• Introduction

    The General Data Protection Regulation (GDPR) is a new legal framework set up by the European Union in April 2016 to build upon existing data protection legislation. GDPR came into effect on 25th May 2018, and has introduced a range of fresh guidelines spelling out the rights of consumers and dictating how companies can store and share information.As a hugely significant change to the global business landscape, it is critical that Airport Transport Centreembraces all aspects of GDPR to maintain full compliance.

  • Our obligations for GDPR compliance

    Here at Airport Transport Centre, we fully appreciate and support the European Union’s focus on expanding upon digital rights. As a company, we strongly believe in the need for greaterbusiness transparency and accountability concerning the collection and handling of personal data.

    That is why Airport Transport Centre is a firm advocate of GDPR and its many implications. These include among many other aspects:

    The Right to Object to Processing

    The Right to Be Forgotten

    The Right to Data Portability

    The Right to Withdraw Consent

    As part of our commitment to GDPR and the rights of our customers and clients, Airport Transport Centrevows to ensure our organisation considers and actions all necessary changes surrounding data processing, data storage and the disposal of personal data.

    This includes a commitment to fully fulfil Breach Disclosure Requirements by notifying authorities and concerned individuals of any compromise within 72 hours. Moreover, as part of our GDPR strategy, Airport Transport Centre will complete impact assessments wherever possible, to identify and deliver the best service possible, as well as to extend our customers a guarantee that data is being kept secure.Furthermore, we pledge to uphold the following key values and responsibilities:

  • Airport Transport Centre’s strategic values and responsibilities

    We vow to demonstrate full responsibility and dutiful respect as a keeper of customer, client and employee data.

    We totally support GDPR and its requirements, and will do everything within our power to appropriately resource and fund any changes we must enforce to ensure Airport Transport Centre can meet its obligations.

    We promise to maintain ownership and transparency concerning data protection and privacy across all elements of our company.

    We pledge to create and maintain a purposeful data processing inventory documenting all data operations, including collection, processing and storage.

    We guarantee to extend every possible show of support to individuals intent on exercising their rights as outlined under GDPR legislation.

    We will conduct a regular review to assess the legality and purpose for the collection, processing and storage of personal data.

    We vow to act upon identified gaps and develop robust processes to maintain full GDPR compliance.

    We promise to clearly communicate the business purpose and legal grounds for any transfer of data –including transfer outside of the European Union.

    We will contact all partner organisations, contractors or other third parties to identify their own GDPR commitments, establish relevant contract terms and solidify GDPR compliance controls.


    Here at Airport Transport Centre,we collect, process and store personal data for a range of business purposes. Data subjects include customers, suppliers, partners, employees, clients and other stakeholders and individuals.

    Bearing in mind Airport Transport Centre’s commitment to upholdthe rights of the individual as enshrined in law, our data security policy is designed to protect all past, current and future employees, customers, or partners, from illegal or damaging activity conducted by others using their personal data.

    Our data security policy outlines how Airport Transport Centre will endeavour to guard and protect all personal data. It also sets out to raise the awareness of staff members in relation to the ways in which GDPR impacts their use of individual’s personal data.

    Thispolicy applies to all data processing activities involving Airport Transport Centre and includes activities or systems related to both internal business operations, as well as external relations and any third-party agreements.

    Please note that Airport Transport Centre’s data security policy applies to all employees, and this policy may be subject to review and amendment on a regular basis. For more information about this policy and its overall implementation, consult our Data Protection Officer.This document is subject to regular review to ensure ongoing regulatory compliance.

  • Sensitive personal data

    Under GDPR, sensitive personal data is defined as encompassing any of the following:

    Racial or ethnic origin

    Political opinion

    Religious or philosophical beliefs

    Trade union membership

    Genetic data

    Biometric data

    Health-related information

    Sexual orientation

    It is paramount that all sensitive personal data is kept under stringent control as part of the implementation of our data security policy.

  • Purposes ofpersonal data

    Airport Transport Centre uses personal data for a range of various purposes. These purposes may include:



    Human resources

    Regulatory compliance


    Business development

    Please note the above list is by no means exhaustive, and should merely be used as a reference point from which a working definition of purpose can be established.

