UK GDPR Policy

t2 group is committed to protecting and respecting your privacy. This policy explains how we collect, use, disclose, and safeguard your information in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The UK GDPR sets out seven key principles:

 
  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability
 

GDPR compliance

All personal data processing at t2 group is conducted in compliance with UK GDPR requirements. This includes implementing appropriate policies and procedures to manage data securely and lawfully.

 

Lawful basis for processing

t2 group processes personal data under one of the six legal bases:

Consent

Processing data where a positive opt-in is required (e.g., marketing communications).

Contract

When we have a contract with an individual and need to process their data to fulfil contractual obligations.

When an individual requests a service, and processing is necessary to take pre-contractual steps.

Legal obligation

When processing is required to comply with a common law or statutory obligation.

Vital interests

When processing is necessary to protect the vital interests of an individual.

Public task

When processing is necessary to perform a task carried out in the public interest.

Legitimate interest

When processing is necessary for the purposes of legitimate business interests, except where overridden by individual rights.

 

Retention of data

Employee data

Retained in line with the statutory retention periods referred to in our Data Retention Policy, available on our website.

Employee files are archived regularly and can be accessed upon request.

Learner data

Retained in compliance with funding body regulations (typically six years after completion) in line with our Data Retention Policy, available on our website.

Any variances to this will be expressly agreed with the individual.

 

Individual rights

Under UK GDPR, individuals have the following rights:

Right to access

Individuals may request access to their personal data.

Requests should be submitted to dataprotection@t2group.co.uk.

t2 group will respond within one month of receipt.

Right to rectification

Individuals may request correction of inaccurate data.

If data has been shared with third parties, t2 group will inform them of corrections where possible.

Right to erasure ("right to be forgotten")

Individuals can request deletion of their data where there is no compelling reason for continued processing.

Requests may be declined if data is required for legal, contractual, or regulatory purposes.

Right to restriction

Individuals can request that processing of their data be limited in certain circumstances.

Right to object

Individuals may object to processing based on legitimate interest or direct marketing.

Objection requests can be submitted to dataprotection@t2group.co.uk.

Right to data portability

Individuals can request their data in a structured, commonly used format.

Rights related to automated decision-making

t2 group does not use automated decision-making processes.

 

Data breach response

t2 group follows a data breach response plan:

 
  • Breaches are assessed for risk to individuals' rights and freedoms
  • The ICO is notified within 72 hours if required
  • Affected individuals are informed where applicable
 

Privacy by design & security measures

t2 group implements privacy by design principles, including:

 
  • Role-based access controls
  • Data encryption and anonymisation
  • Regular security audits
 

Amendments & contact information

t2 group reserves the right to amend this policy as needed.

For any questions or concerns, contact our Data Protection Officer:

Email: dataprotection@t2group.co.uk

Address: t2 group, Fern House, Unit 1, Links Court, Fortran Road, St. Mellons, Cardiff CF3 0LT.

This policy is reviewed annually to ensure continued compliance with the UK GDPR and the Data Protection Act 2018.