top of page

Privacy at Shire

 

Ownership
The domains shire.taxi and shirecabs.co.uk and any other communication lines are the proprietary asset of Mr Subrata Pati T/A SHIRE, herein acting as the data controller for individuals' personal data.
Effective Date: 01st August 2024 (Last Updated: 07/05/2026)


ICO Registration
SHIRE is duly registered with the Information Commissioner's Office under Organisation Number C1370149.

Legal Framework

This Privacy Policy is issued in compliance with the following legislation and regulations, as amended and in force from time to time:
•    UK General Data Protection Regulation (UK GDPR)
•    Data Protection Act 2018 (DPA 2018)
•    Data (Use and Access) Act 2025 (DUAA), including amendments in force from 5 February 2026
•    Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the DUAA
•    Human Rights Act 1998
The DUAA, which received Royal Assent on 19 June 2025, amends (but does not replace) the UK GDPR, the DPA 2018, and PECR. Key reforms effective from 5 February 2026 include: the introduction of a new ‘Recognised Legitimate Interests’ lawful basis (Article 6(1)(ea) UK GDPR); codification of the ‘reasonable and proportionate’ search standard for data subject access requests (DSARs); and clarification of purpose limitation provisions. A further tranche of reforms concerning formal complaints procedures takes effect on 19 June 2026.
This Policy governs the collection, use, storage, and disclosure of personal data in connection with SHIRE’s Hackney Carriage and related services. It covers data collected through the website, booking systems, messaging platforms, and all other operational tools.

Lawful Collection of Personal Data

In accordance with Articles 5(1)(a) and 6(1)(a)–(f) UK GDPR (as amended by the DUAA), SHIRE collects personal data only where a lawful basis exists. No automatic collection of personal data occurs when visiting our platforms. Data is gathered only upon voluntary submission — for example, name, contact information, and service preferences — via contact forms, emails, messaging applications, or direct use of our services.​

Lawful Bases for Processing

All processing is grounded in one or more of the lawful bases under Article 6 UK GDPR, as amended by the DUAA. These include:
•    Consent (Article 6(1)(a)): Where the data subject has given clear consent for a specific purpose. Where it is not realistically possible to obtain individual consent, implied consent will apply for the purpose of service usage.
•    Contract (Article 6(1)(b)): Where processing is necessary for performance of a contract with the data subject, such as a booking.
•    Legal obligation (Article 6(1)(c)): where processing is required to comply with a legal duty.
•    Vital interests (Article 6(1)(d)): to protect the vital interests of the data subject or another natural person.
•    Public task (Article 6(1)(e)): where processing is necessary for the performance of a task carried out in the public interest.
•    Legitimate interests (Article 6(1)(f)): where processing is necessary for the purposes of the legitimate interests pursued by SHIRE or a third party, except where overridden by the data subject’s rights and interests.
•    Recognised Legitimate Interests (Article 6(1)(ea), introduced by DUAA): for prescribed processing activities; including the prevention, investigation, or detection of crime; where no balancing test is required, provided the processing is necessary.
Any processing of special category data complies with Article 9 UK GDPR and the applicable provisions of the DPA 2018.

Subcontracted or Third-Party Service Provision

To deliver certain services, SHIRE may share minimal personal data (such as name, contact number, and pickup/drop-off details) with trusted subcontractors or third-party service providers. This is carried out under Articles 6(1)(b) and 6(1)(f) UK GDPR, for contractual and legitimate interest purposes respectively. All subcontractors are contractually bound to implement appropriate data protection measures and are engaged as data processors under Article 28 UK GDPR.

Audio Recordings of Telephone Communications

Inbound telephone calls are recorded under the legitimate interests basis (Article 6(1)(f) UK GDPR) and, where applicable, the legal obligation basis (Article 6(1)(c) UK GDPR). These recordings serve training, evidentiary, and safeguarding functions.
Publication of this policy constitutes written notice satisfying the transparency requirements of Article 13 UK GDPR. Retention is capped at 30 days unless a legitimate or legal basis requires retention for a longer period, up to a maximum of 10 years.
The same recording policy may apply to outbound calls as well. Due to the volume of calls handled, verbal notice may not always be given at the start of each call. By engaging with SHIRE by telephone, callers acknowledge this policy. Callers are signposted to the website to make themselves aware of this provision and should they object, the data will be deleted upon confirming that the Data Subject will not be engaged in terms of obtaining service from SHIRE.

*Visual and Audio Recordings via Dashcams*

Dashcam system currently inactive. Dashcam recording will not apply until explicitly notified by an update to this policy.

8.1  System Description
SHIRE’s vehicles use a 360° outward-facing video capture mechanism designed primarily to record the external environment surrounding the vehicle. The system does not operate on a continuous recording basis; instead, footage is captured in buffered or event-triggered intervals to support the principle of data minimisation under Article 5(1)(c) UK GDPR.
Due to the physical configuration of a 360° capture system installed within a vehicle, recording of the vehicle’s interior is unavoidable. Any such internal video capture is a technical consequence of the camera’s field of view and is not the primary or intended purpose of the system. SHIRE acknowledges this and applies proportionality and necessity assessments accordingly.

