Privacy Policy 

Privacy Policy

Organisations are compelled by data protection laws to process personal data fairly and transparently.They are required to give data subjects a Privacy Notice in order to comply with this requirement.

A privacy notice should inform a data subject in a context of sharing:

·         Any automated decision-making, including profiling, and the methodology used to reach those judgments

·         Any retention durations or standards that are used to establish retention durations

·         Consequences of failing to provide the information if it is required by law or a contract

·         If not directly from you, where the info came from.

·         If the data will be sent to a third nation, where, and under what conditions

·         The capability of submitting a grievance to the Information Commissioners Office

·         The flexibility to change your mind at any time, if appropriate

·         The name and contact information for the organisation’s data protection officer

·         The name and contact information of the company in charge of the data you are sharing.

·         The organisation’s legitimate interests, as appropriate

·         The potential subcontractors with whom your information might be shared

·         The types of personal information

·         What justifies sharing it, and on what legal grounds?

·         Your rights as a data subject are present.

Luxpool is the company distributing this notice to you and in charge of the data you have provided.

Sharing of personal information enables:

·         Observance of statutory and legal requirements.

·         Performing pool maintenance based on past experience

·         Providing a variety of useful pool construction and service data.

·         Templates for information sharing protocols

Because all employees of these organisations are subject to the common law obligation of secrecy, any information you supply to us must be kept private and not disclosed to anyone else unless:

·         You provide permission for the information to be shared.

·         You have the right to seek a copy of your information in accordance with the Data Protection legislation.

·         To address the needs of service users for communication, reasonable measures must be implemented. These requirements should be disclosed to partners in data exchanged as part of integrated, local data sharing processes with your permission.

·         Partners are required or permitted by law to reveal the information to another company or individual.

Data Protection Policies


Policy, scope, and goals

ü  The Board of Directors of Luxpool Ltd, with office at PA104, Technology Centre, Glaisher Drive, Wolverhampton WV10 9RU is committed to compliance with all applicable UK and EU laws regarding personal data, as well as to protecting the “rights and freedoms” of individuals whose information we collect in accordance with the General Data Protection Regulation (GDPR).


ü  To that purpose, Luxpool Ltd.’s Board of Directors/Principals has created, implemented, maintained, and constantly improved a written personal information management system (‘PIMS’).


the geographic context, jurisdiction, management responsibility, organisational structureof the PIMS.

The PIMS’s objectives

The PIMS goals for Luxpool Ltd are that it should:

·         Ensure the company complies with all applicable statutory, regulatory, contractual and/or professional obligations,

·         Impose controls in accordance with the company’s acceptable level of risk,

·         Protect the interests of individuals and other important stakeholders.

·         Support organisational goals and obligations,

The following are some examples of how Luxpool Ltd. complies with data privacy laws and best practices:

·         Ensuring the security of all personal data; limiting the transfer of personal data beyond the EU to situations where it can be effectively safeguarded; and making use of the numerous exemptions permitted by data protection laws;

·         Gathering just the minimal amount of personal data necessary for these purposes and avoiding processing excessive amounts of personal data;

·         Just keeping personal data as long as it’s required for legal, regulatory, or admissible organisational purposes;

·         Letting people know exactly who will be using their personal information and how it will be utilised;

·         Maintaining current and accurate personal information as needed;

·         Processing only appropriate and pertinent personal information;

·         Processing personal data honestly and legally; keeping a list of the categories of personal data that the company processes;

·         Processing personal data only when it is absolutely necessary for lawful organisational reasons;

·         Protecting people’s privacy rights, especially the right to subject access to their personal information;

·         The designation of employees with specific responsibilities and accountability for the PIMS

·         The development and implementation of a PIMS to make it possible to put the policy into practice;

·         When necessary, identifying internal and external stakeholders and the level of their involvement in the management of the company’s PIMS;

The Information Commissioner has been alerted by Luxpool Ltd. that it is a data controller and that it processes specific data regarding data subjects. The Data Inventory Register contains all the personal data that we have identified and processed.

Data Protection Officer

The designated individual with the company (The Data Protection Officer) keeps a copy of the ICO notification details, and the ICO Notification Handbook is utilised as the final, official source for notification instructions.The annual ICO notifications are refreshed automatically.

The Data Protection Officer is in charge of annually reviewing the notification details in light of any modifications to the company’s operations (as determined by changes to the Data Inventory Register and the management review) and any new requirements discovered through data protection impact analyses.

All employees [and interested parties] of Luxpool Ltd are subject to the policy, including outsourced suppliers. Any violation of this PIMS or the GDPR will be handled in accordance with the company’s disciplinary procedures and may constitute a criminal offense, in which case the incident will be notified as quickly as possible to the relevant authorities.

Partners and any other parties that work for or with the business and have access to or may obtain personal information are assumed to have read, comprehended, and complied with this policy.

Without first signing a data confidentiality agreement that places third parties under obligations no less onerous than those to which the company is committed and that gives the company the right to audit compliance with the agreement, no third party is permitted to access personal data held by the company.

Term usage within the Organisation

Child: According to the GDPR, a child is someone who is younger than 16 years old. Only with parental or custodial consent is it legal to process a child’s personal information under the age of 13.

Controller– The natural or legal person, public authority, agency, or other body that chooses, on its own or in collaboration with others, the objectives and means of processing a person’s personal data is known as the data controller. If the objectives and means of processing are determined by Union or Member State law, the controller or the precise requirements for its nomination may also be specified by Union or Member State law.

