The GDPR has been introduced across Europe to offer greater protection for consumers and it is a detailed enhancement to the previous Data Protection Act 1988 which has become widely ineffective, with companies across Europe frequently breaching the spirit of the Act and the Personal Information it was designed to protect. Even after the UK leaves the European Union - we still expect the GDPR to be effective in the United Kingdom.
GDPR focuses on improving an individual’s rights of privacy. Our new policy helps you to identify key points about the Personal Information we collect from you, why and how it is collected and where it is stored securely.
We have always taken this seriously and we view GDPR as an important improvement that will sharpen up slack processes across the data landscape. The relationship we have with Personal Information is within a business to business (B2B) and business to consumer (B2C) framework. We do not ordinarily collect any Personal Information from persons under the age of 18 years.
Personal Information is any information that in any way describes your personal circumstances e.g. your name, your address, your mobile or home phone numbers and so forth. It may also include any employment information or personal attributes such as your sex, cultural or social identity.
However, in relation to the context in which we use Personal Information, we generally only collect and store data from businesses or their direct members of staff, or consumers, and such Personal Information may include:
1. Title, name, contact details, work or home address – data that helps us identify the business/consumer client relationship.
2. Employment data that relates directly to our staff e.g. PAYE data, employment contracts, employment history, educational qualifications, previous employment details.
3. Bank Account details of our clients, accounts & invoice data, VAT tax data, company credit references.
4. Email addresses that may be subscribed to an email marketing campaign list.
5. Personal Information used to access certain online services for which we have a genuine need to use e.g. a Credit Reference Agency or a Merchant Account facility to establish transactional payment data.
When you initially interact with 360 Design Consultants Ltd in relation to any of the commercial services we offer – we will request you complete a secure online form on our website in the first instance. Alternatively you may call us direct and we would complete a Customer Relationship Management (CRM) record to store your contact information and articulate your reasons for contacting us. We may record calls and store the data securely, although where applicable, credit card information is not recorded as part of our PCI DSS compliance.
We may take other information in the course of our respective commercial discussions. Equally if it is in relation to employment within our company – we will request more detailed information from an individual and that might for example include copies of training certificates or degrees issued by a university and so forth. We believe such Personal Information would be essential in order to enter a contract whether that be as a client of 360 Design Consultants Ltd or as an employee or Director.
In order to perform the contractual agreement – we would have a right to use your Personal Information. At the end of any contract period, we would retain the right to use your Personal Information, providing it is in our legitimate business interest to do so and of course that your rights are not affected in any way. The reason why we might need to use your Personal Information in this way is to make contact with you in relation to the service provision, or to secure specific information from you, to ensure you have received good customer service, or to seek your feedback in relation to our service or to respond to your complaint.
We might also capture your Personal Information electronically through our website’s main 'Contact Page Form' or a payment transaction form.
Our webforms are protected by 256 bit TLS encryption – providing excellent digital protection to any Personal Information sent to us via our website. This would be Personal Information you choose to send us. However, we should point out that despite our best efforts to protect all data transmitted over the internet - we cannot guarantee it is secure.
We might also need to use your Personal Information in order to comply with the Law e.g. a Court Order has been issued to allow the Police to examine our digital and or paper records including any email.
We use the following legal bases under European Data Protection rules for processing your Personal Information:
1. The performance of, or entry into, a contract. The Personal Information that we are required to collect in order to comply with our professional obligations which must be provided to us, so we can perform the contract. Clearly we would not be able to act for you without such Personal Information.
2. Compliance with a legal obligation to which we are subject e.g. a Court Order.
3. We have a legitimate interest in doing so. Such a legitimate interest will include the way we manage the commercial relationship with our clients, build digital CRM records associated with new or existing customer interactions whether by email, web forms or direct telephone calls, administering visits to our offices and ascertaining the achievement of proper standards and client management, practices or procedures.
4. We do not ordinarily handle or use ‘Special Category’ Personal Information in the normal context of what we do. However, where there is a commercial need to do so, and we have your express permission, we would take the appropriate responsibility to be compliant, but accept that such consent may be withdrawn at any time.
In most cases your Personal Information will be given to us by you, although we might collect and record your Personal Information from a variety of sources e.g. by taking your business card on display at a tradeshow or being given a business card as a result of talking with you at an event. However, it is often the case you will give us your Personal Information via our website or by directly calling us on our telephone number to determine your needs. You might provide your Personal Information to us verbally, in writing (includes via electronic webforms) and email.
Additionally, there may be certain occasions where your Personal Information is given to us by your employer in connection with our and their legitimate interest to conduct business. We may also secure your Personal Information from verified and trusted sources where we have paid subscription services and have a legitimate interest to connect with you e.g. you have visited our website from your commercial premises and our technology determines your businesses identity, and we can select your Personal Information from a list of employees or Directors at that business. A commercial partner that offers this type of facility is Lead Forensics – a business intelligence platform. We may also use online credit check/score platforms to assist us in identifying business credentials or identify the owners or Directors. We will only process such information where you have expressed your consent or we have consent from our commercial processing partners who are compliant with the GDPR.
Sometimes we will receive a referral from one of our commercial partners around the UK. In such circumstances you will have indicated a need whilst in discussion with that Partner that you might need professional print/design advice in relation to your personal or commercial business. The commercial partner will have told you that they can refer you through to 360 Design Consultants Ltd. They will have asked for your explicit consent to share your Personal Information in this way. Your consent in this type of situation will mean that once we receive this data, we will then record it within our secure framework of technology.
Our closely integrated web development partner is Dezines Internet Solutions Limited who are an official Adobe UK Business Catalyst Partner. Our commercial relationship with Dezines affords us access to their global and highly secure server infrastructure – datacenters on which we position our website and ecommerce developments. The European Datacenter is positioned in Dublin, Republic of Ireland, and is compliant with European rules and is part of the Amazon Web Services (AWS) framework. It is a secure facility and only engineers with a legitimate need to be on site are granted access. Adobe’s server engineers around the world have significant expertise in preventing, detecting and effectively combating Distributed Denial of Service (DDoS) attacks from organized criminals or rogue states. To date none of Dezines' website developments have ever been hacked, and therefore we trust the partnership we have with Dezines, who only position with very trusted technical partners. Additionally, we always set strong password and security protocols for our digital infrastructure on a 'need to know' basis.
Our PaaS website technology is Level 1 PCI DSS 2.0 Compliant (PCI DSS = Payment Card Industry Data Security Standards). As such our technology does not store full details of credit card transactions, but it will capture the Personal Information of a user e.g. name, address, billing address, the transaction reference authorisation number and any other unique identifiers that can be linked to a specific transactional process. Depending on the Payment Gateway ... will determine where that information is shared and in what country.
Our fully integrated Platform as a Service (PaaS) website technology is a secure system that includes multiple software provisions – including a dedicated email marketing system and Customer Relationship Management (CRM) system. Both of these facilities will store all of our electronic Personal Information within our server inside an Adobe datacenter – in effect ‘in the cloud’. All of our website developments have a 256 bit encryption TLS Certificate that in effect wraps around the website and protects the transmission of any Personal Information from a user’s computer/tablet/mobile device to the Adobe datacenter. Equally, when we use our website’s integrated platform to upload or manage Personal Information within the CRM system, we have secure https:// protection in place to protect Personal Information transmissions.
Our electronic mail systems (email) are also secured by 256 bit encryption. However, whilst our system is secure and we use McAfee Total Protection across our digital computer/tablet/mobile assets, it does not mean you have sufficient security in place at your end. We highly recommend our clients to upgrade their systems on a regular basis to combat the effects of cyber security. We are always happy to provide advice on this important area and often will release information on our website that you might find helpful. Furthermore we use McAfee Total Protection anti-virus and intrusion software across our digital estate. This software provides us with firewall protection and screening for viruses and trojans which can disrupt and steal Personal Information.
Furthermore, our commercial premises have high security perimeter fencing and electric gates, access control systems, intruder detection, fire detection and CCTV all of which is monitored 24/7/365 by ADT Fire & Security plc. This means our offices are protected in ways that most companies are not. We take security extremely seriously and will continue to do so in the future. Where we have Personal Information stored on paper records - then those records will be locked in secure cabinets within our commercial premises, and are only accessed by staff on a need to know basis. When files are not in use – they are returned to prevent any potential leak of Personal Information.
