Policies

GDPR Data protection policy

Purpose

Malvern International is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.

This policy sets out the expected behaviours and standards required of Malvern International employees and third parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to a Data Subject.

Personal data is any information which “relates” to an identifiable living person. Personal data is subject to certain legal safeguards and other regulations which impose restrictions on how organisations may process Personal Data. Malvern International is responsible for ensuring compliance with the data protection requirements outlined in this Policy. Non-compliance may expose Malvern International to complaints, regulatory action, fines and/or reputational damage. Deliberate action to breach this policy may also constitute a criminal offence.

Any infringement of this policy will be treated seriously by Malvern International and may be considered under the Disciplinary Procedure. To aid understanding of this policy the following terminology is explained below:

A Data Controller is a Company that determines when, why and how to Process Personal Data. As a Data Controller the Company is responsible for establishing practices and policies in line with data protection law. We are the Data Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes.

Special Category means: any personal data which includes details about: race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex, sexual orientation or sex life.

Company Personnel: all employees, workers (including contractors, agency workers and consultants), directors, members and others (including volunteers, interns and apprentices).

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data. This could be you, your colleagues, customers and suppliers or indeed any other person.

Data Protection Legislation: covers any legislation designed to protect personal data or respect the privacy of an individual. The legislation currently in force is:

  • The General Data Protection Regulation (“GDPR”), which applies where we target or sell to individuals based in any EU or EEA country and process their personal data.
  • The UK-GDPR and Data Protection Act 2018, which apply to any data subject residing in the United Kingdom.
  • The Data (Use & Access) Act 2025, which supplements and expands specific aspects of the UK-GDPR and the current data protection framework.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data.

Personal Data Breach: any breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of Personal Data.

Privacy Notices (also referred to as Fair Processing Notices) or Privacy Policies: separate notices setting out information that may be provided to Data Subjects when the Company collects information about them.

Processing or Process: any activity that involves the use of Personal Data.

Scope of Policy

This policy applies to all Malvern International entities where a data subject’s personal data is processed.

This policy applies to all processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.

Policy enforcement

The Leadership team must ensure that all Malvern International employees responsible for the processing of personal data are aware of and comply with the contents of this policy. In addition, Malvern International will ensure all Third Parties engaged to process personal data on its behalf are aware of and comply with the contents of this policy. Appropriate assurances of such compliance will be sought from all Third Parties, whether companies or individuals, prior to granting them access to personal data controlled by Malvern International.

Data Protection Principles

When we process personal data, we must follow the data protection principles, which set out the obligations we must meet. All staff are expected to adhere to these principles, which are set out below.

  • Lawfulness, Fairness and Transparency – All Personal Data shall be processed lawfully, fairly and in a transparent manner. This means that we must tell the data subject what processing will occur (transparency) and the processing must be fair, necessary and proportionate. All staff are expected to ensure that the use of personal data is reasonable and expected. We must keep a written record of what personal data we process and why we process it. The Data Protection Officer is responsible for maintaining this record and will conduct audits periodically to ensure the record is up to date.
  • Purpose Limitation – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means we must specify exactly what the Personal Data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose. The purpose for which personal data is collected and processed will be set out in the relevant privacy notices. If there is a requirement to use personal data for a new purpose, the Data Protection Officer should be notified and any advice should be followed to ensure ongoing compliance. If the new purpose is already covered by one of our privacy notices, the notice may not need to be updated; however, where our privacy notice needs to be updated before the new activity takes place, this must be done as soon as possible.
  • Data minimisation – Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. This means Malvern International must not store any personal data beyond what is required.
  • Accuracy – Personal data shall be accurate and kept up to date. This means Malvern International must have in place processes for identifying and addressing out-of-date, incorrect and redundant personal data. All staff are responsible for ensuring the accuracy of the records within their working areas.
  • Storage limitation – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means Malvern International must, where possible, store personal data in a way that limits or prevents identification of the data subject. As an organisation we must ensure that we only keep personal data for as long as is necessary. This means that we must follow records management best practice and delete data where we no longer have a purpose to keep it. The Data Protection Officer and members of the Senior Management Team are responsible for putting in place records management processes, including a records retention schedule which sets out what personal data we have and how long we keep it for before it is either reviewed for relevance or deleted when necessary.
  • Integrity & Confidentiality – Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Malvern International must use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all times. All staff are responsible for ensuring that they follow any policies or process requirements designed to protect the security and confidentiality of data. Staff must not attempt to circumvent security controls put in place for this purpose. All staff have a key role to play in protecting the security of our data, in particular:
    • You must not share your Malvern International password or credentials with anybody else.
    • You must not share, upload, or forward data about Malvern International with any third party unless it is a direct requirement of your role.
    • You must not disable, or attempt to disable, any anti-virus provision or security control on any Malvern International systems or computers.
  • Accountability – Malvern International and its staff are responsible for, and must be able to demonstrate, compliance with legislation.

