A new EU regulation will soon come into effect that impacts how all organisations collect, hold and process people’s personal data. The EU General Data Protection Regulation (GDPR) is a significant piece of European legislation which will come into force on 25 May 2018. It builds on existing data protection laws, strengthening the rights that EU individuals have over their personal data, and creating a single data protection approach across Europe.
As we approach May 2018, Ashdown Solutions is focused on its GDPR compliance responsibilities. During our implementation period, we are evaluating new requirements and restrictions imposed by GDPR and will take any action necessary to ensure that we handle all data in compliance with the applicable law.
Ashdown Solutions is committed to meeting any contractual obligations for procedures, products and services and is approaching GDPR compliance on three main fronts:
- To ensure our own compliance as a company that holds and processes people’s personal data.
- To ensure our partners and suppliers adhere to the highest standards of compliance and GDPR regulation.
- To ensure that our service solutions all support our customers’ GDPR compliance efforts.
Ashdown Solutions Limited (“We” or “ASL”) are committed to protecting and respecting your privacy.
This privacy statement (together with our terms and conditions and any other policies referred to in it) explains what information we gather about you, how we use that information, the lawful basis on which that information is used and who we give that information to. It also sets out your rights and our obligations in relation to your information and who you can contact for more information or queries.
Who this privacy statement applies to and what it covers
This privacy statement sets out how we will collect, handle, store and protect information about you when providing services to you or our clients, or performing any other activities that form part of the operation of our business.
This privacy statement also contains information about when we share your personal information with other members of our group and other third parties (for example, third parties carrying out due diligence activities on our behalf).
In this privacy statement, your information is sometimes called “personal data” or “personal information”. We may also sometimes collectively refer to handling, collecting, protecting and storing your personal information as “processing” such personal information.
We understand the importance of protecting children’s privacy. Our website is not designed for, or intentionally targeted at, children. It is not our policy to intentionally collect or store information about children.
What information we collect
We may collect and process personal data about you because you give it to us, because other people give that data to us (for example, third party service providers that we use to help operate our business) or because it is publicly available.
The personal data that we collect or obtain may include: your name; age; date of birth; gender; e-mail address; home address; country of residence; lifestyle and social circumstances (for example, your pastimes); employment and education details (for example, the organisation you work for, your job title and your education details); your IP address; your browser type and language; your access times; complaint details; details of how you use our products and services; details of how you like to interact with us and other similar information.
We may collect and process personal data about you that you give to us, as follows:
- If you provide information to us by filling in forms on our website. This may include information provided at the time of registering, subscribing to any of our services, posting material, sending messages and posting in ConnectWise Manage, giving reviews, making or receiving payments through your ASL User Account or requesting further services.
- Details of transactions and projects you carry out via our website.
- We may ask you for information when you report an issue or concern or we have or receive a complaint or query about you (whether or not a formal dispute is raised).
- We may keep a record of correspondence between you and us.
- We may ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details of the messages you send and receive using ConnectWise Manage including, without limitation, when you sent or received a message and the contents of that message. Messages are not private and are not confidential.
We may collect and process personal data about you from other sources as follows:
- We sometimes supplement the information that you provide with information received from third parties. For instance, credit reference agencies, search information providers, PayPal, other companies (subject to their privacy policies and applicable law), and from other accounts we have reason to believe you control (whether in part or in whole).
- Where we are provided with personal data about you by any third party such as a service provider, we take steps to ensure that that third party has complied with the privacy laws and regulations relevant to that information; this may include, for example, that the third party has provided you with notice of the collection (and other matters) and has obtained any necessary consent (if applicable) for us to process that information as described in this privacy statement.
We collect personal data about our prospective, current and former employees (including contingent workers, providers and interns) as follows: basic identification information, such as your name, title, position, professional history, experience, and contract details.
For current employees, we usually collect in addition to the above:
- Detailed identification information including passport numbers, right to work documentation, private email and/or postal address and country of residence.
- Electronic identification data (e.g. email address, login information, badge number, online identifiers/cookies, log files, connection time).
- Education and employment information (e.g. remuneration, bonuses, insurance and other benefits information, employment dates, position information such as title, attendance information including, where relevant, illness or leaves of absence for medical or other reasons, language skills and education details, pensions information including entitlements, and recruitment information including job applications, CVs, job history and references).
