Introduction In order to conduct its business activities, it is necessary for East Coast Design Studio to act as a data controller with respect to gathering and using the personal data of individuals. These can include clients, suppliers, freelancers, employees and other persons the company has a relationship with or may need to contact. This policy sets out how we collect, use and protect any information you give us when you use this website and/or our services.
We are committed to safeguarding your privacy. Should we ask you to provide certain information, you can be assured that it will only be used in accordance with this policy. We may be required to update this policy from time to time in order to remain legal and compliant. You should check this page periodically to ensure that you are happy with any changes.
What we collect We may collect the following information:
Clients & Suppliers
• Name, company name and job title
• Contact information including telephone number and email address
• Business address and postcode
• Other information relevant to your enquiry or to enable us to fulfil a contract

Employees and Freelancers
• Name
• Contact information including address, telephone number and email address
• Details of previous work and/or employment
• Other information to enable us to fulfil a contract or terms & conditions
Lawful reasons for processing Clients & Suppliers: For Business to Business clients and contacts, our lawful reason for processing your personal information will usually, in the first instance, be “legitimate interests”. Under this we can process your information if we have a genuine and legitimate business reason and we are not harming any of your rights and interests. Once you enter into a contract with us our lawful reason becomes “contractual obligation”. This also includes steps taken at your request before entering into a contract.
Freelancers & Employees: For Business to Consumer clients and contacts, our lawful reason for processing your personal information will usually be “contractual obligation” e.g. to supply services you have requested, or to fulfil obligations under an employment contract. This also includes steps taken at your request before entering into a contract.
What we do with the information we collect Clients: We require this information to understand your needs and provide you with a better service and in particular, for the following reasons:
• To provide ongoing customer service and maintain internal record keeping including for accounting purposes
• To enable contact by email or phone in relation to the enquiry you have made with us
• To periodically send update emails about new products/services or other information relevant to your enquiry. You may unsubscribe from receiving these emails at any time by clicking the unsubscribe link which is included at the bottom of all our update emails

Employees and Freelancers: We require this information in order to fulfil your employment contract.

Retention We are required to keep documents, contracts etc. for the length of the contract as a minimum and for up to seven years afterwards as a maximum. We will determine this on a case-by-case basis after taking into account the individual circumstances and will only keep data which is necessary for us to fulfil our contractual obligations. Any personal data held by us for marketing updates will be kept by us until such time that you notify us you no longer wish to receive this information.
Security We are committed to ensuring that your information is secure and protected against unauthorised or unlawful processing, accidental loss, destruction and damage. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, technical and managerial procedures to safeguard and secure the information we collect.
Paperwork: Personal data collected in paper form is stored in locked filing cabinets and shredded when no longer required. IT Systems: We have completed an internal cyber security risk assessment and applied suitable controls to reduce or mitigate any vulnerabilities or threats. Personal data stored in digital format is on secure cloud servers hosted in the United Kingdom with access to data highly restricted for approved business purposes only.
Security Breaches Despite all the controls we have put in place to address all the key GDPR principles, there is still always a risk a data breach may happen. In the unlikely event of this, the breach will be notified to all data subjects affected without undue delay. If appropriate, this will also be reported to the ICO within 72 hours of us becoming aware. The person who should be informed of any breaches is named at the bottom of this policy and is contactable by email at all times.
We use some unobtrusive cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to client needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website however. You can find out more about cookies by visiting the All About Cookies resource website.
Third Party Processing Our work for you may occasionally require us to pass your information to our service providers and for the purpose of delivering our services to you. Where we are entering into an engagement with a third party, we will seek to be satisfied that they have secure measures in place so your privacy rights continue to be protected as outlined in this policy.
We only disclose information that is necessary to deliver our services and we never allow your personal data to be used by any third party for any market research, marketing or other commercial purposes. Under GDPR law, we may be required to disclose your data for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also be required to disclose your personal data where such disclosure is necessary for the establishment or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
Your rights under GDPR Your principal rights under GDPR are:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• The right not to be subject to automated decision-making, including profiling
This means you have the right to know what data we are holding for you at any time, the right to access this data, change it and/or have it removed from any further processing activity.
Subject access request If you would like to contact us with a subject access request, please use the email address email@example.com with ‘GDPR Subject Access Request’ in the subject line. We will contact you within ten days of receiving this request.
If you are unhappy with the way your subject access request has been dealt with, you have the right to report a concern with a supervisory authority. In the UK, this is the Information Commissioner’s Office www.ico.org.uk/concerns/.
Responsible person for GDPR Tessa Dewing East Coast Design Studio, 35 St Georges Street, The Creative Quarter, Norwich NR3 1DA firstname.lastname@example.org