This Privacy Standard describes how SATIGO handles personal data relating to clients, candidates, suppliers, employees, workers and other third parties. It is produced in accordance with the UK GDPR and our internal data protection policy.
| Detail | Information |
|---|---|
| Data Protection Officer | Sally Leishman |
| Email | info@satigo.com |
| Phone | +44 (33) 0027 1492 |
| Standard owner | Joanne Shand (oversight of this Privacy Standard) |
For any questions regarding our data policies, please use the details above. We aim to respond within 72 hours, counted on working days.
SATIGO uses cookies which are necessary for the proper functioning of its websites. Subject to your preferences, we may also use cookies to improve your experience, remember log-in details, manage sessions, provide secure log-in, collect statistics, optimise site functionality, and deliver content tailored to your interests.
We do not use advertising or tracking cookies. You can withdraw consent at any time via our cookie preference centre or by emailing info@satigo.com.
This Privacy Standard sets out how SATIGO handles the personal data of our clients, candidates, suppliers, employees, workers and other third parties. It applies to all personal data we process regardless of the media on which that data is stored, or whether it relates to past or present employees, workers, customers, clients or supplier contacts.
SATIGO is committed to protecting and respecting your privacy. We need to collect and use certain types of information about people in the course of our work. This Privacy Standard describes how that data must be collected, handled and stored to meet our data protection standards and comply with UK GDPR.
Why it matters: this Standard protects both the people whose data we hold, and SATIGO itself from the consequences of a breach. Everyone who handles personal data within SATIGO is responsible for reading and following this Standard.
The correct and lawful treatment of personal data maintains confidence in the organisation and supports successful business operations. For failure to comply with the UK GDPR we are exposed to potential fines of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher (the equivalent maximum under the EU GDPR is EUR 20 million or 4% of turnover).
Always contact the DPO before starting a new processing activity, drafting a privacy notice, sharing data with a third party, or if you suspect a breach however minor.
We are responsible for establishing practices and policies in line with the GDPR. This Standard sets out our responsibilities and obligations under the law.
We adhere to the principles relating to processing of personal data set out in the GDPR. Personal data must be:

- Processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure inaccurate data is erased or corrected without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes.
- Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
The controller is responsible for, and must be able to demonstrate, compliance with all of the above principles.
Data subjects have rights which must be upheld — including access, rectification, erasure, portability, and the right to object.
Processing is lawful only if at least one of the bases set out in the GDPR applies: consent, contract, legal obligation, vital interests, public task, or legitimate interests (where those interests are not overridden by the interests or fundamental rights of the data subject). The lawful basis must be identified and recorded before processing begins.
We must not process personal data in ways that are unduly detrimental, unexpected, or misleading to the individuals concerned.
We must be open and honest with individuals about how we use their data. Privacy notices must be clear, concise, and accessible.
Consent must be freely given, specific, informed and unambiguous. Pre-ticked boxes or silence do not constitute consent. Withdrawal must be as easy as giving it.
If you are unsure which lawful basis applies to a processing activity, contact the DPO before proceeding.
Four operational principles govern how personal data is collected, used and retained day to day.
Personal data must be collected only for specified, explicit and legitimate purposes. You cannot use it for new, different or incompatible purposes unless the data subject has been informed and consented where required.
Only collect personal data that is adequate, relevant and limited to what is necessary. Do not collect data on a "just in case" basis.
Take reasonable steps to ensure personal data is accurate and up to date. Establish processes to identify and correct inaccuracies without unnecessary delay.
Do not keep personal data longer than necessary. Retention periods are defined in our Retention Schedule — contact the DPO for the current schedule.
Personal data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage. Our minimum baseline controls include:
All actual or suspected personal data breaches must be reported to the DPO within 4 hours of discovery. The DPO will assess severity and, where the breach is likely to result in a risk to individuals' rights and freedoms, notify the ICO within 72 hours of SATIGO becoming aware of it. Where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay.
Never attempt to handle a suspected breach without notifying the DPO first. Self-remediation without reporting increases regulatory risk.
