All organisations that process personal data are required to comply with data protection legislation. This includes in particular the Data Protection Act 1998 (or its successor) and the EU General Data Protection Regulation (together the ‘Data Protection Laws’). The Data Protection Laws give individuals (known as ‘data subjects’) certain rights over their personal data whilst imposing certain obligations on the organisations that process their data. As a recruitment business Orchard collects and processes both personal data and sensitive personal data. It is required to do so to comply with other legislation. It is also required to keep this data for different periods depending on the nature of the data. This policy sets out how Orchard implements the Data Protection Laws. It should be read in conjunction with the Data Protection Procedure.