LAST REVIEW DATE: 29th October 2021


We ask that you read this privacy notice carefully as it contains important information on who we
are, how and why we collect, store, use and share personal information, your rights in relation to
your personal information and on how to contact us and supervisory authorities in the event you
have a complaint.
This notice was last updated on Friday October 29th, 2021, and complies to the UK GDPR,
underpinned by the UK law the Data Protection Act (2018), additional relevant data protection
legislation and is regulated by the UK Information Commissioners Office (ICO).

Scope & Responsibilities
Our scope is any data subject, whose personal data is collected, in line with the requirements
under the Data Protection Act (2018) and UK GDPR.
Blossom HR Ltd must adhere to the UK GDPR data processing principles when processing personal
data. These principles require any personal data processing to be carried out in a lawful, fair,
open, and transparent manner.
Blossom HR Ltd has further responsibilities with regards to controlling and processing personal
data, which fall under the responsibility of the data protection lead.
All associates and employees of Blossom HR Ltd who interact with data subjects are responsible
for ensuring that this privacy notice is drawn to the data subject’s attention.

Who we are?
Blossom HR Ltd are a HR consultancy providing support to clients who are mainly SMEs. Blossom
HR Ltd offer telephone advice, e-mail support and on-site support and can also conduct meetings
(disciplinaries, grievances, absence management) on behalf of the company so will be privy to very
sensitive data.
Blossom HR Ltd is a private limited company, registered in England and Wales, under company
registration number 13497135. Blossom HR Ltd is registered with the ICO under registration
number ZB161941.
Blossom HR Ltd collects, controls and processes certain personal information about you, when we
do so we are regulated under the UK General Data Protection Regulation, which is underpinned by
the Data Protection Act (2018) and other relevant UK data privacy legislation.
We are responsible as the data controller & data processor for all personal information collected,
controlled, and processed under those laws and regulations. The data protection lead is Rosie
Wicks of Blossom HR Ltd.
Blossom HR Ltd can be contacted via email or via phone on 01749 372990.

Lawful bases for processing of personal data:
The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must
apply whenever Blossom HR Ltd processes your personal data:
• Contract – the processing is necessary for Blossom HR Ltd to fulfil the obligations of an
agreement, contract, or service level agreement (SLA) for the provision of our HR
consultancy services. Both parties would be provided with a copy of the contract and a copy
of this privacy notice.
• Legal Obligations – the processing is necessary for Blossom HR Ltd to meet the
requirements of a UK law and/or regulatory compliance. Blossom HR Ltd will identify the
source for obligation (e.g., Immigration Law) and explain why your personal data is
required to meet such obligations.
• Legitimate Interests – the processing is necessary, as Blossom HR Ltd has ascertained the
legitimate interest of the individual/organisation and explained why the processing of
personal data is required to action the legitimate interest. Blossom HR Ltd reviews our
legitimate interest to hold personal data annually via a Legitimate Interests Assessment
You can find more about the UK GDPR lawful bases here or by visiting

What information we collect about you.
The personal data you have provided, or we have collected from you, includes but is not limited or
restricted to:
• Personal Contact Data (e.g., addresses, contact name, email addresses, telephone
• Employee Data (e.g., employee number, recruitment information, training information)
• HR Service Data (e.g., right to work data, emergency contact details, employee
performance related data, disciplinary and grievance data, maternity leave data, paternity
leave data, exit interviews etc.)
• Special (Sensitive) Data – This is detailed below under the ‘Special Category Data’ section.

