General Data Protection Regulations (2018)...

Privacy Policy of Wellsteed Associates Limited

1. Introduction

1.1 Privacy laws about how organisations collect and use personal data changed on May 25th 2018 when the General Data Protection Regulations (GDPR), as supplemented by the UK Data Protection Act 2018, came into force.

1.2 This data protection framework has created new obligations for organisations, whilst strengthening the rights that individuals have over the processing of their personal information.

1.3 This privacy policy document describes how Wellsteed Associates Limited processes personal data. If you wish to contact us directly about this policy, please phone 0118 9331098 to speak with one of two Directors, namely Lorna Wellsteed or Andrew Foster. The Directors are also contactable on Email at

2. Wellsteed Associates Limited and Data Protection

2.1 We process personal data to help us provide an extensive range of consultant interventions, services and products. We also deal with enquiries, gather client feedback, undertake market research and direct marketing, including analysis to create profiles, in our legitimate interests, to promote our business and improve our service and its delivery.

2.2 When clients commission our services, we never actively seek sensitive personal data. If a client or someone on the client’s behalf provides such information, explicit consent to process the information must be given. In some cases, it may be permissible for us to have such data if it is in the client ’s vital interests.

2.3 For some activities, Wellsteed Associates Limited may use approved third party service providers who are typically our Associates. Clients’ personal data is disclosed to our Associates only where it is necessary to provide the service or where it is in our legitimate interests.

2.4 Personal data may also be shared with regulators, government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim or for regulatory purposes.

2.5 When we collect basic information (e.g. a client’s name and contact details), we ensure that we process, store and share that data safely and securely. We encrypt our devices and we use anti-virus software. We lock away paper documents and computers and we use ‘cloud’ storage. We make and retain back-ups securely and we personally shred all unneeded documents. Lastly, we ensure that ‘auto complete’ is always disabled when we are in email.

2.6 When we process personal data on the basis of a client’s consent, we retain it only for as long as it is required for a specified purpose (e.g. for the duration of a consultant intervention or work programme, an internal or external investigation, litigation, in accordance with statutory limitation periods and for tax, legal or regulatory purposes to protect contractual or legal rights). Where the same personal data is processed for two or more purposes, we will retain it for the longest period.

2.7 We store financial information for a period of 7 years, for accounting, business reporting, analysis and audit purposes.

2.8 Regarding posts on social media about our business, we may use a client’s contact details to respond to any complaints or comments, on the legal basis of our legitimate interests.

2.9 Personal data and personal identifiers (e.g. titles, names, postal and email addresses, postcodes, IP addresses, contact telephone numbers) help us to develop and market the products and services that clients request. Amongst many things, we are able to verify a client’s identity, improve our communication with clients, develop networks, processes and premises to prevent and detect fraud and protect our business.

3. Consent

3.1 The issue of consent in matters of data protection has central importance. Consent must be clear and affirmative and shown to be given freely. Silence or inactivity does not constitute consent. Written consent must be clear, intelligible and easily accessible. Unless these criteria are met, consent will not be deemed ‘binding’. Consent must also be capable of being withdrawn at any time.

3.2 We process basic information if either a client or a party on a client’s behalf provides this. On other occasions, where we ask a client for consent, we use the personal data for the purposes which we explain at the time.

3.3 Wherever we rely on client consent, the client is always able to withdraw that consent, at any time. We will continue to process the client’s personal data for other purposes on a different lawful basis (other than consent) where that applies or is required.

3.4 In some cases, we are permitted to send clients direct marketing material, without consent and where we are able to rely on our legitimate interests. The client always has the choice to opt out.

3.5 In the unlikely event that the business known as Wellsteed Associates Limited is sold or integrated with another business, basic client details may be disclosed to our advisers and any prospective purchaser’s adviser, where appropriate and with the client ’s consent.

4. The Principles of GDPR

4.1 Seven principles underpin GDPR. They are set out at the start of the legislation and inform everything that follows. They don’t comprise hard and fast rules. Instead, they reflect the spirit and essence of the general data protection regime.

4.2 However, compliance with these key principles is a fundamental building block for good data protection practice. Failure to comply with the principles can leave businesses open to substantial fines. Article 83(5) (a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines.

4.3 Article 5(1) requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals ( ‘lawfulness, fairness and transparency’).

4.4 Article 5(1) requires that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes ( ‘purpose limitation’).

4.5 Article 5(1) requires that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ( ‘data minimization’).

4.6 Article 5(1) requires that personal data shall be accurate and where necessary, kept up to date. Every reasonable step must be taken to ensure that whenever personal data is shown to be inaccurate, having regard to the purposes for which the data has been processed, it must be erased or rectified without delay ( ‘accuracy’).

4.7 Article 5(1) requires that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation ’).

4.8 Article 5(1) requires that personal data shall be processed in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ( ‘integrity and confidentiality’).

4.9 Article 5(2) adds that the Controller shall be responsible for and able to demonstrate compliance with, paragraph 1 ( ‘accountability’).

5. Data Protection Rights

5.1 Data protection is a right and GDPR gives us all some control about how our personal information is used. The European Convention on Human Rights says that any infringement of data protection rights must be necessary, proportionate, appropriate and justified.

5.2 The role of The Data Controller is to facilitate the exercise of the Data Subjects’ Rights which comprise the right to be informed; the right to request access to personal information that is held about you; the right to rectify personal data that is inaccurate or incomplete; the right to object by asking that your personal data no longer be processed; the right to be forgotten by requesting the erasure of personal information; the right to request that the processing of your personal information be restricted pending the conclusive consideration of any other outstanding requests that you have made (e.g. a request for erasure); the right to request a review by a person in the event of a decision having been made solely by using an automated computerised process and which legally affects you and the right to request that personal information is transferred into a portable electronic machine readable format and is capable of being transmitted to someone else.

6. How does Wellsteed Associates Limited facilitate your Rights?

6.1 The right to be informed – when we seek to collect information from you, we inform you why we need to process your personal information, including advising you about how we propose to use it, who we intend to share it with and the safeguards we have put in place. If we receive information about you from someone else, we will usually tell you before we use or share the personal information, unless we are aware that you already have this information or, where the law says this is not necessary (e.g. in the event that it may be prejudicial to ongoing law enforcement and criminal investigations).

Wellsteed Associates Limited


6.2 The right to request access to your personal information - when we fulfil an access request, we advise you of the reasons why it is necessary to process your personal information. We also tell you about the types of personal information that we process, the recipients or categories of recipient to whom your personal information has been or will be disclosed and where possible, the envisaged period for which your personal information will be stored. If this is not possible, we will specify the criteria which will be used to determine that timeframe. In some cases, information may be so interlinked to the extent that it is not possible to meet a request for access to information without breaching another person's privacy rights. We may therefore redact personal information about other persons, including third parties, where we are satisfied it is reasonable to do in the prevailing circumstances. We will always explain to you if we have redacted any information that identifies third parties and if we withhold information on the basis that it is exempt from disclosure. Where achievable, we will explain the exemption(s) that we are relying on and the reason why one or more exemptions may apply. In certain circumstances, we may refuse to respond to an access request if we consider that it is unfounded, excessive or repetitive in nature.

6.3 The right to request that your personal data be rectified – when we are made aware that we hold personal information about you that is either inaccurate or incomplete, we comply with this right by way of updating and correcting and completing the information that we hold.

6.4 The right to object - where you object to us using your personal information for direct marketing, or profiling linked to direct marketing, we will cease processing for this purpose(s). Likewise, if you object to the use of your personal data for either scientific/historical research and/or statistical purposes, the request will be considered robustly. Where processing is carried out for the purpose of measures or decisions with respect to particular individuals, in accordance with the law and/or is necessary for specified bodies to carry out approved medical research, it may not be possible to comply with your request. Where the law requires us to process your information to meet our statutory functions and public tasks, including law enforcement functions, it is also very likely that we will not be able to assist with the request (e.g. when we take measures to protect the health and safety of our staff; when we are establishing, exercising or defending our legal rights or when we are pursuing criminal investigations or proceedings). In instances where we do not uphold an objection, we explain our reasons in writing. Furthermore, you have the right to complain to the Information Commissioner.

6.5 The right to request the erasure of personal information - in defined circumstances (e.g. if we are storing your personal information for longer than is necessary or if it is in breach of a legal obligation that requires its erasure), you may withdraw your consent and ask us to erase your personal information where there is no legal ground for processing it or where we have accepted your objection. However, there are circumstances when it is not possible to agree to an erasure request on the grounds that it may be necessary for us to retain the information (e.g. in the interests of freedom of expression, in order to comply with a legal obligation, for archiving in the public interest, for public health functions in the public interest or for exercising legal rights or defending legal claims). If a request has the potential to reveal personal data about another person or if we are asked to erase information which we are required to retain by law, we may have a compelling justification for processing the information. We will inform you about the relevant exemptions we rely upon when responding to a request.

6.6 The right to request that the processing of personal information is ‘restricted’ – may be exercised in circumstances when we need time to consider your representations, where we contest the accuracy of the personal information that we hold about you or when you have objected to our processing your information when it has already been determined that such processing is 'unlawful' and that you have asked us to retain and 'restrict' its use when we no longer need to retain the personal information but you further ask us to retain it for the establishment, exercise or defence of your own legal claims. If we decide a restriction is appropriate, we will seek to notify any recipients of your personal information and advise you of their name(s), should you so wish. Where a restriction is applied pending a determination of 'accuracy' or any 'objection' which that you may have submitted, we will advise you about the outcome(s) of your representations prior to lifting the restriction, if so indicated. When there is a different reason for the restriction, the erasure of the personal information will not take place until we have resolved any outstanding evidential issues with you. Furthermore, where processing is restricted, as well as storing your personal information we will only process it during the period of restriction with your consent, or if it is necessary for the establishment, exercise or the defence of legal claims, or for the protection of the rights of another person or for reasons of important public interest.

6.7 The right to complain to the Information Commissioner about the significance and potential consequences and impact of profiling - where decisions are made about you using only automated means and without human intervention. Where an automated decision is made about you, you are entitled to be informed that the processing activity involves automated decision making. Furthermore, we will advise you about the logic involved and the likely consequences of the processing. You also have a right to be told which measures and safeguards have been implemented to protect your privacy. Within 1 month of your receipt of this notification, you also have the rights to contest the automated decision and to ask that the automated decision be reconsidered by an appropriate person with the authority/seniority to reach a fresh decision that is not based solely on automated processing. If you contest an automated decision and ask for it to be reconsidered, we will respond within the allowed time period and advise you promptly whether or not a fresh decision has led to the same or a different outcome.

6.8 You have the right to request that the personal data which you have provided (e.g. for a contract or with your consent) is placed in a portable electronic machine readable format and is capable of being shared with another controller. This helps to ensure that you are able to transmit the personal information to someone else. Lastly, you also have the right to complain to a supervisory authority regarding the source(s) of any personal information that we hold that has not been collected directly from you.

Glossary of Terms

Automated Decision-Making (ADM) refers to a decision which is based solely on Automated Processing (including Profiling) which produces legal effects or significantly affects an individual. The GDPR generally prohibits Automated Decision-Making except in defined circumstances, subject to certain conditions and safeguards being met.

Automated Processing means any processing of personal information that is automated through the use of computers and computer software.

Consent is such that it must be freely given, specific, informed and unambiguous indication of an individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller denotes the person or organisation that determines when, why and how to process personal information.

Data Protection Act 2018 means UK legislation that repeals the 1998 Act; implements discretions delegated to EU Member States under the GDPR; provides for the role, responsibilities and enforcement powers of the Information Commissioner and sets data protection standards for processing activities that do not fall within the purview of the GDPR.

Data Subject refers to a living, identified or identifiable individual about whom we, in the role of Controller, hold personal information.

General Information Protection Regulation (GDPR) means the General Information Protection Regulation ((EU) 2016/679).

Personal information means any information relating to an identified or identifiable living person. An identifiable person is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier.

Privacy Notices are notices setting out the information given to you at the time we collect information from you or within a reasonable time period after we obtain information about you from someone else. These notices may take the form of an overarching privacy statement or apply to a specific group of individuals (e.g. service specific or employee privacy notices) or they may be stand-alone, one time privacy statements covering processing and related to a specific purpose.

Processing means any activity that involves the use of personal information. It includes obtaining, recording or holding the information, or carrying out any operation or set of operations on the information including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal information to other Recipients.

Profiling connotes the recording and analysis of a person's psychological and behavioural characteristics, so as to assess or predict their capabilities in a certain sphere or to assist in identifying categories of people.

Recipient means a person or organisation who receives your personal information from us. This may be a company with whom we have entered into a contract to provide services on our behalf or another Controller with whom we are either required or permitted to share personal information.

Special or Sensitive Personal information is information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and personal information relating to criminal offences and convictions.

Third Party is a living individual other than the person who is the data subject.



Any changes to this Privacy Notice will be communicated here on the Wellsteed Associates Limited website.

Wellsteed Associates Limited, (Company Number: 7983580), is a Registered Office in Stratfield Mortimer, Near Reading, Berkshire, RG7 3PE, UK.