ECO Improvements Experts Ltd.
Data Protection & Privacy Policy
Date Implemented | July 2024
Date of Last Review | March 2025
Date of Next Review | April 2026
Table of Contents
Data Controller
Personal Data We Collect
Lawful Bases for Processing
Use of Personal Data
Sharing Personal Data
Data Obtained from Third Parties
Telephone and Marketing Compliance (PECR & TPS)
Data Retention
Data Security
Data Breach Notification and Handling
International Data Transfers
Data Protection Impact Assessments (DPIAs)
Staff Training and Accountability
Records of Processing Activities (ROPA)
Handling of Data Protection Complaints
Your Data Protection Rights
Updates to This Policy
Contact Us
APPENDIX: Legal Compliance Mapping
By proceeding with our service, you confirm that you have read and accepted this Data Protection Policy and all other relevant ECO Improvements policies.
This comprehensive policy explains how Eco Improvements Experts Ltd (“we”, “us”, “our”) collects, uses, stores, and protects personal data securely, fairly, and transparently in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR), and the Data (Use and Access) Act 2025 (DUAA)[1].
We operate as a UK-based lead generation company under the government-backed ECO4 energy efficiency scheme, collecting information from individuals who may qualify for government-funded energy-saving measures and sharing relevant details with approved installers and surveyors to facilitate assessments and installations.
Data Controller
Eco Improvements Experts Ltd is the Data Controller for the personal data we collect and process. This means we determine the purposes and lawful bases for processing personal data. Our contact details are provided in the Contact Us section of this policy.
Third-Party Partners (Processors and Independent Controllers)
We work with carefully selected third parties who support the delivery of our services.
Where a partner processes personal data on our behalf (acting as a data processor), we remain responsible for that processing. We have written Data Processing Agreements in place requiring that all processing is carried out in compliance with applicable data protection laws, following our documented instructions, and with appropriate technical and organisational security measures.
Where we share personal data with approved installers, surveyors, or other partners who act as independent data controllers, those organisations determine their own purposes and means of processing and are separately responsible for their compliance with data protection law. We only share information that is necessary for the intended purpose, and we perform due diligence to ensure those partners meet high data protection standards.
We encourage all customers to review the privacy notices of our partner organisations for details of how they process and protect personal data.
If we and a partner jointly determine the purposes and means of processing (i.e. act as joint controllers), we will document the essence of our respective responsibilities and make this information available to you in accordance with UK GDPR Article 26.
Personal Data We Collect
We collect personal data both directly from individuals and indirectly from verified third-party sources. Collection methods include application forms, phone calls, door-to-door visits, website submissions, social media interactions, and GDPR-compliant data suppliers. We limit the data we collect to what is necessary, relevant, and adequate for the purposes described (upholding the data minimisation principle of UK GDPR)[3].
The types of personal data we may collect include:
- Identification Data: Name, address, email, phone number.
- Eligibility Data: Income and benefit information, energy usage (e.g. energy bills), and documents required for ECO4 grant checks.
- Property Data: Information about the property (e.g. Energy Performance Certificate details, property characteristics).
- Special Category Data: Health or vulnerability information (only collected with explicit consent due to its sensitive nature, in line with UK GDPR Article 9(2)(a) and relevant conditions in DPA 2018 Schedule 1).
- Transaction Data: Records of service requests, leads generated, and interactions related to our services.
- ECO4 Grant Verification Data: Any additional personal details (including proof of benefits or income provided via government documentation) needed to determine grant qualification.
Providing certain information may be mandatory to determine eligibility for ECO4 grants; if required data is not provided, we may be unable to offer the related services. We will always inform you which data elements are necessary for these purposes. All data collection is conducted lawfully, fairly, and with transparency to the individual (in accordance with UK GDPR Article 5(1)(a)).
Lawful Bases for Processing
We ensure that all processing of personal data has a valid lawful basis under UK GDPR Article 6 (and Article 9 where special-category data is involved). Depending on the context, we rely on the following bases:
- Consent: We obtain your clear consent for specific processing purposes – for example, when sending marketing communications or when processing special category data such as health information. You have the right to withdraw consent at any time, and we make it as easy to withdraw as to give[4]. Please see details in the Privacy Notice, available here: https://www.ecoimprovements.co.uk/privacy-policy/. (Withdrawal of consent will not affect the lawfulness of processing already carried out.)
- Contract: Processing is necessary for the performance of a contract or to take steps at your request prior to entering into a contract. For instance, using your data to arrange a survey or installation you have requested.
- Legitimate Interests: In some cases, we process data to pursue our legitimate business interests in a way that is not overridden by individuals’ rights and freedoms. An example is making cold calls to potential qualifying customers, which we conduct in compliance with PECR’s direct marketing rules (screening against the Telephone Preference Service, etc.) as described below.
When relying on legitimate interests, we ensure our interests are balanced against your privacy rights. (Note: The DUAA 2025 introduced certain predefined “Recognised Legitimate Interests” for important public interest purposes like crime prevention and safeguarding[5]. While our typical activities (such as direct marketing for ECO schemes) do not explicitly fall under those specific categories, we continue to assess and document our legitimate interest processing to meet the UK GDPR’s requirements.)
- Legal Obligation: We process personal data where required to comply with our legal obligations. For example, retaining records to meet regulatory requirements or providing information to law enforcement or regulators when the law requires it.
We will always identify and document the lawful basis for each processing activity in accordance with UK GDPR and DPA 2018. Where consent is our lawful basis, we note that UK GDPR Article 7(3) gives you the right to easily withdraw that consent at any time, and we honor such requests promptly.
Use of Personal Data
We only use personal data for specified, explicit, and legitimate purposes that we have explained to you[3]. In particular, we use the data we collect to:
- Determine Eligibility: Evaluate whether you qualify for the ECO4 energy efficiency grant or other related funding schemes. This involves reviewing the information you provide (and, if applicable, data from public records or third parties) against the scheme’s criteria.
- Contact You: Communicate with you about our services, such as to discuss your eligibility, schedule property assessments, provide information on energy-saving measures, or respond to your inquiries. Communications may occur via phone, email, SMS, or post, in line with your preferences and applicable law.
- Service Fulfillment: Share necessary details with approved installers, surveyors, or other partners so they can carry out property assessments, installations, or follow-up services as part of the ECO4 scheme. (See ‘Sharing Personal Data’ below for how we do this under strict agreements.)
- Verification and Audit: Verify the accuracy of the information (e.g. checking your documentation for eligibility) and perform quality assurance audits. We may use data to ensure compliance with scheme rules and to prevent fraud or misuse of government funds, which is both our legitimate interest and a public interest mandate.
- Service Improvement: Analyse and improve our lead generation services and user experience. For example, we might review call recordings or feedback to train staff and enhance our processes. Any analysis is done in aggregate or with personal identifiers removed when possible, to respect your privacy.
- Legal and Regulatory Compliance: Fulfill our obligations under law. We retain and disclose personal data as needed to comply with laws and regulations (such as maintaining appropriate records for the time required by energy scheme regulations or tax laws) and to respond to lawful requests from government authorities or the Information Commissioner’s Office (ICO).
