1. Purpose
This policy establishes an effective, accountable, and transparent framework for ensuring
compliance with the requirements of the UK General Data Protection Regulation (UK
GDPR) and the Data Protection Act 2018.
2. Scope
This policy applies to all Salons Connect employees, contractors, and third parties who
process personal data on behalf of the company. It covers all processing of personal data
relating to employees, clients, suppliers, and any other data subjects.
3. Policy Statement
BCC Connect Ltd is committed to conducting its business in full compliance with all
applicable data protection laws and in line with the highest standards of ethical conduct.
As a Data Controller, BCC Connect Ltd is responsible for ensuring that personal data is:
• Collected, used, retained, transferred, disclosed, and destroyed lawfully and fairly.
• Handled with the appropriate safeguards to protect individual rights.
• Processed in compliance with the principles outlined in the UK GDPR.
Any breach of this policy will be taken seriously and may result in disciplinary action or
contractual termination.
3.1 Governance
• Data Protection Officer (DPO): BCC Connect Ltd appoints a Data Protection
Officer to oversee compliance and provide guidance. The DPO will act independently,
report to senior management, and liaise with the Information Commissioner’s Office
(ICO) where necessary.
• Data Protection by Design: All new systems, processes, or projects involving
personal data must undergo a Data Protection Impact Assessment (DPIA) before
implementation.
• Compliance Monitoring: The DPO will conduct periodic audits and reviews of data
protection practices to ensure adherence.
3.2 Data Protection Principles
BCC Connect Ltd follows the seven core principles of data protection:
1. Lawfulness, Fairness, and Transparency
2. Purpose Limitation
3. Data Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality
7. Accountability
3.3 Data Collection
• Data will normally be collected directly from the data subject unless lawful
exceptions apply.
• Consent will be sought where required, and records of consent will be maintained.
• Clear and accessible Privacy Notices will be provided to explain how data is used.
3.4 Data Use
• Personal data will only be processed where there is a lawful basis (consent,
contract, legal obligation, vital interests, public task, or legitimate interests).
• Special category data will only be processed under strict conditions and with
appropriate safeguards.
• Children’s data will only be processed with appropriate parental/guardian consent
where required.
• Profiling and automated decision-making will only be used in compliance with UK
GDPR and with safeguards to protect data subjects.
• Digital marketing activities will comply with the Privacy and Electronic
Communications Regulations (PECR).
3.5 Data Retention
• Personal data will not be retained longer than necessary.
• A Data Retention Schedule will be maintained in line with legal, regulatory, and
business requirements.
3.6 Data Protection
BCC Connect Ltd will implement appropriate technical, organisational, and physical
security measures to protect personal data, including:
• Access controls and authentication.
• Encryption and secure transmission of data.
• Regular system monitoring and logging.
• Secure disposal of records.
3.7 Data Subject Rights
BCC Connect Ltd will ensure that individuals can exercise their rights under the UK GDPR,
including:
• Right of access
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to restrict processing
• Right to object
• Right to data portability
• Rights relating to automated decision-making and profiling
Requests can be submitted by email to: [Insert company DPO contact email]
3.8 Law Enforcement Requests & Disclosures
BCC Connect Ltd may disclose personal data without consent where required by law, for
example:
• Prevention or detection of crime
• Legal or regulatory obligations
• Tax or law enforcement purposes
All such requests will be reviewed by the DPO.
3.9 Data Protection Training
• All employees handling personal data will receive data protection training during
induction and at regular intervals.
• Refresher training will be provided in line with regulatory updates or following
incidents.
3.10 Data Transfers
• Data will only be transferred outside the UK where appropriate safeguards are in
place (adequacy decision, Standard Contractual Clauses, or Binding Corporate
Rules).
• Data subjects will be informed where international transfers apply.
3.11 Complaints Handling
• Complaints regarding data protection should be submitted to the DPO.
• If not resolved, complaints can be escalated to the ICO.
3.12 Breach Reporting
• All employees must immediately report any suspected personal data breaches to
the DPO.
• The DPO will investigate and notify the ICO and affected individuals where legally
required.
4. Roles and Responsibilities
• Directors & Senior Management: Ensure resources and commitment to
compliance.
• Employees: Comply with this policy and report breaches or risks.
• Third-Party Processors: Must comply with this policy through appropriate
contractual agreements.
5. Review
This policy will be reviewed at least every 3 years, or earlier if legislation or company
practices change.
6. Records Management
• Records relating to this policy will be retained for 5 years.
• Records must be stored securely and only accessible by authorised personnel.
7. Terms and Definitions
• 2018 Act – The Data Protection Act 2018, UK law that works alongside the UK GDPR.
• UK GDPR – The UK’s data protection rules (based on the EU GDPR but adapted for the
UK after Brexit).
• Data Controller – The company (like BCC Connect Ltd) that decides why and how
personal data is used.
• Data Processor – A person or company that processes personal data on behalf of the
controller (e.g. an IT provider or payroll company).
• ICO (Information Commissioner’s Office) – The UK regulator for data protection.
• Data Protection Officer (DPO) – The person responsible for making sure the company
follows data protection rules.
• Data Subject – Any individual whose personal data we hold (e.g. staff, customers,
suppliers).
• Personal Data – Any information that identifies a person (e.g. name, phone number,
email, address, ID number).
• Privacy Impact Assessment (PIA/DPIA) – A check to make sure a project or system
that uses personal data is safe and compliant.
• Processing – Anything done with personal data: collecting, storing, using, sharing,
deleting, etc.
• Profiling – Using data to analyse or predict someone’s behaviour (e.g. for marketing or
risk scoring).
• Public Authority – A government body or organisation covered by UK data protection
law.
• Regulation – A law that must be followed in full.
• Subject Access Right – The right for someone to see the personal data we hold about
them.
8. Related Legislation & Documents
• UK GDPR
• Data Protection Act 2018
• ICO Guidance
9. Feedback and Suggestions
Employees may provide feedback on this policy to the DPO via [Insert contact email].
10. Approval and Review Details
• Approval Authority: Board of Directors, BCC Connect Ltd
• Approval Date: 26/09/2025
• Next Review Date: 26/09/2026
• Approved by: Directors of BCC Connect