GDPR - Governance - Risk - Compliance
The GRC Director or the GRC Director Ltd (“We, Us, Our”) understands that your privacy is important and that you care about how your personal data is used. We respect and value the privacy of all individuals (known as Data Subjects) that is provided to or obtained by Us during the course of Our business activities and will only collect and use personal data in ways that are described here, and in a way that is consistent with Our obligations and your rights under the law.
“Applicable Data Protection Law” means all legislation and regulations in force from time to time regulating the use of personal data and the privacy of electronic communications including, but not limited to, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”), as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 as amended, and any successor legislation.
1. Information About Us as a Data Controller
The GRC Director Ltd is registered in England under company number 12955086.
Registered address: 2 Bayfield Close, Hade Edge, Holmfirth, HD9 2QX.
Data Protection Officer: Stephen Murray (CIPP/E, CIPM).
· Email address: stephen@thegrcdirector.co.uk.
· VOIP number: 01484 883 626
· Mobile: 07762 292 979
· Postal address: 2 Bayfield Close, Hade Edge, Holmfirth, HD9 2QX.
We are regulated by the Information Commissioner’s Office.
2. What Does This Notice Cover?
This Privacy Notice explains how We use your personal data:
· how it is collected;
· how it is held; and
· how it is processed.
It also explains your rights under the law relating to your personal data.
3. What Is Personal Data?
Personal data is defined by the Applicable Data Protection Law as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that We use is set out in section 5, below.
It is important that your personal data is kept accurate and up to date. If any of the personal data We hold about you changes, please keep Us informed for as long as We hold that data.
4. What Are My Rights?
Under the Applicable Data Protection Law, you have the rights to:
a. Request access to your personal data (commonly known as a “data subject access request” or “DSAR”). This means you can ask for and receive a copy of the personal data We hold about you and check that We are lawfully processing it.
b. Request correction of the personal data that We hold about you. This means you can have any incomplete or inaccurate data We hold about you corrected, though We may need to confirm the accuracy of any new data you provide.
c. Request erasure of your personal data (sometimes referred to as the right to be forgotten). This means you can ask Us to delete or remove personal data where there is no good reason for Us continuing to process it. You also have the right to ask Us to delete your personal data where you have successfully exercised your right to object to processing (see below), where We may have processed your information unlawfully or where We are required to erase your personal data to comply with the law. However, We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
d. Object to processing of your personal data where We are relying on a legitimate interest (or those of a third party) and you feel it impacts on your fundamental rights and freedoms, and there is something about your particular situation which makes you want to object to the processing. You also have the right to object where We are processing your personal data for direct marketing purposes. In some cases, We may demonstrate that We have compelling legitimate grounds to process your information which override your rights and freedoms.
e. Request restriction of processing of your personal data. This means you can ask Us to suspend the processing of your personal data in the following scenarios: (a) to establish the data's accuracy; (b) where Our use of the data is unlawful but you do not want Us to erase it; (c) where you need Us to hold the data even if We no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to Our use of your data but We need to verify whether We have overriding legitimate grounds to use it.
f. Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for Us to use or where We used the information to perform a contract with you.
g. Withdraw consent at any time where We are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, We may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Note: We do not rely on consent as a legal basis for processing personal data. We are working with you in a business, not-for-profit organisation or similar capacity, and We consider that you are not providing data which relates to you as an individual nor in respect of your personal life.
If you wish to exercise any of the rights set out above, please contact Us. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, We may refuse to comply with your request in these circumstances.
Additionally, We may need to request specific information from you to help Us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up Our response.
Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
If you have any cause for complaint about Our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact Us first, using the details in section 11 below.
5. What Personal Data Do You Collect and How?
We may collect and use your personal data which We have collected because you are:
(i) a businessperson or organisation that purchases services from Us by any agreed method (“Business Client”);
(ii) a businessperson or organisation with whom We would like to do business (“Prospect”); or
(iii) a supplier to Us (“Third-Party Supplier”).
