Data Protection Policy

Last updated October 21, 2022

VARIO PRESS LIMITED collects and uses information about individuals. This policy sets out how PII is collected, handled and stored in order to meet our data protection standards and to comply with the law.

Table of Contents

  1. Introduction
  2. Why This Policy Exists
  3. Data Protection Law
  4. People, Risks and Responsibilities
  5. General Employee Guidelines
  6. Data Storage
  7. Data Use
  8. Data Accuracy
  9. Subject Access Requests
  10. Data Breach Notifications
  11. Disclosing Data For Other Reasons
  12. Providing Information
  13. Contacting The ICO

Introduction

Vario Press Limited needs to gather and use certain information about individuals.

These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company's data protection standards — and to comply with the law.

Why This Policy Exists

This Data Protection Policy ensures Vario Press Limited:

Data Protection Law

The General Data Protection Regulation describes how organisations, including Vario Press Limited, must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

This is the eighth data protection principle, but other principles of the GDPR will also be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require organisations to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place if using sub-contractors abroad.

Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

The GDPR creates some new rights for individuals and strengthens some of the rights that existed in the Data Protection Act. The GDPR provides the following rights for individuals:

People, Risks and Responsibilities

Policy Scope

This policy applies to:

Data Protection Risks

This policy helps to protect Vario Press Limited against some very real data security risks, including:

Responsibilities

Everyone who works for, or with Vario Press Limited has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

The Directors are responsible for ensuring that the Company meets its legal obligations and that resource and investment are considered to ensure the security of assets.

All Vario Press Employees are responsible for:

The Chief Compliance & Data Protection Officer (CC & DPO) (Management Representative) is responsible for:

The Human Resources Manager is responsible for:

The Contracts Officer is responsible for reviewing, drafting and advising on any contracts or agreements with clients for whom we process data and for any third parties that may have access to sensitive data on behalf of Vario Press prior to approval sign-off by a Director.

The Head of IT is responsible for:

Department Heads & Managers are responsible for:

The Marketing Manager is responsible for:

General Employee Guidelines

The only people able to access data covered by this policy should be those who need it for their work. Data must not be shared informally. When access to confidential information is required, employees can request it from their line managers.

Vario Press Limited will provide training to all employees to help them understand their responsibilities when handling data. Employees must keep all data secure, by taking sensible precautions and following the guidelines below. In particular, strong passwords must be used and they should never be shared.

Personal data must not be disclosed to unauthorised people, either within the company or externally. Employees must request help from their line manager or the Chief Compliance Officer if they are unsure about any aspect of data protection.

Data Storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the Group IT Manager or Chief Technical Officer.

When data is stored on paper, it must be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

Data Use

Personal data is of no value to Vario Press Limited unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

Data Accuracy

The law requires Vario Press Limited to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort Vario Press Limited should put into ensuring its accuracy.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

Subject Access Requests

All individuals who are the subject of personal data held by Vario Press Limited are entitled to:

External Subject Access Requests from individuals should be made in writing to:

Chief Compliance & Data Protection Officer
Vario Press Limited
Marish Wharf
St. Mary’s Road
Langley
Slough
Berkshire
SL3 6DA

Once approved, the Chief Compliance & Data Protection Officer will provide the relevant data within 30 days.

The data controller will investigate with relevant parties for verification of the identity of anyone making a subject access request before providing any information.

Data Breach Notifications

What Is A Personal Data Breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

What Breaches Need To Be Notified To The Relevant Supervisory Authority?

A breach that is likely to result in a risk to the rights and freedoms of individuals needs to be notified. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

This has to be assessed on a case-by-case basis. For example, the loss of customer details that leaves individuals exposed to identity theft would require notification to the relevant supervisory authority. On the other hand, the loss or inappropriate alteration of an employee telephone list, for example, would not normally meet this threshold.

When Do Individuals Have To Be Notified?

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, Vario Press's HR Manager will notify the employees concerned directly or, where the breach relates to Vario Press's clients' data, the agreed escalation process will be followed.

The 'high risk' threshold for notifying individuals is higher than the threshold for notifying the relevant supervisory authority.

Notification Of A Breach

A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows the information to be provided in phases.

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

A breach relating to client data being processed by Vario Press will be reported in accordance with Data Protection Agreements between the two parties.

Failing to notify a breach when required to do so could result in a significant fine.

Preparing To Report A Breach

Vario Press Limited provides training to ensure employees understand what constitutes a data breach, and that this is more than a loss of personal data.

Vario Press has a system and procedure in place to accommodate the reporting of a breach. This facilitates decision-making about whether Vario Press needs to notify the relevant supervisory authority or the public.

In light of the tight timescales for reporting a breach, Vario Press Limited has robust breach detection, investigation and internal reporting procedures in place, in addition to Data Protection Agreements with its clients.

Disclosing Data For Other Reasons

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Vario Press Limited will disclose requested data. However, the Chief Compliance Officer will ensure the request is legitimate, seeking assistance from the board and from the company's legal advisers where necessary.

Providing Information

Vario Press Limited aims to ensure that individuals are aware that their data is being processed, and that they understand:

Contacting The ICO

Data Subjects wishing to report a data protection breach can do so by using the following link for the Information Commissioner's Office (ICO): https://ico.org.uk/