Special category data
Special category data is personal data that needs more protection because it is sensitive. For
Blossom HR Ltd to lawfully process special category data, we must identify both a lawful basis
under UK GDPR Article 6 (see above) and a separate condition for processing under UK GDPR
Article 9 (see below). Some conditions in UK GDPR Article 9 require an associated condition from
Schedule 1, Part 1 of the Data Protection Act (2018). These do not have to be linked.
Blossom HR Ltd may be required to process the following special categories of personal data (in
brackets we have detailed either the UK GDPR Article 9 condition or the Data Protection Act 2018
Schedule 1, Part 1 condition as required by law):
• Racial or ethnic origin (Explicit consent)
• Political opinions (Explicit consent)
• Religious beliefs (Explicit consent)
• Trade union membership (Employment, social security, and social protection if authorised
by law)
• Genetic data (Health or social care with a basis in law)
• Biometric data (Health or social care with a basis in law)
• Data concerning health (Health or social care with a basis in law)
• Data concerning a person’s sex life (Explicit Consent)
• Data concerning a person’s sexual orientation (Explicit Consent)
Each individual data subject and their relevant special (sensitive) category data will be assessed,
regards processing, to ensure it is necessary for the processing to take place. Data subjects will be
Blossom HR Ltd has identified a UK GDPR Article 9 condition & Data Protection Act (2018)
associated condition as set out in Schedule 1, Part 1 for the above processing of special category
data. Further details are provided here:
• Explicit Consent – the data subject has given explicit consent to the processing of their
personal data for one or more specified purposes, except where domestic law provides that
the prohibition referred to may not be lifted by the data subject.
• Employment, social security, and social protection (if authorised by law) – This
condition is met if:
(a) the processing is necessary for the purposes of performing or exercising obligations or
rights which are imposed or conferred by law on the controller or the data subject in
connection with employment, social security, or social protection, and
(b) when the processing is carried out, the controller has an appropriate policy document in
place (e.g., employment contract, etc.).
• Health or social care with a basis in law – This condition is met if the processing is
necessary for health or social care purposes. In this condition health or social care
purposes’ means the purposes of:
(a) preventive or occupational medicine,
(b) the assessment of the working capacity of an employee,
(c) medical diagnosis,
(d) the provision of health care or treatment,
(e) the provision of social care, or
(f) the management of health care systems or services or social care systems or services

How we use your personal information
Blossom HR Ltd uses your personal information:
• To pre-qualify which of our HR consultancy services are suitable for your
requirements (e.g., responding to website contact forms, written correspondence, email
requests for our services, telephone calls, referrals).
• To provide our HR consultancy services (e.g., providing advice to a client on an
employee relations case in relation to one of their employees, writing letters on behalf of
clients, such as communicating the outcome to a disciplinary hearing or grievance
• To communicate with you, via official Blossom HR Ltd communication channels (e.g.,
to fulfil the objectives as outlined in the agreements and contracts).
• To facilitate client and prospect meetings (e.g., to set-up and confirm meetings, either
electronically via video call, such as Microsoft Teams or Zoom or to arrange site meetings
at client nominated premises. Additionally Blossom HR Ltd will also conduct meetings on
behalf of their clients, such as long-term absence meetings with employees).
• To provide client after care and client support (e.g., obtaining feedback, contract
• To keep you informed of any Blossom HR Ltd company updates (e.g., changes to this
privacy notice, other important company updates).
• To produce invoices and receipts for our HR consultancy services.
• To provide compliance with all the Legal requirements of England and Wales.

Who we share your personal information with?
Where relevant, given the nature of the HR consultancy services provided to you by Blossom HR
Ltd, we may also share your personal data with the following categories of third parties:
• Trusted 3rd party partners who we work alongside and process personal data on behalf of
Blossom HR Ltd, with regards to agreements and contracts for example, or for the
provision of supplementary support services (e.g., personal data protection support).
Disclosure of the nominated trusted 3rd party partner would be provided at the
agreement/contract stage and a relevant Data Processing Agreement (DPA) would be put in
place to protect all personal data, from a data processing perspective.
• Third party service providers who support the operation of our business.
• Fraud prevention agencies, money laundering agencies and associations.
• Regulators and law enforcement agencies, including the police, HM Revenue and Customs
or any other relevant authority who may have jurisdiction.
We would always inform you ahead of acting on any instructions to proceed with any of our HR
consultancy services, should this be the case.
This data sharing enables Blossom HR Ltd to supply the above HR consultancy services to you in a
professional and timely manner, whilst undertaking quality control & regulatory compliance
procedures. Furthermore, it ensures compliance with all necessary UK GDPR & Data Protection Act
(2018) lawful requirements.
Blossom HR Ltd will share personal information with law enforcement or other authorities if
required by law.

Whether information must be provided by you, and if so, why?
The provision of certain personal data including (but not limited to) contact name, email address &
telephone number is required from you. This enables Blossom HR Ltd to provide our HR
consultancy services to you.
It may also be a legal requirement to obtain proof of identity from time to time. If this is required,
we will explain why, what identification is required, how long the personal data will be kept on file
and the necessity for the processing.
We will inform you at the point of collecting information from you, whether you are required to
provide this and any other additional information to us.

