Last updated: 27 June 2025
This privacy notice explains how JH Data Protection (“we”, “us”, “our”) collects, uses, and protects personal data when you:
- Visit our website www.jhdataprotection.com or http://www.jhdataprotection.co.uk
- Contact us via email
- Send us documents or other information as part of an enquiry or engagement
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
🔒 Who we are
JH Data Protection Limited
Company number: 16501012
ICO Registration: ZB909482
Data Protection Officer: Jemma Handley
Email: DPO@jhdataprotection.com
Registered address: available on request
We are the data controller of the personal data you provide.
🔒 What personal data we collect
Depending on your interaction with us, we may collect:
When you visit our website:
- IP address
- Browser type and version
- Device and operating system
- Pages visited and time spent on site
- Referral sources
- Cookie preferences and analytics data
When you contact us by email or through our contact form:
- Name, email address, phone number (if provided)
- The contents of your message and attachments
- Any documents or personal data you send us voluntarily
When you engage us professionally:
- Business or employment information (e.g. client details, contracts, policies)
- Personal data of third parties (only where required and provided lawfully)
When you subscribe:
When you subscribe to receive updates, newsletters, or other communications from us, we collect your name and email address for the purpose of sending you relevant information. We rely on your consent as the lawful basis for this processing. You can unsubscribe at any time by following the link in our emails or by contacting us directly. Your information will be stored securely and not shared with any third parties without your permission.
🔒 Why we process personal data
We collect and process personal data from you for one or more of the following reasons:
- To provide you with information you have requested or that we believe may be relevant to a subject in which you have shown interest.
- To initiate and complete commercial transactions with you, or the entity that you represent.
- To comply with a contract that we have entered into with you or with the entity that you represent. In some cases, the entity, rather than you personally, may have provided us with your personal data.
- To support one of our clients who may act as a data controller for your information.
- To comply with legal or regulatory obligations where the processing of your personal data is required by law.
- To ensure the security and safe operation of our company website and business infrastructure.
- To facilitate and manage any communication between you and us.
- To notify you of services that may be helpful and of interest to you.
- To process information and referrals for new or prospective clients.
🔒 How we collect your data
- Directly from you (e.g. contact form, email correspondence, verbal instructions)
- Automatically via our website and cookies
- From publicly available sources (e.g. LinkedIn, Companies House), if relevant to our legitimate interest or pre-contractual discussions
🔒 Legal basis for processing (Article 6 UK GDPR)
We process your data under the following lawful bases:
| Purpose | Legal Basis |
| --- | --- |
| Responding to your enquiries | Legitimate interest / Consent |
| Providing professional services | Contractual necessity |
| Security and website analytics | Legitimate interest |
| Retaining correspondence and documentation | Legal obligation / Legitimate interest |
| Sending updates or newsletters (if applicable) | Consent |
🔒 Additional condition for processing special category data (Article 9 UK GDPR)
In the course of providing data protection consultancy services, clients may need to share special category data with us. This may include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification), health data, or data concerning a person’s sex life or sexual orientation.
We only process special category data when it is necessary for the provision of our professional services, and where the client has a lawful basis and appropriate conditions for sharing that data under Article 9 of the UK GDPR. In addition to the above lawful bases under Article 6 UK GDPR, we rely on one or more of the following conditions for processing under Article 9:
- Article 9(2)(f): The processing is necessary for the establishment, exercise or defence of legal claims. This includes support in responding to data subject rights requests, preparing legal documentation, or conducting audits.
- Article 9(2)(g): The processing is necessary for reasons of substantial public interest, on the basis of UK law. This may apply in contexts such as employment, safeguarding, or regulatory compliance, as outlined in Schedule 1 of the Data Protection Act 2018, as amended.
- Article 9(2)(b): The processing is necessary for the purposes of carrying out obligations in the field of employment and social protection law, particularly where we assist with HR or workplace data protection matters.
- Article 9(2)(a): Explicit consent may apply where the data subject has given informed and specific consent to the client for the data to be shared with us for a defined purpose.
