1. WHO WE ARE
We are Quite Brilliant Ltd. (“we/our/us”). We are a company incorporated in England and Wales with registered company number 08337375. Our registered office address is 167-169 Great Portland Street, 5th Flr. London, W1W 5PF.
For the purpose of the Data Protection Act 1998, the General Data Protection Regulation (Regulation (EU) 2016/679) and any amended, updated or subsequently implemented legislation in the UK and/or EU relating to the controlling and processing of personal data (“Data Protection Legislation”) we are a data controller of personal data provided by you to us through use of our Services and/or Website (as defined below). Where we consider it appropriate (and as further described in this policy) we may also provide third party data processors with such personal data for the purposes set out in this policy.
We are registered as a data controller with the UK Information Commissioner’s Office with registration number ZA338057.
The Data Protection Compliance Manager is responsible for ensuring compliance with the Data Protection Legislation and with this policy. That post is held by Russ Shaw, +44 (0)207 097 9260 and firstname.lastname@example.org. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager.
2. ABOUT THIS POLICY
This policy sets out how, when and why we may collect, control, store, process and transfer personal data that you provide to us, or that we collect from you, when you use our services and/or correspond with us directly (“Services”) and the www.quitebrilliant.co.uk website (“Website”).
This policy also sets out your rights and our obligations in relation to collecting, controlling and processing such personal data.
Our main objective is for you to have absolute trust and confidence in us when we collect, control and process your personal data. The Data Protection Legislation is not intended to prevent processing of personal data, however, but to ensure that such processing is done fairly and without adverse impact on your fundamental rights and freedoms.
Any third party data processors are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy by that third party may result in disciplinary action being taken against them.
This policy is drafted in English. If there is a conflict between a translated version and the English version of these terms then, to the extent permitted under applicable law, the English version shall prevail.
3. WHAT IS PERSONAL DATA?
Personal data is information relating to an “identified” or “identifiable” living individual. An “identifiable” individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a postal address, date of birth, an email address, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Sensitive personal data includes, but is not limited to, personal data which reveals racial or ethnic origin, and data concerning health or sex life and sexual orientation.
Further detail as to the specific types of personal data and sensitive personal data we may control and process is set out at paragraph 6, below.
For personal data to be processed lawfully, they must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation. These include, among other things:
• the data subject’s consent to the processing;
• that the processing is necessary for the performance of a contract with the data subject;
• that processing is necessary for compliance with a legal obligation to which the data controller is subject; or
• where processing is in the legitimate interest of the data controller or the party to whom the data is disclosed.
As such, we do not always require consent from you in order to lawfully process your personal data. If we collect sensitive personal data, however, we will generally ask for explicit consent from you in order to process such sensitive personal data.
4. INTEGRITY AND SECURITY MEASURES
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, we must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, which are designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Data Protection Legislation and to protect your rights as a data subject.
In order to ensure data protection by design and by default, we will:
(a) take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
(b) put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
(c) maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
(i) Confidentiality means that only people who are authorised to use the data can access it.
(ii) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
(iii) Availability means that authorised users should be able to access the data if they need it for authorised purposes.
5. PERSONAL DATA WE MAY CONTROL AND PROCESS
We may collect and process various types of personal data and other information from you when you use our Services, when you access our Website, and when you correspond with us by phone, email or otherwise. The type of data collected, and the manner in which such data is collected, will vary depending on how you correspond with us, which Services you use and how you use our Website, and whether or not we have a lawful basis for processing data in that way. Further details of the type of data we collect and the manner in which such data may be processed are set out below in paragraph 6 under the heading “How we collect and use Personal Data”.
6. HOW WE COLLECT AND USE PERSONAL DATA
Personal data may be collected by us actively and passively. The specific types of personal data we may collect from you, and the manner in which such data may be collected, includes:
If you are a client, we will collect your name, email address, postal address, telephone number and current place of work when you contact us directly or use our Services.
We will also collect your email address, name and other personal data (such as your postal address and telephone number) made available to us when you contact us via email, post, telephone or through the Website.
How Client Data is stored:
Client Data will be stored on secure servers located at our trading address. Such servers are located in a locked room which requires password protection in order to access, and Client Data will be stored on such servers from the time of collection and throughout the duration of its storage.
How we will use Client Data:
We will use Client Data for the purpose of us identifying you from other users of our Website and/or Services. Such use of Client Data is necessary in order for us to provide Services to you in accordance with good professional standards. Such Services may include corresponding with you in respect of the work we are undertaking on your behalf and sending invoices to you relating to work we are undertaking on your behalf.
We will also use Client Data for the purpose of sending direct marketing emails to you. Such direct marketing emails will contain information relating to products and Services offered by us which we consider to be of interest to you. You may unsubscribe from receiving such direct marketing emails at any time by following the “unsubscribe” link in such marketing emails.
Why we may lawfully process Client Data for these purposes
We may lawfully process Client Data for the purpose of providing the Services to you on the lawful basis that such use is necessary in order for us to provide those Services to you adequately, particularly given that we could not achieve the same purpose without using Client Data.
