You have a legal right to be informed about how our organisation uses any personal information that we hold about you. To comply with this, we provide a ‘privacy notice’ to you where we are processing your personal data.

This privacy notice explains how we collect, store and use personal data about you.

We, Gateway HR & Training Limited are the ‘data controller’ for the purposes of data protection law.

Gateway HR is registered with the Information Commissioners Office (ICO) as a data controller.

Our data protection officer is Theresa Wright (see ‘Contact us’ below).

The personal data we hold

We process data relating to our employees, our clients and employees of our clients.  Personal data that we may collect, use, store and share (when appropriate) includes, but is not restricted to:

  • Contact details and job title
  • Contact information including email address, (we may also collect information that is available from your browser) and telephone number
  • Information relating to the employment records of our clients’ data subjects
  • demographic information such as postcode, preferences and interests
  • other information relevant to customer surveys and/or offers
  • We may keep a record of any correspondence that you send to us.
  • Details of your visits to our website including but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access.
  • Details of transactions you carry out through the website and of the fulfilment of your order.
  • Applications for roles we are recruiting, either on behalf of clients or ourselves.
  • Occupational health records on behalf of our clients to enable us to assist clients to make informed decisions about supporting employees in their roles.
  • As an applicant for a role you will be required to provide proof of your identity and proof of your qualifications prior to receiving a job offer.
  • As part of a recruitment process a criminal records declaration may be required to declare any unspent convictions, in roles that require such checks to be completed.
  • Photographs
  • CCTV images
  • Date of birth and gender (training delegates – when required by accreditation bodies)
  • Assignments (training delegates)
  • Details of any learning difficulties (training delegates)
  • Qualification results (training delegates)
  • Other qualifications held

We may also collect, store and use information about you that falls into “special categories” of more sensitive personal data. This includes information about (where applicable):

  • Health, including any medical conditions relating to both physical and mental health

Our legal basis for using this data

We only collect and use personal information about you when the law allows us to. Most commonly, we use it where we need to:

  • Fulfil a contract we have entered into with you
  • Comply with a legal obligation
  • You have given us consent to use it in a certain way
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Less commonly, we may also use personal information about you where:

  • We need to protect your vital interests (or someone else’s interests)
  • Carry out a task in the public interest

Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent and explain how you go about withdrawing consent if you wish to do so.

Some of the reasons listed above for collecting and using personal information about you overlap, and there may be several grounds which justify the organisation’s use of your data.

Why we use this data

The purpose of processing your information is to understand your needs and to help us provide you with an effective service.

Purpose Legal basis To whom it applies
Internal record keeping. Legitimate interest All
Providing clients with the appropriate support, information, products and services in relation to any contractual obligations Legitimate interest Clients and employees of clients
Progressing a person’s application, assessing a person’s suitability for a role Legitimate interest Potential employees of Gateway and our clients
To confirm the identity of our employees and those employees of our clients and their right to work in the United Kingdom. Legal obligation Potential employees of Gateway and our clients
To enable us to complete pre-employment checks for either our clients or us. Legal obligation and Legitimate interest Potential employees of Gateway and our clients
Bank details to process payments such as salaries, invoices or to set out direct debit instructions for clients Legitimate interest All
To enable our clients to fulfil any contractual obligation set out in the written statement of employment terms and conditions Legal obligation and Legitimate interest Clients and employees of clients
Support learning / development Legitimate interest Gateway employees and all engaging in our training and development services
Monitor and report on learning/development progress and check whether any additional support is needed Legitimate interest Gateway employees and all engaging in our training and development services
Track how well the Tutors/Trainers/Coaches and the organisation as a whole are performing Legitimate interest Gateway employees and all engaging in our training and development services
Look after individual wellbeing and that of others Legal obligation Legitimate interest All
To improve our products and services Legitimate interest All
Carry out research Legitimate interest All
Comply with the law relating to data sharing Legal obligation and Legitimate interest All
Comply with health and safety obligations, completion of accident book and RIDDOR reporting Legal obligation and Legitimate interest All
Ensure client welfare and staff welfare through CCTV monitoring Legitimate interest All employees and visitors to Gateway premises
Monitor use of our information and communication systems to ensure compliance with our internal procedures Legitimate interest Employees
Promote Gateway HR and Training on the website and social media pages. Consent All
We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided. Consent Clients and potential clients

Collecting this information

We collect your personal data by a variety of means including online communication, telephone communication and via face to face contact. We may also collect additional information from third parties including employers, employees and other professional bodies.