8.2  Audio Recording
The dashcam system incorporates audio recording capability. Audio is captured in buffered intervals, consistent with the non-continuous operation of the system. Audio is not recorded on a persistent or continuous basis; processing of audio only takes place where triggered by the system’s event-detection parameters or as part of a buffered capture sequence.
Publication of this policy constitutes written notice of non-continuous audio recording, satisfying the transparency requirements of Article 13 UK GDPR and ICO guidance on in-vehicle surveillance. Passengers and third parties in proximity to the vehicle are notified of the potential for audio recording by virtue of this publicly accessible policy.

8.3  Legal Bases for Dashcam Processing
Processing of dashcam footage (video and audio) is carried out under the following lawful bases:

 

  •  Legitimate Interests (Article 6(1)(f) UK GDPR): SHIRE has a legitimate interest in operating dashcam systems for the safety of drivers and passengers, prevention and detection of crime, protection against fraudulent or exaggerated insurance claims, and compliance with licensing conditions applicable to Hackney Carriage operators. A Legitimate Interests Assessment (LIA) is maintained on file. The privacy impact on data subjects has been considered and is proportionate to the safety and operational benefits pursued.

 

  • Legal Obligation (Article 6(1)(c) UK GDPR): Where applicable, processing may be required to comply with legal obligations imposed by licensing authorities or regulatory bodies, including the obligation to cooperate with police or licensing investigations under relevant legislation.

 

  • Recognised Legitimate Interests (Article 6(1)(ea) UK GDPR, introduced by the Data (Use and Access) Act 2025): For disclosures of footage to law enforcement agencies for the purposes of the prevention, investigation, or detection of crime, no balancing test is required. SHIRE may rely on this basis when sharing footage with police or other competent authorities.

 

  • Special category data: In circumstances where dashcam footage incidentally captures special category data (for example, where passengers’ health conditions, religious symbols, or ethnicity are visible), processing is additionally justified under Article 9(2)(f) UK GDPR (necessary for the establishment, exercise, or defence of legal claims) and/or Article 9(2)(g) (substantial public interest under Schedule 1 DPA 2018, specifically paragraph 10; preventing or detecting unlawful acts).

8.4  Retention
Standard retention for dashcam footage is 24–48 hours from the date of capture, after which it is automatically overwritten or deleted, in compliance with Article 5(1)(e) UK GDPR. Retention for up to 10 years is permitted where a specific legitimate, contractual, or legal basis applies; for example, where footage is relevant to an ongoing insurance claim, legal proceedings, regulatory investigation, or law enforcement request. Where footage is retained beyond the standard 48-hour period, access is restricted to authorised personnel only.

Data Retention Practices

Personal data is retained only for as long as necessary for the purpose for which it was collected, in compliance with Article 5(1)(e) UK GDPR (‘storage limitation’). SHIRE maintains a documented retention schedule consistent with applicable sector standards and legal obligations. Access to retained data is governed by confidentiality obligations, data minimisation principles, and integrity controls.

Feedback, Marketing and Communication
SHIRE may contact customers for service-related feedback or updates, relying on the legitimate interests basis under Article 6(1)(f) UK GDPR. Communications are limited in frequency (a maximum of three per service engagement) and will never include third-party promotional material.
Where the soft opt-in exemption applies, SHIRE relies on Regulation 22(3) PECR, as amended by the DUAA.
The right to opt out of communications is always available and will be honoured promptly. Where consent is the applicable legal basis, it will be obtained prior to communication and may be withdrawn at any time.

Permitted Disclosures Without Consent

SHIRE may be required to disclose personal data under Articles 6(1)(c) or 6(1)(e) UK GDPR where a legal obligation or public task applies; for example, in response to requests from the police or licensing authorities.
With effect from 5 February 2026, SHIRE may also rely on the ‘Recognised Legitimate Interests’ basis under Article 6(1)(ea) UK GDPR (introduced by the DUAA) for disclosures necessary for the prevention, investigation, or detection of crime, where no balancing test is required.
Each disclosure request is reviewed for legal validity and proportionality. SHIRE will refuse any disclosure request where no lawful basis is established, or where the requesting authority has a documented history of data breach. Data subjects’ rights under Articles 12–23 UK GDPR are upheld in all cases.


Anonymised Statistical Data

Once personal data has been fully anonymised such that individuals cannot reasonably be re-identified, it falls outside the scope of data protection legislation, in accordance with Recital 26 UK GDPR. Anonymised data may be used by SHIRE for operational analysis, service reporting, and research in the public interest.

