At PolicyViewer Ltd. we are committed to keeping your data private and secure, and will act in accordance with the General Data Protection Regulation (GDPR), Data Protection Act, the Privacy and Electronic Communications Regulations (PECR), and further amendments to ePrivacy regulations resulting from the implementation of GDPR as they come into force.
We are also registered as a Data Controller, under the Data Protection Act, with the Information Commissioner’s Office, for the purposes of Data Protection, and we are also a Data Processor on behalf of our clients.
This Privacy Notice explains what personal data we collect and how we store and use the data that we hold. The lawful basis for processing the data is to fulfil our contractual obligations with our clients and to respond to the enquiries of potential clients.
Who we are
Registered in England and Wales.
Registered Company Number: 11446221
Registered Address: 128 City Road, London, EC1V 2NX
Telephone number: 0208 191 7738
Named contact: Christian Wright – Director
About the General Data Protection Regulation (GDPR)
This privacy notice is written in accordance with the General Data Protection Regulation.
The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016, and after a two-year transition period, became enforceable on 25 May 2019.
It gives individuals the right to:
- be informed about how we use their personal data;
- have access to the personal data that we hold;
- request that their personal data is amended if it is inaccurate or incomplete;
- request that their personal data be erased where there is no compelling reason for its continued use;
- object to their personal data being used for direct marketing purposes;
- request that the processing of their data be restricted;
- obtain and reuse their personal data for their own purposes across different services e.g. to move, copy or transfer their data from one IT environment to another in a safe and secure way;
- not be subject to automated decision-making or profiling;
- object to their personal data being processed.
We must comply with these rights. After someone gives their consent for us to use their personal data, they may withdraw this consent at any time.
What we collect
Primarily, we collect the contact details of the clients or people that we work with so that we are able to contact them as part of the legitimate relationship that we have with them. This includes the full names, job titles, telephone numbers, work addresses or work email addresses of our own suppliers and the staff, governors or other representatives at our customers’ schools (where applicable). We need this data to fulfil our contractual duties.
We also collect or process:
- the name and contact details of individuals who complete the contact forms on our websites, or who telephone, email or write to us enquiring about our products or services;
- details of the staff who are listed within our PolicyViewer platform which includes their full name and work email address.
What we don’t collect
Although the PolicyViewer platform may make a connection with a customer’s own IT systems we do not have access to view or download information within the environment of these IT systems. We only process or use limited data that is directly related to the role that we are undertaking. For example, the names, job roles and email addresses of staff which appear in our own platform. All other information is considered to be confidential, not accessible and out of the scope of our use.
What do we use the data for?
We use the data that we hold to:
- respond to people who have made an enquiry about our products or services;
- evaluate the suitability of prospective customers and our ability to provide a suitable product or service that best meets their needs;
- provide the PolicyViewer service, which uses the names, job titles and email addresses of staff in order for the system to notify staff of school policies;
- make people aware of our products or services if they have given us permission to do so or where there is a legitimate interest;
- make people aware of our own offers and promotions if they have given us permission to do so or where there is a legitimate interest;
- send newsletters or updates to people who have given us permission to do so or where there is a legitimate interest;
- produce quotations, proposals and invoices, and to maintain a record of our financial transactions with customers as part of our accounting processes;
- gain an understanding of our website traffic and how and when people are using our websites. This includes, amongst other things, details of the device used to access the website, the rough location of the user, the actions they take on the website and the source of their visit, e.g. via a particular search engine, 3rd party website or advertisement.
Who do we share this data with?
- If we are lawfully permitted to do so, and acting on a customer’s behalf, we may pass on the contact details of individuals including their name, job title, address, telephone number and email address, in order for us to carry out our duties as instructed by the customer.
- If we are lawfully permitted to do so, and acting on a customer’s behalf, we may pass on the contact details of individuals including their name, job title, address, telephone number and email address to our own suppliers, but only if it is necessary to carry out our duties and if the supplier has an adequate Privacy Notice and security measures in place.
- Our hosting provider, Krystal Hosting Ltd, hosts websites that we have produced. If your website is hosted with them then, by default, any information contained within it (either on the public pages or within password-protected areas) will reside on their servers. Please note that we use their UK data centre for our sites.
- The name, work address and job title of the relevant ‘addressee’ staff member on our invoices will be, by default, shared with our accountancy firm (Ledgers Accountancy Services Ltd).
We may also, if lawfully requested or permitted to do so, share data with the UK government, HM Revenue and Customs, debt collection agencies, police forces or courts.
How do we protect your data?
We ensure our anti-virus software is properly installed and kept up-to-date.
Our computers and mobile phones are password protected and never left unlocked when unattended.
We change all of our passwords regularly and do not use the same password for different systems.
