Legal
Data Protection Policy
Version: 4.0
Published: June 2025
Review date: June 2026
At Getech, we treat the privacy of our staff, partners and customers with the utmost seriousness. We have established clear protocols for handling data breaches and robust mechanisms for individuals to exercise their rights over their own information.
Whether we are processing orders, managing employee records, or conducting hardware repairs, we adhere to core data protection principles: fairness, transparency, accuracy and storage limitation.
This policy details how we gather, retain and secure data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Overview
1.1
Getech gathers and retains certain information or ‘data’ about its employees, customers, and other third parties in the performance of the Company’s services, provisions and managing its relationships. This policy outlines the measures Getech takes, regarding the security and privacy of personal data, with the intention to fully comply with all legal obligations under the Data Protection Act 2018 (the ‘DPA 2018’) and the UK General Data Protection Regulation (‘UK GDPR’) in respect of data privacy and security. Where applicable, Getech will also comply with the requirements of the EU General Data Protection Regulation (‘EU GDPR’) as required.
1.2
This policy applies to current and former Getech employees (including workers, volunteers, apprentices, and consultants), along with partners, customers, and end users alike. Where an individual may be defined by the above, they are then deemed to be a ‘data subject’ for the purposes of this policy. This policy is to be read fully alongside any employment contracts (or contracts for services) and must be considered and observed alongside any further notice Getech issues which also relates to personal data.
1.3
Where Getech collects data, it is classified as a ‘data controller.’ This means that Getech decides how and why it will process an individual’s personal data. Getech may also act as a ‘data processor’ on behalf of customers under certain circumstances.
1.4
This policy details the way Getech will hold and process personal data and explains an individual’s rights as a data subject. It also explains the obligations of all Getech employees when obtaining, handling, processing, or storing personal data while performing their respective duties and roles on behalf of the Company.
1.5
This policy does not form part of Getech’s employment contracts (or contract for services, if relevant) and as such it may be updated at any time. It is intended that this policy is fully compliant with the DPA 2018, the UK GDPR and the EU GDPR. If any conflict arises between those laws and this policy, Getech intends to comply with the DPA 2018, the UK GDPR and the EU GDPR.
2. Data Protection Principles
2.1
- be processed fairly, lawfully, and transparently;
- be collected and processed only for specified, explicit and legitimate purposes;
- be adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
- be accurate and kept up to date. Any inaccurate data must be deleted or rectified without undue delay;
- not be kept for longer than is necessary for the purposes for which it is processed;
- be processed securely; and
- be processed in a manner which is accountable and in compliance with the UK GDPR.
3. How Getech define personal data
3.1
‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into Getech’s possession. It includes any expression of opinion about the person and an indication of the intentions of Getech or others, in respect of that person. It does not include anonymised data.
3.2
This policy applies to all personal data, regardless of format and media (i.e. whether it is stored electronically, on paper, or in/on other materials).
3.3
This personal data might be provided to Getech by an individual, or by someone else (such as a former employer, a doctor, or a credit reference agency), or it could be created by Getech. It could be provided or created during the sales or service provision process, or during the recruitment process and subsequent employment (or contract for services), including after said employment has ended. It could be created by a member of Getech’s Management team, or by any other employee.
3.4
Getech may collect and use the following types of personal data about a data subject (staff and workers):
- Basic customer personal information;
- Recruitment information such as an application form and CV, references, qualifications and membership of any professional bodies and details of any pre-employment assessments;
- Contact details and date of birth;
- The contact details for employee’s emergency contacts;
- Gender;
- Marital status and family details;
- Information about a given employment contract (or contract for services) including start and end dates of employment, role, and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits, and holiday entitlement;
- Bank details and information in relation to tax status, including National Insurance number;
- Identification documents including passport and driving licence and information in relation to immigration status and right to work;
- Information relating to disciplinary or grievance investigations and proceedings involving employees (whether or not they were the main subject of those proceedings);
- Information relating to performance and behaviour whilst in Getech’s employ;
- Training records;
- Electronic information in relation to use of IT systems/swipe cards/telephone systems;
- Images (whether captured by CCTV, by photograph or video); and/or
- Any other category of personal data, which Getech may notify a data subject of as required.
3.5
Getech may collect and use the following types of personal data about a data subject (customer):
- Basic personal information;
- Delivery address details;
- Contact information;
- Payment details; and/or
- Any other information required to support the provision of services to be provided.
