Introduction
- Pure Research Limited (08336061) with registered office at Park House, Charlton Court Place, Maidstone, Kent ME17 3AN (the “Company”, “we”, or “us”) is committed to working in accordance with the Data Protection Act 2018 (“GDPR”) and with the highest standards of ethical conduct.
- This policy outlines the rules, behaviours and standards required of the Company, employees, workers and third parties working on behalf of the Company in relation to the collection, retention, transfer, disclosure, use and destruction of any personal data. All workers will be responsible for data protection and must abide by the rules and policies of the Company.
- Capitalised terms not defined herein shall bear the meaning given under the GDPR.
Personal Data and Sensitive Personal Data
- The Personal Data, as defined under the GDPR, which we process includes certain information which can be used to identify the person in question (“Data Subject”, or “you”).
- Although we don’t currently collect and/or process Sensitive Personal Data, we shall inform you should this change, as well as the further protections that we would implement.
- The Personal Data we collect and Process about you is set out below.
Personal Data
The Company collects and processes the following personal data, either as a Data Processor or Data Controller:
- Name
- Title
- Role
- Email Addresses
- Telephone Numbers
Purpose/Activity
- Raising awareness of our brand and communicating to you about specific products/services that may be of interest;
- To use data analytics to improve our products/services, marketing, customer relationships and experiences.
- To make suggestions and recommendations to you about goods or services that may be of interest to you and are related to the information or services we have previously provided.
When and how data is collected
Data is collected from you directly when you contact us requesting information.
Lawful Basis
Legitimate Interest
Third-party links
We may provide links to third-party websites or resources. We do not control these third-party websites and we are not responsible for their privacy statements. We encourage you to read the privacy notice of every website visited.
Other Non-Personal Data
This is data where your identity has been removed (anonymised data). We use such data for our own purposes.
Keeping in touch with you
- Where we have reason under legitimate interest to update you about our services we may reasonably do so. You may opt out at any time.
- Where you request us to add you to a subscription list to receive certain information we will do so and communicate with you in your chosen method as applicable. You may request to be removed from such lists at any time.
- We will not share your Personal Data with other companies.
Rights of Data Subjects
- You have the following rights under the GDPR, which are further explained below:
- the right to be informed, which encompasses the obligation to provide transparency as to how Personal Data will be used;
- the right of access;
- the right to rectification of data that is inaccurate or incomplete;
- the right to be forgotten under certain circumstances;
- the right to block or suppress processing of Personal Data; and
- the right to data portability which allows parties to obtain and reuse their Personal Data for their own purposes across different services under certain circumstances.
- Where you wish to exercise any of the above rights, you should contact us, the Data Controller, at [email protected].
Data Protection Principles
The company is committed to adhering to the Data Protection Principles which state:
- Data must be processed lawfully, fairly and in a transparent manner.
- Data must be obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data processed must be adequate, relevant and limited to what is necessary.
- Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data that are inaccurate are erased or rectified without delay.
- Data must not be kept for longer than is necessary for the purposes for which the data are processed.
- Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
Right of Access
- Data Subjects have the right to access the information stored about them. A Data Subject can ask for access to their own personal details held electronically or held manually. A Data Subject who wishes to see their records should give notice to the Data Protection Officer at [email protected]. The Company has up to 1 month to provide the information following the subject access request, which it will usually do in electronic format.
- In complex cases, or where there are numerous related requests, the Company will liaise with the Data Subject to inform them of progress of their request(s), and if it is not possible to complete this within 1 month, the Company will inform the Data Subject of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.
- In the event that data is retained by third parties, the Company will ensure that the request is communicated and actioned by the third party in line with the timescales outlined above, unless impossible, or if it would require disproportionate effort.
- The Company reserves the right to charge a fee or to refuse to respond to a request if it is manifestly unfounded or excessive. Similarly, the Company reserves the right to withhold Personal Data if disclosing it would adversely affect the rights and freedoms of others.
Rectification of Data
- The Company is committed to keeping Personal Data accurate and up to date. Personal Data will be checked for accuracy where possible, and any Personal Data that is inaccurate, out of date or unnecessary will be corrected or erased as appropriate.
- Where a Data Subject identifies that their Personal Data is incorrect or incomplete, or where they are aware that their Personal Data has changed, they must inform the Company as soon as possible. The Company will then take steps to rectify any inaccuracies in a timely manner, and at the latest within 1 month.
- In complex cases, or where there are numerous cases, the Company will liaise with the Data Subject to inform them of progress of their request, and if it is not possible to complete this within 1 month, the Company will inform the Data Subject of the delay and the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.
- In the event that Personal Data has been disclosed to third parties, the Company will ensure that the request for rectification is communicated and actioned by the third party in line with the timescales outlined above, unless this is impossible or if it would involve disproportionate effort.
The Right to be Forgotten
- Also known as ‘the right to erasure’, the right to be forgotten doesn’t provide an absolute right to be forgotten, but Data Subjects have a right to have Personal Data erased (we may keep anonymised data) and to prevent processing in some circumstances, i.e.:
- Where the Personal Data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the Data Subject withdraws consent.
