Privacy policy document

ALEXANDER JAMES DEVELOPMENTS LIMITED T/A ALPHA GROUP

On 25th May 2018, the UK introduced a raft of new data protection legislation – parts of the EU regulation – the GDPR (General Data Protection Regulation); Data Protection Act 2018 and e-privacy regulations as well as Fees Regulations.

To be compliant with the new legislation and avoid the inevitable fines regime, I have reviewed current measures in place for the company and have drafted new texts to take the new requirements into account.  The suggested text is in a different font and colour purely for ease of reference.

The company should have a Notification in place with the Information Commissioner’s Office (ICO).

PRIVACY NOTICE

This should go on the website under its own tab, “Privacy & Cookies”. It is the main Privacy Notice for the company; others will appear in the footer of emails and on forms that collect data. This Privacy Notice replaces any previous Data Protection Policy and Cookie Policy and should appear on the website:


PRIVACY & COOKIES

Alexander James Developments Limited is based at The Water Works, Moors Close, Great Bentley, Essex CO7 8QN.   We may process “personal data” and/or “special category data” (as defined in UK data protection legislation) as part of our contracted services and/or for our administration.  Information is kept while it remains relevant to the reason for collection and/or if there is a statutory retention period.  All feasible security measures are in place.

Data may be shared with third parties as part of our contracted services, for administrative purposes and/or if we are required by law to do so.  We cannot accept any liability for any processing conducted by a third party outside our remit.

As required by law, we have conducted a cookie audit on our website.  Cookies are internet files utilised by websites to communicate.  We use analytical cookies to monitor and improve our website and social media website advertising for our own company.  None of the cookies we use are intrusive into your system.

None of the above affects your rights under the legislation, in particular your right to access the data we hold on you. If you wish to request a copy of your data, please submit your request in writing or by email to the Company. Please include enough information to enable us to identify you and search for the appropriate data.

If you are dissatisfied with this policy, have queries about our data protection procedures or wish to lodge a complaint, please contact the company in the first instance.  Thereafter you have the right to submit a complaint to the Supervisory Authority, the Information Commissioner’s Office (ICO):

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

COOKIES

There is currently a Cookie Bar on the website. Cookie Bars are ONLY required if the non-essential cookies utilised are intrusive on the user’s system. The company website does NOT use such cookies and therefore I recommend that the cookie bar be removed. Despite assertions to the contrary in the relevant ICO guidance, the public have NOT understood Cookie Bar use, and Cookie Bars have continually proved to be a “restraint” on users entering the website. This is why I recommend their removal when not needed, as in this case.

There is a separate cookie policy on the website.  There is no legal requirement for a separate cookie policy.  The requirement is to conduct a cookie audit and collate the results within the Privacy Notice as I have done above.  Therefore, I recommend the removal of the cookie policy altogether.


EMAIL PRIVACY NOTICE

Email privacy notices are required to meet the Privacy and Telecommunications Regulations 2003, the Companies Act 2007 and the GDPR.  Therefore, I respectfully suggest that the following be added to the existing footer on all outgoing emails as a default:

“The Internet is not a secure system. If you are not the intended recipient of this email, please notify the sender and delete all copies. All personal data herein are processed in accordance with UK data protection legislation. Further details are available in our Privacy Notice or from the Company.”

FORMS ON PAPER

I recommend that the following text be built into forms produced by the company:

“Any personal data/special category data herein is processed in accordance with UK data protection legislation”.

FORMS ON WEBSITE:

There is a Customer Enquiry form on the website. It does have a privacy notice there, and that notice restricts the company’s use of the data. The suggested wording below allows the company to utilise the data more fully (e.g. for marketing, see below). Please include the following privacy notice near the Submit button:

“All personal data are processed in accordance with UK data protection legislation.  All feasible security measures are in place.”


MARKETING

When the legislation came into force on 25th May 2018, there was – and still remains – much confusion about the issues of “consent”.  The only time the company must actively seek consent for using personal data (such as email addresses or IP addresses) is when you are marketing electronically to potential customers with whom you have had no previous contact.  If you want to send some marketing information or do some work for someone who has completed the enquiry form on the website – that is “contact” and you are at liberty to do so without seeking further consent.  NOTE: all such emails must include an “unsubscribe” feature which must be adhered to!  Everyone has the right to “unsubscribe” from any communications at any time – but this is not the same as seeking consent in the first place.

Currently the wording on the “Enquiry form” on the website restricts your use of the data. The problem with “we do not share your data with anyone else” is that you cannot then share it with the Accountant (if external), the Bank (for electronic payments) or the Authorities, if they ask for it and you cannot refuse them, so it becomes very complicated. The Privacy Notice and the short notice for the online form have been worded so that this restriction is not required but the legal requirements are still met.


STAFF LIABILITY

I have not seen the Staff handbook or any email/acceptable use policy that may be in existence.  However, there is a requirement to “train” staff on requirements and to this end they should be aware that they are personally responsible for the content of emails if it is considered personal data.  This is usually included in the Staff handbook/email policy or Acceptable Use policy.  It may be useful to include the following definitions as well:

“Personal data” – any information relating to a natural person

“Special category data” – sensitive data such as medical data.

ACCOUNTABILITY

Under the GDPR, Companies are now required to keep an “Accountability” document within their administrative documentation.  This document needs to contain certain elements and can be issued if required.  To meet these requirements, I recommend that the text below is kept in a folder in the Company administration.


ACCOUNTABILITY

Alexander James Developments Limited is based at The Water Works, Moors Close, Great Bentley, Essex CO7 8QN.   We may process “personal data” and/or “special category data” (as defined in UK data protection legislation) as part of our contracted services and/or for our administration.  Information is kept while it remains relevant to the reason for collection and/or if there is a statutory retention period.  All feasible security measures are in place.

Data may be shared with third parties as part of our contracted services, for administrative purposes and/or if we are required by law to do so.  We cannot accept any liability for any processing conducted by a third party outside our remit.

There is a data retention schedule in place.  This will allow the company to locate data quickly if required as well as documenting the Retention Policy for data.

There are technical security measures in place – encryption where necessary and restriction of access to data to maintain integrity and privacy.  This is in place for both manual data and electronically-held data.  To protect data and for ease of usage, we utilise cloud services – all feasible security measures are in place.

Organisational measures, such as policies and directions for staff when entering data, are in place. Training for staff is provided on an informal basis through the Staff Handbook and staff policies. There are agreements with third party service providers to ensure data are secure. All manual data is secured as required, with access restricted.


PROCEDURES FOR RESPONDING TO REQUESTS FOR SUBJECT ACCESS

Any written request for personal information – by a customer for their information or by a member of staff – should be processed in accordance with data protection legislation.

This document is designed to help you through the process.

Once a request for personal information is received by the company, the time limit for responding starts!  This is only 28 days under the General Data Protection Regulation so it is important that the request is passed to a central co-ordinator as soon as possible.   The receipt should be acknowledged.

Do you have enough information in the Request to identify the subject of the data to be found? Are you sure that the person making the request has the legal right to do so? You can ask for more information if you need it.

Search through all systems (manual or electronic) for information. Then go through all the documents to extract the personal information to be disclosed. Remember that expressions of opinion count. It is not about disclosing whole documents, but the relevant data within those documents.

THIRD PARTIES – any data about someone other than the data subject is a third party.  You should seek the consent of a third party to disclose their data IF it cannot be deleted from the data without destroying the data itself.  In most cases this should be possible.  You are responsible for the information the company holds so just make sure that the Response includes details of where you got the information from.

You need to assess what is disclosable in each case.

RESPONSE

In the Response, you need to state that you are disclosing what is held and possible to disclose under the legislation.  You can withhold anything given to you by the requester but offer a copy if they wish it.  You can decide to include it but make sure the Requester is aware of what is the source of the data.

You should give the Requester the opportunity to request a review by the company of what has been disclosed if they think you have not released everything you should. They also have the right to go to the Information Commissioner’s Office, and you should provide contact details for it.