Any such data is treated with the highest level of confidentiality and is protected through secure Microsoft 365 services (hosted in UK-based data centres), encryption, and strict access controls.
We do not use special category data for purposes other than fulfilling client instructions and delivering professional advice.
🔒 Who we share your data with
We use third-party services to host and process data securely:
💻 Website and Hosting
- WordPress.com – content management and hosting provider
- Jetpack by Automattic – for analytics, performance, and security
- Google Analytics – to understand user interaction (anonymised IPs where possible)
- Cookies may be set for functionality, security and analytics
- Form submissions are securely transmitted via WP Mail SMTP through Microsoft 365’s authenticated mail service.
📨 Email and Cloud Storage
- Microsoft 365 – used for email (DPO@jhdataprotection.com), document handling, and secure cloud storage
- Microsoft’s cloud services are hosted in UK and EU-based data centres (see below)
- Access is protected via multi-factor authentication and encryption
Note: We do not share your data with advertisers or sell your data to third parties.
🛡️ International data transfers
Some of our third-party service providers are based outside the United Kingdom (UK) or may process limited personal data in non-UK jurisdictions. We ensure that any such transfers comply with UK GDPR by implementing appropriate safeguards.
📋 Microsoft 365
We use Microsoft 365 Business Basic for email communication, cloud document storage, and office tools. All client-related data (including email content, attachments, and files) is stored in UK-based Microsoft data centres by default.
In limited situations — for example, technical support or system backup — Microsoft may process metadata or diagnostic information outside the UK. In such cases, Microsoft relies on:
- UK-approved Standard Contractual Clauses (SCCs)
- Supplementary technical and organisational security measures
Microsoft does not transfer the content of your emails or documents outside the UK as part of normal operations.
📉 WordPress.com and Jetpack (Automattic Inc.)
Our website is hosted by WordPress.com and uses Jetpack to monitor performance, security, and analytics.
The personal data collected via your interaction with the website is limited to technical information, such as:
- IP address
- Browser type and version
- Device type
- Pages visited
- Referrer information
This data may be processed by Automattic Inc. in the United States or other jurisdictions under the protection of:
- Standard Contractual Clauses (SCCs)
- Encryption and secure transmission protocols
No personal messages, documents, or form contents submitted via the website are stored or processed by Automattic outside the UK beyond basic delivery handling.
🔹 Google Analytics
We use Google Analytics to understand how visitors interact with our website. The data collected is strictly technical and includes:
- Anonymised IP address
- Device type and browser
- Pages visited and time on site
This data is processed by Google LLC in the United States under Standard Contractual Clauses (SCCs), and where possible, we configure the service to limit retention and anonymise IPs.
Google Analytics does not access or process personal emails, documents, or any other client-submitted content.
🔒 How long we keep your data
We retain personal data only for as long as necessary:
- Enquiry emails: up to 12 months unless related to ongoing business
- Client correspondence and documents: 6 years (to align with legal and professional requirements)
- Analytics data: 26 months (via Google Analytics)
You can request deletion at any time, subject to legal and contractual obligations.
🔒 Your rights under UK GDPR
You have the right to:
- Be informed
- Access your personal data
- Request rectification or deletion
- Restrict or object to processing
- Data portability
- Withdraw consent where applicable
- Prevent automatic decisions
- Lodge a complaint with the ICO (Information Commissioner’s Office) if you’re unhappy with how your data is handled: www.ico.org.uk
🔒 Security
We take data protection seriously:
- All emails and files are stored in Microsoft 365, protected with enterprise-grade security, MFA, and encryption
- Website is secured via HTTPS, with Jetpack security enabled
- Access is restricted to authorised personnel only
🔒 Cookies and analytics
We use cookies to:
- Improve website performance
- Track visitor usage (via Jetpack and Google Analytics)
- Enable security and form protection
You can manage your cookie preferences via the pop-up banner on your first visit.
🔒 Changes to this notice
We may update this notice from time to time. The latest version will always be available on our website.
🔒 Information Commissioner
For independent advice about data protection, you can contact the Information Commissioner’s Office (ICO):
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113
Website: ico.org.uk
Email: casework@ico.org.uk.