LINKFRESH Software Holdings Limited – Data Protection Policy
Context & Overview
- Policy Prepared by: Sarah Neale, Director of Marketing
- Approved for operational use on: 14th March 2018
- Policy became operational on: 14th March 2018
LINKFRESH Software Holdings Limited (‘LSHL’) needs to gather and use certain information about individuals, including customers, suppliers, business contacts, employees and other people that the organisation has a relationship with, or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and obligations and to comply with the law and regulatory requirements.
Why this policy exists
This data protection policy ensures that LSHL:
- Complies with data protection law and follows good practice.
- Protects the rights of staff, customers, suppliers, partners, and other individuals
- Is open and transparent about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data Protection Law
The Data Protection Act 1998
The Data Protection Act 1998 describes how organisations – including LSHL – must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
GDPR – The General Data Protection Regulation 2018
The General Data Protection Regulation (GDPR) is European Union legislation that will begin to be enforced on May 25, 2018.
Its aim is to strengthen the rights of data subjects within the European Union (EU) and European Economic Area (EEA) with regard to how their personal data is used and how it’s protected. (‘Personal data’ means any information that relates to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, ID number, location data, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person). LSHL do not hold any data relating to items categorised as “Special Categories of Personal Data” as defined within GDPR (Race, Religion, Political Opinions, Trade Union Membership, Sexual Orientation, Health information, Biometric Data or Genetic Data).
The GDPR applies to any organisation inside or outside the EU that is marketing goods or services to, and/or tracking the behaviour of, data subjects within the EU and EEA.
The GDPR is structured around six key principles (detailed in Article 5 of the legislation):
- Transparency on how data will be used and what it will be used for.
- Ensuring that the data collected is used only for the purposes explicitly specified at the time of collection.
- Limiting the data collection to what is necessary to serve the purpose for which it is collected.
- Ensuring the data is accurate.
- Storing the data for only as long as necessary within its intended purpose.
- Prevention of unauthorised use or accidental loss of the data through the deployment of appropriate security measures.
In addition, the GDPR includes a new accountability requirement to be able to demonstrate how compliance with the principles is being managed and tracked. This requires the maintenance of records of how and why personal data was collected, how and when consent was given, as well as the documentation of the processes put in place to protect it.
This policy applies to:
- The head office of LSHL
- All branches and subsidiaries of LSHL
- All staff of LSHL
- All contractors, suppliers and other people working on behalf of LSHL and its branches and subsidiaries
It applies to all data that the company holds relating to identifiable individuals; this can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Plus any other information relating to an identifiable natural person
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Collection of Website data analytics
The website of LSHL (www.linkfresh.com) collects a series of general data and information when a data subject accesses our website pages. This general data and information provides statistics on website visitors, usage, date & time, frequency and duration of visits, page views, browsers used, referrers, and IP address.
When using these general data and information, LSHL does not draw any conclusion about the data subject. This information is used to:
- Improve the website browsing experience.
- Optimise the website content
- Monitor effectiveness of our marketing activities
- Ensure the long term viability of our information technology systems and website technology.
- Provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.
LSHL analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. This anonymous data is stored separately from all personal data that may be otherwise provided by a data subject.
Consent via our Website
The data subject may request, via a website contact form, further contact by LSHL, for example, to find out more information on our products and services. The personal data entered by the data subject is collected and stored exclusively for use by LSHL, and will be used in accordance with the following privacy statement, to which the data subject has agreed:
LINKFRESH Software Holdings Limited (“LSHL”) and its subsidiaries will be what is known as the “Data Controller” of the personal data you provide to us. LSHL’s registration number is: 08237552 and its registered address is: Harston Mill, Harston, Cambridge, CB22 7GG, United Kingdom.
Your Personal Data
What data we need
Unless otherwise agreed with you, we will only collect basic personal data about you, which does not include any special categories of personal information about you (often known as “sensitive personal data”). The basic personal data we collect about you does include: name, job title, telephone number(s), email and business address.
Why we need it
We need to know basic personal data in order to provide you with the consultancy services you have engaged us to provide, and to assert our right to be recompensed in return for these services, as per the services agreement or contract we have with you. If you do not provide this information we will be unable to provide the consultancy services you have requested.
