Find out how we use your data
Practical GDPR and ePrivacy support and advice whenever you need it
Last update: 16th January 2020
We respect your privacy and understand that privacy is important to you and that you care about how information about you is used, so this privacy notice sets out details about what data we collect and how we use it.
Visitors to our website
Where we collect personal data via this website (https://markgraceygdpr.co.uk/), we will be upfront about it and it will be obvious to you that you’re providing personal data and how we will be using it.
Other cookies used, tracking pixels or similar tools
If you fill out one of our website forms a notification email is sent to the relevant team within our company and stored within our email system. No copy of the data you submit is stored anywhere else. As our site uses SSL (https) the data you submit using the contact form will be encrypted once your press the “Submit” button.
Some of our forms may also store the information you submit within the website database. We tend to avoid this happening where possible, so will only store the information if it is necessary.
People who receive our newsletters
If you have subscribed for our updates email, your name and email address will be stored within our mailing list package (MailChimp). You will have the option to unsubscribe from the email list at any time, either by contacting us or using the unsubscribe link at the bottom of the emails we send.
Our mailing list provider is not based in the EU and therefore your subscription details will not be stored or processed within the EU, however, we have confirmed that they apply EU standards of data protection and have demonstrated they meet the adequacy tests required by European law.
People who use one of our services
Signing up for our services
Whether you sign up for our unlimited helpline, access to our online resources or receive pay-as-you-go support or services, the minimal amount of information will be collected from you for the purposes of providing the service. We will store your contact information in our CRM system and our accounting package for invoicing purposes. We will keep this information within our systems for as long as it is lawful for us to do so, and will delete your data as soon as it is no longer needed. If these online systems store our data outside the EU, we will always make sure they are GDPR compliant and have confirmed how they meet the GDPR requirements with regards to non-EEA data transfers.
If you signup for our GDPR DIY, GDPR Helpline or GDPR Helpline+ services, these are subscription based services which will mean that we will ask you to pay monthly or annually using one of our payment providers. We do not collect any payment information ourselves and you should visit our payment provider’s own privacy policies to understand how they will use your data.
People who have access to the GDPR Knowledge Centre
Customers who receive advice from us
If you receive advice via our helpline or advice services then we may record a transcript of our advice in both our email (if support is given via email, or telephone support is followed up by email) and/or in our CRM (as notes associated with your contact details). If you provide us with confidential materials or personal data (for the purposes of us providing you with advice) we will, where possible, avoid recording this in our CRM system, but may keep a copy of the information within our email system. We keep these records of our support conversations for future reference and for the purposes of being able to demonstrate, if required, the advice we gave.
If you book a phone support call, you will do so using an online system integrated into the Knowledge Centre. This system is provided by a third-party and records minimal information required to book the appointment. We will receive an email from the system to confirm you have booked the support call which will be used to contact you about arrangements for the call. The appointment system is a third-party application. The application provider is not based in the EU and therefore your details will not be stored or processed within the EU, however, we have confirmed that they apply EU standards of data protection and have demonstrated they meet the adequacy tests required by European law.
Purchases of specific content
From time to time we will also offer downloadable content and services for purchase from our website. If you purchase such a product or service you will be asked to set up an account and you will be asked to provide a range of minimal information required for us to set up the account so you can complete your purchase.
All information you provide is required for the purposes of delivering the product or service to you. The information is stored within our website database which is managed within the website backend.
We use a third-party to collect payments. We do not hold any billing or financial information relating to your purchase, only notification that a payment has been made. Any information you provide to our payment gateway provider is provided by you according to their own privacy and data protection compliance.
People who contact us by email
If you email us, your email will be stored via our email provider’s platform and are accessible on our computers via our email client which uses a local copy of the emails (as well as them being available via a web application). Access to them is protected via device and email-service passwords.
Our use of social media
We run a number of social media channels, but do not collect or process any information outside of those channels.
Our use of Zoom and GoToWebinar
From time to time you might join us on a Zoom call or webinar. We use third-party software when we do this.
When you register to access a Zoom call (e.g. for the Article 13 Club virtual meet up) or a GoToWebinar webinar, we will collect the basic information about you necessary, typically this will be your name and email address. We will only use this information to follow up after the call/webinar (e.g. to share a recording).
As a host of these calls/webinars we may also be provided with a range of additional information which is usually aggregated (so not personal), such as viewing statistics and interest ratings. Whilst we may use this data out of interest, we do not process it for any other purpose.
Use of these services are subject to their own terms and conditions, privacy notices and cookie notices and you should read these carefully before agreeing to join a call/webinar or install their software on your device:
Unless stated elsewhere in this document or in our terms of services we only store the data necessary to provide the services we provide to you. We will keep this data for as long as it is lawful for us to do so (this may be for as long as you are a customer or because of a legal obligation to retain the information, whichever is the longest).
Third party processors
We use a number of third-party cloud-based services for the purposes of effectively running our business and providing our services to you. We also use a number of third-party organisations to support our business.
In all cases where we are using a third-party service or company, we will only provide the minimal amount of information for the purposes of delivering the service to us and to meet our requirements.
We always carry out due diligence against all our third-party suppliers for the purposes of ensuring their compliance with data protection, maintaining adequate security of your data and ensuring they apply adequate data protection principles to the processing of the data we supply.
Under current data protection legislation in the UK, you have rights as an individual which you can exercise in relation to the data we store and process about you. You can find more information about your rights on the Information Commissioner’s website: https://ico.org.uk/for-the-public/
If you want to make a compliant about the way we are processing your data, you can contact us, using the contact details below. You also have the right to complain to the Information Commissioner’s Office: https://ico.org.uk/concerns/
How to withdraw consent and object to processing
Where we are processing your data and needed to ask your permission to do so, you are able to withdraw your consent at any time. If you wish to stop receiving our marketing emails you can do so, by clicking on the “unsubscribe” link at the bottom or the email. Otherwise, you can contact us, using the contact details below.
If you wish to raise concerns about the way we are processing your data or would like to raise an objection, then please contact us, using the details below, with your concerns.
Keeping your data up to date
It is important that any of your data that we process is kept up to date. We will from time to time ask you to verify your contact details but if you wish to update any information we hold about you, please contact us using the contact details below.
Erasure of your data (the “right to be forgotten”)
Under some circumstances you may request us to delete your data from our systems. Where this is possible (e.g. we don’t have any legal purpose for continuing to process your data) we will erase it from our systems. If you wish to exercise your right to be forgotten, please contact us via the contact details below.
Your right to portability allows you to request a machine-readable format of the data you supplied to us and associated service logs (where we store them). Please contact us, using the contact details below, if you wish to receive a CSV export of your data.
Access to your data
You have the right to ask us about what data we hold about you, how we process it and provide you with a copy of the information, free of charge and within one month of your request.
To make a request for any personal information we hold and process about you, we would prefer it if you could put it in writing or in an email to the addresses below. We will need to verify your identity before providing the information and where necessary may contact you further to ensure we understand what data you are requesting.
Disclosure of information
We do not share any personal data with any third parties unless it is lawful for us to do so, if required by law to do so or if you provide us with permission to do so.
For more information about your data rights and privacy or data protection in general visit the Information Commissioner’s Office website: https://ico.org.uk
Our contact details and details of our DPO
If you have any questions about how we collect and use your information not covered in this privacy notice, or if you wish to speak to someone about our approach to data protection and privacy, please contact: Mark Gracey via firstname.lastname@example.org.
We are not mandated to have a DPO, but as Mark Gracey acts as an outsourced DPO, he has the DPO skills, so acts as our internal DPO.
Changes to our privacy notice
We may change or update elements of this privacy notice from time to time or as required by law. The most current version of our privacy notice is available on our website at https://markgraceygdpr.co.uk/privacy-policy/