Revision Control

Rev. 1 – Initial Issue – 27 Aug 2025 – K.M
Rev. 2 – GDPR Update – 26 Feb 2026 – K.M

Introduction

This DATA PRIVACY POLICY explains what ExComs Innovation Centre does with your personal data, whether we are providing you with a service (Candidates – Engineers, Contractors, Consultants and Technicians), receiving a service from you (Suppliers), you are visiting our website (Website Users), or are continuing our relationship in a renewed capacity (Clients). All parties are collectively referred to as “Data Subjects”.

Legal Framework

This Policy aligns with:
– UK GDPR
– Data Protection Act 2018

ExComS may act as either:
– Data Controller
– Data Processor

depending on the nature of the service relationship.

Lawful Basis for Processing

ExComS processes personal data under one or more of the following legal bases:

– Contractual necessity
– Legal obligation
– Legitimate business interest
– Consent (where required)

We only collect data necessary for service delivery (Data Minimisation).

Data We Collect

ExComS may collect professional, identification, contact, financial, employment and compliance-related data required for recruitment, service delivery, and legal obligations.

Sensitive data (GDPR Article 9) will only be processed with explicit consent where required.

How We Collect Data

Data may be collected:

– Directly from individuals
– From clients
– From suppliers
– From third-party platforms
– Through website interaction
– Through operational systems (e.g. attendance tracking where applicable)

Use of Personal Data

We use personal data for:

– Recruitment
– Service delivery
– Compliance
– Legal defence
– Communication
– Equal opportunity monitoring
– Business relationship management

International Data Transfers

As ExComS operates globally, personal data may be transferred outside the UK/EEA.

Where this occurs, safeguards include:

– Standard Contractual Clauses (SCCs)
– Adequacy decisions
– Confidentiality agreements with contractors and partners

Automated Decision-Making

ExComS does not make decisions based solely on automated processing that produce legal or significant effects on individuals.

Children’s Data

Our services are not directed toward individuals under 18 and we do not knowingly collect children’s personal data.

Data Sharing

Personal data may be shared with:

– Clients
– Contractors
– Service providers
– Cloud platforms

Only where necessary for service delivery and subject to confidentiality safeguards.

Security Measures

ExComS applies industry-standard technical and organisational measures including:

– Access controls
– Role-based permissions
– Secure cloud storage
– Encryption where applicable
– Firewalls and VPN protection

Data Retention

Personal data is retained for up to seven years for:

– Contractual purposes
– Tax compliance
– Audit requirements
– Legal defence

Data Breach Response

In the event of a personal data breach, ExComS will assess risk and notify relevant authorities and affected individuals where legally required.

Your Rights

You have the right to:

– Access your data
– Rectify inaccuracies
– Request deletion
– Restrict processing
– Object to processing
– Withdraw consent

Supervisory Authority

You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

Contact

For privacy queries or requests, contact:
Data Protection Officer
Email: dpo@excoms.com