We do not use your data in any way that is incompatible with the original purposes for which it was collected, unless permitted by law. The DUAA 2025 has clarified rules around further use of data; for instance, it confirms that certain re-uses (like disclosing information to prevent crime) can be lawful even if not identical to the original purpose[6].
We will only engage in any such further processing in strict accordance with UK GDPR Article 6(4) and DUAA provisions, ensuring a lawful basis exists and your rights are respected.
Sharing Personal Data
We share personal data only when necessary for the purposes outlined and always under strict controls and agreements. Recipients of personal data are limited to those categories described here, and we do not sell or trade your personal information to third parties. When we do share data, we ensure the recipient has a valid need to know and will handle your data securely and lawfully. The main scenarios in which data may be shared are:
- Approved Installers & Surveyors: We pass on relevant details (e.g. your contact information and eligibility status) to accredited installation companies or surveyors who are responsible for conducting home assessments and installing energy-saving measures. This sharing is done to fulfill the service you have requested (contractual necessity) and each such partner is independently responsible for complying with data protection law as a data controller for the data we provide to them. We have agreements in place to require that they only use your information for the intended ECO4-related purposes and safeguard it appropriately.
- Government or Regulatory Bodies: We may share information with government departments (such as the Department for Energy or its appointed administrators of the ECO scheme) or regulatory authorities to demonstrate compliance with the scheme, for auditing purposes, or if required to report on our activities. For example, we could be asked to supply data to evidence that grants are being allocated correctly. Any such sharing will be done under a legal obligation or in the public interest, in line with UK GDPR and DPA 2018 provisions.
- Service Providers (Data Processors): We employ trusted third-party service providers to perform certain business operations on our behalf. This includes, for instance, cloud platform providers for data hosting, Customer Relationship Management (CRM) software, call center software, email service providers, and data analytics services. When we engage such processors, they are bound by Data Processing Agreements to process personal data only under our instructions, to keep it secure, and to maintain confidentiality.
- Auditors and Certification Bodies: We may share data with external auditors or certifiers who assess our compliance with quality standards or regulatory requirements (for example, auditors ensuring we adhere to the rules of the ECO4 scheme). These parties will only use personal data for audit purposes and are bound to confidentiality.
- Legal Authorities: If required by law or court order, or to enforce our legal rights, we may disclose personal data to law enforcement agencies, courts, or regulators (such as the ICO). For instance, if we receive a lawful subpoena or need to report fraudulent activity, we will provide only the data that is necessary and proportionate for those purposes.
We do not share personal data with any third parties for their own marketing or unrelated purposes, unless you have explicitly consented to such sharing. In all cases of data sharing, we adhere to the UK GDPR principle of transparency by informing individuals about the categories of recipients of their data[2].
We also ensure that any data transfer is supported by a lawful basis (e.g. consent, contract, legal obligation) as required by UK GDPR Article 6(1)(c)-(f) and, where applicable, that appropriate safeguards are in place for international transfers (see below). Our approach is consistent with the spirit of the DUAA 2025, which encourages responsible data sharing with continued high data protection standards[7].
Data Obtained from Third Parties
In some cases, we receive personal data about individuals from third-party sources instead of directly from the individual. For example, we may purchase leads or marketing lists from reputable data suppliers who have collected data in a GDPR-compliant manner (e.g. individuals have consented to be contacted for energy-efficiency offers), or we might receive referrals from partner organizations. When we obtain your data from a third party, we take several steps to ensure fair and lawful processing:
- Verification of Third Parties: We perform due diligence on all third-party data providers to confirm they comply with UK GDPR and PECR. We require assurances that the data was originally collected lawfully, with the proper consents or other legal bases, and that individuals were informed that their data could be shared with companies like ours.
- Informing Individuals: If we receive your personal information from a third party, we will inform you at the earliest practical opportunity, and at the latest within the timeframe required by law (within one month under UK GDPR Article 14(3)). We will let you know the source of your personal data (the name of the company or source that provided it) and, if applicable, the categories of personal data involved[8]. We will also provide you with all other relevant privacy information at that time – including the purposes for which we will use the data, your rights, and our contact details – just as if we collected the data from you directly. This ensures full transparency even when data comes from other sources.
- Respecting Your Rights: Even if we obtained your information from another source, you retain all the same rights over your data (see ‘Your Data Protection Rights’ below). For instance, you can still object to marketing or ask us to erase your details. Additionally, if you tell us that you never consented to the third party sharing your data or you had withdrawn consent, we will cease processing your data for marketing and investigate with the provider. We will honor any valid opt-outs or preferences that accompanied your data.
In summary, any personal data we acquire indirectly is handled with the same care and legal compliance as data you give us directly. We recognize our obligation under UK GDPR to ensure fairness in processing such data and to provide you with all required information whenever we first contact you[9][8].
Telephone and Marketing Compliance (PECR & TPS)
We conduct direct marketing communications in strict compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), including recent amendments under the Data (Use and Access) Act 2025, as well as relevant Ofcom requirements. Our practices include:
- Do-Not-Call Screening: Before making any marketing call, we screen telephone numbers against the Telephone Preference Service (TPS) and Corporate TPS registers[10]. It is our policy not to call any individual or business number that is listed on the TPS/CTPS unless we have that person’s prior specific consent to do so[11]. We also maintain our own internal “Do Not Call” list and promptly add any person who has indicated to us that they do not wish to receive marketing calls[12][13]. We will not make unsolicited calls to anyone who has opted out, even if they might otherwise be eligible for our services.
- Identification and Caller ID: In every call, our representatives will clearly state the name of our company and the reason for the call. Our outbound calls always present a valid caller identification number (no “blocked” or hidden numbers) so that you can see who is calling[14][15]. If you ask for contact details during a call, we will provide an address or freephone number you can use to reach us[14]. This complies with both PECR and Ofcom regulations requiring transparency in marketing calls.
- Automated Calls: We do not use automated calling systems or pre-recorded marketing messages without your explicit consent. Under PECR, automated marketing calls (robocalls) are prohibited unless the subscriber has specifically consented to receive such calls from us[16]. We currently do not employ any automated call technology; if that policy ever changes, we will only send automated messages to those who have opted in, and all such messages would include our name and contact information as legally required[17].
- Email and SMS Marketing: Any electronic mail marketing (emails or text messages) we send will be in accordance with PECR Regulation 22. This means we will only send you marketing emails or texts if: (a) you have given us affirmative consent (opted in) to receive such messages, or (b) you are an existing customer and the message relates to similar products or services you originally enquired about or purchased (applying the “soft opt-in” exception), and in all cases you have not opted out of such communications. Every marketing email or text we send will include a clear unsubscribe or opt-out mechanism. If at any time you tell us you do not want marketing emails/texts, we will stop immediately.
- Compliance with Updated Rules: We note that the DUAA 2025 has clarified certain aspects of PECR. For example, it confirms that a “call” or “communication” is considered made even if it does not reach its intended recipient (e.g. if the phone rings but is not answered)[18]. We treat even attempted calls as communications under the rules, meaning we do not attempt to bypass TPS rules by re-dialing repeatedly or any other method – all such activities are considered and controlled under our compliance procedures. Additionally, while DUAA introduced a soft opt-in expansion for charities (allowing them to email recent supporters without explicit consent)[19], we as a commercial entity continue to rely on consent or the standard soft opt-in criteria for our email marketing, as applicable.
