External Data Protection Policy
| Administrator: | John Brynford-Jones |
| Owner: | John Brynford-Jones |
| Version | 1.1 |
| Reviewed | 23/01/2025 |
Contents
- Introduction
- Scope
- Policy
  - Personal data protection principles
- Data Subjects’ Rights
- General provisions
- Schedule of Processing, Personal Data and Data Subjects
  - Subject matter of the processing
  - Duration of the processing
  - Nature and purposes of the processing
  - Types of Personal Data
  - Categories of Data Subject
  - Plan for return and destruction of the data once the processing is complete
- Appendix 1. Principle 1 of GDPR – Processing personal data lawfully, fairly and transparently
  - Lawfulness and fairness
  - Consent
  - Legal bases for Processing Sensitive Personal Data, including Special Category Data
  - Transparency (notifying data subjects)
- Appendix 2.
  - Principle 2 of GDPR – Purpose Limitation
  - Principle 3 of the GDPR – Data minimisation
  - Principle 4 of the GDPR – Accuracy
  - Principle 5 of the GDPR – Storage limitation
  - Principle 6 of the GDPR – Security, Integrity and Confidentiality
- Appendix 3. Glossary of Terms
- Appendix 4. Email Policy for User Accounts
________________________________________________
1. Introduction
For-Sight Software Limited takes its obligations under the General Data Protection Regulation (GDPR) seriously. This policy sets out how For-Sight meets those obligations.
For-Sight obtains, uses, stores and otherwise processes personal data relating to the customers and contacts of its Customers, collectively referred to in this policy as data subjects. When processing personal data, For-Sight is obliged to fulfil individuals’ reasonable expectations of privacy by complying with UK GDPR and other relevant data protection legislation (data protection law).
This policy therefore seeks to ensure that we:
- are clear about how personal data must be processed and For-Sight’s expectations for all those who process personal data on its behalf.
- comply with the data protection law and with good practice.
- protect For-Sight’s reputation by ensuring the personal data entrusted to us by Customers is processed in accordance with their data subjects’ rights.
- protect For-Sight from risks of personal data breaches and other breaches of data protection law.
The main terms used are explained in the glossary at the end of this policy (Appendix 3).
2. Scope
This policy applies to all personal data we process, regardless of the location where that personal data is stored (e.g. in the cloud or on our devices used by employees remotely) and regardless of the data subject. All staff and others processing personal data on For-Sight’s behalf must read it.
User accounts must be created using business domain email addresses to ensure identity verification, security, and compliance with organisational policies. Public domain email addresses (e.g., Gmail, Hotmail) are not permitted.
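The business-domain rule above is straightforward to state but easy to implement badly: a denylist of public providers is never complete, so the control that actually enforces the rule is an allowlist of the domains each Customer has authorised. The following is an added illustration written for this page, not For-Sight's own account-creation code; the public-provider list, the per-Customer domain table and the `hotel-group-a` identifier are constructed sample data.

```python
"""Added example: enforcing the business-domain e-mail rule at account creation.

Illustrative code written for this page, not For-Sight's own implementation.
The public-provider list and the per-Customer domain allowlist are
constructed sample data.
"""
from __future__ import annotations

import re

# Constructed sample: a few widely used public (freemail) providers.
# A denylist like this is never complete, so it serves only as a backstop
# that gives a clearer error for the case the policy calls out explicitly.
PUBLIC_PROVIDERS = frozenset({
    "gmail.com", "googlemail.com", "hotmail.com", "outlook.com",
    "live.com", "yahoo.com", "icloud.com", "proton.me",
})

# Constructed sample: domains each Customer has registered for its users.
# In practice this table would be populated from the Customer's written
# authorisation, which is also what third-party (consultant/agency)
# accounts require under this policy.
CUSTOMER_DOMAINS: dict[str, frozenset[str]] = {
    "hotel-group-a": frozenset({"hotelgroupa.example", "hga.example"}),
}

_LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]+$")
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalise_email(address: str) -> tuple[str, str]:
    """Return (local_part, domain) with the domain lower-cased and the
    address syntactically checked. Raises ValueError on malformed input."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    local, domain = address.split("@")
    # A trailing dot and letter case are not significant in a DNS name,
    # so strip them before any comparison.
    domain = domain.rstrip(".").lower()
    if not _LOCAL_PART.match(local):
        raise ValueError("invalid local part")
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("invalid domain")
    return local, domain


def _matches_registered(domain: str, registered: frozenset[str]) -> bool:
    """True if domain equals a registered domain or is a subdomain of one
    (mail.hga.example matches hga.example; evil-hga.example does not)."""
    return any(domain == r or domain.endswith("." + r) for r in registered)


def check_account_email(customer_id: str, address: str) -> tuple[bool, str]:
    """Decide whether an address may be used for a user account.

    Order of checks: syntax, public-provider denylist, then the Customer's
    allowlist. The allowlist is the real control; a domain that is neither
    public nor registered (e.g. a consultancy's own domain) is still refused
    until the Customer authorises it."""
    try:
        _, domain = normalise_email(address)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if domain in PUBLIC_PROVIDERS:
        return False, "rejected: public e-mail provider domains are not permitted"
    registered = CUSTOMER_DOMAINS.get(customer_id, frozenset())
    if not _matches_registered(domain, registered):
        return False, f"rejected: {domain} is not a registered domain for {customer_id}"
    return True, "accepted"


if __name__ == "__main__":
    for addr in ("alice@HotelGroupA.example", "bob@gmail.com",
                 "carol@mail.hga.example", "dave@consultancy.example", "bad@@x"):
        print(addr, "->", check_account_email("hotel-group-a", addr))
```

The point of ordering the checks this way is that the decision never depends on the denylist: removing `PUBLIC_PROVIDERS` entirely would change only the wording of the rejection for freemail addresses, not the outcome, so an unlisted public provider cannot slip through.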
A failure to comply with this policy may result in disciplinary action.
The management of For-Sight is responsible for ensuring that all staff comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.
The Data Protection Officer is responsible for overseeing this policy and can be reached at:
john.brynford-jones@for-sight.com.
3. Policy
Personal data protection principles
When we process personal data, we are guided by the principles set out in the GDPR. For-Sight is responsible for, and must be able to demonstrate, compliance with those principles. Detail on how to achieve this can be found in Appendices 1 and 2. The principles require personal data to be:
- processed lawfully, fairly and in a transparent manner (Lawfulness, fairness and transparency).
- collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (Purpose limitation).
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data minimisation).
- accurate and, where necessary, kept up to date (Accuracy).
- not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (Storage limitation).
- processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, integrity and confidentiality).
4. Data Subjects’ Rights
Data subjects have rights in relation to the way our Customers, and we on their behalf as Processors, handle their personal data. These include the following rights:
- where the legal basis of our processing is Consent, to withdraw that Consent at any time.
- to ask for access to the personal data that we hold
- to prevent our use of the personal data for direct marketing purposes
- to object to our processing of personal data in limited circumstances
- to ask us to erase personal data without delay:
- if it is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- if the only legal basis of processing is Consent and that Consent has been withdrawn and there is no other legal basis on which we can process that personal data.
- if the data subject objects to our processing where the legal basis is the pursuit of a legitimate interest, or the public interest and we can show no overriding legitimate grounds or interest;
- if the data subject has objected to our processing for direct marketing purposes.
- if the processing is unlawful.
- to ask us to rectify inaccurate data or to complete incomplete data.
- to restrict processing in specific circumstances e.g. where there is a complaint about accuracy.
- to ask us for a copy of the safeguards under which personal data is transferred outside of the EU and UK;
- the right not to be subject to decisions based solely on automated processing, including profiling, except where the decision is necessary for entering into, or performing, a contract with For-Sight; is based on the data subject’s explicit consent and is subject to safeguards; or is authorised by law and is subject to safeguards;
- to prevent processing that is likely to cause damage or distress to the data subject or anyone else;
- to be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
- to make a complaint to the ICO; and
- in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.
We must verify the identity of an individual requesting data under any of the rights listed.
Requests (including Data Subject Access Requests – see section 5) must be complied with, usually within one month of receipt. You must immediately forward any Data Subject Access Request you receive to the Data Protection Officer at john.brynford-jones@for-sight.com. A fee may be charged for dealing with a request relating to these rights only where the request is manifestly unfounded or excessive.
5. General provisions
- For the purposes of the Data Protection Legislation, the Customer is the Controller and For-Sight is the Processor. The only processing that For-Sight is authorised to do must be listed in our GDPR agreement with the Customer and may not be determined by For-Sight.
- For-Sight shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation.
- Third-party user accounts (e.g., consultants, agencies) will only be granted access upon receiving explicit, written authorisation from the Customer. For-Sight reserves the right to deny or terminate accounts not meeting this criterion.
- For-Sight shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include:
- a systematic description of the envisaged processing operations and the purpose of the processing;
- an assessment of the necessity and proportionality of the processing operations in relation to the Services;
- an assessment of the risks to the rights and freedoms of Data Subjects; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
For-Sight shall, in relation to any Personal Data processed in connection with its obligations under a Customer Agreement:
- process that Personal Data only in accordance with a Customer Agreement, unless For-Sight is required to do otherwise by Law. If it is so required, For-Sight shall promptly notify the Customer before processing the Personal Data unless prohibited by Law;
- ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the:
- nature of the data to be protected;
- harm that might result from a Data Loss Event;
- state of technological development; and
- cost of implementing any measures;
- ensure that For-Sight personnel do not process Personal Data except in accordance with a Customer Agreement;
- take all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they:
- are aware of and comply with For-Sight’s duties under this clause;
- are subject to appropriate confidentiality undertakings with For-Sight or any Sub-processor;
- are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by a Customer Agreement; and
- have undergone adequate training in the use, care, protection and handling of Personal Data; and
- not transfer Personal Data outside of the EU and UK unless the prior written consent of the Customer has been obtained.
- at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless For-Sight is required by Law to retain the Personal Data.
- Subject to clause below, For-Sight shall notify the Customer immediately if it:
- receives a Data Subject Access Request (or purported Data Subject Access Request);
- receives a request to rectify, block or erase any Personal Data;
- receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation;
- receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under a Customer Agreement;
- receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
- becomes aware of a Data Loss Event.
- For-Sight’s obligation to notify under clause above shall include the provision of further information to the Customer in phases, as details become available.
- It is the Customer’s responsibility to notify For-Sight immediately when a user account needs to be deactivated, modified, or removed. This ensures the security and integrity of both Customer data and any data shared with For-Sight.
- Considering the nature of the processing, For-Sight shall provide the Customer with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause above (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing:
- the Customer with full details and copies of the complaint, communication or request;
- such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
- the Customer, at its request, with any Personal Data it holds in relation to a Data Subject;
- assistance as requested by the Customer following any Data Loss Event;
- assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner’s Office.
- For-Sight shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where For-Sight employs fewer than 250 staff, unless any of the following applies:
- the Customer determines that the processing is not occasional;
- the Customer determines that the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
- the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
- For-Sight shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor.
- For-Sight shall designate a data protection officer if required by the Data Protection Legislation.
- Before allowing any Sub-processor to process any Personal Data related to a Customer Agreement, For-Sight shall:
- notify the Customer in writing of the intended Sub-processor and processing;
- obtain the written consent of the Customer;
- enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause such that they apply to the Sub-processor; and
- provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require.
- For-Sight shall remain fully liable for all acts or omissions of any Sub-processor.
- For-Sight shall not be held liable for unauthorised access, data breaches, or any damages arising from the Customer’s failure to notify For-Sight of required changes to user accounts, such as termination of access, updates to credentials, or role changes. This clause does not limit For-Sight’s liability for breaches resulting from its own negligence or failure to comply with data protection legislation.
- For-Sight may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to a Customer Agreement).
- For-Sight shall take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to For-Sight amend a Customer Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
6. Schedule of Processing, Personal Data and Data Subjects
Before processing any Customer data, For-Sight shall obtain a GDPR agreement with a Schedule of Processing, Personal Data and Data Subjects containing at least the information set out hereunder:
Subject matter of the processing
- For-Sight will provide access to a secure system for the transfer of the Customer data and will then securely process and distribute data based on the supplied data and the instructions submitted by the Customer.
Duration of the processing
- The standard duration is three months; a different duration can be implemented at the Customer’s request.
Nature and purposes of the processing
- Data will be loaded by the Customer manually via For-Files or another secure service specified by the Customer. It will be recorded, updated and used as the basis for CRM processing and communications; it will not be used for any purpose not requested by the Customer.
7. Types of Personal Data
- Name
- Contact details (address, email)
- Gender, date of birth
- Unique references
- Hotel booking and in-stay activity details
- Monetary values of purchases of services and goods
The above list shall be completed for each project undertaken.
8. Categories of Data Subject
- Customers’ customers (guests, bookers, agents, employers)
- Persons logging into the For-Files and For-Sight services as Users
Plan for return and destruction of the data once the processing is complete
Data will be retained for only as long as activity under the Permitted Purpose is required. Thereafter there will be deletion of the data from the database and from any backups by the Customer or on the Customer’s instruction. Data will not be systematically returned to the Customer.
- For-Sight shall comply with any further written instructions with respect to processing by the Customer.
- Any such further instructions shall be incorporated into this Schedule.
9. Appendix 1
Principle 1 of GDPR – Processing personal data lawfully, fairly and transparently
Lawfulness and fairness
We may only process personal data fairly and lawfully and for specified purposes. These restrictions are not intended to prevent processing but to ensure that we process personal data for legitimate purposes without prejudicing the rights and freedoms of data subjects. For-Sight may only process personal data if the processing in question is based on one (or more) of the legal bases set out below. The subsection on sensitive personal data below deals with justifying the processing of sensitive personal data, including special category data.
The legal bases for processing non-sensitive personal data are as follows:
- the data subject has given his or her Consent
- the processing is necessary for the performance of a contract with the data subject
- to meet our legal compliance obligations
- to protect the data subject’s vital interests (i.e. matters of life or death)
- to pursue our legitimate interests (or another’s legitimate interests), provided they are not overridden by the interests or fundamental rights and freedoms of data subjects. The specific legitimate interest or interests For-Sight is pursuing when processing personal data must be set out in the relevant Privacy Notice. This ground can only be relied upon for private functions (e.g. marketing, fundraising) and not for public functions.
One must identify the legal basis that is being relied on for each processing activity, which will be included in the Privacy Notice provided to data subjects.
Consent
One should only obtain a data subject’s Consent if there is no other legal basis for the processing. Consent requires genuine choice and genuine control.
A data subject consents to processing of his/her personal data if he/she indicates agreement clearly either by a statement or positive action to the processing. Silence, pre-ticked boxes or inactivity are therefore unlikely to be sufficient. If Consent is given in a document that deals with other matters, you must ensure that the Consent is separate and distinct from those other matters.
Data subjects must be able to withdraw Consent to processing easily at any time. Withdrawal of Consent must be promptly honoured. Consent may need to be renewed if you intend to process personal data for a different and incompatible purpose which was not disclosed when the data subject first consented, or if the Consent is historic.
The Customer will need to retain evidence of Consent and should keep a record of all Consents obtained so that compliance can be demonstrated.
Consent is required for some electronic marketing and some research purposes.
Legal bases for Processing Sensitive Personal Data, including Special Category Data
Special Category Personal Data is data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
It also includes the processing of:
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation.
Personal data relating to criminal convictions and offences, including the alleged commission of offences or proceedings for offences or alleged offences, should be treated in the same way as special category data.
The processing of sensitive personal data by For-Sight must be based on one of the following (together with one of the legal bases for processing non-sensitive personal data as listed above):
- the data subject has given explicit Consent (requiring a clear statement, not merely an action)
- the processing is necessary for complying with employment law;
- the processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving Consent;
- the processing relates to personal data which are manifestly made public by the data subject;
- the processing is necessary for the establishment, exercise or defence of legal claims;
- the processing is necessary for reasons of substantial public interest (provided it is proportionate to the aim pursued and considers the privacy rights of the data subject)
- the processing is necessary for the purposes of preventive or occupational medicine, etc. if it is subject to professional confidentiality
- the processing is necessary for reasons of public interest in the area of public health, provided it is subject to professional confidentiality;
- the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if it is subject to certain safeguards (i.e. pseudonymisation or anonymisation where possible, the research is not carried out for the purposes of making decisions about particular individuals (unless it is approved medical research) and it must not be likely to cause substantial damage/distress to an individual and is in the public interest).
Examples of sensitive personal data processed by For-Sight may include:
- details of relevant unspent convictions for the purposes of assessing eligibility to enrol on For-Sight’s academic programs
- details of relevant unspent convictions for the purposes of recruiting relevant staff
- unspent convictions or allegations of sexual misconduct for staff
- health data for the purposes of assessing eligibility to work
- details of disability for the purposes of assessing and implementing reasonable adjustments to For-Sight’s policies, criteria or practices
- details of racial/ethnic origin, sexual orientation, religion/belief for the purposes of equality monitoring
Processing sensitive personal data represents a greater intrusion into individual privacy than when processing non-sensitive personal data. You must therefore take special care when processing sensitive personal data and ensure that you comply with the data protection principles (as set out in the main body of this policy) and with this policy, in ensuring the security of the sensitive personal data.
10. Transparency (notifying data subjects)
Under the GDPR For-Sight is required to provide detailed, specific information to data subjects depending on whether the information was collected directly from data subjects or from elsewhere. That information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a data subject can easily understand what happens to their personal data.
Whenever we collect personal data directly from data subjects, for example for the recruitment and employment of staff, at the time of collection we must provide the data subject with all the prescribed information which includes:
- Company details
- Contact details of Data Protection Officer
- Purposes of processing
- Legal basis of processing
- Where the legal basis is legitimate interest, identify the interests (e.g. marketing)
- Where the legal basis is Consent, the right to withdraw
- Where the legal basis is statutory or contractual necessity, the consequences for the data subject of not providing the data
When personal data is collected indirectly (for example, from a third party or publicly available source), you must also provide information about the categories of personal data and any information on the source. The data subject must be provided with all the information required by the GDPR as soon as possible after collecting/receiving the data. You must also check that the personal data was collected by the third party in accordance with the GDPR and on a basis which contemplates our proposed processing of that personal data.
11. Appendix 2
Principle 2 of GDPR – Purpose Limitation
Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
You cannot therefore use personal data for entirely new, different or incompatible purposes from those disclosed when it was first obtained unless you have informed the data subject of the new purposes. Where the further processing is not based on the data subject’s Consent or on a lawful exemption from data-protection law requirements, you should assess whether a purpose is incompatible by considering factors such as:
- the link between the original purpose/s for which the personal data was collected and the intended further processing
- the context in which the personal data has been collected, in particular the For-Sight-Customer-Data Subject relationship. You should ask yourself if the data subject would reasonably anticipate the further processing of his/her personal data
- the nature of the personal data whether it involves special categories of personal data (i.e. sensitive) or personal data relating to criminal offences/convictions
- the consequences of the intended further processing for the data subjects
- the existence of any appropriate safeguards e.g. encryption or pseudonymisation.
Provided that prescribed safeguards are implemented, further processing for scientific or historical research purposes or for statistical purposes will not be regarded as incompatible. Safeguards include ensuring data minimisation (e.g. pseudonymisation or anonymisation where possible), the research will not be carried out for the purposes of making decisions about individuals and it must not be likely to cause substantial damage/distress to an individual, unless it is approved medical research.
Principle 3 of the GDPR – Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You should not therefore amass large volumes of personal data that are not relevant for the purposes for which they are intended to be processed. Conversely, personal data must be adequate to ensure that we can fulfil the purposes for which it was intended to be processed.
You may only process personal data when performing your job duties requires it and you should not process personal data for any reason unrelated to your job duties.
You must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with For-Sight’s data retention policy and schedule.
Principle 4 of the GDPR – Accuracy
Personal data must be accurate and, where necessary, kept up to date. You should ensure that personal data is recorded in the correct files.
Incomplete records can lead to inaccurate conclusions being drawn and where there is such a risk, you should ensure that relevant records are completed.
You must check the accuracy of any personal data at the point of collection and at regular intervals thereafter. You must take all reasonable steps to destroy or amend inaccurate records without delay and you should update out-of-date personal data where necessary (e.g. where it is not simply a pure historical record).
Where a data subject has required his/her personal data to be rectified or erased, you should inform recipients of that personal data that it has been erased/rectified, unless it is impossible or significantly onerous to do so.
Principle 5 of the GDPR – Storage limitation
You must not keep personal data in a form that allows data subjects to be identified for longer than needed for the legitimate For-Sight business purposes or other purposes for which For-Sight collected it. Those purposes include satisfying any legal, accounting or reporting requirements. Records may be kept for longer than this only if they are anonymised, since properly anonymised data is no longer personal data.
You will take all reasonable steps to destroy or erase from For-Sight’s systems all personal data that we no longer require in accordance with all relevant For-Sight records retention schedules and policies. For-Sight has a document retention policy.
You will ensure that data subjects are informed of the period for which their personal data is stored or how that period is determined in any relevant Privacy Notice.
Principle 6 of the GDPR – Security, Integrity and Confidentiality
For-Sight is required to implement and maintain appropriate safeguards to protect personal data, considering the risks to data subjects presented by unauthorised or unlawful processing or accidental loss, destruction of, or damage to their personal data. Safeguarding will include the use of encryption and pseudonymisation where appropriate. It also includes protecting the confidentiality (i.e. that only those who need to know and are authorised to use personal data have access to it), integrity and availability of the personal data. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.
You are also responsible for protecting the personal data that you process in the course of your duties. You must therefore handle personal data in a way that guards against accidental loss or disclosure or other unintended or unlawful processing and in a way that maintains its confidentiality. You must exercise particular care in protecting sensitive personal data from loss and unauthorised access, use or disclosure.
You must comply with all procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction.
You must comply with all applicable aspects of our Information Security Policy and comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the Data Protection Law standards to protect personal data.
You may only transfer personal data to third-party service providers (i.e. data processors) who provide sufficient guarantees to implement appropriate technical and organisational measures to comply with Data Protection Law and who agree to act only on For-Sight’s instructions. Data processors should therefore be appointed subject to For-Sight’s standard contractual requirements for data processors.
12. Appendix 3
Glossary of Terms
1. Automated Decision-Making (ADM)
when a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.
2. Profiling
any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.
3. Consent
agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.
4. Data Controller
the person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the GDPR. For-Sight is the Data Controller of all personal data relating to it and used in delivering training, conducting research and all other purposes connected with it, including business purposes.
5. Data Subject
a living, identified or identifiable individual about whom we hold personal data.
6. Data Protection impact assessment (DPIA)
tools and assessments used to identify and reduce the risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the processing of personal data.
7. Data Protection Officer
the person appointed as such under the GDPR and in accordance with its requirements. A Data Protection Officer is responsible for advising For-Sight (including its employees) on their obligations under Data Protection Law, for monitoring compliance with data protection law as well as with For-Sight’s policies, providing advice, cooperating with the ICO and acting as a point of contact with the ICO.
8. Personal Data
any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
9. Personal Data Breach
any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data. It can be an act or omission. An incident is a personal data breach regardless of its severity; the level of risk to data subjects determines whether it must be reported to the ICO and, where the risk is high, communicated to the data subjects themselves.
10. Privacy by Design and Default
building data protection into processing activities at the design stage by implementing appropriate technical and organisational measures (such as pseudonymisation and data minimisation), and ensuring that by default only the personal data necessary for each specific purpose is processed, so that compliance with the GDPR is achieved in an effective manner.
11. Privacy Notices
separate notices setting out information that may be provided to data subjects when For-Sight collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals or they may be stand-alone, one-time privacy statements covering processing related to a specific purpose.
12. Processing or Process
any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
13. Pseudonymisation or Pseudonymised
replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms, so that the person to whom the data relates cannot be identified without the use of additional information, which must be kept separately and securely.
14. Law
means any law, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, bye-law, enforceable right within the meaning of Section 2 of the European Communities Act 1972, regulation, order, regulatory policy, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements with which For-Sight is bound to comply.
15. Contractor Personnel
means all directors, officers, employees, agents, consultants and contractors of For-Sight and/or of any Sub-Contractor engaged in the performance of its obligations under a Customer Agreement.
16. Data Protection Legislation
(i) the GDPR, the LED and any applicable national implementing Laws as amended from time to time; (ii) the DPA 2018 to the extent that it relates to processing of personal data and privacy; (iii) all applicable Law about the processing of personal data and privacy.
17. Data Protection Impact Assessment
an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data.
18. Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Data Protection Officer
take the meaning given in the GDPR.
19. Data Loss Event
any event that results, or may result, in unauthorised access to Personal Data held by For-Sight under a Customer Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of a Customer Agreement, including any Personal Data Breach.
20. Data Subject Access Request
a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data.
21. DPA 2018
Data Protection Act 2018
22. GDPR
The UK GDPR, being Regulation (EU) 2016/679 (the General Data Protection Regulation) as retained in UK law and amended on exit from the EU, read together with the Data Protection Act 2018, which supplements it.
23. LED
The Data Protection Act 2018, Part 3, being the UK’s implementation of the Law Enforcement Directive (Directive (EU) 2016/680).
24. Protective Measures
appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of such measures adopted by it.
25. Sub-processor
any third party appointed to process Personal Data on behalf of For-Sight related to a Customer Agreement.
13. Appendix 4
Email Policy for User Accounts
- Only business domain emails are accepted for user account creation. (e.g. @for-sight.com)
- No public domain emails (e.g., Gmail, Yahoo) will be registered.
- Third-party user accounts require prior written authorisation from the Customer.
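The following is an added illustration of how the three Appendix 4 rules can be enforced at account creation; it is not For-Sight’s own code. It assumes a single allowed business domain (`for-sight.com`), a starter list of public webmail domains, and an optional set of third-party domains the Customer has authorised in writing; all three lists are assumptions a real deployment would load from configuration. The point it adds to the policy text is that the domain must be compared exactly after normalisation, so that addresses such as `user@for-sight.com.evil.net` or `user@FOR-SIGHT.COM ` are handled correctly.

```python
"""Email-domain allowlist check for user-account creation (added example)."""
from email.utils import parseaddr
from typing import Iterable, Optional, Tuple

# Assumption: the Customer's business domain(s).
ALLOWED_DOMAINS = frozenset({"for-sight.com"})

# Assumption: a starter list of public webmail providers to refuse.
PUBLIC_DOMAINS = frozenset({
    "gmail.com", "googlemail.com", "yahoo.com", "yahoo.co.uk",
    "hotmail.com", "outlook.com", "live.com", "icloud.com", "proton.me",
})


def extract_domain(address: str) -> Optional[str]:
    """Return the normalised domain of one address, or None if malformed.

    parseaddr() discards a display name ("Alice <alice@x>") so only the
    bare address is inspected. The domain is lower-cased, a trailing dot
    (FQDN form) is removed and the name is IDNA-encoded so that Unicode
    look-alikes do not compare equal to an ASCII allowlist entry.
    """
    _, addr = parseaddr(address.strip())
    if addr.count("@") != 1:
        return None
    local, domain = addr.rsplit("@", 1)
    if not local or not domain:
        return None
    domain = domain.rstrip(".").lower()
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def check_account_email(
    address: str,
    allowed: Iterable[str] = ALLOWED_DOMAINS,
    public: Iterable[str] = PUBLIC_DOMAINS,
    authorised_third_party: Iterable[str] = (),
) -> Tuple[bool, str]:
    """Apply the Appendix 4 rules and return (accepted, reason).

    authorised_third_party holds domains for which the Customer has given
    prior written authorisation (rule 3); it is empty unless supplied.
    """
    domain = extract_domain(address)
    if domain is None:
        return False, "malformed address"
    if domain in set(public):
        return False, "public webmail domain not permitted"
    # Exact match only: a suffix or substring match would let
    # "for-sight.com.evil.net" or "evil-for-sight.com" through.
    if domain in set(allowed):
        return True, "business domain"
    if domain in set(authorised_third_party):
        return True, "third-party domain authorised by Customer"
    return False, f"domain '{domain}' is not an approved business domain"


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    for candidate in ("alice@for-sight.com", "Bob <BOB@FOR-SIGHT.COM>",
                      "carol@gmail.com", "eve@for-sight.com.evil.net",
                      "not-an-email", "dan@partner.example"):
        print(candidate, "->", check_account_email(
            candidate, authorised_third_party={"partner.example"}))
```

The third-party set is passed per call rather than hard-coded because the authorisation comes from the Customer and may differ between tenants; the check itself stays the same exact-match comparison for every list.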
©2026 For-Sight Software Limited. Incorporated in Scotland (SC114093) Registered Office: 61 Dublin Street, Edinburgh, Scotland, EH3 6NL