  • Business purposes

    Airport Transport Centre must carry out a range of functions and processes as part of our operational activity. Datakept in relation to these activities falls under the category of data for business purposes, which includes information of the following nature:



    Policy adherence

    Human resources and personnel


    The above list is by no means exhaustive, and should be used merely as a point of reference from which a working definition of business purposes can be established and further developed.

  • Fair processing

    At Airport Transport Centre,there will be occasions when employees will need toprocess personal data; however, processing activities must always be carried out in a fair and lawful manner that is compatible with the rights of each corresponding individual. Consequently, we should avoid processing the personal data of any individual who has not provided us with explicit consent.

    Our company must strive to obtain explicit consent at all costs, and we must clearly identify to the individual what data is being processed, why we need to use it and who will have access to their data. Thesefactors must be identified and clearly reiterated to the individual at the point of request for consent.

    It’s worth noting there may be exceptional circumstances in which we are asked to process sensitive personal data without consent. An example of an exceptional circumstance could include legal obligations we may need to carry out to comply with health and safety regulations.

    Airport Transport Centre endeavours to take all actions necessary to ensure that all personal data we obtain, process and store isaccurate, relevant and adequate in relation to the reason in which we asked for that information. We should not hold excessive or irrelevant data on any individuals, and we will not process any personal data for a purpose unrelated to the purpose in whichthe relevant individual has consented to the processing of their data.

  • Our roles and responsibilities

    Data security is a critical component of our business. It falls on everyone at Airport Transport Centre to take responsibility for data security, and allemployees must familiarise themselves with our data security policy and do everything within their power to uphold that policy on a day-to-day basis.

    Please note that Airport Transport Centre takes data protection incredibly seriously, and we expect all staff members to adhere to this data security policy. Any failure and refusal to comply with this policy could ultimately place our company at risk.

    Bearing that in mind, personal non-compliance with this data security policy could lead to disciplinary action as they relate to ordinary personnel procedures. Please contact your line manager with any further questions concerning data protection at Airport Transport Centre.

    As a staff member at Airport Transport Centre,you can expect to receive data protectiontraining in line with our data security policy. All incoming employees will be provided training as an aspect of the wider staff induction process, and all staff members can anticipate the requirement to undergo additional training as a result of subsequent regulatory updates to GDPR or other relevant legislation as it relates to data security.

    Data security will inevitably encompass a range of additional responsibilities for various roles within the company. These roles and their responsibilities include (but are not limited to):

  • Data Protection Officer

    GDPR stipulates our company must appoint a Data Protection Officer. It is our Data Protection Officer’s responsibility to:

    Organise data security training for all employees not specifically referenced within this data security policy.

    Review and analyse all existing data security protocols and processes on a regular basis.

    Be a point of contact for all employees, clients and stakeholders to answer questions about data protection and data security.

    Respond to internal or external queries from individuals wanting to know what data relating to them may have been obtained, processed or stored by our company.

    Conduct due diligence and submit approval in relation to any contractual agreement with a third partyinvolving the processing or storage of data.

    Maintain constant contact with company directors, board members and stakeholders in relation to data security, company responsibilities and data risk management.IT Manager

  • IT Manager

    Information technology plays a crucial role in the way our company operates. Any processes relating to IT and the processing and storage of data must be carefully monitored, assessed and guided by an IT Manager.

    It is the responsibility of Airport Transport Centre’s IT Manager to:

    Conduct duediligence and appropriate levels of research into any third-party service that our company may call upon to store or process any data.

    Make sure that all company software, IT systems, equipment and services meet changing levels of data security standards.

    Carry out regular checks, audits and scans to ensure security hardware and security software are fully functional and optimised to manage and mitigate data security risks.

  • Marketing Manager

    A significant proportion of our marketing activities involve the collection, storage and processing of data. Consequently, our Marketing Manager must oversee the following responsibilities:

    Accept all queries relating to data security and data protection from leads, media outlets, clients or other individuals and oversee and deliver an adequate response.

    Work alongside Airport Transport Centre’s Data Protection Officer to make sure that all of our marketing processes, campaigns and activities are compliant with all relevant data security and data protection laws –as well as our own company data security policy.

