UK GDPR & Data Protection Policy

Last updated: 20 January 2026

This UK GDPR & Data Protection Policy explains in detail how TAS Partnership Ltd complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and related data protection legislation.

This document is intended to provide transparency regarding our data protection governance, principles, controls, and procedures. It supplements our Privacy Policy and Cookie Policy.


1. Data Controller details

Organisation: TAS Partnership Ltd
Registered / Trading Address: Guildhall House, 59–61 Guildhall Street, Preston, Lancashire, PR1 3NU, United Kingdom
Email: info@taspartnership.co.uk
Telephone: 01772 204 988
Website: https://taspartnership.co.uk

TAS Partnership Ltd acts as the Data Controller for all personal data processed in the course of its business unless otherwise stated.


2. Purpose of this policy

This policy sets out:

  • How we comply with the UK GDPR principles
  • Our lawful bases for processing personal data
  • How personal data is collected, stored, used, and shared
  • How we protect personal data
  • How individuals can exercise their rights
  • How data protection risks are managed

3. UK GDPR principles

We process personal data in accordance with the seven principles set out in Article 5 UK GDPR:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

We are responsible for, and able to demonstrate, compliance with these principles.


4. Lawful bases for processing (Article 6)

We only process personal data where at least one lawful basis applies. Depending on the activity, these include:

  • Consent – where the individual has freely given clear and informed consent
  • Contract – where processing is necessary for the performance of a contract or pre-contractual steps
  • Legal obligation – where processing is required by law
  • Vital interests – where processing is necessary to protect life (rare)
  • Public task – where processing is carried out in the public interest (where applicable)
  • Legitimate interests – where processing is necessary for our legitimate business interests and does not override individual rights

Where legitimate interests are relied upon, a Legitimate Interests Assessment (LIA) is undertaken where appropriate.


5. Special category data (Article 9)

Special category data includes information about health, race, ethnicity, religion, sexual orientation, biometric data, and similar sensitive data.

We do not routinely process special category data. Where it is processed, we ensure:

  • A valid Article 6 lawful basis applies
  • An Article 9 condition applies (e.g. explicit consent, employment obligations)
  • Enhanced security and access controls are implemented
  • Processing is strictly limited and documented

6. Criminal offence data (Article 10)

We do not routinely process criminal conviction or offence data. Where required by law or contract, such data is processed only with appropriate safeguards in place.


7. Data protection by design and by default

We embed data protection into the design of systems, services, and processes. This includes:

  • Collecting only the minimum data necessary
  • Restricting access on a need-to-know basis
  • Applying privacy-friendly default settings
  • Assessing privacy risks before new processing begins

8. Data Protection Impact Assessments (DPIAs)

Where processing is likely to result in a high risk to individuals’ rights and freedoms, we conduct a Data Protection Impact Assessment (DPIA).

DPIAs assess:

  • The necessity and proportionality of processing
  • Risks to individuals
  • Measures to mitigate those risks

9. Data security measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Access controls and role-based permissions
  • Password policies and secure authentication
  • Encryption where appropriate
  • Secure storage and backups
  • Patch management and system updates
  • Staff confidentiality obligations

10. Data breaches

A personal data breach includes unauthorised access, loss, disclosure, or destruction of personal data.

We maintain procedures to:

  • Identify and contain breaches promptly
  • Assess risk to individuals
  • Notify the ICO within 72 hours where required
  • Notify affected individuals where there is a high risk
  • Document all breaches and remedial actions

11. Data retention and disposal

Personal data is retained only for as long as necessary to fulfil its purpose and to meet legal requirements.

We apply documented retention periods and ensure secure disposal through deletion, anonymisation, or destruction.


12. Individual rights

Individuals have the following rights under UK GDPR:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

Requests can be made to info@taspartnership.co.uk. We respond within statutory timeframes.


13. International data transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards, including adequacy regulations or approved contractual clauses.


14. Data processors and third parties

Where third parties process personal data on our behalf, we ensure:

  • Written data processing agreements are in place
  • Processors provide sufficient guarantees
  • Processing is limited to documented instructions

15. Training and awareness

Staff and contractors handling personal data are required to understand data protection responsibilities and comply with internal procedures.


16. Governance and accountability

We maintain documentation demonstrating compliance, including:

  • Records of processing activities
  • Policies and procedures
  • Risk assessments
  • Contractual controls

17. Complaints

Concerns about data protection can be raised with us directly. Individuals also have the right to complain to the Information Commissioner’s Office (ICO).


18. Policy review

This policy is reviewed regularly and updated to reflect changes in law, guidance, or our processing activities.


19. Contact details

TAS Partnership Ltd
Guildhall House, 59–61 Guildhall Street, Preston, Lancashire, PR1 3NU
Email: info@taspartnership.co.uk
Telephone: 01772 204 988