When we process your personal data (including where your personal data has been passed to us by somebody else, such as our client) we are required to comply with the General Data Protection Regulation 2016 (“GDPR”) and the Data Protection Act 2018 (the “DPA”) (the DPA and GDPR are together referred to as the “Data Protection Legislation”).
Your personal data includes all the information we hold that identifies you or is about you, including but not limited to your name, email address, postal address, date of birth, location data and in some cases opinions that we document about you. It also includes any sensitive information that we may hold about you, such as medical and health records (known as “special categories of data” in GDPR). We may hold special categories of data about you if we have received it from our client where the services they have requested from us relate to you or your case.
Everything we do with your personal data counts as processing it, including collecting, storing, amending, transferring and deleting it. We are therefore required to comply with the Data Protection Legislation to make sure that your information is properly protected and used appropriately.
This fair processing notice provides information about the personal data we process about you, why we process it and how we process it.
Pragma and Associates Limited (“Pragma”) is the data controller of the personal data you provide. We have nominated Laura Naughton to have day to day responsibility for ensuring we comply with the Data Protection Legislation and dealing with any requests we receive from individuals exercising their rights under the Data Protection Legislation. Laura can be contacted at firstname.lastname@example.org.
We may have received your personal data from one of our clients where the services they have requested from us relate to you or your case, in which case we will process your data in accordance with this fair processing notice.
Where you are one of our clients or suppliers, we process your personal data in order to fulfil the contract we have entered into with you, to receive services or goods from you, and/or to provide the services you have requested from us. We may also process your personal data to respond to any queries or comments you submit to us, including via our website.
If we need your personal data to enter into a contract with you or provide you with information you need, we may be unable to fulfil our obligations to you if you do not provide the information to us.
We process most of your information on the grounds of our legitimate interests (i.e. processing that is necessary to continue our relationship with you and to provide you with or receive from you (as applicable) services or products), the legitimate interests of a third party (such as our client), fulfilment of our contract with you or to comply with a legal obligation.
If none of the grounds set out above applies, we will obtain separate consent from you to the processing of your personal data, or we will ask our client to seek consent from you to pass us your data. You can withdraw your consent at any time. This will not affect the lawfulness of any processing we carried out prior to you withdrawing your consent.
We only transfer your personal data to the extent we need to. Recipients of your personal data include the subcontractors we use to provide elements of our services to you.
We do not transfer your personal data outside of the EEA.
We will retain your personal data for 10 years from the last date we provide services to you. Your information will be kept securely at all times. Following the end of the 10 year period, your files and personal data we hold about you will be permanently deleted or destroyed. If we are required to obtain your consent to send you marketing communications, any information we use for this purpose will be kept until you withdraw your consent (except that we will retain a copy on a suppression list to ensure no further communications are sent to you).
You benefit from a number of rights in respect of the personal data we hold about you. We have listed your rights below, and more information is available from the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/). These rights apply for the period in which we process your data:
If you think we have processed your personal data unlawfully or that we have not complied with GDPR, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website – https://ico.org.uk/concerns/.
If you have any questions or would like more information about the ways in which we process your data, please contact Laura Naughton at email@example.com.