data protection POlicy


1.1. Policy Statement

Data protection compliance and the appropriate and proportionate use of Personal Data is an increasingly significant issue for businesses.  Across our business, Gracilis Ltd ("Gracilis" or "we/us/our") collect and use large volumes of Personal Data relating to our customers, employees, suppliers and other individuals whose data we process for business purposes.

We are fully committed to the protection of the data that we process, including by recognising that compliance with applicable data protection laws is a board level issue that impacts upon everyone and requires all employees to meet certain standards when handling or otherwise processing Personal Data.

We are committed to ensuring that:

  • there are individuals with specific responsibility for data protection within the organisation;
  • everyone whose role requires them to access, use, process and/or be responsible for Personal Data understands that they are responsible for following and promoting good data protection practice (and understands the consequences if they fail to do so);
  • everyone whose role requires them to access, use, process and/or be responsible for Personal Data is appropriately trained to do so and knows how to find out more about how to use Personal Data appropriately;
  • queries about Personal Data are appropriately dealt with; and
  • any use or disclosure of Personal Data will be in compliance with applicable laws and with our approved procedures.

1.2. Scope of this Policy

This Policy is designed to help all employees, contractors and agents (collectively referred to for the purposes of this Policy as "employees") understand Gracilis expectations about how we may use Personal Data from time to time.  The Policy (and the requirements and standards described within it) apply to the use of any Personal Data within Gracilis (in whatever format that data is stored or used).

There are lots of examples of the ways in which Personal Data is used by Gracilis. We have set out a few examples below but you should think carefully about your own role and work with others in your team to understand how you process Personal Data on behalf of Gracilis:

  • if you work on the reception desk of one of our office sites, you will handle the information given by visitors when visiting our office sites;
  • if you are a member of our sales team or another customer facing team you will have access to the Personal Data of our customers to provide them with the services that they request from us;
  • if you work in the HR Team you will have access to HR data as part of your day to day role.

Two additional policies, the Personal Information and Data Protection section contained within the Group Employee Handbook and the Gracilis website privacy policy describe in more detail the way that Gracilis uses (i) employee data and (ii) customer and supplier data respectively.

1.3. Potential consequences of breaching the DPA and this Policy

Breaches of data protection requirements may result in enforcement action by the Information Commissioner against Gracilis and in fines being imposed of up to £18,000,000 (approximately) or 4% of our global turnover, whichever is higher. It is really important to remember that some breaches of data protection law may also be a criminal offence (e.g. deliberately taking or altering copies of personal data without appropriate authorisation). Trust and reliability are an important part of our brand – our customers need to know that we take our responsibilities seriously.  As such, any breach of data protection laws or any security breach could also result in adverse publicity and significant reputational damage.

Gracilis (and its Board) takes compliance with data protection law and this Policy extremely seriously and we expect all employees to take this issue equally seriously. Any breach of this Policy will be investigated and may result in disciplinary action, including termination of employment.  We want you to be able to comply with these requirements and so if you are unsure about what is required of you, what the consequences of non-compliance could be or if you have ideas about how compliance could be improved or made easier, please do talk to your line manager or Louise Whitney in the first instance.

1.4. Sharing this Policy

This Policy (together with any other policies referred to in it) is an internal document and should not be shared with third parties, customers or regulators without prior authorisation from Louise Whitney (details below).

1.5. Changes to this Policy

We will review this Policy regularly to make sure that we are ensuring the highest standards of protection for the Personal Data that we process across Gracilis.  On that basis, it may be updated from time to time.  The Policy does not form part of any contract of employment or service contract, and any changes will be communicated to you in writing from time to time.

This Policy was last updated on 11th October 2021.

1.6. Questions about this Policy

If there is anything in this Policy which you do not understand or which you have any questions about, please contact Louise Whitney (whose details are set out below) for assistance.

Name: Louise Whitney

Telephone No: 01737 274848


However, if you consider that the Policy has not been followed in respect of Personal Data about you or other individuals and you wish to raise a complaint, you should raise the matter with your line manager.


Personal Data

Any information about a living individual which can identify that individual or otherwise allow action to be taken with respect to that individual, even if we don't know their name.

For example, names, contact details including email addresses, job title and other HR data will all obviously be personal data as well as CCTV footage, photographs and voice recordings. So will information in relation to the finances of our customers ahead of a purchase and their choices of optional extras in their new home. 

