For the purposes of this document “The Company” refers to RadioWorks Ltd and Auction Media Ltd, which consists of RadioWorks, Maple Street Creative (and its subsidiary brands), Digital Audio Works and Radio Trading Desk.

RadioWorks Ltd registered office is at 36 – 40 Maple Street, London, W1T 6HE. Registered in England and Wales company number 3171591, VAT no. 681 8837 86.

Auction Media Ltd registered office is at 36 – 40 Maple Street, London, W1T 6HE. Registered in England and Wales company number 05971611, VAT no. 906 2735 29.


The Company is and always has been committed to guarding and respecting your data whilst it is in our hands. We collect your personal information because it helps us to understand your needs and guides the way in which we interact and communicate with you. We have strict policies and procedures in place to protect your data when you send it to us, when we process it in order to provide you with the services you have requested or, where you have given us your permission to do so, to send you information that we think you'll find interesting, and thereafter when we store your data internally.

When people trust us with their information, we should live up to that trust.

Data protection law gives individuals the right to understand – and in some cases control – how their data is used. It also places obligations on us to handle people’s data fairly and respect their rights. We take our obligations under data protection law seriously.

If you have any questions about this Policy, you should contact our HR and Office Manager.

1. Who and What is covered by this Policy?

This Data Protection Policy together with the other policies referred to below will be understood and followed by all staff. This Policy applies to all our business units, operations, functions and staff, including permanent and temporary employees and any third party personnel such as agents, temps, contractors and consultants, who have access to “personal data” which is “processed” by our agency.

What is “personal data”?
This Policy only applies to “personal data”. This means information which relates to an identified or identifiable individual (i.e. a living person). It includes names, addresses, email addresses, job applications, photographs, and correspondence to and from an individual. Where it can be linked to an individual, it also includes online identifiers and web browsing information (e.g. cookie data).

Note that this Policy does not apply to confidential commercial information which is not personal data, e.g. financial information.

What is “processing”?
This Policy also refers to “processing” personal data. Processing essentially means doing anything with personal data; this includes collecting it, storing it, combining it with other data, sharing it with a third party, and even deleting it.

We process personal data captured by this Policy when we collect and store data about our own staff, job applicants, staff at our suppliers and our clients, and potentially consumers. All of this personal data will be treated in accordance with this Policy.

The Company is responsible for ensuring that the processing complies with data protection law – this includes where the personal data is processed by a service provider appointed to process personal data on the Company’s behalf. The Company has in place a robust contract with the service provider including appropriate data protection clauses.

2. Our Data Protection Principles

Everyone to whom this policy applies should follow our Data Protection Principles when processing personal data.

1. Fairness and Transparency: Give people information about how we process their personal data.

What does this mean in practice?
We are transparent and give people information about how we use their personal data. This also means not doing anything with their personal data which they would not expect or that we would be embarrassed for them to know about.

2. Lawful Processing: Make sure we always have a good, lawful reason to process personal data.

What does this mean in practice?
We comply with any applicable laws when we process personal data.

Additionally, we should only process personal data if it can satisfy certain conditions set out in data protection law. The most important of these for us will be one of the following: (i) the relevant individual has given her/his consent; (ii) the processing is necessary as part of a contract with the individual; (iii) the processing is necessary to comply with a legal obligation; or (iv) the processing is necessary for our (or a third party’s) ‘legitimate interests’, provided such interests are not overridden by any risk or harm to the individual.

3. Purpose Limitation: Only collect personal data for a specific purpose. If we want to reuse the personal data for a new purpose, we must make sure the new purpose is compatible with the original purpose.

What does this mean in practice?
We will always have a clear purpose for any personal data before we collect it, and this should reflect a specific business need. If we later want to use the personal data for a new purpose or share it with a new third party, we should consider whether it is compatible with the original purpose.

Before starting any new processing or collecting any new data, we assess this to ensure data protection and privacy is considered from the outset. If there could be risks associated with any new processing, we will conduct a “Data Protection Impact Assessment” (“DPIA”) to decide whether any safeguards need to be put in place to protect the individuals.

4. Data Minimisation: Only process as much personal data as we need, and no more.

What does this mean in practice?
In any particular case, we only collect or otherwise process as much personal data as we need for that specific purpose. This means we should not collect personal data that we do not need, or ask for personal data ‘just in case’ it may be useful.

5. Accuracy: Keep personal data accurate, complete and up-to-date.

What does this mean in practice?
Wherever possible, we keep personal data up to date. If we become aware of personal data which is inaccurate or out-of-date, we take reasonable steps to correct it or delete it.

6. Retention: Only keep personal data for as long as we need it. If we don’t need the personal data anymore, we delete it or anonymise it.

What does this mean in practice?
We should only keep personal data for as long as we need it for its specified purpose and outlined in our data retention policy

7. Security: Protect personal data from getting lost or stolen. Make sure our service providers protect our personal data as well.

What does this mean in practice?
We take all possible steps to protect personal data with appropriate security measures, to prevent any accidental or unauthorised access, damage, loss or disclosure.

We take data protection very seriously and as such all staff are aware of:

  • All responsible steps that they must take to protect personal data
  • The procedure they must follow surrounding a data breach

This Security Principle extends to our service providers who handle personal data on our behalf.

8. Individual Rights: Allow individuals the right to access, correct or erase their personal data, or object to it being used for certain purposes.

What does this mean in practice?
Anyone whose personal data we process has the right to obtain a copy of that personal data, and correct any inaccuracies. In certain circumstances, they also have a right to have their personal data erased or not used for a particular purpose.

9. Accountability: We will take steps to make sure our processing of personal data complies with this Policy. Our staff will also take all responsible steps to ensure they comply with this policy.

What does this mean in practice?
We are responsible for ensuring our processing of personal data is compliant with the law. That is why we have implemented this Data Protection Promise, as well as the various other policies which accompany it.

It is the responsibility of everyone working at our agency to complete their required training.

Any new websites, apps, or other tools should be designed to enable us to comply with our Data Protection Principles.

This Policy and the accompanying policies will be periodically reviewed and updated as necessary to ensure they are effective and meet our requirements.

10. New Data processing assessment: We will take necessary risk mitigation steps to ensure about robust systems and processes are used for new initiatives which involve data.

What does this mean in practice?
We will conduct a full risk assessment, designed to enable us to decide whether our new initiative is justified against GDPR rules and if so, how we can manage in the most privacy friendly manner.

Last updated: 08 May 2018