Documents
Ready-made and fully up-to-date employment documents that cover all your personnel dealings

< Go back

Data protection (27)

GDPR consent to use of employee's image
Normally, you can't rely on an employee's consent as the lawful basis for processing their personal data. However, using their image in marketing materials can be an exception if they have a genuine choice about whether to consent.Personal dataObtaining an individual's written consent to the processing... Read more
DOWNLOAD
Type: Letter
GDPR data breach policy and response plan
Use our document to ensure the prompt and effective detection, investigation, reporting and resolution of personal data breaches.Personal data breachUnder the UK GDPR, certain personal data breaches must be notified to the Information Commissioner's Office (ICO) and sometimes affected data subjects need... Read more
DOWNLOAD
Type: Policy
GDPR data processor clauses
If you use any third-party processors to handle employees' personal data, you must by law include a number of key written terms governing data protection in the commercial contracts you enter into with them.Processor obligationsAs an employer, you're a "controller" in relation to your employees' personal... Read more
DOWNLOAD
Type: Clause
GDPR data protection clause
Our clause draws attention to your data protection policy and puts the employee under a contractual obligation to comply with any requirements or restrictions in that policy in their personal data-handling activities. It also refers them to your privacy notice for further information concerning the personal... Read more
DOWNLOAD
Type: Clause
GDPR data protection impact assessment
A data protection impact assessment is required where a new type of processing is likely to result in a high risk to the rights and freedoms of data subjects. Use our document as your starting point.What's a DPIA?A data protection impact assessment (DPIA) is a risk assessment tool which can help you... Read more
DOWNLOAD
Type: Document
GDPR data subject access clarification/refusal
Before responding to a data subject access request, the UK GDPR says that you can use reasonable means to verify the individual's identity, or you can ask them to be more specific about the data sought where you process large quantities of personal data about them. You can also request a fee, or refuse... Read more
DOWNLOAD December 2020
Type: Letter
GDPR data subject access request form
The UK GDPR enables individuals to gain access, on request, to personal data that you hold about them. There's no particular format in which such a request should be made, but you can use our form to assist them with making a request. Form of requestUnder the UK GDPR, individual data subjects have the... Read more
DOWNLOAD
Type: Form
GDPR data subject access response letter
Use our GDPR data subject access response letter to set out your reply to a data subject access request that's been made under the UK GDPR.Response requirementsThe UK GDPR enables individuals to access the personal data that you hold about them by making a data subject access request (DSAR). In response... Read more
DOWNLOAD January 2021
Type: Letter
GDPR data subject rights clarification/refusal
Use our letter to respond to a data subject who has requested the erasure, rectification or restrictions on the processing of their personal data, where further information is required to identify the individual. You can also use it to ask for a fee, or to refuse to act on the request, if it's manifestly... Read more
DOWNLOAD March 2021
Type: Letter
GDPR employee data processing checklist
Our checklist sets out the various tasks you'll need to undertake to ensure UK GDPR compliance. Whilst some involve producing documents, others are geared towards checking your current processing operations and the security of your systems and training your staff.Compliance checklistCompliance with the... Read more
DOWNLOAD
Type: Checklist
GDPR employee monitoring clause
Insert our clause into employees' employment contracts to reserve the right to monitor their use of your communications and computer systems. You'll need a lawful basis for processing and you must limit monitoring to the minimum amount necessary to achieve your aims.ConsentUnder the UK GDPR, you can... Read more
DOWNLOAD
Type: Clause
GDPR erasure of data request form
The UK GDPR enables individuals to make a request for the erasure of the personal data that you hold about them. You can use our form to assist them with making a request.The statutory rightUnder the UK GDPR, individual data subjects (including employees and workers) have the right to require you to... Read more
DOWNLOAD
Type: Form
GDPR erasure of data response letter
You can use our letter to set out your reply to an individual's request, made under the UK GDPR, for erasure of some or all of their personal data that you hold about them. Erasure of personal dataWhere any of the grounds for making a request are met, the UK GDPR enables individual data subjects to submit... Read more
DOWNLOAD
Type: Letter
GDPR legitimate interests assessment