Other data can qualify as "personal data" even if it would typically be seen as less obviously related to an individual, such as shift patterns, physical descriptions of people, opinions about people, location data, device related data, browsing data, online identities and so on that could all lead to that person being identifiable.

Information which does not on its own identify an individual will still be 'personal data' if it can be put together with other information which Gracilis holds or which it could fairly easily get hold of.  For example, if personal data for an individual has been made 'anonymous' by Gracilis but we hold (or could easily get hold of) information which could identify that living individual, the 'anonymous' information will still be regarded as 'personal data'. True anonymisation is very difficult to achieve and you should not attempt it without support from Louise Whitney.

Sensitive Personal Data

Personal Data about an individual which relates to their race or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health or condition, sexual life, gender or criminal proceedings or convictions.  The law recognises this data as being worthy of extra protection since its misuse presents a higher risk of harm to the individuals.


This covers virtually anything you can do with Personal Data, for example:

  • collecting, obtaining, recording, retrieving, viewing or storing it;
  • organising, adapting or altering it;
  • disclosing, sharing, publishing, disseminating or otherwise making it available; and
  • erasing or destroying it;
  • using it in any way.

Data Subject

An identified or identifiable person such as an individual using our website, one of our customers or an individual contact at a supplier, or one of our employees.

Data Controller

An organisation (such as a business like Gracilis) that determines how and why Personal Data is collected and how and why that data is used.  There can be more than one data controller for a particular dataset.

For the purposes of almost all of the Personal Data that we as a business collect and use, including HR data, customer data and supplier data, we (i.e. Gracilis) will be the data controller.

Data Processor

A third party (i.e. not an employee) processing Personal Data on behalf of a data controller.  This could be a supplier, service provider, business partner or independent contractor/freelancer.

For example, Foot Anstey LLP would be a data processor for Gracilis on the basis that Foot Anstey LLP processes Purchaser’s information data on behalf of Gracilis.

Information Commissioner / ICO

This is the UK Information Commissioner (and "ICO" is an abbreviation of the Information Commissioner's Office) who is responsible for implementing, overseeing and enforcing data protection laws in the UK.


3.1. Overview of the requirements of data protection law

Data protection law requires us to consider risks to individual data subjects' rights whenever we process Personal Data, and to proactively seek to minimise those risks.  As such, and in addition to this overarching Policy, there are lots of processes and policies within the business that are relevant to the way that we use Personal Data.

As well as taking (and demonstrating) a general 'risk based' approach as described above, there are a number of broad principles that we need to comply with when processing Personal Data. We have set out an overview of these principles below, along with an explanation of what this means for Gracilis and for you in practical terms.

Personal data must be processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency').

Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation').

What this means for Gracilis in practice:

Fairness and transparency:

In order to make sure that our processing of Personal Data is fair and transparent, we have to give individuals information about the way that we will use their data.  For example, we have to tell our employees and customers about the purposes for which we will use their data and who else might have access to it.

We typically inform customers and suppliers about the way that we use their data through our privacy notices published on our website.  Employees can find out more about how we process their Personal Data in the Employee Handbook.


We are also required to make sure that we have a legal justification for using data in the way that we want to.  There are various legal justifications for processing Personal Data, and all will require careful legal analysis in each case.  With this in mind, it's very important that data collected for a particular purpose is only used for that same purpose, as we may not have a legal justification to use it for any other purpose.

Sometimes we may be required to get consent from individuals for certain types of processing. For example, processing Sensitive Personal Data will often require explicit consent, and most types of direct marketing are likely to require consent.

There are additional requirements in respect of Sensitive Personal Data and the purposes for which we can process Sensitive Personal Data are more limited.  More information (for relevant business teams) can be found from speaking with Louise Whitney – Sales & Marketing Manager.

When commencing new projects we may need to carry out a data protection impact assessment (as referred to in more detail below) to ensure that our use of Personal Data is necessary and proportionate.

What you need to consider:

You should only use data that you access for the normal purposes of your job role and you should only use that data for its usual or normal purpose.

For example, we couldn't suddenly start using HR data for marketing purposes, and we couldn't start using email addresses of individual contacts at our suppliers for marketing purposes without additional consideration of appropriate legal justifications for such secondary uses of data.

