Introduction
For the many firms, organisations and individuals who purchase our services this document provides information and assurance on how we will comply with the GDPR.
Under the GDPR we are a Data Controller1. We are not a Data Processor2 as we do not process data under the instructions of any third party Data Controller
Processing Activities
- As a Data Controller we have reviewed the purposes of our processing activities and will always select the most appropriate lawful basis (or bases) for each activity.
- We will document our decision on which lawful basis applies to help us demonstrate compliance.
- We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy policy.
- We do not process special category data, criminal offence data or data relating to children.
- We do not sell or rent any personal data.
- In relation to consent as a lawful basis for processing, we will ask people to positively opt in and we will not use pre-ticked boxes or any other type of default consent.
- We will tell individuals they can withdraw their consent at any time and we will never use consent a precondition of a service.
- In relation to legitimate interests as a lawful basis for processing, we have conducted a legitimate interests assessment (LIA) and on the balancing test are confident that the individual’s interests do not override those legitimate interests and we only use individuals’ data in ways they would reasonably expect.
- We include more information about our legitimate interests in our privacy policy.
- How to contact us
- Purpose of the processing and the lawful bases for the processing
- The legitimate interests
- Categories of personal data
- Retention period
- Data subject’s rights
- The right to withdraw consent at any time
- The right to lodge a complaint with us and/or the ICO (the UK supervisory authority)
- The possible consequences of failing to provide personal data as part of entering into a contract
- Security