3.5.1
No special categories of personal information will be held where a customer is the data subject.
4. How the Company define special categories of personal data
4.1
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic or biometric data;
- Health; and/or
- Sex life and sexual orientation.
5. How Getech define processing
5.1
- collection, recording, organisation, structuring or storing;
- adaptation or alteration;
- retrieval, consultation, or use;
- disclosure by transmission, dissemination or otherwise making available;
- alignment or combination; and/or
- restriction, destruction, or erasure.
6. How will Getech process personal data?
6.1
Getech will process personal data (including special categories of personal data) in line with the Company’s obligations under the DPA 2018.
6.2
Getech will use personal data:
- for facilitating the provision of goods and services to customers during the sales process, in respect of meeting legal requirements as outlined by the Sales of Goods Act;
- for performing the employment contract (or contract for services) between Getech and an individual;
- for complying with any legal obligation; and/or
- if it is necessary to Getech’s legitimate interests. However, Getech can only do this if a party’s interests and rights do not override Getech’s (or those of a particular individual). Parties have the right to challenge the Company’s legitimate interests and request that the Company stop this processing. See details of data subject rights in Section 12 below.
6.3
Getech may process personal data for these purposes without knowledge or consent. The Company will not use personal data for any unrelated purpose without notifying the data subject about said processing, along with the legal basis that Getech intend to rely on for processing it.
6.4
Where a data subject chooses not to give Getech certain personal data, the Company may not be able to conduct some parts of a contract where one may exist. For example, where the Company does not have the party’s bank account details, Getech may not be able to pay the individual in accordance with the contract agreement. It might also prevent Getech from complying with certain legal obligations and duties, such as in paying the correct amount of tax to HMRC, or in making reasonable adjustments in relation to any disability a person may have.
7. Examples of when Getech might process personal data
7.1
Getech must process personal data in various situations during the sales, recruitment, employment (or engagement) process, and even following termination of a party’s employment (or engagement).
7.2
For example (see clause 7.5 below for the meaning of the asterisks):
- to decide whether to employ (or engage) a person;
- to decide how much to pay a party, and the other terms of their contract with the Company;
- to confirm that parties have the legal right to work;
- to conduct the contract between an individual and Getech including, where relevant, its termination;
- to train a person and review their performance*;
- to decide whether to promote an individual;
- to decide whether and how to manage performance, absence, or conduct*;
- to conduct a disciplinary or grievance investigation or procedure in relation to employees of the Company;
- to determine where Getech need to make reasonable adjustments to the workplace or role because of a disclosed disability*;
- to monitor diversity and equal opportunities*;
- to monitor and protect the security (including network security) of the Company, the individual, other staff, customers, and all other parties;
- to monitor and protect the health and safety of an individual, Getech’s other staff, customers and third parties*;
- to pay individuals and provide pension and other benefits in accordance with the contract between them and Getech*;
- to pay tax and National Insurance;
- to provide a reference upon request from another employer;
- to pay trade union subscriptions*;
- to monitor compliance by employees, Getech, and others with Getech’s policies and contractual obligations*;
- to comply with employment law, immigration law, health and safety law, tax law and other laws which affect Getech*;
- to answer questions from insurers in respect of any insurance policies which relate to an individual*;
- to run Getech’s business and plan for the future;
- for the prevention and detection of fraud or other criminal offences;
- to defend the Company in respect of any investigation or litigation and to comply with any court or tribunal orders for disclosure*; and/or
- for any other reason which the Company may notify a data subject of from time to time.
7.3
Getech will only process special categories of personal data (see above) in certain situations in accordance with the law. For example, Getech can do so if the Company has a data subject’s explicit consent. If the Company asks for consent to process a special category of personal data then Getech will explain the reasons for said request. Data subjects do not have an obligation to consent, and may withdraw consent later if they so choose by contacting the Data Protection Officer (DPO@getech.co.uk).
7.4
Getech do not need consent to process special categories of personal data where processing it for the following purposes:
- Where it is necessary for conducting rights and obligations under employment law;
- Where it is necessary to protect an individual’s vital interests or those of another person where a data subject/they are physically or legally incapable of giving consent;
- Where a party has made the specific data available to the public;
- Where processing is necessary for the establishment, exercise, or defence of legal claims; and/or
- Where processing is necessary for the purposes of occupational health or for the assessment of an individual’s working capacity.
