Privacy & Cookie Policy


D2 Global LTD (known as the company) is committed to all aspects of data protection and takes seriously its duties, and the duties of its employees, under the General Data Protection Regulation (GDPR) as it applies in the UK, tailored by the Data Protection Act 2018. This policy sets out how the company deals with personal data, including personnel files and data subject access requests, and employees’ obligations in relation to personal data.

Data Protection Officer

The CEO is the company’s data protection officer and is responsible for the overall implementation of this policy. If employees have any questions about data protection in general, this policy or their obligations under it, they should direct them to the data protection officer.

Data Protection Principles

GDPR sets out key data principles that are be followed in the handling of personal data. These principles are as follows:

Personal data

The Data Protection Act 1998 and GDPR applies to information that constitutes “personal data”. Information is “personal data” if:

Consequently, automated and computerised personal information about employees held by employers is covered by the Act. Personal information stored physically (for example, on paper) and held in any “relevant filing system” is also covered. In addition, information recorded with the intention that it will be stored in a relevant filing system or held on computer is covered.

A “relevant filing system” means a well-structured manual system that amounts to more than a bundle of documents about each employee filed in date order, i.e. a system to guide a searcher to where specific information about a named employee can be located easily.

The Data Protection Act 1998 and GDPR applies to personal information that is “processed”. This includes obtaining personal information, retaining, and using it, allowing it to be accessed, disclosing it and, finally, disposing of it in a confidential way.

The personal data that we collect

Our legal basis for collecting personal data

Collecting personal data based on consents

Any collection of personal data based on consent from the data subject will be not be undertaken until written consent is obtained. All documentation related to the consent given by the individual will be stored and documented in our systems.

Collecting personal data based on contracts

We use personal information for fulfilling our obligations related to contracts and agreements with customers, partners and suppliers.

Collecting personal data based on legitimate interest

We may use personal data if it is considered to be of legitimate interest, and if the privacy interests of the data subjects do not override this interest. Normally, to establish the legal basis for data collection, an assessment has been made during which a mutual interest between D2 and the individual person has been identified. This legal basis is primarily related to our sales and marketing purposes. We will always inform individuals about their privacy rights and the purpose for collecting personal data.

Why do we collect and use personal data?

We collect and use personal data mainly for HR reasons about partners and persons seeking a job or working in our company. We may also use personal data for marketing purposes through our website.

We may use your information for the following purposes:

Personnel Files

An employee’s personnel file is likely to contain information about his/her work history with the organisation and may, for example, include information about any disciplinary or grievance procedures, warnings, absence records, appraisal or performance information and personal information about the employee including address details and national insurance number.

There may also be other information about the employee located within the organisation, for example in his/her line manager’s inbox or desktop; with payroll; or within documents stored in a relevant filing system.

The company will ensure that personal information about an employee, including information in personnel files, is securely retained. The company will keep hard copies of information in a locked filing cabinet or cupboard. Information stored electronically will be subject to access controls and passwords and encryption software will be used where necessary.

Special Category data

The GDPR defines special category data as

The company will not retain special category data without the express consent of the employee in question and will process special category data in accordance with GDPR special category data principles.

GDPR provides the following rights for individuals:

Data Subject Access Requests

An employee has the right to access information kept about him/her by the company, including personnel files, sickness records, disciplinary or training records, appraisal or performance review notes, emails in which the employee is the focus of the email and documents that are about the employee. Should an employee require access a subject access request must be made to the Data Protection Officer. Subject access requests can be emailed to all subject access requests will be stored on the restricted access drive.

The company will inform each employee of:

The data protection officer is responsible for dealing with data subject access requests. The company will respond to any data subject access requests within 30 calendar days, this is calculated from the day the request is received until the corresponding calendar date in the next month. If the corresponding date falls on a weekend or a public holiday, the next working day will be regarded as the 30-day period.

The company may reserve its right to withhold the employee’s right to access data where any statutory exemptions apply.

