Legal

Privacy policy

Last reviewed and updated: May 2026

Introduction and overview

Dynamic Skillset Ltd ("we", "us") complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable UK data protection law.

This document explains how we collect, use, share, and protect personal data, and sets out the rights of individuals whose data we process.

We take into account guidance published by the Information Commissioner's Office (ICO), including its materials for organisations on UK GDPR compliance.

This policy is reviewed regularly and updated when necessary to reflect changes in law, regulation, or our processing activities.

Awareness

The Company Secretary and other responsible persons at Dynamic Skillset Ltd are aware of the requirements of the UK GDPR and related data protection law.

Relevant personnel have read, understand, and follow our internal data protection policies, and receive training appropriate to their role so they understand their responsibilities in protecting personal data.

This privacy policy, and related procedures, are reviewed at appropriate intervals and whenever there is a significant change in our processing, our systems, or in applicable law or ICO guidance. Any material updates are communicated to relevant personnel in a timely manner.

Data we hold

We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes set out below, in line with the principle of data minimisation.

Access to personal data is restricted to personnel who need it to perform their role and is controlled using appropriate technical and organisational measures (for example, access controls and password protection).

We may hold the following data:

  • Email addresses of people or organisations who have emailed us and to whom we have replied (legal basis: legitimate interests).
  • Email addresses of those who have signed up to newsletters via a double opt‑in link on the website; this data is held in Mailchimp (legal basis: consent).
  • Names, addresses, email addresses, and Directors' interests in relation to our members or clients, held in Google Workspace (legal basis: performance of a contract or taking steps at the request of the data subject prior to entering into a contract).
  • Email addresses, names, and self‑identified descriptors (for example, "CEO") of people who have been the main contact within an organisation with which we have worked (legal basis: performance of a contract or legitimate interests, depending on context).

The Company Secretary and Weaver Financial Ltd (our accountants) may have access to the following data:

  • Email addresses and postal addresses of organisations with which we have worked, recorded in Google Workspace and Xero (both protected by passwords and access controls) (legal basis: performance of a contract and legal obligation for accounting records).
  • Postal addresses and bank details of organisations with which we have worked, held securely in Xero (legal basis: performance of a contract and legal obligation for financial records).

We do not sell personal data. We only share personal data with third parties (including service providers such as Google Workspace, Mailchimp, and Xero) where this is necessary for the purposes described in this policy, and where appropriate contractual safeguards are in place, such as data processing agreements.

Communicating private information

We ensure that the Company Secretary and relevant personnel are kept up to date with policy amendments and procedural changes that affect how personal data must be handled.

Training and updates are provided on a regular basis, and whenever there is a material change in law, ICO guidance, or our processing, so that personnel continue to handle personal data securely and lawfully.

Individuals' rights

Under the UK GDPR, individuals (data subjects) have the following rights in relation to their personal data:

  • The right to be informed about the collection and use of their personal data.
  • The right of access to their personal data.
  • The right to have inaccurate personal data rectified, or completed if it is incomplete.
  • The right to have personal data erased in certain circumstances.
  • The right to request restriction of processing in certain circumstances.
  • The right to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • The right to object to processing in certain circumstances, including processing based on legitimate interests and direct marketing.
  • Rights in relation to automated decision‑making and profiling.

Any individual or organisation may request information on the personal data we hold about them. We will update or delete this data where required by law and subject to any legal obligations that require us to keep certain records (for example, financial records for tax and audit purposes).

Subject access requests

We will respond to all valid requests to exercise data protection rights (including subject access requests) without undue delay and, in any event, within one month of receipt.

In complex cases, or where numerous requests are made, we may extend this period by up to two further months; if we do this, we will inform the requester within one month of receiving the request and explain why an extension is necessary.

We may need to request additional information to confirm the requester's identity where reasonable, particularly where we need to ensure that access is only given to the correct individual.

Lawful basis for processing data

We identify and document a lawful basis for each type of processing we undertake, in line with the UK GDPR.

The main lawful bases we rely on are:

  • Legitimate interests: When an individual or organisation contacts us via email, their email address and any other personal data contained in the communication are stored on our email servers so that we can respond and manage ongoing correspondence.
  • Consent: If an individual or organisation has opted into one of our email lists, they have done so on the basis that they will receive communications such as newsletters or updates. They may unsubscribe at any time using the link provided in our emails or by contacting us directly.
  • Performance of a contract: When individuals or organisations enter into a contract with us, their contact details and relevant business information are stored in our systems (for example, Xero and Google Workspace) to allow us to perform the contract and manage our relationship with them.
  • Legal obligation: Some personal data, especially within accounting and tax records, must be kept to meet legal and regulatory requirements.

Where we rely on legitimate interests, we balance our interests against the rights and freedoms of the individuals concerned and only proceed if our interests are not overridden.

Consent

Where we rely on consent, it will be freely given, specific, informed, and unambiguous, and obtained by a clear affirmative action.

Individuals or organisations subscribed to our email lists can withdraw their consent and unsubscribe at any time by clicking the relevant link in our communications or by contacting us via our website.

For auditing reasons, email addresses may be retained as "unsubscribed" for up to one year, after which they will be removed or anonymised unless there is another lawful basis for retaining them.

Where consent is withdrawn for other processing activities and no other lawful basis applies, we will stop the processing and delete or anonymise the personal data as appropriate.

Children

We do not knowingly collect personal data from children under the age of 13.

If we become aware that we have inadvertently collected personal data from a child under 13, we will delete that data as soon as reasonably practicable.

