Privacy Notice

This Privacy Policy was last modified on 27 April 2023.  It will be reviewed every 12 months.

Generis Enterprise Technology Limited (referred to as “Generis”, “GETL”, “We, “Our” or “Us”) is committed to protecting the privacy and security of your personal data. We have developed this privacy notice to inform you of the data we collect, what we do with your data, what we do to keep it secure as well as the Rights you have over your personal data.

Throughout this notice we refer to data protection legislation which includes (but is not limited to) the UK GDPR, EU GDPR, and e-Privacy legislation such as the EU e-Privacy Directive and the UK Privacy Electronic Communication Regulation 2003 (“PECR”). This also includes any data protection laws that are updated or newly enforced from time to time.

This website privacy notice applies to all Generis websites:

Our main office is based in the United Kingdom (“UK”) and below are our contact details:

Post: Generis Enterprise Technology Limited, 239 Kensington High Street, London W8 6SN, United Kingdom.


Our UK office is registered with the Information Commissioners Office (the ICO) with registration number ZA824292.

We have a dedicated data protection team who can also be contacted via who can help with data protection matters.

We have appointed an external data protection officer (DPO) and their details are as follows:

Evalian Limited                                                           Email: 
West Lodge                                                                 Phone: +44 (0)333 050 0111
Leylands Business Park                                               Website:
Colden Common
SO21 1TH
United Kingdom

Generis is both a data controller and a data processor and this notice sets out how we act as both roles.

Who are we?

Generis is a leader in content and information management systems, specializing in proven solutions for regulated industries. CARA, the Company’s flagship product, is a leading content and information management platform providing ECM and EIM solutions.

Lawful Basis

The lawful bases we rely on as a data controller are detailed below with brief examples of when they may apply:

Consent; to opt into marketing communications
Contractual obligation; to enter contractual arrangements with employees
Vital interests; to know of any medical conditions to a visitor/guest to any one of our offices
Legal obligation; for tax purposes
Legitimate interests; to help answer any questions or concerns that may be sent to us from individuals who we may have no prior existing relationship with

There may also be instances of where we would collect and process special category personal data for purposes such as recruitment (e.g., health data to make any reasonable adjustments for any interviews). Where we have identified the need for special category data, we will work with our DPO to ensure the appropriate special condition is identified and documented where needed.

As a data processor we process personal data in line with the lawful basis determined by the data controller. For the purposes of our CARA system this would be legitimate interest.

Whose Personal Data We Use

Due to the different services we offer and our business activities, we may process personal data of the following individuals (“data subjects”):

– Clients
– Enquirers/complainers
– Job applicants
– Employees
– Vendor/Service providers
– Prospective clients

The above list is representative and non-exhaustive.

How We Collect Personal Data

We collect personal data through different means such as:

– When you send us an enquiry
– Contact us via telephone, email or letter
– When you apply for one of our job vacancies
– Through marketing lists
– Contact us on social media

The above list is representative and non-exhaustive.

Personal Data Processed

Depending on the service or business activity we may process the following types of personal data:

– Name
– Address
– Email address
– Phone numbers
– Job details
– Recruitment data
– IP address

The above list is representative and non-exhaustive.

How We Use Personal Data

We may use personal data for various activities which can include the following activities:

– To send any marketing communications.
– Enter into contracts of services with clients.
– Process job applications.
– Onboarding of new employees.
– Process payments and other financial activities
– To monitor website usage
– Health and safety
– Action any data subject right requests
– Communicate to clients and data subject right requests
– Shared services (e.g. HR)
– Seek your views or comments on the services we provide
– Notify you of changes to our services
– Handle an enquiry or complaint you have made

The above list is representative and non-exhaustive.
For more information to how we process personal data you can contact us as detailed above.

Recruitments and Criminal Data Processing

We have a separate recruitment privacy notice on our website which details how we process personal data in line with our recruitment activities. We advertise roles which may also require the need for background checks, which can involve criminal conviction data. This should not deter anyone from applying for any job roles with us as we review any criminal conviction data on a case-by-case basis.

Generis does not have official authority to conduct these checks and so we will utilise appropriate third parties who have official authority to conduct these checks on our behalf.

For more information to this you can contact us using our details above and view our Job Applicant Privacy Notice on our website.