In summary, our marketing practices are designed to respect your communication preferences and privacy rights at all times. We comply with PECR’s specific requirements for telemarketing and electronic marketing to avoid nuisance and only reach out in appropriate ways. If you ever receive a marketing communication from us that you believe you should not have (for example, you are on the TPS and haven’t consented, or you have opted out previously), please inform us and we will investigate and resolve the issue, including updating our records to prevent any further unwanted contact.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal or reporting requirements[20]. In line with the GDPR’s storage limitation principle (UK GDPR Article 5(1)(e)), we have defined retention periods for different categories of data, based on legal obligations and our operational needs:
- Lead and Inquiry Data: If you contact us or we receive your details as a lead (but you do not ultimately receive services from us), we retain your personal data for up to 2 years from the date of last interaction. This allows us to follow up on potential eligibility as scheme rules or your circumstances might change, but ensures we do not keep data indefinitely if no services are provided.
- Customer and ECO4 Project Data: For individuals who go through the process and whose details are used in an ECO4 assessment or installation, we retain that data for up to 7 years. This longer period accounts for our obligations under the ECO4 scheme record-keeping requirements, any warranty or follow-up service issues, and inspection or audit purposes by regulators. It aligns with typical statutory limits (for example, the UK limitation period for certain legal claims) and any scheme-mandated retention.
- Marketing Data: Contact details and consent records used for marketing are kept until you withdraw your consent or object to processing. If you opt out of marketing, we will retain just enough information (e.g. your email or phone number on a suppression list) to ensure we respect your no-contact request in the future.
- Call Recordings: Recorded telephone calls (for quality assurance or training) are kept for up to 6 months. This timeframe allows us to review interactions and resolve any disputes or complaints, but recordings are not kept longer than necessary for those purposes. Critical information from calls (such as service agreements) is documented in our system so we don’t rely solely on audio. After 6 months, recordings are securely deleted.
At the end of the applicable retention period, we will either securely delete or irreversibly anonymise the personal data. Secure deletion involves removing data from all our active systems and backups (or segregating and later purging backups). Anonymisation may be used for analytical purposes – for example, we might keep aggregated statistics about how many people qualified for the grant, but in a form that no longer identifies any individual.
We periodically review the data we hold and erase or anonymise information that is no longer needed. These retention practices ensure we are not keeping your information for longer than justified, in accordance with UK GDPR and DPA 2018 requirements. If you have any questions about our specific retention periods or want us to consider erasing data, you can contact us (see ‘Contact Us’ section).
Data Security
We take the security of personal data very seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, loss, or damage. In accordance with UK GDPR Article 5(1)(f) and Article 32, we ensure that personal data is handled in a way that maintains its integrity and confidentiality[21].
Our security measures include:
- Encryption: Personal data held in electronic form is stored on encrypted servers or databases. We use encryption protocols (HTTPS/TLS) to protect data in transit over networks (for example, when you submit a form on our website or when we transfer information to our service providers). Sensitive documents (such as copies of benefit statements or IDs) are encrypted at rest.
- Secure Storage and Access Control: We store data on secure servers located in the UK. Access to personal data is restricted based on the “need-to-know” principle – only staff members and contractors who require the information to perform their duties (e.g. our customer service agents or the installers handling your case) are granted access. User accounts are protected with strong passwords and, where possible, two-factor authentication. We maintain access logs and can audit who has accessed personal records.
- Personnel Training and Confidentiality: All staff receive training on data protection and privacy requirements (UK GDPR, DPA 2018, and PECR) as part of their induction and through regular refreshers[22]. They are educated on the importance of safeguarding personal data, following our policies (like not removing data from secure systems, recognising phishing attempts, etc.), and reporting any suspected security issues. Each employee is bound by confidentiality obligations.
- Anti-Malware and Patching: We protect our IT systems with up-to-date antivirus and anti-malware tools, firewalls, and intrusion detection systems. Our IT team ensures that security patches and updates are applied promptly to servers, computers, and applications to mitigate vulnerabilities.
- Backup and Recovery: We perform regular backups of key data to prevent accidental loss, and those backups are encrypted. In case of any data loss incident, we have disaster recovery procedures to restore information and resume operations while maintaining data protection.
- Physical Security: For any physical documents (e.g. printed forms or copies of IDs) and our office premises, we have physical security controls. Offices are access-controlled and alarmed. Sensitive paper records are kept in locked cabinets with limited personnel access. When no longer needed, paper records are shredded or disposed of via secure shredding services.
- Continuous Monitoring and Testing: We conduct periodic reviews and audits of our security measures. This includes vulnerability scanning and penetration testing of our websites and systems, as well as internal audits to ensure procedures are followed. We also review our suppliers’ security measures (through questionnaires or compliance certificates) to ensure any third parties handling data meet our security standards.
By applying these safeguards, we aim to protect personal data against risks such as breach, theft, or misuse. However, if an unlikely event occurs (for example, a security incident resulting in personal data compromise), we have a ‘Breach Notification’ procedure in place (see next section) to promptly address and communicate the issue.
Data Breach Notification and Handling
Despite strong security measures, no system is completely immune to incidents. Eco Improvements Experts Ltd has a detailed data breach response plan to ensure that if a personal data breach occurs, we can minimise harm and fulfill our legal obligations. A “personal data breach” means any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Our breach handling protocol includes:
- Immediate Containment and Assessment: Upon discovering or suspecting a data breach, our team will act quickly to contain the breach (e.g. isolating compromised systems, changing access credentials) and assess the scope and severity of the incident. We document all relevant facts, including what data is involved, how many individuals are affected, and the potential consequences for those individuals.
- Internal Reporting: We have designated personnel (including our data protection officer or responsible manager) who must be informed of any breach. They will lead the investigation and response. We maintain a breach log to record incidents, their effects, and the remedial actions taken.
- Notification to ICO: If the breach is likely to result in a risk to the rights and freedoms of individuals (e.g. risk of discrimination, identity theft, financial loss, or reputational damage), we will notify the Information Commissioner’s Office (ICO) without undue delay and at the latest within 72 hours of becoming aware of the breach[23]. Our notification to the ICO will include the nature of the breach (categories and approximate number of data subjects and records concerned), likely consequences, and measures taken or proposed to address the breach. If not all details are available within 72 hours, we will provide information in phases as permitted by Article 33 UK GDPR.
- Notification to Individuals: If a breach is likely to result in a high risk to you (for example, if sensitive personal details have been exposed in a way that could lead to fraud or harm), we will also communicate the breach to you without undue delay[24]. We will contact you directly with clear information on the nature of the breach, the data involved, and any steps you should take to protect yourself (such as changing passwords or being vigilant for suspicious activity). We will also inform you of the actions we have taken to mitigate the breach and provide contact information for further inquiries. We will not notify individuals if, for example, data was encrypted or remedial measures have removed the risk, in line with GDPR Article 34 exceptions, but the ICO will still be informed if required.
- Remediation: After containing the immediate threat, we will work to remedy the root cause of the breach. This may involve patching software, improving access controls, retraining staff, or changing procedures to prevent a similar incident. We will also cooperate with the ICO’s investigations or guidance in response to the breach. Our goal is not only to resolve the incident but to strengthen our data protection going forward.
