The GDPR has been introduced across Europe to offer greater protection for consumers and it is a detailed enhancement to the previous Data Protection Act 1988 which has become widely ineffective, with companies across Europe frequently breaching the spirit of the Act and the Personal Information it was designed to protect.
GDPR focuses on improving an individual’s rights of privacy. Our new policy helps you to identify key points about the Personal Information we collect from you, why and how it is collected and where it is stored securely.
We have always taken this seriously as a front end web development company and have introduced best practices to all of the clients we work for; so we view GDPR as an important improvement that will sharpen up slack processes across the data landscape. The relationship we have with Personal Information is only within a business to business framework. We do not ordinarily collect any Personal Information from consumers.
What is Personal Information?
Personal Information is any information that in any way describes your personal circumstances e.g. your name, your address, your mobile or home phone numbers and so forth. It may also include any employment information or personal attributes such as your sex, cultural or social identity.
However, in relation to the context in which we use Personal Information, we generally only collect and store data from businesses or their direct members of staff and such Personal Information may include:
- Title, name, contact details, work address – data that helps us identify the business client relationship.
- Employment data that relates directly to our staff e.g. PAYE data, employment contracts, employment history, educational qualifications, previous employment details.
- Bank Account details of our clients, accounts & invoice data, VAT tax data, company credit references.
- Email addresses that may be subscribed to an email marketing campaign list.
- Personal Information used to access certain online services for which we have your permission to use e.g. an Internet Domain Name Registry or a Merchant Account facility.
Why do we need to deal with your Personal Information?
When you initially interact with Dezines Internet Solutions Limited in relation to any of the commercial services we offer – we will request a business card in the first instance and offer a potential client one of ours. We may take other information in the course of our respective commercial discussions. Equally if it is in relation to employment within our company – we will request more detailed information from an individual and that might for example include copies of training certificates or degrees issued by a university and so forth. We believe such Personal Information would be essential in order to enter a contract whether that be as a client of Dezines Internet Solutions or as an employee or Director.
In order to perform the contractual agreement – we would have a right to use your Personal Information. At the end of any contract period, we would retain the right to use your Personal Information, providing it is in our legitimate business interest to do so and of course that your rights are not affected in any way. The reason why we might need to use your Personal Information in this way is to make contact with you in relation to the service provision, or to secure specific content for a project, to set up an online Merchant Account facility that links to an ecommerce website we are developing, or to seek your feedback.
We might also capture your Personal Information electronically through our website’s main Contact Form. Our webforms are protected by 256 bit TLS encryption – providing excellent digital protection to any Personal Information sent to us via our website. This would be Personal Information you choose to send us.
We might also need to use your Personal Information in order to comply with the Law e.g. a Court Order has been issued to allow the Police to examine emails or online trading activity.
What are the Legal Grounds for processing your Personal Information?
We use the following legal bases under European Data Protection rules for processing your Personal Information:
1. The performance of, or entry into, a contract. The Personal Information that we are required to collect in order to comply with our professional obligations which must be provided to us, so we can perform the contract. Clearly we would not be able to act for you without such Personal Information.
2. Compliance with a legal obligation to which we are subject e.g. a Court Order.
3. We have a legitimate interest in doing so as a full service design and ecommerce development company. Such a legitimate interest will include managing the commercial relationship with our clients, building digital infrastructure associated with web development projects, capturing digital photographic or video content that might include people, administering visits to our offices and ensuring that proper standards, project management practices and procedures are met.
4. We do not ordinarily handle or use ‘Special Category’ Personal Information in the normal context of what we do. However, where there is a commercial need to do so, and we have your express permission, we would take the appropriate responsibility to be compliant, but accept that such consent may be withdrawn at any time.
How do we collect Your Personal Data?
In most cases your Personal Information will be given to us by you, although we might collect and record your Personal Information from a variety of sources e.g. by taking your business card on display at a tradeshow or being given a business card as a result of talking with you at an event. However, it is often the case that you will give us your Personal Information at initial project meetings or exploratory discussions to determine our suitability as a professional partner for your business. You might provide your Personal Information to us verbally, in writing (including via electronic webforms) or by email.