    Review, draft and approve any relevant data security statements that must accompany emails, other messages or applicable marketing collateral.

  • Our data security policies

    Airport Transport Centre’s takes data security extremely seriously, and we place the rights of the individual and regulatory adherence at the heart of everything we do as a company.

    n light of our commitments, it is mandatory all staff members must observe and adhere to the following data security policies:

    Data storage policy

    All information or data that is collected and processed is subject to all of the applicable requirements as outlined and documented within this policy. This includes information collected electronically, by paper, telephone or data collected through any other means.

    All data must be collected, stored and protected in a secure location appointed by Airport Transport Centre’s for a retention period as predefined by corresponding legislature or company policy.

    Staff members are strictly forbidden to retain confidential information or personal data not relating to themselves on their personal devices. Exceptions to this policy include information that is needed for a purpose that is work-related, temporary and specified and approved by a relevant manager.

    Staff members should avoid downloading sensitive files or confidential information to local devices wherever possible. Information being necessarily processed for work purposes may be exempt from this policy.

    Employees must install and use software and systems that have been licensed and approved by the company on devices while carrying out the duties of their role. Downloading or using any software, app or system that is not preapproved by the company will require prior approval from the company’s IT Manager.

    All mobile and portable devices used by staff members should be approved by the company’s IT Manager and secured to prevent unauthorised access or breach. Personal devices could include a laptop, smartphone, tablet or any other handheld computing devices. This policy also applies to any shared cloud storage spaces.

    All internet access and online operations carried out by employees could be subject to monitoring and filtering in accordance with relevant legislation and company policy. This monitoring should be carried out only by the IT Manager or an authorised member of staff.

    Employees must adhere to all applicable elements of this policy when using personal devices to access company resources. Similarly, employees must observe and adhere to all applicable elements of this data security policy when using equipment provided by Airport Transport Centre’s to access information externally.

    Employees are forbidden from using public access devices. This practice is allowed in some circumstances; however, prior and explicit approval from a line manager for regular public access must be obtained and recorded.

    Employees must use access tools provided to them by a client or partner ofAirport Transport Centre’s if access is granted to any third-party storage system or data storage facility.

    It is forbidden to send, forward or submit any of the information or data referred to within this data security policy to a third-party unless deemed essential to complete approved processes.

    If anemployee needs to carry out an approved submission of data to any relevant third-party, that data must be made secure in accordance with company policy and any relevant third-party data protection protocols.

    If anemployee needs to carry out an approved submission of data to any relevant third-party, that data must be made secure in accordance with company policy and any relevant third-party data protection protocols.

  • Data retention policy

    While Airport Transport Centre must routinely collect and store data, weare committed to the rights of individuals. That’s why we retain all information and personal data for no longer than we need to.

    The necessary length of retention will often be decided on a case-for-case basis, bearing in mind the rationale and originalpurpose surrounding data collection and retention. Decisions of this nature must be made in a way that is compatible with our existing data retention guidelines under GDPR.

    For additional guidance, consult the following corresponding documents:

    Data retention and erasure policy document

  • International data transfer policy

    Employees must observe a series of restrictions that apply towards the international transfer of data or personal information. Employees are not permitted to transfer personal information or data outside of the United Kingdom without having obtained explicit permission in the first instance from the company’s Data Protection Officer.

  • Data encryption and anonymisation policy

    Airport Transport Centre deploys encryption to secure and protect data that is stored on devices from unlawful processing or unauthorised access. Encryption is also used to protect information that is in transit.

    We also use the anonymisation of personal data wherever deemed prudent to ensure the rights of the individual are fully protected and observed.

    In line with these principles, we are committed to the use both encryption and anonymisation as a risk management tool alongside existing systems, to protect the company from accidental loss, as well as from the damage or destruction of data or personal information.

  • Activities that are prohibited

    Unless otherwise noted or informed, employees are strictly forbidden from using company equipment, tools or systems for any purpose unrelated to their role responsibilities, excluding any previously mentioned exceptions. This policy also relates to any relevant systems, tools or equipment belonging to a company client or partner.