- Ongoing Communication: We maintain communication with affected individuals and the ICO (if applicable) throughout the process. If further information becomes available after initial notifications, we will update the ICO or individuals as relevant. We also provide support to individuals to help them mitigate any negative effects (for instance, advice on protecting themselves from identity theft if their ID was compromised).
- Review and Learnings: Every breach incident triggers an internal debrief once resolved. We review what went wrong and how effective our response was. We update our policies and train our staff on lessons learned to reduce future risks.
By following this breach handling procedure, we comply with our legal duties under UK GDPR (Articles 33 and 34) and applicable parts of PECR (for telecommunications service providers) as amended by the DUAA 2025. Our priority in any such event is to protect our customers and their data, keeping you informed and taking swift action to prevent or reduce harm.
International Data Transfers
Currently, we do not transfer personal data outside the United Kingdom or European Economic Area (EEA) in our operations. All data is stored and processed on servers located within the UK or EEA, and our primary service providers also host data within these regions. This means your information benefits from the robust data protection laws in those jurisdictions.
If in the future we (or one of our engaged service providers) need to transfer personal data internationally (for example, to a country outside the UK/EEA that may not have equivalent data protection laws), we will ensure that one of the approved safeguards is in place, as required by the UK GDPR Chapter V. These safeguards may include:
- Transferring data only to countries that the UK has designated as adequate (i.e. countries officially recognised to provide an adequate level of data protection).
- Implementing Standard Contractual Clauses (SCCs) or an International Data Transfer Agreement, which are legal contracts approved by regulators that oblige the recipient to protect your data to UK/EU standards.
- Relying on other valid transfer mechanisms or derogations permitted by law (such as explicit consent from you or transfer necessary for the performance of a contract with you).
We will inform you via this policy (and obtain consent if required) before transferring your personal data to any new country or international organization. Any such transfer will fully comply with UK GDPR Articles 44–49 and relevant provisions of DPA 2018, ensuring your data remains secure and your rights are upheld.
We also note that the Data (Use and Access) Act 2025 has introduced some streamlining of international data transfer rules to reduce burdens while maintaining protection[25]. We will stay updated on guidance from the ICO regarding these changes. Regardless of simplifications, our stance remains that your personal data will only be sent overseas if it is lawful and safe to do so. We continuously monitor our vendor relationships and data flows to ensure compliance with the latest requirements.
Data Protection Impact Assessments (DPIAs)
We perform Data Protection Impact Assessments (DPIAs) for any processing that is likely to result in a high risk to individuals’ rights and freedoms, in accordance with UK GDPR Article 35 and Section 64 of DPA 2018. DPIAs are a systematic way for us to identify and minimise data protection risks in new projects or significant changes to how we handle data.
Examples of when we conduct DPIAs include:
- High-Risk Marketing Activities: Our practice of cold calling individuals about ECO4 opportunities, especially when using data sourced from third-party lists, has been evaluated with a DPIA. We considered risks such as calling people who do not expect it or who are vulnerable, and we implemented measures like TPS screening, call scripts that are clear and not misleading, and training to mitigate those risks[26][27].
- Processing of Special Category Data: When we handle health-related information (e.g. someone’s disability status or health condition to assess vulnerability for heating needs), we recognize this as sensitive data. We have conducted DPIAs on these data flows to ensure explicit consent is obtained, the data is highly secured, and only minimal necessary details are collected for determining eligibility.
- New Systems or Technology: If we introduce a new IT system, database, or analytical tool that will process personal data (especially if it involves large-scale profiling or automated decision-making), we will perform a DPIA before deployment. This helps us address questions of necessity and proportionality, security features, and how to facilitate individuals’ rights in the new system.
Our DPIA process includes consulting our data protection officer or an external privacy expert when needed, and incorporating advice from the ICO’s DPIA guidelines. If a DPIA were to indicate that residual risks remain high even after mitigation, we would consult the ICO as required by law before proceeding.
By carrying out DPIAs, we adhere to the “data protection by design and by default” principle (UK GDPR Article 25) – embedding privacy considerations into the planning of our activities. This proactive approach is part of our accountability obligations and ensures we continually evaluate and improve how we protect personal data.
Staff Training and Accountability
We maintain a culture of accountability within Eco Improvements Experts Ltd, meaning every team member understands their responsibility in protecting personal data (UK GDPR Article 5(2)). All staff and any contractors who handle personal data are trained on data protection laws and company policies:
- Training Program: We provide mandatory training on UK GDPR, DPA 2018, and PECR to new employees during onboarding, and regular refresher training to all staff annually. Our training covers key principles (like lawful processing, data minimization, individual rights), practical guidance (such as how to identify and avoid phishing emails, how to properly dispose of confidential documents), and our internal procedures (like how to respond to a data subject access request or what to do if they suspect a data breach). We update the training content to reflect any changes in law or internal policy – for instance, we have included the new developments from the DUAA 2025 into our latest training sessions so that staff are aware of updated rules (such as handling subject access “stop-the-clock” scenarios or new direct marketing interpretations).
- Ongoing Awareness: Beyond formal training, we issue periodic reminders, tips, and updates to keep privacy and security top-of-mind. This may include monthly newsletters with data protection news, posters in the workplace about confidentiality, and targeted coaching if we identify any compliance gaps.
- Monitoring and Supervision: We monitor staff compliance with data protection procedures. For example, we record calls and review a sample for quality and compliance – ensuring representatives give the required privacy notices and handle data appropriately. Managers conduct spot-checks on data entry and sharing practices. Any incidents or near-misses (like emailing information to the wrong address, or an unshredded document found) are treated as opportunities for retraining and improvement, with disciplinary action taken if negligence is found.
- Clear Responsibilities: We have appointed specific roles for data protection governance. Our management team, led by [if applicable, Data Protection Officer or Privacy Manager], oversees compliance efforts. Team leaders are responsible for enforcing good practices in their teams. Employees know how to escalate any data protection concerns up the chain. We maintain documentation (as described below) to demonstrate who is responsible for various aspects of processing.
- Policies and Procedures: We have internal policies (such as this Data Protection Policy, an IT Security Policy, Clean Desk Policy, etc.) that staff are required to follow. These policies are readily accessible to all employees. We obtain acknowledgments from staff that they have read and understood these policies. Regular audits are done to ensure procedures (like timely deletion of data, respecting opt-outs, etc.) are being followed.
By investing in training and enforcing accountability at all levels, we ensure that data protection is embedded in our organizational culture. This approach meets the requirements of UK GDPR Article 24, which mandates that controllers implement appropriate measures and be able to demonstrate compliance[28]. It also aligns with the expectation under DPA 2018 that organisations take responsibility for protecting data and reflects the ICO’s guidance on accountability frameworks.
Records of Processing Activities (ROPA)
In line with UK GDPR Article 30 and our accountability obligations, we maintain a Record of Processing Activities (ROPA). This internal documentation details the key aspects of all personal data processing we carry out. Our ROPA includes information such as:
- Purposes of Processing: A description of why we process personal data in each case (e.g. lead generation for ECO4 scheme, direct marketing, HR/employee data management, etc.).
- Categories of Individuals and Data: The types of data subjects (e.g. prospects, customers, employees) and categories of personal data (e.g. contact details, eligibility info, special category health data) for each processing activity.
- Lawful Basis: The legal basis under UK GDPR for each processing purpose (consent, contract, legitimate interest, etc.), and for special category data the relevant Article 9 condition and DPA 2018 Schedule 1 condition if applicable.
- Recipients of Data: Categories of third-party recipients to whom data is disclosed and why (e.g. “installer partners for service fulfillment,” “cloud hosting provider for data storage,” “accountants for payroll data”).
- International Transfers: Details of any transfers to countries outside the UK/EEA, identifying the country and the transfer safeguard (if any). (At present we have “None” for customer data, as noted in our International Transfers section.)
- Retention Schedule: The intended retention periods for each category of data (as summarized in ‘Data Retention’ above).
- Security Measures: A high-level description of key security measures in place (e.g. encryption, access control, etc.).
Our ROPA is a living document – we update it whenever we introduce new processing activities or changes (for instance, if we start collecting a new type of personal data or engage a new processor, we reflect that in the record). This record can be made available to the ICO on request, and it helps us keep an organized overview of our data processing landscape.
Maintaining a ROPA not only keeps us compliant with the law, but also benefits us by clarifying what data we have and how it flows. It feeds into our DPIAs, our privacy notices, and our ability to respond to data subject requests efficiently. By documenting our processing, we demonstrate compliance as required (the so-called “accountability principle” of GDPR) and ensure nothing falls through the cracks[29].
Handling of Data Protection Complaints
We are committed to addressing any concerns or complaints about how we handle personal data. If you believe we have not processed your personal information in accordance with this policy or data protection laws, or if you are concerned about any aspect of your interaction with us related to privacy, we encourage you to let us know. Our complaint handling process is designed to be accessible and compliant with the latest legal requirements (including the DUAA 2025, which introduced new expectations for complaint handling)[30]:
- How to Lodge a Complaint: You can submit a data protection complaint to us through multiple channels. You may email us at our dedicated privacy address (data@ecoimprovements.co.uk). Please provide as much detail as possible about your issue – for instance, the timeframe of the incident, the data involved, and any communications with our staff on the matter. If you need assistance in formulating a complaint (for accessibility or other reasons), our customer service team can help you.
- Internal Review: Once a complaint is received, we will acknowledge it and a designated manager or our Data Protection Officer will investigate the issue thoroughly. We aim to resolve all complaints promptly and fairly. You can expect a substantive response typically within one month (30 days). If the matter is complex or requires more time, we will inform you of the extension and the reason (and in any event, provide a final response within three months maximum, as guided by DUAA’s provisions on complaint handling).
- Outcome and Resolution: We will provide you with a clear outcome of your complaint. This will include what we found in our investigation, whether we agree that there was an issue or non-compliance on our part, and what steps have been or will be taken to address it. Possible resolutions might include an apology, a corrective action (e.g. correcting or deleting your data if appropriate), changes to our processes to prevent a recurrence, or disciplinary action against an employee if misconduct was involved. We will also inform you of any remediation we carried out (for example, if data was improperly shared, we might contact the recipient to secure deletion). Our goal is to ensure your concern is fully addressed and that you are satisfied with the resolution wherever possible.
- Right to ICO: If you are not content with our response or believe we have not resolved your complaint, you have the right to escalate the matter to the Information Commissioner’s Office (ICO), which is the UK’s supervisory authority for data protection. We will remind you in our response that you can contact the ICO and we will provide their contact details. You do not have to go through our internal process before contacting the ICO – you can do so at any time – but we do encourage using our internal route first so we have the chance to resolve the issue directly. The ICO’s website (ico.org.uk) has guidance on raising concerns and what they can investigate.
- Learning from Complaints: All privacy complaints (even those that turn out to be misunderstandings) are logged internally. We analyse this log periodically to identify any patterns or systemic issues. Complaints help us improve. For instance, if we receive multiple complaints about a similar issue (say, communication about consent), we treat that as a signal to review and possibly enhance that aspect of our practice or training.
Providing an easy and transparent complaint process and responding with outcomes is part of our compliance with the DUAA 2025’s new requirements that organizations have a mechanism to handle data use complaints and inform individuals of the results[30]. More importantly, it’s part of our customer service values. We want you to feel confident that any privacy concern will be taken seriously by us.
Your Data Protection Rights
Under the UK GDPR and DPA 2018, you have a number of important rights regarding your personal data. We honour all these individual rights and will facilitate your exercise of them.
Your principal rights are:
- Right to Be Informed: You have the right to clear and transparent information about how we collect and use your personal data[9]. This Data Protection Policy, along with any privacy notices we provide at data capture points, is intended to fulfill that right by informing you who we are, how and why we process data, who we share it with, how long we keep it, and what rights you have.
- Right of Access: You have the right to request a copy of the personal data we hold about you, as well as to obtain supplementary information about how your data is processed (commonly known as making a Subject Access Request or SAR)[31]. In most cases, we will provide you with a copy of your data free of charge, within one month (30 days) of your request[32] being received. If your request is complex or numerous, we may extend the time by up to two further months, but we will inform you and explain why. We will ask you to verify your identity (to ensure we don’t disclose data to the wrong person) and let you know if we need any additional information to locate your data. The DUAA 2025 has introduced a “stop-the-clock” mechanism allowing us to pause the response time while we await clarification on a request[33]. If we do need you to clarify your request, we will stop the clock and help you narrow it down, then resume once we have your clarification. Your data will typically be provided to you in a structured, commonly used electronic format.
- Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct it[34]. Upon your request, we will investigate and, where appropriate, promptly correct any inaccuracies or add supplementary statements to complete the information. We aim to resolve rectification requests within one month as well.
- Right to Erasure: This is also known as the “right to be forgotten.” You can ask us to delete or remove personal data we hold about you in certain circumstances[35]. This right is not absolute, but we will comply if: the data is no longer needed for the original purposes, you originally gave consent and now withdraw it, you object to processing and we have no overriding legitimate grounds to continue, the processing was unlawful, or erasure is required to comply with a legal obligation[36][37]. Please note that we might not be able to erase your data if an exemption applies – for example, if we are required by law to keep it (such as records of work done under ECO4 for regulatory audit) or if the data is needed to establish or defend legal claims. If we cannot fulfill an erasure request, we will explain why.
- Right to Restrict Processing: You have the right to request that we limit the processing of your data (simply store it without doing anything further) in certain cases[38]. For instance, if you contest the accuracy of the data, or you have objected to processing (see below) and we are considering your objection, or if the processing is unlawful but you prefer restriction to erasure, or if we no longer need the data but you need us to keep it for a legal claim[39]. When processing is restricted, we will not use your data except to store it and will inform you before lifting the restriction.
- Right to Data Portability: In situations where you have provided data to us and we are processing it based on your consent or a contract and the processing is carried out by automated means, you have the right to obtain that data from us in a portable format (e.g. a CSV file), and you can also request that we transfer it directly to another service provider where technically feasible[40]. This right is designed for your convenience (for example, to reuse data across different services). We will comply with portability requests by providing you or a nominated organization your data in a structured, commonly used, machine-readable format. For most of our services, this right may be less applicable (since our processing is not based on you repeatedly providing data to us in a way that would be reused elsewhere), but it is available if relevant.