7.5
Getech may process special categories of personal data for the purposes in clause 7.2 above which have an asterisk (*) beside them. In particular, the Company will use information in relation to:
- race, ethnic origin, religion, sexual orientation, or gender to monitor equal opportunities;
- sickness absence, health, and medical conditions to monitor absence, assess fitness for work, to pay benefits, to comply with all legal obligations under employment law including to make reasonable adjustments and to look after an individual’s health and safety; and/or
- trade union membership to pay any subscriptions and to comply with legal obligations in respect of trade union members.
7.6
Getech does not make automated decisions about data subjects when using personal data, nor does the Company use profiling in relation to data subjects.
8. Sharing personal data
8.1
On occasion, Getech might share personal data with agents and/or contractors to conduct the Company’s obligations under a given contract with a data subject or for its legitimate interests.
8.2
Getech requires those people and companies to keep all personal data confidential and secure and to protect it in accordance with the law and in keeping with Getech’s policies. They are only permitted to process data for the lawful purpose for which it has been shared and must do so in accordance with Getech’s instructions.
8.3
Getech do not send personal data outside the European Economic Area (EEA). If this changes, Getech will tell data subjects. The Company will also explain the protections that are in place to ensure the security of personal data.
9. How should employees process personal data for Getech?
9.1
Everyone who works for, or on behalf of, Getech has some responsibility for ensuring data is collected, stored, and overseen appropriately, in line with this and other relevant policies.
9.2
The board of directors are responsible for reviewing this policy. Employees should direct any questions in relation to this policy or data protection to either the Data Protection Officer (DPO@getech.co.uk) or a member of Getech’s Management team.
9.3
Where employees have concerns regarding the integrity of personal data storage or protection or where they are made aware of a potential risk or breach, they are to direct this to the Data Protection Officer (DPO@getech.co.uk) immediately. The Data Protection Officer is responsible for the administration of, investigation into and subsequent resolution of any risks or breaches where personal data may be compromised. This process is documented, with all reporting presented to the Board of Directors in every instance.
9.4
Individuals should only access personal data covered by this policy if it is required for the work they do for, or on behalf of Getech and only if they are authorised to do so. Employees should only use the data for the specified lawful purpose for which it was obtained.
9.5
Employees should not share personal data informally.
9.6
Employees should keep personal data secure and not share it with any unauthorised individual or party under any circumstance.
9.7
Colleagues should regularly review and update personal data which they must deal with for work. This includes notifying Getech where their own contact details change.
9.8
Employees should not make unnecessary copies of personal data and should keep and dispose of any copies securely.
9.9
All employees must use unique, complex, strong passwords. Passwords should not be written down, shared, or duplicated to ensure they provide the maximum protection possible.
9.10
Employees must lock computer screens when not at their desk, irrespective of the duration they may be away.
9.11
Personal data should be encrypted before being transferred electronically to authorised external contacts. Staff must speak to the IT department for support and guidance in ensuring this provision.
9.12
Employees must consider anonymising data or using separate keys/codes so that the data subject cannot be identified.
9.13
Getech staff must not save personal data to personal computers or other devices.
9.14
Personal data should never be transferred outside the European Economic Area (EEA) except in compliance with the law and with the full authorisation of Getech’s Management team and notification of all data subjects, as per 8.3.
9.15
Employees must lock drawers and filing cabinets. Paper articles that contain personal data must not be left unattended in any communal shared space and if being retained, are stored in a secured location.
9.16
Staff should not take personal data away from Getech premises without authorisation from a line manager or Getech’s Management team.
9.17
Where personal data is printed, these materials should be shredded and disposed of securely when employees have finished processing them.
9.18
Employees should ask for help from a member of Getech’s Management team or the Data Protection Officer if they are unsure about data protection or if they notice any areas of data protection or security upon which Getech can improve.
9.19
Any deliberate or negligent breach of this policy by a member of staff may result in disciplinary action being taken against them under Getech’s Disciplinary Policy.
9.20
It is a criminal offence to conceal or destroy personal data which is part of a Data Subject Access Request (SAR) (see Section 11 below). This conduct would also amount to gross misconduct under Getech’s Disciplinary Policy and may lead to dismissal.
10. How to deal with data breaches
10.1
By adhering to the stipulations of this policy, Getech aims to minimise potential breaches as much as practical. Where a breach of personal data occurs (whether in respect of a member of staff or any other party) then Getech must document, investigate, and evidence resolution of said breach. If the breach is likely to result in a risk to the rights and freedoms of individuals then Getech must also notify the Information Commissioner’s Office (ICO) within seventy-two (72) hours, where feasible.
10.2
If a member of staff becomes aware of a data breach, they must contact the Data Protection Officer (DPO@getech.co.uk) or board of directors immediately and keep any evidence they may have in relation to the breach. All reported breaches will be investigated and reviewed until a resolution can be determined.
11. Subject Access Requests (SARs)
11.1
Data subjects can make a ‘subject access request’ (‘SAR’) to find out what information Getech holds about them. This request must be made in writing to DPO@getech.co.uk. Where Getech staff receive a SAR they should forward it immediately to the Data Protection Officer or a member of Getech’s Management team, who will coordinate a response.
11.2
To make a SAR in relation to one’s own personal data, employees should write to the Data Protection Officer or Getech’s Management team. Getech must respond within one (1) month unless the request is complex or numerous, in which case the period in which a response must be provided may be extended by up to two (2) months.
11.3
There is no fee for making a SAR; however, if a request is manifestly unfounded or excessive Getech may charge a reasonable administrative fee or refuse to respond to said request. Getech normally work on the basis that any request which will take an individual more than a day to deal with is likely to be manifestly excessive, and in those circumstances Getech may apply a reasonable charge of one (1) working day’s salary for the employee in question.
12. Data subject rights
12.1
Data subjects have the right to information about their personal data that Getech holds, how it is processed and on what basis as set out in this policy.
12.2
Data subjects have the right to access their own personal data by way of a SAR (see Section 11 above).
12.3
Data subjects can correct any inaccuracies in their personal data by contacting the Data Protection Officer or the Board of Directors.
12.4
Individuals have the right to request that Getech erases their personal data where the Company is not entitled under law to process it, or where it is no longer necessary to process the data for the purpose for which it was collected. Parties can request erasure by contacting the Data Protection Officer or the Board of Directors.
12.5
During the process of requesting that any personal data is corrected or erased, or while contesting the lawfulness of Getech’s processing, data subjects can ask for the data to only be used in a restricted manner. To do so, they may contact the Data Protection Officer or Getech’s Management team.
12.6
Data subjects have the right to object to data processing where Getech are relying on a legitimate interest to do so, and they think that their rights and interests outweigh the Company’s, and they wish for Getech to stop.
12.7
Data subjects have the right to object if Getech process their personal data for the purposes of direct marketing.
12.8
Data subjects have the right to receive a copy of their personal data and, with some exceptions, to transfer their personal data to another data controller. Getech will not charge for this and will in most cases aim to do this within one (1) month of notification. See Clause 11.2.
12.9
With some exceptions, data subjects have the right not to be subjected to automated decision-making.
12.10
Data subjects have the right to be notified of a data security breach concerning their personal data where that breach is likely to result in an elevated risk of adversely affecting their rights and freedoms.
12.11
In most situations Getech will not rely on given consent as a lawful ground to process a party’s data. If Getech does request consent to the processing of personal data for the specific purpose, data subjects have the right not to consent or to withdraw their consent later. To withdraw consent, data subjects should contact the Data Protection Officer (DPO@getech.co.uk) or the Board of Directors.
12.12
Data subjects have the right to complain to the Information Commissioner. They can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ICO.org.uk). This website has more information on a data subject’s rights and Getech’s obligations as a registered company and business entity.
Appendix A: Departmental Data Protection
1. Overview
1.1
Getech holds only the necessary and essential personal information in order to effectively provide its products and services to interested parties. Given the markets in which Getech operates, these informational requirements may vary between departments.
2. Repair Centre and Customer Services (Helpdesk)
2.1
Getech anticipates that, where applicable, repairs will be completed by manufacturer field support teams. As such, Getech’s engineers will only come into contact with customer devices on an ‘as-needed’ basis.
2.2
After consent is agreed, individuals/customers give their personal data in the form of name, address, telephone number, and e-mail address to log repair centre calls.
2.3
Customers are asked to back up their data before sending equipment in for repair. Customer equipment/drives that come in for repair are subject to the UK GDPR and the Data Protection Act 2018.
