Bostonair Group GDPR Policy (UK GDPR & Data Protection Act 2018 Compliant)
1. Introduction
Bostonair Group (and all Associated Companies including Bostonair Technical Training Ltd, Bostonair Ltd and Boston Renewables) must gather, store, and process certain information relating to individuals and organisations in order to fulfil its business and service obligations. This may include customers, clients, suppliers, employees, contractors, job applicants, and other contacts with whom the organisation has a relationship or may need to communicate.
This policy sets out how personal data must be collected, handled, processed, and protected to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy also outlines our responsibilities regarding the use of personal data for marketing purposes, including the lawful and appropriate use of names, email addresses, job titles, and related information for direct marketing, business development, and communications.
2. Policy Scope
This policy applies to all staff, contractors, and anyone acting on behalf of Bostonair Group. All staff must familiarise themselves with this policy and comply with its requirements.
It supplements our existing internal policies relating to IT, information security, email and internet use. Additional guidelines may be issued from time to time, and any updated or supplementary policies will be circulated in advance of adoption. This policy applies to all personal data held by the company, even where certain categories may fall outside strict GDPR definitions.
Personal data covered by this policy includes, but is not limited to:
- Names
- Postal addresses
- Email addresses
- Telephone numbers
- Job title
- CVs, qualifications, skills and work history
- Financial, payroll or administrative information
- Any other information relating to an identifiable individual
3. Terms and Definitions
Business Purposes
Business purposes include legitimate activities such as:
- Personnel, administrative, payroll and HR functions
- Customer management and service delivery
- Communications, including marketing activities
- Business development and commercial operations
- Compliance with legal, regulatory, and governance obligations
- Record-keeping, training, quality control, and auditing
- Operational processes, such as pre-employment checks
- Safety, security, and monitoring of staff access
- Investigation of complaints or incidents
Marketing is considered a legitimate business purpose when processed under a lawful basis such as consent or legitimate interests.
Personal Data
Personal data means any information relating to an identified or identifiable natural person. Examples include contact details, job titles, financial details, qualifications, and any other personal identifiers.
Data Controller:
The organisation responsible for determining the purposes and legal basis for processing personal data.
Data Processor:
A third party that processes data on behalf of the controller.
Processing:
Any operation performed on personal data, including collection, storage, retrieval, use, sharing, restriction, or deletion.
Supervisory Authority:
The national data protection regulator. For Bostonair Group, this is the Information Commissioner’s Office (ICO).
4. Responsibility for This Policy
The Data Protection Officer (DPO) holds overall responsibility for managing and implementing this policy. She acts as the point of contact for staff and external enquiries relating to data protection.
5. Data Protection Principles
Bostonair Group adheres to the six core principles of the UK GDPR. Personal data must be:
- Lawful, fair, and transparent
  Collected and processed with a lawful basis, and communicated openly.
- Collected for specified and legitimate purposes
  Data cannot be used for purposes incompatible with the original reason for collection.
- Adequate, relevant, and limited
  Only data that is necessary for the stated purpose may be collected.
- Accurate and kept up to date
  Reasonable steps must be taken to ensure data accuracy.
- Not kept for longer than necessary
  Data must be retained only for as long as required.
- Processed securely
  Data must be protected through appropriate technical and organisational measures.
Bostonair Group is committed to upholding these principles in all data processing.
6. Accountability and Transparency
We must be able to demonstrate compliance with each UK GDPR principle. This includes:
- Maintaining up-to-date documentation of processing activities
- Implementing appropriate technical and organisational measures
- Conducting Data Protection Impact Assessments (DPIAs) where required
- Adopting privacy-by-design and privacy-by-default practices
All staff are responsible for ensuring compliance within their area of work.
7. Purpose of This Policy
This policy ensures that Bostonair Group:
- Meets all legal obligations under UK data protection law
- Protects the rights of staff, customers, partners, and stakeholders
- Operates transparently in how personal data is stored and processed
- Reduces the risk of data breaches, reputational damage, or legal issues
8. Lawful Basis for Processing
Under the UK GDPR, Bostonair Group may process personal data under the following lawful bases:
Contract – Article 6(1)(b)
Processing necessary to perform a contract or take steps prior to entering into a contract.
Legal Obligation – Article 6(1)(c)
Processing required to comply with legal or regulatory requirements.
Legitimate Interests – Article 6(1)(f)
Processing necessary for our legitimate business interests, including:
- Business communications and operations
- Network and information security
- Marketing to existing or interested business contacts (where appropriate and expected)
Consent – Article 6(1)(a)
Used primarily for marketing communications where consent is required or preferred.
9. Data Protection Risks
This policy helps mitigate risks such as:
- Unauthorised disclosure of personal data
- Failure to respect individual choice regarding marketing or data use
- Reputational harm following data loss or cyber breaches
- Legal and financial penalties for non-compliance
10. Responsibilities
Company Responsibilities
Bostonair Group must:
- Document the types of personal data processed
- Ensure procedures protect individuals’ rights
- Identify lawful bases for processing
- Ensure consent mechanisms are compliant
- Detect, report, and investigate data breaches
- Store data securely
- Conduct risk assessments and DPIAs
Employee Responsibilities
Employees must:
- Understand their data protection obligations
- Conduct processing activities in line with this policy
- Avoid unlawful handling or careless storage of data
- Report concerns or breaches immediately
- Ensure data is used only for legitimate business purposes
- Follow approved processes when using or sharing data
Roles with Specific Responsibility
Board of Directors
Ultimately accountable for data privacy compliance.
Data Protection Officer
- Oversees data protection compliance
- Provides training and guidance
- Manages data subject requests
- Reviews data protection agreements and contracts
- Reports to the board on risks and issues
IT Coordinator
Responsible for IT security measures including:
- Maintaining secure systems
- Performing security checks
- Assessing third-party services for data security
Marketing Manager
Responsible for:
- Ensuring marketing practices comply with data protection requirements
- Ensuring marketing databases are accurate and up to date
- Ensuring marketing communications meet UK GDPR standards
- Managing marketing permissions, including opt-outs and suppression lists
11. General Staff Guidelines
Employees must:
- Only access personal data when needed for work
- Avoid sharing data informally
- Use strong, confidential passwords
- Store data securely and dispose of it appropriately
- Seek guidance if unsure about compliance
- Ensure data is regularly reviewed and updated
12. Data Storage and Security
Paper Records
- Must be stored in locked cabinets or secure rooms
- Must not be left unattended or visible to unauthorised staff
- Must be shredded when no longer required
Electronic Records
- Must be password protected
- Stored on approved drives and cloud services
- Backed up regularly
- Not saved on personal devices
- Protected by security software and firewalls
- Encrypted before external transfer
13. Data Use
When using personal data:
- Screens must be locked when unattended
- Data must not be sent via unsecured email
- Transfers must be encrypted
- Data must not be processed outside the UK/EEA unless compliant safeguards exist
- Staff must use the central data system to avoid duplication
14. Data Accuracy
Bostonair Group will take reasonable steps to ensure all data is accurate and current.
- Data will be stored in as few locations as necessary
- Staff should update data whenever inaccuracies are identified
- Marketing databases must be checked against suppression files every six months
15. Rights of Individuals
Bostonair Group respects all rights under the UK GDPR, including:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object (including objection to marketing)
- Rights related to automated decision-making and profiling
Objections to direct marketing must always be honoured immediately.
16. Disclosing Data to Third Parties or Authorities
Personal data may be disclosed to law enforcement or regulatory bodies when legally required.
Before doing so, the Data Controller must verify the legitimacy of the request.
Subject access requests must be verified and handled in line with statutory timeframes.