Thank you for visiting Now Design (the Site). This Notice set outs the basis on which any personal data provided to me by you, or received by me from third parties, will be used by me.
I am the data controller of personal data provided to me and am registered as a data controller with the ICO under registration number ZA355805. If you have any questions in relation to this notice, or in relation to our handling of personal data, you can contact me at email@example.com.
Full details are set out in the relevant sections of this Notice below, but in summary:
- I generally receive personal data relating to you directly from you. For example, I will receive that data if you contact me through the Site or otherwise, or if I do business with you;
- personal data may occasionally be provided to me by third parties with whom each of you and I have a relationship. For example, if I do business with your employer then they might provide me with your contact details, or if you are recommended to me (or vice versa) by a third party then they might pass on your details;
- I use your data to improve my Site, conduct my business, keep appropriate records and meet my legal obligations;
- I only provide your personal data to third parties for my business purposes or as permitted by law. I don’t share your data with third party advertisers;
- I store data for specified periods for my business purposes;
- you have certain rights, prescribed by law, in relation to the processing of your data, such as rights to request access, rectification or deletion of your personal data;
- you can contact me to enquire about any of the contents of this Notice.
1. My use of personal data
1.1 In this section I have set out:
(a) the general categories of personal data that I may process;
(b) in the case of personal data that I did not obtain directly from you, the source and specific categories of that data;
(c) the purposes for which I may process personal data; and
(d) the legal bases of the processing. When I refer to a “legal basis”, I mean a lawful basis set out in Article 6 of the General Data Protection Regulation (GDPR) under which we conduct the relevant processing.
Personal data I obtain from you
1.2 I may process data about your use of the Site (usage data). This may include your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data is obtained through Google Analytics and will be aggregated and anonymised in such a way that it contains no information pertaining to any identifiable individual at all – as such it is not actually personal data but I address it in this Notice for completeness’s sake. I process usage data for the purpose of improving my Site.
1.3 I may process personal data contained in or relating to any communication that you send to me, whether through the Site, by email, through social media, or otherwise. All of this together is correspondence data. This may include the communication content and metadata associated with the communication, as well as any contact details you provide to me such as your name, email address, phone number, job title, address or social media username. I process correspondence data for the purposes of communicating with you and record-keeping. If you are a customer of mine, or have indicated your interest in my products, services or business, then I may also process correspondence data for the purposes of addressing your enquiry and providing you with occasional news about my products and services.
1.4 If I do business with you or your employer, I may process information relating to transactions, such as bank account details, contact details or transaction data in relation to our business relationship or payments made by me to you or by you to me (business data). This may include your contact details, any bank account or sort code information provided for the purposes of making payment, transaction details (such as POs or invoices) and the contents of related correspondence and documents. The business data may be processed for the purpose of supplying or receiving the relevant products or services and keeping proper records of those transactions, for making and receiving payments, and for managing my business relationship with you.
Personal data I obtain from others
1.5 Your personal data may be provided to me by someone other than you: for example, by your employer, by an organisation with whom you and I are both dealing or by someone who wishes to refer you to me or vice versa. Normally this data will be correspondence data or business data as described above and will be processed by me for the purposes described above.
My legal basis of processing
1.6 I will process personal data only on lawful bases. In particular, I will process personal data on the following lawful bases identified in Article 6 GDPR:
(a) for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR);
(b) for our legitimate interests (Article 6(1)(f) GDPR). This may be my basis for processing:
- correspondence and business data (as I have an interest in properly administering my business and communications, in developing my business with interested parties, making and receiving payments promptly and in recovering debts);
- any personal data identified in this Notice where necessary in connection with legal claims (as I have an interest in the protection and assertion of my and your legal rights and the legal rights of others); and
- any personal data identified in this Notice in connection with backups of any element of my IT systems or databases containing that personal data (as I have an interest in ensuring the resilience of my IT systems and the integrity and recoverability of my data).
1.7 I may also process your personal data set out above where necessary for compliance with law (Article 6(c) GDPR).
2. Providing your personal data to others
2.1 I may disclose your personal data to my insurers and/or professional advisers as necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
2.2 I may disclose personal data to my suppliers or subcontractors in connection with the uses described above. For example, I may disclose:
(a) any personal data in my possession to suppliers which host the servers on which my data is stored;
(b) transaction information and billing contact details to my accountants; and
(c) transaction information and other relevant personal data to third parties for the purposes of fraud protection, credit risk reduction and debt recovery.