 

Data Security Measures

SHIRE implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction, in compliance with Article 32 UK GDPR. These measures include encryption, access controls, and routine security audits.
Standard email encryption is applied; however, SHIRE cannot guarantee absolute immunity from external threats such as malware or phishing. Users communicating with SHIRE electronically are advised to take appropriate precautions on their own systems.

Data Subject Rights
Under Articles 12–23 UK GDPR, individuals whose personal data SHIRE processes have the following rights:
•    Right to be informed (Article 13–14)
•    Right of access (Article 15)
•    Right to rectification (Article 16)
•    Right to erasure / ‘right to be forgotten’ (Article 17)
•    Right to restriction of processing (Article 18)
•    Right to data portability (Article 20)
•    Right to object (Article 21)
•    Rights related to automated decision-making and profiling (Article 22, as amended by the DUAA)
To exercise any of these rights, please submit a written request with proof of identity to:
✉  userdata@shirecabs.co.uk
SHIRE will respond without undue delay and, in any event, within one calendar month of receipt of a valid request, in accordance with Article 12(3) UK GDPR. Where a request is complex or multiple requests have been received, this period may be extended by up to two further months (a total of three months). The data subject will be informed of any extension and the reasons for it within the initial one-month period.
In line with the DUAA (in force from 19 June 2025), SHIRE conducts reasonable and proportionate searches when responding to DSARs. The response clock may be paused while awaiting identity verification or clarification of the scope of a request.
Where requests are manifestly unfounded or excessive, SHIRE may charge a reasonable administrative fee or decline to respond, in accordance with Article 12(5) UK GDPR. Responses and communications under Articles 15–22 and 34 are provided free of charge in standard cases.


Minors and Parental Consent

For individuals under the age of 16, verified parental or guardian consent is required before any personal data may be processed, in accordance with Section 9 of the DPA 2018. The DUAA further strengthens obligations in relation to children’s personal data, including explicit requirements to consider children’s higher protection matters when providing services likely to be accessed by children. SHIRE disclaims liability for data submitted without the required parental or guardian consent.

International Data Transfers

SHIRE does not transfer personal data outside the United Kingdom. Where any transfer to a third country is necessary, it will be carried out only in compliance with Chapter V UK GDPR, as amended by the DUAA. The DUAA replaces the previous ‘essentially equivalent’ test with a new ‘data protection test’ requiring that the standard of protection in the recipient country is not materially lower than UK standards.

Notice for European Economic Area Residents

Residents of the European Economic Area (EEA) may also benefit from the rights and protections described in Section 14 of this Policy. The UK retained its European Commission adequacy status following the review concluded in December 2025, which is valid until December 2031. European residents wishing to exercise their rights may contact SHIRE directly at userdata@shirecabs.co.uk.

Data Model and Internal Access

SHIRE operates a single-thread data model. Personal data is accessed internally only for the purposes of service provision or legitimate operational reporting. Complex requests may require additional time and, where appropriate, a reasonable fee consistent with Article 12(5) UK GDPR.
All requests for personal data received from external authorities are evaluated for compliance with UK GDPR and the DPA 2018 before any disclosure is made.

​​

Consent and Policy Updates

By submitting personal data through SHIRE’s channels, users acknowledge this Privacy Policy. SHIRE may revise this Policy periodically to reflect changes in law, regulatory guidance, or operational practice. Continued use of SHIRE’s services following notification of an update constitutes acceptance of the revised Policy. Significant changes will be communicated proactively where practicable.


Complaints Procedure

SHIRE takes data protection complaints seriously. If you believe that your personal data has been processed in a manner that does not comply with applicable law, you may raise a concern directly with SHIRE in the first instance at userdata@shirecabs.co.uk. In accordance with the DUAA (with the complaints procedure obligation taking effect on 19 June 2026), SHIRE will acknowledge receipt of complaints within 30 days and respond without undue delay. A formal complaints mechanism will be in place by that date.

Important Notice Regarding Data-Related Complaints
Data protection and privacy-related complaints are regulated matters that fall exclusively under the jurisdiction of the Information Commissioner’s Office (ICO). Such complaints are not handled by Maidstone City Council (MCC) or any other local council authority. If your complaint concerns the processing of your personal data, you must direct it to the ICO, not to MCC.


You have the right to lodge a complaint with the ICO at any time, including without first raising the matter with SHIRE:

Information Commissioner’s Office
2nd Floor, Churchill House, Churchill Way, Cardiff, CF10 2HH
☎  0330 414 6421
✉  wales@ico.org.uk
🌐  ico.org.uk
 


Data Model
SHIRE employs a single-thread data model with all data associated with specific users. User data is not accessed unless for prognostication or in-house research or reporting. A reasonable amount of time and expenses may be requisite to furnish certain data due to its intricacy. In the event of authorities or court orders soliciting data in contravention of GDPR regulations, SHIRE will evaluate any request against applicable laws and only disclose where required or permitted by GDPR regulation.

bottom of page