At Gwythan Ltd. we are committed to keeping your data private and secure, and will act in accordance with the General Data Protection Regulation (GDPR), Data Protection Act, the Privacy and Electronic Communications Regulations (PECR), and further amendments to ePrivacy regulations resulting from the implementation of GDPR as they come into force.
We are also registered as a Data Controller, under the Data Protection Act, with the Information Commissioners Office, for the purposes of Data Protection, and we are also a Data Processor on behalf of our clients.
This Privacy Notice explains what personal data we collect and how we store and use the data that we hold. The lawful basis for processing the data is to fulfil our contractual obligations with our clients and to respond to the enquiries of potential clients.
Who we are
Registered in England and Wales.
Registered Company Number: 07894749
Registered Address: Kemp House, 160 City Road, London, EC1V 2NX
Telephone number: 0208 191 77381
Named contact: Kevin Ashbridge - Director
About the General Data Protection Regulation (GDPR)
This privacy notice is written in accordance with the General Data Protection Regulation.
The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016, and after a two-year transition period, became enforceable on 25 May 2019.
It gives individuals the right to:
- be informed about how we use their personal data;
- have access to the personal data that we hold;
- request that their personal data is amended if it is inaccurate or incomplete;
- request that their personal data be erased where there is no compelling reason for its continued use;
- object to their personal data being used for direct marketing purposes;
- request that the processing of their data be restricted;
- obtain and reuse their personal data for their own purposes across different services e.g. to move, copy or transfer their data from one IT environment to another in a safe and secure way;
- not be subject to automated decision-making or profiling;
- object to their personal data being processed.
We must comply with these rights and after someone gives their consent for us to use their personal data this consent may be withdrawn by them at any time.
What we collect
Primarily, we collect the contact details of the clients or people that we work with so that we are able to contact them as part of the legitimate relationship that we have with them. This includes the full names, job titles, telephone numbers, addresses or email addresses of our own suppliers, and the staff, customers, suppliers, partners, students, governors or other representatives of our clients when we need this data to fulfil our contractual duties.
We also collect or process:
- the name and contact details of individuals who complete the contact forms on our websites, or who telephone, email or write to us enquiring about our products or services;
- photographs of staff, students, customers, partner representatives or others which may have been used within a brochure, report, newsletter, social media, website or any other form of communication, including press releases, that we produce or manage when acting on a client’s behalf;
- details relating to the conduct of a staff member if we are asked to assist with a crisis communication which relates to that staff member. This may include their full name, job title, contact details and details of their personal circumstances;
- details relating to the injured party, or affected individuals, if we are asked to assist with a crisis communication which relates to the actions of our client. This may include their full name, job title, contact details and details of their personal circumstances;
- log-in details for the email accounts, websites or other portals or systems which our clients provide in order for us to access information that we need to fulfil our duties under the contract that we have with them. By default this may give us access to personal data which we may not necessarily need to access, use or process;
- details of the staff or students who are listed within our PolicyViewer platform and other online platforms which includes their full name and email address;
- the names, job titles and contact details of journalists and other media contacts.
What we don’t collect
Although our clients may give us access to their own IT systems, or electronic and hard copy files as part of them enabling us to fulfil our obligations under the contract, we do not remove or process personal data relating to staff, customers, parents, students, partners or others, with whom we have no relationship under the working relationship or agreement that we have with them, from these systems. We also do not store any hard copy or electronic copies of these records on our premises or within our own IT systems. We only process or use data that is directly related to the role that we are undertaking. All other information is considered to be confidential and out of the scope of our use.
What do we use the data for?
We use the data that we hold to:
- respond to people who have made an enquiry about our products or services;
- evaluate the suitability of prospective clients and our ability to provide a suitable product or service that best meets their needs;
- contact our own suppliers, partners or media contacts, and the staff, customers, suppliers or other stakeholders of our clients so that we can perform our duties under the contract;
- provide the PolicyViewer service, which uses the names and email addresses of staff or students in order for the system to notify staff or students of school policies;
- make people aware of our products or services if they have given us permission to do so;
- make people aware of our own offers and promotions if they have given us permission to do so;
- send newsletters or updates to people who have given us permission to do so;
- produce quotations, proposals and invoices, and to maintain a record of our financial transactions with clients as part of our accounting processes;
- gain an understanding of our website traffic and how and when people are using our websites. This includes, amongst other things; details of the device used to access the website, the rough location of the user, the actions they take on the website and the source of their visit e.g. via a particular search engine, 3rd party website or advertisement.
Who do we share this data with?
- If we are lawfully permitted to do so, and acting on a client’s behalf, we may pass on the contact details of individuals including their name, job title, address, telephone number, email address, and photographs of these individuals, or others, to journalists when we are submitting a press release.
- If we are lawfully permitted to do so, and acting on a client’s behalf, we may pass on the contact details of individuals including their name, job title, address, telephone number and email address to our own suppliers, but only if the supplier has an adequate Privacy Notice and security measures in place.
- Our hosting provider Krystal Hosting Ltd, hosts websites that we have produced. If your website is hosted with them then, by default, any information contained within it (either on the public pages or within password-protected areas) will reside on their servers. Please note that we use their UK data centre for our sites.
- The name and job title of the relevant ‘addressee’ staff member on our invoices will be, by default, shared with FreeAgent Central Limited, the provider of the accounting package that we use which is called ‘FreeAgent’. These do not include contact details such as email addresses and telephone numbers but they will include the organisation's name and address.
We may also, if lawfully requested or permitted to do so, share data with the UK government, HM Revenue and Customs, debt collection agencies, police forces or courts.
How do we protect your data?
- As much as possible we use our clients’ own systems for sending and receiving emails that may contain personal data. For example; by having our own email address at their business or school so that sensitive email exchanges occur within their own IT infrastructure.
- We ensure our anti-virus software is properly installed and kept up-to-date.
- Our computers and mobile phones are password protected and never left unlocked when unattended.
- We change all of our passwords regularly and do not use the same password for different systems.
- Log-ins and access details are stored within password protected areas to provide a second layer of protection.
- We do not send personal data via methods which are not encrypted.
- Information which we no longer need to fulfil our contractual obligations is deleted from our systems, even if we are still working with the client.
- Data that we hold will be deleted when the contract comes to an end, or when the client stops using our products or services.
- If we dispose of a computer then all data is removed prior to its disposal.
- Users have the option to accept Cookies when visiting our websites and our Cookies Policy is available to view which explains what Cookies are, which Cookies we use and how we use them.
- If we design and produce a website on a client’s behalf then we will ensure that the website is protected with SSL.
- If we design and produce a website on a client’s behalf, and arrange the hosting, then the website will be hosted with a company that has a European data centre, high security standards and a robust Privacy Notice and security measures in place.
With regards to the PolicyViewer platform:
- The site itself has SSL.
- The information we store is encrypted.
- The LDAP connection will use an SSL certificate generated by your Directory Server.
- When using an LDAP connection to your Directory Server, PolicyViewer stores only a user's GUID and not any other personal data. This makes the PolicyViewer platform itself more secure around individual data security. (Personal data is pulled only as required from your Directory Server in real-time, nothing is cached on PolicyViewer).
- The firewall is configured to allow only trusted applications (such as PolicyViewer) access via LDAP through ports 389 and 636 (Port 389 is enabled only during initial setup to ensure LDAP, to troubleshoot authentication issues).
- Data is stored in a secure EU data centre.
There are also other ways for you to enable access to Directory Server data but also keep it protected from the wider internet. These include:
- Creating a Read-Only Domain Controller in an Active Directory environment.
- Tunnelling LDAP requests via SSH or a VPN.
- Developing a specific web service to pass selected Directory Server data.
How long do we keep the data for?
The data is only kept for as long as we are providing products or services to the client. With the exception of information which is needed for accountancy purposes, or if an individual has opted-in to receive future communication, we will remove all personal data that we hold when the contract comes to an end, or when they opt-out or stop using our products or services. However, if someone has stopped using our products or services and we have not yet received full payment for the products or services that were used then we will need to retain their contact details until the full payment has been made.
If you are a supplier then we will hold your data until we no longer need, or want to use, your products or services, or until you ask us to erase the data that we hold.
As a UK based Ltd Company, we must keep financial records for 6 years from the end of the last company financial year they relate to. This means that we will have a record of the names, job titles and contact details of the people who appear on quotations, purchase orders, invoices and remittance notices for this period of time.
The rights of our clients as Data Controllers and our role as Data Processors
Our clients are Data Controllers and as part of fulfilling our duties, we may have to process data on their behalf as the Data Processor.
As a company we will:
- act in accordance with this Privacy Notice;
- act with transparency;
- provide complete confidentiality;
- act in accordance with your own Privacy Notice and abide by the rules, terms or conditions that you provide so that you are able to comply with your own data protection and confidentiality requirements;
- not use another Data Processor without your prior written consent;
- only process data in the way that is necessary for us to fulfil our obligations under the contract;
- contact you and the ICO immediately if there is a data breach, providing full details of how it happened, why it happened, the impact, and what we are doing to ensure that it cannot happen again.
As a client you:
- have the right to have access to the data that we hold;
- have the right to restrict the data that we hold and the access to that data;
- have the right to request an amendment to the data that we hold;
- have the right to object to the data being processed or how it is being processed;
- have the right to request that the data be erased;
- must not ask us to hold or process data in a way that is unlawful.
Transferring data outside of the EU
If we ever have the need to transfer data to a country outside of the EU then we will ensure that this complies with data protection law and that the company has adequate safeguards. However, this is only likely when you or the client requests such processing under the working relationship or contract that we have with you, and when we have a valid reason for doing so.
Our expectations of our suppliers
We expect our suppliers to:
- be committed to keeping personal data private and secure, and act in accordance with the General Data Protection Regulation (GDPR), Data Protection Act, the Privacy and Electronic Communications Regulations (PECR), and further ePrivacy directives resulting from the implementation of GDPR as they come into force;
- be registered as a Data Controller under the Data Protection Act with the Information Commissioners Office for the purposes of Data Protection if applicable;
- act with complete transparency with regards to data protection;
- act with complete confidentiality, never disclosing information about our clients to others who are not directly involved in the delivery of the products or services that you are providing to us.
Who to contact
If you have any enquiries or requests related to the data that we may hold about you then you can contact us in the following ways:
By telephone: 0208 191 7738
By email: email@example.com
By letter: Gwythan Ltd, Kemp House, 160 City Road, London, EC1V 2NX
If you request a copy of the data that we hold then we will provide this within 21 days of the request and we will ask that you verify your identity before we release the data.
Data Protection Officer
Our Data Protection Officer is the Company Director, Kevin Ashbridge: firstname.lastname@example.org
How to complain
In the first instance, please contact our Data Protection Officer who is listed above. You can also submit your complaint to the Information Commissioner by using the following contact details:
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF