Your privacy is critically important to us and as such we follow the data protection principles under Article 5(1) the GDPR and the DPA 2018:

• (a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
• (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• (d) accurate and, where necessary, kept up to date;
• (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
• (f) processed in a manner that ensures appropriate security of the personal data,

As well as the overarching principle of ‘accountability’ under Article 5(2) of the GDPR .

Below is our Privacy Policy, which incorporates and clarifies these principles.

Who We Are and What This Policy Covers

The GDPR consortium is a group of independent consultants and companies with a diverse range of experience   to offer the best solution for a client to support their specific requirements with understanding of their specific sector and market issues.

Please note that this Privacy Policy relates to the GDPRconsortium website, consortium social media platforms and communications by the consortium as part of DHR Consultancy.

Each member consultant or company is a controller in their own right and individually accountable to the client for their actions. Each member of the consortium, either consultant or company, is required to either publish a privacy notice on their corresponding website or provide it to the client upon request.

This Privacy Policy applies to information that we collect about you when you use:

• Our website
• Connect to our social media account either LinkedIn or Twitter.
• Direct communications via email or telephone
• Requested communications via a 3^rd party i.e. request via another client

Below we explain how we collect, use, and share information about you, along with the choices that you have with respect to that information.

Information We Collect

We only collect information about you if we have a reason to do so–for example, to provide our Services, to communicate with you, or to make our Services better.

The amount and type of information depends on the context and how we use the information. Here are some examples:

• Basic Contact Information:On initial enquiry we will only ask for basic information from you in order to identify your requirement and facilitate communication with the best member consultant. For example, your name, and email address. You may provide us with more information–like your organisation–but we don’t require that information to fulfil your initial enquiry.
• Transaction and Billing Information:If you contract a member consultant –you may provide additional personal and payment information beyond those initially provided during your enquiry, in order to facilitate a payment with the consultant direct. On these occasions the consultant is the controller under article 24 of the GDPR and they will not share this additional information with the consortium or any consortium member.

How And Why We Use Information

Purposes for Using Information

We use information about you as mentioned above and for the purposes listed below:

• To provide our Services–for example, to gather and process your request for contact based upon your description of requirement and allocation of the member consultant best suited to your need
• To monitor and analyse trends and better understand how users interact with our communications, which helps us improve and make them easier to use;
• To measure, gauge, and improve the effectiveness of our advertising, and better understand user retention and attrition–for example, we may analyse how many clients contracted a consultant after visiting our website or using one of our social media platforms.
• To communicate with you, for example through an email, about the progress of your enquiry with the consortium and communication with the assigned member consultant or solicit your feedback on your experience with the assigned consultant.

Legal Bases for Collecting and Using Information

Our legal grounds for processing information about you under EU data protection laws, which is that our use of our information is based on the grounds that:

• The use is necessary in order to facilitate communication and discussion of requirement with a GDPRconsortium member; or
• We have a legitimate interest in using your information–for example, to communicate with you, to measure, gauge, and improve the effectiveness of our advertising, to monitor and prevent any problems with our communications, and to personalise your experience; or
• You have given us your consent–for example before we place certain cookies on your device and access and analyse them later on, as described in our Cookie Policy.

Sharing Information

We share information about you in the limited circumstances spelled out below and with appropriate safeguards on your privacy:

• Consortium members: We may disclose information about you to our members who are independent contractors and controllers in their own right, that need to know the information in order to help us provide the best solution based on the description of your requirements. We require all GDPRconsortium members to have and publish, either on their individual website, if available or provide upon request, and follow the GDPRconsortium Privacy Policy for personal information that we share with them.
• Third Party Vendors: GDPRconsortium members will NOT share your any personal information with third party vendors unless requested to do so by the client.
• Legal Requests: We may disclose information about you in response to a warrant, court order, or other governmental request.
• Business Transfers: In connection with any merger, sale of company assets, or acquisition of all or a portion of a consortium members business by another company, or in the unlikely event that a consortium member goes out of business or enters bankruptcy, personal information of a client will NOT be declared, transferred or acquired as an asset by a third party however any personal data transferred as part of a legitimate interest or legal obligation will be declared to the data subject, as required under Article 14 of the GDPR by the consultant or acquiring 3rd Party.
• With Your Consent: We may share and disclose information with your consent or at your direction. For example, we may share your information with third parties with which you authorise us to do so.

