top of page

UK GDPR Data Protection Policy

BA Partnership is committed to operating responsibly and ethically, ensuring that modern slavery and human trafficking have no place in any part of our business or supply chain. We take this responsibility seriously and continue to review our practices to promote transparency, fairness, and respect for human rights across all our operations.

Last Updated: 13/06/2025

1. Introduction

THE BA PARTNERSHIP (LONDON) LIMITED] (“the Company”, “we”, “us”, “our”) is committed to protecting the privacy and security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

 

We license office space to companies and individuals under terms ranging from one month to sixty months. In doing so, we process personal and confidential data of clients, employees, and contractors.

2. Scope

This policy applies to all personal data processed by the Company relating to:

  • Clients and prospective clients

  • Employees and job applicants

  • Contractors and suppliers

  • Website visitor

3. Legal Basis for Processing

This policy applies to all personal data processed by the Company relating to:

  • Clients and prospective clients

  • Employees and job applicants

  • Contractors and suppliers

  • Website visitor

4. Data Collection and Use

Clients:

We collect data such as names, contact details, identification documents, payment details, and contract terms to manage space licenses, billing, access control, and communication.

​

Employees & Contractors:

We collect personal data including identification, contact information, tax and payroll data, job performance records, and health and safety information for HR, payroll, legal compliance, and operational purposes.


Website Users:

We may collect personal data via cookies, contact forms, and analytics tools (e.g., IP address, browser details, usage data) for website functionality, user support, and marketing.

5. Data Storage and Security

All personal data is stored securely using encrypted digital storage and/or locked physical storage.

Access to data is restricted to authorised personnel based on job requirements.

We implement regular security reviews, firewall protection, password policies, and staff data protection training.

Cloud-based systems used by the Company are GDPR-compliant and under appropriate contractual agreements.

6. Data Retention

We retain personal data only for as long as is necessary and in accordance with our data retention schedule:

  • Client records: up to 7 years after contract end (for legal/tax purposes)

  • Employee records: up to 6 years after employment ends

  • Contractor/supplier records: up to 6 years after engagement

  • Marketing and website data: until consent is withdrawn or no longer required

7. Data Sharing and International Transfers

We may share data with trusted third parties (e.g., IT providers, payroll processors, legal advisors) under data processing agreements that ensure compliance with UK GDPR.

 

If personal data is transferred outside the UK, such transfers are made under:

  • An adequacy decision by the UK Government, or

  • A valid International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses (SCCs), ensuring equivalent protection.

8. Data Subject Rights

Under UK GDPR, individuals have the following rights:

  • Right to be informed about how personal data is used

  • Right of access to their data

  • Right to rectification of inaccurate data

  • Right to erasure (“right to be forgotten”)

  • Right to restrict processing

  • Right to data portability

  • Right to object to processing

  • Rights relating to automated decision-making and profiling

​

Requests may be submitted to the contact details in section 11, and we will respond within one calendar month.

9. Data Breach Response

In the event of a personal data breach, we will:

  • Contain and assess the breach promptly

  • Notify affected individuals where required

  • Report the breach to the Information Commissioner’s Office (ICO) within 72 hours, if necessary

  • Maintain a breach register and take remedial actions

10. Accountability and Governance

  • A designated Data Protection Officer (DPO) or Privacy Lead is responsible for ensuring compliance.

  • All staff are trained in data protection relevant to their role.

  • We carry out regular audits of our data protection practices and keep records of processing activities.

11. Contact and Complaints

If you have questions, wish to exercise your rights, or raise a complaint, please contact:


Data Protection Officer

Tony Steel

tony@thebapartnership.com

07539 736 008

THE BA PARTNERSHIP (LONDON) LIMITED

​

You may also file a complaint with the Information Commissioner’s Office (ICO): Website: https://www.ico.org.uk

Phone: 0303 123 1113

12. Policy Review

This policy is reviewed annually or in response to significant changes in law or business practices

Introduction
Scope
Legal Basis for Processing
Data Collection and Use
Data Retention
Data Sharing and International Transfers
Data Subject Rights
Data Breach Response
Accountability and Governance
Contact and Complaints
Policy Review
bottom of page