This notice explains how we may use personal data which we obtain about you. It sets out who we are, how and why we collect, store, use and share your personal data and the basis on which we do so. It also explains your rights in relation to personal data and explains how to contact us or the supervisory authority should it be necessary.
2. Who we are and how to contact us
SECOTI Limited is based Bath, UK. We are a Limited Company registered in England & Wales with registration number 11215344.
Our website may be found here: www.secoti.com
If you have any queries about our policy or wish to exercise any of the rights described in it, you should contact:
Data Protection Officer: Aldith Carter
Address: 11 Laura Place, Bath, BA2 4BL
3. Key terms
a. Personal data – any information relating to an identified or identifiable individual.
b. Special category personal data – information revealing an individual’s racial or ethnic origin, data about ethnic origin, religious, philosophical, and political beliefs, trade union membership, health and genetic data and data concerning a person’s sex life and sexual orientation.
Our use of personal data is regulated by the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).
5. The personal data we may collect about you
We may collect the following types of personal data about you:
- Identity and contact details (e.g. Company name, Contact Name, email address)
- Financial and transaction data (e.g. bank/building society details, payment card details and details of payments from and to others).
- Technical and usage data (including information about how individuals use our website).
- Information used to provide our services (eg. information provided to us by or on behalf of our clients or otherwise provided to us or generated by us in the course of providing services to our clients).
6. How we collect your personal data
We collect personal data in various ways, including:
- Directly from you via electronic means (e.g. email and instant messaging), post, telephone and in person.
- From third parties with your consent.
- IT systems which we use (e.g. automated monitoring of our website, our computer network and electronic communications systems). For further information, see ‘Cookies, online forms & third-party websites’ below.
7. How we use your personal data
- Under the UK GDPR the lawful bases we rely on to use your personal data are: we have a contractual obligation with you or your company; to perform a contract with you or your company or in order to take steps at your request before entering into a contract.
- We have a legal or regulatory obligation.
- We have a legitimate business interest. A legitimate business interest is when we have a business or commercial reason to use your personal data, as long as this is not outweighed by your own interests and rights. For example, legitimate business interests include: fraud prevention, ensuring network and information security, identifying possible criminal acts, etc.
8. Who we will share your personal data with
We may share your personal data with certain trusted third parties including:
Where we are legally obliged to, personal data may also be shared with regulatory authorities (including the Information Commissioner’s Office (‘ICO’) and the courts, tribunals, government agencies and law enforcement agencies. We will use reasonable endeavours to notify you before we do this, unless we are legally restricted from doing so.
9. How we protect your personal data
We take all reasonable steps to protect your personal data but cannot guarantee the security of any data you disclose to us online. Please note that email is not a secure medium and should not be used to send confidential or sensitive information. You accept the inherent security risks of providing information over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or willful default.
In line with the data protection laws and any applicable guidance, we use a variety of technical and organisational measures to prevent unauthorised access, loss, use, disclosure, alteration or destruction of personal data.
We have put in place appropriate training measures to inform our staff about keeping personal data secure.
We have also put in place procedures to deal with any suspected data breach. We will notify you and any applicable regulator of a suspected personal data breach where we are legally obliged to do so.
11. Transferring your personal data out of the UK
To deliver services to you, it may sometimes be necessary for us to share your personal data outside the United Kingdom (‘UK’). For example, this may happen:
- Where your and our service providers are located outside the UK.
- If you are based outside the UK.
Where we transfer personal data outside the UK, we ensure that it is permissible under the special rules governing such transfers under UK data protection legislation. These special rules may include where a data protection “adequacy decision” has been made by the UK which found that the country where your personal data is transferred offers essentially the same level of data protection that exists in the UK. They may also include where we have reached a binding agreement containing Standard Contractual Clauses with the organisation to whom we transfer your personal data ensuring that it will provide the same level of data protection as the UK.
12. Data storage & retention period
SECOTI holds personal data in physical and electronic forms. Where data is held in physical form, it is stored securely either on our premises or in secure off-site storage. Where data is held electronically, it is securely stored on our servers which are located in the UK and Eire.
SECOTI will process personal data in accordance with its records retention practices or as long as required by the terms of a contract. In setting retention periods, we take account of the purpose for which personal data was collected and any legal and regulatory obligations on us to retain information, limitation periods for legal action and our business purposes.
Where it is no longer necessary to retain your personal data, we will delete or anonymise it.
13. Your rights to access personal data
You have the right to receive information about the personal data which we hold about you.
You may do this by making a written request known as a ‘data subject access request’.
If you are concerned that any of the information we hold on you is incorrect, please contact us (see ‘Data subject rights’ below).
14. Data subject rights
Under the UK GDPR you have a number of important rights which you may exercise unless some national law prevents us from complying. Where you do exercise your rights, this will be free of charge. In summary, your rights include:
- Access – you have the right to request a copy of the information that we hold about you (see ‘Your rights to access personal data’ above).
- Rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- To be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- To restrict processing – where certain conditions apply to have a right to restrict the processing.
- Portability – you have the right to have the data we hold about you transferred to another organisation.
- To object – you have the right to object to certain types of processing such as direct marketing.
- To object to automated processing, including profiling – the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you, or similarly, which significantly affects you.
If you would like to exercise any of your rights, please write to Data Protection, SECOTI 11 Laura Place, Bath, BA2 4BL, or email us: aldith@SECOTI.com.
- Let us have enough information to identify you (i.e. your full name, address and matter number);
- Provide us with proof of your identity and address (e.g. a copy of your driving licence or passport and a recent utility or credit card bill);
- Inform us which right you wish to exercise; and
- Let us know the information to which your request relates, including any applicable matter number(s), if you have them.
15. Cookies, online forms & third-party websites
When accessing our website, SECOTI collects standard internet log information for statistical purposes and to provide the website experience.
Please visit the cookies page on our website for further information.
When we collect personal data, for example via an online form, we will explain what we intend to do with it.
17. Questions and complaints
Although we would hope that we could resolve any concern that you may have, the UK GDPR also gives you the right to lodge a complaint with the supervisory authority for data protection issues. In the UK, the supervisory authority is the ICO.
The ICO’s website is: www.ico.org.uk. The ICO’s telephone number is: 0303 123 1113