We will also collect your personal data for marketing activities, and to provide you with information about our products and services. Specifically, these marketing activities will include: email marketing, newsletters, press releases, telephone sales, event invitations, product launches, product and services updates and direct mail.
These marketing communications may be transmitted via telephone, email or post. Please note that where marketing information is transmitted to you via email, your data will be shared with a secure third-party web-based marketing automation application, Marketo. For more information on how Marketo protects our data visit https://www.marketo.com/company/trust/gdpr/.
We will not collect any personal data from you that we do not need in order to carry out the above-mentioned activities.
What we do with it
All personal data we hold about you will be processed by our staff and no additional third parties will have access to your personal data unless there is a legal obligation for us to provide it. Please be aware that your personal data may be stored on a cloud-based system whose servers are located within the European Union.
We take all reasonable steps to ensure that your personal data is processed securely and more information on this can be found in our Data Protection Policy.
How long we keep it
We will generally keep your personal data for a minimum of six years, after which time it will be destroyed if it is no longer required for the lawful purpose(s) for which it was obtained.
Personal data collected and processed solely for marketing activities will be kept until you notify us that you no longer wish to receive marketing communications.
If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case for example when processing operations are necessary for the supply of goods or to provide any other services, the processing is based on Article 6(1) lit. b GDPR – Legitimate Interest.
The same applies to such processing operations as are necessary for carrying out pre-contractual measures, for example, in the case of enquiries concerning our products or services.
What are your rights
If at any point you believe the information we process about you is incorrect, you can request to see this information and have it corrected or deleted. If you wish to raise a complaint about how we have handled your personal data, you can email us at email@example.com to have the matter investigated.
If you are not satisfied with our response, or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office: https://ico.org.uk/
LSHL will also collect and store details relating to the data subject’s consent to contact. These details will include:
- Affirmative consent to processing (Yes/No)
- Date upon which consent was given
- Date upon which consent was last updated
- Consent Notes (how consent was obtained and for what purposes)
Everyone who works for, or with, LSHL has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles data must make sure that it is handled and processed in line with this policy and data protection principles.
However, the following people have key areas of responsibility:
The Board of Directors is ultimately responsible for ensuring that LSHL meets its legal obligations.
The Data Protection Officer Jacquie Fisher is responsible for:
- Keeping the Board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with requests from individuals to see the data LSHL holds about them (also called “subject access requests”).
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
The IT & Operations Manager Jeremy Wardell is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third party services the company is considering using to store or process data. For example, cloud computing services.
The Director of Marketing Sarah Neale is responsible for:
- Approving any data protection statements attached to communications such as emails and letters.
- Working with other staff to ensure marketing initiatives abide by data protection principles.
General Staff Guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data will not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- LSHL will provide training to all employees to help them understand their responsibilities when handling data.
- Employees will keep all their data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords will be used, and they should never be shared.
- Personal data will not be disclosed to unauthorised people, either within the company or externally.
- Data will be regularly reviewed and updated if it is found to be out of date. If no longer required it should be deleted and disposed of.
- Employees will request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely and securely stored. Questions about storing data safely can be directed to the IT manager or data controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot access it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files will be kept in a locked drawer or filing cabinet.
- Employees will make sure paper and printouts are not left where unauthorised people could see them, for example, on a printer.
- Data printouts will be shredded and disposed of securely when no longer required.
When data is stored electronically, it will be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data will be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like CD, DVD or flash drive), these will be encrypted.
- Servers containing personal data are sited in a secure location, away from the general office space.
- Data will only be stored on designated drives on these secured servers.
- Some personal data will be stored on approved secured cloud computing services.
- Data will be backed up frequently, in line with the company’s standard backup procedures.
- Where laptops are used, these will be encrypted to prevent unauthorised access; any data saved directly to these laptops will be secured.
- As a technology company we use a variety of devices in addition to laptops. These include tablets and smart phones. We have a policy in place to ensure that all devices are secure and regularly updated to maintain security levels.
- All servers and computers containing data are protected by approved security software and a firewall.
Personal data is of no value to LSHL unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, employees will ensure the screens of their computers are always locked when left unattended.
- Personal data will not be shared informally. When data is transferred by e-mail it is carried out from our secure servers and is encrypted whilst in transit. As an additional precaution, wherever possible, attachments will be separately encrypted or password protected.
- Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
The law requires LSHL to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
Subject Access Requests
All individuals who are the subject of personal data held by LSHL are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed how the company is meeting its data protection obligations
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the Data Protection Officer at firstname.lastname@example.org. The Data Protection Officer can supply a standard request form, although individuals do not have to use this.
The Data Protection Officer will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, LSHL will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
LSHL aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company. This document is available on request and is also on the company’s website.
Rights of the data subject
Right of confirmation
Each data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed. If a data subject wishes to avail himself or herself of this right of confirmation, he or she may, at any time, contact our Data Protection Officer.
Right of access
Each data subject shall have the right to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:
- The purposes of the processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
- The existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing.
- The existence of the right to lodge a complaint with a supervisory authority
- Where the personal data are not collected from the data subject, any available information as to their source
- The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significant and envisaged consequences of such processing for the data subject.
Furthermore, the data subject shall have the right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail himself or herself of this right of access, he or she may at any time contact our Data Protection Officer.
Right to rectification
Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact our Data Protection Officer.
Right of restriction of processing
Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing pursuant to Article 21(1) of the GDPR, pending verification of whether the legitimate grounds of the controller override those of the data subject.
If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by LINKFRESH Software Holdings, he or she may at any time contact our Data Protection Officer. The Data Protection Officer of LSHL will arrange the restriction of the processing.
Right to data portability
Each data subject shall have the right granted by the European legislator to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, and as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible, and when doing so does not adversely affect the rights and freedoms of others.
In order to assert the right to data portability, the data subject may at any time contact the Data Protection Officer designated by LINKFRESH Software Holdings.
Right to Object
Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.
LSHL shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If LSHL processes personal data for direct marketing purposes the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such marketing. If the data subject objects to LSHL processing personal data for direct marketing purposes, then LSHL will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by LSHL for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In order to exercise the right to object, the data subject may directly contact the Data Protection Officer of LINKFRESH Software Holdings. In addition, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject is free to exercise his or her right to object by automated means using technical specifications.
Right to withdraw data protection consent
Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal data at any time.
If the data subject wishes to exercise the right to withdraw the consent, he or she may at any time directly contact our Data Protection Officer.
Data protection for applications and the application procedures
The data controller shall collect and process the personal data of applicants for the purpose of handling the application procedure. The processing may also be carried out electronically. This is the case, in particular, if an applicant submits the corresponding application documents to the controller by e-mail or by means of a web form on the website. If the data controller concludes an employment contract with an applicant, the submitted data will be stored for the purposes of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant by the controller, the applicant’s data shall be kept for 12 months after notification of the refusal decision, provided that no other legitimate interests of the controller are opposed to the erasure. Another legitimate interest in this context is, e.g., a burden of proof in a procedure under the General Equal Treatment Act (AGG).
Legal basis for the processing
Article 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other services, the processing is based on Article 6(1) lit. b GDPR.
The same applies to such processing operations as are necessary for carrying out pre-contractual measures, for example, in the case of enquiries concerning our products or services.
If our company is subject to a legal obligation by which processing is required, such as for the fulfilment of tax obligations, the processing is based on Article 6(1) lit. c GDPR.
In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed to a doctor, hospital or other third party. Then the processing would be based on Article 6(1) lit. d GDPR.
Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the above-mentioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator, who considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).
The legitimate interests pursued by the controller or by a third party
Where the processing of personal data is based on Article 6(1) lit. f GDPR our legitimate interest is to carry out our business in favour of the well-being of all our employees and the shareholders.
Period for which the data will be stored
The criterion used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfilment of the contract or the initiation of a contract.
Provision of personal data as a statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the data subject to provide the personal data; possible consequences of failure to provide such data
We clarify that the provision of personal data is partly required by law (e.g. tax regulation) or can also result from contractual provisions (e.g. information on the contractual partner). Sometimes, in order to conclude a contract, it may be necessary for the data subject to provide us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with him or her. Non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded. Before personal data is provided by the data subject, the data subject must contact our Data Protection Officer. Our Data Protection Officer clarifies to the data subject whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and the consequences of non-provision of the personal data.
Existence of automated decision making
As a responsible company, we do not use automated decision-making or profiling.