DATA POLICY (DATA PROTECTION AND HANDLING POLICY)

For Tyrrell Promotions Limited

Last updated: 4 March, 2026

This Data Policy sets out how Tyrrell Promotions Limited (“TPL”) manages personal data in a consistent, lawful, and secure manner. It supports the Privacy Policy for www.teamtyrrell.com and applies to personal data we handle through:
• website contact form submissions,
• emails sent to and from our business accounts,
• newsletter sign-ups and newsletter distribution systems, and
• related business systems used to manage those interactions (for example, CRM and ticketing tools, if implemented later).

It is designed to scale as we add new tools, suppliers, and data flows.

1. Purpose and scope

This Data Policy applies to all personal data that TPL handles through the channels listed above, and to every member of staff and every contractor who handles that data on TPL's behalf.

2. Legal framework and principles

TPL aims to comply with:
• the UK GDPR and the Data Protection Act 2018 (UK)
• the EU GDPR where it applies to individuals in the EEA

We follow the core principles:
• lawfulness, fairness, and transparency
• purpose limitation
• data minimisation
• accuracy
• storage limitation
• integrity and confidentiality (security)
• accountability (documenting decisions and controls)

3. Roles and responsibilities

Controller: Tyrrell Promotions Limited.

Internal responsibilities:
• Privacy contact: contact@teamtyrrell.com

All staff/contractors handling personal data must:
• access data only as needed for their role,
• keep credentials secure,
• follow this Data Policy and any security procedures.

4. Data inventory and records

TPL maintains (or will maintain as systems expand):
• a record of processing activities (ROPA) covering purposes, categories, lawful bases, recipients, retention, transfers, and security measures
• a supplier register (processors and sub-processors)
• a retention schedule
• logs of consent and marketing preferences (where applicable)

5. Lawful bases and consent management

A) Enquiries and relationship management
Primary basis: legitimate interests and/or steps taken at the individual's request prior to entering into a contract.

B) Newsletter marketing
Primary basis: consent, captured via a clear opt-in mechanism.
Requirements:
• consent records must include who consented, when, how, and what they were told and agreed to at the time
• each email must include a clear unsubscribe mechanism
• opt-outs must be applied promptly, with a suppression list retained so that an unsubscribed address is never re-added to a mailing list

In the UK, electronic marketing and cookies are subject to PECR alongside UK GDPR.

6. Data minimisation and collection rules

TPL will only collect data necessary to:
• respond to enquiries,
• manage communications,
• send the requested newsletter, and
• maintain security and operational integrity.

Sensitive data: Individuals should not be asked to provide special category data (e.g. health, religion, political opinions). If someone voluntarily includes it in a message, TPL will handle it with additional care and only use it where necessary to respond.

7. Security controls (baseline)

TPL applies reasonable technical and organisational measures appropriate to risk, such as:
• access controls and least privilege (only authorised people access inboxes, newsletter lists, CRM, and access is removed when a role ends)
• strong, unique passwords and multi-factor authentication on every account that supports it
• encryption in transit (HTTPS, TLS) and encryption at rest where supported by suppliers
• device security (screen lock, updates, malware protection)
• secure sharing (avoid forwarding personal data unnecessarily; use approved tools)
• supplier due diligence (processors must provide appropriate security and data protection commitments)

8. Processors and supplier management

When using third-party suppliers that process personal data, TPL will:
• select suppliers that can demonstrate appropriate security and compliance
• put in place a data processing agreement (DPA) where required
• assess sub-processors and international transfers
• review suppliers periodically

9. International transfers

If data is transferred outside the UK/EEA, TPL will use appropriate safeguards (adequacy decisions or contractual transfer mechanisms, plus any necessary supplementary measures).

10. Retention and deletion

TPL follows a documented retention schedule that aligns with the Privacy Policy. Key rules:
• keep data no longer than necessary for the purpose collected
• delete or anonymise data when it is no longer needed
• retain unsubscribe/suppression records as needed to evidence compliance and prevent re-marketing

11. Individual rights handling

TPL will respond to rights requests within the legally required timeframes (normally within one month of receipt, extendable only where the law allows for complex or numerous requests).
Process:
• verify identity (proportionately)
• locate relevant systems (email, website form logs, newsletter platform, CRM)
• respond with the required information or action, documenting the outcome
• escalate complex requests to professional advisers if needed

12. Personal data breaches

TPL maintains a breach response process:
• identify and contain the incident
• assess risk to individuals
• record the incident and remediation steps, whether or not it is reportable
• notify the ICO and/or relevant EEA authority where required (without undue delay and, where feasible, within 72 hours of becoming aware of the breach), and notify affected individuals where there is a high risk to them.

13. Cookies and tracking governance

If TPL uses cookies beyond strictly necessary cookies:
• provide clear cookie information and obtain consent where required
• maintain a cookie list/table and consent logs where applicable
• allow users to change cookie preferences

PECR applies to cookies in the UK alongside UK GDPR.

14. Policy review and updates

This Data Policy will be reviewed at least annually, and also when:
• new systems are introduced (new newsletter provider, CRM, analytics),
• new categories of data are collected, or
• relevant laws/regulatory guidance change.