We may also use Client Data for the purpose of sending direct marketing emails to you on the basis that we have a legitimate interest in doing so. We consider ourselves to have a legitimate interest as:
i) we are pursuing a lawful business interest in sending marketing materials to our existing contacts and clients;
ii) sending such marketing materials to you via email is the quickest and easiest way for us to pursue and manage this lawful business interest, so such processing is therefore necessary; and
iii) given that you may unsubscribe from such emails at any time, and that we make you aware at the time of collecting your data as to how, when, where and why we will use Client Data, we consider your fundamental rights and freedoms to be balanced with our interest in sending such direct marketing emails to you.
If you are an employee of ours we will collect your name, personal email address, date of birth, national insurance number, postal address and telephone number.
How Employee Data is stored:
Employee Data will be stored on secure servers hosted and operated by Pay Check Ltd.
How we will use Employee Data:
We will use Employee Data for the purpose of us identifying you from other employees and carrying out general activities required of a reasonable employer. Such activities will include, but are not necessarily limited to, contacting you in the case of emergency, corresponding with you in connection with your role as an employee and making payment to you in connection with your employment.
Why we may lawfully process Employee Data for these purposes
We may lawfully process Employee Data for these purposes on the lawful basis that such use is necessary in order for us to act as your employer and fulfil our obligations in that regard, particularly because we could not achieve the same purpose in any other way without using Employee Data.
We may collect and process video footage and/or photographs of you if you are the subject of our promotional/marketing videos and/or photography. You will be made aware of you being the subject of such filming and photography prior to such filming and/or photography taking place, typically through such information being provided to you via relevant “consent” or “release” forms prior to you agreeing to such Footage Data being collected and processed.
How Footage Data is stored:
Footage Data will be stored on secure servers located at our trading address. Such servers are located in a locked room which requires password protection in order to access, and Footage Data will be stored on such servers from the time of collection and throughout the duration of its storage.
How we will use Footage Data:
Footage Data will be used in accordance with the purpose set out in relevant “consent” or “release” forms provided to you prior to such Footage Data being collected and processed.
Why we may lawfully process Footage Data for these purposes
We will lawfully process Footage Data for such purposes on the basis that we consider ourselves to have a legitimate interest in doing so as:
i) we are pursuing a lawful business interest in collecting and processing such Footage Data, in that Footage Data is required in order for us to provide a lawful business service to our clients (namely, producing and editing footage for use by those clients in respect of their marketing and promotional activities);
ii) recording such Footage Data, and editing and transferring such Footage Data to our clients, is necessary in pursuit of this lawful business interest as there is no alternative means by which we could achieve this purpose; and
iii) given that you are provided with “consent” or “release” forms prior to such Footage Data being collected and processed by us, which set out the purpose for which such Footage Data will be collected and processed, such processing is entirely transparent and you expect us to use such Footage Data in accordance with those purposes. As such, we consider your fundamental rights and freedoms to be balanced with our lawful business interests.
Website Data includes, but is not limited to, your device’s location at the time of using the Website, as well as information relating to when, where and how the Website is used by you, and how many times the Website is accessed by you.
Website Data may also include your device’s Internet Protocol (IP) address, cookies, device type and version, the areas of the Website you visit, the amount of time spent within particular areas of our Website, time zone settings, the time and date of your use of the Website and the operating system and version you use to access the Website, information about your use of the Website including (if applicable) the full Uniform Resource Locators (URL), clickstream to, through and from our Website (including date and time), any products or Services you have viewed or searched for, the Website response times, download errors, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
Where is Website Data stored?
Website Data is passively collected and stored on secure servers operated by 123-reg (as well as its group companies), a third party processor who will collect Website Data as and when it arises through your use of the Website. This processor may subsequently provide the Website Data to us once they have collated and processed the Website Data.
Google, Inc. may also passively collect and store (on secure servers) Website Data in connection with our use of its ‘Google Analytics’ service.
How we will use Website Data
We will use Website Data for the purpose of tracking and analysing the popularity and performance of the Website, how it is used by users and for other purposes so that we can tailor, develop and improve the Website and performance of the Website for the benefit of Website users and our clients.
Why we may lawfully process Website Data for these purposes
We will lawfully process Website Data for such purposes on the basis that we consider ourselves to have a legitimate interest in doing so as:
i) we have a lawful business interest in developing and improving the Website for the benefit of our users;
ii) we may only pursue this interest by obtaining and analysing Website Data in this way, so our activities are necessary in pursuing our lawful business interest; and
iii) we also consider this interest to be balanced with your fundamental rights and freedoms given that we have informed you as to how, when, where and why such Website Data will be collected and processed in this manner, as well as given that us processing the Website Data in this manner will positively impact upon your user experience of the Website.
7. YOUR RIGHTS AND OUR OBLIGATIONS
In some circumstances we may require explicit consent from you in order to process your personal data for a particular purpose or purposes. We will generally only obtain consent from you if we do not have another lawful basis for doing so, for example if we do not have a legitimate interest in doing so or such processing is not contractually necessary.
