Full Colour sometimes undertakes research that collects or evaluates personal information about a living person who can be identified from the information they have provided. As such we aim to ensure compliance with the General Data Protection Regulation.


This policy applies to Full Colour’s dealings with respondents, clients and third parties that may be involved in processing personal information. It covers the way personal information will be obtained, used, shared, physically stored and destroyed.

What is data protection?

General Data Protection Regulation (GDPR) governs the processing of personal and sensitive data (i.e. information relating to a living individual – the data subject) and sets out the rights of individuals whose information is processed in manual or electronic form or held in a structured filing system.

There are principles that describe the legal obligations of organisations that handle personal information about individuals. Full Colour supports these. These principles are:

  • Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the individual.
  • The information we gather about an individual will be collected in a way where they are fully informed how we intend to use that information, for what purposes and how we will share it.
  • Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  • We will explain why we need the information we are collecting and not use it other than for those purposes.
  • Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • We will only collect the information we need to provide the services required.
  • Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • The information we collect will be accurate and where necessary kept up to date. Inaccurate information will be removed or rectified as we become aware of the changes.
  • Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
  • We will not hold information for longer than is necessary.
  • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • We will make sure that the personal information we hold is held securely to ensure that it does not become inadvertently available to other organisations or individuals.

Rights of individuals

The General Data Protection Regulation creates specific rights of individuals. These include:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Full Colour will be clear at the outset about the purpose for which information is obtained and processed and that people have a choice about whether to provide the information. A respondent is able to ask for confirmation of the source of their personal information; personal information is not used in ways that would have adverse effects on individuals; respondents are provided with easy to read and understand privacy notices when information is collected; personal information will only be handled in ways that individuals would reasonably expect; the third-party providers we work with to provide potential respondents must comply with the requirements of the General Data Protection Regulation as well; marketing undertaken by us will be undertaken in a manner that complies with the General Data Protection Regulation; We seek to uphold the individual’s rights with regard to their personal information; appropriate records will be maintained to demonstrate compliance with the above mentioned requirements.


When consent is required, it must be freely given, specific, informed and unambiguous. Requests for consent will be separate from other terms, and be in clear and plain language. The individuals consent will be “explicit” where it relates to sensitive data. Full Colour is required to be able to demonstrate that consent was given. We therefore maintain records of clients consent to meet the accountability requirements for both the profession and the requirements of the General Data Protection Regulation.


We ensure that all equipment used as part of our business processes is appropriately protected and secured. The equipment we use has up to date Malware and anti-virus software. When updates are notified because of a software patch, these are applied as they become available. The laptops and phones that are used for business purposes are encrypted and password protected to ensure that any personal information contained within them is appropriately secured.


Full Colour is responsible for ensuring that the websites comply with the PECR and that, where necessary, appropriate information is disclosed to website users and consent is obtained from users before cookies are set.

Cookies are small, often encrypted text files, located in browser directories. They are used by companies to help users navigate websites efficiently and perform certain functions. Cookies are also used to keep computer users logged in and their personal details private or for tracking their activity so that companies can improve the website. Cookies can be used by third parties to track information about individuals and spam them with adverts. By themselves, cookies pose no risk since they do not contain viruses.


Full Colour is responsible for ensuring that the following details are communicated to respondents:

  1. the identity of the business or if appropriate, its nominated representative;
  2. the purpose(s) for which we intend to process the respondent’s personal information and if the information is to be shared or disclosed to other organisations. (so that the individual concerned can choose whether or not to enter into a relationship with the company sharing it);
  3. the process for anonymising the information prior to it being shared with the commissioning organisation and
  4. how customers can access the information held about them (as this may help them to spot inaccuracies or omissions in their records – see section below on Rights of Data Subjects).

Minimum amount of personal data

Under the principles of GDPR, Full Colour identify the minimum amount of personal data we need to properly fulfil our purpose. We ensure that we hold that much information, but nothing further. If we need to hold particular information about certain individuals, we only collect the information for those individuals and nothing more. We do not hold personal data on the off-chance that it might be useful in the future.


Full Colour will take reasonable steps to ensure the accuracy of any personal information they obtain.

Subject access requests

An individual has the right to see the information that Full Colour holds about them and can make a request to access this information. Requests must be responded to within 30 days of receipt.
An individual who makes a request is entitled to be:

  • told whether any personal information is held and being used;
  • given a description of the personal information, the reasons it is being processed, and whether it will be shared with any other organisations or individuals;
  • given a copy of the information; and
  • given details of the source of the information (where this is available).

Requests for information from law enforcement agencies

The General Data Protection Regulation includes exemptions, which allow personal information to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the information, and regardless of the purpose for which the information was originally gathered. Full Colour will release personal information to law enforcement agencies if required to do so.

Data security

Full Colour has appropriate security measures to prevent personal information held being accidentally or deliberately compromised.
If personal information is accidentally lost, altered or destroyed, attempts to recover it will be made promptly to prevent any damage or distress to the individuals concerned. In this regard Full Colour consider the following:

  • containment and recovery – the response to the incident includes a recovery plan and, where necessary, procedures for damage limitation.
  • assessing the risks – assess any risks and adverse consequences associated with the breach, as these are likely to affect how the breach needs to be contained.
  • notification of breaches – informing the Information Commissioner’s Office or other relevant Supervising Authority as necessary (within 72 hours), law enforcement agencies, data controllers on whose behalf we are working and individuals (whose personal information is affected) about the security breach is an important part of managing the incident.
  • evaluation and response – it is important to investigate the causes of the breach, as well as, the effectiveness of controls to prevent future occurrence of similar incidents.
  • Additionally, Full Colour would also look to ensure that any weaknesses highlighted by the information breach are rectified as soon as possible to prevent a recurrence of the incident.

Data retention

Full Colour data retention periods for different categories of personal information are based on individual business needs and contractual obligations. Any personal information that is no longer required will either be archived or deleted in a secure manner.

Once the retention period expires or, if appropriate, the customer or business information is no longer required; paper records should be disposed of in a secure manner. All paper records containing customer or business information are disposed of by shredding. This includes all archived records. All used computers, printers and any other electronic equipment that may contain or that will have stored customer or corporate information in electronic format must be disposed of in an policy-appropriate manner after the information has been completely wiped off.

Full Colour does not at this time meet the requirements for a dedicated Data Protection Officer.


If you wish to contact Full Colour with enquiries about this privacy policy, please email