Legal Information and Compliance - Fox Project Management

Legal Notice

GDPR Policy

Last updated: December 2025

Fox Project Management Consultancy Ltd is committed to protecting the personal data of our clients, prospects, suppliers and website visitors. This GDPR Policy explains how we comply with the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Scope

This policy applies to all personal data processed by Fox Project Management Consultancy Ltd in the course of providing project management consultancy services, whether collected through our website, by email, by telephone, in person, or through contracts and engagements.

2. Data protection principles

We process personal data in line with the six UK GDPR principles. Personal data must be:

  • Processed lawfully, fairly and transparently;
  • Collected for specified, explicit and legitimate purposes;
  • Adequate, relevant and limited to what is necessary;
  • Accurate and, where necessary, kept up to date;
  • Kept for no longer than is necessary;
  • Processed securely, including protection against unauthorised access, loss or damage.

3. Data controller and contact

Fox Project Management Consultancy Ltd is the data controller for personal data we determine the purposes and means of processing. Our registered office is in Glasgow, Scotland. For any data protection enquiry — including subject access requests — please contact us at info@foxconsultancy.org.

4. Lawful bases we rely on

We only process personal data where we have a valid lawful basis under Article 6 of the UK GDPR. The bases we typically rely on are: performance of a contract, legitimate interests, compliance with a legal obligation, and consent.

5. Special category data

We do not routinely collect or process special category data (such as health, racial or ethnic origin, religious beliefs or biometric data). Where this is unavoidable in the course of a specific project engagement, we will only process it where an additional Article 9 condition applies and will inform data subjects accordingly.

6. Data subject rights

We respect and uphold all rights afforded to data subjects under UK GDPR:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making and profiling

We will respond to verified subject requests without undue delay and within one calendar month, in accordance with UK GDPR timeframes.

7. Security and integrity

We implement appropriate technical and organisational measures to protect personal data, including access controls, encrypted transmission, secure cloud storage with reputable UK and EU providers, restricted user privileges, and regular review of our security practices. Staff with access to personal data are trained in data protection and confidentiality obligations.

8. Data sharing and processors

Where we engage third-party processors (for example, secure cloud storage, email services or accounting software), we put in place written data processing agreements that require them to maintain UK GDPR-compliant safeguards and to act only on our documented instructions.

9. International transfers

Where personal data is transferred outside the UK or European Economic Area, we ensure such transfers are protected by appropriate safeguards, including UK-approved standard contractual clauses, the UK International Data Transfer Addendum, or transfers to jurisdictions covered by a UK adequacy decision.

10. Breach notification

We maintain procedures to detect, report and investigate personal data breaches. Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, and affected data subjects without undue delay where required.

11. Records of processing

We maintain an internal record of processing activities (ROPA) covering the categories of personal data we handle, processing purposes, retention periods and recipients, available to the ICO on request.

12. Complaints

If you have a concern about how we handle personal data, please contact us first and we will work to resolve it. You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk or by writing to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

13. Review

This GDPR Policy is reviewed at least annually and updated as necessary to reflect changes in our processing activities, the law or regulatory guidance. Last review: December 2025.

Information icon

We need your consent to load the translations

We use a third-party service to translate the website content that may collect data about your activity. Please review the details in the privacy policy and accept the service to view the translations.