General Data Protection Regulation (GDPR)

Please note that this document is for general information only and should not be treated as legal advice to your organisation, as an explanation of the law or the extent of obligations on data controllers or processors under the EU General Data Protection Regulation (“the GDPR”).


Data protection by design

On 25 May 2018, the EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to standardise data protection laws across Europe. Regardless of where that data is processed, it is important to understand that this may also affect your business or school, even if it is not located in a EU member state.

You can be assured that du Pré Ltd is committed to GDPR compliance. We are also committed to helping our customers comply with the GDPR by providing rigorous privacy and security protections that are built into our service.


Data Controllers and Data Processors

Businesses and schools will typically act as the Data Controller for any personal data they provide to du Pré regarding their use of our services. The Data Controller determines the purposes and means of processing personal data, whilst the Data Processor processes data on behalf of the Data Controller.

du Pré is a Data Processor in respect of its customers and processes personal data on behalf of its customers (a Data Controller) when requested specifically to work on any element of the customer’s infrastructure where the customer’s personal data records are stored, including (for example), email, telephone voicemail and server systems.

Data Controllers and Data Processors are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR legislation.

Data Controllers are responsible for compliance with the data protection principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality as well as fulfilling data subjects’ rights with respect to their data.

If you are a Data Controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority. For the UK, such authority is the Information Commissioner’s Office.

You should also seek independent legal advice relating to your status and obligations under the GDPR, as a legal adviser can provide you with guidance specifically tailored to your situation.


du Pré commitments to the GDPR

Alongside other duties, Data Controllers are required to only use Data Processors that provide adequate guarantees to implement appropriate technical and organisational measures so that data processing will meet the requirements of the GDPR.

Here are some aspects which we trust will re-assure you when conducting your assessment of du Pré:

Our terms and conditions for du Pré services and systems articulate our privacy commitments to customers. The terms have been amended over the years to reflect feedback from customers and regulators. The May 2018 edition of these terms reflect the new GDPR requirements, to assist in our customers’ compliance assessment and GDPR readiness when using du Pré services. The updated terms will take effect from 25 May 2018, when the GDPR comes into force.

In our assessment, the services we provide and processes we follow are compliant with the GDPR. The third-party products and services we provide are similarly compliant.

Any data that a customer and its users put into our systems to enable du Pré to deliver services will only be processed in accordance with the customer’s written instructions, as described in our current as well as our GDPR-updated terms.

All permanent and temporary employees are bound by confidentiality and non-disclosure terms within their employment terms and are also subject to our data protection, security and training policies. Fixed term or open-ended contractors that fall outside of normal employment contracts are similarly bound to confidentiality terms within their contract and a separate non-disclosure agreement, as well as the Company’s data protection, security and training policies.

For support, training and implementation, du Pré will only store the data of customers that is to be worked upon only for the time required to render the required services, typically no longer than two weeks and then only if permission has been received, prior to retrieval. Contact, communication and any other relevant data regarding the provision of services will be held in accordance with our Privacy Policy.

If you engage du Pré Ltd to manage back-ups of your data, then this will be managed according to the contract terms in force.

For further details of how we manage the privacy of all data that we gather in the course of our business, please see our Privacy Policy.

Should you have any questions at all, please contact