    Bearing that in mind, the following activities should be deemed forbidden with no exceptions:

    Any unauthorised replication of copyrighted materials.

    The violation of individual rights by way of the unnecessary collection, storage and processing of personal data or information.

    The violation of rights of an individual or organisation protected under intellectual property law in any jurisdiction.

    The violation of rights of an individual or organisation protected under intellectual property law in any jurisdiction.

    The use of any programme, command or interface designed to interfere with a user or corresponding user session.

    The accessing of any data, user account or server for any purpose unrelated to the business function of an individual’s company role.

    Issuing fraudulent product or service offers from a company account.The allowed sharing or use of employee login credentials or company systems by anyone apart from the named individual.

    The export of proprietary or confidential information as it relates to the company.The export of any software or data that is in breach of regulation or the company’s data security policy.

    Knowingly causing a network disruption or security breach.

    An employee is not allowed to access data that is not intended for them by logging into a system or gaining access to a confidential or limited-access account. The only exception to this rule is if the employee is granted access as part of a specific company project.

    Please note that any violation of this policy can lead to disciplinary action, alongside legal action where deemed prudent or necessary.

  • Reporting security issues

    If you encounter any incidents or issues relating to the security or protection of information or data, you must report this immediately to company management. Management will subsequently take and record any action deemed necessary to prevent damage or loss in relation to a security threat.

    If necessary, it is the responsibility of company management to report relevant incidents relating to a data breach or information security threat to regulators or the authorities. Under GDPR, it also falls upon management to contact the individuals involved in any breach or security threat.


  • Introduction to your General Data Protection Notice

    A General Data Protection Notice is a short document your company can use to set out the conditions under which you will capture or process the data of visitors to your website. This is ordinarily displayed in a clearly marked section of your company website, and it’s important to bear in mind that the conditions you outline as part of your General Data Protection Notice do not include a request for marketing consent.

  • Your Data Protection Notice

    Airport Transport Centre collects, processes and stores the information and personal data you submit to our website in relation for the execution of sales as booking. All processing activities shall be carried out in accordance with your individual rights as defined by the European Union’s General Data Protection Regulation.

    Please note that by submitting information about yourself through our website, you are agreeing for Airport Transport Centre to process and store that data. This data shall be stored only for the duration of the previously outlined purpose for collection. We never store or process your data longer than we need to, and we do not use your data for any purpose other than those you have agreed to.

    The data you submit to our website will never be shared with or transferred to a third-party organisation. The following partners are exempt from this policy as they assistAirport Transport Centre in processing your personal data and delivering its services; Airport Transport Centre, drivers and operators.

    You reserve the right to request Airport TransportCentre update your personal data at any time. You can also request information about your personal data, withdraw your consent for us to process your information or request a transfer or deletion of your data.

    For more information about Airport Transport Centre and how we protect and secure your data, consult our Privacy Policy: tick this box to indicate you have read and consent to our Privacy Policy:

    Yes, I agree to Airport Transport Centre Privacy Policy


    • Policy introduction

      Here at Airport Transport Centre, we are committed to data security, the privacy of the individual and upholding all our compliance obligations under GDPR. We take our responsibilities seriously, and we recognise that the use of information assets and data form a crucial aspect of our business activity. That is why we’ve devised the following Data Classification Policy to outline the way in which we classify and use data.

      Our Data Classification Policy is designed to ensure that:Airport Transport Centre adheres to all necessary legal obligations

      We implement controls to maximise return on investmentAirport Transport Centre maintains availability, confidentiality and integrity where necessary for all data

      Our company has the ability to chart data protection levels that protect both Airport Transport Centre as well as the individuals whose personal data we must collect, process or store

      We are able to avoid threats of disclosure and/or unauthorised access to data

    • Policy values

      Data classification is a vital process our company must carry out to ensure the individuals who claim a legitimate right to access information we hold are able to do so. Our data classification process must also ensure our data and any other piece of information we hold is protected from any and all individuals or organisations that should not have access to that information.