Data collection

Data sources

Personal data should be collected directly from the data subject unless one of the following applies:

  • The nature of the business purpose necessitates collection of the personal data from other persons or bodies.
  • The collection must be carried out under emergency circumstances in order to protect the vital interests of the data subject or to prevent serious loss or injury to another person.

If personal data is collected from someone other than the data subject, the data subject must be informed of the collection unless one of the following applies:

  • The data subject had received the required information by other means.
  • The information must remain confidential due to a professional secrecy obligation.
  • A national law expressly provides for the collection, processing or transfer of the personal data.

Where it has been determined that notification to a data subject is required, notification should occur promptly, and no later than:

  • one calendar month from the first collection or recording of the personal data;
  • the time of first communication, if the personal data is used for communication with the data subject; or
  • the time of disclosure, if the personal data is disclosed to another recipient.

Data subject Notification

Malvern International will, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide data subjects with information as to the purpose of the processing of their personal data.

Where a data subject is asked to give consent to the processing of their personal data, and when any personal data is collected from the data subject, all appropriate disclosures will be made, in a manner that draws attention to them, unless one of the following applies:

  • The data subject already has the information.
  • A legal exemption applies to the requirements for disclosure and/or consent.
  • The disclosure may be given electronically or in writing.

Privacy Notices for Personnel

Malvern International will provide Company Personnel with a privacy notice relating to the collection and processing of their personal data.

Malvern International will also include an online Privacy Notice for potential third parties other than Company Personnel and an online ‘Cookie Notice’ fulfilling the requirements of applicable law.

Profiling and Automated decision making

Malvern International does not currently engage in profiling and automated decision making. If it becomes necessary to engage in profiling and automated decision-making it will only be to enter into, or to perform a contract with the data subject or where it is authorised by law. In such cases, the data subject will be given the opportunity to:

  • Express their point of view
  • Obtain an explanation of the automated decision
  • Review the logic used by the automated system
  • Supplement the automated system with additional data
  • Have a human carry out a review of the automated decision
  • Contest the automated decision
  • Object to the automated decision-making being carried out.

Profiling and automated decision-making are heavily restricted in data protection law and must only be conducted once a data protection impact assessment has been completed. Staff are not permitted to carry out activities involving automated profiling or decision-making without first seeking the advice and support of the Data Protection Officer.

Digital Marketing

Malvern International will only send promotional or direct marketing material to any contact through digital channels such as mobile phones, email and the internet where such material complies with data protection law. Anybody associated with Malvern International wishing to carry out a digital marketing campaign without obtaining prior consent from the data subject must first have it approved by the Data Protection Officer.

Where personal data processing is approved for digital marketing purposes, the data subject must be informed at the point of first contact that they have the right to object, at any stage, to having their data processed for such purposes. If the data subject puts forward an objection, digital marketing related processing of their personal data must cease immediately and their details should be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted.

It should be noted that where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of consent to carry out digital marketing to individuals provided they are given the opportunity to opt-out.

Data Retention

To ensure fair processing, personal data will not be retained by Malvern International for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed.

The length of time for which Malvern International needs to retain personal data is set out in Appendix 1. This takes into account the legal, contractual and business requirements that influence the retention periods. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it unless there is a legitimate purpose not to do so. Any decision not to destroy or delete personal data in line with the retention guidance in Appendix 1 must be documented in writing and approved by the CEO.

Data Protection

Malvern International will adopt physical, technical and organisational measures to ensure the security of personal data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment.

