Skip to content

Transparency Policy

Name of Controller 

Gresley Engineering Limited is the Controller under the EU General Data Protection Regulation (EU GDPR).  Gresley Engineering Limited is incorporated in England and Wales,  company registration number 11264124 

 

Contact details of the Controller  

You may contact Gresley Engineering Limited to make requests, for example to exercise your data protection rights, to provide positive feedback or to make complaints by writing to us at: 

 

For Attention Of:  Privacy Office 

Company Name: Gresley Engineering Limited 

Registered Office Address: 17 Queens Lane, Newcastle Upon Tyne, Tyne And Wear, United Kingdom, NE1 1RN 

 

Or by emailing us at privacy@gresleyengineering.com 

 

Contact details of Representative  

We are established in the UK and we are not currently required to appoint a Representative. 

 

 

Contact details of the Data Protection Officer 

Our Data Protection Officer can be contacted in writing at: 

For Attention Of:  Data Protection Officer 

Company Name: Gresley Engineering Limited 

Registered Office Address: 17 Queens Lane, Newcastle Upon Tyne, Tyne And Wear, United Kingdom, NE1 1RN 

Or by emailing at dpo@gresleyengineering.com 

Purposes of the processing  

We process your personal data for the following purposes: 

 

  • To conduct ‘proof of concept’ testing for our FindYourData project.  We expect to refine and improve our approach during the proof of concept phase.  If there are any significant changes, we will always let you know promptly, and update this Transparency Notice if needed.  You can reasonably expect that our proof of concept phase will definitely include: 

 

Searching the dark web to find information about you that should not be there, at your request; 

 

Providing you with one or more reports relating to what we have found that we think you will be interested in;  

 

Potentially requesting additional information from you to provide more successful searches and richer results, if you are content to proceed. 

 

  • After our ‘proof of concept’ phase is complete, we will contact you to let you know what is happening with our FindYourData project and to invite you to participate in future activities, if you wish. 

 

 

Legal basis for processing 

Our legal bases for processing your personal data are as follows: 

  Processing purpose  Legal basis 
1  Proof of concept testing  Contract 
2  At the end of our proof of concept phase, to provide you with options regarding participation in future activities and services offered by us.  Our legitimate interests 

 

 

The legitimate interest of the Controller for processing personal data 

Our legitimate interests for the processing purpose set out in (5(2)) above, specifically providing you with options regarding your potential participation in future activities and services offered by us, are predicated upon our existing relationship with you following our proof of concept phase and the reasonable belief that you may be interested in similar products and services provided by us.  We will always abide by your wishes and if you do not wish to participate and will give you the ability to easily opt-out at any point.  

 

Categories of personal data obtained  

We process the following personal data provided by you relating to our proof of concept testing: 

  • Your email address 
  • Mobile phone number 

 

Whilst we do not collect special category data for any processing relating to the processing purposes identified above we cannot, by definition, be certain about what data we may find that relates to you on the dark web. 

 

 

Any recipients or categories of recipients of the personal data 

Within our company, we only share your personal data with those members of our work force who have a valid business ‘need to know’ for the purposes set out above.  This may sometimes include data processors.  Individual team members will only be given access to the part of your data that they need to perform their roles.   

 

Details of transfers of the personal data to any third countries or international organizations  

We do not transfer your data to any third countries or international organisations.   However, as a part of our testing, we may find data about you in those locations. 

 

The retention period for the personal data  

We will retain your personal data for the duration of our ‘proof of concept’ testing unless you tell us that you wish to withdraw your participation.   

After the ‘proof of concept’ testing is complete, we may offer you the chance to benefit from other services. 

 

The rights available to individuals in respect of the processing  

You have the right to exercise the rights set out below, where those rights apply under data protection law. Please contact us using the details of the Controller set out in this notice if you wish to exercise any of your rights. 

 

  • Right to transparency – we must provide you with all the information set out in this privacy notice in a concise, transparent, intelligible and easily accessible form, using clear and plain language, so that you may understand how and why we process your data and what your rights are. We must keep you informed in timely manner about our progress in responding to requests from you to access your rights under data protection law. 

 

  • Rights of access by the data subject – you have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, to access the personal data and associated information. 

 

  • Right to rectification – you have the right for your personal data to be rectified without undue delay if it is not accurate. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing a supplementary statement. 

 

  • Right to erasure (‘right to be forgotten’) – In some limited circumstances, you may have the right to obtain from us the erasure of your personal data without undue delay, when and if: 

Processing your personal data is no longer necessary in relation to the purposes for which your data were collected 

You withdraw consent for processing, but only if consent was the legal basis relied upon for that processing  

You object to processing and there are no overriding legitimate grounds for the processing or where you withdraw your consent to marketing 

Your personal data has been unlawfully processed 

Your personal data has to be erased to comply with a legal obligation to which the Controller is subject 

Your personal data has been collected in relation to the offer of information society services to children. 

  • Right to restriction of processing – In some limited circumstances you have the right to request that the processing of your personal data is restricted, in some cases for a limited time only, specifically when: 

You are contesting the accuracy of your personal data while we verify its accuracy or correct it 

The processing is unlawful and you oppose the erasure of your data 

Where we no longer need your personal data for the purposes for which it was obtained but where you require the data for the establishment, exercise or defence of legal claims 

Where you have objected to the processing of your data pending the verification whether legitimate interests of the Controller override your interests. 

You have the right to be informed by the Controller before the restriction of processing is lifted. 

 

  • Notification obligation regarding rectification or erasure of personal data or restriction of processing – We will let you know when the following things happen, unless it proves impossible or disproportionate to do so: 

When we have rectified your data 

When we have erased your personal data 

When we have restricted the processing of your personal data 

When we intend to lift any restriction to the processing of your personal data 

We will also advise you about any recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. 

 

  • Right to data portability – Upon your request and where the legal basis for processing your personal data is ‘consent’ or ‘contract’, we will provide you with a copy of your personal data that you have provided to us and which are processed by automated means, in a structured, commonly used and machine-readable format. Upon your request and where technically feasible, we will also transmit those data to another data controller. 

 

  • Right to object– In some limited circumstances, you have the right to object to our processing of your personal data. When certain conditions are met we, as Controller, will no longer process your personal data. This right can be exercised only when: 

 

Either the processing is necessary for the performance of a task carried out in the public interest or processing is necessary for the purposes of our legitimate interests (including profiling), but where we cannot demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or where processing is necessary for the establishment, exercise or defence of legal claims 

Processing for direct marketing purposes, including profiling 

Personal data are processed for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest. 

 

  • Automated decision-making, including profiling – You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significant effects.   

 

  • The right to withdraw consent  Where you have given us your consent to process your personal data, you have the right to withdraw your consent at any time. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.   

 

 

The right to lodge a complaint with a supervisory authority 

You have the right to lodge a complaint about us with the supervisory authority for data protection.  In the United Kingdom, the Supervisory Authority is: 

UK Information Commissioner’s Office  

Information Commissioner’s Office 

Wycliffe House 

Water Lane 

Wilmslow 

Cheshire  

SK9 5AF  

 

Tel: 0303 123 1113 (local rate) 

www.ico.org.uk 

 

 

The source your personal data originates from and whether it came from publicly accessible records. 

We obtain your personal data from two sources: 

 

Details provided by you; and 

Details about you that we have found on the dark web. 

 

Details of whether individuals are under a statutory or contractual obligation to provide the personal data  

You are not under a statutory or contractual obligation to provide personal data to us. 

 

Details of the existence of automated decision-making including profiling  

We do not conduct automated decision making or profiling.

Visit our social