Privacy Policy

Privacy Policy 2019

This Privacy Policy has been compiled by SMI Data Ltd in compliance with the General Data Protection Regulations [GDPR] 2018. The purpose of this policy is to inform the individual of the means of collection of their personal data, including the security of that data; the means of processing that data; how long it is kept for; our obligations; and the rights of the Data Subject under the GDPR.

As of 28/05/2019 the relevant person with responsibility for data under the GDPR within our organisation is:

Data Controller: Mike Moran, Operations Manager, mike@smidata.co.uk

What is Personal Data?

For the purposes of the GDPR, data is identified under two categories:

Personal data is a term used to describe the data relating to an individual held by SMI Data from which they are identified or can be identified in conjunction with other information that is in, or is likely to come into, the possession of SMI Data. Examples of personal data include forename, surname and online identifiers, e.g. email address.

Special Categories of Personal Data is a term used to describe personal data of a sensitive nature such as data relating to a person’s racial or ethnic origin, political opinions or religious or other philosophical beliefs, physical or mental health, sexual life, criminal convictions, genetic or biometric data or the alleged commission of an offence and/or trade union membership.

What are the legal bases for processing Data?

We may collect personal data either from individuals directly or from a third party supplier.

Controlling and processing data requires one of six recognised legal bases under the GDPR. The six bases are as follows:

(1) Consent: the individual has given clear consent to process their personal data for a specific purpose.

(2) Contract: the processing is necessary for a contract we have with the individual, or because the individual has asked us to take specific steps before entering into a contract.

(3) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

(4) Vital interests: the processing is necessary to protect someone’s life.

(5) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

(6) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Legitimate Interest is determined by a three-part test as follows:

Rights of Individuals.

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

More detail on these rights can be found here – https://ico.org.uk/your-data-matters/

In addition a Data Subject has the right to make a complaint to the Information Commissioner’s Office online, by phone or in writing at the following:

https://ico.org.uk/concerns/

Tel: 0303 123 1113;

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

The following table identifies the types of data we collect, control and process; and the legal basis we rely upon for doing so:

| Type of information collected | Purpose[s] | Legal basis for processing |
| --- | --- | --- |
| Data Subject’s name, address, telephone numbers, e-mail address(es). | Managing the Data Subject’s relationship with the firm. | Performing the Firm’s contract with the Data Subject. |
| Data Subject’s name, address, telephone numbers and email address. | Market Research | Legitimate interest. The Data Subject may object at any time and will be informed accordingly. |
| Bank account details or payment details | To pay, be paid, or to refund monies. | To fulfil the contract between the Firm and the Data Subject. |
| Data Subject’s name, address, email, next of kin. | To perform HR functions within organisation. | Contract with employee. |
| Data Subject’s name, address, bank details. | Maintain records for tax & NI purposes | Legal obligation. |

Data Retention and Minimisation Policy

SMI Data will not retain personal data for longer than is necessary to fulfil the purpose it is being processed for. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means.

SMI Data applies a data minimisation policy in relation to personal data. This means that we will only collect and process personal data that is adequate, relevant and necessary to achieve our commitments in relation to the purposes stated above and will not process data that is not required or excessive to those purposes.

Data Security

SMI Data will protect the data we collect in the following ways:

The Data Subject’s data will not be transferred outside the European Economic Area [EEA] without the explicit consent of the Data Subject;

We follow strict security procedures in the storage and disclosure of personal data, and to protect it against accidental loss, destruction or damage. SMI Data protects the confidentiality and integrity of personal data by having appropriate security measures in place including cyber security, securing IT systems and maintaining a high level of confidentiality.

Any breach of data which may pose a serious risk will be notified to the Data Subject without delay.

Sharing of Personal Data

Personal data will only be provided to third parties on the strict understanding that it is to be used only for the purposes as set out above, or in accordance with law, and that the data is not to be used for any other purpose and that for the duration of their access to such personal data they shall ensure that adequate security measures are in place to prevent unauthorised access to, or unauthorised alteration, disclosure or destruction of personal data.

SMI Data will not sell or pass on a Data Subject’s data to third parties, or contract with third parties in respect of it, without prior written [withdrawable] consent, other than where required to do so by law or as otherwise provided for in the above table.

For further information, please address any questions or comments concerning this privacy policy to privacy@smidata.co.uk