If you use someone's data in a way that might not be obvious to (or expected by) the individual, then you may be breaching data protection law or infringing someone's rights. If you are ever unsure, make sure you consult with Louise Whitney –

If you think that you have identified a new purpose for which the data could be used, you may need to work with key stakeholders to manage any risks involved and ensure that we can use the data in the way that protects the rights of the individuals concerned. In the first instance, you should consult with Louise Whitney –

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation').

What this means for Gracilis in practice:

We should not collect Personal Data that we don't need for specific purposes. For example, we don't need information regarding an individual's religious beliefs or their political preferences, in order to discuss their house purchase (however interested we might be for other reasons).

This may seem like an obvious example, but whenever you are capturing data, you will need to think about how to ensure that you are only collecting what you specifically need for the purpose for which you will process the data.

If we need to share Personal Data with third parties, we must ensure that we only share the minimum information necessary to achieve the purpose of sharing the data.

What you need to consider:

You should use our standard input fields and data capture forms within Outlook for collecting Personal Data wherever relevant, since these have been designed to try to ensure that we only capture data that is relevant for the purpose for which we will process it.

If there is no appropriate template data capture "form" or no available pre-determined data capture fields (e.g. in relation to web analytics), you should only collect the Personal Data that is strictly relevant to what you are doing and you should, at all times, seek to "minimise" the data that we collect and process, including by considering and applying applicable retention policies and practices.  You should not speculatively collect excess or additional data fields (even if you think that the additional data may be of interest to Gracilis) as we may not have a valid legal basis to do so.

Personal data must be accurate and where necessary, kept up to date ('accuracy').

What this means for Gracilis in practice:

We are required to implement processes and policies to ensure the 'quality' of our data and to ensure that it can be kept up to date and accurate.

Although ultimately it is our responsibility to make sure Personal Data is up to date and accurate, we will often be reliant on data subjects themselves to tell us of changes to their Personal Data. From a practical perspective it is often useful to encourage data subjects to contact us if Personal Data we hold about them becomes out of date or if they are aware of any inaccurate data we hold about them. For example, we may ask our customers to verify that their details on our systems are up to date.

If we are notified about inaccurate data (for example, a change of contact telephone number or email address), we must ensure that our records are updated promptly.  It will be the responsibility of Louise Whitney to ensure that processes are in place to facilitate this.

What you need to consider:

If an individual notifies you that their Personal Data is incorrect, or that their circumstances have changed, you should ensure that our records for that individual are updated (including ensuring that all relevant datasets and records are updated, not just the dataset that you are using or working with). You will also need to ensure that applicable policies and processes are followed, e.g. processes to periodically review, cleanse, validate and update existing datasets.

Personal Data must not be kept for longer than is necessary for the purpose or the purposes that we collect it for ('storage limitation').

What this means for Gracilis in practice:

We should not keep Personal Data for longer than we need it (this requires us to consider the original purpose for which the data was collected). If Personal Data is no longer required for the purposes for which it was collected, we should securely and confidentially dispose of or delete it.

What you need to consider:

You should ensure that data that is out of date, or that is no longer required for its original business purpose is deleted according to our existing documented practices and processes. You must ensure that we comply with our Data Retention Policy at all times.  If you are unsure about whether or not data is still required for its original business purposes, you must speak to your line manager or Louise Whitney – as opposed to simply retaining it without checking.

If you think that you have identified a new purpose for which the data could be used (and so you want to keep it for an extended period), you may need to work with key stakeholders to manage any risks involved and ensure that we can use the data in the way that protects the rights of the individuals concerned. In the first instance, you should consult with Louise Whitney –

Personal Data must be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

What this means for Gracilis in practice:

We need to implement processes to ensure that we keep all Personal Data secure and confidential, and that access is only granted to those people that need and have a right to access it.

Wherever we share Personal Data with service providers or suppliers (e.g. outsourced payroll, hosting or data storage), we need to ensure that we factor in the security of Personal Data that we share at the earliest stage of negotiating the relationship, and that we build appropriate protections for the data into our contracts with these suppliers and related processes.

What you need to consider:

Keep the Personal Data that we process secure and confidential (remember that your contract of employment or service contract also includes general confidentiality obligations).