      Airport Transport Centre’s Data Classification Policy identifies and elaborates upon the correct handling and classification processes our company must use, as per the regulatory requirements that we:

      Make data available to all those individuals who have a legitimate reason to access it

      Manage all data in line with its corresponding classification

      Maintain the integrity of all data

      Ensure all data our company holds is accurate, complete and consistent

    • Policy objectives

      Airport Transport Centre’s Data Classification Policy has been developed to meet the following objectives:

      To outline the duties and responsibilities of Airport Transport Centre employees that ensure data is kept safe and secure

      To establish a robust data classification process that is consistent and compliant with UK regulatory requirements

      To ensure data is sufficiently protected and encrypted so that unwarranted actions will not be taken against Airport Transport Centre in the event data is lost, damaged or accessed illegally

      To avoid and minimise reputational or operational damage to Airport Transport Centre, our stakeholders, clients, customers or partners associated with compromised data

    • Policy implementation

      To make sure our Data Classification Policy is effective, Airport Transport Centre will implement the following procedures:

      All users of data will be identified and provided access to data in which they have a legitimate need to access

      All data will be classified, managed and controlled in relation to its correct categorisation, as per the processes and requirements outlined within this policy

      Airport Transport Centre must ensure control mechanisms are created and implemented to protect data we collect, process or store

      All control mechanisms and classification protocols must be reviewed and amended as required by law on a regular basis

      Data users and data controllers must implement and maintain adequate levels of physical security as required, in relation to computer facilities or access terminals from which data can be viewed or accessed

      Airport Transport Centre must ensure that all data and relevant equipment is safely disposed of, as and when required

    • Obligations under GDPR (2018) and Data Protection Act 2018 (DPA)

      Airport Transport Centre is committed to meet its regulatory obligations under GDPR and DPA. That is why we are committed to ensure that adequate and appropriate measures are taken to prevent the unauthorised access or illegal processing or storage of data. We are required to do everything we can, within reason, to protect the data we use and hold against destruction, accidental loss or damage.

    • Data classifications

      Data that is sensitive in nature must be adequately protected at all times. To properly assign safeguards, all data that our company collects, processes or stores must be assigned one of the following classification categories:




      Strictly Confidential


      A vast amount of the data Airport Transport Centre uses will most likely be classed as being either ‘Public’ or ‘Open’ data. Any information relating to an individual or organisation that could identify them or is personal or private in nature must be assigned a category of either ‘Confidential’ or ‘Strictly Confidential’.

      This is to ensure Airport Transport Centre upholds its regulatory commitment to uphold the rights of individuals, as outlined under GDPR.

      On rare occasions, Airport Transport Centre may wish to class data as ‘Secret’. If an employee is unsure as to whether they should categorise a piece of data as being secret –or if they need assistance in classifying any other piece of data, they should consult a line manager. If no manager is available for consultation, data should default to a ‘Confidential’ classification.

    • Data classification types and handling procedures

      To minimise discrepancies and ensure Airport Transport Centre does everything it can to uphold its regulatory commitments, the following working definitions should be associated with the aforementioned classification categories.

    • Public data

      Public data is information or data that can be accessed by any external individual or organisation.

      Types of public data might include:

      Official contact data of relevant company employees

      Newsupdates or press releases

      External-facing company policies or procedures

    • How to handle public data:

      Public data should be formatted to allow for the most basic security measures. Examples might include converting a Word document into a PDF to avoid others editing it, as this could subsequently cause some form of reputational damage.

    • Open

      Anyone is able to access this information. Types of open data might include:

      Official contact data e.g. full name, primary email address and telephonenumber

      Authorised communications, such as blogs, news articles and industry updates

      Approved company policies, guidance and processes

    • How to handle open data:

      Open data should be formatted to allow for the most basic security measures. Examples might include converting a Word document into a PDF to avoid others editing it, as this could subsequently cause some form of reputational damage.

  • Confidential data

    Access to confidential data must be limited only to individuals who have been granted appropriate authorisation to view or process that information. .

    Alternatively, there may be occasions in which unauthorised individuals or stakeholders may need to be granted access to confidential data; however, this access must only be provided on a need-to-know basis.

