‘Personal data’ relates to a living individual. This data could be as simple as your name and email address, or more sensitive information, for instance, data relating to your health, race or religion.
As it would not be possible to provide our services without personal information relating to the project, ‘contractual necessity’ is our lawful basis for processing under GDPR.
Employees
Contractual necessity is our primary lawful reason for processing your data, and a requirement for us to retain your information is bound into law.
Our professional bodies and our Professional Indemnity Insurance require us to process and retain your data as part of our project files, and doing so is in our legitimate interest.
In order to facilitate collaborative working, all permanent members of our team have access to live project files. Our contracted IT provider has access to all files within the business.
Employee records are access controlled, with appropriate access granted to Directors and IT.
You have the right to request copies of personal data held by the practice at any time. Requests to access, amend or delete data will be considered and responded to without undue delay.
In order to help facilitate compliance with the GDPR, we politely request that all contact with us be limited to email and face-to-face meetings. The use of alternative text-based messaging platforms or social media cannot be accepted (this includes WhatsApp, iMessage and SMS).
We maintain a list of all freelancer names, which is kept indefinitely in order to request repeat service. Employee records are kept for the duration of the employment contract.
We keep copies of employment applications for six months from submission date, and a list of candidates for up to three years.
Unless otherwise communicated to you, your data will be stored on our internal servers and storage arrays. Backups will be made both within our business, and to a European data centre. Printed copies of information may also be produced and stored. If your information leaves our network, for instance on an employee’s laptop, then it is typically encrypted to minimise the risk of it falling into the wrong hands.
We have policies in place to ensure an appropriate response to any data breach, be it something simple such as an incorrectly addressed email, or a serious attack on our network from a third party. These policies will ensure that the appropriate people are alerted following any breach (or suspected breach).
If you become aware of a breach, please contact us as soon as possible at email@example.com.