1ST CHOICE BEDROOMS
Data Protection Policy
1ST CHOICE BEDROOMS collects, holds and processes personal data to provide manufacturing services, promote our goods and services, maintain our accounts and records and to support and manage our staff. It therefore has a number of legal obligations under the General Data Protection Regulation (GDPR) and the expected provisions of the Data Protection Act 2018 (DPA 2018) as set out in the Data Protection Bill.
Within this policy we will set out how we seek to protect personal data and ensure that employees understand the rules governing their use of personal data to which they have access in the course of their employment. This policy applies to all personal data, regardless of whether it is held in paper or electronic format.
1ST CHOICE BEDROOMS is a registered data controller with the Information Commissioner and will continue to register with the Commissioner under the new GDPR regime. All members of staff have responsibility for how 1ST CHOICE BEDROOMS collects, holds and processes personal data. The policy therefore applies to all staff as well as external organisations or individuals processing data on behalf of 1ST CHOICE BEDROOMS. Staff who do not comply with this policy may face disciplinary action.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR refers to sensitive personal data as ‘special categories of personal data’. Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. For example, information about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation, are all ‘special categories of personal data’.
Data Protection Principles
Under Article 5 of the GDPR, the data protection principles set out the main responsibilities for organisations. It states personal data shall be:
a) Processed lawfully, fairly and in a transparent manner in relation to individuals;
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
The first principle requires that organisations process personal data in a lawful manner. 1ST CHOICE BEDROOMS will only process personal data if it can meet one of the following lawful bases set out under Article 6:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
In addition, if 1ST CHOICE BEDROOMS wishes to process ‘special category data’, it will identify an additional condition for processing as set out under Article 9.
Where a need exists to request and receive consent of an individual prior to the collection, use or disclosure of personal data, 1ST CHOICE BEDROOMS is committed to seeking such consent. In all cases consent must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s wishes. 1ST CHOICE BEDROOMS is therefore committed to obtaining consent in the following manner:
consent is presented in a manner clearly distinguishable from other matters
the request is made in an intelligible and easily accessible form using plain language
consent is freely given (i.e. not based on the need to conduct another processing activity)
the date, method, validity and content of the consent are documented
a simple method is provided for the data subject to be able to withdraw consent at any time
Once consent is withdrawn by the data subject, 1ST CHOICE BEDROOMS will cease processing data for the specified purpose without undue delay.
Accountability and Governance
The contact details for any data protection queries are as follows:
First Choice Bedrooms
Spring Vale Business Park,
Staff should contact the Management Team at 1ST CHOICE BEDROOMS if they have any queries about this policy, data protection law, data retention or the security of personal data.
Register of Processing Activities (RoPA)
1ST CHOICE BEDROOMS is not required to maintain records of activities related to higher risk processing of personal data, as it does not meet the specified requirement of 250+ employees. However, in line with good practice, 1ST CHOICE BEDROOMS will maintain a record of processing activities (RoPA) register and will publish a link to the 1ST CHOICE BEDROOMS Privacy notice here. All members of staff are required to notify the Management Team before they embark on any new processing activities so they can be adequately recorded on the RoPA.
1ST CHOICE BEDROOMS is committed to providing data protection training to all staff as part of their induction process and will issue regular refresh training throughout the course of their employment or in the event of any changes in data protection law.
Data Protection Impact Assessments (DPIAs)
Data protection impact assessments (DPIAs) are a tool which can help 1ST CHOICE BEDROOMS to identify the most effective way to comply with its data protection obligations and meet individuals’ expectations of privacy. An effective DPIA allows organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
1ST CHOICE BEDROOMS will complete a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. Therefore staff must consult the Management Team before they embark on any new processing that could be regarded as being high risk to individuals’ interests.
Whenever 1ST CHOICE BEDROOMS uses a processor, it will have a written contract in place. This is important so that both parties understand their responsibilities and liabilities. 1ST CHOICE BEDROOMS will include the following compulsory details in its contracts:
the subject matter and duration of the processing;
the nature and purpose of the processing;
the type of personal data and categories of data subject; and
the obligations and rights of the controller
Right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. 1ST CHOICE BEDROOMS will issue privacy notices via our website in relation to the personal data we process.
Right of Access
Individuals have the right to access their personal data (commonly known as subject access) and supplementary information about the processing of their data. The right of access allows individuals to be aware of and verify the lawfulness of the processing of their personal data. The information that can be requested includes:
confirmation that their personal data is being processed
access to a copy of the data
the purposes of the data processing
the categories of personal data concerned
who the data has been, or will be, shared with
how long the data will be stored for
the source of the data, if not the individual
whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual
‘Subject access’ requests can be submitted to 1ST CHOICE BEDROOMS in writing to the address at point 6 and must contain the name of the data subject, a correspondence address and a description of the information requested. 1ST CHOICE BEDROOMS will provide the information without delay and at the latest within one month of receipt of the request. 1ST CHOICE BEDROOMS will not apply a fee to requests unless the request is manifestly unfounded or excessive.
GDPR also empowers individuals with the right to rectification, erasure, the right to restrict processing, data portability, the right to object and rights in relation to automated decision making or profiling. 1ST CHOICE BEDROOMS will carefully consider any requests under these rights; requests can be made in writing to 1ST CHOICE BEDROOMS by emailing email@example.com
Principle f) states data should be processed in a manner that ensures appropriate security of the personal data. This means 1ST CHOICE BEDROOMS must have appropriate security to prevent the personal data it holds being accidentally or deliberately compromised.
Manual data will be stored where it is not accessible to anyone who does not have a legitimate reason to view or process that data. The following measures will be taken by staff in relation to electronic data:
portable electronic devices, such as laptops, iPads and hard drives that contain personal data, are stored in a locked cupboard or drawer
adequate protection is applied to all portable devices and removable media that contain personal data, such as laptops and USB devices
passwords must meet appropriate security standards, be changed at regular intervals and must not be divulged to any other persons
where personal data is shared with a third party, staff should carry out due diligence and ensure the data is sent in a secure manner or appropriate measures are taken to mitigate the risk of individuals being identified
when sending personal data to a third party, staff must carefully check the recipient and their contact details
staff will not open links in emails received from unknown senders or in emails that appear suspicious
personal data must be stored in a secure and safe manner, with careful consideration made to who can access the data
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. Where feasible, 1ST CHOICE BEDROOMS will do this within 72 hours of becoming aware of the breach. It is therefore essential that all members of staff make the relevant persons aware of any potential breaches of data protection without undue delay. This includes all losses, thefts or inadvertent disclosures of personal data. It also includes the loss or theft of any device that holds personal data. The relevant persons will then follow the breach procedure outlined in 1ST CHOICE BEDROOMS’ breach reporting policy.
1ST CHOICE BEDROOMS’ Management Team will investigate all reported incidents to confirm whether or not a personal data breach has occurred. If a personal data breach is confirmed, 1ST CHOICE BEDROOMS will follow the relevant procedure based on the criticality and quantity of the personal data involved. For significant personal data breaches, 1ST CHOICE BEDROOMS will carefully consider whether it is required to notify the Information Commissioner and the data subjects affected.
Principle e) states data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Data will only be retained for the specified period of Current Year +6 for financial and accounting purposes.
Data Accuracy and Limitation
1ST CHOICE BEDROOMS will issue regular reminders to staff to ensure that personal data held is up to date and accurate. Any inaccuracies discovered should be rectified and if the inaccurate information has been
For further information relating to this policy please contact firstname.lastname@example.org