- Financial information (e.g. bank account details, and tax-related information).
- National insurance number
- In some cases, the personal data we collect may also include so called ‘sensitive’ or ‘special categories’ of personal data, such as details about your: dietary requirements, health (for example, so that we can make reasonable accommodations for you in our buildings, products and services) and sexual orientation (for example if you provide us with details of your spouse or partner).
- The types of personal data and special categories of personal data that we collect may vary depending on the nature of the services that we provide to you. In some rare circumstances, we might also gather other special categories of personal data about you because you volunteer that data to us or we are required to gather that data as a result of legal requirements imposed on us.
Use of personal data
We will use your personal data to fulfil your requests and we will ask only for data that is adequate, relevant and not excessive for those purposes. Where we send you information for any purpose, it may be sent by e-mail or post. When we ask you for personal data, it may be for the following purposes:
- We may contact you occasionally to inform you of new products and services we will be providing;
- We may send you regular updates on issues we think will be of interest to you;
- We may send you requested information on our products and services;
- We may use your personal data for marketing purposes and market research;
- We may use your personal data internally to provide you with the services offered by us via this website, to administer the services we provide and to help us improve our services.
- We may use your personal data for managing and making information available to third party service providers (e.g. providers of due diligence services or in order to support our information technology) and our affiliates.
- We may use your personal data to allow you to participate in interactive features of our service when you choose to do so;
- We may use your personal data to notify you about changes to our services, terms and conditions, policies or website.
- We may use your personal data to manage risk, or to investigate, detect, prevent, and/or remediate fraud, suspected fraud or other potentially illegal or prohibited activities.
- We may use your personal data pursuant to applicable legal or regulatory requirements or to respond to requests and communications from competent authorities (including courts and tribunals).
- We may use your personal data for the services we receive from our professional advisors, such as lawyers, accountants and consultants.
- We may use your personal data for protecting our rights, those of our clients, or protecting those of our affiliates.
None of the information that we request from you is mandatory. However, where such information is not provided to us, ASL may be unable to identify, protect, or return your money or assets.
The legal grounds we use for processing personal information
We are not allowed to process personal information if we do not have a valid legal ground. Therefore, we will only process your personal information for the purposes outlined above because:
- of our legitimate interests in the performance of activities that form part of the operation of our business;
- of our legitimate interests in the effective and lawful operation of our business so long as such interests are not outweighed by your interests or fundamental rights and freedoms;
- of the legal and regulatory obligations that we are subject to, such as keeping records for tax purposes or providing information to a public body or law enforcement agency; or
- the information is required in order to carry out the activities that form part of the operation of our business (e.g. the processing is necessary to perform our contractual obligations towards you).
Examples of the ‘legitimate interests’ referred to above are:
- to benefit from cost-effective services (e.g. we may opt to use certain IT platforms offered by suppliers);
- to verify the accuracy of information provided by a third party;
- to prevent fraud or criminal activity;
- to safeguard the security of our IT systems, architecture and networks, and of our physical premises; and
- to exercise our rights under Articles 16 and 17 of the Charter of Fundamental Rights, including our freedom to conduct a business and right to property.
To the extent that we process any sensitive personal data relating to you for any of the purposes outlined above, we will do so because either: (i) we are required by law to process that data in order to ensure we meet our ‘know your client’ and ‘anti money laundering’ obligations (or other legal obligations imposed on us); (ii) the processing is necessary to carry out our obligations under employment, social security or social protection law; (iii) the processing is necessary for the establishment, exercise or defence of legal claims; or (iv) you have made the data manifestly public.
Anonymous data collected through this website
In addition to the information we collect as described above, we use technology to collect anonymous information about the use of our website. For example, our web server automatically logs which pages of our website our visitors view, their IP addresses and which web browsers our visitors use. This technology does not identify you personally – it simply enables us to compile statistics about our visitors and their use of our website.
Our website contains hyperlinks to other pages on our website. We may use technology to track how often these links are used and which pages on our website our visitors choose to view. Again, this technology does not identify you personally – it simply enables us to compile statistics about the use of these hyperlinks.
Links to other websites
In order to collect the anonymous data described in the preceding paragraph, we may use temporary “cookies” that remain in the cookies file of your browser until the browser is closed. Cookies by themselves cannot be used to discover the identity of the user. A cookie is a small piece of information which is sent to your browser and stored on your computer’s hard drive. Cookies do not damage your computer. You can set your browser to notify you when you receive a cookie. This enables you to decide if you want to accept it or not.
