Privacy Policy
MADDOX AND ASSOCIATES LIMITED
Data Protection Policy (Updated)
Effective Date: 1 January 2026
Review Date: 1 January 2027
Introduction
This Policy sets out the obligations of Maddox and Associates Limited (the “Company”) regarding data protection and the rights of employees, consultants, customers, and prospective customers (“data subjects”) in respect of their personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Company is committed to lawful, fair, and transparent processing of personal data and to safeguarding the rights, privacy, and trust of all individuals.
Data Protection Principles
All personal data must be:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary
- Accurate and kept up to date
- Retained only as long as necessary
- Processed securely with appropriate technical and organisational measures
Rights of Data Subjects
Data subjects have the following rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights relating to automated decision-making and profiling
Lawful Basis for Processing
Personal data will only be processed where at least one lawful basis applies:
- Consent
- Contractual necessity
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Special category data will only be processed where an additional lawful condition is met.
Data Collection and Use
The Company collects and processes the following categories of personal data:
- Prospect and client contact details: to manage relationships and deliver services
- Employee data (contact, professional, financial): to manage employment and payroll
- Supplier data: to procure and pay for services
- Website data (cookies, device information): to monitor and improve website performance
- Project-related data (e.g. addresses on plans): to deliver planning services
All data subjects will be informed of the purpose and legal basis for processing.
Data Accuracy and Retention
Personal data will be kept accurate and up to date. Data will not be retained longer than necessary and will be securely deleted when no longer required.
Data Security
The Company implements appropriate technical and organisational measures including:
- Secure cloud-based storage using approved systems (including Cirro and Microsoft 365)
- Role-based access controls and least-privilege principles
- Multi-factor authentication (MFA)
- Encryption of devices and secure data transmission protocols
- Regular system updates and security patching
Personal data must not be stored on personal devices or transferred outside approved systems.
Use of Cirro
All project-related personal data must be stored and managed within Cirro, the Company’s approved project management and document system. Employees must:
- Upload and store relevant personal data within Cirro
- Avoid retaining personal data in email inboxes where possible
- Ensure documents are appropriately labelled and access-controlled
Data Transfers
Personal data may be transferred outside the UK only where appropriate safeguards are in place, including:
- UK adequacy regulations
- International Data Transfer Agreements (IDTAs)
- Standard contractual clauses (together with the UK international data transfer addendum)
Data Subject Requests
All subject access requests (SARs) and other rights requests must be forwarded immediately to the Data Protection Lead. The Company will respond within one month of receipt unless an extension is justified (by up to two further months where requests are complex or numerous), in which case the data subject will be told within the first month.
Data Breaches
All personal data breaches must be reported immediately to the Data Protection Lead.
Where required, breaches will be reported to the ICO within 72 hours of the Company becoming aware of them, and affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Accountability and Governance
The Data Protection Lead is responsible for:
- Monitoring compliance
- Maintaining records of processing activities
- Overseeing data protection impact assessments (DPIAs)
- Managing breaches and data subject requests
The Company will maintain records of:
- Processing activities
- Data categories and purposes
- Retention periods
- Security measures
Training and Awareness
All staff handling personal data will receive appropriate training and must comply with this Policy.
Review
This Policy will be reviewed annually or when significant changes occur in law or Company operations.
Approved by:
David Maddox
Managing Director