Thunderhead Data Protection and Security Policy v4 0_Page_01
Click to download

1. Introduction

Thunderhead is committed to preserving the confidentiality and integrity of all information it holds and processes and to operating its business in compliance with the requirements of the UK Data Protection Act 1998, the EU Data Protection Directive (95/46/EC) and related rules.

We recognise the importance of Personal Data and of respecting the privacy rights of individuals. This Data Protection & Security Policy (“Policy”) sets out the principles which we apply to our Processing of Personal Data and use of Confidential Information so that we not only safeguard one of our most valuable assets, but also that which belongs to our customers and employees. For the most part we process this information in one of two capacities, either : (i) as a Data Controller for our own internal business operations, such as human resources, administration, marketing, sales etc. or (ii) as a Data Processor when carrying out our software-as-a-service (or “SaaS”) operations for our customers. However for certain software products, Thunderhead will undertake processing in both capacities and employees will be specifically advised when they are processing Personal Data in both capacities.

Although the Legislation places most of the obligations upon the Data Controller, it is the responsibility of all Thunderhead employees to apply the provisions of this Policy in relation to all Processing of Personal Data and handling of Confidential Information, whether Thunderhead is acting as Data Controller or Data Processor (or both). Thunderhead provides employees with regular instruction in respect of such matters.

Thunderhead complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Thunderhead has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Thunderhead’s certification, please visit

Any questions about this Policy should be raised with the Data Protection Officer whose details are at the end of this Policy.

2. Definitions

The following key words and phrases are used within this Policy:

“Confidential Information”
means all information (however recorded, preserved or disclosed) disclosed to Thunderhead or its representatives, whether or not marked as “confidential”, including but not limited to:

(a) Personal Data, any information designated as confidential or commercially sensitive or that which is, by its nature, clearly confidential,
(b) the business, affairs, customers, clients, suppliers, plans, developments, intentions, or market opportunities of the disclosing party or of the disclosing party’s group;
(c) the operations, processes, product information, know-how, designs, trade secrets or software of the disclosing party or of the disclosing party’s group; and
(d) any information or analysis derived from Confidential Information;
but not including any information that:
(a) is or becomes generally available to the public other than as a result of its disclosure by Thunderhead in breach of this Policy;
(b) was available to Thunderhead on a non-confidential basis prior to disclosure by the disclosing party;
(c) is received by Thunderhead from a third party who lawfully acquired or developed it and who is under no obligation of confidentiality in relation to its disclosure;
(d) the parties agree in writing is not confidential or may be disclosed; or
(e) is independently developed by Thunderhead without the use of the disclosing party’s Confidential Information.

means information that is processed electronically (e.g. by computer); is recorded manually (e.g. on paper) with the intention of being processed electronically; or is recorded as part of any filing system structured by reference to individuals or criteria relating to them in such a way that specific information relating to a particular individual is readily accessible;

“Data Controller”
means the organisation that determines the purposes for which and the manner in which Personal Data are processed;

“Data Processor”
means the organisation that processes Personal Data on behalf of the Data Controller;

“Data Subject”
means a living, identifiable individual about whom Personal Data is processed;

“Personal Data”
means Data which relate to a living individual who can be identified from those Data or from those Data and other information which is in the possession of or is likely to come into our possession as Data Controller or Data Processor, as the case may be. Personal Data include opinions and any indications of our intentions towards an individual;

includes obtaining, recording, holding, altering, retrieving, consulting, using, disclosing, blocking, erasing or destroying Personal Data;

“Sensitive Personal Data”
means information about the Data Subject relating to the (a) racial or ethnic origin, (b) political opinions, (c) religious beliefs or other beliefs of a similar nature, (d) trade union membership, (e) physical or mental health or condition, (f) sexual life, (g) commission or alleged commission by any offence, and (h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

3. Data Protection Principles

Thunderhead is committed to complying with the data protection principles set out in the Legislation. Under the UK Data Protection Act, these are set out as eight data protection principles, under which Personal Data must:

  1. be processed fairly and lawfully;
  2. be obtained and processed only for one or more specified and lawful purposes;
  3. be adequate, relevant and not excessive in relation to the purpose;
  4. be accurate and, where necessary, kept up to date;
  5. be kept for no longer than is necessary for the purpose;
  6. be processed in accordance with the rights of Data Subjects under the Legislation;
  7. be held securely and appropriate technical and organisational measures must be taken against unauthorised or unlawful Processing and against accidental loss, destruction or damage;
  8. not be transferred to a country or territory outside the European Economic Area unless adequate protection is in place.

Thunderhead has notified the Information Commissioner’s Office of the types of personal information it processes and the purposes for which it does so.

Further details of how Thunderhead complies with these principles are set out below.

1.1 Principle 1 – Fair & Lawful Processing

Fair Processing

The Legislation requires that Personal Data must be processed fairly. This means the Data Controller must ensure transparency of Processing so that Data Subjects are aware of who is Processing their Personal Data and why. This is primarily an obligation on the Data Controller who determines what is being processed and is much less relevant to a Data Processor who does not determine what is processed.

This obligation affects Thunderhead primarily when acting as a Data Controller in relation to the operation of our own internal business. For example all employees’ terms of employment contain a data protection notice which includes the following information:

  • the identity of the Data Controller (i.e. Thunderhead);
  • the purposes for the Processing ;
  • any other information that is necessary to make the Processing fair (such as any recipients of the Data and their purposes, a reminder of the Data Subject’s right of access (see below) and correction and whether any of the information we are asking for is mandatory or voluntary);

In the case of Thunderhead marketing activities e.g. advertisement of Thunderhead products and services on our website, we include a description of the communication channels that we intend to use. If any of those channels involve marketing by email, SMS, fax or automated calling systems, we will (as a general rule) obtain the Data Subject’s consent by means of a suitable (reversible) opt in provision. Where we obtain Personal Data directly from the Data Subject (e.g. as a result of a telephone call, or online capture) we give the notice to the Data Subject at the time we obtain their Data. Where we obtain Personal Data about a Data Subject from a third party source (e.g. an agent) we provide the data protection notice as soon as reasonably practicable after we have started Processing their Data (unless it would be a disproportionate effort to do so).
Accordingly where we act as a Data Processor for our SaaS customers, the obligation to issue any necessary data protection notices rests with our customer.
Lawful Processing

This is primarily an obligation for Data Controllers and for the most part only affects Thunderhead in the operation of our own internal business. Thunderhead will only process Personal Data where it is justified under one of the following conditions:

  • the Data Subject has given his consent to the Processing; or
  • the Processing is necessary:
    • in order to enter into or perform a contract with the Data Subject;
    • for compliance with a legal obligation to that applies to Thunderhead (other than an obligation under a contract);
    • in order to protect the vital interests of the Data Subject (i.e. a life or death situation);
    • for the purposes of legitimate interests pursued by the Data Controller or by the third party to whom the information is disclosed, except where the Processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject.

Processing Sensitive Personal Data

In addition, where Thunderhead processes Sensitive Personal Data, due to the sensitive and sometimes confidential nature of this category of Personal Data we will only process Sensitive Personal Data where it is justified under one of the following additional conditions:

  • the Data Subject has given explicit consent to the Processing; or
  • the Processing is necessary for:
    • Thunderhead to comply with employment law;
    • the protection of the vital interests of the Data Subject or another person, where the Data Subject’s consent cannot be given or has been unreasonably withheld, or where the Data Controller cannot reasonably be expected to obtain consent;
    • the purposes of legal proceedings or for obtaining legal advice, or otherwise for establishing, exercising or defending legal rights;
    • medical purposes and is undertaken by a health professional or someone subject to an equivalent duty of confidentiality;
    • monitoring equality of opportunity and is carried out with appropriate safeguards for the rights of Data Subjects.
    • the prevention or detection of any unlawful act, and must necessarily be carried out without the explicit consent of the Data Subject being sought so as not to prejudice those purposes;
    • research purposes in the substantial public interest and it does not support measures or decisions with respect to any particular Data Subject and does not cause, nor is likely to cause, substantial damage or distress to the Data Subject or any other person.

1.2 Principle 2 – Collection & Processing For Specified & Lawful Purposes

The Legislation requires that Personal Data must be obtained by Data Controllers only for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with those purposes.

Accordingly the purposes for which Thunderhead will process Personal Data as a Data Controller are set out below:

  • Staff Administration
  • Advertising, Marketing and Public Relations
  • Advertising, Marketing and Public Relations on behalf of customers
  • Accounts and Records
  • Consultancy and Advisory Services
  • Information and databank administration.

Thunderhead will not process Personal Data for any other purpose unless the Data Subject gives consent. Where Thunderhead acts as a Data Processor for a SaaS customer the responsibility for obtaining any such consent rests with the relevant SaaS customer.

1.3 Principle 3 – Adequate, Relevant And Not Excessive

The Legislation requires that Personal Data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed and that it must be kept up to date.
To fulfil the requirement for Personal Data to be adequate, relevant and not excessive, Thunderhead ensures that when acting as Data Controller:

  • we identify the Personal Data needed for a particular purpose and we collect the minimum amount required to properly fulfil that purpose;
  • we do not hold Personal Data on a ‘just-in-case’ basis or because we think it might be useful in the future except where a Data Subject consents, e.g. a prospective employee agrees to us retaining Personal Data should a suitable vacancy arise;
  • we keep Data up to date; and
  • we do not keep Data for too long.

