1.0 Introduction
This policy governs the use of personal information within Westend on Sixth so that all of our team members, individual contractors and other workers (Personnel) will have a clear idea of the limits of use of personal information, and where to go for further advice.
1.1 Purpose
This policy lays down the principles for the processing of personal information, whether it relates to team members, suppliers, guests, customers or others. Personal information means any information relating to a living, natural person who can be identified either directly or indirectly. Processing personal information includes the obtaining, handling, processing, transporting, storing, destruction and disclosure of personal information. This policy is not designed to replace practical advice from the Data Manager. Nor is it intended to provide all the answers to questions concerning the use of personal information in particular areas, such as HR, IT or marketing.
1.2 Summary
Westend on Sixth will use the personal information of individuals fairly, lawfully, transparently and in a manner consistent with its valid business interests, while at the same time respecting the fair and lawful privacy requirements of the individuals concerned.
1.3 Status of this policy
This policy has been approved by the board of Westend on Sixth. Personnel who process personal information on behalf of the company must adhere to the terms of this policy; any breach will be taken seriously and may result in formal disciplinary action. Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with your line manager, the HR team or the Data Manager. Any Personnel who consider that this policy has not been followed should raise the matter with the head of their function within the company, or (if it is an employee-related issue) the HR team.
1.4 Further advice
Further advice may be obtained from the Data Manager at Westend on Sixth.
The Data Protection Officer, Suite 30610, Level 6, Southport Central 3, Commercial, 9 Lawson Street, Southport QLD 4215, Australia. Phone: (07) 5555 0198. E-mail: firstname.lastname@example.org. Website: www.westendonsixth.com
Any data subject can contact our data protection officer at any time.
2.0 Governing Principles
2.1 Principles
Personal information will be used within Westend on Sixth by its Personnel according to the principles of applicable data protection legislation (the “DP Legislation”), meaning the General Data Protection Regulation (“GDPR”), the Data Protection Act (“DPA”) and the Privacy and Electronic Communications Regulations (“PECR”). The principles require that personal information will be processed in accordance with the following:
1. Lawfulness, fairness & transparency
The DP Legislation seeks to ensure that processing is carried out lawfully, fairly and transparently, without adversely affecting the freedoms, interests and rights of the individual concerned. For personal information to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the individual data subject has consented to the processing, or that the processing is necessary for the performance of a contract with the individual, for compliance with a legal obligation, for the vital interests of the data subject, or for the legitimate interests of Westend on Sixth or the party to whom the information is disclosed. The DP Legislation imposes specific requirements in relation to electronic marketing (e.g. email, apps, social media and SMS), telephone marketing and the use of tracking or profile analysis technology (e.g. to deliver targeted online advertising). It is very important that you seek advice from internal teams, including the Data Manager, before undertaking such activities on behalf of the company. Before personal information is passed to third parties, including law enforcement agencies, government bodies, investigators or anyone else, full consideration must be given to the possible data protection implications of doing so.
2. Purpose limitation
Personal information will only be processed for the specific purposes notified to the individual when the information was first collected, or for any other purposes specifically permitted by the DP Legislation. This means that personal information will not be collected for one purpose and then used for another, unless the other purpose has also been specified.
3. Data minimisation
Only personal information that is necessary for the purposes specified will be collected. Any data which is not necessary for that purpose will not be collected in the first place.
4. Accuracy
Information which is incorrect, misleading or inaccurate will be amended immediately. Inaccurate or out-of-date information will be securely destroyed.
5. Storage limitation
Personal information will not be kept longer than is necessary for the purpose for which it was collected. This means that data will be destroyed or erased from our systems when it is no longer required.
6. Integrity and confidentiality
Westend on Sixth will ensure that appropriate safeguarding measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Individual data subjects may apply to the courts for compensation if they have suffered damage or distress from such a loss. The DP Legislation requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction, whether it is paper-based or in electronic format. Thus, personal data will only be transferred to a third-party data processor (such as a supplier or service provider to the company or a group company) if they agree to comply with these procedures and policies, or if they have put adequate measures in place. The DP Legislation also requires Westend on Sixth to have a written contract in place with all suppliers or service providers who will process personal information. Those contracts contain confidentiality terms to the following effect: unless the relevant party has the prior written consent of the other, or unless required to do so by law, each party will preserve the confidentiality of all confidential information of the other obtained in connection with the agreement. Neither party will, without the prior written consent of the other, disclose or make any confidential information available to any person, or use the same for its own benefit, other than as contemplated by the agreement. Each party’s obligations under this clause survive termination of the agreement.
The provisions of this clause do not apply to any information which: a) is or becomes public knowledge other than by a breach of this clause; b) is received from a third party who lawfully acquired it and who is under no obligation restricting its disclosure; c) is in the possession of the receiving party without restriction in relation to disclosure before the date of receipt from the disclosing party; or d) is independently developed without access to the confidential information. Please note that if at any time Westend on Sixth is required by law to release information about you or your organisation, Westend on Sixth must co-operate fully.
7. Accountability
Westend on Sixth will ensure that it is able to provide evidence that it complies with the DP Legislation: for example, to demonstrate that all the above principles have been applied, that documentation is up to date, that training on data protection and privacy has been completed, and that security measures are complied with.
2.2 Compliance with the principles
In order to meet the requirements of the principles Westend on Sixth will:
- observe the conditions regarding the fair, lawful and transparent collection and processing of personal information;
- meet its obligations to specify the purposes for which personal information is used;
- collect and process personal information only to the extent it is required for the company’s valid business interests and where there is a legal basis for doing so;
- ensure the quality of the personal information used;
- adopt a data retention and disposal policy that includes the length of time personal information is held;
- ensure that the rights of individuals about whom personal information is held can be fully exercised under the respective DP Legislation;
- take appropriate technical and organisational safeguarding measures (which include strict Personnel access controls) to protect personal information including following the policy guidelines set out in Westend on Sixth IT Security Policy and IT Acceptable Use Guide;
- ensure that any contractor, agent or other third party who processes personal information on the company’s behalf does so under a written contract requiring that third party to:
  - only process the personal information in accordance with the company’s instructions;
  - take appropriate technical and organisational security measures to safeguard personal information;
  - ensure that personal information is not transferred outside the European Economic Area without suitable safeguards; and
  - confirm destruction of all information at the end of the engagement, including paper and electronic copies, with consideration given to backup media;
  and which contains the additional data processing clauses specified in the DP Legislation.
2.3 Responsibility for compliance
Westend on Sixth is a data controller (and, in certain circumstances, also a processor) responsible for complying with the DP Legislation. It is the responsibility of each member of Personnel to comply with this policy when using personal information relating to team members, customers or others. The Data Manager has responsibility for this policy and its review.
3.0 Legal Basis
All processing must be lawful, which means that one of the following legal grounds must be established before processing can take place:
3.1 Consent
When relying on consent, Westend on Sixth must be able to demonstrate that consent has been unequivocally given, not merely implied. Online consent from a child under 13 is not valid unless it has been given or authorised by the holder of parental responsibility. Nor can consent be coerced, for example by making it a condition of a contract. Explicit consent is one valid legal basis for processing special categories of personal information. Consent must be prominent in any privacy statement and must be:
- freely given, specific, informed and unambiguous; and
- given by a clear affirmative action, signifying agreement to the processing of the individual’s personal information.
When marketing, Westend on Sixth will:
- only market to individuals under the correct legal basis, such as consent, and for the specific purposes notified to the guest or customer when the personal information was collected;
- use safeguarding measures such as the Telephone Preference Service, Mailing Preference Service and other third party suppression lists where appropriate;
- use standard Westend on Sixth consent wording; and
- require our third party partners to use an approach compatible with this document when capturing consents on our behalf.
3.2 Legitimate Interests
If relying on legitimate interests as the legal basis, Westend on Sixth must always be able to demonstrate the necessity of the processing for those interests. It must also be able to demonstrate that there are no overriding risks to the individuals’ interests, rights or freedoms. The company’s legitimate interests, weighed against the risks to individuals, must therefore always be taken into account when conducting a data protection impact assessment (required for any new system or process, or a significant change to one). Similarly, the mitigating measures that are applied must be documented.
3.3 Contract
When relying on contract as the legal basis, Westend on Sixth must be able to demonstrate that the processing is necessary for the performance of a contract (or for steps taken at the individual’s request before entering into a contract) with the individual, for example an employee, supplier or customer / guest. NB – Consent is presumed not to be freely given if the performance of a contract, including the provision of a service, is made conditional on consent to processing that is not necessary for that performance.
3.4 Legal Obligation
When there is a statutory obligation, Westend on Sixth must be able to demonstrate, for the specific purposes of processing personal information, what that legal obligation is, which third parties receive the personal information under the auspices of the obligation, and what retention obligations apply.
3.5 Public Interest
When relying on public interest, Westend on Sixth must be able to demonstrate that there is a need to hold personal information in the interests of the public: for example, for public safety and security purposes, retaining staff information to pass to emergency services personnel in the event of an emergency.
4.1 Notices
Individuals have the right to be informed, before processing takes place, of the specific purposes for which their personal information is being processed, for how long the information will be stored and processed, who it is being shared with (including internationally), and whether there is automated decision-making, including profiling.
4.2 Transfers
Firm and client data will stay within the country or territory of origin. In particular, the DP Legislation prohibits us from transferring personal information to countries outside the European Economic Area (EEA) unless we first put in place additional safeguards.
4.3 Data Protection by Design / Data Protection by Default – Approach
Westend on Sixth will ensure that our policies reflect processes and a culture of respecting privacy. This includes ensuring that each of us is accountable for adhering to security and other safeguarding measures, for collecting, processing and storing only the personal information that is required, for sharing it only with those who are authorised and required to use it, and for keeping it only for as long as it is required.
4.4 Data Protection Impact Assessment (DPIA)
A DPIA is undertaken from a risk-based perspective for any new process or system that uses innovative technologies, processes personal information or monitors individuals on a large scale, or otherwise presents a higher risk to the rights and freedoms of the individuals affected.
5.0 Data subject rights
5.1 Summary of Rights
The subjects of personal information held by, or on behalf of, Westend on Sixth (“Data Subjects”) have a wide range of rights granted to them under the DP Legislation. Whilst Westend on Sixth can make use of personal information for specific purposes where we can lawfully justify such use, an individual can still exercise significant control over what we do. A summary of each of the rights is set out below.
5.2 Right to be informed
Individuals have the right to be informed of how their personal information is being processed. This will be provided in a privacy notice, which may take the form of:
- an email signature, other correspondence, or an information board in a public area;
- a privacy clause in an Employee Handbook; or
- a clause within the Terms and Conditions of a contract.
The notice will state:
- the purpose for processing their personal information,
- what information is processed, and
- for how long.
5.3 Right of access (‘Subject Access Requests’)
Individuals have the right to request that Westend on Sixth:
- confirm, amongst other things, whether we are holding their personal information;
- provide them with a copy of that information; and
- provide them with supporting (and detailed) explanatory materials.
5.4 Right to rectification
Individuals have the right to require us to rectify inaccuracies in personal data held about them. In some circumstances, if personal information records are incomplete or inconsistent, individuals have the right to require us to complete the data, make it consistent, or record a supplementary statement correcting it.
5.5 Right to erasure (‘the right to be forgotten’)
Individuals have the right to have their personal information erased in certain specified situations, in essence where the continued processing of it does not comply with the DP Legislation. Several exemptions apply to such requests, and you should not assume that your personal information is simply deleted.
5.6 Right to restriction
The right to restriction allows individuals, in certain situations, to restrict our use of their personal information. This might result in our use of it being limited to storage only, and could mean that we have to move personal information to separate IT systems or temporarily block access to it. This could arise where an individual is disputing the accuracy of information we hold, or where they are objecting to our right to continue using their information and we need time to establish whether we have a right to do so.
5.7 Right to data portability
Data portability is the right of individuals to receive, on request, their personal information in a structured, commonly used and machine-readable format. We could also be asked by an individual to transmit their personal information directly to another data controller in that format. This right only applies to electronic records which have been provided to us by the individual themselves, or which have been generated from their activity or are our observations of their activity (but not our subsequent analysis of that activity), and only where we hold the personal information because we have the individual’s consent or because we are fulfilling a contract with them.
5.8 Right to object
Individuals have an absolute right to object to their personal information being processed for the purpose of direct marketing. If we receive any such objection we will immediately cease such marketing activities in respect of that individual. Individuals also have a wider right to object to processing we undertake which is justified on the basis that it is in our legitimate interests (rather than because we have their consent).
5.9 Rights in relation to automated decision-making, including profiling
Individuals have rights which apply if we take decisions about them which are based solely on automated processing (i.e. without human intervention) and which produce legal or similarly significant effects on them. Westend on Sixth can use such automated decision-making where it is necessary for entering into a contract with the individual, or where we have their explicit consent. In either case we must be transparent with individuals about what decisions are taken in this way.
5.10 Right to complain
Individuals have the right to bring a complaint to the Information Commissioner or another supervisory authority.
5.11 Right to bring legal proceedings
Individuals have the right to seek a judicial remedy through the courts.
5.12 Requests
Team members, customers and other subjects of personal information held by, or on behalf of, Westend on Sixth may exercise any of the rights specified above. These rights are subject to certain exemptions which are set out in the DP Legislation. Any team member, customer or other subject of personal information wishing to exercise any of these rights should make the request in writing to the Data Protection Officer. Westend on Sixth aims to comply with any request in relation to personal information as quickly as possible, and in any event within the time specified by the DP Legislation.
5.13 Personnel responsibilities
All Personnel are responsible for:
- checking any personal information which they provide to Westend on Sixth is accurate and up to date;
- informing Westend on Sixth of any changes to personal information which they have provided, for example change of address; and
- checking any information that Westend on Sixth may send out from time to time, for example giving details of personal information that is held by the company.
Particular care is required with special categories of personal information, which include information about an individual’s:
- racial or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- membership of a trade union;
- physical or mental health or condition;
- sexual life;
- biometric or genetic data (e.g. facial or iris imaging, or biological sample information);
- commission or alleged commission of an offence;
- any proceedings for any offence or alleged offence, the disposal of such proceedings or any sentence imposed by a court
5.14 Email
Due to the ease with which large quantities of personal data can be accidentally or inappropriately exposed by email, staff will be particularly careful to use email in a considered manner. In particular:
- Email to addresses outside the “@westendonsixth.com” domain will not include personal data beyond simple contact information (name, email, telephone, address, job title and place of work). If more extensive data needs to be provided, an encrypted attachment can be used (MS Office encryption is adequate for low risk data), with the password communicated to the recipient by a separate channel such as telephone, never in the same email or a follow-up email; a specialised secure transfer option may be used in high risk cases.
- Emails sent from “@westendonsixth.com” addresses to “@westendonsixth.com” addresses are restricted to the secure environment and may include personal data.
- No personal information will be in the “Subject” field of an email regardless of the recipient.
6.0 Information collected, use and retention
Westend on Sixth is the sole owner of the information collected. We will not sell, share or lease this information to others in ways different from what is disclosed in this statement. Westend on Sixth collects information from our clients and prospects via email, websites, forums, telephone, mail and various web services. Information is collected when a prospect or client:
- enquires about our software or services
- purchases any of our software or services
- provides feedback by any media
- completes surveys or replies to expressions of interest
- registers for promotional events
- registers for hands on training, update seminars or webinars
- renews a software subscription or service subscription
- obtains any other service or product from us
- participates in special offers
- logs a support call
- accesses our website
- communicates in our forums
- provides feedback through our website
- asks us to assist with the resolution of software problems
- asks us to convert data from another software package to Westend on Sixth
- asks us to combine software data sets
6.1 Where is the data held?
All client data from our application is stored on Rackspace and Google Cloud Platform (GCP), in the country of origin for the United Kingdom and Australia respectively. Where the client is in neither of these countries, the client data will be held in either the United Kingdom or Australia, depending on the client’s geographic location. Access to our file servers requires an individual login user name and password.
7.0 What happens if you do not provide the information?
Should the relevant information not be provided, clients may be disadvantaged: they may not receive software and product updates, support calls may not be able to be resolved, and information may not be provided to the correct person.
8.0 Third party compliance
Westend on Sixth will not sell, rent, trade or otherwise supply to third parties any personal data obtained from you unless you consent.
9.0 Aggregated data
Westend on Sixth may share unidentifiable aggregated demographic data with other organisations, and may use such data to provide clients with a better user experience.
10.0 Security measures in place
Westend on Sixth takes precautions to protect our clients’ information. When clients submit sensitive information via our websites or client centre, that information is protected both online and off-line. When our registration/purchase form asks users to enter sensitive information (such as a credit card number), that information is protected. Westend on Sixth has security measures designed to protect against the loss, misuse and/or alteration of the information under its control. All client information is password protected. All paper files maintained are stored securely. Access to client data stored on our file servers is controlled by login names and passwords. Client data is deleted once the support issue has been resolved or the conversion or combination of data is complete.
11.0 Cookies
Our website uses cookies for the following purposes:
- Allowing us to identify your device, so that you are not treated as a new visitor each time you visit our website.
- Understanding how visitors use the website, so that we can optimise the website layout.
- Assisting in detecting and preventing security threats.
- Noting your browser capabilities.
- Third party cookies set by Google Analytics and Pardot, which are used to collect marketing information anonymously and in statistical form. If you would like more information about the cookies used by these third parties, please see their individual cookie policies.
- Third party cookie use by Typekit to allow custom fonts on our website.
- Third party cookie use by YouTube to connect directly to the Westend on Sixth YouTube account which contains training videos of our software.
12.0 Use of Google Fonts Web API
Our website uses the Google Fonts API to provide a unified and visually pleasing textual experience for our users. Google Fonts is a service offered by Google LLC (“Google”) that allows websites to use high-quality fonts. By using Google Fonts, some information may be transferred to Google servers, which may be located in other countries. This section outlines how Google collects and uses data in relation to the Google Fonts Web API.
12.1 Data Collection by Google
When you visit a page on our website that uses Google Fonts, your web browser automatically sends a request to Google’s servers. This request may include the following information:
- IP Address
- Browser type and version
- Operating System
- Referrer URL
- The time of the request