GDPR Policy

Last Reviewed Aug 2019

In addition to our Privacy Policy there are several further considerations and regulations to take note of. 

Under GDPR individuals (data subjects) have a number of rights with which they can control the use of their information

Right of Access/Data Subject request – Applicable to Clients

Individuals have the right to obtain from us confirmation as to whether personal data concerning them are being processed and, where that is the case, access to the personal data.

  • Requests for right of access/subject access request may ask for all data or just some specified data and should contain enough information about the individual to allow us to correctly identify the person making the request
  • Should a verbal request be made we may need further evidence to confirm identity
  • In addition to this it would be helpful to have this in writing, so the data subject can provide us with a list of all data they are requesting

For example, the data subject may request order / contract history information or email correspondence between them and us. It should be noted this is not an exhaustive list.

We can refuse the request if the data subject’s data contains information about another individual unless:

  • the other individual has agreed to the disclosure
  • it is reasonable to provide the information without the other individual’s consent

In the above case we must balance the data subject’s right against the other individual’s rights regarding their own information

We can also refuse the request if it is manifestly unfounded or excessive.

In the case of any refusal we need to inform the data subject making the request, justifying the decision, and inform them of their right to complain to the ICO or through the courts

We may only charge a fee if the request is manifestly unfounded or excessive in which case a reasonable fee to cover administrative costs may be due

Example template and definitions

Definitions

Right of Access/Subject access request draft – Notes for PVTL

  • Personal Data – data held on system
  • Purposes of processing – in relation to purposes laid out in privacy policy
  • The categories of personal data concerned – See Records of Processing Activities
  • Categories of recipient to whom the personal data have been or will be disclosed – See disclosures of data section of privacy policy
  • Envisaged period for which the personal data will be stored – seven year retention period for legal and tax obligations
  • Existence of right to request rectification, erasure etc. – *
  • Right to lodge complaint with ICO – **
  • If data not collected from subject, information as to source – sources such as person placed an order / signed a contract to be delivered to third party
  • Data to be transmitted in email form if request made electronically or if requested in an alternative form
  • Request should be fulfilled in one month or less

* Please note you have other rights under data protection laws detailed below

  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it

** You have the right to make a complaint at any time to the supervisory body responsible for data protection concerns, the ICO, by visiting their website at https://ico.org.uk/. However, we would appreciate the opportunity to address any concerns you have before you approach them so please get in touch with us beforehand

Request example (please note this is simply for illustrative purposes and should not be taken as all the information that may be under the scope of the request).

 

Personal Data

  • Name – Example
  • Address – 123 A Street, A place, Somewhere
  • Phone – +44 1234567890
  • etc

Purposes of processing

  • Name – We use this information to fulfil our commitment as agreed
  • Address – We use this information to fulfil our commitment as agreed
  • Phone – We use this information to fulfil our commitment as agreed
  • etc – fill as applicable

Disclosures of data – The following information has been shared with service providers as required if necessary to complete our commitment as agreed in contract and statements of work

Data retention period – Your details will be held for a period of seven years to fulfil our legal/tax purposes

Please note you have other rights under data protection laws detailed below:

  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it

You have the right to make a complaint at any time to the supervisory body responsible for data protection concerns, the ICO, by visiting their website at https://ico.org.uk/. However, we would appreciate the opportunity to address any concerns you have before you approach them so please get in touch with us beforehand

RIGHT OF RECTIFICATION

Individuals have a right to have any data held about them corrected. In this instance we should consider the following

  • Requests for Rectification can be made verbally or in writing
  • Should a verbal request be made we may need further evidence to confirm identity
  • In addition to this it would be helpful to have this in writing for documenting the request
  • Any amendment of data should have a record of rectification associated with it

It should be noted that with any rectification request an individual can request restriction of their personal data while the accuracy of the data is being ascertained; however, this is best practice should a restriction request not be made

  • If any rectification is made it must be communicated to all third-party processors so they can rectify the data at their end

Much of this is likely to be beyond the scope of operation at PVTL LTD

For PVTL LTD it seems reasonable to amend any erroneous entries on any internal systems and leave notes documenting the changes and the date of the request.