1.4 Principle 4 – Accurate & Up To Date

When inputting Data onto our system in our capacity as a Data Controller, Thunderhead takes reasonable steps to ensure the Data is accurate and may contact Data Subjects for clarification if we are unsure as to the accuracy of certain information.

Thunderhead will not be in breach of this principle, even if we are holding inaccurate Data if:

  • we accurately recorded those Data when we received them from the Data Subject or a third party;
  • we took reasonable steps to ensure the accuracy of those Data; and
  • if the Data Subject has notified us that the Data are inaccurate, we have taken steps to indicate this fact.

Thunderhead takes reasonable steps to keep Data up to date to the extent necessary.

1.5 Principle 5 – Kept For No Longer Than Is Necessary

The Legislation requires that Personal Data processed for any purpose must not be kept for longer than is necessary for that purpose.

Thunderhead reviews the Personal Data it holds on a regular basis and, where relevant, securely removes any Data which is no longer required in connection with the purpose for which it was originally obtained. Securely removes means that any printed material is appropriately shredded or electronic media has the record removed from it relating to the subject including from backups, in a manner that the material is not normally retrievable.

Where Thunderhead acts as Data Processor and holds Data on its servers on behalf of its customers that the customer has input directly into Thunderhead’s system, the customer will be responsible for maintaining such Data and deleting any Data that is no longer required. Thunderhead will return or destroy all Data held on behalf of a SaaS customer in accordance with the terms of the relevant contract with that customer.

1.6 Principle 6 – Processed In Accordance With The Rights Of Data Subjects

Data Subjects have certain rights under the Legislation to access their Data and to prevent processing in certain circumstances. Most requests will come from our employees where Thunderhead is a Data Controller, although Thunderhead will also have to respond to subject access requests from the customers of our SaaS customers.

Right of Subject Access

If Thunderhead receives a written request from a Data Subject for access to his/her Personal Data, we will respond within 40 days of receipt of the request and provide a description of:

  • the Personal Data relating to that Data Subject;
  • the purposes for which the Data are being processed;
  • the recipients of the Data;
  • the information constituting the Personal Data; and
  • the source of those Data (if available).

Thunderhead reserves the right to charge the Data Subject a fee for the provision of this information as defined by the Legislation. Where the Data is held on behalf of a SaaS customer, Thunderhead will notify that customer of such request for access and give the SaaS customer the option to deal with the request itself.

Right to Prevent Processing Likely to Cause Damage or Distress

Data Subjects have the right to ask us not to process their Personal Data if the Processing of the Data in a particular way or for a particular purpose is causing, or is likely to cause, damage or distress to that Data Subject or another person; and that damage or distress is, or would be, unwarranted.

If we receive a written request from any person exercising this right, we will respond within 21 days of receipt of the request and confirm that we have either complied or intend to comply with the request, or stating our reasons for non-compliance. Where this occurs in the case of Thunderhead acting as a Data Processor for a SaaS customer, the request must be forwarded to the relevant SaaS customer and the Data Subject advised whether Thunderhead has the authority to cease processing the Personal Data.

Right to Prevent Processing for the Purposes of Direct Marketing

If we receive a request from a Data Subject that we stop Processing their Personal Data for direct marketing purposes, we will take the appropriate action to ensure that the individual’s details are suppressed on our marketing database and the individual is no longer contacted by us for marketing purposes.

Right to Object to Automated Decision Taking

Data Subjects have the right to object to automated decisions being taken about them in relation to important matters that significantly affect them (such as evaluating performance at work, creditworthiness, reliability or conduct).

If we receive a written request from any person exercising this right, we will respond within 21 days of receipt of the request and inform the individual of the steps that we intend to take to comply with the request. Where this affects the services being provided to a SaaS customer, Thunderhead will notify the relevant SaaS customer before responding to the Data Subject.

1.7 Principle 7 – Security And Technical And Organisational Measures

The Legislation requires Thunderhead to take appropriate technical and organisational measures to safeguard Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Thunderhead has put in place a number of technical and organisational measures and procedures which we apply not only to Personal Data, but also to all information we hold, including Confidential Information and information of any other kind that is used within the business.

Details of our technical and organisational measures are available upon request.

Where Thunderhead uses third parties to process Personal Data on our behalf, they will be acting as our Data Processors and we will ensure that we:

  • put in place a contract in writing with each of our Data Processors under which they agree to act only on instructions from us;
  • include the right to audit our Data Processors to ascertain compliance with the data protection requirements in their contract; and
  • ensure that the Data Processor agrees to comply with obligations equivalent to those set out in this Policy.

1.8 Principle 8 – Overseas Transfers

The Legislation requires that Personal Data must not be transferred to a country or territory outside the European Economic Area (i.e. the member states of the EU plus Iceland, Liechtenstein and Norway), unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.

