Data Protection Policy

Decorum Trade Ltd
Data Protection & Privacy Policy

1. Purpose & Scope

Decorum Trade Ltd (“Decorum”, “we”, “our”, “us”) processes personal data relating to:

  • current, former and prospective employees,
  • customers and end-users,
  • suppliers, contractors and service partners, and
  • visitors to our premises, websites or digital services.
This Policy applies to all processing of personally identifiable information (“Personal Data”) in any format or location, whether or not the processing is covered by the UK General Data Protection Regulation (“UK GDPR”) or the Data Protection Act 2018 (“DPA 2018”). Where UK GDPR does not directly apply, we nevertheless adopt its standards as a matter of corporate policy to afford maximum protection to Decorum.

2. Our Legal & Contractual Bases for Processing

We will only process Personal Data when at least one lawful basis under Article 6 UK GDPR applies:

Lawful basis and typical examples relevant to Decorum:

  • Contract – Accepting an order, registering warranties, providing support or repairs.
  • Legal obligation – VAT & corporation-tax records (HMRC), health-and-safety reporting, employment law.
  • Legitimate interests – Network security, CCTV crime prevention, direct B2B marketing (subject to PECR), supplier due diligence. We balance our interests against the data subject’s rights.
  • Consent – Optional marketing where not covered by legitimate interest, installation of non-essential cookies.
  • Vital interests – Emergency medical information, safeguarding staff or visitors.
  • Public task – Rare; applied only if we process on behalf of a public authority.

For special category or criminal-offence data, we additionally meet an Article 9 or 10 condition (e.g., employment law, legal claims, explicit consent).

3. Data Protection Principles

  • Lawfulness, fairness & transparency – processed in a manner that is lawful, fair and transparent.
  • Purpose limitation – collected for explicit, specified purposes and not further processed incompatibly.
  • Data minimisation – adequate, relevant and limited to what is necessary.
  • Accuracy – kept accurate and, where necessary, up-to-date.
  • Storage limitation – retained no longer than is necessary for the purpose(s) or as required by law.
  • Integrity & confidentiality – processed with appropriate technical and organisational security.
  • Accountability – we keep demonstrable records of compliance (Article 30 ROPA, DPIAs, audits).
  • International transfers – not transferred outside the UK without an approved mechanism (UK IDTA, APEC CBPR, adequacy regulations or explicit informed consent).

4. Roles & Responsibilities

Role and core responsibilities:

  • Board of Directors – Ultimate accountability for data protection compliance and risk appetite.
  • Data Protection Officer (DPO) – Finance Director – Advises on obligations, conducts DPIAs, handles data-subject requests (“DSRs”), liaises with the ICO. Contact: info@decogroup.co.uk
  • All staff & contractors – Must only access, use or disclose Personal Data as authorised, follow security procedures, complete annual training, and report incidents immediately.

Unauthorised processing, disclosure or disposal of data may be treated as gross misconduct and could constitute a criminal offence under s.170 DPA 2018.

5. Information We Collect & Why

For each category of data: examples, purpose / lawful basis, and retention (minimum / typical maximum):

  • Identity & contact data – Examples: name, address, email, phone, employee NI number. Purpose / lawful basis: contract, legal obligation. Retention: 6 years after contract ends (statutory limitation).
  • Transactional data – Examples: orders, invoices, warranty registrations. Purpose / lawful basis: contract, legal obligation. Retention: 7 years (HMRC).
  • Technical data – Examples: IP addresses, device identifiers, log files. Purpose / lawful basis: legitimate interests (security), consent (analytics cookies). Retention: 12 months (logs).
  • CCTV footage – Examples: images of visitors and staff. Purpose / lawful basis: legitimate interests (crime prevention). Retention: 30 days unless required for an investigation.
  • Special category data – Examples: health & safety incident reports, diversity monitoring. Purpose / lawful basis: legal obligation, employment law, explicit consent. Retention: as required by law / 3 years post-employment.

Where we cannot specify a fixed period, we apply documented retention reviews and securely erase or anonymise data once no longer required.

6. Data Security Measures

  • Physical – controlled premises access, CCTV, secure shredding.
  • Technical – AES-256 encryption at rest, TLS 1.3 in transit, MFA, segregated networks, vulnerability scanning and penetration testing.
  • Organisational – ISO 27001-aligned policies, least privilege, supplier security due-diligence, incident-response plan (72-hour ICO notification window).

The data subject remains responsible for maintaining strong, unique passwords and securing any device used to access our services. Decorum excludes liability for losses arising from a user’s negligent security practices except where prohibited by law.

7. Data-Subject Rights & Requests

Under UK GDPR individuals enjoy rights to: access, rectification, erasure, restriction, portability, objection, and not to be subject to solely automated decisions.

DSRs should be emailed to info@decogroup.co.uk or mailed to “The DPO” at our registered office. We will:

  • respond within one calendar month (90 days for complex requests);
  • not charge a fee unless a request is manifestly unfounded, excessive or repetitive, in which case we may refuse or charge a reasonable administrative fee (Article 12(5) UK GDPR); and
  • require identity verification before releasing any Personal Data.

8. Disclosures & International Transfers

We may share Personal Data strictly on a need-to-know basis with:

  • payment processors, couriers, warranty service centres, insurers, professional advisers;
  • vendors and their authorised data partners to register products or analyse sell-out volumes;
  • police, regulators or courts where required by law or to defend legal claims;
  • prospective purchasers or investors under NDAs in the context of a merger or acquisition.
All third-party processors must sign Decorum’s Data Processing Addendum guaranteeing UK GDPR-equivalent safeguards, audit rights and breach-reporting duties.

9. Marketing & Cookies

  • B2B communications – we rely on Legitimate Interests for relevant product and service updates. You may opt out at any time.
  • B2C / end-user marketing – sent only with verifiable opt-in consent.
  • Cookies – essential cookies operate under Legitimate Interests; non-essential cookies are disabled until the user consents via the cookie banner. Our full Cookie Notice lists providers, purposes and lifespans.
  • We never sell Personal Data.

10. Closed-Circuit Television (CCTV)

  • CCTV is deployed at all Decorum sites for crime prevention, detection and the safety of staff and visitors.
  • Signage is displayed prominently.
  • Live feeds are restricted to authorised staff.
  • Footage is automatically overwritten after 30 days unless required for an investigation or to comply with a lawful request.

11. Data Breaches

Any actual or suspected Personal Data Breach must be reported to info@decogroup.co.uk immediately. We will investigate, mitigate risks, notify the ICO within 72 hours where required, and inform affected data subjects without undue delay when there is a high risk to their rights and freedoms.

12. Policy Governance & Updates

  • This Policy is approved by the Board and reviewed at least annually or upon:
    • changes in legislation or regulatory guidance,
    • material changes to Decorum’s processing activities, or
    • significant security incidents.
  • We may amend the Policy at our discretion. Updated versions will be published on our websites with a new “effective date”. Continued use of our services after that date constitutes acceptance of the revised terms.

13. Contact & Complaints

Questions, concerns or complaints should be directed to the DPO (details above). Data subjects may lodge a complaint with the UK Information Commissioner’s Office (“ICO”) if unsatisfied with our response (ico.org.uk).

© Decorum Trade Ltd 2025 – All rights reserved