For the many firms, organisations and individuals who purchase our services, this document provides information and assurance on how we will comply with the GDPR.
Under the GDPR we are a Data Controller¹. We are not a Data Processor², as we do not process personal data under the instructions of any third-party Data Controller.
- As a Data Controller we have reviewed the purposes of our processing activities and will always select the most appropriate lawful basis (or bases) for each activity.
- We will document our decision on which lawful basis applies to help us demonstrate compliance.
- We do not process special category data, criminal offence data or data relating to children.
- We do not sell or rent any personal data.
- In relation to consent as a lawful basis for processing, we will ask people to positively opt in and we will not use pre-ticked boxes or any other type of default consent.
- We will tell individuals that they can withdraw their consent at any time, and we will never make consent a precondition of a service.
- In relation to legitimate interests as a lawful basis for processing, we have conducted a legitimate interests assessment (LIA). On the balancing test we are confident that the individual's interests do not override our legitimate interests, and we only use individuals' data in ways they would reasonably expect.
The Rights of Individuals
When we collect personal data, we provide individuals with the following information:
- How to contact us
- Purpose of the processing and the lawful bases for the processing
- The legitimate interests
- Categories of personal data
- Retention period
- Data subject’s rights
- The right to withdraw consent at any time
- The right to lodge a complaint with us and/or the ICO (the UK supervisory authority)
- The possible consequences of failing to provide personal data as part of entering into a contract
We are committed to ensuring that personal data is processed in a manner that ensures its security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical and organisational measures.
Our procedures are compliant with the GDPR requirements.
Whilst we do not process special category data, we have breach detection, investigation and internal reporting procedures in place in order to facilitate decision-making about whether or not we need to notify the ICO and the affected individuals.
A record is kept of all personal data breaches, regardless of whether we are required to notify.
Where a notification is required, processes are in place to comply with Article 33 (notification to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to individuals, Article 34 (communication to the affected individuals).
¹ GDPR Article 4(7)
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
² GDPR Article 4(8)
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller