(Last Updated Oct 2020)
This policy sets out how we will use and, occasionally, share the information that you provide us and relates to personal data collected by us via:
• The Echo DMS website
• Visits to our office
• Paper, Telephone and Email communications
• Enquiring about or buying products or services from us
• Enquiring about or supplying products or services to us
You should be aware that, if you access third party websites using links provided on this website, these websites are outside of our control and have their own privacy policies governing the use of personal data. We do not accept any responsibility or liability for these policies.
Why we process your data
Whilst you are either an active client or supplier, we will process your personal data under the legal ground of ‘Contract’, regardless of whether there is a formal written contract in place. Where we use any email addresses you have provided to us, these will be processed under ‘Consent’. If you should stop being an active client or supplier, then we will continue to process your data on ‘Legitimate Interest’ grounds as you may wish to work with us again in the future, or we may wish to purchase goods or services from you. After two years of inactivity, or earlier if requested, any personal data held will be deleted except where we are legally required to retain it for longer.
The data we process
We may collect and process the following categories of personal data about you:
• Name & Contact Details (including organisation name, job title, email address, postal address and telephone number)
• Information generated by the work, service or relationship we may have with you
• Business details, bank and financial details and general correspondence
You may ask to see what personal data is held by us (contact firstname.lastname@example.org or call 01454 568 555) and we will provide this free of charge and in any reasonable format required. If you notify us of any amendments that are required to the personal data we hold, we will change them and if you wish us to delete the information or stop contacting you, then we will do so. It is important that the personal information we hold about you is accurate and current. Please keep us informed of any personal information changes during your relationship with us. Please also note that we are required to obtain affirmative proof of identity prior to releasing any information.
How we collect information about you and how we will use it
We may collect and process information that you provide during your correspondence with us in one of the following ways:
• When filling in the ‘Contact Form’ on our website
• When requesting details of our products or services
• When providing us with bank details for payment purposes
• Communicating with us through methods including but not limited to e-mail, telephone and written correspondence
We will only use your personal information in ways that do not contravene the Data Protection Act (2018).
We will generally use your personal information in the following circumstances:
• Where we are committed to perform a contractual obligation we have entered into with you, or the business for whom you work
• Where it is necessary for our Legitimate Interests and where your interests and fundamental rights do not override those interests
• Where you have given consent for us to process your information
• Where we need to comply with a legal obligation
Your personal data will not be sold or rented to other companies.
We may share some of your personal data with the following categories of third parties:
• Suppliers who provide goods or services to our clients as a part of our contractual obligation
• Suppliers who provide services to us to help us run our business
We require third parties to respect the security of your personal data and to treat it in accordance with the law. We will share your personal information with third parties where required by law.
Data subject’s rights
You have rights in respect of your personal data. We will need to confirm your identity before we can consider your request so, if you wish to exercise any of these rights, we will need a suitable form of identification. Please contact the DPO as this identification will depend if personal or company data is required for disclosure.
Right of access – you have the right to know whether we are processing your personal data, and to a copy of that data. We would need as much information as possible to enable us to locate your data. We will respond to your request within 21 days of receipt of your request. If you want to exercise this right, please contact the DPO at the contact details below. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
Right to rectification – you have the right to have any incorrect personal data corrected or completed if it is incomplete. You can make this request verbally or in writing. We will need as much information as possible to enable us to locate your data. We will look at any request and inform you of our decision within 21 days of receiving the request. If you want to exercise this right, please contact the DPO at the contact details below. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/
Right to erasure – this right, often referred to as the right to be forgotten allows you to ask us to erase personal data where there is no valid reason for us to keep it. We will look at any request and inform you of our decision within 21 days of receiving the request. If you want to exercise this right, please contact the DPO at the contact details below. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
Right to restrict processing – you have the right to ask us to restrict processing of your data. We will look at any request and inform you of our decision within 21 days of receiving the request. If you want to exercise this right, please contact the DP at the contact details below. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/
Right to data portability – you have the right to move, copy or transfer your personal data from one IT environment to another. This right applies to data that you have provided to us and that we are processing on the legal basis of consent or in the performance of a contract and that processing is by automated means. We will respond to your request within 21 days of receipt of your request. If you want to exercise this right, please contact the DPO at the contact details below. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/
Right to object – you have the right to object to our processing of your personal data based on (i) legitimate interests, or for the performance of a task in the public interests/exercise of official authority (including profiling); (ii) direct marketing (including profiling); and (iii) for purposes of scientific/historical research and statistics.
(i)Legitimate interests/legal task – your objection should be based on your particular situation. We can continue to process the data if we can demonstrate compelling legitimate grounds which override your interests.
(ii)Direct marketing – you have an absolute right to ask us to stop processing for the purposes of direct marketing. We will action your request as soon as possible.
(iii)Scientific/historical research and statistics – your objection should be based on your particular situation. If we are conducting research where the processing is necessary for the performance of a public task, we can refuse to comply with your objection.
If you want to exercise this right, please contact the DPO at the contact details below. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/
Rights relating to automated decision making including profiling – you have the right in respect of automated decision making, including profiling. Where we carry out solely automated decision making, including profiling, which has legal or similarly significant effects on you, we can only do this if it is in connection with a contract with you, we have a right under law or you have provided your explicit consent. We will tell you if this happens and tell you how you can request human intervention or challenge the decision. If you want to exercise this right, please contact the DPO at the contact details below. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/
International Transfer of Data
We will not send your data outside the European Economic Area (the European Economic Area being the European Union and Iceland, Liechtenstein and Norway, also referred to as the ‘EEA’.
Retention and deletion of personal information
We will take all reasonable steps to ensure the accuracy of the information we hold about you. We will not use your personal information unless it is, to the best of our knowledge, accurate.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Data Protection Officer
If you would like to raise any concerns or queries with us then please contact our Director and lead data security officer, David Jarrett.
email: email@example.com or telephone: 01454 568 555
You also have the right to complain to the Information Commissioners Office if you believe we have not acted within the law or have infringed your rights https://ico.org.uk/for-the-public
We will do our best to protect your personal information. Once we have received your data we will use security measures to try to protect it against loss, misuse, or unauthorised alterations.