Privacy Policy



Aros acknowledges that everyone has rights with regard to the way in which their personal data is handled.

Aros will collect, store and process personal data about its employees (past, present and prospective), clients, suppliers and other third parties in accordance with our statutory obligations, including the General Data Protection Regulation 2016 (GDPR).

Data users (see Definition of Data Protection Terms) are obliged to comply with this policy when processing personal data on Aros’ behalf. Any breach of this policy may result in disciplinary action.

Aros, as a data controller, is registered with the Information Commissioner’s Office (ICO), registration number ZA284823.


About This Policy

This policy applies to all individuals working for Aros at all levels, including directors, senior managers, staff, consultants, agency staff, agents or any other person associated with us wherever located.

The types of personal data that Aros may be required to handle include information about current, past and prospective employees, clients, suppliers, users of its website and others that Aros communicates with.

The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the General Data Protection Regulation 2016 (GDPR) and other regulations.

It is Aros’ policy to ensure that our compliance with the GDPR and other relevant legislation is clear and demonstrable at all times.

This policy and any other documents referred to in it sets out the basis on which Aros will process any personal data it collects from data subjects, or that is provided to Aros by data subjects or other sources. It also sets out rules on data protection and the legal conditions that must be satisfied when Aros obtains, handles, processes, transfers and stores personal data.

Anyone processing personal data on behalf of Aros must only do so as instructed and in accordance with this policy and any other policy or procedure designed to ensure our compliance with our legal obligations.


Definition of Data Protection Terms

Data is the information which is stored electronically, on a computer or in certain paper-based filing systems.

Data Subjects for the purpose of this policy include all living individuals about whom Aros hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information. In Aros, data subjects include current, past and prospective employees, suppliers, contractors and clients.

Personal Data means data relating to a living individual who can be identified from that data (or from that data and other information in Aros’ possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions or behaviour.

Data Controllers are the people who, or organisations which, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with regulation. Aros is the data controller of all personal data used in its business for its own commercial purposes.

Data Users are those Aros employees whose work involves handling (‘processing’ in Data Protection terms) personal data. Data users must protect the data they handle in accordance with this data protection and any applicable data security procedures at all times. Data users are likely to include people in ‘Administration’ roles (including studio management, finance, senior management and Directors).

Data Processors include any person or organisation that is not a data user that processes personal data on Aros’ behalf and on Aros’ instructions e.g. IT support, pensions, accountants, health insurance brokers

Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

Sensitive Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any such court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.


Our Principles

Anyone processing personal data must comply with the Article 5 of the GDPR that requires that personal data shall be:

Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)

Collectedfor specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’)

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

The controller shall be responsible for, and be able to demonstrate, compliance with the principles (‘accountability’)

Aros must ensure that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems.


Addressing Compliance to the GDPR

The following actions are undertaken to ensure that Aros complies at all times with the accountability principle of the GDPR:

The legal basis for processing personal data is clear and unambiguous

All staff involved in handling personal data (data users) understand their responsibilities for following good data protection practice

Training in data protection has been provided to all staff as necessary

Rules regarding consent are followed

Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively

Regular reviews of procedures involving personal data are carried out

Privacy by design is adopted for all new or changed systems and processes

These actions will be reviewed on a regular basis as part of the management review process of the information security management system.

more Privacy Impact Assessments (PIA).