Privacy notice for clients and 3rd parties

As part of our obligations under the General Data Protection Regulation (GDPR), we’ve published a new Privacy Notice to make it easier for you to find out how we use and protect your information and information about individuals who are connected to your business.

This Privacy Notice is to let you know how Malcolm Hollis promises to look after your personal information. This includes what you tell us about yourself, what we learn by having you as a client or working with you as a service provider, and the preferences you express about what type of marketing you want us to send you. This Privacy Notice explains how we do this and tells you about your privacy rights and how the law protects you where we process your personal data.

We won’t be changing the ways we use this information, but the new Notice will provide you with additional details such as:

  • The types of information Malcolm Hollis collects about you and individuals connected to your business, and how we use it.
  • The legal grounds for how we use personal information.
  • Increased rights which individuals have in relation to the information we hold about them.
  • How we keep information secure.

Our privacy promise

We promise:

  • To keep your data safe and private,
  • Not to sell your data,
  • To give you ways to manage and review your marketing choices at any time.

Data Protection law will change on 25 May 2018 and this Privacy Notice sets out most of your rights under the new regulation.   We may make further updates before 25 May 2018 and will periodically review this notice for accuracy in the future.

We will process all personal data in accordance with the following principles:

  • (a)    all personal data must be processed lawfully, fairly and in a transparent manner;
  • (b)    all personal data must be collected for one or more specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes;
  • (c)    all personal data shall be restricted to what is adequate, relevant and limited for those purposes;
  • (d)    all personal data shall be kept accurate and up to date (and reasonable steps must be taken to erase or rectify inaccurate personal data);
  • (e)    all personal data must be kept for no longer than is necessary for those purposes;
  • (f)     all personal data must be protected by appropriate technical and organisational security measures to prevent unauthorised or unlawful processing and accidental loss, destruction or damage.

Malcolm Hollis as the data controller will be responsible for compliance with these principles and must be able to demonstrate its compliance.

Who does this Privacy Notice relate to?

This Privacy Notice relates to all Malcolm Hollis clients, whether businesses (and the individuals associated with them) or individuals, and to all 3rd party businesses and individuals who work with Malcolm Hollis to provide a service, for example as a supplier, contractor, sub-contractor or referrer of business.

Individuals connected to your Business

When providing you with our services we will collect information on individuals connected to your business.  This information may be collected from you or other independent sources.  All relevant individuals will have access to this Privacy Notice and if you, or anyone else on your behalf, has provided or provides personal information to us on an individual connected to your business, you or they must first ensure that you or they have the authority to do so.

Which products and services does the Privacy Notice relate to?

The notice applies to all products and services offered and provided by Malcolm Hollis. This includes:

What type of personal information does the Privacy Notice relate to?

Malcolm Hollis will only request details that are genuinely required e.g. in order to carry out our obligations to you or for the purposes of our balanced, genuine business interests.

Data may include:

  • Name,
  • Business contact details including mobile/landline numbers, email address and business address,
  • Role title, position and responsibility details,
  • Additional information around the nature of your role, this may include qualifications and experience that you wish to tell us about,
  • Sex/gender,
  • Photographs taken at events,
  • CCTV footage if you attend our premises,
  • Hobbies and interests,
  • Personal preferences including dietary requirements, personal details linked to an event (e.g. shoe size for a bowling evening), details around physical ability (e.g. ability to swim for a sailing event), or travel preferences (this list is not exhaustive, however, only appropriate types of data will be collected depending on the processing activity),
  • Open data / public records which includes data that you have made freely available in a public domain such as via social media or publications and news articles,
  • Permissions – so we can record how you would like to receive information from us, or if you would prefer not to,
  • Extra information that you choose to tell us.

Please note that the above list of categories of personal data we may collect is not exhaustive.

Personal data will be collected, stored and processed for the following purposes:

  • In order to provide the Services to the Client;
  • In order to be provided with the services of a 3rd party;
  • In order to comply with legislation for the prevention of money laundering;
  • In order to maintain adequate accounting and financial records and to invoice the Client as and when appropriate;
  • To allow Malcolm Hollis to invite the Client, 3rd Party and/or Contact Persons to any events organised alone or jointly by Malcolm Hollis;
  • To obtain credit checks and/or references in relation to the Client, if necessary;
  • To carry out any other activities that may be ancillary or related to the above, including contact by email and text message for marketing, advertising or research purposes.