In the course of handling Your Personal Information we will:
1. Record and store Your Personal Information in our paper files, and electronically on our local computer systems and on the Cloud within our PaaS (Platform as a Service) website technology. This information can only be accessed by employees within our company and only when it is necessary to provide our service to you, and to perform any project tasks associated with or incidental to our core service provision.
2. Submit your Personal Information (normally your name and email address) to our email marketing list positioned within our secure email marketing system on our PaaS website technology within the European Datacenter. This is essential in order for us to communicate with you and offer updates about our work or provide incentives to customers and special offers. You have to opt in to our Newsletters lists and verify your subscription (often called a 'double opt-in') and you can always unsubscribe from our Newsletters at any time. We will never force opt you into one of our newsletters.
3. Use Your Personal Information for the purpose of communicating with you in relation to general administration or any ongoing service discussions or initial exploratory discussions, or any other reason that has a legitimate interest.
Ordinarily we do not share your Personal Information with third party organisations other than as mentioned in Section 4 above. From time to time however, it may be necessary to share your Personal Information in the following ways:
1. Transactional Personal Information as a result of making a payment on our website. Such payment information will be shared between our server and CRM system, a Merchant Account (the authorizing bank) and the Payment Gateway provider e.g. Sage Pay or Stripe.
2. To verify your authority to make a payment using a credit or debit card e.g. services such as 3D Secure, Visa Verify or Mastercard SecureCode.
3. To refer you to one of our trusted commercial partners in order to provide additional installation services e.g. if you required a large billboard and we had to hire in specialist access or lifting equipment, where we had to disclose your location to the equipment provider.
We should point out that where we might share your Personal Information, it does not entitle third party organisations to send you marketing or promotional messages via email, text or telephone. It is shared to ensure we can adequately meet our responsibilities and your commercial expectations, and or as otherwise set out in this policy.
For UK or EEA only clients, your Personal Information will not be transferred outside of the European Economic Area. Your Personal Information will only be stored securely within our commercial premises or within the secure Adobe European datacenter in Dublin or elsewhere in the UK as previously mentioned. We reserve the right to change secure server locations and we will update this policy when we do so.
Your privacy is important to us and we will keep Your Personal Information secure in accordance with our legal responsibilities. We will take reasonable steps to safeguard Your Personal Information against it being accessed unlawfully or maliciously by a third party.
We also expect you to take reasonable steps to safeguard your own privacy when transferring information to us, such as not sending confidential information over unprotected email, ensuring email attachments are password protected or encrypted and only using secure methods of postage when original documentation is being sent to us. Your Personal Data will be retained by us either electronically or in paper format for a minimum of six years, or in instances whereby we have a legal right to such information we will retain records indefinitely.
We are always willing to help you understand your rights. You can:
1. Request copies of Your Personal Information that is under our control.
2. Ask us to explain how we use your Personal Information.
3. Ask us to correct, delete or request us to restrict or stop using your Personal Information (the extent to which we could provide such assistance would be clarified at the time).
4. Request we send an electronic copy of your Personal Information to another organisation should you wish.
5. Change the basis of any consent you may have provided, to enable us to market to you in the future (including withdrawing any consent in its entirety).
If you have any questions or comments about this policy, or if you wish to make contact with us in order to exercise any of your rights set out within our policy, please contact:
The Data Protection Officer, K Ballard, 360 Design Consultants Ltd, 4 Factory Road, Newport, Gwent, NP20 5FA. Telephone: 0333 444 6 800. We are licensed by the Data Protection Registrar.
If we believe we have a legal right not to deal with your request, or you cannot verify your identity through reasonable means prior to us taking action or if in order to take action, we need to do this in a different way to how you have requested, we will inform you at the time. Please take note that we have a duty to protect Personal Information and if we are not satisfied of your identity – it may cause delays to any reasonable request.
If you become aware of any unauthorised disclosure of your Personal Information and you think that it has something to do with 360 Design Consultants Ltd, you must please let us know of the cyber security risks you are facing as soon as possible so we may take action and mitigate the impact to you or our systems. This is also important so that we can fulfil our regulatory duties where a data breach may have occurred.
If you have any concerns or complaints as to how we have handled your Personal Information you may lodge a complaint with the UK's Data Protection regulator – at the Information Commissioner's Office (ICO), who can be contacted through their website at https://ico.org.uk/global/contact-us/ or by writing to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.