We should also note the following:

  • We can refuse the request if it is manifestly unfounded or excessive
  • In the case of any refusal we need to inform the data subject making the request, justifying the decision, and inform them of their right to complain to the ICO or through the courts
  • We may only charge a fee if the request is manifestly unfounded or excessive in which case a reasonable fee to cover administrative costs may be due

RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN)

An individual has the right to obtain from us erasure of personal data without undue delay. The below should be taken into consideration:

  • Requests for Erasure can be made verbally or in writing
  • Should a verbal request be made we may need further evidence to confirm identity
  • In addition to this it would be helpful to have this in writing for documenting the request

RIGHT OF ERASURE/RIGHT TO BE FORGOTTEN APPLIES IN ANY OF THESE CASES

  • The personal data is no longer necessary for the purpose which we originally collected or processed it for
  • We are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent
  • We are relying on legitimate interests as the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
  • We are processing the personal data for direct marketing purposes and the individual objects to that processing
  • We have to comply with a legal obligation

If we have disclosed data to third parties within contractual purposes, we should inform them of the erasure request also.

If asked we also must inform the individual of the third parties the data has been disclosed to

If data has been fully anonymised, it does not fall under the scope of this right

If we are only retaining data for the minimum period possible, it seems unlikely we will be obliged to comply with any request; however, it would be good practice to assess the needs each time a request is made

We can refuse the request or charge a fee for carrying out the request under the below conditions:

  • We can refuse the request if it is manifestly unfounded or excessive.
  • In the case of any refusal we need to inform the data subject making the request, justifying the decision, and inform them of their right to complain to the ICO or through the courts
  • We may only charge a fee if the request is manifestly unfounded or excessive in which case a reasonable fee to cover administrative costs may be due

DATA ERASURE AT PVTL LTD

  • Data to be removed from any internal systems via direct human engagement
  • Emails to be found and wiped manually across all locations and email accounts as applicable

RIGHT OF RESTRICTION OF PROCESSING

The data subject has the right to obtain from PVTL LTD restriction of processing.

  • Requests for restriction of data processing should say what data the subject wants restricting and why
  • Should a verbal request be made we may need further evidence to confirm identity
  • In addition to this it would be helpful to have this in writing, so the data subject can provide us with an explanation for the concern, with evidence, and their desired solution

Requests for a temporary restriction of data processing are valid for the following cases

  • Where data subject wants us to establish the accuracy of the data
  • Where data subject needs us to keep the data though we no longer require it as they need it to establish, exercise or defend legal claims

Requests can also be made to limit data processing rather than erasure in the following cases

  • Where our processing of the data is unlawful, but data subject does not want it erased
  • Where data subject has objected to our processing of the data while we verify whether we have overriding legitimate grounds to use it

We should establish how we can restrict data in a secure fashion to prevent unauthorised processing of the data.

ICO suggests:

  • Make it unavailable to other users
  • Move data to another system
  • Temporarily remove from a website if published

Restricted data can be processed in the following situations:

  • With consent
  • Data needed for legal claims
  • It is used to protect another person’s rights
  • It is used for reasons of important public interest

Once we have investigated the complaint we may decide to lift the restriction and continue processing the data; however, we should inform the data subject before lifting the restriction.

We should respond to the request within one month however if we need more time to consider the request we can take another two months. In these cases, we should let the data subject know before one month is up and state the reasons why.

We may only charge a fee if the request is manifestly unfounded or excessive in which case a reasonable fee to cover administrative costs may be due.

RIGHT TO DATA PORTABILITY

Individuals have a right to have the data held on them transmitted to them or a nominated data controller under the following conditions:

  • Rights of data portability requests can be made in any form
  • Should a verbal request be made we may need further evidence to confirm identity. In addition to this it would be helpful to have this in writing for documenting the request

Right of Data Portability applies where:

  • lawful basis for processing is consent or performance of a contract
  • applies only to personal data of the individual that they have supplied directly; this can apply to data such as website usage
  • applies only to personal data and not genuinely anonymous data. However, if redacted data can be attributed to an individual when they provide extra data for identification, this falls under the right

If personal data supplied by an individual contains data about another we should consider the rights of the third party, however if the individual has supplied that third party’s data it is generally not a problem. In these instances, if transmitting this data directly to another controller, it may be prudent to reconsider this third party’s rights

  • The right entitles individuals to a copy of their personal data and/or to have their data transmitted directly to another controller
  • Any method for transmission of this data must be secure
  • Data to be supplied as CSV

If we receive data as a result of a request, i.e. sent to us or requested from another, we should consider if we have lawful basis for processing all or part of that data, and in the event we receive data that is excessive for our needs we should delete it as soon as possible.

The data we receive and subsequently store falls under the same GDPR obligations as any other data we control or process.

