Data Protection Policy

Last updated: January 2026

1. Introduction

Chief of Staff Quest is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all of our legal obligations.

This policy sets out how we handle personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Chief of Staff Quest acts as a data controller for the personal data we process. Our contact details are:

Chief of Staff Quest
Charleston Street
London SE17 5NG
United Kingdom

Email: hello@chiefofstaff.quest

3. Data Protection Principles

We adhere to the seven key principles of data protection:

  • Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner.
  • Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
  • Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary.
  • Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security.
  • Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, the above principles.

4. Lawful Bases for Processing

We only process personal data where we have a lawful basis to do so. The lawful bases we rely on include:

  • Consent: The individual has given clear consent for us to process their personal data for a specific purpose.
  • Contract: The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
  • Legal obligation: The processing is necessary for us to comply with the law.
  • Legitimate interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.

5. Individual Rights

Under UK data protection law, individuals have the following rights:

  • Right to be informed: The right to be informed about the collection and use of personal data.
  • Right of access: The right to obtain confirmation of whether personal data is being processed and access to that data.
  • Right to rectification: The right to have inaccurate personal data rectified or completed if incomplete.
  • Right to erasure: The right to have personal data erased in certain circumstances ("right to be forgotten").
  • Right to restrict processing: The right to request restriction or suppression of personal data processing.
  • Right to data portability: The right to obtain and reuse personal data for their own purposes across different services.
  • Right to object: The right to object to processing in certain circumstances.
  • Rights related to automated decision making: The right not to be subject to a decision based solely on automated processing.

To exercise any of these rights, please email us at hello@chiefofstaff.quest or use our contact form. We will respond to valid requests within one month.

6. Data Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (HTTPS/TLS)
  • Secure hosting infrastructure
  • Access controls and authentication
  • Regular security assessments
  • Staff training on data protection

7. Data Breaches

In the event of a personal data breach, we will:

  • Assess the risk to individuals' rights and freedoms
  • Report notifiable breaches to the ICO within 72 hours where feasible
  • Notify affected individuals without undue delay where there is a high risk to their rights and freedoms
  • Document all breaches regardless of whether they are reportable

8. International Transfers

We primarily process data within the UK and European Economic Area. Where we transfer personal data outside these regions, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the ICO or adequacy decisions.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are:

  • Contact form enquiries: Up to 3 years
  • Job posting submissions: Duration of listing plus 1 year
  • Website analytics data: Up to 26 months (anonymised)
  • Email correspondence: Up to 3 years

10. Third-Party Processors

We use carefully selected third-party processors to help deliver our services:

  • Vercel: Website hosting (USA - EU-US Data Privacy Framework)
  • Neon: Database services (EU region)
  • Calendly: Meeting scheduling (USA - Standard Contractual Clauses)

We ensure all processors provide sufficient guarantees to implement appropriate technical and organisational measures.

11. Policy Updates

This policy is reviewed regularly and may be updated from time to time. Any changes will be posted on this page with an updated revision date. Significant changes may be communicated via email where appropriate.

12. Complaints

If you have concerns about how we process your personal data, please contact us first so we can try to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues: ico.org.uk/make-a-complaint