Additionally, there may be certain occasions where your Personal Information is given to us by your employer in connection with our and their legitimate interest to conduct business. We may also secure your Personal Information from verified and trusted sources where we have paid subscription services and have a legitimate interest to connect with you e.g. you have visited our website from your commercial premises and our technology determines your business's identity, and we can select your Personal Information from a list of employees or Directors at that business. Our commercial partner that offers this type of facility to us as an approved Platinum Partner is Lead Forensics – a business intelligence platform. We may also use online credit check/score platforms to assist us in identifying business credentials or identifying the owners or Directors. We will only process such information where you have expressed your consent or we have consent from our commercial processing partners who are compliant with the GDPR.
What systems do we use?
We are an official Adobe UK Partner. Our commercial relationship with Adobe affords us access to their global and highly secure server infrastructure – datacenters on which we position all our website and ecommerce developments. The European Datacenter is positioned in Dublin, Republic of Ireland, is compliant with European rules and is part of the Amazon Web Services (AWS) framework. It is a secure facility and only engineers with a legitimate need to be on site are granted access. Adobe's server engineers around the world have significant expertise in preventing, detecting and effectively combating Distributed Denial of Service (DDoS) attacks from organized criminals or rogue states. To date none of our website developments have ever been hacked, and in part this is because we trust the partnership we have with Adobe, and the fact we always set strong password and security protocols for our clients.
Our PaaS website technology is Level 1 PCI DSS 2.0 Compliant (PCI DSS = Payment Card Industry Data Security Standard). As such our technology does not store full details of credit card transactions, but it will capture the Personal Information of a user e.g. name, address, billing address, the transaction reference authorization number and any other unique identifiers that can be linked to a specific transactional process. The Payment Gateway e.g. Sage Pay, Stripe etc., will determine where that information is additionally shared e.g. the payment bank and the receiving bank or Merchant Account or PayPal Account. The transaction information will also be shared with the issuing credit or debit card Merchant e.g. Visa, Mastercard or American Express.
Our fully integrated Platform as a Service (PaaS) website technology is a secure system that includes multiple software provisions – including a dedicated email marketing system and Customer Relationship Management (CRM) system. Both of these facilities will store all of our electronic Personal Information within our server inside an Adobe datacenter – in effect 'in the cloud'. Our clients operate around the world – so we determine the best datacenter on which to position their website or ecommerce development, based on their location and/or country of operation. All of our website developments have a 256 bit encryption TLS certificate that in effect wraps around the website and protects the transmission of any Personal Information from a user's computer/tablet/mobile device to the Adobe datacenter. Equally, when we use our website's integrated platform to upload or manage Personal Information, we have secure protection in place to protect Personal Information transmissions.
Our electronic mail systems (email) are secured by 256 bit encryption. However, whilst our system is secure and we use McAfee Total Protection across our digital computer/tablet/mobile assets, it does not mean you have sufficient security in place at your end. We highly recommend that our clients upgrade their systems on a regular basis to combat cyber security threats. We always provide advice on this when we meet for initial commercial discussions. Furthermore we use McAfee Total Protection anti-virus and intrusion protection software across our digital estate. This software provides us with firewall protection and screening for viruses and trojans which can disrupt systems and steal Personal Information.
Furthermore, our commercial premises have high security perimeter fencing and electric gates, access control systems, intruder detection, fire detection and CCTV all of which is monitored 24/7/365 by ADT Fire & Security plc. This means our offices are protected in ways that most companies are not. We take security extremely seriously and will continue to do so in the future.
Our paper records and files connected to specific client projects are secured in locked cabinets and are only accessed by staff on a need to know basis. When files are not in use – they are returned to prevent any potential leak of Personal Information, including but not limited to Merchant Account data, logins for other web portals e.g. Google Accounts and so forth.
What happens to Your Personal Information when it is disclosed to us?
In the course of handling Your Personal Information we will:
1. Record and store Your Personal Information in our paper files, mobile devices and electronically on our local computer systems and hard drives, and also where applicable on the Cloud. This information can only be accessed by employees within our company and only when it is necessary to provide our service to you, and to perform any project tasks associated with or incidental to our core service provision.
2. Submit your Personal Information when consent has been given (normally your name and email address) to our email marketing list positioned within our secure email marketing system on our PaaS website technology within the European Datacenter. This is essential in order for us to communicate with you and offer updates about our work or provide incentives to customers and special offers. You can always unsubscribe from our Newsletters at any time.