- Right to Object: You have the absolute right to object to your personal data being used for direct marketing purposes at any time[41]. If you object, we will stop using your data for marketing immediately, with no exceptions. You also have the right to object to processing based on our legitimate interests (or those of a third party) and to processing for research/statistical purposes. In such cases, we will stop processing unless we can demonstrate compelling legitimate grounds for the processing that override your rights, or if the processing is needed for legal claims[42][43]. For example, if you object to our processing of your data for lead generation (which we consider our legitimate interest), we will consider if our interest in processing truly overrides your privacy expectation; generally, if you object, we will cease the processing in question unless we have a strong justification to refuse (which is uncommon).
- Rights related to Automated Decision-Making: You have rights to not be subject to decisions based solely on automated processing that have legal or similarly significant effects on you, unless certain exceptions apply (like you gave explicit consent, or it’s necessary for a contract with you, or authorised by law with safeguards). In any case, currently we do not make any automated decisions or profiling that would produce legal effects or similarly significant effects for you. Any eligibility assessments for ECO4 involve human review and judgment. If that changes, we will inform you and ensure your rights (such as the right to obtain human intervention, express your point of view, and contest the decision) are provided for. Under DUAA 2025, the framework for automated decision-making has become more flexible but with mandated safeguards[44][45]. Rest assured we will adhere to those safeguards if we ever engage in such processing.
To exercise any of these rights, you can contact us using the information in the Contact Us section. We will respond to your requests as soon as possible, and within the statutory time frames (usually one month, i.e. 30 days). There is generally no fee for making a request. If a request is unusually complex or repetitive, we are allowed to charge a reasonable fee or refuse, but we will explain our reasoning in such cases. You also have the right to complain to the ICO if you feel we are not handling your request properly (see ‘Handling of Data Protection Complaints’ above for more on that).
We are committed to upholding your rights and will always aim to facilitate them. When you contact us with a rights request, our team is trained to verify your identity (for security) and then carry out the necessary actions in line with legal requirements and our internal procedures.
Updates to This Policy
We may update this Data Protection Policy from time to time to reflect changes in our practices, to keep up with legal requirements, or to enhance clarity. If the policy is updated, we will post the revised version on our website with a new effective date and, where appropriate, provide a more prominent notice (such as a banner on our website or an email notification). Older versions of the policy will be archived for reference.
Any changes will not retroactively reduce your privacy rights or how we handle previously collected data without your consent. If we plan to process your personal data for a new purpose not covered by this policy, we will provide you with a new privacy notice describing that use and, if required, seek your consent.
We encourage you to review this policy periodically to stay informed about how we are protecting your information. Your continued use of our services after any update to the policy will signify your acceptance of the changes, to the extent permitted by law.
Contact Us
If you have any questions, concerns, or requests regarding this Data Protection Policy or how we handle your personal data, please do not hesitate to contact us:
Eco Improvements Experts Ltd
Email: info@ecoimprovements.co.uk (General Inquiries)
Alternatively, for privacy-specific inquiries: data@ecoimprovements.co.uk
Phone: 0333 090 0322 (Mon-Fri, business hours)
Registered address: Pilgrim House Bishop Street, Town Hall Square, Leicester, England, LE1 6AF
Website: https://www.ecoimprovements.co.uk
When contacting us, please provide as much information as possible about your query so we can assist you efficiently. For example, if you are making a data access request, it helps to mention the context (e.g. “I was a customer in June 2025 for an ECO4 survey”).
We are here to help and committed to resolving any issues to your satisfaction while protecting your rights.
Reminder: By continuing to use our services, you confirm your acceptance of this Data Protection Policy and all other relevant ECO Improvements policies/notices.
APPENDIX: Legal Compliance Mapping
Below is a section-by-section mapping of our Data Protection Policy to specific provisions in the four key legislative frameworks – the UK GDPR (2016), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and the Data (Use and Access) Act 2025 (DUAA) – demonstrating how each part of our policy aligns with legal requirements:
- Introduction: Establishes our commitment to UK GDPR, DPA 2018, PECR, and DUAA compliance, fulfilling the transparency principle (UK GDPR Article 5(1)(a)) and the right to be informed (Articles 13 & 14). It explicitly names the laws for compliance, reflecting DUAA 2025’s position that it amends but does not replace these laws[46]. The acceptance clause (beginning and reminder) is a business practice to ensure users acknowledge the policy; while not mandated by law, it supports fairness and can help demonstrate consent for certain processing if needed (UK GDPR Article 7).
- Data Controller: Satisfies UK GDPR Article 13(1)(a) by identifying Eco Improvements Experts Ltd as the controller and providing contact details. Clarifying that partners become independent controllers when data is shared aligns with GDPR’s definitions (Article 4) and DPA 2018’s stipulations on controllership. This section ensures we meet the obligation to inform individuals who is responsible for their data[2].
- Personal Data We Collect: Addresses UK GDPR Article 13(1)(b)&(c) by describing categories of personal data collected and purposes of use. It aligns with the data minimisation principle (UK GDPR Article 5(1)(c); DPA 2018 Schedule 1, Part 4) by noting we only collect what is necessary[47]. Special category data is noted as collected only with explicit consent, meeting UK GDPR Article 9(2)(a) and corresponding DPA 2018 Schedule 1 conditions. Mentioning that providing certain data is mandatory for service ties into the fairness principle and informs the user per Article 13(2)(e) about the consequences of not providing data.
- Lawful Bases for Processing: Maps directly to UK GDPR Article 6(1) (lawfulness of processing) by listing the exact bases we rely on (Consent, Contract, Legitimate Interests, Legal Obligation). Special category processing is accounted for via explicit consent, per Article 9(2) and DPA 2018. The inclusion of consent withdrawal reflects Article 7(3) UK GDPR. Our example of Legitimate Interests (cold calling) is handled consistently with Recital 47 GDPR (direct marketing as a possible legitimate interest) and PECR rules. The DUAA 2025’s introduction of Recognised Legitimate Interests (Section 70 & Schedule 4 DUAA, amending UK GDPR Article 6) is acknowledged[5], although not directly invoked, showing our awareness of the broadened scope for certain important interests such as crime prevention. DPA 2018 Sections 8 and 10 (which define how the legal obligation and public functions bases are interpreted in UK law) underpin our use of “Legal Obligation” and any “Public Task” (though we did not list Public Task, since it is not applicable to us).
- Use of Personal Data: Fulfills the purpose limitation principle (UK GDPR Article 5(1)(b)) by explicitly stating the purposes for which data is used[48]. It also corresponds to the requirement in Articles 13(1)(c) and 14(1)(c) to inform data subjects of the purposes of processing. The purposes listed (eligibility, contacting, sharing for installation, etc.) tie back to lawful bases and ensure no incompatible use. We referenced DUAA 2025’s clarification on further processing (Section 71 DUAA, amending UK GDPR Article 5 and inserting Article 8A)[6][49], affirming we would only expand use within what individuals might reasonably expect or where law permits with safeguards.
