Operational Excellence (OPEX) Group Limited (“OPEX Group”) is registered in Scotland. Registration Number SC382192 Registered Address: OPEX Digital Collaboration Centre, 18 Carden Place, Aberdeen, AB10 1UQ


Access to this website is permitted on a temporary basis and we reserve the right to withdraw or amend the service we provide on the site without notice.


This website is protected by copyright. Permission is given for the downloading and temporary storage of one or more of these pages for the purpose of viewing on a personal computer or monitor. The reproduction, permanent storage, or retransmission of the contents of this website is prohibited without the prior written consent of OPEX Group. For permission to reproduce any of the contents of this website please contact us - info@opex-group.com

Unless otherwise stated all contents of this website are copyright of OPEX Group.


OPEX Group is committed to providing a website that is accessible to the widest possible audience. We actively work to ensure that this website is accessible and have taken great care to ensure that it meets standard accessibility requirements. In doing so, we believe this site meets the WCAG 2.0 AA guidelines laid down by the World Wide Web Consortium (W3C). If you have any problem accessing any part of this site or would like further information please contact us - info@opex-group.com


OPEX Group will use reasonable care to ensure that information is accurate at the time it is added to this site. Please note, however, that OPEX Group cannot guarantee the information is accurate and it shall not be liable for any losses or damage that anyone may suffer as a result of relying on this information. The information may be changed by OPEX Group at any time.

OPEX Group assumes no responsibility for the contents of any other websites to which this website has links.

This website is not guaranteed to be free from any so-called computer viruses and it is strongly recommended that you check for such viruses before down-loading it to your computer equipment.


Any links to third party websites are provided solely for the purpose of your convenience. Such websites are operated and controlled by third parties and their inclusion does not imply any endorsement or approval by OPEX Group of the materials on such websites.


OPEX Group reserves the right to amend or replace the Terms of Use at any time. If we make any substantial changes, we will notify you by posting a prominent notice on the site.


The Terms and Conditions shall be governed by and construed in accordance with the Laws of Scotland and any disputes that may arise will be subject to the jurisdiction of the Scottish courts.


For all enquiries please contact OPEX Group – info@opex-group.com


This privacy policy explains the way in which OPEX Group uses and protects the information collected from, or provided by you, via our website at www.opex-group.com. This also applies when we are introduced in a business context and share contact information. This privacy policy may be supplemented by additional privacy statements, terms or notices.

This website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. This website complies to all EU laws and requirements for user privacy.


OPEX Group is committed to ensuring the secure and safe management of data held in relation to customers, staff and other individuals. OPEX Group’s staff members have a responsibility to ensure compliance with the terms of this policy, and to manage individual’s data in accordance with the procedures outlined in this policy and documentation referred to herein.

OPEX Group needs to gather and use certain information about individuals. These can include customers, employees and other individuals that the Company has a relationship with. The Company manages a significant amount of data, from a variety of sources. This data contains Personal Data and Sensitive Personal Data (known as Special Categories of Personal Data under the GDPR).

This Policy sets out the Company's duties in processing that data, and the purpose of this Policy is to set out the procedures for the management of such data.

Section 12 hereto details the Company’s related policies.

This document should be reviewed at least annually.


It is a legal requirement that the Company process data correctly; the Company must collect, handle and store personal information in accordance with the relevant legislation.

The relevant legislation in relation to the processing of data is:

⦁ the General Data Protection Regulation (EU) 2016/679 (“the GDPR”)

⦁ the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); and

⦁ any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union


OPEX Group holds a variety of data relating to individuals, including customers and employees (also referred to as data subjects) which is known as Personal Data. The Personal Data held and processed by the Company is detailed within the Fair Processing Notice and the Data Protection Addendum of the Terms of and Conditions of Employment which has been provided to all employees.

“Personal Data” is that from which a living individual can be identified either by that data alone, or in conjunction with other data held by the Company.

OPEX Group also holds Personal data that is sensitive in nature (i.e. relates to or reveals a data subject’s racial or ethnic origin, religious beliefs, political opinions, relates to health or sexual orientation). This is “Special Category Personal Data” or “Sensitive Personal Data”.


The Company is permitted to process Personal Data on behalf of data subjects provided it is doing so on one of the following grounds:

  • Processing with the consent of the data subject (see clause 4.4 hereof);
  • Processing is necessary for the performance of a contract between the Company and the data subject or for entering into a contract with the data subject;
  • Processing is necessary for the Company's compliance with a legal obligation;
  • Processing is necessary to protect the vital interests of the data subject or another person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of the Company's official authority; or
  • Processing is necessary for the purposes of legitimate interests.


