DATA PROTECTION and PRIVACY
Aim and scope of the policy
Holland Harvey (The Company) is aware of its obligations under the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with the DPA and the GDPR, the types of data that we hold, how we use that information, how long we keep it for and your obligations to the DPA and GDPR.
“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.
“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Company makes a commitment to ensuring that personal data is processed in line with GDPR and domestic laws.
Where third parties process data on behalf of the Company, the Company will ensure that the third party takes such measures in order to maintain the Company’s commitment to protecting data. In line with GDPR, the Company understands that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held.
This Privacy Notice describes how we collect and use Personal Data about visitors to our website, clients and potential clients, third party consultants and any other individuals whom we may collect Personal Data.
Data controller details
The Company is a data controller, meaning that it determines the processes to be used when using your personal data.
Data protection principles
In relation to your personal data, we will:
- use it fairly, lawfully and in a clear, transparent way
- collect your data only for reasons that we find proper and in ways that have been explained to you and not used in any way that is incompatible with those purposes
- only use it in the way that we have told you about
- ensure it is correct and up to date
- keep data only as long as necessary for the purposes we have told you about
- process it in a way that ensures it will not be used for anything that you are not aware of or have not consented to
- keep data securely
Types of data we process
We hold many types of data about you, including:
- Contact details (including names, postal addresses, email addresses and telephone numbers);
- Professional information such CVs, job titles, previous roles, documentation relating to your right to work and professional experience and qualifications;
- Where you provide the information to us, information concerning your interests both business and personal;
- Details regarding your attendance at our events, training events and CPDs (Continuous Professional Development)
- Details of your visits to our website including, but not limited to, traffic data, location data, and web logs.
How we collect your data
Your personal data may be collected by us in a number of ways, including:
through our provision of services to you, your employer or the organisation you represent;
- during the course of dealings with you for or on behalf of a client;
- when you undertake a recruitment exercise;
- when you provide us with information in relation to your attendance at any hosted events;
- when you provide information to us by filling in forms on this web site;
- when you contact us, for example, to enquire about our services;
- when we collect publicly available information about you or your business (including through electronic data sources); and
- when we collect your personal data from our clients, consultants, suppliers and other advisers.
Why we process your data
The law on data protection allows us to process your data for certain reasons only:
- To provide you with information and services that you request from us or which we feel may interest you as permitted under applicable law
- To improve the content and methods of delivery of our website
- To maintain and develop our relationship with you
- For research, planning, service development, security or risk management
- To carry out services we have agreed to provide to you
- To allow you to use or access secure areas of our website
- To comply with legal and professional obligations
- To disclose your information as set out below
You have the right to ask us not to process your personal information for marketing purposes. When we collect contact information from you (for example, when you provide us with your business card or when you are the person instructing us on behalf of your employer), we may add your details to our contacts database and to our mailing lists. You can exercise the right at any time by sending us an email to firstname.lastname@example.org.
Protecting your data
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.
How long we keep your data for
In line with data protection principles, we only keep your data for as long as we need it for.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data we hold on you. These are:
- the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice
- the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request
- the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it
- the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it
- the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct
- the right to portability. You may transfer the data that we hold on you for your own purposes
- the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests
- the right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in way that adversely affects your legal rights
Accessing your data
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
Requests for access to this data will be dealt with under the following summary guidelines:
- email email@example.com to make a subject access request. The request should be made to the compliance officer.
- the Company will not charge for the supply of data unless the request is manifestly unfounded, excessive, or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request
- the Company will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.
You must inform the Company immediately if you believe that the data is inaccurate, either as a result of a subject access request or otherwise. The Company will take immediate steps to rectify the information.
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of the Company becoming aware of it and may be reported in more than one instalment.
Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.
If the breach is sufficient to warrant notification to the public, the Company will do so without undue delay.
Making a complaint
The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO.
Data protection compliance
Rachael Stocker is the Company’s appointed compliance officer in respect of its data protection activities.