In order to conduct its business activities, it is necessary for London LHD Centre to act as a data controller with respect to gathering and using the personal data of individuals. These can include clients, suppliers, freelancers, employees and other person the company has a relationship with or may need to contact. This policy sets out how we collect, use and protect any information you give us when using our website and/or our services.
We are committed to safeguarding your privacy. Should we ask you to provide certain information, you can be assured that it will only be used in accordance with this policy. We may be required to update this policy from time to time in order to remain legal and compliant. You should check this page periodically to ensure that you are happy with any changes.
Why this policy exists
• Complies with GDPR and follows good practice
• Protects the rights of employees, freelancers, suppliers & clients
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach
What we collect
We may collect the following information:
Clients & Suppliers
• Name, company name and job title
• Contact information including telephone number and email address
• Business or personal address and postcode
• Other information relevant to your enquiry or to enable us to fulfil a contract
Employees and Freelancers
• Contact information including address, telephone number and email address
• Details of previous work and/or employment
• Other information to enable us to fulfil a contract or terms & conditions
Lawful reasons for processing
For Business to Business clients and contacts, our lawful reason for processing your personal information will usually in the first instance be “legitimate interests”. Under this we can process your information if we have a genuine and legitimate business reason and we are not harming any of your rights and interests.
Once you enter into a contract with us our lawful reason becomes “contractual obligation”. This also includes steps taken at your request before entering into a contract.
Freelancers & Employees
For Business to Consumer clients and contacts, our lawful reason for processing your personal information will usually be “contractual obligation” e.g. to supply services you have requested, or to fulfil obligations under an employment contract. This also includes steps taken at your request before entering into a contract.
What we do with the information we collect
We require this information to understand your needs and provide you with a better service and in particular, for the following reasons:
• To provide ongoing customer service and maintain internal record keeping including for accounting purposes
• To enable contact by email or phone in relation to the enquiry you have made with us
• To periodically send update emails about new products/services or other information relevant to your enquiry. You may unsubscribe from receiving these emails at any time by clicking the unsubscribe link which is included at the bottom of all our update emails
Employees and Freelancers
We require this information, in order to fulfil your employment contract.
We are required to keep documents, contracts etc. for the length of the contract as a minimum and for up to seven years afterwards as a maximum. We will determine this on a case-by-case basis after taking into account the individual circumstances and will only keep data which is necessary for us to fulfil our contractual obligations. Any personal data held by us for marketing updates will be kept by us until such time that you notify us you no longer wish to receive this information.
We are committed to ensuring that your information is secure and protected against unauthorised or unlawful processing, accidental loss, destruction and damage. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, technical and managerial procedures to safeguard and secure the information we collect.
Personal data stored in digital format is stored securely.
Despite all the controls we have put in place to address all the key GDPR principles, there is still always a risk a data breach may happen.
Our work for you may occasionally require us to pass your information to our service providers and for the purpose of delivering our services to you.
Where we are entering into an engagement with a third party, we will seek to be satisfied that they have secure measures in place so your privacy rights continue to be protected as outlined in this policy.
We only disclose information that is necessary to deliver our services and we never allow your personal data to be used by any third party for any market research, marketing or other commercial purposes.
Under GDPR law, we may be required to disclose your data for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also be required to disclose your personal data where such disclosure is necessary for the establishment or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
In the unlikely event of this, the breach will be notified to all data subjects affected without undue delay. If appropriate, this will also be reported to the ICO within 72 hours of us becoming aware. The person who should be informed of any breaches is named at the bottom of this policy and is contactable by email at all times.
Your rights under GDPR
Your principle rights under GDPR are:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• The right not to be subject to automated decision-making, including profiling
This means you have the right to know what data we are holding for you at any time, the right to access this data, change it and/or have it removed from any further processing activity.
Subject access request
If you would like to contact us with a subject access request, please use the email address firstname.lastname@example.org with ‘GDPR Subject Access Request’ in the subject line. We will contact you within ten days of receiving this request.
If you are unhappy with the way your subject access request has been dealt with, you have the right to report a concern with a supervisory authority. In the UK, this is the Information Commissioner’s Office www.ico.org.uk/concerns.