Our privacy statement – Our committment to your privacy

Privacy statement

This privacy statement applies to all GPTOOLS UK LTD owned websites, domains, services, applications and products including but not limited to GPTOOLS UK LTD 360, GPTOOLS UK LTD & GPTOOLS UK LTD PSQ Surveys.

GPTOOLS UK LTD of Kemp House, 152 City Road, London EC1V 2NX is committed to protecting the privacy of the data that we process and hold and complying with GDPR.

We hold personal data about our users, their nominated appraisers and appraisal administrators; this document explains what information we hold, how we use it and your rights regarding that information.

What data do we hold?

Only data entered by you or by nominated persons is held by us.
All data entered by you is owned by you and you are responsible for anything you enter into our system.
We will always maintain the highest levels of security and not share your data with anyone else unless you authorise it.

The data we hold may include some or all of the following:

  1. Identifying information – e.g. name, GMC number
  2. Contact information – e.g. email address, postal address, phone number
  3. Professional information – e.g. job title, specialty, place of qualification, year of qualification, CV / biography, education level, job grade or level, employment start date, department/ function, location (your place of work), contract type, working hours
  4. Appraisal preparation and documentation
  5. Continuing Professional Development information
  6. Survey information provided by your nominees


Online payment information
In addition to the above, if you elect to pay for our services by Stripe or PayPal, we may hold the last four digits of your payment card number.

Where do we get your data from?

The personal data that we hold is provided to us by you, your respondents to your 360° feedback or your employer.

You are the complete owner of this data and you are reponsible for the contents of this data.

If you elect to pay by PayPal or Stripe, they may provide us with the last 4 digits of your payment card number.

How do we use your personal data?

1. Contractual relationship. We may use your data to fulfil a contract to provide services to you.
In carrying out these services we may do one or more of the following:

  • use data provided to us by Stripe and PayPal for the purpose of matching service users and payments
  • use your details so that we can communicate with you by email or phone
  • use data provided by respondents completing 360⁰ feedback to provide a view of an individual’s performance
  • use feedback requested during 360⁰ from colleagues, peers and patients to support the revalidation process for hospital doctors and GPs
  • all feedback data is anonymised at point of entry and contains no patient identifiable information. We do not store or use browser fingerprinting to track or collect data on users of our system

2. Legal compliance. We may hold your data if we are legally required to do so.

3. Legitimate business interests. We may anonymise your data for research purposes in order to:

  1. Produce relevant norm groups so that individuals, teams and organisations can compare themselves to other
  2. Improve the quality of our services and products
  3. Conduct and publish research to provide thought leadership in our field.

All data we use for research is completely anonymised at the point of data entry.

4. Information that we collect automatically on our Websites. Our website or its third-party tools use cookies, which are necessary to its functioning and required to achieve the purposes illustrated in the cookie policy. If you want to know more or withdraw your consent to some or all of the cookies, please refer to our Cookie Policy.

How we protect your data.

The personal information we hold is stored and processed securely in line with the UK government’s guidelines for Cyber security controls, Cyber Essentials Plus*.

Your personal information is held and processed in the UK.
Where we share your personal information with your apprasier and/or appraisal admin team we will ensure that this is only with authorised persons that you allow.

Online payment processing. If you elect to pay for services using the Stripe system (i.e. you elect to pay by credit/debit card) or PayPal, the personal data you provide to complete the transaction may be transferred outside the EEA. To see further information about Stripe’s privacy policy, please click here. For further information about PayPal’s privacy policy, pleased click here.

What we don’t do with your personal data

  • We do not make automated decisions relating to your personal data
  • We do not sell your personal data to any third party
  • We do not transfer your personal data to any third parties other than sub-contractors whose services are necessary for us to carry out our contracted service
  • We do not collect or store credit card details

How long do we keep your personal data?

The information we use to communicate with you will be kept until you notify us that you no longer wish to receive information from us, or you want us to delete your personal data. Any personal data that we hold will be kept in line with the requirements of the Data Controller (this is usually your employer), or if the Data Controller has not provided a deletion policy, we will hold the data until we are requested to delete it.

What are your personal data rights?

If at any point you believe the personal data we hold on you is incorrect, you want us to correct or delete that information, or you no longer want us to hold that information or contact you, you can exercise your rights under the current Data Protection laws. These rights include:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

For more information about your personal data rights please visit the Information Commissioner Office website at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/

Who do I contact if I have an issue with or question about the personal data relating to me?

Please contact our Data Protection Officer at support at gptools org dot uk

If you are not satisfied with our response or believe we are processing your personal data in a manner which is not in accordance with the instructions of the Data Controller or the law, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk/ Their Helpdesk number is 0303 123 1113.

* For more information about Cyber Essentials Plus please visit: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

General Data Protection Regulation (GDPR) Statement

As part of our commitment to protecting your privacy, GPTOOLS UK LTD adheres to the General Data Protection Regulation (GDPR) standards. Our GDPR practices include the following:

1. Data Protection Principles

We comply with the GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.

2. Data Subject Rights

Under GDPR, you have specific rights regarding your personal data. These include:

  • Right to Access: You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification: You have the right to request correction of any inaccurate or incomplete data.
  • Right to Erasure: You have the right to request the deletion of your personal data, subject to certain conditions.
  • Right to Restriction of Processing: You can request that we restrict the processing of your personal data under certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller.
  • Right to Object: You can object to the processing of your personal data in certain situations.

3. Data Breach Notifications

In the unlikely event of a data breach, we will notify the affected individuals and the relevant supervisory authorities as required by GDPR.

4. Data Protection Officer (DPO)

We have appointed a Data Protection Officer to ensure ongoing compliance with GDPR and to act as a point of contact for data subjects and supervisory authorities.

5. International Data Transfers

We do not transfer your data outisde the EEA. However, if your personal data is transferred outside the European Economic Area (EEA), we would ensure it is protected by appropriate safeguards as required by GDPR.

6. Data Processing Agreements

We do not employ any third parties to process your personal data.

7. Data Protection Impact Assessments (DPIAs)

Where processing is likely to result in high risk to individuals’ rights and freedoms, we conduct DPIAs to identify and mitigate risks.

8. Legal Bases for Processing

We process personal data based on lawful grounds as defined under GDPR, including consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest or exercise of official authority, and legitimate interests.

By using our services, you acknowledge that you have read and understood this GDPR statement and our privacy practices. If you have any questions or concerns about our GDPR compliance, please contact our Data Protection Officer at support at gptools dot org dot uk.

For further information on your rights under GDPR, please visit the Information Commissioner’s Office (ICO).

Your privacy and data protection are our top priorities, and we are committed to maintaining the highest standards of data privacy and security.