Privacy Notice July 2019
Secret Recordings Limited
This notice explains what happens when we process your personal information. It covers when and why we collect personal information, how we use it and what we do with it.
All processing of personal data will be in line with the General Data Protection Regulation (GDPR) and in accordance with general UK legislation.
It is important for you to read this so that you are properly informed and also are aware of your rights under GDPR.
Personal data is any information by which an individual person can be identified. This includes a name, an identification number, address, email address, IP address, photo, date of birth, phone number and images captured by our CCTV cameras. This covers any factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
Processing includes collection, recording, organising, storage, adapting, retrieval, use, erasure or destruction.
We are committed to keeping your information securely and with respect.
For any information please contact Joanna Russell of Secret Recordings Limited, 3rd Floor, 23 Pilkington Avenue, Sutton Coldfield B72 1LA.
Email: firstname.lastname@example.org Phone: 0793 159 1256
For independent advice about data protection issues you can contact the Information Commissioner at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Email: email@example.com Phone: 0303 123 1113 Website: www.ico.org.uk
1. What information do we collect?
We only collect information when we need it to provide our services, to promote our services, to maintain our accounts and records and comply with UK law.
For general enquiries by phone, email or the contact form on our website:
We will have your name and email or telephone number, the nature of your query and our reply.
For Clients entering contracts for the provision of our Services we will have:
Your name, address, email and telephone number of your Business and the contact person we deal with.
Details of your Business Activities and whatever further information is necessary for the successful provision of our services.
Details of the Services provided.
Further information will also be obtained as necessary until the service is concluded and will be kept in our records.
We also process personal information about our suppliers, employees, complainants, independent contractors, advisers and other professional experts.
2. Who will we share your data with?
We sometimes need to share personal information with other organisations that we work with or who provide services on our behalf. When sharing information, we will comply with all aspects of current data protection law.
Your data may be shared with Third Party contractors or businesses who we engage to provide and assist with the provision of Services to our Clients.
Where necessary or required we share information with:
Business associates and other professional advisers.
Current, past or prospective employers and employees.
Suppliers and service providers.
We never share personal information with any other organisation for Third Party marketing purposes.
Third Parties will also have access to some of your information through your use of our website on a limited basis.
3. The Legal Basis for the Processing
The legal basis for processing shall be:
The processing is necessary for the performance of a contract to provide a service to which the individual is a party, or in order to take steps at the request of the individual prior to entering into a contract.
Processing is necessary to comply with our legal obligations.
Processing is necessary in order to protect the vital interests of the individual or another natural person.
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Processing is necessary for our legitimate interests or those of a third party, except where overridden by the interests of the individual.
The individual has given consent to the processing of their personal information for one or more specific purposes.
We may ask for written consent to receive marketing materials from us that we believe would be of interest to you. You can withdraw any such consent at any time by contacting us.
4. Sensitive Data
We do not normally process Sensitive Data.
This is personal data ‘revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a Natural Person, data concerning health or data concerning a natural Person’s sex life or sexual orientation’.
However, should it be necessary, we would require the written consent of the Individual involved, which can be withdrawn at any time.
5. Security of Processing
We are implementing technical and organisational measures to ensure personal information processed remains secure but absolute security cannot be guaranteed.
6. How long will we keep your data?
Personal data is retained only as long as necessary to comply with statutory retention periods. At the end of those periods the data will be securely deleted, provided it is no longer required to fulfil the contract or any legal proceedings.
7. Failure to provide data
Sometimes the provision of Personal Data by an individual is required by law or failure to provide can result in us being unable to provide the service agreed. If an individual should fail to supply such information, we shall not be liable for the consequences of being unable to complete any contract for services.
8. Automated Decision making and Profiling
We do not process personal data for automatic decision making or profiling.
We are committed to upholding your rights in respect of your personal data.
a. Right of Access
You have a right to ask us what personal information we hold about you and to request a free copy of your information. This is known as a Subject Access Request (SAR). SARs need to be in writing, and we ask it is accompanied by proof of your identity and address.
If you want specific information, e.g. for a particular time frame, please clarify this in your written confirmation of consent.
If someone is requesting information on your behalf, we shall need your written consent and evidence of ID for both of you.
We have to provide you with the information you request within 30 days, although we will endeavour to do so as soon as possible.
b. Right to Rectification
You can ask us to rectify your personal data if it is inaccurate or incomplete. Please assist us by informing us of any obvious changes such as changes of address.
c. Right to erasure
This is known as the ‘right to be forgotten’. In some circumstances you can ask for your data to be deleted or removed. However, we will need to consider each case on its circumstances and it may be that we are obliged to retain the data under our legal and other obligations.
d. Right to Withdraw Consent
Where consent forms the basis of processing you have the right to withdraw that consent at any time.
e. Right to data portability
You have the right to ask that we transfer or provide the data we hold on you in a portable form for transfer to another organisation or yourself.
f. Right to Restriction of Processing
You can ask us to restrict the processing of your data depending on the exact circumstances.
g. Right to object to Processing
You can object to the processing of your data in some circumstances.
No fee is initially payable if you exercise any of these rights. However, if we deem you to be unreasonable, such as by making repeated requests, then we have the right to make a charge.
In the first instance please send any complaints to Joanna Russell as above. If you are not satisfied with the response then you should contact the Information Commissioner at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Email : firstname.lastname@example.org Phone : 0303 123 1113 Website : www.ico.org.uk
You may not transfer any of your rights under this Privacy Notice to any other person. We may transfer our rights where we reasonably believe your rights will not be affected.
This Notice will be governed by the laws of England.
This Notice will be updated from time to time and a copy of the latest version will be on our website.
With regard to each of your visits to our websites we may automatically collect the following information:
technical information, including the Internet Protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); terms you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
Data Protection Policy
Secret Recordings Limited
This Policy was approved by the Board of Secret Recordings Limited (the organisation) on 30th July 2019. It will apply and be enforced from that date. The Owner of this policy will be the incumbent Data Protection Officer (DPO).
Personal Data is any information by which an individual person can be identified. This includes a name, an identification number, address, email address, IP address, photo, date of birth, phone number and images captured by our CCTV cameras. This covers any factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
Sensitive Data is personal data ‘revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a Natural Person, data concerning health or data concerning a natural Person’s sex life or sexual orientation’.
Data Subject is any identified or identifiable natural person whose personal data is processed.
Processing is any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer shall be the person appointed to oversee all activities pertaining to processing of personal data of EU subjects.
An organisation which controls processing activities involving Personal or Sensitive Data relating to European Union Data Subjects must comply with the General Data Protection Regulation 2016 (GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR). This Policy sets out the requirements.
This Policy is subject to all the laws, rules and regulations that this organisation is governed by. In the event this policy allows the exercise of discretion, such discretion must be exercised within the confines of the organisation’s statutory obligations and must not contravene any of its legal, accounting or other regulatory requirements.
3. Risk Appetite Statement
The Board’s risk appetite for a material breach of GDPR compliance is Low.
The Board has identified Personal Data breaches, failing to uphold Data Subjects’ rights and reputational damage as key data protection risks.
This policy covers all Processing activities and supporting Information Systems involving Personal or Sensitive Data where the organisation acts as the Controller. The Controller is the natural person or the body that determines the purposes and means of processing Personal Data. This includes personal or sensitive data in physical form, stored in a relevant filing system.
This policy covers all global geographic territories including Third Countries outside the European Union (EU).
This policy covers all Employees, Contractors, third parties, and others who process Personal or sensitive data on behalf of the organisation.
All Processing activities shall be:
a. Collected for specified, explicit and legitimate purposes only
b. Accurate and where necessary kept up to date
c. Retained only for as long as necessary
d. Processed lawfully, fairly and in a transparent manner
e. Processed securely, in an appropriate manner to maintain security
f. Adequate, relevant and limited to what is necessary
6. Data Protection Officer (DPO)
6.1 A Data Protection Officer (DPO) shall be appointed and report directly to the Board.
6.2 The DPO shall support the organisation in upholding the rights of Data Subjects as it relates to the organisation’s processing activities.
