Data & Privacy Policy
We have measures in place to protect your rights and the personal information that we hold for individuals and organisations. We work hard to comply with all relevant laws including the UK Data Protection Act (1998) and the General Data Protection Regulations (GDPR) introduced in May 2018. We maintain internal data protection and privacy policies on which all our staff are trained to ensure that we meet our obligations under these laws. Additionally, we seek contractual commitments from all third-party data processors to which we provide personal information for the day-to-day transaction of our business and marketing activities, to ensure that they meet or exceed the standards that we apply.

We review and change our policies and processes regularly to ensure that we continue to meet any changing demands of the applicable laws. We encourage our staff to be vigilant and to report to the Directors any suspected non-compliance with our policies, and are committed to taking action whenever these reports are made.

Privacy Policy for Website – GDPR

Under Article 13 of the GDPR, a business is required to provide the individual with certain information at the point their data is collected (see Drafting note, Provision of information to data subjects). All information provided must be concise, transparent, easily accessible and given in plain language (Article 12, GDPR).

It remains to be seen how this presentational requirement will be interpreted by the ICO. Although the WP29 Draft Transparency Guidelines have already suggested various mechanisms to assist with these requirements, there remains an inherent tension between the requirement to provide extensive information to individuals and the conciseness requirement.

The GDPR allows for the use of visualisation tools as well as language communications to comply with the principle of transparency.
Visualisation tools can include icons, certification mechanisms and data protection seals and marks. As these mechanisms are still in their infancy, this document does not refer to them in detail.

Many privacy regulators recommend a layered notice format, which pairs a short summary with a linked detailed disclosure, as the most effective way to simplify a complex privacy notice and make it clearly and conspicuously accessible. In particular, the ICO recommends using several different techniques to present information in a fair and transparent way, taking into account the audience, the available methods of communication and the complexity of the data processing. However, businesses should avoid fragmenting notices into too many individual documents to ensure the privacy notice remains accessible to users. The WP29 Draft Transparency Guidelines also refer to use of “privacy dashboards” and “just-in-time” notices which businesses may want to consider implementing.

This privacy notice follows a layered format providing links to certain sections which lend themselves to being clicked through to, rather than setting out everything in full in one document. This notice has split the different areas by the type of processing (for example, collection, use and sharing). However, businesses could follow a different format and split their notice up differently, by perhaps following the execution process with a customer (for example, marketing, onboarding a customer and provision of goods and services, after sales or complaints).

Organisations with entities in multiple jurisdictions face compliance challenges when trying to implement website privacy notices as part of a global privacy compliance programme.
Multinationals must choose between implementing a single, global privacy notice applicable for all their customers globally or jurisdiction-specific or regional privacy notices, taking into account the fact that even within the EU, member states are likely to have varying rules on data protection.

Provision of information to data subjects

The GDPR requires businesses to provide the data subject with the following information:
The controller’s identity (meaning the name of the legal entity) and contact details and its representative, if any.
The contact details of the data protection officer (DPO), where applicable.
The intended purposes of, and the legal basis for, the processing.
Where the processing is based on Article 6(1)(f) of the GDPR (legitimate interest), the legitimate interest pursued by the business or by a third party.
The recipients or categories of recipients of the personal data, if any.
Where applicable, the fact that the business intends to transfer the personal data to a recipient in a country outside the EU or an international organisation, and the existence or absence of a Commission adequacy decision or information about the appropriate or suitable safeguards adduced to secure the data and the means to obtain a copy of them.

Data Policy

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Identity Data includes first name, last name, username or similar identifier, title, date of birth and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website, products and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Identity Data includes first name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website, products and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose.