The following information applies to those who receive services from us or who are seeking to do so.
Types of Personal Data Processed
The types of personal data processed will vary depending on the data you require us to process in order to
deliver to you with the requested service(s) and in accordance with our engagement terms with you. You may
ask us to process both ‘personal data’ as defined in Article 4(1) GDPR and or ‘Special category Personal Data’ as
defined in Article 9(1) GDPR.
Categories of Data Subjects
Personal data we process for our own purposes and on your behalf may include but may not be limited to your
client and prospect data, your staff data, your contractor data and your supplier data.
Categories of data subjects will, for so far as we act as a data processor, be determined by you and as
contemplated by our engagement terms with you. Normally, we will only require limited aspects of your staff
data for our own purposes and will advise you should it become necessary for us to process any other categories
for our own purposes.
Legal Basis for Data Processing
Generally, it will be your responsibility as the Data Controller to ensure you provide us with data for processing
activities for which you have identified a legal basis for such processing. We will not accept responsibility for
your providing us data without a legal basis for doing so.
Where we require personal data from you for our own purposes we normally do so on the following legal bases
as defined under GDPR:
• Contract entry and performance: In order to commence working with you as a client we are legally
required to take certain steps, such as assuring ourselves of your identity. In order to do so we require
some personal data from you. During the course of our engagement with you we require to continue
processing personal data about you to enable us to deliver the service(s) to you.
• Our legitimate interests: We may also use your personal data on the basis of our own legitimate interests
in promoting our services and developing our services and assessing our performance. Activities
promoting our services include business to business marketing which you may opt-out of at any
time. Opt-out can be achieved by responding using the unsubscribe options contained within the
information you have received or by emailing email@example.com.
• Legal obligations: certain statutory obligations apply to Heytesbury Corporate LLP work which require
us to process personal data and in some circumstances to provide it to third parties such as law
enforcement. Where such obligations arise we will, insofar as is possible without breaching any other
duty we owe to those services, advise you of our intention to process your data for their purposes.
Should we require Special Category Personal Data from you we will ask for your permission to process those
data. If you are not willing to provide us with certain data we may be unable to deliver some or all of our services
and will make this clear to you.
Duration of Processing
We will process personal data on your behalf for so long as you instruct us to do so. At the cessation of our
processing activities on your behalf it is your choice as to what happens to the personal data you have provided
to us. We will work with you to carry out your reasonable instructions.
Personal data we collect for our own purposes will be managed in accordance with our Data Retention Policy
which reflects current legal obligations.
Use of sub-processors
As part of our service delivery it is necessary for us to use sub-processors.
Our IT support is largely provided by parties external to Heytesbury Corporate LLP. Some solutions we utilise
are cloud based and our need to rely upon those systems varies depending upon the services we deliver to you.
All sub-processors are bound by Heytesbury Corporate LLP to provide at least the same level of protection for
your data as we do.
Most sub-processors do not engage directly with your data and simply provide secure storage solutions for the
data we process. Unless we have otherwise expressly agreed conditions with them, sub-processors are
prohibited from using your personal data for their own purposes.
Heytesbury Corporate LLP utilise a number of suppliers to provide us with IT and other associated services for
the delivery of our business and services to you. In many cases, the suppliers we use will be granted access to
the data we are processing in order to provide us with technical assistance. Such processing activities are not
directly related to our principal services to you and are considered ancillary to our own internal activities.
As an International firm, our people need to be able to work from anywhere in the world using our IT
services. Data may be stored on Heytesbury Corporate LLP encrypted devices and transported with individuals
as necessary for the delivery of our services in accordance with the terms and conditions we have agreed with
you. We have put in place appropriate technical measures to ensure data remain secure irrespective of where
our people deliver our services.
By asking us to act as a Data Processor on your behalf you permit us to use EU standard contractual clause
agreements with our chosen sub-processors on your behalf. All such agreements will be in our name and you
may enforce rights against the sub-processor(s) directly through us.
Your Data Subject Rights
Where we act as a Data Controller for your data you may exercise a number of rights.
• Request access to the personal data we hold about you
• Ask us to correct any data which are inaccurate
• Request to have your personal data deleted
• Put in place restrictions on our processing of your data
• Ask us to transfer your data to another controller (data portability)
We will handle all exercise of your data subject rights in accordance with the requirements of GDPR and any
national laws at the time of your request. Requests should be submitted in writing to our Data Protection Officer
If you are dissatisfied with the way we have handled your personal data and we are unable to resolve the matter
for you, you may take your complaint to the Information Commissioner’s Office. Further details can be found
via their website at www.ico.org.uk.
Should we receive a request from you or one of your staff, clients, customer, contractors or prospects, to exercise
data subject rights but we are only acting as a Data Processor, we will forward your request to you as Data
Controller to process. Unless you explicitly instruct us not to we will advise the data subject that we have passed
their request to you.
Heytesbury Corporate LLP has put technological and organisational controls, including policies and procedures,
in place to protect your personally identifiable information from loss, misuse, alteration or unintentional
destruction. Our personnel who have access to the data have been trained to maintain the confidentiality of
Please note that no communications over the internet can be guaranteed as secure. Whilst we take appropriate
steps to protect your data we cannot guarantee that it will remain secure in transit. Once data reaches your
network it is your responsibility to ensure it remains secure.
Some of our marketing emails may contain web beacons, web bugs, cookies or other similar technologies which
enable us to understand whether you open, read, or delete the message and any interaction you make with links
to log what pages you view, in accordance with our cookies policy.
Targeted emails from us may include additional data privacy information as required by applicable privacy laws.
Changes to this Statement
We recommend you check this statement on a regular basis to ensure you remain in agreement with the
activities we carry out in respect of processing personal data.
Should we make significant changes to the way we process data, we will draw your attention to the relevant
part(s) of this statement through email and or other appropriate communications as part of our engagement
activities with you.
Any changes to our ‘Website’ privacy notice shall be managed in accordance with the terms stated thereunder.
For any enquiries, please contact: firstname.lastname@example.org