We do not require consent in order to obtain and process your personal data for the purposes set out in section 6 above (“How We Collect and Use Personal Data”).
However, if we are controlling and processing your personal data on the sole basis of consent, we will ensure that such consent:
(a) is presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of the Data Protection Legislation will not be binding.
(b) can be easily withdrawn by you at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, you shall be informed accordingly. It shall be as easy to withdraw as to give consent.
(c) is freely given. When assessing whether consent is freely given, we shall take account of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
(d) is lawful where we intend to collect and process personal data of children. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child (and we shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology).
You may exercise your right to withdraw consent to processing at any time by contacting us via email@example.com. However, such withdrawal of consent will not retrospectively render processing prior to withdrawal of consent as unlawful.
We will retain personal data for a reasonable period of time following delivery of Services to you as a client, or following termination of employment.
We will hold Client Data for the duration of time that we consider you to be a client of ours, and for such additional periods as we consider reasonable in order for us to be able to provide our services to you in the future. We may also store Client Data for any additional period for which we are legally entitled and/or required to do so.
We will hold Employee Data for the entire period for which you are employed by us as it is necessary in order for us to carry out our duties and responsibilities as your employer. We will retain such information following termination of employment for a reasonable period of time and/or for any additional period for which we are legally entitled/required to do so.
The Right to Erasure (also known as the “Right to be Forgotten”)
You also benefit from the right to erasure. This means that you have the right to request us to erase personal data we hold about you, and that we should erase such data without undue delay, provided that you are able to demonstrate one of the following to us:
(a) that our processing of the personal data is no longer necessary in relation to the purpose for which it was collected;
(b) that you withdraw your consent to the processing and there is no other legal ground for us to continue to process the data;
(c) that you object to the processing under the Data Protection Legislation and there are no overriding legitimate grounds for processing;
(d) that the personal data must be erased in order to comply with a national legal obligation; or
(e) the personal data in question belongs to a child under the age of 16 and no consent is given or authorised by the holder of parental responsibility over the child.
You also benefit from the right to rectify inaccurate personal data we hold which relates to you (also known as the “right to rectification”). This means that, taking into account the subject of the processing, you shall have the right to have incomplete personal data completed. You can exercise your right to rectification by contacting us via firstname.lastname@example.org.
You also have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format. You have the right to transmit such data to other data controllers without hindrance from us where we are processing that data on the basis of having your consent to do so, or where it is necessary for the performance of a contract, and the processing is carried out by automated means.
Subject Access Requests
You as a data subject are entitled to make a formal request for information we hold about you. We must provide you with a copy of this information, the reasons it is being processed and whether it will be given to any other organisations or people provided that you make this request in writing.
8. CHILDREN’S PRIVACY
The Services we provide, and our Website, are not marketed to (and should not be used by) anybody under the age of 16.
We do not knowingly collect personal data from children under the age of 16. In the event that we discover that a child under the age of 16 has provided us with personal data, we will delete such data from our servers unless consent is given or authorised by the holder of parental responsibility over the child.
9. SHARING AND TRANSFERRING PERSONAL DATA
We use industry standard encryption for transmission of data to our systems. Although we cannot guarantee the absolute safety of transmission of data via the internet, we adhere to industry standards to give your data the most appropriate protection possible.
We may provide your personal data to the following third party processors for the following purposes:
Pay Check Ltd.
We will provide Employee Data to Pay Check Ltd. for the purpose of it providing payroll and auto enrolment administration services to us. Pay Check Ltd. will use Employee Data solely for the purposes of processing and managing payment of your salary to you, including processing and producing payslips.
We will provide Client Data to MailChimp, a member of The Rocket Science Group, LLC, a Georgia limited liability corporation for the purpose of MailChimp sending direct marketing emails to you on our behalf.
Other sharing of Personal Data
We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries.
We may also disclose personal data we hold to third parties, with your consent, or on an otherwise lawful basis under the Data Protection Legislation. For example, we may do so:
(a) in order to facilitate, provide and improve the Services we provide to you;
(b) in order to improve the functionality of the Website;
(c) in order to analyse the manner in which our Services are used by users;
(d) in the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets;
(e) if we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets; and
(f) if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Transfers outside the EEA
We may also transfer any personal data we hold to a country outside the European Economic Area (EEA), provided that one of the following conditions applies:
(a) the country to which the personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms;
(b) you have given your consent to such transfer;
(c) the transfer is necessary for one of the reasons set out in Data Protection Legislation, including the protection of your vital interests;
(d) the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; or
(e) the transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
10. CHANGES TO THIS POLICY
We reserve the right to change this policy at any time. Where appropriate, we will notify you, as a data subject, of those changes by email@example.com.
11. CONCERNS OR COMPLAINTS
If you have any concerns or complaints relating to this policy, its subject matter, or the manner in which we collect, control and/or process your personal data, please do let us know by sending an email to firstname.lastname@example.org.
You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data has infringed the Data Protection Legislation. In the UK, the relevant supervisory authority is the Information Commissioner’s Office.