Digital Fineprint Limited – Privacy Statement
Digital Fineprint provides services which involve collecting data from publicly available online sources (such as Companies House). We process that data for the same purposes for which it was made publicly available. Information about our processing of personal data can be found below. We also collect and present that data to our customers under their instructions. Where this data includes personal data, our customer is the data controller and we are the data processor acting on their behalf.
Digital Fineprint is committed to protecting your data and information. We believe it is important to look after your data and allow you to retain control over how it is used.
We want to ensure that your data is processed fairly, lawfully, and in accordance with your rights under the General Data Protection Regulation (GDPR; EU 2016/679). Please read the full Privacy Statement carefully to understand our policies and practices regarding your information and contact our Data Protection Officer at privacy@digitalfineprint if you have questions.
Due to the nature of the services we provide to our clients, it may be necessary to hold and process personal data regarding the clients’ employees and customers. This personal data is covered by the General Data Protection Regulations 2016 (“GDPR”).
For the capture and use of data relating to clients’ employees and customers, there are some key legal requirements with which we need to comply. The purpose of this Privacy Statement is to set out how we meet these requirements and to ensure that every client who provides data to us understands the legal basis on which that data is held, what the data is used for, how it is stored and who has access to it.
The Privacy Statement is one element of how we fulfil the obligations of GDPR. This document should be viewed in conjunction with the following policies and procedures:
- Data Breach Notification Procedure
- Data Processing Agreement
- Record Retention and Protection Policy
GDPR is an extensive piece of legislation that seeks to protect the right to privacy of individuals. There are some key terms in relation to the approach that we are using in relation to GDPR. These are:
- Data Subject – the individual to whom the data relates;
- Personal Data – any information relating to an identified or identifiable person;
- Processing – any action performed with the personal data (collection, recording, sharing, storing, etc.);
- Controller – the person or entity who determines what data to collect and the use of that data;
- Processor – the person/people who collects and processes the data as per instructions from the Controller.
Key roles in data use
For provision of our services, the following roles fulfil duties under this Privacy Statement:
- Controller – our directors and employees
- Processors – our directors and employees
The six privacy principles
GDPR sets out six privacy principles with which we must comply. These principles are:
- Purpose Limitation – we must clearly state the reason that data is being held and can then only process data for that reason. If we want to use the data for a different reason to that for which the data was collected, then we must inform the client
- Data Minimisation – we must only collect the data that is needed
- Accuracy – we must take all reasonable steps to ensure that the data held is accurate
- Storage Limitation – we must only keep the data for as long as it is necessary
- Integrity and Confidentiality – we must take all reasonable steps to ensure that the data held is kept securely and is only shared with people who have a legitimate need to have access to it
- Lawfulness, fairness and transparency – we must have a legal basis for processing data and must be transparent about the data held, why it is held, how it is held, who has access to it and for how long it is retained
Our legal basis for processing data and how we will use it
GDPR states that data can only be processed for one of six reasons – consent, contract, legal obligation, vital interests, public task and legitimate interests. Of these, the reasons that we hold data relating to our clients’ employees and customers are:
- “Consent”, where consent is defined as where an “individual has given clear consent for us to process their personal data for a specific purpose”
- “Contract”, where contract is defined as “a lawful basis for processing data if a company is required to hold the data to fulfil their contractual obligations”
- “Legal obligation”, where legal obligation is defined as “the processing necessary for us to comply with the law (not including contractual obligations)”.
We will not sell your data to third-parties nor use the information held about you (and information about others) to provide you with advertising or other services that you have not requested.
The data that is typically held
- Website contact form
When you navigate our websites or contact us, we may request or you may choose to provide us with certain information. This may include Personal Information, such as name, company, job title, email address and records and copies of your correspondence with us.
If you contact us through one of our contact forms, we will assume you have a legitimate interest to do so. We will continue to hold your information for 24 months after your last interaction with us. You can request for your data to be erased at any point by emailing email@example.com.
We use third party solutions, WordPress and MailChimp, to store and manage our contact and e-newsletter requests.
- Customer account information
As a customer of our product, we may collect and process information such as your name, email address and company.
We will hold your information for the duration of our Agreement with either yourselves or your employer.
- Job application and employee information
We process and store Personal Information for the purpose of assessing your suitability for employment at Digital Fineprint and/or to fulfil our statutory obligations as an employer. This may include information such as your name, date of birth, employment and education history, contact information and information of a sensitive nature that you chose to disclose to us.
We use third-party processors, Workable and People HR, to manage our job applications and store our employee information.
We store relevant employee data for the duration of your employment and for the legally required amount of time after that.
We will hold your job application for a total of 12 months after our last communication. This does not affect your rights as an individual under GDPR.
- Usage details and cookies
When you visit www.digitalfineprint.com we may collect information about how our website is used. We do this to find out things such as the number of visitors to the various parts of the site so that we can improve our service to you.
We use a third-party service, Google Analytics, to collect standard internet log information and details of your behaviour patterns. This information is processed in a way which does not identify anyone. We do not make and do not allow Google to make, any attempt to find out the identities of those visiting our website.
Any Personal Information collected on our website is obtained via our contact forms. We will make it clear when we collect Personal Information and will explain what we intend to do with it.
Where we have collected and processed data on individuals who may be Directors of UK businesses, we have done so on the basis of legitimate interest. In doing so we have considered the following:
- We have checked that legitimate interests is the most appropriate basis
- We understand our responsibility to protect individual’s interests
- We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision
- We have identified the relevant legitimate interests
- We have checked that the processing is necessary and there is no less intrusive way to achieve the same result
- We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests
- We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason
- We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason
- We have considered safeguards to reduce the impact where possible
- We have considered whether we can offer an opt out
- Although our LIA has not identified a significant privacy impact, we have conducted a DPIA regardless
- We keep our LIA under review, and repeat it if circumstances change
- We include information about our legitimate interests in our privacy information
‘Privacy by design’
We have adopted the principle of ‘privacy by design’ for our systems which collect or process personal data. We will ensure that the definition and implementation of all new or significantly changed systems (that collect or process personal data) will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments. The data protection impact assessment will include:
- Consideration of how Personal Data will be processed and for what purposes;
- Assessment of whether the proposed processing of Personal Data is both necessary and proportionate to the purpose(s);
- Assessment of the risks to individuals in processing the Personal Data;
- Consideration of which controls are necessary to address the identified risks and demonstrate compliance with legislation.
Disclosure of your information
We may disclose your Personal Information to any partner of Digital Fineprint and/or a member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may disclose your Personal Information to third parties:
- in the event that we sell or buy any business or assets;
- if Digital Fineprint or substantially all of its assets are acquired by a third party;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property, or safety of Digital Fineprint, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection; or
- where previously mentioned in this policy.
Data Protection Officer
A defined role of Data Protection Officer is required under the GDPR if an organisation is a public authority, if it performs large-scale monitoring, or if it processes particularly sensitive types of data on a large scale. Based on these criteria, we have appointed a DPO and they can be reached using the firstname.lastname@example.org email address.
We always aim to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms
of individuals, we will inform the relevant Data Protection Authority within 72 hours. This will be managed in accordance with our Data Breach Notification Procedure which sets out the overall process of handling information security incidents.
Under the General Data Protection Regulation (GDPR), you have rights as an individual, which you can exercise in relation to the information we hold about you.
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to object or question automated processing or profiling.
- Right to judicial review – in the event that Digital Fineprint refuses your request under rights of access, we will provide you with a reason as to why. You have the right to challenge this with the Information Commissioner Office.
You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
If you would like to exercise any of your rights as a data subject you can do so by contacting us at email@example.com.
Addressing compliance to the GDPR
To ensure that we comply with the accountability principle of the GDPR, we have ensured that:
- The legal basis for processing personal data is clear and unambiguous;
- There is appropriate communication with all clients regarding the data held;
- The Controllers and Processors involved in handling Personal Data understand their responsibilities for following good data protection practice;
- Routes are available to Data Subjects wishing to exercise their rights regarding personal data, and that such enquiries are handled effectively;
- Regular reviews of procedures involving Personal Data are carried out by our directors; and
- Privacy by design is adopted for all new or changed systems and processes.
Changes to this policy
Concerns and Questions
GDPR is new legislation and how the rules are interpreted will continue to evolve. We will continue to adopt best practices to ensure on-going compliance. Any concerns or questions relating to the way in which we process data should be raised via email to firstname.lastname@example.org. The issues will then be investigated and a response will be sent within 28 days of receipt of the email. To review a copy of Digital Fineprint’s Information Security Policy, please contact email@example.com.