Each of these being a Data Subject in their own right.
The data We collect and Our use of it depends on the context of Our dealings with you as a Business Client or Third-Party Supplier. In this notice where We refer to “you” We do not make a distinction between these routes of collection and use; the distinction will be driven by the context. However, We have indicated the Data Types below.
We do not collect any ‘special category’ or ‘sensitive’ personal data or personal data relating to children.
Should you provide any personal data relating to your customers, service users or members, We will only process these in accordance with Our Data Processing Notice or as instructed by you as the Controller of that data. All services are supplied in accordance with Our Standard Terms and Conditions.
The data types we collect include:
We might collect audio and video recordings of you:
6. How Do You Use My Personal Data?
Under the Applicable Data Protection Law, We must always have a lawful basis for using personal data. Most commonly, We will use personal data in the following circumstances:
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Legitimate Interest means the interest of Our business in conducting and managing Our business to enable Us to give you the best service and the best and most secure experience. We make sure We consider and balance any potential impact on you (both positive and negative) and your rights before We process personal data for Our legitimate interests. We do not use personal data for activities where Our interests are overridden by the impact on you (unless We have your consent or are otherwise required or permitted to by law). You can obtain further information about how We assess Our legitimate interests against any potential impact on you in respect of specific activities by contacting Us.
Comply with a legal or regulatory obligation means processing personal data where it is necessary for compliance with a legal or regulatory obligation that We are subject to.
Below We describe how We intend to use your personal data, and Our lawful bases for doing so:
Uses of Personal Data
We use personal data primarily to build and maintain commercial relationships with people, including the following activities:
1. Managing enquiries from Prospects and onboarding Business Clients to support effective delivery of Our services, including handling consultations and support requests. Lawful basis: Performance of Contract.
2. Relationship management with Prospects, actual and former Business Clients, and Third-Party Suppliers, which includes creating and maintaining customer/supplier records in Our CRM and keeping in regular contact with you. Lawful basis: Performance of Contract; Legitimate Interest.
3. Marketing of Our services, research and development, including the use of direct marketing by email, phone, social media and traditional mail to raise awareness of products and services that We legitimately believe may be of interest to you. We may, from time to time, send newsletters and/or questionnaires by email to Prospects and Business Clients. Lawful basis: Legitimate Interest.
4. Obtaining feedback from Business Clients and Prospects to help inform improvements to how We run the business. Lawful basis: Legitimate Interest.
5. Financial management, including invoicing, chasing debts, making payments etc. Lawful basis: Performance of Contract; Legal or Regulatory Obligation; Legitimate Interest.
6. Contracting with Third-Party Suppliers to assist with the efficient delivery of services and information to Our Business Clients and Prospects. Lawful basis: Performance of Contract.
Marketing and Communications Data
We may use your personal data for marketing purposes, which may include contacting you with information, news and offers about products and services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with Our obligations under the Applicable Data Protection Law, and you will always have the opportunity to opt out at any time. We do not share your personal data with third parties for marketing purposes.
We will only use your personal data for the purpose(s) for which it was originally collected unless We reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose.
If We need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, We will inform you and explain the legal basis which allows Us to do so.
In some circumstances, where permitted or required by law, We may process your personal data without your knowledge or consent. This will only be done within the bounds of the Applicable Data Protection Law and your legal rights.
7. How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
Type of data: Information required for fulfilment of a contract. Retention period: for seven years after you cease being a client, for tax purposes.
Type of data: Communication/marketing contact information. Retention period: until you unsubscribe or otherwise opt out of receiving communications from Us.
Type of data: Finance/Accounts contact information. Retention period: for seven years after you cease being a client, for tax purposes.
Type of data: Marketing contact data/email addresses (unsubscribes). Retention period: for people who have requested Us to remove them from the marketing database, We keep this record indefinitely so as to prevent resending.
Type of data: Anonymised data for research and development. Retention period: in some circumstances We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case We may use this information indefinitely without further notice to you.
