Data Protection & Security Policy

​​

Get Swarms Limited
Publication date: 16 June 2025

​

This Policy relates to information from which individuals can be identified and sets out how the Company will manage such information.  

 

1. DEFINITIONS  

 

Throughout this Policy, the following definitions apply:  

 

Company name: Get Swarms Limited  

 

Company Personnel: all employees, workers, contractors, agency workers, consultants, directors, members.  

 

Data Controller: the person or organisation that determines when, why and how to process Personal Data.  

 

Data Protection Act 2018: the Data Protection Act 2018, as amended from time to time.  

 

Data Subject: an identified or identifiable individual about whom we hold Personal Data.  

 

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity.  

 

Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the GDPR. Where a DPO has not been appointed, this term refers to the data protection compliance manager or refers to the Company data protection/privacy team with responsibility for data protection compliance.  

 

General Data Protection Regulation (GDPR): the EU General Data Protection Regulation.  

 

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers. 

  

Personal Data Breach: the loss, or unauthorised access, disclosure or acquisition of Personal Data. 

  

Privacy Guidelines: the Company Privacy/GDPR and Data Protection Act 2018 related guidelines provided to assist in interpreting and implementing this Data Protection Policy and Related Policies, as amended from time to time. These are available from the Operations Director.  

 

Privacy Notices: separate notices setting out information that may be provided to you that details why we collect information about you and what we do with it.  

 

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.  

 

Related Policies: the Company’s policies, operating procedures or processes related to this Data Protection Policy and designed to protect Personal Data, as amended from time to time.  

 

Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.  

 

1. INTRODUCTION  

 

This Data Protection Policy applies to all Personal Data the Company processes regardless of how that data is stored or whether it relates to past or present employees, apprentices, workers, contractors, agency workers, volunteers and interns. Separate policies in respect of data subjects who are job applicants, customers, suppliers are available from the Director.  

 

This Data Protection Policy applies to all Company Personnel. You must read, understand and comply with this Data Protection Policy. You must also comply with all such Related Policies and Privacy Guidelines, including any amendments. Any employee who is found to have breached this Data Protection Policy may be subject to disciplinary action up to and including summary dismissal.  

 

1. SCOPE  

 

We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful business operations. It is a critical responsibility that we always take seriously. 

  

Whilst employees are required to comply with the terms of this Data Protection Policy, it does not form part of their employment contract. 

 

Please contact the Operations Director with any questions about the operation of this Data Protection Policy or if you have any concerns that this Data Protection Policy is not being or has not been followed.  

 

1. TYPES OF DATA WE HOLD  

 

Personal data is kept in personnel files or within the Company’s HR systems. The type of data held by the Company includes but is not limited to the following:  

 

• name, address, phone numbers - for individual and next of kin  

• CVs and other information gathered during recruitment  

• references from former employers  

• National Insurance numbers  

• job title, job descriptions and pay grades  

• conduct issues such as letters of concern, disciplinary proceedings  

• holiday records  

• internal performance information  

• medical or health information  

• sickness absence records  

• tax codes  

• terms and conditions of employment  

• training details  

• driving records.  

 

Relevant individuals should refer to the Company’s Privacy Notice for more information on the reasons for its processing activities, the lawful bases it relies on for the Processing and data retention periods.  

 

1. PERSONAL DATA PROTECTION PRINCIPLES 

  

1. LAWFULNESS AND FAIRNESS 

Data may only be collected by the Company if the Processing is fair, lawful and for specified purposes, some of which are set out below:  

• the Data Subject has given his or her consent.  

• the Processing is necessary for the performance of a contract with the Data Subject.  

• to meet our legal compliance obligations.  

• to protect the Data Subject’s vital interests.  

• to pursue our legitimate interests.  

 

5.2 CONSENT  

In some circumstances consent maybe required. Consent should be freely given, specific and informed. It may also be withdrawn at any time. 

 

5.3 TRANSPARENCY 

Information in relation to how and why we collect data will be provided through appropriate Privacy Notices. 