Lawful processing basis – definitions

Under the GDPR, we must identify a lawful basis for processing your personal data. The most common bases are explained below.

  • Legitimate interest – using people’s data in ways they would reasonably expect in the context of our business, and which have a minimal privacy impact, or where there is a compelling justification for the processing.
  • Contractual – where we need to fulfil our contractual or agreement obligations to you, or you have asked us to do something before entering into a contract (e.g. provide a quote).
  • Consent – asking you to ‘opt-in’ as a preference where we may not have a balanced interest between the service we are offering and the interests you may have.

For further information, please visit the ICO website (www.ico.org.uk): Guide to the General Data Protection Regulation (GDPR) > Lawful Basis for Processing.

Reasons for processing your personal data

We will use this personal data in order to carry out activities, some of which will include marketing purposes, event invitations and carrying out our contractual duties to you.

If Malcolm Hollis requests sensitive personal data we will ensure that the correct lawful basis for processing is used and, when consent is required, that this can easily be both freely given and withdrawn and your appropriate preferences recorded.  If we haven’t had to gain consent, you will still be able to exercise your right to object (see section ‘Your rights under GDPR’).

All individual personal data is regarded as company confidential data and will be handled appropriately at all times.

The table below sets out each processing activity, our justification for it and the primary lawful processing basis we rely on.

  • Processing activity: Collecting personal data for new clients/3rd parties, e.g. receiving a business card or exchanging details at events
    Justification: We conclude that data has been given to Malcolm Hollis in order to update you about our services and events
    Primary lawful basis: Legitimate Interest
  • Processing activity: Buying in mail lists
    Justification: To offer our services and invite clients to events where there is a balanced business interest
    Primary lawful basis: Legitimate Interest
  • Processing activity: Responding to requests for work, quotes and tenders
    Justification: Necessary in order to commence with a business prospect; processing would be expected by the client or 3rd party
    Primary lawful basis: Legitimate Interest / Contractual
  • Processing activity: Carrying out work related requests and activities in line with an existing contract/agreement
    Justification: To carry out our duties in line with contractual/agreement related obligations, to give relevant updates to clients/3rd parties and to conduct billing activities
    Primary lawful basis: Contractual
  • Processing activity: Adding or amending contact details in our management system
    Justification: In order to keep records up to date, fulfil contractual obligations and carry out data cleansing activities
    Primary lawful basis: Legitimate Interest
  • Processing activity: Maintaining purchase history on client records
    Justification: In order to continue offering relevant services and ensure records are kept up to date
    Primary lawful basis: Legitimate Interest
  • Processing activity: Conducting marketing activities to prospective clients, inviting clients to events and promoting campaigns
    Justification: To carry out marketing activities, inform clients of relevant services available, attend relevant events and give company and industry updates
    Primary lawful basis: Legitimate Interest / Consent
  • Processing activity: Conducting marketing activities to existing contacts, inviting clients/3rd parties to events and promoting campaigns
    Justification: To carry out marketing activities, inform clients/3rd parties of relevant services available, attend relevant events and give company and industry updates
    Primary lawful basis: Legitimate Interest
  • Processing activity: Updating attendance records for events
    Justification: To assist with future marketing activities and identify which events are of interest to clients and 3rd parties
    Primary lawful basis: Legitimate Interest
  • Processing activity: Recording responses to questionnaires
    Justification: To maintain business relationships and monitor the quality and relevance of our services
    Primary lawful basis: Contractual
  • Processing activity: Addressing any requests from clients or 3rd parties
    Justification: To ensure clients/3rd parties receive the appropriate level of information requested, and to identify trends linked to repeated issues and improve our service and relationship with contacts
    Primary lawful basis: Legitimate Interest
  • Processing activity: Addressing complaints from clients or 3rd parties
    Justification: To comply with legal and regulatory requirements; to resolve situations where the contact is dissatisfied and assess any measures of redress where justified; and to identify trends linked to repeated issues and improve our service and relationship with clients and 3rd parties
    Primary lawful basis: Legal / Contractual


