a) – Explicit consent of the data subject

We collect your personal data from the following indirect sources:

| Data subject type | Personal data type | Indirect source name |
|---|---|---|
| Customers / Clients | Location Information | Credit Agency |
| Customers / Clients | Location Information | Data Broker |
| Customers / Clients | Name | Data Broker |

Who might we share your personal data with?

To maintain and improve our services, your personal data may need to be shared with or disclosed to service providers, other Controllers or, in some cases, public authorities. We may be mandated to disclose your personal data in response to requests from a court, police services or other regulatory bodies. Where feasible, we will consult with you prior to making such disclosure and, in order to protect your privacy, we will ensure that we disclose only the minimum amount of your information necessary for the required purpose.

We transfer personal data to the following organisations and countries:

| Data subject type | Organisation name | Type | Country |
|---|---|---|---|
| Service Providers | Banking Provider | Controller | United Kingdom |
| Service Providers | Companies House | Controller | United Kingdom |
| Service Providers | Disclosure Scotland | Controller | United Kingdom |
| Service Providers | HMRC | Controller | United Kingdom |
| Suppliers | Banking Provider | Controller | United Kingdom |
| Suppliers | HMRC | Controller | United Kingdom |
| Children | Private Healthcare Provider | Controller | United Kingdom |
| Consultants | Banking Provider | Controller | United Kingdom |
| Consultants | Commercial Finance Provider | Controller | United Kingdom |
| Consultants | Companies House | Controller | United Kingdom |
| Consultants | Disclosure Scotland | Controller | United Kingdom |
| Consultants | Financial Auditor | Controller | United Kingdom |
| Consultants | HMRC | Controller | United Kingdom |
| Consultants | Insurance Provider | Controller | United Kingdom |
| Contractors | Banking Provider | Controller | United Kingdom |
| Contractors | Commercial Finance Provider | Controller | United Kingdom |
| Contractors | Corporate Travel Provider | Controller | United Kingdom |
| Contractors | Disclosure Scotland | Controller | United Kingdom |
| Contractors | Financial Auditor | Controller | United Kingdom |
| Contractors | HMRC | Controller | United Kingdom |
| Contractors | SIA | Controller | United Kingdom |
| Contractors | SSAIB | Controller | United Kingdom |
| Customers / Clients | Banking Provider | Controller | United Kingdom |
| Customers / Clients | Commercial Finance Provider | Controller | United Kingdom |
| Customers / Clients | Companies House | Controller | United Kingdom |
| Customers / Clients | Financial Auditor | Controller | United Kingdom |
| Customers / Clients | HMRC | Controller | United Kingdom |

How do we look after personal data?

We limit the personal data we collect to what is fit for the purpose, as described above. We restrict, secure and control all of our information assets, whether physical or electronic, against unauthorised access, damage, loss or destruction. We retain personal data only for as long as is described above, to respond to your requests, or longer if required by law. If we retain your personal data for historical or statistical purposes, we ensure that the personal data cannot be used further. While your personal data is in our possession, we try, with your assistance, to maintain its accuracy.

How can you access your personal data?

You have the right to request access to any of your personal data we may hold. If any of that information is incorrect, you may request that we correct it. If we are improperly using your information, you may request that we stop using it or even delete it completely.

If you would like to make a request to see what personal data of yours we might hold, you may make a request from our company website or here.

Where you have previously given your consent to process your personal data, you also have the right to request that we port or transfer your personal data to a different service provider or to yourself, if you so wish.

Where it may have been necessary to get your consent to use your personal data, at any moment, you have the right to withdraw that consent. If you withdraw your consent, we will cease using your personal data without affecting the lawfulness of processing based on consent before your withdrawal.

Our Data Protection Officer

Shaun Wilcock
shaun.wilcock@orbisprotect.com
Telephone: +08000 830 850

Our Supervisory Authority

You have the right to lodge a complaint with any Supervisory Authority. See our Supervisory Authority contact details below.

The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
United Kingdom
international.team@ico.org.uk
+44 1625 545 745
www.ico.org.uk