The minimum set of security measures to be adopted by Malvern International is provided as follows:

  • Prevent unauthorised persons from gaining access to data processing systems in which personal data are processed.
  • Prevent persons entitled to use a data processing system from accessing personal data beyond the needs and authorisations.
  • Ensure that personal data in the course of electronic transmission during transport cannot be read, copied, modified or removed without authorisation.
  • Ensure that access logs are in place to establish whether, and by whom, the personal data was entered into, modified on or removed from a data processing system.
  • Ensure that in the case where processing is carried out by a data processor, the data can be processed only in accordance with the instructions of the data controller.
  • Ensure that personal data is protected against undesired destruction or loss.
  • Ensure that personal data collected for different purposes can and is processed separately.
  • Ensure that personal data is not kept longer than necessary.
  • Ensure that appropriate Company Personnel are trained on the key compliance requirements under Data Protection legislation and how they can ensure the security of personal data is maintained in accordance with this policy.

Company Personnel Responsibilities

Everyone who works for, or on behalf of, Malvern International has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and associated policies.

The CEO and HR Business Partner are responsible for reviewing this policy and updating the Board of Directors on Malvern International’s data protection responsibilities and any risks in relation to the Processing of data. Any questions in relation to this policy or data protection should be directed to these individuals.

Company Personnel should:

  • only access Personal Data if they need it for the work they do for Malvern International and only if authorised to do so. They should only use the data for the specified lawful purpose for which it was obtained.
  • not share Personal Data informally.
  • keep Personal Data secure and not share it with unauthorised people.
  • regularly review and, where required or requested, update Personal Data they deal with. This includes telling us if their own contact details change.
  • not make unnecessary copies of Personal Data, and keep and dispose of any copies securely.
  • use strong passwords and not share their passwords with any other person.
  • lock their computer screens when not at their desk.
  • not take Personal Data away from the Company’s premises without authorisation from their line manager or the HR Business Partner.
  • ask for help from the HR Business Partner if they are unsure about data protection or if they notice any areas of data protection or security we can improve upon.

Personal Data should be encrypted before being transferred electronically to authorised external contacts. Speak to IT for more information on how to do this.

Consider anonymising data or using separate keys/codes so that the Data Subject cannot be identified.

Personal Data should not be saved to personal computers or other devices not belonging to Malvern International.

Personal Data should never be transferred outside the European Economic Area except in compliance with the law and authorisation of the CEO.

Desk drawers and filing cabinets should be locked. Do not leave paper with Personal Data lying about.

Personal Data should be shredded and disposed of securely when it is no longer required.

Policy Enforcement

Any deliberate or negligent breach of this policy by Company Personnel may result in disciplinary action being taken against those personnel in accordance with our disciplinary procedure.

It is a criminal offence to conceal or destroy Personal Data which is part of a subject access request (see below). This conduct would also amount to gross misconduct under our disciplinary procedure, which could result in dismissal.

It should be noted that whilst this policy provides examples, this is by no means an exhaustive list and you may be notified of other specific rules from time to time.

Data Subject Rights and Data Subject Requests

Data Subjects (which includes Company Personnel) have a number of rights in relation to their personal data processed by Malvern International. These will be detailed in the privacy notice relevant to the data subject. Company Personnel will be issued with a privacy notice. Third parties will be able to access privacy notices online or can request a copy directly.

Malvern International will establish a system to enable and facilitate the exercise of data subjects’ rights related to:

  • Information access
  • Objection to processing
  • Objection to automated decision-making and profiling
  • Restriction of processing
  • Data portability
  • Data rectification
  • Data erasure

If an individual makes a request relating to any of the rights listed above, Malvern International will consider each request in accordance with all applicable data protection laws and regulations. If a member of staff receives a request, they are not permitted to manage the request themselves and must notify the data protection officer as soon as possible.

Data Subjects may make a request relating to their rights as long as it is in writing. However, Data Subjects are encouraged to request and use the data subject request form (available from HR) and submit this to the HR department. This will ensure a request is received by the right individuals within Malvern International and can be processed promptly.

Data Subjects will be required to verify their identity when they submit their request. Failure to do so may result in their request not being completed.

Data subjects are entitled to obtain the following information about their own personal data:

  • The purposes of the collection, processing, use and storage of their personal data.
  • The source(s) of the personal data, if it was not obtained from the data subject.
  • The categories of personal data stored for the data subject.
  • The recipients or categories of recipients to whom the personal data has been or may be transmitted, along with the location of those recipients.
  • The envisaged period of storage for the personal data or the rationale for determining the storage period.
  • The use of any automated decision-making, including profiling.
  • The right of the data subject to object to processing of their personal data, to lodge a complaint with the data protection authority, to request rectification or erasure of their personal data, and to request restriction of processing of their personal data.

