Privacy Policy

Data Protection Consulting Limited Privacy Notice

Data Protection Consulting Limited is a UK-based company.  You can contact our business and our Data Protection Specialist at 28, Hawthorne Avenue, Willerby, Hull, HU10 6JQ and at enquiries@dp-smart.co.uk.

We provide data protection consulting services to other businesses and our activities include communication with clients’ human representatives to facilitate the provision of services and relationship management.  This is processing necessary to fulfil a contract with the client and it is in our legitimate business interests to build a relationship with client representatives.   For this purpose we have records of representatives’ name and work contact details, job title, and employer’s name; basically the information that might be provided on a business card.  In fact, client representatives themselves are the most likely source of this information although we might receive information about colleagues from “out of office” email responses.

Our business records are processed in the UK and we rely on EU approved Standard Contractual Clauses and consent of corporate representative contacts located outside the UK to the data transfer to us.

Most of this information is in Microsoft Exchange and we routinely hold emails for 12 months minimum, so we might have records going back a maximum of 18 months.  Where client representatives are named in documents, we retain these for the duration of the contract with the client and for six years thereafter.  Information held in invoices (contact name and work email address) is retained for seven years for tax purposes in a hosted accounting system, Xero.

Where Xero transfers personal data outside of the EEA, it only transfers to countries that have been identified as providing adequate protection or by entering into agreements using the EU Standard Contractual Clauses.  See Xero’s privacy notice here: https://www.xero.com/uk/about/terms/privacy/

Information in our accounting records will be shared with HMRC, the courts and our accountants as necessary to meet our legal obligations.

Use of personal data for marketing

We undertake some limited marketing activity.  We may take a stand at an exhibition or conference to promote our products and services and to obtain consent to receive our newsletter.  Our newsletters are mainly editorial with information about how we might be able to help clients with data protection compliance. Marketing is in our legitimate business interests to promote and sell our products and services.  We have records of the client or prospect name, the individual’s job title, name and work contact details.  We use a third party, iContact, to store email addresses and send out our newsletters.  iContact maintains data that is provided by us called “Customer Message Recipient Data” including name and email address which may also reveal the company where client representatives work.  We use this information to send out our newsletter and we use the statistics generated by the opening and reading of messages to check out which articles are most read and, by inference, most useful.  iContact holds data in the US and relies on the EU Standard Contractual Clauses for international transfers.  Their privacy policy can be accessed here: https://www.icontact.com/legal/privacy

We hold some of this information in Microsoft Exchange and we routinely hold emails for 12 months minimum, so we might have records going back a maximum of 18 months.   If we receive a request to unsubscribe from our newsletter we action that request before the next mailing. We keep an unsubscribe list so that we don’t accidentally add people back onto the mailing list in the future. Rejected newsletters may be followed up with an email from us and the email address is unsubscribed after three bounces.

Our online training data capture

Users of our online training are required to create an account by registering, creating a log-in and supplying some basic details.  This information is required to provide access to the training and provide a record to evidence that the training has been completed.  The processing is necessary to fulfil a contract with the trainee or his or her employer and it is with the knowledge and consent of the data subject as they sign up to their own accounts.  Where the contract is with the employer, it is in our legitimate business interests to hold the record and share it with the employer on request to evidence fulfilment of the contract.

The online training record consists of the following details of trainees: full name, email address, business geographic address, login details, date of registration, progress showing completed elements of the course and dates, whether the course was “passed” and the overall grade.  This information is held for a period of 24 months and then it is deleted.

The training records are held in the UK and where the trainee is located outside the UK, we rely on consent of the trainee to the data transfer.

Acting as a data processor

When providing advice and consulting services to clients, we are a data controller.  Occasionally we may be asked to act on client instructions as a data processor to assist in responding to a subject access request they have received.

Website

Our website is an advertisement for our products and services.  We use the data that you provide for marketing purposes to promote and sell our products.  Some of the data we collect is derived from information about your activities on our website provided to us by Google Analytics as described below.

Google services

The insights provided by Google Analytics help us to better understand who our users are and to understand the factors that influence whether a user will make a purchase or not.

The kind of information that Google provides to us includes:

  • traffic source data or information about where website users originate whether it is organic traffic, paid search traffic, or display traffic.
  • content data or information about your behaviour on our website including the URLs of pages that you look at, and how you interact with page content.

Due to the nature of the Google Analytics service, the information we are provided by Google is also used by that company to inform its services to us and other business users.

We do not share our marketing data except as described with Google and that is restricted to data derived from your use of our website.  This data is transferred by Google to the US and they have Standard Contractual Clauses in place to protect transferred data.

All of our marketing activity, including Google services, is undertaken in our legitimate business interests in promoting and selling our products.

Your data protection rights

You have the right to ask for a copy of the personal data we hold that relates to you.  If you think that information about you which we hold is incorrect or misleading you have the right to have the information corrected provided you can demonstrate that it is incorrect.  You can also request the erasure of personal data relating to you in certain circumstances, where we do not require it to meet a legal obligation.  You can also request restriction of processing so that your records are maintained beyond our usual retention period.  You have the right to object to processing on the grounds that it causes you damage or distress and the right to take away a copy of your personal data in electronic format in certain circumstances.

If you are unhappy about the way we use your personal data or the way in which we respond to your request to exercise your data protection rights, you can contact the Data Protection Specialist at 28, Hawthorne Avenue, Willerby, Hull, HU10 6JQ but you also have the right to lodge a complaint with a supervisory authority, the Information Commissioner at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.