Guardian Support are committed to safeguarding the privacy of our website visitors; in this policy we explain how we will treat your personal information.

By using our website and agreeing to this policy, you consent to our use of cookies in accordance with the terms of this policy.

Introduction

This Policy sets out the obligations of Bushell Investment Group Business Services Limited, TA Guardian Support, regarding data protection and the rights of data subjects in respect of their personal data and sensitive personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

Guardian Support is classified as the Data Controller and/or Data Processor for information that is supplied to us in the performance of a contract with us or due to an identified legitimate business interest.

What is Personal Data?

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

What is Special Category Data?

Sensitive personal data/special categories of data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health, an individual’s sexual orientation and criminal convictions.

This Policy sets the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data.

The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

The Data Protection Principles

This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:

The Rights of Data Subjects

The GDPR sets out the following rights applicable to data subjects:

What Information do we hold and the legal basis for processing such Data?

The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject.

Client Data/Authorised Contact Data

We collect the following personal information when contacted about our services as part of the sales process and/or in the performance of our contract with you, therefore we have assessed that there is a legitimate business reason for holding such data:

Client Employee Data

As our core service is the provision of confidential HR, Employment Law and Health and Safety advice, documentation and legal services, as your legal advisors it is necessary for us to hold information regarding client employees in the performance of our advisory obligations under contract with you and to assist clients in complying with their legal obligations as an employer/controller.

Information held will include:

Supplier information

In order to become an approved supplier, we will hold business data on our approved supplier list.

Such data includes:

How we use information

Client Data/Authorised Contact Data

In order to enter into a contract with you or to fulfil our contractual obligations your information will be used as follows:

Sales: When contacting us about our services, details will be held on our sales proformas and within our Sales CRM system in order to obtain a quote for services.

Authorised Contact: As a confidential advisory service, your details are held on an authorised contacts form within your client account to ensure that only authorised contacts are able to access advice and services, and payments. We will also add you to our birthday list should a partial date of birth be provided, although this is not mandatory.

Legal Updates & Marketing: Under your contract you will be provided with electronic legal updates, blogs, and special offers via our mailer. As such you will be added to our database for these purposes. Should you cease to be a client, your name and email details will be retained on the mailer as it has been assessed that such information is business information and you will retain a legitimate business interest. However, should you wish to cease receiving such information there is the ability to unsubscribe, which will automatically remove you from any mailing lists.

Client Employee Data

As our core service is the provision of confidential HR, Employment Law and Health and Safety advice, documentation and legal services, as legal advisors it is necessary for us to hold information regarding client employees in the performance of our advisory obligations under contract and to assist clients in complying with their legal obligations as an employer/data controller.

Third Parties

Personal information will only be provided to third parties with the explicit consent of our clients, i.e. booking training with 3rd party suppliers (via booking forms), arranging Occupational Health appointments (if applicable), or making business introductions.

Accuracy of Data and Keeping Data Up-to-Date

The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject. The accuracy of personal data shall be checked when it is collected and at regular intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

Should you believe such information is not accurate or up to date, you should contact:

Wendy Curlett – Operations Director
Guardian Support
8th Floor, Lyndon House
58-62 Hagley Road
Birmingham
B16 8PE

The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

Erasure of Personal Data

Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:

Data Retention

The Company shall not keep personal data for any longer than is necessary, usually at least 6 years, in light of the purpose or purposes for which that personal data was originally collected, held, and processed.

When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.

In relation to electronic mailing, name and email address of authorised contacts will remain on our database indefinitely as it is deemed that there is a legitimate business interest. However, individuals will be able to unsubscribe from these electronic emails by pressing the unsubscribe button, which will automatically remove their data.

Secure Processing

The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Accountability and Record-Keeping

The Company’s Data Protection Officer is Wendy Curlett, Operations Director, Guardian Support, 8th Floor Lyndon House, 58 – 62 Hagley Road, Birmingham, B16 8PE, Telephone Number: 0845 26 26 260.

The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.

The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

Data Protection Impact Assessments

The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.

Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:

Data Subject Access

Restriction of Personal Data Processing

Data subjects may request that the Company ceases processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.

In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

Data Portability

The Company processes personal data using automated means. For example, all authorised contacts registered for our services will have their nominated email addresses added to our automated mailing list to receive legislative updates via a newsletter and company blogs, in addition to any product offers or company updates as deemed appropriate. This is in performance of the contract.

Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).

To facilitate the right of data portability, the Company shall make available all applicable personal data to data subjects in electronic format.

Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.

All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.

Objections to Personal Data Processing

Data subjects have the right to object to the Company processing their personal data based on legitimate interests, or for direct marketing (including profiling).

Where a data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing immediately.

Where a data subject objects to the Company processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. The Company is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.

Automated Decision-Making

The Company does not use personal data in automated decision-making processes.

Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

The Company does not use personal data for profiling purposes.

Cookies

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners, who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

Our website uses Google Analytics and Google Retargeting in order to compile reports on activity on our website. Google stores this information on servers in the USA and the transfer of such data is governed by the EU-US Privacy Shield framework. Google may also transfer this information to third parties where required to do so by law. Google will not associate your IP address with any other information held by Google.

By continuing to use our website you consent to our cookies. This privacy policy only applies to this website. Should any blogs and legal updates contain links to other sites or news stories you should read their own specific privacy policy.

Should you wish to reject or block the use of cookies, you can do so at any time, usually by clicking “help” in your browser. Cookies are specific to each individual browser, so if you use more than one browser you will need to delete cookies on each. Please be aware that rejecting cookies may reduce the functionality of website features.

Data Security – Transferring Personal Data and Communications

The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:

Data Security – Storage

The Company shall ensure that the following measures are taken with respect to the storage of personal data.

Data Security – Disposal

When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted through shredding and/or deletion of electronic formats (ensuring that information is not still contained within a deleted box and is permanently wiped).

Data Security – Use of Personal Data

The Company shall ensure that the following measures are taken with respect to the use of personal data:

Data Security – IT Security

The Company shall ensure that the following measures are taken with respect to IT and information security:

Organisational Measures

The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

Transferring Personal Data to a Country Outside the EEA

The Company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA, should it be deemed necessary in the performance of the contract, i.e. if the client has an international office.

The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:

The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;

The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;

The transfer is made with the informed consent of the relevant data subject(s);

The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);

The transfer is necessary for important public interest reasons;

The transfer is necessary for the conduct of legal claims;

The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or

The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

Data Breach Notification

All personal data breaches must be reported immediately to the Company’s Data Protection Officer.

If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.

Data breach notifications shall include the following information:

Implementation of Policy

This Policy shall be deemed effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

Name: Brendan Wincott
Position: Managing Director
Date: 25th May 2018
Due for Review by: 25th May 2019