3. Use Your Personal Information for the purpose of communicating with you in relation to general administration or any ongoing project discussions, initial exploratory discussions, the sharing of confidential plans or drawings, photographs, video, programming code, or any other reason that has a legitimate interest. We may also need to inform you of any developments in relation to your project or certain outcomes or intelligence we have gathered and need to pass to you. Equally, where we have your explicit consent to set up or manage your various online accounts e.g. Google, we may need to use your Personal Information to create certain workflow notifications or regular usage statistics and so forth.
Do we Share Your Personal Information?
Ordinarily we do not share your Personal Information with third party organisations other than as mentioned in the Sections above. From time to time however, it may be necessary to share your Personal Information in the following ways:
• Transactional Personal Information as a result of making a payment on our website. Such payment information will be shared between our server and CRM system, a Merchant Account (the authorizing bank) and the Payment Gateway provider e.g. Sage Pay.
• To set up new online accounts that complement our website developments and are mission critical in the current digital world e.g. Domain Names, Google, Social Media technology.
• To create new Merchant Accounts on your behalf to connect seamless payment gateways to our ecommerce technology in order to allow you to trade safely and securely online – mitigating cyber security risks. We only work with ‘best of breed’ brands e.g. Sage Pay, Stripe and wherever it is necessary, we will include payment verification services such as 3D Secure, Visa Verify or Mastercard SecureCode.
• To refer you to Welsh Government, UK Government, Department of International Trade, or any UK Local Authority to assist in applying for Grants or other information that may be of help. We would only do this with your explicit consent.
• Where we need to add your name and email address to a Project Management software system such as Basecamp, in order to include you in the project review process. We would only do this with your explicit consent.
We should point out that where we might share your Personal Information, it does not entitle third party organisations to send you marketing or promotional messages via email, text or telephone. It is shared to ensure we can adequately meet our responsibilities and your commercial expectations, and/or as otherwise set out in this policy.
For UK or EEA only clients, your Personal Information will not be transferred outside of the European Economic Area. Your Personal Information will only be stored securely within our commercial premises or within the secure Adobe European datacenter in Dublin as previously mentioned.
What about the Security of your Personal Information?
Your privacy is important to us and we will keep Your Personal Information secure in accordance with our legal responsibilities. We will take reasonable steps to safeguard Your Personal Information against it being accessed unlawfully or maliciously by a third party.
We also expect you to take reasonable steps to safeguard your own privacy when transferring information to us, such as not sending confidential information over unprotected email, ensuring email attachments are password protected or encrypted and only using secure methods of postage when original documentation is being sent to us.
Your Personal Data will be retained by us either electronically or in paper format for a minimum of six years, or in instances whereby we have legal right to such information we will retain records indefinitely.
Personal Information - what are your rights?
We are always willing to help you understand your rights. You can:
• Request copies of Your Personal Information that is under our control.
• Ask us to explain how we use your Personal Information.
• Ask us to correct, delete or request us to restrict or stop using your Personal Information (the extent to which we could provide such assistance would be clarified at the time).
• Request that we send an electronic copy of your Personal Information to another organisation should you wish.
• Change the basis of any consent you may have provided to enable us to market to you in the future (including withdrawing any consent in its entirety).
Contacting us about your Personal Information
If you have any questions or comments about this policy, or if you wish to make contact with us in order to exercise any of your rights set out within our policy, please contact:
The Data Protection Officer, K Ballard, Dezines Internet Solutions Limited, 4 Factory Road, Newport, Gwent, NP20 5FA. Telephone: +44 (0)1633 212388. We are licensed by the Data Protection Registrar.
If we believe we have a legal right not to deal with your request, or you cannot verify your identity through reasonable means prior to us taking action, or if in order to take action we need to do this in a different way to how you have requested, we will inform you at the time. Please take note that we have a duty to protect Personal Information and if we are not satisfied of your identity – it may cause delays to any reasonable request.
If you become aware of any unauthorised disclosure of your Personal Information and you think that it has something to do with Dezines Internet Solutions Limited, you must please let us know of the cyber security risks you are facing as soon as possible so we may take action and mitigate the impact to you or our systems. This is also important so that we can fulfil our regulatory duties where a data breach may have occurred.
If you have any concerns or complaints as to how we have handled your Personal Information you may lodge a complaint with the UK's Data Protection regulator – the Information Commissioner's Office (ICO), who can be contacted through their website at https://ico.org.uk/global/contact-us/ or by writing to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.