Bettaserve Ltd. Privacy and GDPR Policy V1.1
1.1 Data and information we hold
i. Prospect Data
ii. Client Data
iii. Supplier Data
iv. Employee Data
The data we hold is in all cases opt-in data and is held with the owner’s permission.
1.2 Lawful basis for processing personal data
The data we hold complies with the six available lawful bases for processing. No single basis is better or more important than the others. The basis that is most appropriate will depend on the purpose for processing and relationship with the individual.
In summary, the six lawful bases we comply with are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
We have a policy in place to ensure permission is given for us to retain client data and send quotations and communications.
All data is managed via the secure Ontraport CRM system; paper copies are kept secured away from public areas.
1.4 Consent to process children’s personal data for online services
No children’s data is at any point recorded or retained.
1.5 Vital interests
Our policy complies with the lawful basis for vital interests.
1.6 Legitimate interests
Legitimate interests is the most flexible lawful basis for processing.
We use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also states we have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.
When processing data through legitimate interests, we apply the three-part test, or a legitimate interests assessment (LIA), to assess whether it applies.
Firstly, identify the legitimate interest(s).
* Why do we want to process the data – what are we trying to achieve?
* Who benefits from the processing? In what way?
* Are there any wider public benefits to the processing?
* How important are those benefits?
* What would the impact be if we couldn’t go ahead?
* Would our use of the data be unethical or unlawful in any way?
Secondly, the necessity test is applied.
* Does this processing help to further that interest?
* Is it a reasonable way to go about it?
* Is there another less intrusive way to achieve the same result?
Thirdly, we perform a balancing test. We consider the impact of our processing and whether this overrides the interest identified.
* What is the nature of our relationship with the individual?
* Is any of the data particularly sensitive or private?
* Would people expect us to use their data in this way?
* Are we happy to explain it to them?
* Are some people likely to object or find it intrusive?
* What is the possible impact on the individual?
* How big an impact might it have on them?
* Are we processing children’s data?
* Are any of the individuals vulnerable in any other way?
* Can we adopt any safeguards to minimise the impact?
* Can we offer an opt-out?
1.7 Data Protection Registration
2.1 Right to be informed including privacy information
The information that Bettaserve Ltd holds is for the benefit of sending quotations and information that we believe will be of interest to you and complies with GDPR.
2.2 Communicate the processing of children’s personal data
We do not process children’s data.
2.3 Right of access
You have the right to obtain:
* confirmation of how we process your data;
* access to your personal data; and
* other supplementary information.
You can request information verbally or in writing. We will provide a copy of the information free of charge. However, we reserve the right to charge a ‘reasonable fee’ when a request is:
* manifestly unfounded or excessive, particularly if it is repetitive, unless we refuse to respond; or
* for further copies of the same information (that has previously been provided).
The fee is based on the administrative cost of providing the information (currently £25.00).
We provide requested information without delay and at the latest within one calendar month of receiving the request. We reserve the right to extend this time frame by a further two months for complex or numerous requests (in which case we will inform you and provide an explanation).
We calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (e.g. 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (e.g. 31 January to 28 February).
If the corresponding date falls on a weekend or a public holiday, we will respond on the next working day.
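The deadline rule above (clock starts the day after receipt, runs to the corresponding date one calendar month later with a last-day-of-month fallback, and rolls forward over weekends and public holidays), as an added worked example that is not part of Bettaserve’s policy; it also applies the two-month extension for complex requests, assumes a Saturday/Sunday weekend, and takes the public holiday list from the caller.

```python
# Added example (not part of the Bettaserve policy): computes the response
# deadline using the rules in section 2.3. Assumes a Saturday/Sunday weekend
# and takes public holidays as caller-supplied ISO dates.
from datetime import date, timedelta
import calendar


def corresponding_date(start: date, months: int) -> date:
    """Return the corresponding date `months` later; if that day does not
    exist in the target month (e.g. 31 Jan -> 28 Feb), use its last day."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(received: date, extended: bool = False,
                      public_holidays: frozenset = frozenset()) -> date:
    """Deadline for a request received on `received`.

    The clock starts the day after receipt (working day or not) and runs to
    the corresponding date one calendar month later, or three months when the
    two-month extension for complex or numerous requests is applied. A
    deadline falling on a weekend or public holiday moves to the next
    working day.
    """
    start = received + timedelta(days=1)
    deadline = corresponding_date(start, 3 if extended else 1)
    while deadline.weekday() >= 5 or deadline in public_holidays:
        deadline += timedelta(days=1)
    return deadline


def deadline_from_iso(received_iso: str, extended: bool = False,
                      holidays_iso=()) -> str:
    """String wrapper around response_deadline for logging or tests."""
    holidays = frozenset(date.fromisoformat(d) for d in holidays_iso)
    return response_deadline(date.fromisoformat(received_iso),
                             extended, holidays).isoformat()


if __name__ == "__main__":
    # Constructed sample requests (2023 dates chosen for illustration).
    print(deadline_from_iso("2023-01-01"))                 # 2023-02-02
    print(deadline_from_iso("2023-01-30"))                 # 2023-02-28
    print(deadline_from_iso("2023-01-03"))                 # 2023-02-06 (Sat -> Mon)
    print(deadline_from_iso("2023-01-03", extended=True))  # 2023-04-04
```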
We will supply any information requested in electronic format.
2.4 Right to rectification and data quality
Bettaserve Ltd has processes to ensure that the personal data we hold remains accurate and up to date as outlined in the following guidelines.
Individuals have the right to have personal data rectified if it is inaccurate or completed if it is incomplete.
An individual can make a request for rectification verbally or in writing.
We will respond to a request without delay and at the latest within one month of receipt, calculating the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
A calendar month ends on the corresponding date of the next month (e.g. 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (e.g. 31 January to 28 February).
We will always verify the identity of the person making the request, using “reasonable means”.
We regularly review the information we process or store and conduct regular data quality reviews of the systems and manual records we hold, to ensure the information continues to be adequate for the purposes for which we are processing it.
We complete regular data quality checks to provide assurance on the accuracy of the data being entered by our staff.
If we identify any data accuracy issues, we communicate lessons learned to staff through ongoing awareness campaigns and internal training.
2.5 Right to erasure including retention and disposal
You have the right to have personal data rectified if it is inaccurate or completed if it is incomplete.
You can make a request for rectification verbally or in writing.
2.6 Right to restrict processing
We have procedures to respond to your requests to restrict the processing of your personal data in accordance with the following guidelines:
You have a right to block or restrict the processing of your personal data.
You can make a request verbally or in writing. We will verify the identity of the person making the request, using “reasonable means”.
We will respond to a request without delay and at the latest within one month of receipt. We will calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (e.g. 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (e.g. 31 January to 28 February).
When processing is restricted, we may store your personal data, but not further process it. We may retain just enough information about you to ensure that the restriction is respected in the future. As a matter of good practice, we may consider restricting the processing of personal data if:
* you contest the accuracy of your personal data, in which case we may restrict the processing until we have verified its accuracy;
* you have objected to the processing (where it was necessary for the performance of a public interest task or the purposes of legitimate interests), and we are considering whether our business’s legitimate grounds override yours;
* the processing is unlawful and you oppose erasure and request restriction instead; or
* we no longer need the personal data but you require it to be retained to allow you to establish, exercise or defend a legal claim.
We review our procedures to ensure we are able to determine when we need to restrict the processing of personal data.
If we have disclosed personal data to other organisations (controllers or processors), we will inform you about the restriction, unless it is impossible or involves disproportionate effort to do so.
We will inform you when we decide to lift a restriction on processing.
2.7 Right to data portability
We have processes to allow us to move, copy or transfer your personal data from one IT environment to another in a safe and secure way, without hindrance to usability as outlined in the following guidelines.
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
We can receive personal data or easily move, copy or transfer that data from one business to another in a safe and secure way.
The right to data portability only applies:
* to personal data an individual has provided to a controller;
* where the processing is based on the individual’s consent or for the performance of a contract; and
* where the processing is carried out by automated means.
You can make a request verbally or in writing. We will verify the identity of the person making the request, using “reasonable means”.
We will respond to a request without delay and at the latest within one month of receipt. We calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (e.g. 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (e.g. 31 January to 28 February).
We provide your personal data in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files.
We will provide the information free of charge. If you request it, we may transmit the data directly to another business where this is technically feasible.
2.8 Right to object
We have procedures to handle objections to the processing of your personal data in accordance with the following policy:
We will verify the identity of any person making the request, using “reasonable means”.
We will respond to a request without delay and at the latest within one month of receipt. We will calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (e.g. 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (e.g. 31 January to 28 February).
We reserve the right to extend this period by a further two months for complex or numerous requests (in which case we will inform you and give an explanation).
Where the right to object applies, it is not always absolute. Whether it is an absolute right depends on our purposes for processing the data.
You have an absolute right to object to any processing (including profiling) undertaken for the purposes of direct marketing.
2.9 Rights related to automated decision making including profiling
We do not process data using automated decision making processes.
We monitor our own compliance with data protection policies and regularly review the effectiveness of our data handling and security controls.
We ensure that we have a process to monitor compliance with our data protection and security policies.
We regularly test the measures detailed within the policies to provide assurance of their continued effectiveness.
Responsibility for monitoring compliance with our policy (wherever possible) is independent of the people implementing the policy, to allow the monitoring to be unbiased. We report the results of compliance testing on a regular basis to senior management.
Bettaserve Ltd provides data protection awareness training for all staff.
3.2 Processor contracts
Whenever we use a processor we have a written contract in place so that both parties understand their responsibilities and liabilities.
We only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.
Processors only act on our documented instructions.
3.3 Information risks
Bettaserve Ltd manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively, in line with the measures set out below:
We set out how we (and any of our data processors) manage information risk.
We have a senior staff member with responsibility for managing information risks, coordinating procedures put in place to mitigate them and for logging and risk assessing information assets.
Where we have identified information risks, we have appropriate action plans in place to mitigate any risks that are not tolerated or terminated.
3.4 Data Protection by Design
Bettaserve Ltd has implemented appropriate technical and organisational measures to integrate data protection into our processing activities following the guidelines below:
Under the GDPR, we have a general obligation to implement appropriate technical and organisational measures to show that we have considered and integrated data protection into our processing activities. This is referred to as data protection by design and by default.
We adopt internal policies and implement measures which help us comply with the data protection principles.
3.5 Data Protection Impact Assessments (DPIA)
Bettaserve Ltd carries out DPIAs and has processes in place to action them, following the recommended guidelines:
DPIAs help identify the most effective way to comply with our data protection obligations and meet your expectations of privacy.
We will implement a DPIA before we begin any type of processing which is “likely to result in a high risk”.
We will carry out a DPIA if we plan to:
* use new technologies;
* use profiling or special category data to decide on access to services;
* profile individuals on a large scale;
* process biometric data;
* process genetic data;
* match data or combine datasets from different sources;
* collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
* track individuals’ location or behaviour;
* profile children or target marketing or online services at them; or
* process data that might endanger the individual’s physical health or safety in the event of a security breach.
Our DPIA will contain the following information:
* a description of the nature, scope, context and purposes of the processing and, where applicable, the legitimate interests pursued by our business;
* an assessment of the necessity and proportionality of the processing in relation to the purpose;
* an objective assessment of the risks to individuals, which considers both the likelihood and severity of the possible harm; and
* what controls we have identified to address any of those risks, and whether those risks are eliminated, reduced or accepted as a result (including security).
3.6 Data Protection Officers (DPO)
Bettaserve Ltd has nominated a data protection lead or Data Protection Officer (DPO) who is to:
* inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;
* monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, awareness raising and training of staff and conducting internal audits;
* advise on and monitor data protection impact assessments;
* act as the contact point for, and cooperate with, the ICO, and consult on any data protection matter; and
* be the contact point for individuals whose data is processed (employees, customers etc.).
3.7 Management Responsibility
Decision makers and key people in our business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business in conjunction with the following policy:
We make sure that decision makers and key people in our business are aware of the requirements under the GDPR.
Decision makers and key people lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture for data protection within our business.
We take the lead when assessing any impacts to our business and encourage a privacy by design approach.
We help to drive awareness amongst all our staff regarding the importance of exercising good data protection practices.
4.1 Security policy
Bettaserve Ltd has an information security policy supported by appropriate security measures as detailed below:
We process personal data in a manner that ensures appropriate security.
If we are processing personal data within our IT system(s) we recognise the risks involved and take appropriate technical and organisational measures to secure the data.
4.2 Breach notification
Bettaserve Ltd has effective processes to identify, report, manage and resolve any personal data breaches.
The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
We will notify the ICO of a breach unless it is unlikely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify those concerned directly and without undue delay.
In all cases we maintain records of personal data breaches, whether or not they are notifiable to the ICO.
We will report a notifiable breach to the ICO without undue delay, and not later than 72 hours after becoming aware of it. The GDPR recognises that it will not always be possible to investigate a breach fully within that time period and allows us to provide additional information in phases, so long as this is done without undue further delay. We make sure that our staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.
We have an internal breach reporting procedure in place. This facilitates decision-making about whether we need to notify the ICO or affected individuals.
4.3 International transfers
There are no international transfers of personal data.