Data Protection & Privacy Policy
1. Introduction
This Privacy Policy explains how 360Compliance LTD (“we”, “us”, “our”) collects, uses, stores, and protects personal data in accordance with applicable data protection legislation.
This policy applies to personal information processed by or on behalf of 360Compliance LTD, including information relating to our clients, their organisations, directors, nominated individuals, registered managers, associates, and relevant third parties connected with our regulatory and compliance services.
Your privacy is taken seriously. We are committed to processing personal data lawfully, fairly, transparently, and securely.
2. This Policy Explains
• Who we are and how we use personal data
• What categories of personal data we process
• Our lawful basis for processing personal data
• Who we share personal data with and why
• How long personal data is retained
• How we protect confidentiality and security
• Your rights under UK data protection law
• How to raise concerns or complaints
3. Legal Framework
This Privacy Policy is drafted in accordance with:
• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Human Rights Act 1998
• Common Law Duty of Confidentiality
For the purposes of UK data protection legislation, 360Compliance LTD is the Data Controller of personal data processed in connection with our services.
4. How We Use Your Information
360Compliance LTD processes personal data to deliver regulatory, compliance, governance, registration, audit, and advisory services, including but not limited to Care Quality Commission (CQC) and Ofsted-related activities. We collect and process personal data that is necessary, relevant, and proportionate to the services provided.
Categories of Personal Data We May Process
This may include:
• Names, job titles, roles, and professional credentials
• Business addresses and correspondence details
• Email addresses and telephone numbers
• Information relating to directors, nominated individuals, registered managers, and key personnel
• Company information, governance structures, and service models
• Regulatory application data and supporting documentation
• Commercially sensitive operational information
• Information relating to third-party professionals connected to your organisation
We do not process patient or service-user clinical records unless explicitly required under contract and with appropriate safeguards.
5. Lawful Basis for Processing
Personal data is processed in accordance with Article 6 of the UK GDPR, primarily under the following lawful bases:
• Performance of a contract – where processing is necessary to deliver agreed services
• Legal obligation – where processing is required by law or regulatory authorities
• Legitimate interests – where processing is necessary for operational, quality assurance, or governance purposes and does not override your rights
• Consent – where required for optional activities such as marketing communications
Where special category data is processed, this is done strictly in accordance with Article 9 UK GDPR and only where legally justified.
6. Confidentiality and Security
360Compliance LTD maintains strict confidentiality controls and applies appropriate technical and organisational measures to protect personal data against:
- Unauthorised or unlawful access
- Accidental loss, destruction, or damage
All employees, associates, and subcontractors are subject to confidentiality obligations. Where a third party acts as a data processor on our behalf, an appropriate Data Processing Agreement (Articles 28–29 UK GDPR) is in place.
7. Data Sharing and Recipients
Personal data may be shared, where necessary and lawful, with:
- Care Quality Commission (CQC)
- Other statutory or regulatory bodies where required
- Approved data processors and professional partners engaged to support service delivery
Data is shared strictly on a need-to-know basis, under written agreements, and with appropriate safeguards. You will be informed where consent is required.
8. Data Storage and International Transfers
All personal data is processed by staff in the UK. Electronic data is stored on secure systems, including AWS & Google Workspace, where Google acts as a data processor under UK GDPR-compliant contractual terms. Data is hosted within the UK and/or jurisdictions recognised as providing adequate protection under UK law.
9. Data Retention
Personal data is retained only for as long as necessary to fulfil contractual, legal, regulatory, and accounting obligations. Unless otherwise required, records are retained for up to 25 years in line with statutory and regulatory requirements, after which they are securely destroyed.
10. Your Rights
You have the right to:
• Access your personal data (Subject Access Request)
• Rectify inaccurate or incomplete data
• Object to processing based on legitimate interests
• Withdraw consent where processing is consent-based
• Request erasure (where legally permissible)
• Request restriction of processing
• Request data portability
Requests will be handled without undue delay and within statutory timeframes (normally one month).
11. Marketing and Communications
We may contact you about services relevant to your organisation only where a lawful basis exists. You may opt out of marketing communications at any time.
We do not sell or share personal data for third-party marketing purposes.
12. Complaints and Supervisory Authority
If you are dissatisfied with how your data is handled, you may contact us directly. You also have the right to complain to the UK supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545745
Website: https://ico.org.uk/
13. Data Protection Officer
Data Protection Officer
Tariq Minhas
360Compliance LTD
Email: help@360compliance.co.uk
Telephone: 0208 111 1818
Urgent / OOH: 07999367999
14. Policy Updates
This Privacy Policy may be updated periodically to reflect legal, regulatory, or operational changes. The most current version will always apply.