2.3 I do not allow my third-party service providers to use your personal data for their own purposes. They process your personal data for specified purposes and in accordance with my instructions and applicable law.
2.4 I may also disclose your personal data where necessary for compliance with law.
2.5 If any part of my business is sold or transferred to, or integrated with, another organisation (or if I enter into negotiations for those purposes), your personal data may be disclosed to that organisation.
3. International transfers of your personal data
3.1 In this section, I provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).
3.2 Some of the third parties to whom I may transfer your personal data, discussed above, may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. If so, then I will ensure that transfers will only be made to countries in respect of which the European Commission has made an “adequacy decision”, or otherwise will only be made with appropriate safeguards, such as the use of standard data protection clauses adopted or approved by the European Commission. You may contact me if you would like further information about these safeguards.
3.3 I may also transfer personal data outside the EEA from time to time:
(a) with your consent or where required by your instructions (for example, if I am corresponding with you and you are outside the EEA); or
(b) if I take our mobile devices with me when travelling overseas to ensure continuity of service.
4. Data security
4.1 I have put in place appropriate security measures to prevent your personal data from being lost, used, accessed, altered or disclosed by accident or without authorisation. In addition, I limit access to your personal data to those of our officers, employees and freelancers who have a business need to know and who will only process your personal data on our instructions.
4.2 I have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where I am legally required to do so.
5. Retaining and deleting personal data
5.1 Personal data that I process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
5.2 I will retain and delete your personal data as follows:
(a) usage data (which is anonymised, and therefore not personal data) may be retained by me indefinitely;
(b) correspondence data will be retained for the period of the enquiry or chain of correspondence and then deleted after twelve months;
(c) business data will be retained for six years after the end of the relevant business relationship.
5.3 I may retain your personal data where necessary for compliance with a legal obligation to which we are subject, or in order to protect your or another individual’s vital interests.
I may update this Notice from time to time by publishing a new version on the Site. You should check occasionally to ensure you are happy with any changes to this Notice, although I will notify you of material changes to this Notice using the contact details you have given me.
7. Your rights
7.1 I have summarized below the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. You can read guidance from the Information Commissioner’s Office at www.ico.gov.uk for a fuller explanation of your rights.
7.2 Some of your principal rights under data protection law are:
- the right to access: you have the right to confirmation as to whether or not I process your personal data and, where I do, to access to the personal data, together with additional information including details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, I will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee;
- the right to rectification: you have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed;
- the right to erasure: in some circumstances you have the right to the erasure of your personal data. These might include if the personal data are no longer needed for the purposes for which they were processed or if the processing is for direct marketing purposes. However, there are some exclusions of the right to erasure, such as where processing is necessary for compliance with a legal obligation or in connection with legal claims;
- the right to object to processing: you have the right to object to our processing of your personal data on the basis of the legitimate interests pursued by me or by a third party. If you make such an objection, I will stop processing the personal information unless I can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing is for legal claims. You also have the right to object to my processing of your personal data for direct marketing purposes and if you do so I will stop processing your personal data for that purpose; and
- the right to complain to a supervisory authority: if you consider that my processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
8. About cookies
8.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
8.2 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
8.3 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
8.5 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via the support pages made available by your browser operator.
9. Our details
You can contact us:
(a) using the contact form on the Site;
(b) by telephone at 01773 713700; or
(c) by email at firstname.lastname@example.org.
- Third Parties and Security
10.1 The Site contains links to third party websites and refers to third party service providers and other entities. If you follow a link to any third party website or deal with any third party entity referred to on the Site, then you should note that these third parties may have their own privacy and cookie policies, and that we are not responsible for their use of any personal data which you may provide to them. You should ensure that you have read and understood any relevant policies.
10.2 Although I do my best to ensure the security of personal data provided to us (and to use only reputable service providers), any transmission of data via the Internet is by its nature insecure and I cannot guarantee the security of any personal data you provide to me.
Last updated: 03/05/2018.