Framework Training Privacy Policy

Framework Training Privacy Statement


1. An organisation that processes personal data (Data Controller/the controller) is required to handle personal data in accordance with the data protection principles. A data controller may choose to use another organisation to process personal data on its behalf – a data processor. The data controller remains responsible for ensuring its processing complies with the DPA, whether it processes in-house or engages a data processor. Where a data processor is used the data controller must ensure that suitable security arrangements are in place in order to comply with the seventh data protection principle.

2. The seventh data protection principle provides that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

3. “Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless – (a) the processing is carried out under a contract – (i) which is made or evidenced in writing, and (ii) under which the data processor is to act only on instructions from the data controller, and (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle”.

4. The DPA requires the controller to have a written contract with their chosen processor. The contract must ensure that Framework Training Ltd:

a. may only use and disclose the personal data in accordance with their instructions; and

b. must take appropriate security measures to protect the data.

In summary, there are legal obligations that a Data Processor such as Framework Training Ltd is obliged to undertake when processing data on behalf of a client. However, the Data Protection Act and the Information Commissioner’s Office do not stipulate what measures should be undertaken. Instead they state:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

From May 2018 GDPR comes into force and defines specific legal obligations for the Data Processor and Data Controller. Articles 28-36 specify that the Processor must:

  • only act on the written instructions of the controller;
  • ensure that people processing the data are subject to a duty of confidence;
  • take appropriate measures to ensure the security of processing;
  • only engage sub-processors with the prior consent of the controller and under a written contract;
  • assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract; and
  • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

    Framework Training Ltd’s commitment to Clients

    We have defined a set of data principles that go beyond the basic requirements of the DPA and ICO in order to allow clients to be confident in working with Framework Training. These principles have now been updated to include the requirements of GDPR.


    Data of the following types will not be accepted by or processed by Framework Training Ltd:

    1. Personal data on individuals such as Date of Birth, National Insurance number, marital status, passwords, sexual preferences or other similar personal data

    2. Any data relating to persons under the age of 18

    Data to be processed

    Framework Training Ltd will process data that is required for the successful fulfilment of its role as a provider of education, coaching and consultancy services. This may include sole traders and non-incorporated businesses.

    This data can include:

    1. Addresses, business names, contact names, job titles, phone numbers, email addresses, including similar and related data

    2. Company data such as industry classification, number of employees, turnover and similar data

    3. Past history of engagement, purchases, web site visits and related data

    Keeping data secure

    Framework Training Ltd takes appropriate measures to ensure that data is both safe and cannot be accidentally damaged or destroyed. These measures include:

    1. Storing data on a resilient file system and/or database (regularly backed up)

    2. Ensuring that access to the data is limited to approved staff members

    3. Limiting access to staff members to prevent accidental destruction or damage to the data

    4. Securing the database behind appropriate security systems to prevent unauthorised access.

    5. Training all staff that process data to do so in an approved manner.

    6. Remaining ready to detect and deal with a data breach should it ever occur.

    Contractual Terms

    Process only on the written instructions of the controller

  • Framework Training Ltd may only process personal data in accordance with the controller’s written instructions (including when making an international transfer of personal data) unless required to do so by law.

    Duty of confidence

  • Framework Training Ltd must obtain a commitment of confidentiality from anyone it allows to process the personal data, unless they are already under such a duty by law.

    Using sub-processors

  • Framework Training Ltd maintains appropriate contractual agreements covering the same strict data protection requirements with sub-processors who may have access to this data (namely CRM, Website and Email hosting);
  • if another processor is employed under the controller’s prior general written authorisation, Framework Training Ltd should let the controller know of any changes it has made and give the controller a chance to object to them;
  • if Framework Training Ltd employs another processor, then it must impose the contract terms that are required by Article 28.3 of the GDPR on the sub-processor; and
  • if Framework Training Ltd employs another processor, then the original processor will still be liable to the controller for the compliance of the sub-processor.

    Data subjects’ rights

  • Framework Training Ltd must assist the controller in meeting their obligations to data subjects under chapter III of the GDPR, by having appropriate technical and organisational measures.

    Assisting the Controller

  • Framework Training Ltd must assist the controller in meeting their Article 32 obligation to keep personal data secure;
  • Framework Training Ltd must assist the controller in meeting their Article 33 obligation to notify personal data breaches to their supervisory authority;
  • Framework Training Ltd must assist the controller in meeting their Article 34 obligation to advise data subjects when there has been a personal data breach;
  • Framework Training Ltd must assist the controller in meeting their Article 35 obligation to carry out data protection impact assessments (DPIAs); and
  • Framework Training Ltd must assist the controller in meeting their Article 36 obligation to consult with their supervisory authority where their DPIA indicates there is an unmitigated high risk to the processing.

    End of contract provision

  • at the end of the contract Framework Training Ltd must, at the controller’s choice, either delete or return to the controller all the personal data it has been processing for the controller; and
  • an exception to this general rule applies if Framework Training Ltd is required to retain the personal data by law.

    Audits and inspections

  • Framework Training Ltd must provide the controller with all the information that is needed to show that both of you have met the obligations of Article 28;
  • Framework Training Ltd must submit and contribute to audits and inspections that the controller carries out, or that another auditor appointed by the controller carries out; and
  • Framework Training Ltd must tell the controller immediately if it thinks it has been given an instruction which doesn’t comply with the GDPR, or related data protection law.

  • Framework Training Ltd does not process data outside the EEA nor does it allow data to leave the EEA except where compliant with Article 29 Working Party guidelines.
