top of page

Spencer David General Data Protection Regulation Policy


Spencer David has ensured that it is compliant with the General Data Protection Regulation (GDPR) and observes all regulations in relation to the collection and storage of data.

We guarantee not to process data unless there is at least one lawful basis to do so:

  • The data subject has given consent to the processing of personal data for one or more specific purposes.

  • Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.

  • Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Processing is necessary to protect the vital interests of the data subject or of another natural person.

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.


As a supplier of goods and services Spencer David shall at all times:

  1. Protect the rights of Data Subjects and duly observe all its obligations under the Data Protection Laws which arise in connection with the provision of the Services and the Agreements.


Where we process data on behalf of a client Spencer David shall at all times:

  1. Process the Personal Data solely on the documented instructions of our client, including any agreements, for the purposes of providing the goods and services.

  2. Process only the types of Personal Data, relating to the categories of Data Subjects, and in the manner required to deliver the Services in the manner agreed by the client.

  3. Designate a data protection officer if required by the Data Protection Laws.

  4. Take all Protective Measures including those required by Article 32 of the GDPR to ensure the security of the Personal Data.

  5. Take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who may have access to the Personal Data, and to ensure their treatment of the Personal Data as confidential.

  6. Ensure that Supplier Personnel have their access to Personal Data limited to that which is strictly necessary for their role in the performance of the Services.

  7. Ensure that all Supplier Personnel have undertaken and regularly (at least yearly) undertake appropriate information governance training.

  8. Not permit any third party to Process the Personal Data ("") without the prior written consent of the client, such consent to be conditional upon fulfilling the conditions referred to in Article 28 (2) and (4) of the GDPR.

  9. Not Process or transfer the Personal Data outside the European Union, which until further notice shall include the United Kingdom, whether in accordance with GDPR Article 46 or LED Article 37, without: (i) the client’s prior written consent, such consent to be given or withheld at the client’s absolute discretion; and (ii) ensuring the Data Subject has enforceable rights and effective legal remedies.


Spencer David guarantees it will immediately inform the client if:

  1. It receives a data subject access request (or purported data subject access request) to rectify, block or erase any Personal Data.

  2. It receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Data Protection Laws.

  3. It receives any communication from the Information Commissioner’s Office (ICO) or any other regulatory authority in connection with Personal Data processed under the Agreements.

  4. It receives any other request, complaint or communication relating to either
    party's obligations under the Data Protection Laws.

  5. It becomes aware of a Personal Data Breach threatened Personal Data Breach or suspected Personal Data Breach.


Spencer David promises its clients that it will:

  1. Provide full assistance in relation to any obligations under Data Protection Laws and any complaint, communication or request made under clause 2.10.

  2. rovide any assistance reasonably requested by the client in relation to all preparation of any Data Protection Impact Assessment prior to commencing any processing.

  3. Maintain complete and accurate records and information to demonstrate its compliance with this clause 2.

  4. Maintain all records required by Article 30 (2) of the GDPR.

  5. Permit the client or its designated auditor, on reasonable prior notice, to inspect and audit the facilities used by Spencer David and/or any Sub-Processor to Process the Personal Data, and any and all records maintained by Spencer David and/or any Sub-Processor relating to that Processing.

  6. Provide any assistance reasonably requested by the client in relation to: (i) any communication received under clause 2.10 above, as well as any equivalent communication received by the client directly; and (ii) any Personal Data Breach, including by taking any appropriate technical and organisational measures directed by the client.

  7. Notify the client immediately if it considers that any of the client’s instructions infringe the Data Protection Laws.

  8. Cease Processing the Personal Data immediately upon the termination or expiry of the relevant Agreement and at the client’s option either return, or securely delete the Personal Data.

bottom of page