Datawoj Limited (the business) is a research and intelligence company. We handle personal data when we process survey results.

This statement sets out our approach to the General Data Protection Regulation (GDPR) together with responsibilities for implementing and monitoring compliance.

This outlines when and why we collect personal information, how we use it responsibly. It also includes a data protection policy outlining how we keep it secure.

Datawoj Ltd. Is registered as a Data Controller with the Information Commissioner’s Office (ICO). Registration number: ZA222141

For more information on GDPR please visit the Information Commissioner’s Office website.


Lawfulness, fairness and transparency:


Information held

  • The business has documented what personal data is held, where it came from, who it is shared with and what we do with it.
  • The business has conducted an information audit to map data flows.


Lawful basis for processing personal data

The business identifies the lawful basis for processing each type of personal data and documented them. In summary, the six lawful bases are:

  1. Consent: the individual has given clear consent for the business to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering a contract.
  3. Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for us to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)


  • The business has reviewed how we ask for and record consent.
  • The business has systems to record and manage ongoing consent.

Legitimate Interests

  • When we are relying on legitimate interests as the lawful basis for processing, the business has applied the three-part test and can demonstrate we have fully considered and protected individual’s rights and interests.


Individuals’ rights:

The right to be informed including privacy information

  • The business has made privacy information readily available to individuals.


Right of access

  • The business has established a process to recognise and respond to individuals’ requests to access their personal data.


Right to rectification and data quality

  • The business has processes in place to ensure that the personal data we hold remains accurate and up to date.


Right to erasure including retention and disposal

  • The business has a process to securely dispose of personal data that is no longer required or where an individual has asked for it to be erased.


Right to restrict processing

  • The business has procedures to respond to an individual’s request to restrict the processing of their personal data.


Right to data portability

  •  The business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

Right to object

  • The business has procedures to handle an individual’s objection to the processing of their personal data.

All requests related to individuals’ rights should be to the Data Protection Officer via the email address:

Rights related to automated decision – making including profiling

  • The business has identified whether any of your processing operations constitute automated decision making under Article 22 of the GDPR and has procedures in place to deal with the requirements.


Accountability and Governance:


Data Protection Policy

  • The business has an appropriate Data Protection Policy.
  • The business monitors its own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.
  • The business provides data protection awareness training for all staff.

Processor Contracts

  • The business has a written contract with any processors we use.


Information Risks

  • The business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

The information risks are covered in the appended data protection policy.

Data Protection by Design

  • The business has implemented appropriate technical and organisational measures to integrate data protection into its processing activities.

Data Protection Officer (DPO)

  • The business has appointed a DPO. Colin Wojtowycz can be contacted via

Management Responsibility

  • Decision makers and key people in our business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

The management responsibilities and approach to data protection are included within this data privacy statement.


Data Security, International Transfers and Breaches:

Security Policy:

  • The business has an information security policy supported by appropriate security measures.

The information security policy is appended to this privacy statement.


International Transfers

  • The business ensures an adequate level of protection for any personal data processed by others on our behalf that is transferred outside the European Economic Area.

Breach Notification

  • The business has effective processes to identify, report, manage and resolve any personal data breaches.



Appendix – Data Protection Policy:

Data Transfers

  • The business will avoid collecting personal data without a legitimate business reason and only collect the minimum required to meet purposes specified.
  • Data will be held in as few places as necessary. Unnecessary additional datasets will not be created.
  • Personal data will not be sent via un-secure email without prior steps to anonymise, encrypt or password protect it.
  • Personal data will not be transferred outside of the European Economic Area without prior permission of the client.


Data Accuracy 

  • Every opportunity will be taken to ensure that data is updated.
  • Data will be updated as inaccuracies are discovered.



  • We are committed to guaranteeing the security and confidentiality of any data provided by any client both during and after completion of the project.
  • We do not share personal or confidential information derived from a project with third parties unless authorised to do so.


Data Retention

  • We will discard, delete or anonymise personal data as soon as it becomes surplus to requirements.
  • We will maintain a copy of non-personal data files, questionnaire and reports for our own internal files unless agreed otherwise for a period of at least 12 months after project completion.
  • Electronic data will be securely deleted from laptop hard drives and portable devices such as memory sticks, including emptying the ‘recycle bin’ once it is no longer needed.
  • All electronic equipment will be disposed of securely including ensuring all personal data has been deleted beforehand.

Data Security

  • We will store securely, any confidential data received from clients as part of a project.
  • Laptop profiles are automatically backed up daily to a private secure cloud server located on premises.
  • Personal data is backed up to a secure approved cloud computing service (which are password protected).
  • When data is stored on paper it is kept in a secure place where unauthorised people cannot see it.
  • All printed materials will be shredded.  Only non-confidential materials are printed.
  • The company premises are always securely locked with authorised access only.
  • Data on laptops is automatically encrypted in case of loss or theft by a ‘Fire-vault’ to prevent un-authorised access.
  • Laptops are protected by a ‘Fire-wall’ which prevents unauthorised applications, programs, and services from accepting incoming connections.
  • All laptops or mobile devices such as mobile phones or tablets with email access will automatically lock after no more than 5 minutes of inactivity.
  • Laptops require strong passwords to un-lock. Access to mobile devices is secured by fingerprint encryption. All portable storage devices such as memory sticks are protected by password protected encryption.
  • Website passwords are stored securely via password protected encryption.
  • Software patches are regularly updated to ensure maximum performance efficiency is maintained.  Software installation is password protected.
  • Laptops are insured to ensure support, maintenance and business continuity.