Data protection policy




Exchange Communications Group Ltd (“Exchange”) designs and provides telecommunications solutions.

The personal data that Exchange processes relates to its staff, clients and suppliers.

This policy sets out Exchange’s commitment to ensuring that any personal data, including special category personal data, which Exchange processes is carried out in compliance with Data Protection Law. Exchange is committed to ensuring that good data protection practice is imbedded in the culture of our staff and our organisation.

‘Data Protection Law’ includes the General Data Protection Regulation 2016/679; the UK Data Protection Act 2018 and all relevant EU and UK data protection legislation.

Exchange is committed to ensuring that its complies with the GDPR Data Protection Principles when processing any personal data and that it meets its legal obligations as laid down in Data Protection Law.


This policy applies to all personal data processed by Exchange and is part of Exchange’s approach to compliance with Data Protection Law. All Exchange staff are expected to comply with this policy.


Exchange confirms that it complies with the following data protection principles and undertakes to ensure that when it processes personal data:

Exchange is committed to facilitating and complying with any request from a data subject who wishes to exercise their rights under Data Protection Law in a transparent manner and without undue delay.

Exchange transfers personal data to countries outwith the EU. When it does this it ensures that the appropriate level of protection provided by Data Protection Law is in place.


Exchange will:

Exchange will ensure that all staff who handle personal data are aware of their responsibilities under this policy and other relevant data protection and information security policies and that they are adequately trained and supervised.

Proceedings under Exchange’s disciplinary policy may be taken in respect of those employees who breach this policy. Staff will also be aware that processing personal data in breach of this policy and Data Protection Law can be a criminal offence.


Exchange will ensure that it has procedures in place to allow data subject to exercise the following data subject rights under the GDPR:

Subject access: the right to request information about how personal data is being processed including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:

Rectification: the right to allows you to rectify inaccurate personal data concerning you without undue delay.

Erasure: the right to have data erased in certain circumstances, and to have confirmation of erasure, but only where:

Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:

Data portability: you have the right to receive a copy of the personal data you have provided to us and certain information generated by us, if our processing is carried by automated means, which will allow you to transfer it to another data controller. This only applies if our legal basis for processing is consent or under a contract.

Object to processing: you have the right to object, on grounds relating to your particular situation, to the following:

You have an absolute right to object to any direct marketing that we are sending to you and there are no exemptions to this which would allow you to refuse to comply.

You cannot exercise this right in the following circumstances when the processing is:

6. Special Category Personal Data

This includes the following personal data revealing:

This policy sets out the safeguards we believe are appropriate to ensure that we comply with the Data Protection Principles set out above. We only process special category data when we have a legal basis to do so; access to this data is restricted; extra security measures are in place and we will only retain it as long as it strictly necessary in line with our Data Retention Policy.

7. Responsibility for the Processing of Personal Data

f you have any concerns or wish to exercise any of your rights under the GDPR then you can contact the Data Protection Lead in the following way:

Email Address:
Telephone: 0141 776 5851

8. Monitoring and Review

This policy was last updated in March 2018 and shall be regularly monitored and reviewed, at least every two years.