All requests received for access to, or rectification of, personal data must be directed to the HR Department, who will log each request as it is received. A response to each request will be provided within 30 days of the receipt of the written request from the data subject. Appropriate verification must confirm that the requestor is the data subject or their authorised legal representative. Data subjects shall have the right to require Malvern International to correct or supplement erroneous, misleading, outdated, or incomplete personal data.

If Malvern International cannot respond to the request within 30 days, it will commit to providing the following within the specified time:

  • An acknowledgement of receipt of the request.
  • Any information located to date.
  • Details of any requested information or modifications which will not be provided to the data subject, the reason(s) for the refusal and any procedures available for appealing the decision.
  • An estimated date by which any remaining responses will be provided (no later than 3 months from when the initial request was submitted).
  • An estimate of any costs to be paid by the data subject (e.g. where the request is excessive in nature).
  • The name and contact information of the individual who the data subject should contact for follow up.

It should be noted that situations may arise where providing the information requested by a data subject would disclose personal data about another individual. In such cases, information must be redacted or withheld as may be necessary or appropriate to protect that person’s rights.

Law enforcement requests and disclosures

In certain circumstances, personal data may be shared without the knowledge or consent of a data subject. This is the case where the disclosure of the personal data is necessary for any of the following purposes:

  • The prevention or detection of crime.
  • The apprehension or prosecution of offenders.
  • The assessment or collection of a tax or duty.
  • By the order of a Court or by any rule of law.

If Malvern International processes personal data for one of these purposes, then it may apply an exception to the processing rules outlined in this policy but only to the extent that not doing so would likely prejudice the case in question.

Data Protection training

All Malvern International employees that have access to personal data will have their responsibilities under this policy outlined to them as part of their staff induction training. Malvern International will provide regular Data Protection training and procedural guidance for their staff and completion of this training is mandatory.

Transfers between Malvern International sites

In order for Malvern International to carry out its operations effectively across its various sites, there may be occasions when it is necessary to transfer personal data from one site to another, or to allow access to the personal data from an overseas location. Should this occur, the site sending the personal data remains responsible for ensuring protection of that personal data and also compliance with the rules on data transfers outside the European Economic Area. All staff must ensure that data is transferred using official, authorised means. Staff are not permitted to share data informally using personal platforms such as WhatsApp or other instant messaging services.

Transfers to Third Parties

Malvern International will only transfer personal data to or allow access by third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient. Where third party processing takes place Malvern International will first identify if, under applicable law, the third party is considered a data controller or data processor of the personal data being transferred.

Where the third party is deemed to be a data controller, an appropriate agreement with the controller to clarify each party’s responsibilities in respect to the personal data transferred will be entered into.

Where the third party is deemed to be a data processor, Malvern International will endeavour to enter into an adequate processing agreement with the data processor. The agreement shall require the data processor to protect the personal data from further disclosure and to only process personal data in compliance with Malvern International instructions. In addition, the agreement shall require the data processor to implement appropriate technical and organisational measures to protect the personal data as well as procedures for providing notification of personal data breaches.

When Malvern International is outsourcing services to a third party, they will identify whether the third party will process personal data on its behalf and whether the outsourcing will entail any third country transfers of personal data. In either case, it will make sure to include adequate provisions in the outsourcing agreement for such processing and third country transfers.

Complaints Handling

Data subjects with a complaint about the processing of their personal data should be directed to the Data Protection mailbox: gdpr@malvernplc.com.

Breach Reporting

Any individual who suspects that a personal data breach has occurred due to the theft or exposure of personal data must immediately notify the Data Protection Officer, providing a description of what occurred. Notification of the incident can be made via email at gdpr@malvernplc.com.

The Data Protection Officer will investigate all reported incidents to confirm whether or not a personal data breach has occurred. If a personal data breach is confirmed, the Data Protection Officer will follow the relevant authorised procedure based on the criticality and quantity of the personal data involved. For severe personal data breaches, Malvern International will initiate and chair an emergency response team to co-ordinate and manage the personal data breach response.