Establishment – The controller will make the majority of its decisions about the nature of its data processing activities at its principal establishment within the EU. An EU processor’s administrative hub will be its primary location. If a controller is located outside of the EU, it must designate a representative to act on its behalf and communicate with supervisory authorities in the country in which it conducts business.

Filing system-Any organised collection of personal data that is searchable based on predetermined criteria, whether centrally located, spread geographically, or distributed according to functional criteria is referred to as a filing system.

Information breach-An unintentional or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that has been sent, stored, or otherwise processed constitutes a personal data breach. The controller has a responsibility to notify the supervisory authority of any breaches of personal data that may have an impact on the data subject’s privacy or personal information.

Personal information-An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier like a name, an identification number, location information, an online identifier, or to one or more factors specific to that natural person’s social,  physiological,physical, mental, genetic, economic, and cultural identity. Personal data includes any information relating to an identified or identifiable natural person (the “data subject”).

Processing- It is any action taken on a personal data set or set of personal data, whether or not it is done automatically. Examples include gathering, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination, or other means, aligning or combining, restricting, erasing, or destroying data.

Profiling-A natural person’s performance at work, economic condition, location, health, personal preferences, reliability, or conduct may all be evaluated using profiling, which is any automated processing of personal data intended to do so. This definition is connected to the data subject’s right to object to profiling as well as a right to information regarding the practice’s existence, any applicable policies, and any potential negative impacts on the person.

Special data segments– The processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data pertaining to a natural person’s sex life or sexual orientation are special categories of personal data. These categories also include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership.

Subject consent-Any freely offered, precise, well-informed, and unambiguous expression of the data subject’s preferences by which he or she, by a statement or by a blatant affirmative action, expresses assent to the processing of personal data is referred to as data subject consent.

Subject of information-Any living person whose personal information is the topic of a company’s database is referred to as a data subject.

Territorial scope-The GDPR shall be applicable to all controllers that are based in the EU (European Union) and who treat data subjects’ personal information within the context of that establishment. It will also apply to controllers based outside the EU who use personal data to market goods and services to data subjects who live there or to keep tabs on their activity.

Third party-Other than the data subject, the controller, the processor, and those who are directly authorised to handle personal data by the controller or processor, a third party is any real or legal person, public authority, agency, or body.

Information security guidelines

The following data protection principles of the Regulation shall be followed in all processing of personal data, and the company’s policies and processes are set up to ensure compliance with them.

·         According to GDPR, the controller must have transparent and readily accessible rules relating to the processing of personal data and the enjoyment of individuals’ “rights and freedoms.”

·         Luxpool Ltd.’s Fair Processing Procedure is outlined in a separate document, and personal data will be processed in a way that is legal, fair, and transparent.

·         The data subject will receive information in an understandable format using simple, straightforward language. The particular details that will be given to the data subject will at the very least consist of:

·         The identity and contact information of the controller and, if applicable, the controller’s representative; the contact information of the Data Protection Officer; the duration of storage of the personal data; the existence of the right to request access, rectification, erasure, or to object to the processing; the categories of personal data that will be processed; and

Only specific, legal, and specified reasons may necessitate the collection of personal data.In accordance with the company’s formal notification to the Information Commissioner as part of its GDPR registration, data gathered for specific reasons won’t be used for any other purposes.The pertinent procedures are outlined in the company’s fair processing policy.

Personal data will be sufficient, pertinent, and kept to a minimum required for processing

The GDPR Owner, who is the data protection officer, is in charge of preventing the collection of information that is not strictly essential for the intended purpose.

The Data Protection Officer will give his or her approval to all forms used to collect data, whether they are electronic or paper-based or part of new information systems.

The Data Protection Officer will see to it that every year, [internal audit/external experts] examine all data gathering methods to make sure that the data continues to be sufficient, pertinent, and not excessive.

Name is responsible for making sure that any data provided or retrieved that is excessive or that is not specifically required by the company’s stated procedures is securely deleted or destroyed in accordance with the company’s policy for disposing of storage media.

The information we collect about you will be true and current

Long-term stored data will be examined and updated as appropriate. No data should be retained unless there is a solid basis for doing so.All employees must receive training from the company on the value of gathering accurate data and maintaining it.

Individuals must also make sure that the data the company maintains is accurate and current. It will be assumed that the data contained therein is accurate as of the date of submission if the appropriate registration or application form is completed.

Any changes in circumstance should be reported by employees to the company so that personal records can be updated appropriately. The company is accountable for making sure that any notification of a change in circumstances is taken seriously and addressed.

In light of the volume of data collected, the potential speed at which it might change, and any other pertinent factors, it is the duty of the data protection officer to ensure that additional measures are taken as necessary to maintain the accuracy and currency of personal data.

The Data Protection Officer will assess all the personal data that the organisation maintains at least once a year, using the Data Inventory Register as a guide. In accordance with the company’s policy for disposing of storage media, the DPO will identify any data that is no longer necessary in the context of the registered purpose and make arrangements to have it securely deleted or destroyed.

The data protection officer is in charge of taking the necessary steps to ensure that inaccurate or outdated personal information provided to third party organisations does not influence decisions about the individuals in question. They also have to pass along any necessary corrections to the third party.

Let's get your project started?

For a bespoke quote, Book a Free Consultation with our expert consultants today !