International Data Transfers
Blossom HR Ltd does not control, process, or transfer personal data outside of the UK.
Should this situation change, Blossom HR Ltd would issue a company update via our official
communication channels to all affected parties. If the international data transfer would fall within
the European Union/EEA, data would be able to flow freely under the ‘Adequacy Decision’ agreed
between the UK and European Parliament on June 27th, 2021. If the international data transfer is
outside the EU/EEA/UK then appropriate safeguards would be put in place, such as data impact
assessments and risk assessments.
This Privacy Notice would also be updated.
Further information on International Data Transfers is provided by the Information Commissioners

How long your personal information will be kept?
• We will retain your personal information for several purposes, as is necessary to allow us to
carry out our business in accordance with our contract, legal obligation, or legitimate
• Any retention of personal data will be carried out in compliance with legal and regulatory
obligations. These data retention periods are subject to change, due to any revisions of
associated legislation or regulations.
• Your information will be kept for the relevant legal retention period after the completion of
the contract on our main systems, after which time it will be archived, deleted, or
anonymised depending on the content of the material and whether there is any continuing
legal need or legitimate interest for it to be retained.
• We will only retain your personal data for as long as necessary to fulfil the purposes we
collected it for, including for the purposes of satisfying any HR, legal, accounting, or
reporting requirements.
• To determine the appropriate retention period for personal data, we consider the amount,
nature, and sensitivity of the personal data, the potential risk of harm from unauthorised
use or disclosure of your personal data, the purposes for which we process your personal
data and whether we can achieve those purposes through other means, and the applicable
legal requirements.
• Details of retention periods for different aspects of your personal data are available in our
Document Destruction & Retention Policy which you can request from us by contacting us
• Any personal data held in hard document copy is securely stored pre-destruction after use
and is destroyed with a Certificate of Destruction in line with our UK GDPR Document
Destruction & Retention Policy.

Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being
accidentally lost or used or accessed in an unauthorised way. We limit access to your personal
information to those who have a genuine business need to know it. Those processing your
information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify
you and any applicable regulator (e.g., ICO) of a suspected data security breach where we are
legally required to do so.
A copy of our data breach policy is available upon request from the data protection lead.
If you want detailed information from, Get Safe Online on how to protect your information and
your computers and devices against fraud, identity theft, viruses, and many other online problems,
please visit
Get Safe Online is supported by HM Government and leading businesses.

We use cookies to collect, store and share bits of information about your activities when you use
our website.
Cookies do different things, like letting you navigate between pages quickly and generally
improving your experience of a website. If a website does not use cookies, it will think you are a
new visitor every time you move to a new page on the website – for example, when you enter your
login details and move to another page it will not recognise you and it will not be able to keep you
logged in.
Blossom HR Ltd only use non-personal data essential cookies on this website to track the
performance of the website via Google Analytics. This non personal data helps us to understand
how to improve the website content for the benefit of all users. If you want to block cookies, then
you can do this through your browser via the help function. You can also visit for further guidance.

Your rights
Under the UK GDPR you have several important rights free of charge. At any point while we are in
possession of or processing your personal data, you, the data subject (living person), have the
following rights:
• Right to be informed – you have the right to know why we are collecting and processing
personal data and this right is met by the provision of this privacy notice and any
subsequent updates.
• Right of access – you have the right to request a copy of the information that we hold
about you.
• Right of rectification – you have a right to correct data that we hold about you that is
inaccurate or incomplete.
• Right to be forgotten – in certain circumstances you can ask for the data we hold about you
to be erased from our records.
• Right to restriction of processing – where certain conditions apply to have a right to restrict
the processing.
• Right of portability – you have the right to have the data we hold about you transferred to
another organisation.
• Right to object – you have the right to object to certain types of processing such as direct
• Right to object to automated processing, including profiling – you also have the right to be
subject to the legal effects of automated processing or profiling.
For further information on each of those rights, including the circumstances in which they apply,
see the Guidance from the Information Commissioner’s Office (ICO) on individuals rights under the
UK General Data Protection Regulation.
If you would like to exercise any of those rights, please:
• call, email, or write to us in the first instance.
• let us have enough information to identify you,
• let us have proof of your identity and address (a copy of your driving licence or passport
and a recent utility or credit card bill), and
• let us know the information to which your request relates?

Changes to this privacy notice
This privacy notice was last reviewed and published on Friday October 29th, 2021.
Blossom HR Ltd is a private limited company, registered in England and Wales, under company
registration number 13497135. Blossom HR Ltd is registered with the ICO under registration
number ZB161941.
We may change this privacy notice from time to time, when we do, we will inform you via our
company communication channels and company website.
I confirm I have read and understood the Privacy Policy

How to complain
We hope that we can resolve any query or concern you raise about our use of your personal data.
The UK General Data Protection Regulation also gives you right to lodge a complaint with a
supervisory authority.
The supervisory authority in the UK is the Information Commissioners Office (ICO) who may be
contacted here or by telephone on 0303 123 1113.

How to contact us
Please contact us if you have any questions about this privacy notice or the information, we hold
about you.
The data protection lead is Rosie Wicks of Blossom HR Ltd.
Blossom HR Ltd can be contacted via email on or via phone on 01749