There are specific standards that we require you to comply with in respect of data security set out in the Group Employee Handbook. 

As a rule of thumb, you must not disclose any Personal Data to a third party supplier or customer other than in very limited circumstances. There are a number of specific conditions that can permit the disclosure of Personal Data.  You should work with Louise Whitney – Sales & Marketing Manager to determine whether or not in each case it is appropriate to disclose data.  You should not try to make those decisions on your own – if you are unclear, speak to Louise Whitney.

Even in circumstances where the disclosure of data may be justified:

  • any disclosure of Personal Data must be subject to appropriate security safeguards (e.g. sent on an encrypted storage device or via encrypted channels and, depending on the nature of the Personal Data, including appropriate and relevant confidentiality restrictions/obligations on the part of the recipient) in accordance with our policy set out in the Group Employees Handbook and
  • you must also ensure that appropriate contract terms have been put in place (and appropriate procurement and information security processes have been followed, as well as taking into account Gracilis’ other obligations as described in this Policy).

Always speak to Louise Whitney – 01737 274848 or email if you are unsure or need further guidance.

3.2. "Accountability" and "Data Governance"

Being able to demonstrate accountability and good data governance has long been considered 'best practice' in respect of data protection compliance.  However, applicable laws now require us to formally build these concepts into our data protection compliance framework and, accordingly, to put data protection at the heart of our business processes wherever appropriate.

The Data Controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles described above ('accountability')

What this means for Gracilis in practice:

Accountability requires Gracilis to be able to demonstrate that we comply with all of the principles described in section 3.1 of this Policy, above.

In practical terms, this means that we must be able to show that we take data protection rights seriously, i.e. that we have a 'top down' approach and that this is a Board level issue for us.

It also requires us to show that we have implemented strategies, policies, processes, business rules, practices, controls and so on, and that we have ensured that our employees understand what is required and are able to comply, for example by raising awareness and providing training.

We must monitor compliance with our policies and processes and take action to ensure that any issues of non-compliance are remedied by the provision of further training or other measures and we must regularly review the adequacy of our policies and processes to ensure they enable compliance with the data protection principles.

What you need to consider:

You will need to make sure that you have read and understood all Gracilis policies relevant to the use of Personal Data (including this Policy), and that you carefully follow all relevant processes and practices.

Gracilis relies on the proactive and appropriate conduct of all employees in order to be able to demonstrate 'accountability'.  If you have any concerns about the way that Gracilis uses Personal Data or if you can think of ways that we could do things better, please always speak to Louise Whitney – 01737 274848 or email

Demonstrating good 'data governance' involves compliance with a suite of obligations including keeping records of processing, being able to demonstrate Data Protection by Design and Default, and conducting Data Protection Impact Assessments.

What this means for Gracilis in practice:

Data protection laws require Gracilis to put in place "comprehensive but proportionate governance measures". Best practice tools that have been championed for a long time by the Information Commissioner such as privacy impact assessments and privacy by design are now legally required in certain circumstances.  Gracilis will need to:

∙ keep certain records of the Personal Data that we process;

∙ implement measures, policies and processes to show that Gracilis builds data protection into its business practices (i.e. that we adhere to the principle of "data protection by design and default" particularly when implementing a new service or engaging with a new business partner);

∙ conduct data protection impact assessments in some scenarios where data processing presents certain risks to individuals;

∙ put the rights of the individual Data Subjects at the very heart of what we do; and

∙ keep its decision not to appoint a statutory data protection officer under review.

What you need to consider:

You will need to make sure that you understand the way that data protection impacts your role, and work with your teams and Louise Whitney, to ensure that you understand how you can demonstrate good data governance in your everyday role.

More specifically, you must make sure that you have read and understood our data protection policies and that you have attended all necessary training.  As set out above, if you have any concerns about the way that Gracilis uses Personal Data or if you can think of ways that we could do things better, please always speak to Louise Whitney – 01737 274848

3.3. Engaging third parties to process Personal Data on our behalf

We must only use Data Processors that provide sufficient guarantees to ensure that the data for which we are responsible is subject to appropriate protection.

What this means for Gracilis in practice:

Our arrangements with Data Processors must be documented in a written contract and that contract must include certain mandatory clauses as required by data protection laws.