We also use your IP address to help diagnose problems with our server and to administer our website. An IP address is a numeric code that identifies your computer on a network, or in this case, the internet. Your IP address is also used to gather broad demographic information. We may also perform IP lookups to determine which domain you are coming from (e.g. aol.com, yourcompany.com) to more accurately gauge our users’ demographics.
Disclosure of your personal data
In connection with one or more of the purposes outlined in the “Use of personal data” section above, we may disclose details about you to: our affiliates; third parties that provide services to us and/or our affiliates, such as our lawyers; competent authorities (including courts and supervisory or other authorities); your advisers or where applicable, your employer; credit reference agencies or other organisations that help us make decisions and reduce the incidence of fraud; and other third parties that reasonably require access to personal data relating to you for one or more of the purposes outlined in the “Use of personal data” section above.
Where you have chosen to connect your ASL account to your Facebook or LinkedIn account we may share, disclose, and transfer personal data to Facebook or LinkedIn, as applicable. This permission will be requested when you connect your accounts. If you have given this permission you may then disable this function at any time by changing your Facebook, LinkedIn or ASL account settings (as applicable).
Where appropriate, before disclosing personal data to a third party, we contractually require the third party to take adequate precautions to protect that data and to comply with applicable law.
Where you have consented, we may also share your personal data with other companies within our group of companies who may contact you about their products or services that may interest you.
Please note that some of the recipients of your personal data referenced above may be based in countries outside of the European Union whose laws may not provide the same level of data protection. Those countries currently include Greece, India and the United States of America. In such cases, we will ensure that there are adequate safeguards in place to protect your personal data that comply with our legal obligations. To ensure this level of protection for your personal information, we typically use a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission. A copy of these clauses is available by requesting our Supplier Data Protection Addendum from email@example.com.
Protection of your personal data
All ASL personnel accessing personal information must comply with the internal rules and processes in relation to the processing of personal data to protect them and ensure the confidentiality of such information.
We have also implemented adequate technical and organisational measures to protect personal data against unauthorised, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other unlawful forms of processing. These security measures have been implemented taking into account the state of the art of the technology, their cost of implementation, the risks presented by the processing and the nature of the personal information, with particular care for sensitive information.
Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to us or by us.
How long we keep your information for
We will hold your personal data on our systems for the longest of the following periods: (i) as long as is necessary for the relevant activity (which is typically 7 years); (ii) any retention period that is required by law or regulation; or (iii) the end of the period in which litigation or investigations might arise in respect of our activities.
You have various rights in relation to your personal data. In particular, you have a right to:
- request a copy of personal data we hold about you
- ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete
- ask that we delete personal data that we hold about you, or restrict the way in which we use such personal data
- object to our processing of your personal data
- ask that we restrict our processing of your personal data; and
- ask for the portability of personal data – receive the Personal Data you have provided to us in a structured, commonly used and machine-readable form and transmit it to another data controller.
To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact us at firstname.lastname@example.org.
Right to complain
If you are unhappy with the way we handled your personal information or any privacy query or request you have raised with us, you also have a right to complain to a data protection authority in the place where you live or work, or in the place where you think an issue in relation to your data has arisen. A list of national data protection authorities can be found here.
We may, from time to time, e-mail or post you information to make you aware of our other similar products and services which may be of interest to you. If you do not wish to receive emails or post from us for these purposes, or if you want to be removed from our electronic mailing list, you can either select “unsubscribe” from any of the marketing emails that we send or alternatively contact us.
If you have any questions, comments or requests regarding this privacy statement, contact us.
Data Protection Officer
Our DPO can be contacted via our main office telephone number 01342 363000 or by email at email@example.com.
Data Loss / Incident Reporting
As at 18th May 2018 we have not suffered a data loss or breach that would require reporting to the ICO.
Changes to our privacy statement
We may modify or amend this privacy statement from time to time.
To let you know when we make changes to this privacy statement, we will amend the revision date at the end of this page. The new modified or amended privacy statement will apply from that revision date. Therefore, we encourage you to periodically review this statement to be informed about how we are protecting your information.
Our policy was last updated on 22nd May 2018