Whilst you are engaged with our company we may need to collect additional personal information from you not identified on the above list but before doing so we will provide you with a written notice setting out details of the purpose and the lawful basis of why we are collecting that data, its use, storage and your rights.

While the majority of information we collect from you is mandatory, there is some information that you can choose whether or not to provide to us.  Whenever we seek to collect information from you, we make it clear whether you must provide this information (and if so, what the possible consequences are of not complying), or whether you have a choice.

How we store this data

All data provided is stored on a secure local server with appropriate restricted access and electronic procedures. The data on the server is backed up with a third-party data security company. Your information will not be transferred outside of the European Economic Area.

We use Infusionsoft as a marketing tool and data base.  Although this is an American software company, they have confirmed that they have taken the necessary steps to be GDPR compliant.

We use Basecamp, a project management software tool, to share information relating to current HR client issues that we are dealing with. The information stored is a brief update, to ensure that any HR consultant understands the progress of a project and can provide appropriate, timely advice to the client. The storage used by Basecamp is a combination of AWS, Google Cloud and own managed servers which are located in the USA. Basecamp have confirmed that they have the relevant security measures in place to comply with GDPR.

We will not collect more information than we need to fulfil our stated purposes and will not keep it for longer than is necessary. Once your engagement with us has ended, we will retain all data securely before destroying the information in accordance with our Retention of personal data policy.  A copy of the policy can be requested from the DPO. 

Data sharing

We will never sell, rent or trade information about you to other companies. Your data will not be supplied to anyone except as described in this privacy notice, unless we are obliged by law to disclose it.

Where it is legally required, or necessary (and it complies with data protection law) we may share personal information with:

  • Suppliers and service providers – to enable them to provide the service we have contracted them for, for example, payroll providers, HR system providers and Occupational Health providers. In these instances, we will ensure that any such provider follows the same obligations of security with regards to your data as us.
  • Central and local government
  • Educators and examining bodies
  • Health authorities
  • Health and social welfare organisations
  • Police forces, courts, tribunals
  • Professional bodies

In certain circumstances, this information may be shared after you have ceased engagement with Gateway HR & Training Ltd. 

Transferring data internationally

In the unlikely event that we need to transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.

Your rights

How to access personal information we hold about you

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the organisation holds about them.

If you make a subject access request, and if we do hold information about you, we will:

  • Give you a description of it
  • Tell you why we are holding and processing it, and how long we will keep it for
  • Explain where we got it from, if not from you
  • Tell you who it has been, or will be, shared with
  • Let you know whether any automated decision-making is being applied to the data, and any consequences of this
  • Give you a copy of the information in an intelligible form

You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances.

If you would like to make a request, please contact our data protection officer.

Your other rights regarding your data

Unless subject to exemption under GDPR law, individuals have certain rights regarding how their personal data is used and kept safe. You have the right to:

  • Object to the use of your personal data if it would cause, or is causing, damage or distress
  • Prevent your data being used to send direct marketing
  • Object to the use of your personal data for decisions being taken by automated means (by a computer or machine, rather than by a person)
  • Withdraw your consent to the processing at any time, where consent was the lawful basis for processing the data
  • In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing
  • Claim compensation for damages caused by a breach of the data protection regulations

To exercise any of these rights, please contact our data protection officer.


We take any complaints about our collection and use of personal information very seriously.

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.

To make a complaint, please contact our data protection officer.

Alternatively, you can make a complaint to the Information Commissioner’s Office:

  • Report a concern online at
  • Call 0303 123 1113
  • Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Contact us

If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our data protection officer:

What we do

Who we are