GDPR & privacy policy for staff

Third City is committed to protecting your privacy and complies with the Data Protection Act 1998 and General Data Protection Regulation (GDPR).  In particular, we want you to know that Third City is not in the business of selling, renting or trading email lists with other companies and businesses for marketing purposes.

In this Privacy Policy, we’ve provided lots of detailed information on when and why we collect personal information, how we use it, the limited conditions under which we may disclose it to others and how we keep it secure.

It has also been developed to help you understand how GDPR legislation affects you as an employee at Third City. It will explain what to do when you handle personal data, so that you are better informed, and so that you can help us comply with our responsibilities. It also lets you know what information we keep about you, and how we make sure that it’s processed and stored safely.

Information protected by GDPR

• Personal case studies we use for the media

• Event registrants, competition entrants

• Social media information we collect on influencers, fans, group members etc.

• Details about our employees

• Personal details about our suppliers

• Personal details about journalists (the sort of information we might put on briefing documents like their personal mobile phone number)

• Personal information about our clients (like their home addresses, phone numbers, birthday details etc.)

Information NOT protected by GDPR

• Personal case studies for the media where they’re anonymous

• Clients’ work details – office addresses, phone numbers

• Supplier or journalist work details

• Office addresses, phone numbers

How to comply with GDPR procedures when you’re working with personal data

If you’re working with personal data, please make sure you follow these instructions.

• When we collect any personal data (name/date of birth/contact details) as case study information from the public, we need to keep it in a locked, password-protected Excel file.

• The same goes for any personal data we collect for any other reason (e.g. for an event, competition or for influencer work, etc.)

• We also need to delete the information after 365 days.

• We also must have written permission to collect personal data, like case studies, and to use them for the media.

• If you’re using a Google Doc to store personal data, check the privacy settings and ensure it cannot be shared (i.e. with anyone with a link)

• If you’re unsure what policies apply to the information you’re working with, check first – either with your line manager, or Suzie Barrett.

How to store information correctly 

The best way we can protect information is to store it properly. You’re not responsible for the IT infrastructure at Third City, which includes the servers, firewalls, networking and software, but you are responsible for helping us to protect the information as best as you can. This means:

• Saving information (with personal data details) correctly, in our password protected pCloud

• Being careful not to alter the sharing settings of documents

• Not saving documents (with personal data details) to your personal desktops

• Keeping your email and laptop passwords up to date – changing them regularly is a good idea

• Not sharing your passwords or login details with anyone else

Rules around sharing information

It’s critical that you do not share company documents – which include personal information – with outside parties. If we do need to do this, we need to have informed the people included and have their written permission. If you’re not sure whether you can share information or not, please check with your line manager or Suzie Barrett before you do it. Remember too, not to share information by sending it to your personal email addresses, or to friends and family.

Looking after information on the move

With more remote working, it’s important we keep laptops/mobiles secure so that we don’t fall victim to any data breaches. You can help us do this by:

• Keeping your passwords up to date, and changing them regularly

• Making sure you have the latest security software installed. If you’re not sure you do, contact your line manager or

• Keeping laptops and phones in good condition and in a safe, secure place. Don’t leave them in public places, and make sure you don’t lend them to friends or family to use

• Using your phone tethering feature or cellular Internet service instead of free Wi-Fi whenever possible

• Never conducting financial transactions, including any transaction requiring a personal or work debit or credit card, when using public or free Wi-Fi services

• Backing up regularly (or even better, don’t use local storage at all)

Reporting breaches

If we’ve had a data breach, we must report it to the Data Protection Commission (DPC) within 72 hours of becoming aware of it. Breaches that may harm a data subject, for example, identity theft, must also be reported to the person concerned. If we don’t report a breach quickly enough, we may be fined.  This means that we need you to tell us about any data breach straight away. If you think that personal information you store may have been compromised or shared in error, or if you’ve lost your company laptop or phone, please tell your line manager AND a member of Panda/Suzie Barrett as soon as possible.

