GDPR Policy

Pocket Office Services Limited – GDPR policy April 2022

Pocket Office Services Limited is committed to protecting our clients’ data and the identity of individuals within our clients’ organisations, our staff, freelance contractors, and our suppliers. We are committed to ensuring that your personal data is stored and processed correctly, and in line with the GDPR regulations. This document outlines how we do this, what personal information we hold about individuals, how we use this data and how to opt-out of future marketing correspondence.

If you have any questions about the information that we hold or wish to request access or changes to your data, please contact us.

You can write to us at our Registered Office:
Artillery Business Park, Oswestry, Shropshire, SY11 4AD

You can telephone us on:
+44 (0)1691 889600

You can email us at:

We gather and retain data on prospective and existing clients and suppliers for the following reasons:

  • Information on clients and suppliers is used to enable us to provide services and products, to enable us to market information on products and services which we believe will be of interest to existing and prospective clients, to manage activities such as selecting prospects and suppliers and to enable us to invoice clients and pay suppliers. Such information may include, but is not limited to, name, addresses, job titles, bank account details, directors’ names and company historical details obtained from Companies House, data on services and products enquired about or purchased, data gathered through client satisfaction surveys, or any other personal information which may have been provided by the client, prospective client or supplier in the course of entering into a business relationship.
  • Due to the nature of our business, products and services we provide may include personal data supplied to us. This data is not processed in any way apart from being used solely for the purpose requested by the client in creating artwork, online content or in supplying products or services of which that data is an integral part. Appendix I also details examples of where information will be transferred to a third party within the EEA, or to a third party outside of the EEA and whether that country is covered by a European Commission adequacy decision or Privacy Shield.
  • The provision of personal data is a contractual requirement necessary to enter into a contract with us – such information may include, for example; details of individuals who have the authority to act on behalf of a business or organisation whom they represent, or if they are acting in the course of their own business or personal requirements for our services, the requirement to provide us with information to enable us to identify the legal owner(s) of the entity with whom we enter a contract, means of contacting them such as addresses, telephone numbers and email addresses, and financial information such as trade references, bank details etc. to enable us to provide invoices for our services and to serve documents to request payment. Failure to provide such data will mean we will not enter into a contract.
  • We may from time to time undertake postal, digital or telephone marketing campaigns or lead nurturing using individuals’ data supplied to us as they have entered into a trading relationship with us, have expressed an interest in our services or have specifically opted in to receive marketing information from us. This data may be monitored and interpreted during a campaign using third-party providers and software to identify individuals’ interests and responses to marketing emails.
  • We may also be party to individuals’ data supplied to us by clients or prospective clients in the course of undertaking or quoting to undertake marketing work for them – such as marketing campaigns to their own database which they may supply to us. This data may be monitored and interpreted in the course of a campaign using third-party providers and software to identify individuals’ interests and responses to marketing emails, or may be processed using third-party software to identify fictitious or non-existent email addresses. The client will indemnify us in such cases and will provide us with details of how the data was acquired along with their opt-in procedures to ensure compliance with the GDPR relating to marketing.
  • Individual client data may also be accessible to third party service providers to enable us to provide technical support and online security such as IT support companies, data centre employees and website security company employees as an integral and necessary part of providing these services. We will never share data unless in the course of providing products or services in the normal course of undertaking our normal business and contractual obligations, unless we are legally required to do so.

Retention periods:
Client and supplier records will be retained for the duration of our relationship with the individual/organisation and for a further 6 years as part of the statutory financial and trading records of the company.

Supplier management:
We will request that our suppliers assure us that they have policies and controls in place to ensure that they are compliant with the GDPR and the right to privacy, and will only deal with suppliers who are able to satisfy us that their systems and processes are compliant.

Legal basis of processing:
Article 6.1 of the GDPR defines the lawful grounds for data processing and we will adhere to the following legal bases for processing:

  • Where we are marketing to a prospect or client ourselves we will do so with the consent of the data subject
  • Where the processing of data is necessary for the performance of a contract with the data subject
  • Where we are complying with a legal obligation
  • Where we are protecting the vital interests of a data subject or another person
  • Where data processing is in the public interest
  • Where data processing is for the purposes of legitimate interests pursued by ourselves or a third party.

Our processing of data will mainly be on the bases of consent and legitimate interests.

Examples of legitimate interests relating to our business transactions may include: direct marketing, relevant and appropriate relationship – such as with a client, reasonable expectations as to processing data in the course of a business transaction, website analytics to learn more about a client’s needs and interests, updating clients’ and suppliers’ details and preferences, following up on enquiries and recording the result of follow up and ongoing correspondence.

We gather and retain data on employees for the following reasons:

  • Information on employees is used to allow us to manage HR and payroll functions, to record information in case of emergency, such as next of kin, and health information disclosed to us by the employee. This information is held to assist in the running of the business and to enable individuals to be paid. Such information may also include full names, gender, details of staff appraisals, driving licence details, passport details, accident books, pension contributions, National Insurance contributions, addresses, telephone numbers, salary information and bank account details, or any other personal documents or information which have been freely provided by the employee in the course of their employment application and ongoing employment.

Retention periods:
Employee records will be retained for 6 years as part of the financial and employment records of the business. Parental leave records will be retained for the statutory 5 years from the birth/adoption of the child or 18 years if the child receives a disability living allowance.

Employee Privacy Notice:
A more detailed privacy notice will be issued to employees prior to the GDPR taking effect and to new employees after that date. See Appendix II for full employee privacy notice.

Staff training:
We make all of our employees and subcontractors aware of their responsibilities and the law relating to the GDPR. We also make them aware of their rights and the rights of others.

Storage of data:
Client data, financial data, employees’ payroll data etc. is held confidentially in password protected folders on Microsoft SharePoint with access limited to specific employees Financial accounts are held in cloud-based Xero accounting software. Backup of older data prior to migration to Xero is held in external memory devices held in a fireproof safe at our Registered Office. Less sensitive client data/marketing/design files are held on password protected Microsoft SharePoint. This is only accessible to nominated Pocket Office employees and our IT service provider, whose systems and process are GDPR compliant.

Destruction of confidential papers and paper waste:
Paper waste, including paper waste of a confidential nature, is stored in a locked confidential paper waste bin and collected and disposed of by EvaStore and a certificate of destruction is obtained.

General Information relating to this policy:

Data Controller:
Pocket Office Services Limited, The Fort Offices, Artillery Business Park, Oswestry, Shropshire, SY11 4AD

Data Subjects Rights:
Individuals, known as ‘Data subjects’, have the right to request access to, rectification of, or erasure of their personal data, to restrict the processing of their personal data, to object to processing, direct marketing and to restrict data portability. Data subjects have the right to withdraw consent to processing of their data at any time. Data subjects have the right to complain to the Information Commissioner’s Office (or other supervisory authority if outside the UK) if there is a problem. Further information can be found on the

Information Commissioner’s Office website:

Data Protection Officer (DPO):
Jess Jones Business Centre Manager 01691 889600

Data Breach reporting:
Any data breach involving personal data will be reported to the ICO within 72 hours of us becoming aware of the breach unless deemed to have little or no risk of impacting on an individual’s rights.