View/Download this page (DOCX)
Purpose of the notice
This notice explains how Nexilis HR Solutions collects and uses personal data, and the rights you have under the UK GDPR and the Data Protection Act 2018. Where we are working on behalf of a client, please also read any privacy information that client gives you.
Who We Are
Nexilis HR Solutions is the controller of the personal data described in this notice where we decide how and why it is processed. Our contact details are:
| Field | Detail |
| Organisation | Nexilis HR Solutions |
| Address | 4c Pentwyn Court, Cardiff, CF14 7BY |
| Data protection contact | Claire Bounds, Director. Email: claire@nexilishrsolutions.com |
| ICO registration number | ZB383725 |
Who This Notice Is For
- people who contact us, enquire about our services, or use our website;
- people who work at our client organisations and deal with us;
- employees and workers of the organisations we support, including the workforces of clients we support under ongoing HR retainers;
- candidates, and the complainants, respondents and witnesses involved in specific matters such as investigations, grievances and recruitment; and
- our suppliers and other business contacts.
Our own employees and contractors receive separate privacy information.
When We Are a Controller and When We Are a Processor
For much of our client work, for example ongoing HR retainer support, HR advisory, employee relations, recruitment support and payroll support, we act on the client’s instructions. In those cases the client is the controller, the client’s own privacy notice is the main one that applies to you, and we handle the data under our contract with that client. Under an HR retainer, we typically process records about the client’s employees and workers, on the client’s behalf, to help it manage its people. For some work we act in our own right, for example as an independent workplace investigator or mediator, and then we are a controller and this notice applies.
The Personal Data We Collect and Where It Comes From
- Contact and enquiry data: name, contact details, the content of your message, and limited technical information when you use our website.
- Client relationship data: names, job roles, business contact details and our correspondence.
- Employee records data (HR retainer and advisory support): where we support a client with its people, records about that client’s employees and workers, such as personal and contact details, employment terms, pay and benefits, absence and sickness, performance, and conduct, grievance and disciplinary records, including special category data where it arises.
- Casework data: identity and employment details; accounts, statements, evidence, notes and correspondence; and, where relevant, special category data (such as health) and information about alleged misconduct or alleged criminal offences.
- Supplier and contractor data: contact and payment details needed to work with you.
We collect this data from you directly, from our client, from the documents, records and people involved in a matter, and, where relevant, from publicly available sources.
Why We Use Your Personal Data, and Our Lawful Bases
- To provide our services and perform our contracts: performance of a contract with you where you are our client, and our legitimate interests and those of our client in delivering the service. Where we act as a processor, we rely on the client’s lawful basis.
- To respond to enquiries and manage our relationships: our legitimate interests.
- To meet our legal and regulatory obligations: compliance with a legal obligation.
- To establish, exercise or defend legal claims: our legitimate interests.
Special Category and Criminal Offence Data
Our casework, particularly investigations and mediation, can involve special category data (such as health) and information about alleged criminal offences. Where it does, we process it only where necessary and rely on conditions in the UK GDPR and the Data Protection Act 2018, including the establishment, exercise or defence of legal claims and substantial public interest conditions. We keep a special category and criminal records data policy, which serves as our Appropriate Policy Document and is available to the Information Commissioner on request.
Marketing, Website and Cookies
Where we send you information about our services, we do so on the basis of your consent or our legitimate interests, and you can ask us to stop at any time. Our website may use cookies to help it work and understand how it is used; where these are not strictly necessary we use them only with your agreement. We do not sell your personal data.
Who We Share Personal Data With
- Our service providers, who process personal data on our behalf under contract, including our IT, cloud storage and software providers, for example Microsoft for Microsoft 365, and providers of the software tools we use to help prepare and analyse our work. A full list of our processors is available on request.
- Our client, where we are carrying out work on that client’s behalf.
- Our professional advisers, insurers and associates engaged under confidentiality terms.
- Courts, tribunals, regulators or other authorities, where required by law or to establish or defend legal claims.
How We Make Decisions
We do not make decisions about you by solely automated means. We may use software, including AI-assisted tools, to help our team prepare and analyse our work, but these tools support our people; they do not make decisions. Every decision and judgement is made by a person, and any provider that processes personal data for us does so only on our instructions and is not permitted to use it for its own purposes.
Transfers Outside the UK
Some of our service providers may process personal data outside the United Kingdom. Where they do, we make sure a valid transfer mechanism is in place, such as the UK International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses, so that your data keeps an equivalent level of protection.
How Long We Keep It
We keep personal data only for as long as necessary, in line with our retention schedule, which is available on request. In summary: employee records processed under an HR retainer are held while we support the client and returned or deleted when the retainer ends; casework is returned or securely deleted on completion, with working copies deleted within three months; records we hold as an independent investigator or mediator are kept up to six years; payroll records are kept to meet HMRC requirements, generally six years; and enquiry and marketing data is kept until you ask us to stop or after a period of no contact.
How We Keep It Secure
We store personal data using secure, up-to-date systems, principally Microsoft 365, with access controls and multi-factor authentication. We limit access to those who need it, keep each client’s information separate, apply security to our devices, hold appropriate backups, and delete data securely when it is no longer needed. If a personal data breach occurs, we assess the risk and, where required, report it to the Information Commissioner and tell those affected.
Your Rights
You have the right to ask for a copy of your data; to have it corrected; to have it deleted, restricted or to object to its use in certain circumstances; to data portability where that right applies; and to withdraw consent where we rely on it. Some rights do not apply in every situation, for example where we must keep information to meet a legal obligation or to defend a claim. To exercise a right, contact us using the details above; we will respond within one month. Where we act as a processor for a client, we will pass your request to that client.
Complaints
If you have a concern about how we handle your personal data, please contact us first. You also have the right to complain to the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; helpline 0303 123 1113; www.ico.org.uk.
Changes to This Notice
We review this notice at least once a year and update it when our processing or the law changes. This is version 1.0, dated 3 July 2026. The next review is due by 3 July 2027.
Version Control
| Version | Date | Summary of changes | Author |
| 2.0 | 3 July 2026 | Update | Claire Bounds |