6.3 The DPO shall respond to enquiries from Data Subjects promptly.
6.4 The DPO shall establish and maintain a programme to monitor compliance with this policy.
6.5 The DPO shall establish and maintain a General Data Protection training and awareness programme.
6.6 The DPO shall support compliance with this policy by providing support and advice as it relates to complying with the requirements of this policy.
6.7 The DPO shall be provided timely and appropriate access to information and information systems as it relates to the discharge of their duties.
6.8 Details of the DPO and their contact details shall be made publicly available.
6.9 The DPO shall maintain the following registers:
a. Register of Processing Activities
b. Register of Data Processing Impact Assessments
c. Register for Data Subject Enquiries
6.10 The DPO shall report personal data breaches to the Information Commissioner’s Office (ICO) no later than 72 hours after the breach has been detected. If the breach is likely to result in a high risk to the Data Subject’s rights and freedoms, the DPO must inform the Data Subject of the breach within a reasonable time frame.
7. Lawfulness of Processing
The DPO shall ensure processing is lawful and document the lawful grounds for processing.
Where processing involves data of children, parental consent must be provided and documented.
Apart from storage, processing shall cease immediately where there are no longer lawful grounds for processing.
Data Subjects shall be informed of processing activities and provided statutory information at the time data is collected.
If data is collected from a source other than the Data Subject, they shall be informed of processing activities and provided statutory information as soon as practicable, but within no more than 10 working days.
The DPO shall review the published Data Protection Policy and Privacy Notice quarterly for any inaccuracies relating to their processes.
9. Data Protection
Information Systems and processes shall be designed to comply with the requirements of this policy.
Process and System owners shall implement appropriate technical and organisational measures to ensure that data protection is incorporated into processes and systems by design and default.
Processing activities and information systems shall be designed to ensure the minimum personal data is stored and for the minimum period necessary.
All Information Systems shall undergo a Data Protection Impact Assessment (DPIA).
10. Security of Processing
The DPO shall be accountable for ensuring systems meet the minimum required standards for security.
Personal Data Breaches shall be reported to the DPO as soon as possible but no later than 24 hours after detection.
11. Accuracy of Processing
The DPO shall ensure data remains accurate and where inaccurate corrected as soon as possible but no later than 5 working days from when the error is reported and verified.
With the exception of data held under statutory exemptions, personal data shall not be retained any longer than necessary.
13. Data Subject Access
The DPO shall ensure those processing data understand how to identify a Data Subject Access Request (SAR).
SARs shall be recorded in a register owned by the DPO.
SARs shall be completed as soon as possible, but no more than 30 calendar days from request.
SARs shall not incur a charge.
SARs shall be processed electronically if this is requested by the Data Subject.
Reasonable steps shall be taken to verify the identity of the Data Subject prior to providing access to their Personal Data.
System owners shall ensure appropriate resource is made available to support SARs.
Reasonable steps shall be made to seek the permission of Third Parties prior to including their information within an access request. Where permission is not provided the DPO shall be consulted to determine whether data should be provided or redacted.
Requested information shall be communicated to the Data Subject securely.
14. Third Party Processing
Processing activities shall not be outsourced to a Third Party without a binding written contract that sets out the subject matter and duration of the processing, the type of personal data and categories of data subjects, and the obligations and rights of this organisation.
The DPO, when engaging Third Party Processors, shall ensure continuing compliance with this policy and maintain accurate records of relevant meetings and compliance visits.
15. Roles and Responsibilities
The Board has overall responsibility for this policy.
Senior management shall ensure appropriate resources are made available to support the implementation of this policy throughout the organisation.
All those in scope of this policy are responsible for adhering to the requirements of this policy.
The DPO is responsible for monitoring compliance with this policy and shall report to the Board on compliance.
The DPO shall be the contact point for all matters relating to the ICO.