Thunderhead has offices across the world and there may be occasions where it is necessary to transfer Data between these offices or to third parties to process Personal Data on our behalf. Thunderhead recognises that in addition to complying with the rules on overseas transfers contained in the Legislation it will also be necessary to comply with the privacy laws as apply in each country.

Thunderhead has put in place measures and procedures to ensure that any Personal Data transferred outside the EEA is adequately protected and that local privacy laws are observed.

4. Confidential Information

Thunderhead will keep Confidential Information (which of course extends beyond Personal Data) it receives confidential and, except with the prior written consent of the disclosing party, and will:

  • not use or exploit the Confidential Information in any way except for the purposes for which it has been disclosed;
  • not disclose or make available the Confidential Information in whole or in part to any third party, except as expressly permitted by the disclosing party;
  • not copy, confirm in writing or otherwise record the Confidential Information except as strictly necessary for the purposes for which it has been disclosed and any such copies, confirmations or records shall remain the property of the disclosing party; and
  • apply the technical and organisational measures as Annexed to this Policy to Confidential Information

Thunderhead may only disclose the Confidential Information to those of our employees who need to know this Confidential Information for the purposes for which it has been disclosed, provided that:

  • we inform those employees of the confidential nature of the Confidential Information before disclosure;
  • at all times, we are responsible for compliance of those employees with the obligations set out in this Policy and the technical and organisational measures; and
  • the employees receive the training required under the technical and organisational measures prior to such disclosure.

Thunderhead may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction provided that, to the extent we are legally permitted to do so, we give the other party as much notice of this disclosure as possible.

Thunderhead may, provided that we have reasonable grounds to believe that the disclosing party is involved in activity that may constitute a criminal offence under the Bribery Act 2010, disclose Confidential Information to the Serious Fraud Office without first notifying the disclosing party of such disclosure.

At the request of the disclosing party, Thunderhead shall:

  • destroy or at Thunderhead’s discretion, return to the disclosing party all documents and materials (and any copies) containing, reflecting, incorporating, or based on the disclosing party’s Confidential Information;
  • erase all the disclosing party’s Confidential Information from its computer systems or which is stored in electronic form (to the extent possible); and
    certify in writing to the disclosing party that it has complied with the requirements of this clause, provided that Thunderhead may retain documents and materials containing, reflecting, incorporating, or based on the Confidential Information to the extent required by law or any applicable governmental or regulatory authority and to the extent reasonable to permit Thunderhead to keep evidence that it has performed its obligations under any agreement with the disclosing party.

5. Contacts And Responsibilities

In each of Thunderhead’s offices and internal departments, we have appointed “Data Owners” who are locally responsible for ensuring that employees within their department or area receive appropriate training and are working in compliance with this Policy. The Data Owners undertake regular assessments of Data types and ensure that the right levels of protection are in place.

Thunderhead has appointed an overall Data Protection Officer who is responsible for:

  • acting as a key point of contact for data protection queries and the reporting of breaches for all Data Owners, employees, customers and Data Subjects;
  • monitoring and ensuring the compliance with this Policy across the whole of the Thunderhead group worldwide and dealing with any disputes which may arise concerning Data Protection issues;
  • conducting reviews of internal procedures to ensure that they continue to provide adequate protection of Data and Confidential Information;
  • liaising with Data Owners to deliver training, improve security awareness and communicate information relating to this Policy to employees;
  • updating this Policy to reflect any changes in data protection laws;
  • registering with government agencies (such as the UK Information Commissioner’s Office).

If you have any queries regarding this Policy or its Schedules please contact the Data Protection Officer at our Soho Customer Experience Centre.

6. Amendments To This Policy

This Policy and its Schedules will be updated from time to time by the Data Protection Officer to reflect any changes in legislation or in our methods or practices. The current issue of the Policy will be available from our website at or from Paul Milton our Data Protection Officer.

Date of issue: November 2015
Thunderhead Data Protection and Security Policy v4 0

7. Document Control

  • Paul Milton November 2012 1.0 Final
  • Paul Milton 15th October 2013 1.0 Annual Document Review – No Changes
  • Paul Milton 22nd September 2014 1.0 Annual Document Review – No Changes
  • Paul Milton 8th September 2015 2.0 Annual Document Review – Replace with Thunderhead as company name – No approval Required
  • Paul Milton 18th November 2015 3.0 Remove references the EU/US Safe Harbor
  • Paul Milton 26th November 2015 4.0 Added – U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework

By signing this document, the undersigned indicate that the following are true:

  • The Reviewers have reviewed the contents of this document and its applicable attachments.
  • The Reviewers find the document correct and complete.
  • The Reviewers approve the document for use.