privacy policy

1. Privacy Policy

 

Integrated IT Solutions Ltd recognises the difference between a Privacy Policy and a Privacy Notice (or statement) and ensures that we meet the regulatory, legal and best practice requirements for both formats. For the purposes of this document, we use the term Privacy Policy to provide the business, its staff and any associated entities with our operational and organisational approach to protecting data and complying with the General Data Protection Regulation (GDPR) and any relevant data protection laws.

 

This document is our Data Protection & Privacy Policy and includes how we comply with the GDPR principles, the manner in which we process data, guidelines and procedures for ensuring that data subjects can exercise their rights, and our approach to data protection by design and default. This policy provides detail on how we apply the principles, what procedures we follow in complying with the Regulation and any specific individual and/or departmental responsibilities, including those of the Data Protection Officer (DPO), and is fundamentally used as an internal reference document.

 

We have a user-friendly version of our Privacy Policy on our website, which also includes details about the cookies used on the site. The Privacy Policy on the site is in an easy to see and accessible place and is in addition to our legally required Privacy Notice; more details of which are noted below.

 

1.1 Privacy Notice

 

Our Privacy Notice is separate from our Data Protection & Privacy Policy and is provided to individuals at the time we collect their personal data (or at the earliest opportunity where that data is obtained indirectly). Our Privacy Notice includes the Article 13 & 14 (section 1.1 of this policy) requirements as set out in the GDPR and provides individuals with all the necessary and legal information about how, why and when we process their data, along with their rights and obligations.

 

Our Privacy Notice is designed to be a public declaration of how Integrated IT Solutions Ltd applies the data protection principles to data that we process. It is provided to all individuals whose data we process (i.e. customers, employees, third parties, etc.) and contains only the information specific to the individual and as required by law. The notice is easily accessible, legible, jargon-free and is available in several formats, dependent on the method of data collection: -

 

  • Via our website

  • Linked to or written in full in the footer of emails

  • Worded in full in agreements, contracts, forms and other materials where data is collected in writing or face-to-face

  • In employee contracts and recruitment materials

  • Verbally via telephone or face-to-face

  • Via SMS

  • Printed media, adverts and financial promotions

  • Digital Products/Services

  • On Mobile Apps

 

With lengthy content being provided in the privacy notice and with informed consent being based on its contents, we have tested, assessed and reviewed our privacy notice to ensure usability, effectiveness and understanding. 

 

  1. Privacy Notices are drafted by the Data Protection Officer using the GDPR requirements and with Supervisory Authority guidance

  2. We utilise a select customer base to test the Privacy Notice in its varying formats and provide a feedback form for completion, verifying the below points: -

 

  1. How did you use the Privacy Notice (e.g. website, agreement, orally)?

  2. Did you find the information in the Privacy Notice easy to read, understand and access?

  3. Did you gain a full understanding of how we intend to use your data, who it will be shared with and what your rights are?

  4. Did you feel confident in giving consent to use your personal data after reading the notice information? 

  5. Was there anything you did not understand?

  6. Did you find any errors?

  7. What, if anything, would you like to see changed about the Privacy Notice?

 

  3. All feedback responses are saved with a copy of the used Privacy Notice and improvements are made and recorded where applicable

  4. Re-testing is carried out on a new set of customers to ensure variety and independent assessment and verification

  5. After a successful test, the acceptable Privacy Notice is rechecked against the GDPR and Supervisory Authority regulations and guidelines to ensure it still complies and is adequate and effective

  6. The final Privacy Notice(s) are then authorised by Senior Management/Director(s) before being rolled out

 

Where we rely on consent to obtain and process personal information, we ensure that the consent request: -

 

  • Is displayed clearly and prominently

  • Asks individuals to positively opt-in

  • Gives them sufficient information to make an informed choice

  • Explains the different ways we will use their information

  • Provides a clear and simple way for them to indicate they agree to different types of processing

  • Includes a separate un-ticked opt-in box for direct marketing

 

1.2 Personal Data Not Obtained from the Data Subject

 

Where Integrated IT Solutions Ltd obtains and/or processes personal data that has not been obtained directly from the data subject, Integrated IT Solutions Ltd ensures that the information noted in section 1.6 of this policy is provided to the data subject  of our obtaining the personal data.