 

5.4 PURPOSE LIMITATION  

Personal Data will be collected only for specified, explicit and legitimate purposes. It will not be further Processed in any manner incompatible with those purposes. We will not Process Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless the Data Subject has been informed and has consented where necessary.  

 

5.5 DATA MINIMISATION  

Personal Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. When Personal Data is no longer needed, it is deleted or anonymised in accordance with the Company’s data retention guidelines. 

 

5.6 ACCURACY  

We will ensure that the Personal Data we use, and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. We will take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data 

  

5.7. STORAGE LIMITATION  

Personal Data will be kept in an identifiable form for no longer than is necessary for the purposes for which the data is processed.  

 

1. SECURITY INTEGRITY AND CONFIDENTIALITY 

  

1. PROTECTING PERSONAL DATA  

Personal Data will be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage. You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction as set out in our Information Technology Policy. Where you work remotely, whether at home or at client sites, or Process Personal Data on personal devices, you must follow all guidance we issue in relation to this. Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.  

1. REPORTING A PERSONAL DATA BREACH  

The GDPR and Data Protection Act 2018 requires Data Controllers to notify any Personal Data Breach to the applicable regulatory and, in certain instances, the Data Subject. We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so within 72 hours. If you know or suspect that a Personal Data Breach has occurred, you should contact the Operations Director immediately. 

 

1. TRANSFER LIMITATION  

 

Where it appears necessary to transfer Personal Data outside of the UK, you must first contact the Operations Director for guidance on how this can be achieved within the scope of the GDPR and Data Protection Act 2018. 

 

1. COMPANY PROCEDURES  

The Company has appointed the Operations Director with a specific responsibility for protecting the personal data of individuals in respect of processing and controlling the data. If you wish further information in relation to the steps taken, please contact the Operations Director.  

 

1. DATA SUBJECT’S RIGHTS AND REQUESTS  

 

Data Subjects have certain rights when it comes to how we handle their Personal Data.  

These include rights to: withdraw consent to Processing; receive certain information about the Data Controller’s Processing activities; request access to the Personal Data that we hold; ask us to erase Personal Data if it is no longer required for the purpose for which it was collected or Processed; to rectify inaccurate data; to complete incomplete data; restrict Processing in specific circumstances; challenge Processing which has been justified on the basis of our legitimate interests or in the public interest; prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else; be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms; make a complaint to the supervisory authority.  

You must immediately forward any Data Subject request you make or receive to the Operations Director and comply with the Company’s Data Subject response process. 

  

1. ACCOUNTABILITY 

 

We implement appropriate technical and organisational measures to ensure compliance with data protection principles. Our policies and procedures are one way in which we demonstrate our compliance with the GDPR and Data Protection Act 2018.  

 

1. RECORD KEEPING  

 

Where required by the GDPR and Data Protection Act 2018 we will keep full and accurate records of all our data Processing activities. In addition, we will keep records of Data Subjects’ consents and procedures for obtaining consents, in accordance with the Company’s record keeping guidelines. 

  

1. TRAINING AND AUDIT  

 

We require all Company Personnel to read and understand the Data Protection Policy when they are inducted. In addition, you will be required to undergo training appropriate to your role to enable you to comply with the GDPR and Data Protection Act 2018. 

 

1. SHARING PERSONAL DATA 

 

We will only share Personal Data with third parties where certain safeguards and contractual arrangements have been put in place.  

We only share the Personal Data we hold with third parties, including but not limited to our service providers such as benefits providers, payroll providers and professional advisors if:  

• we have a lawful basis for doing so.  

• sharing the Personal Data complies with the Privacy Notices provided to the Data Subject and, if applicable, consent has been obtained; and  

• the third party has agreed to comply with the required data security policies and procedures and put adequate security measures in place.  

 

1. CHANGES TO THIS DATA PROTECTION POLICY 

  

We reserve the right to change this Data Protection Policy at any time without notice to you.  

 

This Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where the Company operates 

​

Approved by Get Swarms Limited’s Board.

Signed on behalf of Get Swarms Limited by:

​

Amit Jain

Managing Director
Date: 16 June 2025

​