We encourage parents and guardians to monitor their children's online activities and to instruct them not to provide personal data without permission.

Data breaches

We use appropriate technical and organisational measures, such as strong passwords, two‑factor authentication where available, encryption in transit where supported by our providers, and access controls, to reduce the risk of personal data breaches.

If a personal data breach occurs, we will assess the risk to individuals' rights and freedoms and, where required, notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Where a breach is likely to result in a high risk to individuals' rights and freedoms, we will also inform those individuals without undue delay, in line with ICO guidance.

Data protection by design and Data Protection Impact Assessments

We take data protection by design and by default into account when developing or changing systems, services, or processes that involve personal data.

For processing that is likely to result in a high risk to individuals' rights and freedoms, we will carry out a Data Protection Impact Assessment (DPIA), in line with ICO guidance on DPIAs.

Data Protection Officer / data protection contact

We are not currently required by law to appoint a statutory Data Protection Officer under the UK GDPR.

We have appointed an internal contact for data protection matters who can be reached at:

Email: privacy@dynamicskillset.com

This contact is responsible for coordinating responses to data protection queries, managing data protection risk, and liaising with the ICO where necessary.

International data transfers

We are registered with the Information Commissioner's Office (ICO), as required for organisations that process personal data, and pay the applicable data protection fee, where relevant.

Some of our service providers may process personal data outside the UK (and, in some cases, outside the European Economic Area).

Where personal data is transferred internationally, we ensure that appropriate safeguards are in place, such as:

  • An adequacy regulation made by the UK government in respect of the destination country; or
  • The use of the ICO's International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses, as appropriate.

Further information about the safeguards used for international transfers can be obtained by contacting us using the details below.

Our commitment to your privacy

We are committed to protecting your personal data and handling it lawfully, fairly, and transparently.

We obtain your personal data when you:

  • Correspond with us (for example, by email or through our website).
  • Enter into, or consider entering into, a contract with us.
  • Sign up to our newsletters or other communications.

The categories of personal data that we may collect and hold include:

  • Personal information (such as name, telephone number, address, email address) needed to communicate with you and provide our services.
  • Corporate information (such as company name, address, email address, and bank details) needed to manage our business relationship, process payments, and comply with legal obligations.

Your rights under UK GDPR include the right to access, rectify, erase, restrict processing of, object to processing of, and request data portability of your personal data, as described earlier in this policy.

How and when we use your personal data

We use personal data only where we have a lawful basis and only for specified, explicit, and legitimate purposes.

Examples include:

  • Dealing with your enquiries quickly and efficiently.
  • Establishing and managing ongoing communication relating to the provision of services and maintaining a good relationship with you and your organisation.
  • Managing accounts, processing invoices and payments, and meeting our legal and regulatory obligations.

Where we rely on legitimate interests, these include the effective management and administration of our business and the provision of our services, balanced against your rights and interests.

Some of our systems and service providers store personal data in the UK and/or the EEA.

Where personal data is transferred outside the UK, appropriate safeguards (as described under "International data transfers") are used.

We aim to keep personal data accurate and up to date and encourage you to notify us if your details change, so we can rectify or update our records promptly.

We retain personal data only for as long as necessary for the purposes described in this policy, taking into account business needs, legal requirements, and guidance on retention.

Storing your data

We hold personal data for varying lengths of time depending on the type of information and the purposes for which it is used, always in line with data protection principles and legal obligations.

For example, contract‑related and financial data is typically stored for up to six years from the end of the business relationship or last correspondence, to comply with limitation periods and accounting rules.

If you require more detail about retention periods for particular categories of data, please contact us using the details below.

Who we share your information with

We may share your personal data with third parties where this is necessary and lawful, including on the following bases defined by the UK GDPR: consent, contract, legal obligation, vital interests, public task, or legitimate interests.

Examples include:

  • Accountants, auditors, and other professional advisers, for good governance, accounting, and auditing.
  • Government bodies or regulatory authorities, where required by law.
  • Service providers and subcontractors who help us provide our products and services (for example, providers of cloud services, email services, or bookkeeping software).
  • Payment service providers, where necessary to process transactions.
  • Other organisations and individuals where required to protect the security or integrity of our operations or to exercise or defend legal claims.

We only share the minimum personal data necessary and ensure that appropriate contractual safeguards are in place with service providers who process personal data on our behalf.

Sharing your personal data

We do not share personal data with third parties for their own direct marketing purposes.

We will only share your personal data in specific situations, such as:

  • Where we are required to do so by law (for example, to regulators or law enforcement).
  • Where disclosure is necessary to perform a contract or to take steps at your request before entering into a contract.
  • With subcontractors and service providers engaged to support our business operations, under appropriate contractual terms.
  • Where necessary to protect our rights, property, or safety, or that of our clients or others.

Requesting access to your personal data

Under the UK GDPR, you have the right to:

  • Request access to information we hold about you.
  • Request rectification of inaccurate or incomplete personal data.
  • Request erasure of your personal data in certain circumstances.
  • Request restriction of processing in certain circumstances.
  • Object to processing, including processing based on legitimate interests and direct marketing.
  • Object to decisions being taken by automated means and, in some cases, request human intervention.
  • Request data portability, where applicable.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact our data protection contact using the details below.

If you raise a concern about how we process your personal data, we will do our best to address it.

If you are not satisfied with our response, you can lodge a complaint with the ICO at ico.org.uk/concerns.

Contact

To discuss anything in this privacy notice or to exercise your data protection rights, please contact:

Email: privacy@dynamicskillset.com

Dynamic Skillset Ltd
UK Company number: 09365574