Documents
Ready-made and fully up-to-date employment documents that cover all your personnel dealings

Data protection (19)

GDPR consent to use of employee's image
Normally, you can't rely on an employee's consent as the lawful basis for processing their personal data. However, using their image in marketing materials can be an exception if they have a genuine choice about whether to consent. Personal data: Obtaining an individual's written consent to the processing... Read more
DOWNLOAD
Type: Letter
GDPR data breach policy and response plan
Use our document to ensure the prompt and effective detection, investigation, reporting and resolution of personal data breaches. Personal data breach: Under the General Data Protection Regulation (GDPR), certain personal data breaches must be notified to the Information Commissioner's Office (ICO) and... Read more
DOWNLOAD
Type: Policy
GDPR data processor clauses
If you use any third-party processors to handle employees' personal data, you must by law include a number of key written terms governing data protection in the commercial contracts you enter into with them. Processor obligations: As an employer, you're a "controller" in relation to your employees' personal... Read more
DOWNLOAD
Type: Clause
GDPR data protection clause
Our clause draws attention to your data protection policy and puts the employee under a contractual obligation to comply with any requirements or restrictions in that policy in their personal data-handling activities. It also refers them to your privacy notice for further information concerning the personal... Read more
DOWNLOAD
Type: Clause
GDPR data protection impact assessment
A data protection impact assessment is required where a new type of processing is likely to result in a high risk to the rights and freedoms of data subjects. Use our document as your starting point. What's a DPIA? A data protection impact assessment (DPIA) is a risk assessment tool which can help you... Read more
DOWNLOAD
Type: Document
GDPR data subject access clarification/refusal
Before responding to a data subject access request, the GDPR says that you can use reasonable means to verify the individual's identity, or you can ask them to be more specific about the data sought where you process large quantities of personal data about them. You can also request a fee, or refuse... Read more
DOWNLOAD
Type: Letter
GDPR data subject access request form
The GDPR enables individuals to gain access, on request, to personal data that you hold about them. There's no particular format in which such a request should be made, but you can use our form to assist them with making a request. Form of request: Under the General Data Protection Regulation (GDPR), individual... Read more
DOWNLOAD
Type: Form
GDPR data subject access response letter
Use our GDPR data subject access response letter to set out your reply to a data subject access request that's been made under the GDPR. Response requirements: The General Data Protection Regulation (GDPR) enables individuals to access the personal data that you hold about them by making a data subject... Read more
DOWNLOAD October 2019
Type: Letter
GDPR employee data processing checklist
Our checklist sets out the various tasks you'll need to undertake to ensure GDPR compliance. Whilst some involve producing documents, others are geared towards checking your current processing operations and the security of your systems and training your staff. Compliance checklist: Compliance with the... Read more
DOWNLOAD
Type: Checklist
GDPR employee monitoring clause
Insert our clause into employees' employment contracts to reserve the right to monitor their use of your communications and computer systems. You'll need a lawful basis for processing and you must limit monitoring to the minimum amount necessary to achieve your aims. Consent: Under the General Data Protection... Read more
DOWNLOAD
Type: Clause
GDPR legitimate interests assessment
If you intend to rely on legitimate interests as your lawful basis for processing certain personal data, you should first conduct a GDPR legitimate interests assessment. Lawful basis for processing: To process personal data, under the GDPR you always need a lawful basis for processing. The three most relevant... Read more
DOWNLOAD May 2019
Type: Form
GDPR letter notifying personal data breach
As well as notifying the Information Commissioner's Office (ICO), certain personal data breaches must also be notified to affected data subjects. Your notification to them must, as a minimum, describe the nature of the data breach, the likely consequences of it and the measures you've taken or are taking... Read more
DOWNLOAD
Type: Letter
GDPR personal data breaches register
The General Data Protection Regulation (GDPR) requires you to document all personal data breaches, whether they're notifiable to the Information Commissioner's Office (ICO) or not. Use our register to do this. Mandatory register: Under the GDPR, you must record all personal data breaches in a register,... Read more
DOWNLOAD
Type: Form
GDPR privacy notice for job applicants
The GDPR sets out a list of detailed information that must be included in a privacy notice. Our GDPR privacy notice complies with these requirements. Privacy notice requirements: A compliant privacy notice for the processing of personal data under the General Data Protection Regulation (GDPR) is essential.... Read more
DOWNLOAD
Type: Notice
GDPR privacy notice for staff
The GDPR sets out a list of detailed information that must be included in a privacy notice. Our GDPR privacy notice complies with this. Privacy notice requirements: A compliant privacy notice for the processing of personal data under the General Data Protection Regulation (GDPR) is essential. The GDPR says... Read more
DOWNLOAD
Type: Notice
GDPR register of data subject access requests
The GDPR requires you to demonstrate that you're complying with the data protection principles. Maintaining a GDPR register of data subject access requests can help you show that you're observing subject access rights. Accountability: The General Data Protection Regulation (GDPR) requires you to demonstrate... Read more
DOWNLOAD October 2019
Type: Form
GDPR time extension for subject access response
You can extend the one-month period for compliance with a GDPR data subject access request by a further two months where requests are complex or numerous. Two-month extension: Under the General Data Protection Regulation (GDPR), the time limit for responding to a data subject access request (DSAR) is one... Read more
DOWNLOAD
Type: Letter
Letter to ex-employee threatening to contact ICO
Use our letter where you believe a former employee has taken personal data with them on leaving employment, such as client records, without your permission. Unlawfully obtaining personal data is a criminal offence prosecuted by the Information Commissioner's Office (ICO), so threatening to contact the... Read more
DOWNLOAD
Type: Letter
Record of personal data processing activities
Use our document to keep a written record of your processing activities for employee-related personal data as required by the GDPR. Your record must incorporate certain minimum information. Processing record: There's a specific obligation in the General Data Protection Regulation (GDPR) to maintain a written... Read more
DOWNLOAD
Type: Form