Hayes Associates Limited Privacy Notice
We have updated this Notice to incorporate the changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25th May 2018. GDPR includes provisions on Privacy Notices in Articles 12, 13 and 14.
Hayes Associates Ltd. provides management consultancy in the form of data protection, information management and governance, and cyber security to a wide variety of organisations. It has been established since 1988.
What is a Privacy Notice?
A Privacy Notice is a statement by the company to its customers, the public and staff that describes how we collect, use, retain and disclose personal information which we hold.
Why issue a Privacy Notice?
Hayes Associates Limited recognises the importance of protecting personal and confidential information in all that we do and takes care to meet its legal and regulatory duties. This notice is one of the ways we can demonstrate our commitment to our values and to being transparent and open. It also shows our commitment to respecting diversity, acting with integrity, demonstrating compassion, striving for excellence and listening and supporting others.
This notice explains what rights you have to control how we use your information.
Legal basis for processing your information
We only process your information if we have a lawful reason to do so. We make sure you know how we use your information, and tell you about your rights.
We rely on the following specific conditions in Articles 6 and 9 of the GDPR to process your information:
6(1) (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
6(1) (c) ‘…for compliance with a legal obligation to which the controller is subject’
We also comply with the Common Law Duty of Confidentiality.
What information do we collect from you, and why?
We may ask for or hold personal confidential information about you which will be used to help us deliver appropriate care and treatment. This supports us to collect the minimum that we require for the provision of our service.
These records may include:
- Basic details, such as name, date of birth, address, phone number, mobile number and email address (where you have provided it to us)
- Financial information where a transaction is required.
Most of your records are electronic and are held on a computer system and secure IT network.
How we use your information
- To enable us to provide our services
- To process financial transactions where required.
- To comply with any associated regulatory requirements
It helps you because:
- Accurate and up-to-date information helps us to provide you with the best possible service.
Where possible, when we use information to update you about future services and provision, this will be non-identifiable.
How we keep your information safe and confidential
Hayes Associates Limited is committed to keeping your information secure. Information is retained in secure electronic and paper records and access is restricted to those who need it. Security and access controls, operational policies and procedures are in place to protect your information.
The GDPR regulates the processing of personal information. Strict principles govern our use of information and our duty to ensure it is kept safe and secure.
Hayes Associates Ltd. is registered with the Information Commissioner’s Office (ICO).
Everyone working for the company is subject to the Common Law Duty of Confidentiality, as well as the GDPR and Data Protection Act 2018 provisions. Information provided in confidence will only be used for the purposes for which you have consented, unless there are other circumstances covered by the law.
All of our staff are required to protect information, inform you of how your information will be used and to allow you to decide if and how your information can be shared. This will be noted in your records.
Who we share your information with
We do not share your information with any other Third Parties without your specific consent.
Contacting us about your information
We have a senior person responsible for protecting the confidentiality of your information.
If you have any questions or concerns about the information we hold on you or the use of your information, or would like to discuss this further, please contact us as below.
How can I access the information you hold about me, and what are my rights?
Under the GDPR a person may request access to information (with some exemptions) that is held about them by an organisation. This is called a Subject Access Request. There is no fee for this unless a request is unfounded or excessive, particularly if it is repetitive. In that case, a reasonable fee may be charged.
To submit a Subject Access Request, please email to
Your Rights under the GDPR are:
- Right to be informed
- Right to access
- Right of rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Automated individual decision-making, including profiling
We will comply with your rights and our responsibilities as stated above.
Data breaches under GDPR
Under the GDPR we have a duty to report certain types of breach to the Information Commissioner’s Office (ICO). If the breach creates a risk to your rights and freedoms we will notify you without undue delay and the ICO within 72 hours of becoming aware of the breach, where possible.
If the breach is likely to bring a high risk of adversely affecting your rights and freedoms, we will also inform you without undue delay.
Contacting us if you have a complaint or concern
We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint through to us at:
Following your complaint, if you are still dissatisfied with our decision you may wish to contact:
Information Commissioner’s Office
You can find more information on their website at www.ico.gov.uk. The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to the Trust.