Company Name: OffType Ltd
Date of Issue: 1 September 2025
Review Date: 30 August 2026
Approved by: Mariam Aslam-Digger, Managing Director
1. Purpose
OffType Ltd collects, stores, and processes personal data about clients, suppliers, contractors, and employees as part of its business operations.
This policy sets out our commitment to protecting that data and complying fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Our objectives are to:
- Handle personal data lawfully, fairly, and transparently.
- Protect individuals’ privacy and rights.
- Maintain data security across all systems and devices.
- Demonstrate accountability and compliance to regulators, clients, and data subjects.
2. Scope
This policy applies to all employees, freelancers, contractors, and partners who handle personal data on behalf of OffType Ltd, whether held electronically or in paper form.
It covers:
- Client and supplier information.
- Employee and contractor records.
- Marketing and communication data.
- Any personal data collected through our website or events.
3. Legal Framework
OffType Ltd operates under:
- The UK General Data Protection Regulation (UK GDPR);
- The Data Protection Act 2018; and
- The Privacy and Electronic Communications Regulations (PECR) for electronic marketing.
4. Data Protection Principles
We follow the six key principles of the UK GDPR:
- Lawfulness, fairness, and transparency — data will be processed legally, fairly, and clearly.
- Purpose limitation — data will be collected for specific, explicit, and legitimate purposes only.
- Data minimisation — only the minimum necessary data will be collected and processed.
- Accuracy — data will be kept accurate and up to date.
- Storage limitation — data will be retained only for as long as necessary.
- Integrity and confidentiality — data will be processed securely to prevent unauthorised or unlawful access, loss, or damage.
OffType Ltd also recognises the accountability principle, meaning we take responsibility for, and can demonstrate compliance with, all six principles above.
5. Lawful Bases for Processing
We process personal data on one or more of the following lawful bases:
- Consent — when individuals have given clear permission.
- Contract — when processing is necessary to perform a contract or take pre-contract steps.
- Legal obligation — when required to comply with the law.
- Legitimate interests — when processing is necessary for our business operations and does not override individual rights.
6. Individual Rights
Under the UK GDPR, individuals have the right to:
- Be informed about how their data is used.
- Access the data we hold about them.
- Request correction of inaccurate data.
- Request erasure of their data (“right to be forgotten”).
- Restrict or object to processing.
- Request data portability.
- Not be subject to automated decision-making or profiling.
Requests to exercise these rights should be sent to hello@weareofftype.com.
7. Data Security
OffType Ltd applies appropriate technical and organisational measures to protect data, including:
- Encrypted and password-protected systems.
- Secure cloud storage and access controls.
- Up-to-date anti-virus and anti-malware protection.
- Restricted access to personal data based on job role.
- Regular data security training for employees and contractors.
Any suspected data breach must be reported immediately to the Managing Director or Data Protection Lead.
8. Data Breaches
A personal data breach is any event that leads to the accidental or unlawful destruction, loss, or alteration of personal data, or to unauthorised disclosure of, or access to, personal data.
In the event of a breach:
- It must be reported internally within 24 hours.
- A record will be made in the Data Breach Register.
- If there is a risk to individuals’ rights or freedoms, the ICO will be notified within 72 hours.
- Affected individuals will be informed where legally required.
9. Data Retention and Disposal
Personal data will be retained only for as long as necessary to fulfil the purpose it was collected for.
When data is no longer required, it will be securely deleted or destroyed. Retention periods are reviewed annually and set out in our internal Data Retention Schedule.
10. Data Sharing and Third Parties
OffType Ltd will only share personal data with third parties where it is necessary and lawful to do so — for example, with:
- Service providers (e.g. IT support, email platforms, accountants).
- Professional advisers (e.g. legal or financial).
- Regulatory or government bodies where legally required.
All third-party processors must sign a Data Processing Agreement (DPA) confirming compliance with the UK GDPR and our data security standards.
11. International Data Transfers
If data is transferred outside the UK or EEA, OffType Ltd will ensure adequate safeguards are in place, such as:
- Standard Contractual Clauses approved by the ICO; or
- Certification under the UK Extension to the EU–US Data Privacy Framework.
12. Data Protection Roles & Responsibilities
- Managing Director / Data Protection Lead: overall responsibility for compliance, risk management, and responding to data subject requests.
- All Staff & Contractors: must follow this policy and attend training as required.
- Third-Party Processors: must comply with contractual data protection obligations.
Contact for all data protection matters: hello@weareofftype.com
13. Training & Awareness
All staff and regular contractors will receive data protection training during induction and refresher training annually or when significant changes occur.
14. Monitoring & Review
This policy will be reviewed annually or sooner if there are major changes in legislation or OffType Ltd’s operations. Updates will be communicated to all relevant parties.
Signed:
Mariam Aslam-Digger, Managing Director
Date: 1 September 2025