Under the GDPR, Personal Data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever personal data is to be processed:
We collect personal data only if it is directly provided to us by you (the user). The data we collect will only be in relation to the service you are requesting from us.
We collect information that you provide by completing forms in writing, email, through our web site or in person. This includes information provided at the time of registering with us, to use our Website (where applicable), to become a member of staff, to enter into a contract for our services, to support or subscribe to our services (where applicable), to request materials or to request further services or when you report a problem with any of our communication channels or services.
We collect the following classes of information:
To help us improve our services, if you send us personal information which identifies you via email, we may keep your email, your email address and ‘screen’ name. We may also collect information that is available from your browser.
We use analytical and statistical tools that monitor details of your visits to our website and the resources that you access, including, but not limited to, traffic data, location data, weblogs and other communication data (but this data will not identify you personally).
There are two main ways in which we collect your personal data:
Personal data that you give to us may be through one of a number of ways. These may include:
Personal data may be given to us through another organisation with which you have registered, and we may be required to process that data in order to fulfil services that you expect of us.
This could include one of the following:
We will process any of your personal data, in accordance with our obligations under applicable data protection laws and regulations, for the following reasons: to provide you with the services you have requested; to comply with applicable laws and regulations; for administrative purposes; to assess enquiries; and to provide you with information about us and our services. If, at any time, you do not wish to receive further information about us and our services, contact us at email@example.com.
The information that we collect and store relating to you is used to enable us to provide our services to you, and to meet our contractual commitments to you. Where you have consented to us contacting you, we may do so by post, email, phone or text.
We may disclose your information to regulatory bodies to enable us to comply with the law and to assist fraud protection and minimise credit risk.
We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any agreements; or to protect the rights, property, or safety of the organisation, or others. This includes exchanging information with other companies and organisations for the purposes of safeguarding or other statutory regulations we have to comply with as well as those organisations with whom you and we have reciprocal agreements for providing services for education or professional development.
You can revoke or vary consent at any time. If you do not want us to use your data, or want to vary the consent that you have provided, you can write to us at the address detailed in clause 2 above or email us at firstname.lastname@example.org at any time.
We do not use or disclose sensitive personal data, such as race, religion, or political affiliations, without your explicit consent.
Otherwise, we will process, disclose or share your personal data only if required to do so by law or in the good faith belief that such action is necessary to comply with legal requirements or legal process served on us or the website.
We do not use your personal data for marketing purposes.
Your data subject rights are listed below:
The DPA and GDPR give you the right to access information held about you by us. Please write to us or contact us by email if you wish to request confirmation of what personal information we hold relating to you. You can write to us at the address detailed in point 2 of the introduction above, or by email to email@example.com. There is no charge for requesting that we provide you with details of the personal data that we hold. We will provide this information within one month of your requesting the data.
You have the right to change the permissions that you have given us in relation to how we may use your data. You also have the right to request that we cease using your data or that we delete all personal data records that we hold relating to you. You can exercise these rights at any time by writing to us at the address detailed in clause 2, above, or by email to firstname.lastname@example.org.
The transmission of information via the Internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data while you are transmitting it to our site; any such transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.
The data that we collect from you will be processed at our servers in the UK. It may also be processed by organisations operating in the EEA that TACT has instructed.
If Personal Data is transferred outside the UK or EEA to a country without a designated adequacy rating TACT will request the data subject’s consent before processing the data. Consent will not be sought where the Processor’s Binding Corporate Rules, an adequacy decision or Standard Contractual Clauses stipulate that the data will be processed in accordance with GDPR.
We will hold your data in line with our data retention policy or until you opt out, whichever is the sooner.
All data hosted remains within the European Union. All data backups are encrypted at the time of creation, during transmission and in storage. Our lifecycle policies remove old backups after a set period of time. Backups are used only to restore data in the event of data loss either through system failure or by client request.
There are daily MySQL backups that run each night at midnight, encrypted on the server and kept on a 60-day lifecycle policy.
The content management system, WordPress, provides weekly backups. These backups are encrypted during creation and during transmission. These backups are kept on a 60-day lifecycle policy.
You might find links to third party websites on our website. These websites should have their own privacy policies, which you should check. We do not accept any responsibility or liability for their policies whatsoever.
We welcome any queries, comments or requests you may have regarding these policies. Please do not hesitate to contact us at Data Controller, TACT, The Courtyard, 303 Hither Green Lane, London SE13 6TJ or by emailing: email@example.com.
Last Updated: October 2019
For further information on your rights and how to complain to the ICO, please refer to the ICO website https://ico.org.uk/concerns
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate)
Last Updated: November 2019