 

In addition to the information provided to the data subject in section 1.5, we also provide information about: -

 

  • The categories of personal data

  • The source the personal data originated from and whether it came from publicly accessible sources  

 

Where the personal data is to be used for communication with the data subject, or a disclosure to another recipient is envisaged, the information will be provided at the latest at the time of the first communication or disclosure. Where Integrated IT Solutions Ltd intends to further process any personal data for a purpose other than that for which it was originally obtained, we communicate this intention to the data subject prior to doing so and, where applicable, process only with their consent.

 

Whilst we follow best practice in the provision of the information noted in section 1.4 of this policy, we reserve the right not to provide the data subject with the information if: -

 

  • They already have it and we can evidence their prior receipt of the information

  • The provision of such information proves impossible and/or would involve a disproportionate effort

  • Obtaining or disclosure is expressly laid down by Union or Member State law to which Integrated IT Solutions Ltd is subject and which provides appropriate measures to protect the data subject's legitimate interest

  • Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy

 

1.3 Employee Personal Data

 

As per the GDPR guidelines, we do not use consent as a legal basis for obtaining or processing employee personal information. Our HR policies have been updated to ensure that employees are provided with the appropriate information disclosure and are aware of how we process their data and why. 

All employees are provided with our Staff Handbook which informs them of their rights under the GDPR and how to exercise these rights. 

 

1.4 The Right of Access

 

We have ensured that appropriate measures have been taken to provide information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 (collectively, The Rights of Data Subjects), relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

 

Such information is provided free of charge and is in writing, or by other means where authorised by the data subject and with prior verification as to the subject’s identity (i.e. verbally and/or electronically).

 

Information is provided to the data subject at the earliest convenience, but at a maximum of 30 days from the date the request is received. Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary. However, this is only done in exceptional circumstances and the data subject is kept informed in writing throughout the retrieval process of any delays or reasons for delay.

Where we do not comply with a request for data provision, the data subject is informed within 30 days of the reason(s) for the refusal and of their right to lodge a complaint with the Supervisory Authority. 

 

1.5 Subject Access Request

 

Where a data subject asks us to confirm whether we hold and process personal data concerning him or her and requests access to such data, we will provide them with: -

 

  • The purposes of the processing

  • The categories of personal data concerned

  • The recipients or categories of recipient to whom the personal data have been or will be disclosed

  • Whether the data has been or will be disclosed to third countries or international organisations, and the appropriate safeguards pursuant to the transfer

  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period

  • The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing

  • The right to lodge a complaint with a Supervisory Authority

  • Where personal data has not been collected by Integrated IT Solutions Ltd from the data subject, any available information as to the source and provider

  • The existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

 

Subject Access Requests (SARs) are passed to the Data Protection Officer/Compliance Officer as soon as they are received and a record of the request is noted. The type of personal data held about the individual is checked against our Information Audit to see what format it is held in, who else it has been shared with and any specific timeframes for access.

 

SARs are always completed within 30 days and are provided free of charge. Where the individual makes the request by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested.

 

Please refer to our external Subject Access Request Procedures for the guidelines on how an SAR can be made and what steps we take to ensure that access is provided under the GDPR.

 

1.6 Data Portability

 

Integrated IT Solutions Ltd provides all personal information pertaining to the data subject to them on request and in a format that is easy to disclose and read. We ensure that we comply with the data portability rights of individuals by ensuring that all personal data is readily available and is in a structured, commonly used and machine-readable format, enabling data subjects to obtain and reuse their personal data for their own purposes across different services.

 

To ensure that we comply with Article 20 of the GDPR concerning data portability, we keep a commonly used and machine-readable format of personal information where the processing is based on: -

  • Consent pursuant to point (a) of Article 6(1)

  • Consent pursuant to point (a) of Article 9(2)

  • A contract pursuant to point (b) of Article 6(1); and

  • the processing is carried out by automated means

 

Where requested by a data subject and if the criteria meet the above conditions, we will transmit the personal data directly from Integrated IT Solutions Ltd to a designated controller, where technically feasible.

 

We utilise the below formats for the machine-readable data: -

  • HTML

  • CSV

  • XML

  • XHTML

 

All requests for information to be provided to the data subject or a designated controller are completed free of charge and  of the request being received. If for any reason we do not act in responding to a request, we provide the data subject with a full, written explanation within 30 days of the reasons for refusal and of their right to complain to the Supervisory Authority and to seek a judicial remedy.

 

All transmission requests under the portability right are assessed to ensure that no other data subject is concerned. Where the personal data relates to more individuals than the subject requesting the data/transmission to another controller, this is always without prejudice to the rights and freedoms of the other data subjects.