Data Protection Policy

Element Human Limited, Element Human Research Ltd and Crowd Emotion Limited take privacy and data protection very seriously. All three companies are committed to privacy by design and giving due consideration to data protection at every stage of the company’s development. In particular, the companies will:

  • ensure data protection is considered and supported at the highest levels of the organisation and, as part of this, ensure that the board is involved in data protection matters where appropriate;

  • consider data protection when designing, building and introducing a new product or service;

  • carefully consider the partners and other organisations it works with before entering into a relationship with them; and

  • comply with the spirit as well as the letter of the law.

Matt Celuszak is the final authority for data protection. Diego Caravana is the primary responsibility for data protection.

Data Retention

Data should be held for the shortest amount of time possible and regular review is required of the data held to ensure this is complied with. A key priority is setting up an automated system for deleting the data and this is currently in progress.

The data retention policy is available upon request by emailing:

The data retention policy should be kept under regular review.

Data breaches

While we take every care to avoid a data breach and protect the personal data we process, it is important to be prepared in the event that a data breach does unfortunately occur.

A data breach is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately and includes both actual and suspected data breaches. An incident includes, but is not limited to:

  • loss or theft of data or equipment on which data is stored;

  • unauthorised use of, access to or modification of data or information;

  • attempts to gain unauthorised access to information or IT systems; and

  • unauthorised disclosure of data.

Any individual who discovers a data breach, whether actual or suspected, is responsible for reporting it immediately to Diego Caravana, Technical Director including full and accurate details of the incident.

Diego will be responsible for:

  • investigating any such breach;

  • determining what actions should be taken to mitigate the impact of any such breach;

  • determining the impact and risk level of such breach;

  • reviewing any applicable contracts and determining which partners need to be notified;

  • deciding if such breach needs to be reported to the ICO and the relevant data subject;

  • in every situation, recording the breach including, where it is not being reported to the ICO, why the decision was made that it should not be reported to the ICO.

In reviewing the data breach and determining the above, the following shall be taken into account:

  • the type of data involved;

  • the sensitivity of the data;

  • the number of data subjects involved and the potential impact on them;

  • any protection that is in place, for example is it encrypted?

  • the type of breach that has occurred - for example has the data been lost or stolen?

  • whether the affected data could be used inappropriately; and

  • all other appropriate information including any wider consequences of the breach.

Reporting the breach to the ICO

Where the breach is a risk to people’s rights and freedoms, it should be immediately reported to the ICO and, in any event, within 72 hours. Where the breach is not being reported to the ICO, it should still be recorded in our record of data breaches and the reason why it is not being reported should be noted.

Client data

Where we are acting as a data processor, we have an obligation to inform the relevant controller about any breach. As such, as soon as a breach or suspected breach is discovered, the relevant client involved should be identified, the contract with them reviewed and they should be provided with the relevant information as soon as possible and, in any event, within 36 hours.

Contractual obligations

Even where we are not acting as a data processor, our contractual agreements with third parties impose a number of obligations on us in relation to notification of data breaches. As such, all relevant contracts should be reviewed to ensure that these obligations are met.

For example, our agreement with third party sample providers includes a number of provisions regarding data breaches.

Our record of data breaches can be requested by emailing

Data subjects’ rights

While there have, so far, been no requests by data subjects to exercise their rights, it is important to ensure that the organisation is able to respond rapidly and appropriately when a data subject does wish to exercise their rights.

It is likely that any data subject request will come in through the channel and this should be carefully monitored to ensure any requests are caught immediately and dealt with as soon as possible. While requests are most likely to come in in this way, it is feasible they would come in other than through this channel and so care should be taken that any such requests are quickly identified no matter how they arise.

Any request from a data subject should be passed to Matt Celuszak, CEO, who will review the request and respond as required.


Records of processing - both where we are a controller and a processor - need to be updated for every additional processing we undertake. These documents can be made available at the sole discretion of Element Human upon request to:

Our records of breaches and subject requests should also be kept updated.

Last updated 1/10/21

Did this answer your question?