Log-ins and access details are stored within password protected areas to provide a second layer of protection.
We do not send personal data via methods which are not encrypted.
Information which we no longer need to fulfil our contractual obligations is deleted from our systems, even if we are still working with the customer.
Data that we hold will be deleted when the contract comes to an end, or when the customer stops using our products or services, with the exception of quotations and invoices for accountancy records.
If we dispose of a computer then all data is removed prior to its disposal.
Users have the option to accept Cookies when visiting our websites and our Cookies Policy is available to view which explains what Cookies are, which Cookies we use and how we use them.
With regards to the PolicyViewer platform:
- The site itself has SSL.
- The information we store is encrypted.
- The LDAP connection will use an SSL certificate generated by your Directory Server.
- When using an LDAP connection to your Directory Server, PolicyViewer stores only a user’s GUID and not any other personal data. This makes the PolicyViewer platform itself more secure with regard to individuals’ data. (Personal data is pulled from your Directory Server in real time only as required; nothing is cached on PolicyViewer.)
- The firewall is configured to allow only trusted applications (such as PolicyViewer) access via LDAP through ports 389 and 636 (Port 389 is enabled only during initial setup to ensure LDAP, to troubleshoot authentication issues).
- Data is stored in a secure EU data centre.
There are also other ways for you to enable access to Directory Server data but also keep it protected from the wider internet. These include:
- Creating a Read-Only Domain Controller in an Active Directory environment.
- Tunnelling LDAP requests via SSH or a VPN.
- Developing a specific web service to pass selected Directory Server data.
How long do we keep the data for?
The data is only kept for as long as we are providing products or services to the customer. With the exception of information which is needed for accountancy purposes, or if an individual has opted-in to receive future communication, we will remove all personal data that we hold when the contract comes to an end, or when they opt-out or stop using our products or services. However, if someone has stopped using our products or services and we have not yet received full payment for the products or services that were used then we will need to retain their contact details until the full payment has been made.
If you are a supplier then we will hold your data until we no longer need, or want to use, your products or services, or until you ask us to erase the data that we hold.
As a UK-based Ltd company, we must keep financial records for 6 years from the end of the last company financial year they relate to. This means that we will have a record of the names, job titles and contact details of the people who appear on quotations, purchase orders, invoices and remittance notices for this period of time.
The rights of our clients as Data Controllers and our role as Data Processors
Our clients are Data Controllers and as part of fulfilling our duties, we may have to process data on their behalf as the Data Processor.
As a company we will:
- act in accordance with this Privacy Notice;
- act with transparency;
- provide complete confidentiality;
- act in accordance with your own Privacy Notice and abide by the rules, terms or conditions that you provide so that you are able to comply with your own data protection and confidentiality requirements;
- not use another Data Processor without your prior written consent;
- only process data in the way that is necessary for us to fulfil our obligations under the contract;
- contact you and the ICO immediately if there is a data breach, providing full details of how it happened, why it happened, the impact, and what we are doing to ensure that it cannot happen again.
As a customer you:
- have the right to have access to the data that we hold about you;
- have the right to restrict the data that we hold and the access to that data;
- have the right to request an amendment to the data that we hold;
- have the right to object to the data being processed or how it is being processed;
- have the right to request that the data be erased;
- must not ask us to hold or process data in a way that is unlawful.
Transferring data outside of the EU
If we ever have the need to transfer data to a country outside of the EU then we will ensure that this complies with data protection law and that the company has adequate safeguards. However, this is only likely when you or the customer requests such processing under the working relationship or contract that we have with you, and when we have a valid reason for doing so.
Our expectations of our suppliers
We expect our suppliers to:
- be committed to keeping personal data private and secure, and act in accordance with the General Data Protection Regulation (GDPR), Data Protection Act, the Privacy and Electronic Communications Regulations (PECR), and further ePrivacy directives resulting from the implementation of GDPR as they come into force;
- be registered as a Data Controller under the Data Protection Act with the Information Commissioner’s Office for the purposes of Data Protection if applicable;
- act with complete transparency with regards to data protection;
- act with complete confidentiality, never disclosing information about our clients to others who are not directly involved in the delivery of the products or services that you are providing to us.
Who to contact
If you have any enquiries or requests related to the data that we may hold about you then you can contact us in the following ways:
By telephone: 0208 191 7738
By email: firstname.lastname@example.org
By letter: PolicyViewer Ltd, 128 City Road, London, EC1V 2NX
If you request a copy of the data that we hold then we will provide this within 21 days of the request and we will ask that you verify your identity before we release the data.
Data Protection Officer
Our Data Protection Officer is the Company Director, Christian Wright: email@example.com
How to complain
In the first instance, please contact our Data Protection Officer who is listed above. You can also submit your complaint to the Information Commissioner by using the following contact details:
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF