Privacy & Cookies Policy
Approved by the Director, Authentic Management Limited, on 1st July 2018
Authentic Management Limited and its associated group of companies (The Company) need to collect and retain certain personal data to fulfil business purposes and to meet their legal obligations.
Personal data means any information relating to an identified or identifiable living person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Processing is any activity carried out involving personal information, including holding and storing it in any format, both digital and hardcopy.
The Company is committed to protecting the rights of individuals with regard to the processing of personal data and undertakes to manage personal data fairly and lawfully in accordance with the General Data Protection Regulation.
This policy (together with its annexes) deals with the requirements of the General Data Protection Regulation and its principles and provides the policy framework through which effective management of personal data can be achieved.
2. Responsibility for this policy
Ultimate responsibility for the development of clear and effective processes and procedures associated with data protection and the management of personal data lies with the director of Authentic Management Limited.
Responsibility for the implementation of this policy is shared across all staff and functions, both individually and collectively, of the Company.
If you have any questions about the Company’s privacy practices, please contact the Data Protection Officer (DPO).
How to contact us:
Data Protection Officer
Authentic Management Limited
3. The principles of data protection
There are six data protection principles set out under the General Data Protection Regulation. In summary they are that personal data should be:
- Processed fairly and lawfully and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and kept up to date
- Kept only for as long as is necessary for those purposes
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Procedural approach to data protection
The Company only collects personal data for specified legitimate purposes and shall only process the information in accordance with those purposes.
4. General use of personal data
In accordance with the normal and proper conduct of business operations, the Company holds personal data on business contacts, prospective clients and their employees; and other individuals interested or connected with the Company.
Personal data is held in a variety of formats, both electronic and hard copy.
For individuals this will include (but not be restricted to) the normal conduct of business matters.
5. The types of personal information the Company collects
The Company collects and processes information relating to its clients.
Not all of the personal information the Company holds about its clients will come directly from the client. It may, for example, come from other organisations, such as professional organisations.
6. Lawful basis for processing
The Company will only process and use personal data for legitimate and lawful purposes, and where practicable, with the relevant individual’s consent.
It is necessary for the Company to collect, process and use personal data in order to fulfil the engagement between the client and the Company.
The Company will ensure that personal data is accurate, kept up to date, held securely, and only retained for as long as is necessary.
Access to personal data is restricted to those personnel to whom it is necessary for the performance of their role. All staff who are authorised to access personal data are under an obligation to comply with this policy, the General Data Protection Regulation and any other relevant guidelines or legislation.
Staff with access to personal data are required to ensure that it is held in a secure location where other unauthorised staff will not be able to access it without permission.
The Company will routinely and safely dispose of information once it appears to have exceeded its useful life and will do so in accordance with its data retention policy and related procedures.
If reasonably necessary or required to meet legal or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may also keep hold of some of your information as required, even if it is no longer needed to provide the services to you.
7. Rights of individuals
Under the General Data Protection Regulation, an individual has the following rights:
- To be informed about how their personal data is being used
- To access the personal data held about them
- To request that elements of that data be ported to another service provider
- To request rectification of any mistakes in the data that is held
- To request the erasure of personal data in certain situations
- To request the restriction of processing
- To object to the processing
- To object to any decisions being taken by automated means
A formal request to exercise any of these rights can be made free of charge and in writing to the DPO. The Company will require proof of identity and address and the information to which the request relates.
For further information on each of these rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
8. Accessing your personal data
Subject to the requirements of the General Data Protection Regulation, anyone has the right to know and inspect what personal data the Company holds about them and for this to be correct. If an individual has a query regarding the accuracy of their personal data, then their request will be dealt with fairly and impartially.
9. Data Transfer
The Company will only disclose or transfer personal data to third parties where consent has been obtained, where required by law, or as otherwise authorised under the General Data Protection Regulation.
Personal data will only be transferred to third parties where this is for proper purposes related to business matters. This can include where the Company uses a subcontractor to carry out activities on its behalf. In such cases, the Company will ensure that the subcontractor is engaged under a suitable contract and that appropriate controls are in place to ensure that personal data is protected. Third party service providers include professional service providers such as website hosts, marketing agencies and advertising partners.
Any exceptional disclosure of personal data will always be balanced against the rights of the person as provided for under the General Data Protection Regulation. The Company will not sell or supply personal data to third parties for their own marketing purposes unless specific consent has been obtained or as otherwise authorised by law.
The Company will only transfer personal data to countries located outside the European Economic Area in accordance with a European Commission approved contract, as permitted under Article 46 (5) of the General Data Protection Regulation, that is designed to safeguard privacy rights.
Personal data may be transferred to countries which are located outside the European Economic Area. For more information, please contact the Data Protection Officer.
If there are concerns regarding the processing of personal data, individuals should contact the Data Protection Officer.
If an individual remains dissatisfied with the Company’s response or requires any advice in regard to personal data, they should contact the Information Commissioner’s Office (ICO).
11. Contact us
12. Monitoring and evaluation of the provision
Formal responsibility for monitoring and evaluation of this policy lies with the Data Protection Officer.