  • Types of confidential data might include

    Someone’s personal details or any information that could be used to identify them. Examples of identifiable or personal details include:


    Date of birth


    Telephone number

    Email address

    National Insurance number



    Health details

    Political affiliations

    Trade union membership

    Criminal offences

    Employee contracts

    Non-Disclosure Agreements

    Unfinished or unapproved company documents

    Employee wage slips

    Death certificates

    PDR documentation

  • How to handle confidential data:

    As and where required to handle confidential data, employees should exercise the following handling processes:

    Paper documents must be:

    In secure locked storage

    Transported in sealed envelopes only

    Transported by an approved third-party courier service

    Securely disposed of

    Electronic data must be:


    Password-protected wherever possible

    Transportation must follow secure file transfer protocol

    Storage must be limited to secure file stores

    Securely disposed of

  • Strictly confidential data

    A minimal number of authorised individuals, authorities or other stakeholders may be permitted access to data that has been classified as being ‘Strictly confidential’.

  • Types of strictly confidential data might include:

    Bank details

    Credit card information

    Financial information

    Server information

    Usernames or passwords

    Test data

    Medical records

    Disciplinary proceedings

    Patent information

    Network information

  • How to handle strictly confidential data:

    As and where required to handle strictly confidential data, employees should exercise the following handling processes:

    Paper documents must be:

    In secure locked storage

    Transported in sealed envelopes only

    Transported by an approved third-party courier service

    Electronic data must be:


    Password-protected wherever possible


    Transportation must follow secure file transfer protocol

    Storage must be limited to secure file stores

  • Secret data

    Access to data that has been classed as ‘Secret’ or a request to access secret data is subject to the Official Secrets Act.

    Various types of secret data may require different controls and circumstances. Bearing that in mind, individual protocols should be reviewed on a case-for-case basis in line with UK Government requirements. Government advice concerning the handling of secret data should be sought.

  • Data classification markings

    Data classification markings need to be clearly visible at all times and must match the classification category in which that data has been assigned. Appropriate data classification identification markings should be included either at the top, bottom or centre of each document page.

  • Reclassifying data

    There may be occasions in which data must be reclassified from one data category to another data category. The need for reclassification could depend upon a content change, or an alteration in terms of the data’s intent, where it is stored or how it is being used. Before reclassifying data, a firm and justifiable rationale must be established. If in doubt, contact the Data Protection Officer or your line manager for guidance.

  • Sensitive data

    It is the responsibility of the data owner or the data originator to define the category of data classification for a piece of data. Responsibility also rests with the data owner or originator to ensure that adequate protection has been afforded to that data in line with its relevant classification.

    Any data that could or should be defined as being personal in nature must be afforded a higher level of protection and be treated as data that is sensitive. Personal data can be classed as information relating to an individual that could identify them. Aforementioned examples of sensitive personaldata might include (among other pieces of data) a person’s name, contact information, race, religion, political affiliations, sexual preference and so on.

    Sensitive data must be identified and assessed on a case-for-case basis. In most cases, sensitive data will inherently be classed as confidential; thus, access and/or availability must be limited.

    Sensitive data which is made available in the public domain can lead to reputational damage for private individuals or company employees. As a company we must ensure that sensitive data is given sufficient protection to protect individuals, company employees and the company itself.

  • Data storage and backup

    Because data is such an integral aspect of our business, it is everyone’s responsibility at Airport Transport Centre to do everything within their power to ensure that sensitive data is being collected, processed, backed up, stored and secured in line with company policy.

  • Data anonymisation

    Prior to the sharing, transfer or disclosure of data, Airport Transport Centre and its employees must take all necessary steps to ensure that the anonymity of corresponding data subjects is protected and maintained in line with our regulatory commitments.

    Necessary steps may include omitting or redacting (deleting) said personal identifiers within a piece of data. Audio visual data or verbally exchanged data recordings should be likewise edited.

  • Secure data disposal

    Sensitive data that is no longer needed or has reached an ‘end of life’ classification asdecided upon by the relevant authorised individuals must be disposed of in a secure fashion. Examples of disposing data as stored on paper would include shredding.

  • Data security response

    If data is damaged or lost, it must be immediately reported to an appropriate line manager and company Data Protection Officer andlogged as an incident requiring urgent response.