  • Requests should be responded to in one month
  • The right has no effect on the right of erasure; an individual can request their data be transmitted to them or another controller without having it removed from our system. While right of portability and erasure are separate, it is not unreasonable to ask for both at the same time, in which case care must be taken to ensure the portability request is completed first
  • Portability shall not apply to data processed in the course of a task carried out in the public interest or in exercise of official authority vested in the controller

We can use the right of access request template as a starting point for compiling the data to be sent

We should also note the following:

  • We can refuse the request if it is manifestly unfounded or excessive.
  • In the case of any refusal we need to inform the data subject making the request, justifying the decision, and inform them of their right to complain to the ICO or through the courts
  • We may only charge a fee if the request is manifestly unfounded or excessive in which case a reasonable fee to cover administrative costs may be due

TO BE NOTED FOR REQUESTS OF RECTIFICATION, ERASURE AND RESTRICTION

Any rectification, erasure and restriction must be communicated to all third parties to whom the data has been disclosed as applicable within the MSA / Contract / Statement of work/s.

We must inform the data subject of disclosure to third parties if requested.

ADDITIONAL INFORMATION TO BE NOTED FOR RECORD KEEPING

GDPR also requires us to note the following and keep this up to date with regular reviews

RECORDS OF PROCESSING ACTIVITIES

We have categorised the types of data, subjects and recipients we deal with below for reference

Categories of Personal Data – Data defined under this category (though not exclusive)

  • Identity Data – Name
  • Contact Data – Address, Email Address, Phone Number
  • Order / Contract Data – Relevant order / contract and payment information
  • Usage Data – IP Address, Information about website usage / mail engagement
  • Subscription Data – Name, email address, phone number

Categories of Data Subjects – Explanation

  • Customers – Individuals that have worked / in contract with us
  • Subscribed Individuals – Individuals that have given consent to receive marketing emails
  • Business Enquiries – Individuals that have voluntarily contacted us
  • Website browsers – Individuals browsing the website
  • Staff – Employees

Categories of Recipients of Personal Data – Explanation

  • Service Providers – Processors based in the EU who provide delivery services, accounting services etc
  • Fulfilment Partners – Suppliers, CRM Platform
  • Marketing Platforms – We use these to send promotional emails etc
  • HMRC, regulators, police & other authorities – Processors or joint controllers who require reporting of processing activities in certain circumstances (such as criminal activity, including but not limited to, fraud)

DATA CONTROLLER 

Tait Pollack

CONTROLLER’S REPRESENTATIVES

Sam Davison

Hannah Dunham

CONTACT DETAILS

PVTL Limited t/a Pivotal,

3-4 Pivotal House,
Red Lion Street,
Norwich, Norfolk,
NR1 3TB, United Kingdom

+44 1603 630 016

[email protected]

Categories of Personal Data – Data defined under this category (though not exclusive) – Retention period (if data overlaps categories, the retention period will be whichever is the longer for the categories concerned)

  • Identity Data – Name – See privacy policy Data Retention section
  • Contact Data – Address, Email Address, Phone Number – See privacy policy Data Retention section
  • Order / contract Data – Relevant order / contract and payment information – See privacy policy Data Retention section
  • Usage Data – IP Address, Information about in cart items – See privacy policy Data Retention section
  • Subscription Data – Name, email address, phone number – See privacy policy Data Retention section

PERSONAL DATA PROCESSING

As per privacy policy, data collected is processed on the following bases

Site browsing

  • Data used: 1. IP Address; 2. Information about your browsing habits
  • Basis for using the data: 1. Necessary for our legitimate interests – We use this data in maintaining the security of our website, helping to ensure a safer environment for visitors; 2. Where you have provided consent

Onboarding of a client

  • Data used: 1. Name; 2. Address; 3. Phone Number; 4. Email; 5. Relevant order / contract and payment information
  • Basis for using the data: This data is required for the purpose of a contract / working together

Communications (Email enquiries and contacting us)

  • Data used: 1. Name; 2. Email Address
  • Basis for using the data: 1 & 2 Necessary for our legitimate interests – We use these details to get in touch with you to answer any queries or concerns you may have

Record Keeping

  • Data used: 1. Name; 2. Address; 3. Phone Number; 4. Email; 5. Relevant order / contract and payment information
  • Basis for using the data: 1-5 We are required to use this data to comply with legal obligations

To respond to requests for information regarding suspected or actual criminal activity including fraud

  • Data used: 1. Name; 2. Address; 3. Phone Number; 4. Email; 5. Relevant order / contract and payment information; 6. IP Address
  • Basis for using the data: 1-6 Processing of these data is both necessary for our legitimate interests – to help prevent crime and fraud – and would be necessary to comply with legal obligations

All processing of personal data is undertaken with security measures appropriate to the degree of risk to individual’s rights and freedoms, detailed in Security of Processing