- Sharing Personal Data: Aligns with UK GDPR Article 13(1)(e) and 14(1)(e), which require informing individuals about recipients or categories of recipients of their data. It details our data sharing in compliance with those transparency duties. Each category of recipient is linked to a lawful basis (contract fulfillment, legal obligation, etc.), satisfying GDPR’s conditions for lawful sharing. We also adhere to Accountability (Article 5(2)) by using contracts (Data Processing Agreements) for processors and ensuring joint-controller or independent controller arrangements are clear – as mandated by Articles 26, 28 GDPR and relevant DPA 2018 provisions. The statement that we do not sell data reflects compliance with fairness and avoids unlawful sale without consent (which could otherwise breach PECR if for marketing). DUAA 2025 doesn’t heavily alter general sharing rules but encourages responsible data sharing with high protection[7], which our strict agreements accomplish.
- Data Obtained from Third Parties: Complies with UK GDPR Article 14, which applies when personal data is not obtained directly from the data subject. Article 14 requires us to provide information on the source of data and the categories obtained, as well as all the information listed in Article 13, within one month or at first contact[8]. Our policy explicitly promises to inform individuals of the data source and their rights, meeting Article 14(2) & (3) obligations. This section also aligns with the fairness principle in DPA 2018 and UK GDPR, ensuring no processing of acquired data happens without the subject’s knowledge. By verifying third-party suppliers’ compliance, we adhere to UK GDPR requirements for lawful processing (if a third party’s data was gathered unlawfully, we could not lawfully use it). In essence, this section maps to Article 14 GDPR and demonstrates observance of Section 170 DPA 2018 (which makes it an offence to unlawfully obtain personal data) by avoiding illicit sources.
- Telephone and Marketing Compliance (PECR & TPS): This section is grounded in PECR 2003 (which sits alongside DPA 2018). It maps to specific PECR provisions: we comply with Regulation 21 for live calls (no calling numbers on the TPS/CTPS without consent, and honouring individual objections)[10][11]; Regulation 19 for automated calls (prohibited without explicit consent)[16]; Regulation 22 for electronic mail (unsolicited emails or texts require prior consent unless the soft opt-in applies). We also reference the Ofcom requirement (General Condition) to display Caller ID, which is enforced in practice and reflected in PECR guidance[14]. By screening against TPS and keeping an internal opt-out list, we meet legal duties under PECR Reg. 21 and ICO guidance[13]. The DUAA 2025 amendments to PECR, such as clarifying “calls” (Section 110 DUAA, amending PECR Reg. 2)[18] and extending the soft opt-in to charities (not directly used by us)[19], are acknowledged. We thus ensure marketing is done lawfully (also satisfying UK GDPR Article 6 – consent or legitimate interest – in tandem with PECR) and respect data subjects’ right to object to direct marketing (UK GDPR Article 21(3)), which is absolute.
- Data Retention: Corresponds to the storage limitation principle in UK GDPR Article 5(1)(e) and DPA 2018 (Schedule 1, Part 4). We list specific retention periods and justify them, which aligns with the requirement that personal data shall be kept no longer than necessary for the purposes[20]. This mapping shows compliance with that principle, as well as Article 13(2)(a), which requires informing data subjects about retention periods. Additionally, by stating that deletion or anonymisation occurs afterwards, we meet expectations of secure disposal under GDPR and DPA. (If any statutory requirements mandate minimum retention – e.g. financial records – our periods account for that, aligning with DPA 2018’s provisions that allow retention for legal obligations.) The clarity here also supports the accountability principle, demonstrating that we actively manage and review the data lifecycle.
- Data Security: Maps to UK GDPR Article 5(1)(f) and Article 32, requiring integrity and confidentiality of personal data through appropriate security measures. The measures enumerated (encryption, access controls, training, audits, etc.) reflect what Article 32(1) calls “appropriate technical and organisational measures”[21]. This section also implicitly aligns with DPA 2018’s requirements (e.g. Part 4 for intelligence services, Part 3 for law enforcement, and generally for controllers to secure data – although those parts aren’t directly applicable to us, the security expectations are mirrored). By regularly reviewing security controls and training staff, we satisfy Article 32’s ongoing process approach. The detail provided is consistent with ICO guidance on security and with principle (f) of GDPR. In terms of DUAA 2025, there were no specific changes reducing security obligations; we maintain high standards which also positions us well for any future data protection codes of conduct or certification schemes mentioned in DUAA (Sections 115-116 DUAA enhanced ICO’s oversight and codes, e.g. allowing sectors to develop codes for PECR compliance[50]).
- Data Breach Notification and Handling: Directly tied to UK GDPR Articles 33 (notification to supervisory authority) and 34 (communication to data subjects). Our policy commits to notifying the ICO within 72 hours of becoming aware of a notifiable breach[23], fulfilling Article 33(1) and DUAA’s alignment of various breach notification timelines. Communicating to affected individuals without undue delay when there is high risk is exactly Article 34(1) compliance[24]. We outline assessment and containment steps, which align with GDPR Recital 87 and ICO expectations. The DUAA 2025, via Section 111, brought PECR telecoms breach reporting from 24 hours to 72 hours to align with GDPR[51], which shows our 72-hour standard is up-to-date. Internally documenting breaches corresponds to GDPR Article 33(5). Thus, this section is in full compliance with breach handling laws and demonstrates accountability (Article 5(2)). It also dovetails with DPA 2018’s breach provisions (for law enforcement processing in Part 3, breaches must be notified to the ICO and sometimes to subjects similarly; while not our sector, we essentially follow the general regime which DPA 2018 endorses for others).
- International Data Transfers: Reflects UK GDPR Chapter V (Articles 44-49). Stating we do not transfer outside UK/EEA means we currently avoid cross-border issues, satisfying Article 44’s general requirement. Our pledge to use safeguards like Standard Contractual Clauses if that changes aligns with Article 46 (and the UK’s international transfer mechanisms post-Brexit). This section also acknowledges DUAA 2025’s efforts to simplify transfer rules[25] – DUAA gave the UK government powers to craft new transfer mechanisms and clarify conditions, but until those are in effect, we adhere to existing law. DPA 2018 works with GDPR here, e.g. Section 17 of DPA 2018 defines how restrictions on transfers are implemented, and we comply by only transferring under allowed conditions. Overall, this section ensures we meet legal requirements for data export and inform data subjects of potential international transfers (Article 13(1)(f)), even though currently none occur.
- Data Protection Impact Assessments (DPIAs): Corresponds to UK GDPR Article 35, which mandates DPIAs for high-risk processing, and Article 36 (consulting the ICO if a high risk remains). By conducting DPIAs for our high-risk scenarios, we fulfil this obligation. The policy mentions scenarios such as cold calling and special category data; these are likely to require DPIAs under ICO guidance (e.g., large-scale profiling or use of sensitive data). This shows compliance with DPA 2018 Section 64 as well (which mirrors GDPR’s DPIA requirement for general processing) and with the accountability principle. DUAA 2025 did not remove DPIA duties (earlier drafts considered changing the terminology, but in the final Act the DPIA requirements remain largely intact), so we remain aligned with current law. Our DPIA practice also demonstrates Data Protection by Design and Default (Article 25 GDPR), as we assess and mitigate risks early.
- Staff Training and Accountability: Maps broadly to GDPR’s accountability obligations (Articles 5(2) and 24) and the requirement to have appropriate organisational measures (Article 32(4), which ensures confidentiality through personnel measures such as training). By training staff and monitoring compliance, we adhere to Recital 78 GDPR (which encourages training as part of security) and the ICO accountability framework criteria. This also aligns with DPA 2018’s emphasis on accountability (e.g., Part 3, Chapter 4 for law enforcement has similar requirements for training, and organisations are generally expected to train staff under the accountability principle). If we had a DPO, we would also satisfy aspects of Article 39(1)(b), which includes training staff on data protection. DUAA 2025 did not diminish any training or accountability expectations; in fact, it reinforces the need for organisations to have good practices (such as codes of conduct for sectors under Section 16 DUAA for PECR codes[50], which would presumably include training commitments). Our policy’s transparency about training shows that we are meeting implicit legal standards and building a privacy-resilient culture.
- Records of Processing Activities (ROPA): Directly tied to UK GDPR Article 30 (which requires controllers with 250+ employees, or smaller ones engaged in risky processing, to maintain processing records). We explicitly state we maintain a ROPA consistent with Article 30’s required contents[29]. This demonstrates compliance with that record-keeping duty, and indirectly with DPA 2018 Schedule 1 Part 4 which requires documenting certain special category processing conditions. Through ROPA, we evidence the accountability principle (Article 5(2)), as maintaining such records is often examined by the ICO in compliance reviews. DUAA 2025 did not remove the need for ROPAs; our adherence remains necessary.
- Handling of Data Protection Complaints: This maps to a new obligation introduced by the Data (Use and Access) Act 2025. DUAA Section 7 (and associated provisions) requires organisations to have a mechanism for individuals to lodge complaints about data usage and to be informed of the outcomes[30]. Our policy directly reflects that by providing a clear complaint process, thereby complying with the new law. Additionally, under UK GDPR Article 13(2)(d), we must inform individuals of their right to lodge a complaint with the supervisory authority (ICO); our policy does this in both the complaints section and the rights section (right to complain). DPA 2018 Section 165 also covers how individuals can raise concerns with the ICO; our internal process is an added layer to resolve issues early. By implementing an electronic form and committing to communicate outcomes, we align with the spirit of DUAA 2025’s enhancements to data subject redress.
- Your Data Protection Rights: Aligns with UK GDPR Chapter III (Articles 12–22) and the corresponding parts of DPA 2018. We list each individual right and how we support it, which directly maps to:
  - Article 12: obligation to facilitate rights transparently and without undue delay. Our policy explains how to make requests and our response timeframes, fulfilling Article 12(1)–(4).
  - Articles 13/14: informing individuals of their rights, which we do in this policy’s text[52].
  - Article 15: Right of Access, explicitly stated with our process described (one-month timeline, etc.)[32].
  - Article 16: Right to Rectification, reflected in “Rectify inaccuracies” and our promise to correct data[35].
  - Article 17: Right to Erasure, reflected in “Erase data when no longer necessary” and the conditions we note[53][35].
  - Article 18: Right to Restrict, reflected in “Restrict processing” and the scenario described in our text[38].
  - Article 20: Right to Data Portability, reflected in “Data portability” and our offer to provide machine-readable data.
  - Article 21: Right to Object, reflected in “Object to processing”, with special emphasis on direct marketing (where the right is absolute)[42].
  - Article 7(3): Right to withdraw consent, explicitly included as “Withdraw consent”[54].
  - Article 22: Rights related to automated decisions, covered by text stating that we currently do not carry out such processing and would provide safeguards if we did.
  We also tie in the DUAA 2025 changes for Subject Access (the stop-the-clock and “reasonable searches” provisions codified by Sections 75–78 DUAA, amending GDPR Articles 12–15)[55][56], ensuring that our process accounts for them (such as asking for clarification). Additionally, we mention the right to lodge a complaint with the ICO (Article 13(2) and Article 77 GDPR), mapping to DPA 2018 Sections 165/166 as well. In summary, this section of the policy demonstrates full compliance with the individual rights provisions and shows that we have procedures to honour them, which is a critical part of GDPR/DPA and is reinforced by DUAA’s clarifications (e.g., no fee for SARs unless excessive, and the ability to refuse manifestly unfounded or excessive requests, which we note by referencing possible refusals with reasons).
- Updates to This Policy: While GDPR does not directly require a policy update clause, it aligns with the transparency and accuracy principles by ensuring that data subjects are kept informed of material changes (implied by fairness and possibly by Article 13’s requirement to notify new purposes). It also reflects accountability (showing that we proactively maintain our notices). No specific article mandates this clause, but ICO guidance treats informing individuals about changes to privacy information as best practice. In mapping terms, it supports compliance with Recital 58 GDPR (notifying changes in an understandable way) and helps us meet our obligations if we change our processing (if we began processing for a new purpose, Article 13(3) would require us to inform data subjects). It is thus part of our compliance infrastructure, though not tied to a single legal citation.
- Contact Us: Providing contact information for data protection queries maps to GDPR Articles 13(1)(a) and 12(2), which effectively require that controllers facilitate communication with data subjects. Having clear contact points (email, address, etc.) is also necessary for individuals to exercise their rights (Article 12(1) says communication should be easy). If we had a Data Protection Officer under Article 37, we would list their contact info here (not applicable in our case unless we voluntarily appoint one). This section ensures anyone can reach us to exercise rights or ask questions, thereby supporting compliance with all rights and transparency obligations. DPA 2018 and PECR don’t add separate demands here beyond what GDPR requires, so it’s mainly GDPR alignment.
Each section above has been carefully drafted to mirror the language and intent of the relevant laws, ensuring that our policy is not only a promise to our customers but also a reflection of our legal compliance. We have cited specific legal provisions and guidance (in square brackets throughout the policy) to demonstrate this alignment: for instance, ICO guidance on direct marketing[10][16], and excerpts from government summaries of DUAA changes[33][30], to show that our practices meet the latest standards. In summary, our Data Protection Policy is designed as a practical implementation of the requirements of the UK GDPR, DPA 2018, PECR, and the Data (Use and Access) Act 2025, giving both our customers and regulators confidence that personal data is handled lawfully and ethically at all stages.
[1] [7] [25] [30] [33] [44] [45] [46] Data (Use and Access) Act 2025: data protection and privacy changes – GOV.UK
https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes
[2] [4] [8] [9] [31] [32] [36] [37] [39] [40] [41] [42] [43] [52] [53] Data subject rights under the UK GDPR | nibusinessinfo.co.uk
https://www.nibusinessinfo.co.uk/content/data-subject-rights-under-uk-gdpr
[3] [20] [21] [28] [47] [48] Data protection: The UK’s data protection legislation – GOV.UK
https://www.gov.uk/data-protection
[5] [6] [49] [55] [56] Data (Use and Access) Act factsheet: UK GDPR and DPA – GOV.UK
[10] [11] [12] [13] [14] [15] [16] [17] Telephone marketing | ICO
[18] [19] [50] [51] Data (Use and Access) Act factsheet: PEC Regulations – GOV.UK
[22] [26] [27] [29] [34] [35] [38] [54] ECO Old Data Protection Policy.docx
[23] [24] 72 hours – how to respond to a personal data breach | ICO