Examples of exemptions: where a reference given (or to be given) in confidence for employment, training or educational purposes. The exemption covers the personal data within the reference whether processed by the reference giver or the recipient.

Correction, updating and deletion of data.

The company has a system in place that enables employees to check their personal information on a regular basis so that they can correct, delete or update any date. If an employee becomes aware that the company holds any inaccurate, irrelevant or out-of-date information about him/her, he/she must notify the data protection officer immediately and provide any necessary corrections and/or updates to the information.

Any requests will be actioned within 30 days of receipt. The company may reserve its right to withhold the employee’s right to rectify data where any statutory exemptions apply.

Data that is likely to cause substantial damage or distress.

If an employee believes that the processing of personal information about him/her is causing, or is likely to cause, substantial and unwarranted damage or distress to him/her or another person, he/she may notify the company in writing to the data protection officer to request the organisation to put a stop to the processing of that information.
Within 30 days of receiving the employee’s notice, the company will reply to the employee stating either:

If the request is upheld and processing is restricted, the company may still to store the personal data, but not use it.


The company may monitor employees by various means including, but not limited to, recording employees’ activities on CCTV, checking emails, listening to voicemails and monitoring telephone conversations. If this is the case, the company will inform the employee that monitoring is taking place, how data is being collected, how the data will be securely processed and the purpose for which the data will be used. The employee will usually be entitled to be given any data that has been collected about him/her. The company will not retain such data for any longer than is absolutely necessary.

In exceptional circumstances, the company may use monitoring covertly. This may be appropriate where there is, or could potentially be, damage caused to the company by the activity being monitored and where the information cannot be obtained effectively by any non-intrusive means (for example, where an employee is suspected of stealing property belonging to the company). Covert monitoring will take place only with the approval of the data protection officer or a Director.

Data Processors obligations regarding personal information.

If a date processor acquires any personal information in the course of his/her duties, he/she must ensure that:

Where information is disposed of, data processors should ensure that it is adequately destroyed. This may involve the permanent removal of the information from the server, so that it does not remain in an employee’s inbox or trash folder.

Hard copies of information will be confidentially shredded. Employees should be careful to ensure that information is not disposed of in a wastepaper basket/recycle bin.

If an employee acquires any personal information in error by whatever means, he/she shall inform the Data Protection Officer immediately and, if it is not necessary for him/her to retain that information, arrange for it to be handled by the appropriate individual within the organisation.

The GDPR primarily applies to the European Economic Area (the EEA) with some exceptions. the GDPR restricts transfers of personal data outside the EEA, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data is protected in another way, or one of a limited number of exceptions applies. Where an employee is required to disclose personal data to any other country, he/she must ensure first that there are adequate safeguards for the protection of data in the host country, these safe guards must also be prior approved by the Data Protection Officer.

An employee must not take any personal information away from the company’s premises save in circumstances where he/she has obtained the prior consent of the data protection officer to do so.
If an employee is in any doubt about what he/she may or may not do with personal information, he/she should seek advice from the data protection officer. If he/she cannot get in touch with the data protection officer he/she should not disclose the information concerned.


The company provides compulsory training on data protection issues to all employees who handle personal information in the course of their duties at work. The company will continue to provide such employees with refresher training on a regular basis. Such employees are also required to have confidentiality clauses in their contracts of employment and will be asked to confirm they have read, understood and will comply with D2 Global LTD General Data Protection Regulation (GDPR) Privacy Policy and the Data Protection & GDPR procedure.

Consequences of non-compliance

The Information Commissioner has the power to issue a monetary penalty for an infringement of the provisions of Part 3 of the Act – Law Enforcement Processing. Any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case by case basis.
Under Part 6 of the Act, there are two tiers of penalty for an infringement of Part 3 – the higher maximum and the standard maximum.

The higher maximum amount is 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

The higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries.