8. How and Where Do You Store or Transfer My Personal Data?
Generally, for Our internal functions We do not transfer your personal data outside the UK or the European Economic Area (EEA). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the UK GDPR. Whilst the UK has left the European Union, the UK has been granted adequacy decisions under the EU GDPR meaning standards remain aligned with the EU. Transfers of personal data to the EEA from the UK are permitted without additional safeguards.
More information on the adequacy decision can be found HERE.
Some of your personal data may be processed in countries outside of the UK. These are known as “third countries”. We will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the Applicable Data Protection Law as follows:
o Data Protection Policy
o Data Processing Notice
o Data & IT Security Policy
o Cookie Notice
o Data Breach Policy
o Data Breach Record
o Data Protection Impact Assessments
o Data Retention Policy
These are all reviewed annually, or sooner, if Our business processes or the Applicable Data Protection Law should change.
We use cloud-based data storage solutions, and personal data collected by Us may be transferred to the following data processors:
Supplier/Processor: Hubspot UK Holdings Limited. Service: CRM – contact database and email subscriber management. Location of Processor: Republic of Ireland (within the EEA). Legal Framework: UK GDPR compliant via use of Standard Contractual Clauses. Processor Notices or further information: https://legal.hubspot.com/product-privacy-policy
Supplier/Processor: Microsoft Ireland Operations Limited. Service: MS Office software, e.g. “Outlook” and “Word”, plus cloud-based file data storage (servers are EU/UK based). Location of Processor: Republic of Ireland. Legal Framework: UK GDPR compliant via use of Standard Contractual Clauses. Processor Notices or further information: https://www.microsoft.com/en-gb/trust-center/privacy and https://privacy.microsoft.com/en-GB/privacystatement
Supplier/Processor: GoDaddy.com LLC. Service: website hosting and development. Location of Processor: USA. Legal Framework: UK GDPR compliant via use of Standard Contractual Clauses. Processor Notices or further information: https://www.godaddy.com/en-ie/legal/agreements/data-processing-addendum
Supplier/Processor: Atlassian Trello. Service: task ticketing and project management software. Location of Processor: Australia. Legal Framework: UK GDPR compliant via use of Standard Contractual Clauses. Processor Notices or further information: https://www.atlassian.com/legal/privacy-policy
9. Do You Share My Personal Data?
As detailed in section 7 We may share Personal Data with third parties to supply services you order from Us.
If any of your personal data is shared with a third party, as described above, We will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights.
If We sell, transfer, or merge parts of Our business or assets, your personal data may be transferred to a third party. Any new owner of Our business may continue to use your personal data in the same way(s) that We have used it, as specified in this Privacy Notice.
In some limited circumstances, We may be legally required to share certain personal data, which might include yours, if We are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
10. How Can I Access My Personal Data?
If you want to know what personal data We hold about you, you can ask Us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “data subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in section 11.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover Our administrative costs in responding.
We will respond to your data subject access request within one month of receiving it and normally aim to provide you with a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date We receive your request. You will be kept fully informed of Our progress.
11. How Do I Contact You?
To contact Us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details for the attention of Stephen Murray:
Email address: stephen@thegrcdirector.co.uk.
VOIP number: 01484 883 626
Mobile: 07762 292 979.
Postal Address: 2 Bayfield Close, Hade Edge, Holmfirth, HD9 2QX.
12. Changes to this Privacy Notice
This Privacy Notice will be reviewed annually, or sooner, if the Applicable Data Protection Law or Our business processes should change in a way that affects personal data protection.
Should this notice change then any historic versions will be retained.
Version 2.3 – October 2023
The GRC Director Ltd
The GRC Director Ltd is a company registered in England and Wales. Company Registration no. 12955086. Registered address: 2 Bayfield Close, Holmfirth, HD9 2QX.
VOIP: 01484 883 626 Mobile: 07762 292 979
Copyright © 2023 The GRC Director Ltd - All Rights Reserved.