We must carry out checks (including appropriate information security due diligence) before appointing any Data Processor to ensure that they are capable of providing appropriate protections for the relevant Personal Data and to ensure that their processing of the data will be compliant with applicable requirements.

Please always speak to Louise Whitney – 01737 274848 or email for more information before appointing a third party Data Processor and before signing any Data Processor terms.

We will carry out ongoing monitoring of Data Processors to ensure compliance with Data Protection Legislation, e.g. periodic audits or reviews.

What you need to consider:

You will need to work closely with Louise Whitney (and other stakeholders such as the IT team) to ensure that the third party supplier, service provider, business partner or contractor/freelancer is capable of providing appropriate protections for Personal Data, and to ensure that any contract terms are acceptable to us before signing them.  You may need to assist in carrying out a data protection impact assessment in certain circumstances and so it is important to engage with Louise Whitney and other stakeholders as early as possible when procuring services or engaging with suppliers that may act as Data Processors on Gracilis behalf.

You will also need to understand the location of processing carried out by the supplier (see 3.5 below).

3.4. Record keeping

We must keep a record of our data processing activities, including the purposes of processing, a description of the categories of individuals and categories of Personal Data, categories of recipients to whom Personal Data is disclosed, details of overseas data transfers, time limits for erasure of different categories of Personal Data and a general description of security measures in place to protect Personal Data.

What this means for Gracilis in practice:

We must ensure that a central record of all data processing activities is maintained.

Any new data processing activities or changes to existing data processing activities must be recorded on the central record.

We will ensure that we regularly review the record to ensure that it is accurate and up to date.

Our central record of processing is available at 111 Bell Street, Reigate, Surrey, RH2 7LF.

What you need to consider:

If you think that you have identified a new or different purpose for which the data is or could be used, please talk to your line manager or Louise Whitney so that we can update the appropriate records.

3.5. What data protection rights do individuals have?

Applicable data protection laws give individual Data Subjects various rights.  It is important that you understand them and that you are able to recognise them (since you could, depending on your role, be the recipient of a request from an individual to exercise their rights). A very brief summary of the rights is set out below:

  • the right to ask to see what Personal Data Gracilis holds about them and to find out about the way that we process the data (so-called "subject access requests");
  • the right to require Gracilis to correct any Personal Data which is inaccurate (this can extend to requiring Gracilis to update data that has been passed to a third party);
  • the right to ask for Personal Data to be deleted in some (but not all) circumstances;
  • the right to restrict, prevent, object to or stop processing of Personal Data in some (but not all) circumstances;
  • the right to be given a copy of certain Personal Data in a format that can be read by another business (i.e. the right to 'port' or transfer certain data from one business to another);
  • the right to object to and prevent direct marketing; and
  • the right not to be subject to automated decisions where the decision produces a legal effect or a similarly significant effect (such as deciding whether and on what terms to offer credit to an individual) unless an exemption applies.

The key points to remember are that:

  • an individual's request to exercise a right under data protection law may take many forms including email and could also include messages through social channels, and it does not have to include reference to data protection law.  A request could be easy to miss and so it is important that you understand the rights in order to spot them if they come to you by email or other means;
  • there are very short time limits that apply and individuals do NOT usually have to pay a fee in order to exercise their rights.  You must escalate any request to exercise data protection rights immediately (on the same day wherever possible) to Louise Whitney – Make sure that you speak to them as soon as possible or get an email or phone call acknowledgement so that you can be sure that the issue has been appropriately escalated.

3.6. Can I transfer Personal Data outside of the UK?

Applicable data protection laws place restrictions on the way that Data Controllers can transfer Personal Data outside of the UK.  Crucially, that does not mean that we can never send Personal Data outside of the UK, but it does mean that there are some important processes to go through before we can do so – this is likely to include looking at the 'recipient' country and the 'recipient' organisation, and may require us to put certain contractual and practical arrangements in place in respect of the international data flow.

Some examples of international data flows that could trigger these requirements are:

  • engaging an overseas or cloud-based SaaS provider;
  • using a data storage provider such as AWS or Microsoft Azure on any basis other than using UK server space; and
  • engaging an overseas IT maintenance and support provider.