The UK GDPR restricts transfers of personal data to countries outside the UK to ensure that the level of data protection afforded to individuals is not undermined (transfers to the EEA are currently covered by UK adequacy regulations). You may only transfer personal data outside the UK if one of the following applies:
All international transfers must be documented in the Record of Processing Activities (RoPA) and approved by the DPO before transfer commences.
Data subjects have rights when it comes to how we handle their personal data. All requests must be forwarded to the DPO immediately on receipt and responded to without undue delay and in any event within one calendar month. That period may be extended by up to two further months where a request is complex or numerous, but the data subject must be told of the extension, and the reason for it, within the first month.
| Right | What it means |
|---|---|
| Withdraw consent | Withdraw consent to processing at any time. |
| Be informed | Receive certain information about the data controller's processing activities. |
| Access | Request access to the personal data we hold about them. |
| Object to marketing | Prevent our use of their personal data for direct marketing purposes. |
| Erasure | Ask us to erase personal data no longer necessary for the purposes for which it was collected. |
| Rectification | Rectify inaccurate data or complete incomplete data. |
| Restrict processing | Restrict processing in specific circumstances. |
| Object to processing | Challenge processing justified on the basis of legitimate interests or public interest. |
| Transfer safeguards | Request a copy of an agreement under which personal data is transferred outside the EEA. |
| Object to ADM | Object to decisions based solely on automated processing, including profiling. |
| Prevent damage | Prevent processing likely to cause damage or distress to the data subject or anyone else. |
| Breach notification | Be notified of a personal data breach likely to result in high risk to their rights and freedoms. |
| Data portability | In limited circumstances, receive or transfer their personal data in a structured, commonly used and machine-readable format. |
The data controller must implement appropriate technical and organisational measures, in an effective manner, to ensure compliance with the data protection principles — and must be able to demonstrate that compliance. Our accountability framework covers six operational areas:
Full, accurate records of all processing activities — maintained in the Record of Processing Activities (RoPA).
Data protection considerations embedded into all new projects, systems and processes from the outset.
All staff complete data protection training at induction and annually thereafter. Records maintained by the DPO.
Data Protection Impact Assessments completed for all high-risk processing activities before commencement.
Appropriate data processing agreements (DPAs) in place with all processors and sub-processors.
Regular internal audits of data protection practices. External audit aligned to ISO 27001 certification cycle.
We reserve the right to update this Privacy Standard from time to time and may make changes without prior notice. Where local laws conflict with this Standard, this Standard does not override the requirements of those national laws.
Material changes will be communicated to all SATIGO personnel and the Standard will be re-issued with an updated version number and date. The DPO is responsible for maintaining the Standard and ensuring it remains current.
| Term | Definition |
|---|---|
| ADM | Automated Decision-Making — decisions made solely by automated means, including profiling, that have a legal or similarly significant effect on an individual. |
| BCR | Binding Corporate Rules — internal rules that allow lawful transfer of personal data outside the EEA within a corporate group. |
| Company Personnel | Employees, workers, contractors and any other individuals processing personal data on behalf of SATIGO. |
| Consent | A freely given, specific, informed and unambiguous indication of a data subject's wishes — by clear affirmative statement or action. |
| Data Controller | The entity that determines the purposes and means of processing personal data. |
| Data Subject | An identified or identifiable natural person to whom personal data relates. |
| DPIA | Data Protection Impact Assessment — required for high-risk processing. |
| DPO | Data Protection Officer — Sally Leishman, PMO Lead. |
| EEA | European Economic Area. |
| GDPR | The General Data Protection Regulation, as it applies in the UK. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. |
| Privacy Notice | A notice given to data subjects describing how their personal data will be processed. |
| Processing | Any operation performed on personal data — collection, storage, use, disclosure, erasure and more. |
| RoPA | Record of Processing Activities — SATIGO's internal register of all data processing activities, maintained by the DPO. |
| Special Categories | Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, biometric or genetic data, or data concerning sex life or sexual orientation. |
This Privacy Standard has been approved on behalf of SATIGO Limited. It will be reviewed annually, or sooner if there is a material change in our processing activities, the regulatory environment, or following any breach or audit finding.
Data Protection Officer
SATIGO Ltd
Standards referenced: UK GDPR · Data Protection Act 2018 · ICO guidance