ADAVISTA, as a specialist consultancy in the field, can provide assistance with this matter if it ever arises.
3. Embedded Content
Pages on this site may include embedded content, like YouTube videos, for example. Embedded content from other websites behaves in the exact same way as if you visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website. Below you can find a list of the services we use:
Facebook
The Facebook page plugin is used to display our Facebook timeline on our site. Facebook has its own cookie and privacy policies over which we have no control. There is no installation of cookies from Facebook and your IP is not sent to a Facebook server until you consent to it. See their privacy policy here: Facebook Privacy Policy.
Twitter
We use the Twitter API to display our tweets timeline on our site. Twitter has its own cookie and privacy policies over which we have no control. Your IP is not sent to a Twitter server until you consent to it. See their privacy policy here: Twitter Privacy Policy.
Youtube
We use YouTube videos embedded on our site. YouTube has its own cookie and privacy policies over which we have no control. There is no installation of cookies from YouTube and your IP is not sent to a YouTube server until you consent to it. See their privacy policy here: YouTube Privacy Policy.
4. Cookies
This site uses cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. Cookies generally exist to make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the help section of your browser.
Necessary Cookies (all site visitors)
  • cfduid: Is used for our CDN CloudFlare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. See more information on privacy here: CloudFlare Privacy Policy.
  • PHPSESSID: To identify your unique session on the website.
Necessary Cookies (Additional for Logged in Customers)
  • wp-auth: Used by WordPress to authenticate logged-in visitors, password authentication and user verification.
  • wordpress_logged_in_{hash}: Used by WordPress to authenticate logged-in visitors, password authentication and user verification.
  • wordpress_test_cookie: Used by WordPress to ensure cookies are working correctly.
  • wp-settings-[UID]: WordPress sets a few wp-settings-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface.
  • wp-settings-{time}-[UID]: WordPress also sets a few wp-settings-{time}-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of the admin interface, and possibly also the main site interface.
5. Who Has Access To Your Data
If you are not a registered client for our site, there is no personal information we can retain or view regarding yourself. If you are a client with a registered account, your personal information can be accessed by:
  • Our system administrators.
  • Our support staff, when they need access to client account information in order to provide support.
6. Third Party Access to Your Data
We don’t share your data with third parties in a way that reveals any of your personal information such as email, name, etc. The only exceptions to that rule are partners with whom we have to share limited data in order to provide the services you expect from us. Please see below:
Envato Pty Ltd
For the purpose of validating and getting your purchase information regarding licenses for this theme, we send your provided tokens and purchase keys to Envato Pty Ltd and use the response from their API to register your validated support data. See the Envato privacy policy here: Envato Privacy Policy.
Ticksy
Ticksy provides the support ticketing platform we use to handle support requests. The data they receive is limited to the data you explicitly provide and consent to being sent when you create a support ticket. Ticksy adheres to the EU/US “Privacy Shield” and you can see their privacy policy here: Ticksy Privacy Policy.
7. How Long We Retain Your Data For
When you submit a support ticket or a comment, its metadata is retained until (if) you tell us to remove it. We use this data so that we can recognize you and approve your comments automatically instead of holding them for moderation. If you register on our website, we also store the personal information you provide in your user profile. You can see, edit, or delete your personal information at any time (except changing your username). Website administrators can also see and edit that information.
8. Security Measures
We use the SSL/HTTPS protocol throughout our site. This encrypts our user communications with the servers so that personally identifiable information is not captured/hijacked by third parties without authorization. In case of a data breach, system administrators will immediately take all needed steps to ensure system integrity, will contact affected users and will attempt to reset passwords if needed.
9. Your Data Rights
General Rights
If you have a registered account on this website or have left comments, you can request an exported file of the personal data we retain, including any additional data you have provided to us. You can also request that we erase any of the personal data we have stored. This does not include any data we are obliged to keep for administrative, legal, or security purposes. In short, we cannot erase data that is vital to you being an active customer (i.e. basic account information like an email address). If you wish all of your data to be erased, we will no longer be able to offer any support or other product-related services to you.
GDPR Rights
Your privacy is critically important to us. Going forward with the GDPR we aim to support the GDPR standard. AncoraThemes permits residents of the European Union to use its Service. Therefore, it is the intent of AncoraThemes to comply with the European General Data Protection Regulation. For more details please see here: EU GDPR Information Portal.
10. Third Party Websites
ThemeREX may post links to third party websites on this website. These third party websites are not screened for privacy or security compliance by AncoraThemes, and you release us from any liability for the conduct of these third party websites. All social media sharing links, either displayed as text links or social media icons do not connect you to any of the associated third parties unless you explicitly click on them. Please be aware that this Privacy Policy, and any other policies in place, in addition to any amendments, does not create rights enforceable by third parties or require disclosure of any personal information relating to members of the Service or Site. AncoraThemes bears no responsibility for the information collected or used by any advertiser or third party website. Please review the privacy policy and terms of service for each site you visit through third party links.
11. Release of Your Data for Legal Purposes
At times it may become necessary or desirable to AncoraThemes, for legal purposes, to release your information in response to a request from a government agency or a private litigant. You agree that we may disclose your information to a third party where we believe, in good faith, that it is desirable to do so for the purposes of a civil action, criminal investigation, or other legal matter. In the event that we receive a subpoena affecting your privacy, we may elect to notify you to give you an opportunity to file a motion to quash the subpoena, or we may attempt to quash it ourselves, but we are not obligated to do either. We may also proactively report you, and release your information to, third parties where we believe that it is prudent to do so for legal reasons, such as our belief that you have engaged in fraudulent activities. You release us from any damages that may arise from or relate to the release of your information to a request from law enforcement agencies or private litigants. Any passing on of personal data for legal purposes will only be done in compliance with laws of the country you reside in.