The earlier in the process that these issues are raised, the easier it will be to come up with a workable solution.  Speak to Louise Whitney whenever this is (or is likely to be) an issue. Remember that a "transfer" means that any processing occurs in the overseas territory, even if the data is just viewed or accessed from overseas – "transfers" are much broader than just overseas data storage.


Any employee dealing with telephone enquiries should be careful about disclosing any personal information held by us. In particular they should:

  • Check the caller's identity to make sure that information is only given to a person who is entitled to it;
  • Suggest that the caller put their request in writing if they are not sure about the caller's identity and where their identity cannot be checked;
  • Refer to their line manager or Louise Whitney – for assistance in difficult situations.

No-one should feel that they are being bullied into disclosing personal information.


Data protection breaches and data security breaches can take a variety of forms (it is not all about cyber security or 'hacking' or phishing attempts).  For example, all of the following (and many more events) would count as a data breach:

  • lost or stolen files, laptops or devices containing Personal Data;
  • a supplier inadvertently being given access to Personal Data not related to the services that they provide;
  • Personal Data being sent to the wrong recipient/email address;
  • Personal Data accidentally being disclosed via social media;
  • a website/platform error allowing individuals to see each other's account details;
  • unauthorised, malicious access to our websites, systems, servers or data.

The two key points for you to be aware of are:

  • there are – in many cases – mandatory requirements to notify regulatory authorities of a data breach, and the mandatory notification timeframes are extremely short (72 hours in many cases); and
  • if you suspect that there has been a data breach (even if you are not sure), you must immediately contact Louise Whitney,, even if it is in the evening or at the weekend.  Make sure that you speak to someone or get an email or phone call acknowledgement so that you can be sure that the issue has been appropriately escalated.


Clearly, we take our data protection obligations extremely seriously.  One of the ways that we can ensure that we mitigate risks to the individuals whose data we have (and also mitigate compliance risks to Gracilis) is to ensure that whenever we process Personal Data, we put the individual's data protection rights at the heart of everything we do.

Data protection by design and default impacts on every team and every role within the business and having a good understanding of this Policy is a good starting point for everyone.

Essentially, applying the principle of data protection by design and default will require you to factor in and give consideration to data protection whenever you process Personal Data, and particularly when you propose to do something new with Personal Data.  Data protection should not be a "bolt on" issue or an afterthought and, as such, the key practical point is to make sure that you consider these issues as soon as possible at the concept/design/proposal stages of any new business plans or processes involving Gracilis’ use of Personal Data.

A few illustrative examples of the ways that we can apply data protection by design and default are set out below:

  • Procurement: whenever we procure new services, we should consider at the earliest stage of the procurement process whether or not the service provider will be processing Personal Data on our behalf and if so, what risks the proposed activity presents from a data protection perspective (and what action might be required to minimise those risks).  For example, our procurement process should include a consideration of data protection implications, and the data protection risks should be factored into the process of selecting and appointing a service provider;
  • HR: if we introduce new HR processes (or suppliers) or if we propose to handle or share HR data in a new way, there are very likely to be data protection implications.  We should, make sure that these data protection implications are identified and considered at the earliest stage, i.e. data protection issues should be addressed at the concept/proposal stage (rather than after the decisions to change/update the relevant processes have been made);
  • Marketing: new marketing processes will often involve new uses of Personal Data.  For example, carrying out new types of profiling/segmenting of marketing contacts, initiating a new email marketing campaign or procuring a new hosted CRM supplier will all require a consideration of associated data protection issues.  The important point is to make sure that any issues are identified and addressed up-front at the earliest/proposal stage as this means that, not only will we minimise risks to individuals and the business, but we can also make sure that the consideration of data protection related issues is as streamlined as possible to facilitate delivery of business plans and objectives (rather than, for example, finding out at a later stage that the new business processes create data protection challenges that need to be 'unpicked' or amended to reduce risks).

If you have any questions or if you think that there are ways that we can do things better (i.e. if you identify a way for Gracilis to apply data protection by design and default), please speak to Louise Whitney – 01737 274848.


Louise Whitney – Is responsible for reviewing this Policy on an ongoing basis (and at least annually) and updating our board of directors on Gracilis' data protection responsibilities and any risks in relation to the processing of data. We will continue to review the effectiveness of this Policy to ensure it is achieving its stated objectives.  If you have any concerns or suggestions, please let Louise Whitney know in the first instance.