
Data Protection, GDPR and Security.

Introduction

At CODA Technology Services Ltd, we are committed to safeguarding the privacy and security of your personal data. In line with our legal responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we ensure that personal information is processed fairly, lawfully, and transparently.

This policy outlines how we collect, use, store, and share your personal data, and applies to the following individuals:

  • Current and former employees

  • Workers and agency workers

  • Job applicants and agency work seekers

  • Individual contacts at client organisations

If you fall into one of these categories, you are considered a ‘data subject’ under data protection law.

You should read this policy alongside your employment contract (or contract for services) and any additional data privacy notices issued by the Company.

We are the ‘data controller’ for your personal data, meaning we determine how and why your data is processed. If you have any questions about this policy or your data, you can contact:


Steve Lawson, Director
📧 steve@codatechnology.net
📍 CODA Technology Services Ltd, Suites 12 & 13 Chantal House 13-17 High Beech Road, Loughton, Essex, England, IG10 4BN

Data Security & Retention

We have implemented appropriate technical and organisational measures to protect your data from loss, misuse, or unauthorised access. We retain personal data only as long as necessary for business purposes or to comply with legal requirements, as outlined in our Data Retention Policy.

Lawful Basis for Processing

We process your personal data only where a lawful basis exists, including:

  • Legal obligations (e.g. tax reporting to HMRC)

  • Performance of a contract (e.g. payroll or benefits administration)

  • Legitimate interests (e.g. internal HR investigations)

We do not rely on consent as a primary basis for processing employment-related data, but where we do, you have the right to withdraw your consent at any time.

Your Personal Data

We collect and process a range of personal data including:

  • Recruitment and employment details (e.g. CVs, qualifications, job history)

  • Contact and identification information

  • Performance, training, and disciplinary records

  • Health and emergency contact information

  • Right-to-work documentation

We may also collect special category data, such as:

  • Health information

  • Racial or ethnic origin

  • Trade union membership

  • Criminal conviction data (where legally permitted)

Special category data is processed only where legally permitted and subject to additional safeguards.

Data Protection Principles

We adhere to the following principles:

  • Fair, lawful, and transparent processing

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality

  • Accountability

Privacy by Design & Security

We embed data protection in our systems and processes, including:

  • Data minimisation and retention limits

  • Use of pseudonymisation and anonymisation

  • Robust cyber security measures

  • Documented Data Protection Impact Assessments (DPIAs)

Examples of Data Use

We process your data for activities such as:

  • Recruitment and onboarding

  • Contract management and payroll

  • Performance and conduct reviews

  • Legal compliance and reporting

  • Health and safety monitoring

  • Providing references and responding to legal claims

Sharing Your Data

We may share your data with:

  • Contractors or agents (e.g. payroll providers)

  • Legal and regulatory bodies where required

We ensure third parties handle your data in line with data protection laws. We do not transfer data outside the UK or EEA unless appropriate safeguards are in place.

Your Rights as a Data Subject

You have the following rights:

  • Access to your personal data (via a Subject Access Request)

  • Correction of inaccurate or incomplete data

  • Erasure of personal data (in certain circumstances)

  • Restriction or objection to processing

  • Portability of your data to another service

  • The right not to be subject to automated decision-making (with exceptions)

  • Notification in the event of a data breach affecting your data

  • Lodging a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk

Requests should be made in writing to Steve Lawson at the address or email provided above. We aim to respond within one month, unless requests are complex or numerous.

Data Security

CODA Technology Services Limited is committed to ensuring the security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR). We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Security Measures

In line with Article 32 of the UK GDPR, we assess and implement security measures considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to individuals' rights and freedoms. These measures include:

  • Encryption and Pseudonymisation: Utilising encryption to protect data during storage and transmission, and pseudonymisation where appropriate to reduce risks in case of a data breach.

  • Access Controls: Implementing role-based access controls (RBAC) to ensure that only authorised personnel have access to personal data necessary for their roles.

  • Multi-Factor Authentication (MFA): Requiring MFA for accessing systems containing personal data to enhance security.

  • Regular Security Audits: Conducting periodic vulnerability assessments to identify and mitigate potential security risks.

Data Integrity and Availability

We ensure the ongoing confidentiality, integrity, and availability of personal data by:

  • Implementing measures to prevent unauthorised access or disclosure.

  • Regularly testing, assessing, and evaluating the effectiveness of our security measures.

  • Establishing procedures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

Staff Training and Awareness

All employees receive regular training on data protection principles, recognising and reporting potential data breaches, and understanding their role in maintaining data security. This training is updated periodically to reflect changes in legislation and best practices.

Data Breach Response

In the event of a data breach, we have established procedures to:

  • Assess the risk to individuals' rights and freedoms.

  • Notify the Information Commissioner’s Office (ICO) within 72 hours, if required.

  • Inform affected individuals without undue delay when there is a high risk to their rights and freedoms.

  • Take corrective actions to mitigate any adverse effects and prevent future breaches.

Third-Party Processors

When engaging third-party processors, we ensure that they provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of UK GDPR. Contracts with processors include clauses that stipulate their obligations regarding data security.

Data Minimisation and Retention

We adhere to the principles of data minimisation and retention by:

  • Collecting only the personal data necessary for the specified purposes.

  • Retaining personal data for no longer than is necessary to fulfil the purposes for which it was collected.

  • Regularly reviewing data retention schedules and securely disposing of data that is no longer required.

For any questions or further information, please contact Steve Lawson, Director, at steve@codatechnology.net or in writing to CODA Technology Services Limited, Suites 12 & 13 Chantal House, 13-17 High Beech Road, Loughton, Essex, England, IG10 4BN.


©2025 by CODA Technology Services.
