How we use your information
This privacy notice tells you what to expect when GDPR Compliance Ltd. (GDPR365) collects personal information. It applies to information we collect about:
- visitors to our websites;
- complainants and other individuals in relation to a data protection complaint or enquiry;
- people who use our services, for example who subscribe to our service or our newsletter;
- people who notify under the Data Protection Act; and
- job applicants and our current and former employees.
Data we collect on visitors to our website and how we use it
When someone visits www.gdpr365.com we use a third party service, Google Analytics, to collect standard Internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site or which portions of our service are being used. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Marketing emails and newsletters
We use a third party provider, SharpSpring, to deliver our emails and newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our communications. For more information, please see SharpSpring’s privacy notice.
Security and performance
GDPR365 uses a third party service to help maintain the security and performance of the GDPR365 website. To deliver this service it processes the IP addresses of visitors to the GDPR365 website.
We use a third party service, <CMS Name>, to publish our blog, and some of our landing pages. These sites are hosted at <hosting location>, which is run by <name>. We use a standard <CMS name> service to collect anonymous information about users' activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. <CMS Name> requires visitors that want to post a comment to enter a name and email address. For more information about how <CMS Name> processes data, please <Company privacy notice>
People who contact us via social media
We use a third party provider, <name>, to manage our social media interactions.
If you send us a private or direct message via social media the message will be stored by <name> for <x> months. It will not be shared with any other organisations.
People who call our helpline
When you call GDPR365's helpline we collect Calling Line Identification (CLI) information. We use this information to help improve its efficiency and effectiveness.
People who email us
Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with company policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
People who make a subject access request to us
When we receive a subject access request from a person we make up a file containing the details of the request. This normally contains the identity of the individual and any other individuals involved in the request.
We will only use the personal information we collect to process the request and to check on the level of service we provide. We do compile and may publish statistics showing information like the number of requests we receive, but not in a form which identifies anyone.
We will keep personal information contained in request files in line with our retention policy. This means that information relating to a request will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
People who use GDPR365 services
GDPR365 offers a service to subscribers. Any processing that occurs on behalf of a third party is done in strict accordance with our policies.
We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the organisation has requested and for other closely related purposes. When people do subscribe to our services, they can cancel their subscription in accordance with our Terms of Service.
Notifications to Data Protection Authorities
Through your engagement with the GDPR service we may, as required by law and with your approval, ‘notify’ certain specified information to the Data Protection Authority or Information Commissioner. This may contain personal information, for example where the business is a sole trader. GDPR365 compiles this information into a register which it is required by law to make publicly available. GDPR365 cannot therefore give any guarantees as to how the information contained on the register will be used by those accessing it.
When businesses fill in their registration forms, they are asked to provide the contact details of a relevant member of staff. GDPR365 will use this for its own purposes, for example where we have a query about a registration or to provide support for the GDPR365 service.
When we request information as part of the registration process, we make it clear where the provision of information is required by law and where it is voluntary.
Service providers reporting a breach
Public electronic communications service providers are required by law to report any security breaches involving personal data to the appropriate Data Protection Authority.
GDPR365 provides an online form for this purpose. We use the data collected by the form to record the breach, to make decisions about the action we may take, and as relevant in order to carry out those actions. GDPR365 retains personal information only for as long as necessary to carry out these functions, and in line with our retention schedule. This means that logs and breach reports will be retained for two years from receipt, and longer where this information leads to regulatory action being taken. We retain de-personalised information about organisations for as long as is necessary to help inform future actions, but no individuals are identifiable from that data.
GDPR365 has measures in place to ensure the security of data collected and transferred via this form. GDPR365 only processes personal information in line with client instructions.
Job applicants, current and former GDPR365 employees
When individuals apply to work at GDPR365, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from a records bureau, we will not do so without informing them beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once a person has taken up employment with GDPR365, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with GDPR365 has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.
Complaints or queries
GDPR365 tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of GDPR365’s collection and use of personal information. We are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
Access to personal information
GDPR365 tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’. If we hold information we will:
- provide a description;
- explain why we hold it;
- tell you who it could be disclosed to; and
- provide you with a copy of the information.
To make a request to GDPR365 for any personal information we may hold, you need to submit the request by filling in this form or by writing to the address provided below.
If we do hold information about you, you can ask us to correct any mistakes and we will do so, or request that we stop using all or any portions of the information we hold.
Disclosure of personal information
In many circumstances we will not disclose personal data without consent. However, when we investigate a subject access request or complaint, for example, we may need to share personal information with the organisation concerned and with other relevant bodies.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Last update to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 2 May 2017.
How to contact us
GDPR Compliance Ltd.
1st Floor, 10/11 Exchange Place