If you intend to rely on legitimate interests as your lawful basis for processing certain personal data under the UK GDPR, you should first conduct a legitimate interests assessment.Lawful basis for processingTo process personal data, under the UK GDPR you always need a lawful basis for processing. The... Read more
DOWNLOAD
Type: Form
GDPR letter notifying personal data breach
As well as notifying the Information Commissioner's Office (ICO), certain personal data breaches must also be notified to affected data subjects. Your notification to them must, as a minimum, describe the nature of the data breach, the likely consequences of it and the measures you've taken or are taking... Read more
DOWNLOAD
Type: Letter
GDPR personal data breaches register
The UK GDPR requires you to document all personal data breaches, whether they're notifiable to the Information Commissioner's Office (ICO) or not. Use our register to do this.Mandatory registerUnder the UK GDPR, you must record all personal data breaches in a register, regardless of whether they're notifiable... Read more
DOWNLOAD
Type: Form
GDPR privacy notice for job applicants
The UK GDPR sets out a list of detailed information that must be included in a privacy notice. Our privacy notice complies with these requirements.Privacy notice requirementsA compliant privacy notice for the processing of personal data under the UK GDPR is essential. The UK GDPR says that the information... Read more
DOWNLOAD
Type: Notice
GDPR privacy notice for staff
The UK GDPR sets out a list of detailed information that must be included in a privacy notice. Our privacy notice complies with this.Privacy notice requirementsA compliant privacy notice for the processing of personal data under the UK GDPR is essential. The UK GDPR says that the information you provide... Read more
DOWNLOAD
Type: Notice
GDPR rectification of data request form
The UK GDPR provides the right for individuals to make a request to you for the rectification of their personal data, which they can do if they wish by completing our form.The statutory rightThe UK GDPR provides the right for individuals to require you to rectify any inaccurate personal data that you... Read more
DOWNLOAD
Type: Form
GDPR rectification of data response letter
Once you've dealt with an individual's request, made under the UK GDPR, for rectification of their personal data, you can use our letter to set out your response to them.Rectification of personal dataThe UK GDPR enables individuals to submit a request that you rectify the personal data that you hold... Read more
DOWNLOAD
Type: Letter
GDPR register of data subject access requests
The UK GDPR requires you to demonstrate that you're complying with the data protection principles. Maintaining a GDPR register of data subject access requests can help you show that you're observing subject access rights.AccountabilityThe UK GDPR requires you to demonstrate that you're complying with... Read more
DOWNLOAD
Type: Form
GDPR restriction of processing request form
One of the data subject rights in the UK GDPR is to obtain restriction of processing of their personal data. Our form provides a straightforward way for them to make a request for this.The statutory rightUnder the UK GDPR, an individual can require you to restrict processing of their personal data where... Read more
DOWNLOAD
Type: Form
GDPR restriction of processing response letter
Individuals have a right in certain circumstances to prevent the processing of their personal data. If processing is restricted, you can store the data, but you have limited rights to process it. Use our letter where you've restricted processing.Restrictions on processingUnder the UK GDPR, individuals... Read more
DOWNLOAD
Type: Letter
GDPR time extension for data subject rights response
Using our letter, you can extend the one-month time period for compliance with a data subject rights request by a further two months if the request is complex or if you have received numerous requests from the individual.Standard time limitUnder the UK GDPR, the time limit for responding to a data subject's... Read more
DOWNLOAD February 2021
Type: Letter
GDPR time extension for subject access response
You can extend the one-month period for compliance with a UK GDPR data subject access request by a further two months where requests are complex or numerous. Two-month extensionUnder the UK GDPR, the time limit for responding to a data subject access request (DSAR) is one month from the date of receipt... Read more
DOWNLOAD
Type: Letter
Letter to ex-employee threatening to contact ICO
Use our letter where you believe a former employee has taken personal data with them on leaving employment, such as client records, without your permission. Unlawfully obtaining personal data is a criminal offence prosecuted by the Information Commissioner's Office (ICO), so threatening to contact the... Read more
DOWNLOAD
Type: Letter
Record of personal data processing activities
Use our document to keep a written record of your processing activities for employee-related personal data as required by the UK GDPR. Your record must incorporate certain minimum information.Processing recordThere's a specific obligation in the UK GDPR, to maintain a written record of your processing... Read more
DOWNLOAD
Type: Form