    • Our approach towards data retention

      This policy is designed to ensure Airport Transport Centredoes everything within its power to adequately protect, maintain and store data. This policy has also been developed to ensure that any data, documents or records that have no further use or value to Airport Transport Centre are disposed of in line with our regulatory obligations and relevant company policy.

      Employees should consult our data retention and erasure policy, to develop an understanding of our company’s obligationsrelating to the ways in which we retain data or electronic documents. These documents may include, but are not limited to:


      Word Documents


      PDF documents

      Web files

      Sound files


      Personal data must never be kept for longer than it isneeded. Consequently, employees should utilise our company’s data retention schedule as a guide to understanding Airport Transport Centre’s general retention period time for various data categories that have been assigned based upon the purpose of the data. In line with our regulatory obligations, all data that is no longer necessary should be deleted and all copies must be destroyed in line with our data erasure schedule

    • Data retention schedule administration

      This data retention schedule documents the maintenance, retention and disposal guidelines relating to any and all records our company holds. It must be reviewed and accordingly amended on a regular basis to ensure data storage and erasure processes are adhering to Airport Transport Centre’s wider data retention policy approach.

      There will be times when data may need to be retained longer than the pre-defined amount of time permitted. Circumstances in which our policy will need to be suspended may include, but are not limited to:

      Legal proceedings

      Regulatory investigations

      If criminal activity is suspected or alleged

      If relevant data concerns a company or organisation in receivership or liquidation

      If the relevant data is of historical importance to the owner or controller

      In the event of legal proceedings, criminal activity or investigations, Airport Transport Centre and its employees must retain data that relates to the situation and could serve to aid the company’s case or position, liability or amount involved. If such a situation may occur during the lifetime of this policy, Airport Transport Centre will inform all staff of the policy’s suspension as it relates to said situation.

  • Accounting and finance data
    Data retention

    Any and all items that display customer bank details or credit card information must be kept under secure conditions when not in immediate use. This includes keeping printed records in a locked desk drawer or filing cabinet.

    If Airport Transport Centredetermines it is necessary to keep a document that displays customer financial details beyond a retention period of 2 years, all identifying details or financial information as it relates to any customer must be redacted or removed from the document in question.

  • Data retention schedule

    Airport Transport Centre has developed its data retention policy in line with the following data retention schedule:

    Data retention
  • Contract data
    Data retention
  • Corporate records
    Data retention

    For the purpose of this schedule and corresponding policy, ‘corporate records’ should be defined to include anything relating to:

    Meeting minutes

    Signed minutes of the board

    Signed minutes of any committees

    Articles of incorporation

    Annual corporate reports

  • Correspondence and internal memoranda

    The vast majority of correspondence and internal memoranda must be retained to match the period of time as the document or data to which they relate. Examples may include an email relating to a contract –in which case the email in question would be expected to be retained for a period of 7 years after the expiration of the corresponding contract.

    Bearing this in mind, Airport Transport Centre recommends that all correspondence and internal memoranda as it relates to a company project be kept with said project as part of a project-wide file.

    Company correspondence or internal memoranda unrelated to documents that have a defined retention period, should be securely destroyed at an earlier time depending upon which of the following two categories it corresponds:

  • Category 1

    Category 1 correspondence or internal memoranda includes any and all data as it relates to routine processes. Category 1 correspondence and internal memoranda generally do not carry any significant consequences and should be disposed of with 2 years.

    Examples of category 1 correspondence and internal memoranda may include (but are not limited to):

    Notes of appreciation or thanks

    Plans for meetings

    Forms orletters that do not require a follow up

    General enquiries that have been settled

    Chronological correspondence data

    Complaints requesting a specific action that have already been addressed and carry no further value

    Correspondence relating to inconsequential subject matter

    All copies of internal office correspondence should be read and destroyed as per this policy unless that correspondence includes data or content that must be retained as part of a wider project.

  • Category 2

    Category 2 correspondence or internal memoranda includes non-routine information or correspondence that is likely to have a consequential impact upon the company or its employees. Category 2 correspondence and internal memoranda should be retained on a permanent basis

  • Personal data

    There will be times when Airport Transport Centre and its employees must retain and/or delete personal data in line with its legal obligations.For the purposes of this data retention and erasure policy, ‘personal data’ can be defined as any identifying information as it relates to an individual. We never keep personal data for longer than is necessary for the purpose in which that data was collected. All personal data as defined within the following categories should be deleted based upon this retention and erasure schedule:Record

    Data retention

    Airport Transport Centre reserves the right to retain any and all documents (both electronic and print) containing personal data to the extent our company is required by law to do. We will also retain documents containing personal data if we have reason to believe said documents could be relevant to legal proceedings, or to establish and/or exercise our own legal rights.

    Our companywill organise backups of our database and all of the electronic data held within our company server(s). Backup activities should include all data that relates to current users or customers, alongside any document or dataset relating to one of the aforementioned reasons as outlined within this data retention and erasure policy. Airport Transport Centre does this to ensure that lost information can be retrieved within one year, as and where needed.

  • Electronic data

    Most emails do not need to be kept. Emails that are inconsequential or unrelated to contracts or projects should subsequently be treated in line with the following policies:

    All emails should be deleted after 12 months. This includes both internal and external emails

    Airport Transport Centre will archive emails for six months after employees have deleted them. After this six-month period, archived emails will be destroyed

    Employees should never send emails containing confidential or proprietary data to external sources unless it has been approved by a relevant manager

    Electronic documents

    Electronic documents include, among other formats, both PDF document and files originating from Microsoft Office Suite or similar software.

    Retention and erasure will depend upon the purpose of the electronic document, yet as a general rule of thumb employees can apply the following rules:

    For PDF documents, the maximum period of retention should be 6 years. PDF documents that employees deem vital to their performance or role should be printed and/or stored in the relevant employee’s workspace.

    For text documents or other formatted files, the maximum period of retention should be 5 years. Text documents or other formatted files that employees deem vital to their performance or role should be printed and/or stored in the relevant employee’s workspace.

    Airport Transport Centre does not and will not automatically delete electronic documents or corresponding data beyond the time periods defined within this policy. It is the responsibility of our employees to ensure they are adhering to our policy guidelines.

  • Insurance data
    Data retention
  • Legal data
    Data retention
  • Miscellaneous Data
    Data retention
  • Personnel data
    Data retention
  • Tax data

    Airport Transport Centre keeps accounts and/or records to demonstrate and establish amounts of gross income, deductions, credits and other information. These records are crucial to maintaining our company’s compliance of tax laws.

    Associated records and documentation will include (but are not limited to) the following records and associated schedules:

    Data retention
    Data retention

  • Privacy notice template

    Your privacy notice is considered one of the most complex but crucial aspects of GDPR compliance. To help you to better understand your privacy notice and obligations under GDPR, we’ve broken this guidance document down into two sections:

    A.General guidance

    B.Privacy notice template

  • A. General guidance

    Under GDPR, yourcompany must provide explicit privacy information to any and all data subjects. These privacy statement stipulations are more specific and contain stronger specifications than what was previously expected of UK companies under the Data Protection Act 1998.

    First and foremost, it’s worth noting a privacy statement absolutely must be supplied by your company to any relevant individual at the point in time that they provide to you or submit their personal data. More important still, the statement that your company provides those individuals with must be:



    Easily accessible

    Written in plain language

    Free of charge to access and read

    Please note that additional rules are required if your privacy statement is designed for and/or directed at children.

    To help you develop your privacy statement that complies with all of your GDPR obligations, we’ve compiled the following guidance sections.

  • Name and details of Data Controller

    You must identify the name and contact details of the relevant data controller within your privacy statement. Here is an example of how your company may wish to outline these details:

    Airport Transport Centre is the designated data controller for Airport Transport Centre and committed to upholding our commitments to protect the rights of individuals under legislation outlined within the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

  • Name and details of data protection officer

    You must identify the name and contact details of the relevant data protection officer within your privacy statement. Here is an example of how your company may wish to outline these details:

    Airport Transport Centre has an appointed data protection officer Khawar Siddiqui to assist us in upholding our commitment to individual rights. Our data protection officer can be contacted both through our website , as well as by post Shelton Street, Covent Garden, WC2H 9JQ.