1. Introduction
The FSC Group (“FSC”, “we”, “us”, “our”) is committed to protecting the privacy and security of personal data belonging to our employees, workers, contractors, job applicants, and customers. This policy explains what personal data we collect, how and why we use it, and the rights you have over it.
This policy has been updated to reflect the Data (Use and Access) Act 2025 (“DUAA”), which amends the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”). The DUAA’s data protection reforms were introduced in stages between June 2025 and 19 June 2026, and this policy reflects the position once all provisions are in force.
This policy applies alongside, and does not replace, our internal HR policies (including our Recruitment, Employee Records, and Data Retention procedures). Where you have questions about how your data is used in a specific process, please speak to your line manager or the HR team in the first instance.
2. How and why we use your personal data
We collect and use personal data to run our business responsibly, to meet our obligations as an employer, and to provide a good experience for our customers and candidates. We only use your data where we have a valid legal basis to do so, and we will always tell you if we intend to use it for a materially different purpose than the one for which it was collected.
If you choose not to share certain personal data, or you withdraw a permission you have previously given us, we may not be able to provide the related service — for example, we cannot progress a job application without your CV, or process certain payroll benefits without your bank details.
2.1 The legal bases we rely on
Depending on the activity, we rely on one or more of the following legal bases under Article 6 UK GDPR:
- Contract – to perform your contract of employment, or a contract for goods or services.
- Legal obligation – to comply with employment, tax, health and safety, or other legal requirements.
- Legitimate interests – where our need to use the data (or a third party’s) is not overridden by your rights and interests, for example to manage our business, protect our premises, and improve our services.
- Recognised legitimate interests – the DUAA introduced a defined list of “recognised legitimate interests” (Annex 1, UK GDPR) covering matters such as safeguarding vulnerable people, preventing crime, and responding to requests from public bodies. Where processing falls within one of these categories, we are not required to carry out a full legitimate interests balancing test, though we still only process data that is necessary for the purpose.
- Consent – for example, where you have agreed to receive marketing communications or to us holding your speculative CV. You can withdraw consent at any time.
- Vital interests – in rare cases, to protect someone’s life, for example in a medical emergency.
2.2 What we use your data for
- To respond to queries, complaints, and refund requests, and to keep a record of how we have communicated with you, on the basis of our legitimate interest in providing a good service and improving it over time.
- To operate CCTV at our premises and car parks, to protect our people, customers, premises and assets, on the basis of our legitimate business interests.
- With your consent, to consider your CV or application (whether sent directly, via a recruitment agency, or found on a job board or social media) for current or future vacancies. You may withdraw this consent, and opt out of hearing from us, at any time.
- To send you relevant communications by post relating to employment contracts, company information, or responses to a complaint, on the basis of our legitimate business interest. You may opt out of postal communications at any time.
- To send communications required by law, or necessary to tell you about changes to a service — for example, changes to this policy or product recall notices. These do not include promotional content and do not require prior consent when sent by email or text.
- To comply with a legal or contractual obligation to share data with law enforcement — for example, in response to a court order.
- To send survey and feedback requests to help us improve our services, on the basis of our legitimate interest in understanding and improving the customer and employee experience. These do not include promotional content.
3. Automated decision-making
Where we use automated tools to support decisions that affect you (for example, initial screening of job applications), the DUAA has replaced the previous blanket restriction on solely automated decision-making with a “permission-plus-safeguards” model (Articles 22A–22D UK GDPR). This means automated decisions can be made in a wider range of circumstances, provided we put in place appropriate safeguards. Where a decision is made about you without meaningful human involvement, you have the right to:
- be informed that an automated decision has been made about you;
- obtain meaningful information about the logic involved;
- request human review of the decision, and contest it if you disagree.
Decisions based on special category data (such as health information) remain subject to stricter conditions, and we do not use automated tools to make final decisions of this kind without human oversight.
4. How we protect your personal data
We know data security matters to our employees and customers, and we take appropriate technical and organisational measures to protect the personal data we hold.
- Access to personal data is restricted and password-protected, on a need-to-know basis.
- Sensitive data, such as payment card information, is encrypted and tokenised.
- We regularly monitor our systems for vulnerabilities, and our IT support provider carries out penetration testing to identify and address weaknesses.
- We maintain incident response procedures so that any data breach is contained, assessed, and reported to the Information Commissioner’s Office (ICO) and affected individuals where required, within the statutory timescales.
