GDPR Information Privacy Notice
Net Consulting holds personal information about our employees, contractors, clients and potential clients, suppliers and other individuals for the purposes of satisfying operational and legal obligations. We recognise the importance of the correct and lawful processing and control of that information. Accordingly, this privacy notice sets out our commitment to protect personal information and ensures that our employees understand their obligations in relation to the use of personal information to which they have access. This privacy notice also requires our employees and contractors to ensure that our Data Protection Manager is consulted before any significant new information processing activity is initiated to demonstrate that relevant compliance requirements are implemented.
All personal information, whether held on paper, electronically or on other media, will be subject to the appropriate legal safeguards as specified in the EU Data Protection Regulation 2016 (GDPR).
This privacy notice applies to all Net Consulting employees, including contractors and any suppliers or partners who have access to Net Consulting information. This privacy notice complements our other policies relating to website, internet and email use. We may supplement or amend this privacy notice by additional policies, notices and guidelines from time to time. Any new or revised privacy notices will be made available to employees before being adopted.
Fair and Lawful Processing
Net Consulting commits to processing personal information fairly and lawfully in accordance with the rights of data subjects. This means that we only process personal information in relation to the specific purpose(s) it was provided to or collected by us, which may include agreed contractual obligations or identified legitimate interest.
Accordingly, the processing of all personal information must be:
- Necessary to deliver our services; and
- In our legitimate interests and will not unduly prejudice the privacy of the data subject. In most cases, this provision will apply to routine business information processing activities.
Our standard terms and conditions of business contain an appropriate privacy notice, which describes our commitment to processing personal information fairly and lawfully and confirms:
- The purposes for which we hold personal information
- That any engagement or contract may require us to provide personal information to third parties who are legitimately involved in the provision of the related products and services
- That employees, contractors, clients and other individuals have a right of access to the personal information that we hold about them.
Sensitive Personal Information
In most cases, where Net Consulting processes sensitive personal information, we will require the data subject’s explicit consent, unless exceptional circumstances apply or we are required to do this by law. Any such consent will need to clearly identify what the relevant information is, why it is being processed and to whom it may be disclosed.
Accuracy and Relevance
Net Consulting will ensure that any personal information we process is accurate, adequate and relevant to the purpose for which it was obtained.
We commit not to process personal information obtained for a legitimate purpose for any unconnected purpose unless the data subject concerned has agreed to this or would otherwise reasonably expect us to do this.
Data subjects may request that we correct inaccurate personal information relating to them. If you believe that your personal information is inaccurate, you should contact Paul Thomas, the Net Consulting Data Protection Manager, and provide details of the inaccuracies.
Your Personal Information
Data subjects must take reasonable steps to ensure that any personal information we hold is accurate and updated as required. For example, if your personal circumstances change, please inform the Data Protection Manager so that your personal information can be updated.
Net Consulting commits to keeping all personal information secure against loss, breach or misuse. Where we engage with third parties to process personal information as a service on our behalf, Net Consulting will determine what additional information security measures are required in contracts with the third-party organisations.
Storing Information Securely
Net Consulting commits to managing all personal information appropriately, including:
- Where information is stored on paper, it should be kept securely, so that unauthorised individuals cannot access it
- Printed information should be shredded when it is no longer required
- Information stored on end-point computer devices should be protected by strong passwords that are changed regularly, in accordance with our password management policy
- All servers containing personal information must be sited in a secure location, so that unauthorised individuals cannot access them
- Information will be regularly backed up in accordance with our backup procedures
- All servers containing sensitive personal information will be protected by appropriate security measures, including technical and firewall controls.
Net Consulting will retain personal information for no longer than is necessary and justified. The retention of personal information will be managed in accordance with our information retention guidelines.
The Data Protection Manager is responsible for ensuring compliance with the EU General Data Protection Regulation 2016 (GDPR) and the implementation of this privacy notice on behalf of Net Consulting. Paul Thomas is the Data Protection Manager at Net Consulting. Any questions or concerns about the interpretation or operation of this privacy notice should be addressed in the first instance to Glenn Morgan.
Any staff member who considers that the privacy notice has not been followed in any respect regarding the control of personal information should raise the matter with Glenn Morgan in the first instance.
Rights to Access Information
All data subjects whose personal information is retained by Net Consulting are entitled to:
- Confirm what information is held about them and why
- Ask how to gain access to this information
- Be informed as to how to keep this information up to date
- Be informed as to what Net Consulting is doing to comply with its obligations under GDPR.
This is known as a ‘subject access request’. This right applies to all Net Consulting employees and contractors as well as other subjects of personal information held by Net Consulting.
This right is subject to certain exemptions which are set out in the EU General Data Protection Regulation 2016 (GDPR). Any person who wishes to exercise this right should make the request as follows:
Paul Thomas – Managing Director and Data Protection Manager
[email protected] or 02920 972020
Net Consulting, 4C Greenmeadow Springs Business Park, Village Way, Cardiff, CF15 7NE.
Net Consulting aims to comply with requests in relation to personal information as quickly as possible and will ensure that it is provided within 30 days of receipt of a valid request and associated pre-requisites prescribed in the EU General Data Protection Regulation 2016 (GDPR), unless there is a justifiable reason for delay. In such cases, the reason for delay will be explained in writing to the person making the request.
Control of Information
The storage, transmission and use of personal information and sensitive personal information outside of the control of Net Consulting is prohibited unless specifically authorised in accordance with the GDPR Privacy Notice.
Net Consulting commits to comply with the requirements of the EU General Data Protection Regulation 2016 (GDPR) and to manage and control the use of mobile devices and portable storage media to ensure that personal information and sensitive personal information are protected from unauthorised access, dissemination, alteration or deletion.
These controls apply to all Net Consulting employees and contractors who may be required to store, transmit and use personal information or sensitive personal information outside of Net Consulting’s direct control, including using mobile devices (laptops and mobile phones), portable storage media (memory sticks and CDs) or other forms of communication (email and extranet).
The definition of “personal information” can be complex, but for day-to-day purposes it is advisable to treat all information about living, identifiable individuals as “personal information”, which can be retained in a variety of formats, including but not limited to email, word processed documents, spreadsheets and databases.