How Long We Keep Information

• We generally discard information about you when we no longer need the information for the purposes for which we collect and use it–which are described in the section above on How and Why We Use Information–and we are not legally required to continue to keep it.

When you delete a post, page, or comment from our WordPress.com managed website, it stays in a Trash folder for thirty days. After the thirty days are up, the deleted content may remain on our backups and caches until purged.

Security

While no systems are ever 100% secure, consortium members work very hard to protect information about you against unauthorised access, use, alteration, or destruction, and take reasonable measures to do so, such as employing cyber essentials principles from the National Cyber Security Centre.

Your Rights

Your rights with respect to your personal data, subject to any exemptions provided by the law, including the rights to:

• Right to be informed (Privacy Notice);
• Right to access to your personal data (subject access request);
• Right to rectification (correction) of your personal data;
• Right to erasure/deletion of your personal data (in certain circumstances);
• Right to object to our use and processing of your personal data;
• Right to limit our use and processing of your personal data;
• Right to request portability of your personal data you have provided to us; and
• Right in relation to automated decision making and profiling.

You can exercise these rights directly with the consultant contracted through the register of controllers below or alternatively if you have any issues contacting the consultant you can contact the consortium administrator Darren Rose via darren.rose@dhrconsultancy.co.uk

EU individuals also have the right to make a complaint to a government supervisory authority in the case of the UK it is the Information Commissioners Office via the ICO website https://ico.org.uk/global/contact-us/

Controllers and Responsible Companies

Each member/consultant of the GDPRconsortium are the controller (or co-controller) of personal information, which means that they are the company responsible for processing that information. Each member of the GDPR consortium is required to have public liability and professional indemnity insurance of £1M and £2M respectively.

Depending on the consultant you use, more than one company may be the controller of your personal data. Generally, the “controller” is the consultant that entered into the contract with you under the Terms of Service for the product or service you use. In addition, DHRConsultancy is the controller for the processing activities across all the GDPRconsortium communication mechanisms, including twitter, LinkedIn and websites.

How to Reach Us

If you have a question about this Privacy Policy, or you would like to contact us about any of the rights mentioned in the Your Rights section above, please email darren.rose@dhrconsultancy.co.uk.

Transferring Information

Information, including name, organisation and contact details are shared between members of the consortium only and not transferred to any outside body unless required by law or in the legitimate interests of a consortium member but bearing in mind the restrictions of such legitimate interests under the GDPR consortium membership agreement.

Visitors to Our Website

• The GDPRconsortium website is updated and managed using a content management system called WordPress which is a product created by Automattic. Details of your personal information which is captured and processed during this visit can be seen on the Automattic, visitors to our users websites

Privacy Notice

. Whilst this privacy notice details your personal information which is processed during your visit/interaction to our website, Automattic have been chosen by GDPRconsortium and therefore joint responsability is held by both Automattic and Darren Rose of DHRConsultancy, 50b Manchester Road, Huddersfield, HD7 5JA, for any lawful breaches of your personal data whilst visiting or as a result of using the GDPRconsortium website.

Privacy Policy Changes

• Although most changes are likely to be minor, GDPR consortium may change its Privacy Policy from time to time. We encourage visitors to frequently check this page for any changes to its Privacy Policy. If we make changes, we will notify you by revising the change log below, and, in some cases, we may provide additional notice (such as adding a statement to our homepage or the

GDPRconsortium

Blog, or sending you a notification through email. Your further use of the Services after a change to our Privacy Policy will be subject to the updated policy.

Change log

• 2 Aug, 2018:Data Privacy Policy published on GDPRconsortium website.