OPEX Group has produced a Fair Processing Notice (FPN) which it is required to provide to all customers whose personal data is held by the Company. That FPN must be provided to the customer from the outset of processing their Personal Data and they should be advised of the terms of the FPN when it is provided to them.

The Fair Processing Notice sets out the Personal Data processed by the Company and the basis for that Processing. This document is provided to all of the Companies customers at the outset of processing their data.


Consent as a ground of processing will require to be used from time to time by the Company when processing Personal Data. It should be used by the Company where no other alternative ground for processing is available. In the event that the Company requires to obtain consent to process a data subject’s Personal Data, it shall obtain that consent in writing. The consent provided by the data subject must be freely given and the data subject will be required to sign a relevant consent form if willing to consent. Any consent to be obtained by the Company must be for a specific and defined purpose (i.e. general consent cannot be sought).


In the event that the Company processes Special Category Personal Data or Sensitive Personal Data, the Company must do so in accordance with one of the following grounds of processing:

  • The data subject has given explicit consent to the processing of this data for a specified purpose;
  • Processing is necessary for carrying out obligations or exercising rights related to employment or social security;
  • Processing is necessary to protect the vital interest of the data subject or, if the data subject is incapable of giving consent, the vital interests of another person;
  • Processing is necessary for the establishment, exercise or defence of legal claims, or whenever court are acting in their judicial capacity; and
  • Processing is necessary for reasons of substantial public interest.


The Company shares its data with various third parties for numerous reasons in order that its day to day activities are carried out in accordance with the Company's relevant policies and procedures. In order that the Company can monitor compliance by these third parties with Data Protection laws, the Company will require the third-party organisations to enter in to an Agreement with the Company governing the processing of data, security measures to be implemented and responsibility for breaches.

Personal data is from time to time shared amongst the Company and third parties who require to process personal data that the Company process as well. Both the Company and the third party will be processing that data in their individual capacities as data controllers.

Where the Company shares in the processing of personal data with a third-party organisation (e.g. for processing of the employees’ pension), it shall require the third party organisation to enter in to a Data Sharing Agreement with the Company in accordance with the terms of the model Data Sharing Agreement.


A data processor is a third - party entity that processes personal data on behalf of the Company and are frequently engaged if certain of the Company's work is outsourced (e.g. payroll, maintenance and repair works).

  • A data processor must comply with Data Protection laws. The Company's data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify the Company if a data breach is suffered.
  • If a data processor wishes to sub-contact their processing, prior written consent of the Company must be obtained. Upon a sub-contracting of processing, the data processor will be liable in full for the data protection breaches of their sub-contractors.
  • Where the Company contracts with a third party to process personal data held by the Company, it shall require the third party to enter into a Data Sharing Agreement.


All Personal Data held by the Company must be stored securely, whether electronically or in paper format.


If Personal Data is stored on paper it should be kept in a secure place where unauthorised personnel cannot access it. Employees should make sure that no Personal Data is left where unauthorised personnel can access it. When the Personal Data is no longer required it must be disposed of by the employee so as to ensure its destruction. If the Personal Data requires to be retained on a physical file then the employee should ensure that it is affixed to the file which is then stored in accordance with the Company's storage provisions.


Personal Data stored electronically must also be protected from unauthorised use and access. Personal Data should be password protected when being sent internally or externally to the Company's data processors or those with whom the Company has entered in to a Data Sharing Agreement. If Personal data is stored on removable media (CD, DVD, USB memory stick) then that removable media must be stored securely at all times when not being used. Personal Data should not be saved directly to mobile devices and should be stored on designated drivers and servers.


A data breach can occur at any point when handling Personal Data and the Company has reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to the rights and freedoms of the data subjects who are subject of the breach require to be reported externally in accordance with Clause 7.3 hereof.


The Company takes the security of data very seriously and in the unlikely event of a breach will take the following steps:

⦁ As soon as the breach or potential breach has occurred, and in any event no later than six (6) hours after it has occurred, the DPO must be notified in writing of (i) the breach; (ii) how it occurred; and (iii) what the likely impact of that breach is on any data subject(s);

⦁ The Company must seek to contain the breach by whatever means available;

⦁ The DPO must consider whether the breach is one which requires to be reported to the ICO and data subjects affected and do so in accordance with this clause 7;

⦁ Notify third parties in accordance with the terms of any applicable Data Sharing Agreements


The DPO will require to report any breaches which pose a risk to the rights and freedoms of the data subjects who are subject of the breach to the Information Commissioner’s Office (“ICO”) within 72 hours of the breach occurring. The DPO must also consider whether it is appropriate to notify those data subjects affected by the breach.


A Data Protection Officer is an individual who has an over-arching responsibility and oversight over compliance by the Company with Data Protection laws.