- When the Data Subject objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The Personal Data was unlawfully processed.
- The Personal Data has to be erased in order to comply with a legal obligation.
- The Personal Data is processed in relation to the offer of information society services to a child.
- If a Data Subject wishes their Personal Data to be partially/fully erased and no longer processed, they should write to the Data Protection Officer with full details of their request. The Company has up to 1 month to respond to you and either delete the data or explain why it is unable to comply with your request. Circumstances where the Company may be unable to comply include where it is required to retain the information by law, or if the Personal Data is needed in connection with legal proceedings.
- In complex cases, or where there are numerous related requests, the Company will liaise with the Data Subject to inform them of the progress of the request, and if it is not possible to respond to this within 1 month, the Company will inform the Data Subject of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months, if necessary.
- In the event that Personal Data is retained by third parties, the Company will ensure that the request is communicated and if appropriate actioned by the third party in line with the timescales outlined above.
Security of Data
- The Company is committed to taking steps to ensure that Personal Data is protected, and to prevent any unauthorised access, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of its security systems and by regular training and awareness raising.
- Any data breaches will be managed according to the Company’s procedures documented in its Data Protection Breach Reporting Policy and Procedures.
Data Retention
- The Company is committed to ensuring that subject Personal Data is kept for no longer than necessary and only kept as long as it’s relevant and necessary for legitimate purposes. As soon as Personal Data is no longer necessary for the purposes for which it was originally collected, it will be securely deleted, or otherwise made inaccessible, and/or anonymised, unless it is necessary to keep the Personal Data for some other legitimate reason.
- The Company does not intentionally keep Personal Data longer than necessary and when Personal Data is no longer required, the Company is committed to securely deleting it as soon as practicable.
Data Breaches
- The Company has ensured that all its staff are trained in relation to the protection of Personal Data, are responsible for data protection, and are alert to any actual, suspected, threatened or potential data protection breaches. As soon as a data protection breach has been discovered, the member of staff shall act in accordance with our Data Protection Breach Reporting Policy and Procedure.
- For more information regarding how we manage data protection breaches, please refer to the Data Protection Breach Reporting Policy and Procedure.
Third party Data Processors
In providing the Services, we currently engage the following parties, all of whom we have assessed to ensure GDPR compliance:
- Heroku
- Amazon Web Services (AWS)
- Hubspot
Data Portability
- This right to data portability only applies to Personal Data that you have provided to the Company, where the data processing is based either on your consent or the performance of a contract and where the processing is carried out by automated means, and it will only be transferred where it is technically feasible to do so.
- If you wish to make a request for your data to be transferred, you must write to the Data Protection Officer, and we will respond to you within 1 month. If the requests are numerous or complex we reserve the right to extend this timescale by a further 2 months. If we are unable to complete your request, we will write to you to inform you why, along with your right to complain to the Information Commissioner’s Office (ICO).
Objections to Personal Data Processing
- You have the right to object to data processing where the Company is:
- processing information based on its legitimate business interests, or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing
- processing for the purposes of scientific/historical research and statistics.
- If you wish to object to processing, you should write to the Data Protection Officer outlining the grounds relating to your particular situation and we will stop the processing unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is in relation to legal claims. If we are unable to agree to your request, we will write to inform you why, along with your right to complain to the ICO.
Data Protection Measures
The Company is committed to ensuring the security of your data and to processing it in line with the Data Protection rules. As such, the Company will:
- Ensure that all staff are aware of their responsibilities and the Company’s obligations and responsibilities in relation to data protection.
- Ensure that all staff and individuals/organisations who handle data on behalf of the Company are appropriately trained and receive refresher training on a regular basis.
- Ensure that all staff and individuals/organisations who handle data on our behalf are regularly monitored, assessed and reviewed.
- Ensure that all organisations who handle data on our behalf are carrying out data processing in line with the Data Protection rules.
- Regularly review the Company’s methods of data collection, handling, processing and storage.
Privacy Impact Assessments
As part of the Company’s ongoing commitment to ensuring maximum protection for personal data, the Company will undertake Privacy Impact Assessments where appropriate. Privacy Impact Assessments will help the Company consider the processing that is being undertaken, the risk to data subjects and, most importantly, the measures that need to be taken to minimise the risks. Privacy Impact Assessments will be overseen by the Data Protection Officer and will be reviewed on a 3-yearly cycle, unless it is deemed that a more frequent review is necessary.
Data Protection Officer
The Company has appointed a Data Protection Officer, who will support the Company to manage Data Protection and will work with the Executive Board in this respect. Any queries or concerns can be addressed directly to the Data Protection Officer on [email protected].
Monitoring
We are committed to monitoring this policy and will update it as appropriate, on an annual basis or more frequently if necessary.
Any queries or concerns can be addressed directly to the Data Protection Officer at [email protected].
Last updated 30th June 2021
1st July 2021, VERSION 2.01