If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is 10 million Euros (or equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

All employees are under an obligation to ensure that they have regard to the data protection principles (see above) when accessing, using or disposing of personal information. Failure to observe the data protection principles within this policy may result in disciplinary action up to and including dismissal. For example, if an
employee accesses another employee’s employment records without the requisite authority, the organisation will treat this as gross misconduct and instigate its disciplinary procedures.

Taking employment records off site

An employee must not take employment records off site (whether in electronic or paper format) without prior authorisation from the data protection officer.

An employee may take only certain employment records off site. These are documents relating to disciplinary or grievance meetings that cannot be held on site/meetings with occupational health/discussions surrounding the sale of the business or specific monitoring purposes/seeking professional advice. An employee may also take employment records off site for any other valid reason given by the data protection officer.

Any employee taking records off site must ensure that he/she does not leave his/her laptop, other device or any hard copies of employment records on the train, in the car or any other public place. He/she must also take care when observing the information in hard copy or on-screen that such information is not viewed by anyone who is not legitimately privy to that information.

Where laptops are taken off site, employees must follow the company’s relevant policies relating to the security of information and the use of mobile devices.

The use of cookies and beacons

We use cookies and web beacons (‘Website Navigational Information’) to collect information as you navigate the company’s websites. Website Navigational Information includes standard information from your web browser, such as browser type and browser language; your Internet Protocol (“IP”) address; and the actions you take on the company’s websites, such as the web pages viewed and the links clicked.

This information is used to make websites work more efficiently, as well as to provide business and marketing information to the owners of the site, and to gather such personal data as browser type and operating system, referring page, path through site, domain of ISP, etc. for the purposes of understanding how visitors use a website. Cookies and similar technologies help us tailor our website to your personal needs, as well as to detect and prevent security threats and abuse. If used alone, cookies and web beacons do not personally identify you.

Do we share your data with anyone?

We do not share, sell, rent, or trade your information with any third parties without your consent, except from what is described below:

Third-party Service Providers working on our behalf:

We may pass your information on to our distributors, agents, sub-contractors and other associated organizations with the purpose of them providing services to you on our behalf.

If required by law:

We will disclose your personal information if required by law or if we, as a company, reasonably believe that disclosure is necessary to protect our company’s rights and/or to comply with a judicial proceeding, court order or legal process. However, we will do what we can to ensure that your privacy rights continue to be protected.

Changes to this Privacy Policy

D2 reserves the right to amend this privacy policy at any time. The applicable version will always be found on our websites. We encourage you to check this privacy policy occasionally to ensure that you are happy with any changes.

If we make changes that significantly alter our privacy practices, we will notify you by email or post a notice on our websites prior to the change taking effect.

Your right to complain with a supervisory authority

If you are unhappy with the way in which your personal data has been processed, you may contact

Use of Cookies

What is a Cookie?

A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone (referred to here as a “device”) browser from a website’s computer and is stored on your device’s hard drive. Each website can send its own cookie to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites. Many websites do this whenever a user visits their website in order to track online traffic flows.

How do we use Cookies?

Information supplied by cookies can help us to analyse the profile of our visitors and help us to provide you with a better user experience. For example, if on a previous visit you went to our blog pages, we might find this out from your cookie and highlight similar stories on your second and subsequent visits.

Third Party Cookies

Please note that during your visits to our website you may notice some cookies that are not related to directly to us. When you visit a page with content embedded from YouTube, or one which has a “Share” button, you may be presented with cookies from these websites. We have no control of these cookies and you should check the third party websites for more information about these.

Don’t want us to use cookies?

We will not use cookies to collect personally identifiable information about you. However, if you wish to restrict or block the cookies which are set by this site, or indeed any other website, you can do this through your browser settings. The Help function within your browser should tell you how.

Alternatively, you may wish to visit which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual.

Cookies used by

_utma, _utmb, _utmc, _utmz We use Google Analytics to monitor traffic levels, search queries and visits to this website. Google Analytics stores IP address anonymously on its servers in the US, and neither D2 or Google associate your IP address with any personally identifiable information. These cookies enable Google to determine whether you are a return visitor to the site, and to track the pages that you visit during your session.