This Data Protection Notice explains how Penman Consulting collects, uses, and protects personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This notice was generated using tools provided by the Information Commissioner’s Office (ICO).
GDPR & Data Protection Notice
Penman Consulting – UK GDPR / Data Protection Act 2018
Data Controller: Penman Consulting
ICO Registration Details
Contact Details
Email: data-protection@penmanconsulting.com
Responsible Person
Penman Consulting is not required to appoint a Data Protection Officer (DPO).
Responsibility for data protection compliance lies with Marsh Penman, IT Manager.
What Personal Information We Collect and Why
Customer Accounts and Guarantees
We collect and use:
Account and registration details
Information used for security purposes
Purpose: To operate customer accounts and fulfil contractual guarantees.
Legal and Employment Obligations
We collect and use:
Name and contact details
Health and safety information
Any other personal data required to comply with legal obligations
Purpose: To meet statutory and regulatory requirements, primarily as an employer.
Recruitment
We collect and use:
Contact details
Date of birth
National Insurance number
Copies of passports or photo ID
Employment and education history
Right to work information
Security clearance details
Purpose: To assess suitability for employment and meet legal requirements.
Queries, Complaints, and Claims
We collect and use:
Names and contact details
Account and service history
Financial transaction information
Correspondence and records
Purpose: To respond to enquiries, complaints, and legal claims.
Lawful Bases for Processing
We rely on the following lawful bases depending on context:
Contract
Where processing is necessary to enter into or perform a contract.
Legal Obligation
Where processing is required to comply with the law.
Consent
Where you have explicitly agreed to processing (e.g. recruitment or marketing).
You may withdraw consent at any time.
Legitimate Interests
Where processing supports our business operations without overriding your rights.
For recruitment, this includes assessing candidate suitability and maintaining records for future opportunities.
Where We Get Personal Information From
Directly from you
Previous employers
Third-party organisations we provide services to (limited to basic user data)
Data Retention
We retain personal information only for as long as necessary for the purposes for which it was collected, or to meet legal obligations.
You may request deletion of your personal data unless retention is required by law.
Who We Share Personal Information With
Data Processors
SaaS providers (HR, payroll, internal systems)
Insurance providers
HubSpot (CRM and communications management)
Each processor receives only the minimum data required and acts under our instructions.
Other Recipients
Professional or legal advisers
Insurance companies
Regulatory or law enforcement authorities where required by law
We do not sell or rent personal data.
International Data Transfers
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
UK adequacy regulations
UK data bridges
Recipients may be located in:
The EEA
The United States
Other countries with adequacy decisions
Your Data Protection Rights
You have the right to:
Requests will be responded to within one month.
Complaints
If you have concerns about our use of your personal data, please contact us first.
You may also complain to the ICO:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113