Children’s Data

Our services are not designed for children of any age. If we do become aware of any children’s data being processed, we will take all reasonable steps and efforts to remove their data where identified.

Data Sharing

We do not sell, rent, or lease data pertaining to our customers or clients (including prospective’s) at any time.

Due to the nature of our business, there may be times we are required to share data with other departments or members of our organisation. Examples of this can include (but not limited to):

– Customer requests/concerns
– Recruitment purposes
– Service issues/support

Please note there may also be instances where we may need to share data with a competent law enforcement body, regulatory body, government agency, court, or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation or (ii) to exercise, establish or defend our legal rights.

International Data Transfers

Due to the global nature of our organisation, there may be instances where we may need to transfer and share your data with other Generis employees or other organisations (e.g. vendors, service suppliers, law enforcement bodies etc.) who are in the European Economic Area (The EU member states, Norway, Iceland, and Liechtenstein), in an adequate listed country or in other third countries who may not have robust or similar data protection laws to the UK/EEA. If we need to transfer your information globally where required, we will take steps to ensure that appropriate safeguards are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this notice.


There may be at times where we would need to utilise the help of third-party vendors for various services to our clients. Where we use our own third-party vendors for client related activities, they will be considered as sub-processors. We review our agreements with sub-processors to ensure the relevant data protection clauses are incorporated. For more information you can contact us using our details above.

Marketing Communications

We would like to send you marketing news and updates regarding our company, products and services should you like to receive them. You can always change your preferences (i.e. opt out) by clicking on the relevant unsubscribe link at the bottom of the email. You can opt out by contacting us directly using our details mentioned above.

Website Links

This website contains links to other websites, which are clearly marked as such. Please note that we have no control over external websites and are not responsible for the protection and privacy of any information which you may provide to them. Please refer to a website’s privacy notice when using it.


We use cookies on our website. More information to cookies can be found in our cookie notice. You can also change your consent via our website too.

Automated Decision-Making

We do not carry out any automated decision-making within our organisation. If this was to change, we will be sure to update this notice and provide details to when this would apply.

Data Retention

We regularly review our data retention practices ensuring we only retain personal data for as long as necessary in line with our data processing activities. We have created data retention policies and accompanying data retention schedules to help document relevant retention periods.

As a data controller we will retain personal data for as long as necessary in line with various requirements, such as, best practice recommendations (e.g. supervisory authority recommendations), relevant guidelines (e.g. employment guidance’s) or for as long as mandated under specific legislation (e.g. tax laws). We will also determine appropriate retention periods based on our legitimate interests where identified.

As a data processor we will retain personal data for as long as required as set by our client data controllers. Where the data controller has determined the relevant retention period we will be sure to document this and notify them in advance before the deletion is carried out, normally within 30 days.

When data is needed to be deleted, we will either delete manually or automatically, or anonymise it if deletion is not possible.

What Happens If Our Business Changes Hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will be permitted to use that data only for the purposes for which it was originally collected by us.

Data Security

We are ISO 27001 certified, and copies of our certification is available upon request using our details above.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

If we become aware of any loss, misuse, alteration of personal data we will work closely with our security response and management team, DPO and other parties as necessary to investigate the incident at hand. We have put into place the relevant procedure and policies to investigate, mitigate and report (when needed to relevant parties) such instances.

Data Protection Rights

Under data protection legislation you have several Rights in relation to how an organisation processes your personal data. The Rights are as follows:

– Right to be informed
– Right to access data
– Right to rectification
– Right to erasure
– Right to restrict processing
– Right to objection
– Right to portability
– Right not to subject to automated decision making and profiling

If you would like to exercise any of the above Rights you can do so by sending us a written request to our email address mentioned above. Please note ID may be requested to verify identity and of those carrying our Right requests on an individual’s behalf.

Concerns and Complaints

We understand you may have concerns and complaints in relation to this notice and in relation to how we process personal data. If you would like to contact us directly to talk to us about a concern or to raise a complaint, you can do so by using our contact details above.

You can also submit a complaint directly to the UK ICO via this link.

Review and Updates

We will review this notice and make changes to it from time to time. We recommend that you check this notice to see where changes have been made, and to ensure you are able to review updated information at all times.