5. Call recording
We record calls to and from our customer service and sales lines for training, quality assurance, and to help resolve queries or disputes. Recording is carried out in line with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which permits business call recording for these purposes without requiring the caller’s separate consent, provided callers are told the call may be recorded.
- What we record: calls to and from customer service and sales telephone lines.
- Why: staff training and coaching, quality assurance, and as evidence in the event of a dispute or complaint.
- Legal basis: our legitimate interests in maintaining service standards and resolving disputes fairly.
- Notification: callers are told at the start of the call that it may be recorded, and are given the option to raise their query in writing instead if they would prefer not to be recorded.
- Retention: recordings are kept for [insert retention period, e.g. 6–12 months] before secure deletion, in line with Section 6, unless a recording is needed for longer as evidence in an ongoing complaint, dispute, or investigation.
- Access: recordings can only be accessed by line managers, IT and the quality team on a need-to-know basis.
If you would like to request a copy of, or the deletion of, a call recording that features you, you can do so via the process set out in Section 8.
6. How long we keep your personal data
We only keep personal data for as long as necessary for the purpose it was collected, and in line with our data retention schedules and any legal or regulatory retention requirements (for example, statutory retention periods for payroll and tax records).
At the end of the relevant retention period, your data is either securely deleted or anonymised — for example, aggregated with other data so it can no longer identify you, for statistical analysis and business planning.
7. International data transfers
FSC operates across the UK, Czech Republic, Canada, Malaysia, Germany, and Austria, and we may share personal data between these locations and with our suppliers and service providers overseas.
Where we transfer personal data outside the UK, the DUAA replaced the previous “essential equivalence” test with a new “data protection test”, which asks whether the standard of protection in the destination country is “not materially lower” than the standard of protection under UK law. We apply this test, together with appropriate safeguards, before making any restricted transfer. These safeguards may include:
- a UK “data bridge” (adequacy) regulation covering the destination country;
- the UK’s International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses; or
- other legally recognised safeguards approved by the ICO.
You can request further details of the safeguards we apply to a specific transfer by contacting our Data Protection Officer using the details in Section 10.
8. What are your rights over your personal data?
Subject to certain exemptions, you have the right to:
- request access to the personal data we hold about you, free of charge in most cases;
- request correction of your personal data where it is inaccurate, out of date, or incomplete;
- request erasure of your personal data — for example, once the purpose for which we hold it has ended (such as the end of employment), unless we need to keep it for a legal purpose such as payroll;
- request that we restrict or stop processing your personal data, including where you have withdrawn consent or object and we have no overriding legitimate interest;
- object to processing based on legitimate interests or for direct marketing purposes;
- request a portable copy of personal data you have provided to us, in certain circumstances;
- withdraw consent at any time, where processing is based on consent; and
- not be subject to a decision based solely on automated processing without appropriate safeguards, as set out in Section 3.
If we decide not to action a request, we will explain our reasons to you.
8.1 Making a request (subject access requests)
You can request a copy of the personal data we hold about you at any time by contacting our Data Protection Officer using the details in Section 9. Under Article 12A UK GDPR (introduced by the DUAA), we must respond within one calendar month of receiving your request. Where we reasonably need further information to confirm your identity or clarify the scope of your request — for example, because you hold a large volume of data with us — the one-month period runs from when we receive that information, rather than from your original request. We may extend the period by a further two months for complex or numerous requests, and we will tell you within the first month if this applies.
We will carry out a reasonable and proportionate search of our records in responding to your request.
9. How to complain
From 19 June 2026, the DUAA introduces a statutory right for you to complain to us directly about how we handle your personal data (new section 164A, Data Protection Act 2018), before referring the matter to the ICO. If you are unhappy with how we have used your personal data, you can complain to us by:
- emailing our Data Protection Officer at toril@thefscgroup.com;
- writing to us at the address in Section 10
We will acknowledge your complaint within 30 days of receiving it, and respond without undue delay, keeping you updated on progress and the outcome.
If you remain dissatisfied after raising a complaint with us, or you would prefer to complain directly, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10. Contact us
Data Protection Officer: Toril Simpson
Address: The FSC Group, Cheddar Business Park, Wedmore Road, Cheddar, BS27 3EB
Email: toril@thefscgroup.com
Telephone: 01934 745600 (Toril Simpson or Kate Heappey)
ICO registration number: Z9225290
11. Changes to this policy
We may update this policy from time to time to reflect changes in the law, ICO guidance, or our own processing activities. We will communicate material changes to employees via PeopleHR and update the version and date at the top of this document.