What we mean by marketing

  • Using your personal information by way of contact details in order to inform you and your business about new services, events and conduct campaigns,
  • Profiling your data in order for us to justify why we have previously processed your data and why we would continue to do so,
  • To identify what type of marketing information we believe may be of use to you and what you may be interested in,
  • We will only use your information for marketing purposes when we justify our reasons to be a lawful basis using either ‘legitimate interest’ or ‘consent’.
  • We will only use your information for marketing purposes where you have not ‘opted out’ or otherwise indicated a preference not to hear from us,
  • We may periodically ask you to review your preferences about how we contact you and will make it easy for you to change your mind.

GDPR and PECR – electronic marketing

The GDPR and the Privacy and Electronic Communications Regulations (PECR) overlap when it comes to identifying a lawful basis for processing personal data. GDPR does not replace PECR; however, it may affect whether we can rely on legitimate interest in order to continue contacting you, or will need to ask for your consent. This means we will have to take certain circumstances into account, such as whether you work within a corporate organisation or are a partnership or sole trader. We will also consider our approach depending on whether you have used our services in the past, whether you have ever opted out of our marketing activities, and whether we consider that contacting you may affect you negatively or that you may be likely to object.

When we don’t need to ask for your consent, we will always give you the opportunity to opt out/object.

Your rights under GDPR

Changes to the regulation mean that every individual whose personal data is processed now has more rights about how their information is used, and why.

Your rights include:

  • Asking us to tell you what data we hold about you and requesting a copy.  This is called a Subject Access Request.  We will not charge for this unless a request is manifestly unfounded or excessive, particularly if it is repetitive, or if further copies are requested.  We will have 1 month to comply with your request.
  • Objecting to your personal information being processed.  You may also ask us to delete it (known as ‘the right to be forgotten’) and we will consider all such requests.  If there are legal reasons for us keeping your data despite your request, we will discuss this with you.
  • Asking us to amend or stop using your information because it’s inaccurate or you want to restrict how we process it.
  • You have the right to be informed about the collection and use of your data,
  • Asking us to move, copy or transfer your personal data easily from one IT environment to another, in a safe and secure way, without hindrance to usability.

Please contact us if you wish to speak to us about this.

Consequences of not providing us with certain data

Providing Malcolm Hollis with certain personal data is the choice of the individual to whom that data belongs. You may choose not to give us certain information we ask for, or ask us to delete or stop using information that we already hold on you, and it is your right to do so. However, we may have overriding interests or obligations concerning certain data, and we must also highlight some possible consequences of our not being able to process certain data belonging to you.

  • We may not be able to keep you informed about our new products and services or any relevant changes,
  • We may not be able to keep you up to date with industry or regulatory changes, news and market reports,
  • We may not be able to keep you informed around any upcoming events or invite you to our events, or as a guest to accompany us to 3rd party events,
  • We may not be able to fulfil our contractual obligations to you in order to provide our service,
  • We may not be able to continue using your products or services,
  • We may not be able to consider new business with you or arrange networking opportunities to benefit both you and us.

Withdrawing consent

If we have asked for your consent at any time and you now wish to withdraw it, please contact us and we will update our records accordingly.

Please remember that if you withdraw consent we may not be able to continue offering you our products and services, however, if this is the case we will discuss this with you.

If we are processing your data using the lawful processing basis of ‘legitimate interest’ you will not have given us ‘consent’ to process this data, however, you still have the right to object (see section ‘Your Rights Under GDPR‘).

If you have any questions please contact us.

How to complain

If you are not happy about how we are processing, or have processed, your personal information, you are able to raise a complaint with us. Also, if you have instructed us on how to process your data in exercising your individual rights and you are not happy with the outcome, please let us know.

How long we will keep your data for

Whilst you are still an active client of Malcolm Hollis, we still have regular contact with you and you haven’t instructed us to delete your data, we will continue to retain your data in a secure environment.