SECURITY OF PROCESSING

Electronic Security

  • All data stored in electronic form is stored in an encrypted, secure fashion. We have appropriate measures in place to protect this data, including the ability to redact, erase and pseudonymise.
  • All outbound emails are encrypted, and inbound correspondence originating from platforms we control is encrypted.
  • All Staff have been trained to ensure ongoing confidentiality, integrity, availability & resilience of processing systems and services

Website Hosting Security

Our own websites, internal platforms and internal tools are hosted in facilities with the security measures in place that include but are not necessarily limited to:

  • CCTV coverage throughout
  • Perimeter Fencing
  • Proximity card access to all doors and turnstiles
  • Gated trap controlling vehicle movements around site
  • Security centre staffed 24/7
  • Generator backup with sufficient fuel on site to power the building/s
  • Access controlled by proximity card

With the following accreditations:

  • ISO 27001 – Information security management systems standard
  • PCI DSS – Payment card industry data security standard
  • EU Code of Conduct for Data Centres – Participant
  • Government cyber essentials scheme – Certification
  • NaCTSO – endorsement of comprehensive security procedures

In-house Security

We have a number of principles and procedures in place in our business environment to preserve and protect the integrity and security of personal data including:

  • PCIDSS Compliance
  • All systems protected by secure passwords stored in secure password management system
  • All computers lock after 10 minutes of no activity
  • No public access to work computers – Designated machine for public access locked onto guest network
  • Computers and devices are all password protected
  • All computers have up to date operating systems and an up to date security suite which covers antivirus, firewalls, browsing and email protection
  • All computers / systems are in a private network with personal devices locked out
  • Systems are scanned locally on a weekly basis, alongside external vulnerability scanning and penetration testing
  • All paper records are securely destroyed using cross shredding
  • Any Electronic waste containing sensitive information is destroyed accordingly
  • Public access is limited and monitored / supervised by staff at all times
  • All important records are securely stored behind lock and key
  • Building is locked securely when unattended
  • Appropriate risk assessments (DPIA) are undertaken where appropriate – (such as Migrating database or server, changing CRM provider or payment gateway provider and developer access to sensitive areas)
  • If a DPIA has the potential to be high risk which can’t be mitigated through additional measures in place, we would inform the ICO.
  • Important Data is backed up on site and stored remotely
  • We can restore any data up to 72 hours in the past
  • All partners we work / engage with as part of our services and offerings are GDPR compliant, and any data that is stored with / passed to them is for the purpose of testing or completing specified tasks under the instruction of PVTL LTD. All data passed on to data processors is stored securely and all data has a minimum of the same security measures that PVTL LTD have undertaken. No PII data is passed to third party partners / services unless required for the purpose of processing and completion.
  • All Staff have been trained to ensure ongoing confidentiality, integrity, availability & resilience of processing systems and services

In addition to this, all staff have been fully trained in keeping a secure data protection standard within the IT and business environment, including some of the below methods and things to look out for:

  • Unusually slow Internet or Devices
  • Locked out accounts
  • Pop-ups and redirected websites when browsing
  • Unexpected software installs
  • Unexplained changes to files
  • Anomalies in normal network traffic patterns
  • Abnormal outbound traffic
  • Irregular access locations
  • Large number of requests for the same objects or files
  • Suspicious activity on the network after-hours
  • Multiple failed login attempts
  • Unknown/unauthorized IP addresses on wireless networks
  • Unexplained system reboots or shutdowns
  • Services and applications configured to launch automatically

In the event of a data breach we will notify the competent supervisory authority within 72 hours of detecting it, with all relevant information as requested in Article 33

If required and necessary in accordance with Article 34 we will notify the subject/s of a data breach also.

Restrictions and exemptions

GDPR provides provisions for member states to introduce rules that suspend the transparency obligations and individual rights of the regulation, but only where the rules respect the individual’s fundamental rights and freedoms and are a necessary and proportionate measure in society to safeguard the following:

  • National Security;
  • Defence;
  • Public Security;
  • The prevention, investigation, detection or prosecution of criminal offences;
  • Other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and security;
  • The protection of judicial independence and proceedings;
  • Breaches of ethics in regulated professions;
  • Monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;
  • The protection of the individual, or the rights and freedoms of others; 
  • or the enforcement of civil law matters.

While there is at this time no evidence these rules have been put in place in the UK, it seems reasonable that we should use the above instances as a guideline, on the basis that if the exemptions aren’t in place now they will be in due course

For further information refer to Article 23

Compensations and liabilities

Should a situation arise where an individual has suffered material or non-material damage as a result of infringement of GDPR, or believes they have, please refer to GDPR full text section 82 for details on right to compensation and liability.