2.4
Getech are an approved service provider in relation to certain manufacturing partners; as such, the Company offers the repair of certain warranty and non-warranty products, and by extension must on occasion handle customer goods and devices on which personal data may be stored. All devices are overseen by experienced and certified first-line and second-line support teams and engineers.
2.5
Getech does not collect, store or duplicate personal data where hardware is submitted to its Repair Centre, except for where this is explicitly requested and authorised by a customer and/or data subject. Getech aims to facilitate all repairs with the minimum access necessary to personal data and storage media.
2.6
Where necessary, Getech’s repair teams will replace storage devices under warranty and return these warranty spares to a manufacturer for data destruction as per their agreed processes.
2.7
Getech will replace non-warranty storage devices as requested and will perform data destruction services and/or store these devices in a secure and lockable storage unit for regular documented despatch to the Company’s certified data destruction partners. All data destruction is documented with a data destruction certificate, provided on completion.
2.8
Where Getech undertakes the provision of refurbishing devices used outside of a customer institution, all data storage drives will be removed and sent for disposal and certification per the above, either internally or via a data destruction partner. Refurbished devices are fitted with clean data storage drives prior to any reuse or further commission.
2.9
Where an agreement exists with an institution, it is Getech’s standard process to reimage all devices upon receipt wherever an image exists for that institution. Getech accepts the exchange of data storage devices into swap out units to prevent the removal of a user’s personal data from site where this is conducted by a trained member of an institution’s staff.
2.10
Where loan or swap out devices are provided, these are reimaged by Getech upon receipt on their return.
2.11
Getech promotes the enabling of encryption technologies as a standard configuration option where new devices are to be provided.
2.12
In the provision of repair services, Getech may employ diagnostic tools to facilitate a resolution. Where these are used, Getech does not collect private or sensitive data stored on any customer device.
2.13
With a view to minimising the need to access any private or sensitive data, Getech does not offer any data recovery services. Getech does not make backups, nor does it duplicate the data of any non-Getech device without the specific instruction and consent of the data subject and device owner. Where this is provided, data is encrypted and held securely in Getech’s data stores for secure access by the data owner, with respect to their stated requirements.
2.14
Where devices are deemed ‘end of life’ these will be managed by Getech’s IT recycling processes, internally or via a data destruction partner. Both Getech and partners offer fully audited and secure services and provide full reports accompanying the recycling of any hardware and destruction of any data. Getech’s partners are certified with ISO 9001, ISO 14001 and ISO 27001 and provide services compliant with all government and international data privacy regulations and guidelines, fully assuring the security of any data. All audits, data erasure reports and certificates are archived for a maximum of seven (7) years.
3. Education
3.1
Education customers are regarded as Business-to-Business.
3.2
StudentStore and website data: By visiting any of Getech’s website(s), Getech may collect anonymous information (via cookies) about a user’s computer and their visits to Company websites; this may include IP address, geographical location, browser type, referral source, length of visit and number of page views. Getech may use this anonymous information in the administration of their websites or to improve the usability of those websites. This information may be recorded by a third party on Getech’s behalf.
3.3
Where users register or create an account directly on any of Getech’s websites, or via a third-party procurement system (usually in preparation to purchase from Getech), the Company may collect and store some basic personal information, mainly (but not limited to) users’ names, addresses, e-mail addresses, Company or institution details, and telephone numbers, to allow Getech to fulfil their obligations to a customer when processing an order.
4. Marketing
4.1
Getech may send data subjects marketing communications relating to the Company’s business which it has a reasonable basis to think may be of interest to the data subject (providing they have opted in to receive such information, have not opted out, and have not unsubscribed if they have previously had a contractual relationship with Getech by purchasing a product or service). If the data subject is a business (non-consumer) contact working for a business or institution who Getech have had a previous contractual history with, or again as a non-consumer contact who has been referred to Getech by one of their suppliers or vendors following an enquiry to them, Getech may add a data subject’s contact information to their business CRM system. Getech will, however, ask the data subject to opt in to receiving marketing communications before sending any marketing information or material(s).
5. Schools
5.1
If a school has provided a one-time Transfer Token this allows Getech access to that school’s Administrative Console, and by extension this provides access to the school’s data held within. Getech may manage the account on the school’s behalf, along with the provision of other services such as hardware deployment and support. The school remains the primary administrator of the account and the data owner. Getech have no other access to school data.
6. Distribution
6.1
Distribution customers are regarded as Business-to-Business.