The DPO will be responsible for:

  • monitoring the Company's compliance with Data Protection laws and this Policy;
  • co-operating with and serving as the Company's contact for discussions with the ICO
  • reporting breaches or suspected breaches to the ICO and data subjects in accordance with Part 7 hereof.


  • Certain rights are provided to data subjects under the GDPR. Data Subjects are entitled to view the personal data held about them by the Company, whether in written or electronic form
  • Data subjects have a right to request a restriction of processing their data, a right to be forgotten and a right to object to the Company's processing of their data. These rights are notified to the Company's tenants and other customers in the Company's Fair Processing Notice.


Data Subjects are permitted to view their data held by the Company upon making a request to do so (a Subject Access Request). Upon receipt of a request by a data subject, the Company must respond to the Subject Access Request within one month of the date of receipt of the request. The Company:

  • must provide the data subject with an electronic or hard copy of the personal data requested, unless any exemption to the provision of that data applies in law.
  • where the personal data comprises, data relating to other data subjects, must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the Subject Access Request, or
  • where the Company does not hold the personal data sought by the data subject, must confirm that it does not hold any personal data sought to the data subject as soon as practicably possible, and in any event, not later than one month from the date on which the request was made.


  • A data subject can exercise their right to be forgotten by submitting a request in writing to the Company seeking that the Company erase the data subject’s Personal Data in its entirety.
  • Each request received by the Company will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with clause 9.4 and will respond in writing to the request.


  • A data subject may request that the Company restrict its processing of the data subject’s Personal Data, or object to the processing of that data.
  • In the event that any direct marketing is undertaken from time to time by the Company, a data subject has an absolute right to object to processing of this nature by the Company, and if the Company receives a written request to cease processing for this purpose, then it must do so immediately.
  • Each request received by the Company will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with clause 9.5 and will respond in writing to the request.


These are a means of assisting the Company in identifying and reducing the risks that our Operations have on personal privacy of data subjects.

The Company shall:

  • Carry out a PIA before undertaking a project or processing activity which poses a “high risk” to an individual’s privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing Personal Data; and
  • In carrying out a PIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that it will take to reduce those risks, and details of any security measures that require to be taken to protect the personal data
  • The Company will require to consult the ICO in the event that a PIA identifies a high level of risk which cannot be reduced. The Data Protection Officer (“DPO”) will be responsible for such reporting, and where a high level of risk is identified by those carrying out the PIA they require to notify the DPO within five (5) working days.


The Company cannot store and retain Personal Data indefinitely. It must ensure that Personal data is only retained for the period necessary. The Company shall ensure that all Personal data is archived and destroyed in accordance with the periods specified.


  • OPEX 002 Privacy Notice for Employees
  • OPEX 003 Fair Processing Notice
  • OPEX 004 Cookies Policy
  • OPEX 005 Data Retention Periods – Employment Law
  • OPEX 006 Subject Access Request
  • OPEX 007 Data retention Periods

If you would like to review any of our related documents please contact Sarah Christie, Chief Financial Officer, on sarah.christie@opex-group.com


A cookie is a small piece of text sent to your browser by a website you visit. It helps the website to remember information about your visit, like your preferred language or other settings.

A cookie helps analyse web traffic or lets website operators know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

This website uses Google Analytics, a web analytics service provided by Google, Inc. Google Analytics sets a cookie in order to evaluate the use of our website and compile reports on user activity.

It may use a set of cookies to collect information and report website usage statistics without personally identifying individual visitors to ourselves or to Google. The main cookie used by Google Analytics is the ‘__ga’ cookie.

Google stores the information collected by the cookie on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. By using opex-group.com, you consent to the processing of data about you by Google in the manner and for the purposes set out above.


Some people prefer not to allow cookies, which is why most browsers give you the ability to manage cookies to suit you. Some browsers limit or delete cookies, so you may want to review your cookie settings and ads settings. In some browsers you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your privacy. What this means is that you can disallow cookies from all sites except those that you trust.

For example in the Google Chrome browser, the Tools menu contains an option to Clear Browsing Data. You can use this option to delete cookies and other site and plug-in data, including data stored on your device by the Adobe Flash Player (commonly known as Flash cookies).

Another feature of Chrome is its incognito mode. You can browse in incognito mode when you don’t want your website visits or downloads to be recorded in your browsing and download histories. Any cookies created while in incognito mode are deleted after you close all incognito windows.

Other browsers include Microsoft Edge, Internet Explorer, Mozilla Firefox, Safari and Opera; as well as others. Please consult the relevant documentation for the browser you are using to find what cookie management options are available in your chosen browser. Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this on the browser of your mobile device you will need to refer to your manual.

Signup to our Newsletter