Employee information we collect

We collect personal information you knowingly provide to us such as your name, date of birth, phone number, address, bank details, email addresses and, in some cases, medical history. If you completed the diversity questionnaire, we also collect sensitive data; this includes data relating to a data subject’s gender, ethnic origin, religious beliefs, sexual orientation and educational attainment.

Why is there a diversity questionnaire?

The diversity questionnaire allows Third City to monitor the effectiveness of our strategies and recruitment to ensure they are open to all sections of the community. We designed the ‘Diversity Questionnaire’ with the intention of having a separate, confidential record of your name, where you obtained information about the Third City vacancy you applied for, and information about certain characteristics listed within the Equality Act 2020: age, disability, race, religion or belief (including non-belief), sex and sexual orientation. It is helpful if these questionnaires are completed; however, they are not compulsory.

How do we store and process this personal information?

We take every precaution to ensure that your personal information is kept safely, securely and privately. This means that it’s stored on our secure pCloud, in a locked, password-protected file. Only Panda (the data controller – Suzie Barrett and Lee Turley) has access to this information. Our servers and systems are protected by antivirus and security programs to ensure they’re as secure as possible.

Access to your data

You are entitled to view, amend, or delete the personal information that we hold. Email your request to our Data Protection Manager (DPM) Suzie Barrett  – her email address is She will ensure your data request is handled in accordance with GDPR.

Your rights as a data subject

Under the General Data Protection Regulation (GDPR), data subjects (you) have a number of rights:

The right to be informed – about the collection and use of individuals’ personal data, including: our purposes for processing personal data, our retention periods for that personal data, and who it will be shared with

The right of access – Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing

The right to rectification – individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. You can make a request for rectification verbally or in writing. We have one calendar month to respond to any request

The right to erasure – individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. You can make a request for rectification verbally or in writing. We have one calendar month to respond to any request

The right to restrict processing – Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, you are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing. We have one calendar month to respond to a request

The right to data portability – Individuals have the right to receive copies of the data we hold upon request. We have one calendar month to respond to any request

The right to object – Individuals have a right to object to processing based on legitimate interests or the performance of a task in the public interest, or direct marketing

Clients and supplier information we collect

We collect data including name of client or supplier, company address, email address and telephone numbers. We collect this data based on the need for processing and performing our contract.

We collect personal data about contacts (potential clients) using a third-party new business agency, Manifest.

Personal data relating to business contacts may be visible to and used by Third City’s employees to learn more about an account, client or opportunity they have an interest in, and may be used for the following purposes:

• Administering, managing and developing our businesses and services

• Providing information about us and our range of services

• Identifying clients/contacts with similar needs

Personal data will be retained for as long as it is necessary for the purposes set out above (e.g. for as long as we have, or need to keep a record of, a relationship with a business contact).  

Journalists/media information we collect

We collect name, company address, email address and telephone numbers. We collect this data based on the need for processing and performing our contract. As part of our role as a public relations company, we will contact journalists/media regularly to place news stories. We use the third-party media intelligence portal Gorkana as our media database. Please see Gorkana’s privacy notice (


We collect data including name, address, email address and telephone numbers. We collect this data based on a lawful basis for processing and for recruitment purposes.

We will advertise any jobs at Third City on our website and ask applicants to send in their CV and a covering letter. If candidates choose to send us their details, we will save them for review at a future date. The data will be securely stored on our server, with strictly limited access. If candidates wish for us to delete or change their information, they can let Suzie Barrett, our Data Protection Manager, know and she will process this request.

Who we disclose information to

We will only pass on information about you as an individual (as opposed to aggregated information) to third parties to enable us to perform services requested by you or with your prior consent.

Data Protection

Third City is registered with the Information Commissioner in the UK as a ‘data controller’ in accordance with the provisions of GDPR. Further details of the registration are available at


Keeping information about you secure is very important to us. However, no data transmission over the Internet can be guaranteed to be totally secure. As a result, while we strive to protect your personal information, we cannot ensure or warrant the security of any information which you deliberately send to us, and you do so at your own risk.

Changes to this privacy notice

Finally, we keep this privacy notice under regular review. It was last updated on 11 December 2020.