We will retain, cleanse and delete your data in line with our Data Retention Policy, an extract of which can be found here.

Circumstances that will result in us keeping your data outside of these retention periods includes legal and regulatory reasons.

How we keep your data secure

Security of your personal data is vitally important to Malcolm Hollis and we strive to maintain security in many ways:

  • Testing and reviewing our systems, networks and locations that process data,
  • Maintaining security policies and procedures which are tested and reviewed periodically,
  • Ensuring employees are given the tools and training to handle data responsibly,
  • Controlling access to data across various levels including system and application access, physical access and 3rd party access, robust password management procedures and access only granted on a ‘need to know’ basis,
  • Ensuring data is periodically cleansed, archived or deleted in line with policy,
  • Malcolm Hollis is certified to the Cyber Essentials standard and is working towards ISO 27001 certification,
  • Employees undergo screening upon joining Malcolm Hollis and training is mandatory for topics such as information security and data protection,
  • Ensuring data is encrypted both in transit and at rest,
  • Information assets are logged and equipped with up to date antivirus software,
  • Data is regularly backed up and stored in a secure environment,
  • Data breaches and security incidents are reported in line with policy and are followed up with analysis, risk assessments and corrective action where necessary.

In line with our security obligations we would also ask that you notify us of any changes to your data so we can keep our records as accurate as possible.

Transfers outside the EEA

We will only transfer personal data outside the EEA subject to appropriate safeguards. These safeguards will usually consist of standard data protection clauses which we will adopt and implement with the relevant data processor or third party service provider; we will inform you in advance if other safeguards are to apply.

Data from 3rd parties we work with

We work with various industries and may in some cases receive your contact details as a referral from other businesses. We will only process your data where there is a legal justification for doing so, e.g. where we reasonably believe it is within our balanced business interests.

Parties we share data with

We may share your data with parties such as the following:

  • Regulators and other authorities,
  • Any party linked with you or your business’s product or service,
  • Companies we have a joint venture or agreement to co-operate with, where appropriate to do so, such as contractors, sub-consultants and consultants,
  • Companies who conduct requested credit checks on our behalf,
  • Organisations that introduce you to us,
  • Companies that we introduce you to, where appropriate to do so,
  • Companies you ask us to share your data with,
  • The Malcolm Hollis group of registered offices.

We also have to share information or data in order to:

  • Meet any applicable law, regulation, legal process or enforceable governmental request,
  • Meet our contractual clauses for the purpose of audit,
  • Enforce applicable policies, including investigations,
  • Detect, prevent, or otherwise address fraud, security or technical issues,
  • Protect against harm to the rights, property or safety of our users, the public or to Malcolm Hollis and/or as required or permitted by law.

Use of cookies

Personal data may be collected when individuals fill in forms on our websites or by corresponding with us by phone, e-mail or otherwise. This includes information provided when an individual registers to use our websites, subscribes to our service, or makes an enquiry.

For more information, please visit our Cookie Policy available on our website.

Changes to our Privacy Notice

We may need to make changes to our policies and notices from time to time where the processing of personal data is impacted.  When we have made changes we will update the Privacy Notices on our website for you to read.

Malcolm Hollis contact details

If you have any questions, require further information or wish to complain, please contact us.

You can contact our Data Protection Manager

Email:  data.protection@malcolmhollis.com

Phone:  00800 2266 2247

If you wish to write to one of our offices, please follow this link: http://www.malcolmhollis.com/contact/

Or post to: Battersea Studios, 08-82 Silverthorne Road, London. SW8 3HE

Data protection regulators (supervisory authorities)

UK (Lead Authority)

The Information Commissioner’s Office (ICO) is the UK regulator for the Data Protection Act 1998 and now the regulator for the GDPR.

www.ico.org.uk

Germany

Berliner Beauftragter für Datenschutz und Informationsfreiheit

https://www.datenschutz-berlin.de//

Spain

Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD)

www.agpd.es

Republic of Ireland

Data Protection Commissioner

www.dataprotection.ie

Netherlands

Dutch Data Protection Authority – Autoriteit Persoonsgegevens

https://autoriteitpersoonsgegevens.nl/nl