This policy sets out the basis on which we will process any personal data that we collect from you, or that you provide to us, to protect and respect your privacy.
For the purpose of the Data Protection Act 1998 (Act) / EU General Data Protection Regulation 2016 (GDPR), the data controller is Michelle Jones, MEB Design Ltd, at the Kent office.
1. Individuals whose data we collect and process
We collect and process data from a range of individuals, for the purpose of our legitimate business interests as defined in Article 6.1 of the GDPR, including:
- Members of staff (Staff).
- Job applicants (Potential Staff).
- Individuals such as our clients who are end users of our services (End Users).
- Individuals who we judge may become end users of our services (End Users).
- Individuals whose services we employ or may consider using to carry out our services (Contractors).
- Individuals who form part of the design teams for projects on which we work or provide specialist services for our projects (Specialists).
- Individuals who may form part of the design teams for projects on which we will work or will need to provide specialist services for our projects (Specialists).
2. Information we process about individuals
We collect and process relevant data about Individuals such as:
- Information you provide by filling in any forms we require, or that you send to us for our legitimate business use.
- If you contact us about our services, and we need to keep a record of that correspondence.
- Information we prepare – such as contact lists for project teams or attendees noted in the minutes of meetings.
- Information we prepare and circulate – such as guest lists – relating to the management of our legitimate marketing activities.
- If you allow us to use your name as a reference or testimony for marketing purposes and obtaining new clients.
- If you offer us a service, and we want to keep a record of that correspondence.
- Details of any transactions you carry out with the company.
- Any information incidental to that listed above.
Sensitive data is only collected from staff for health and safety reasons, or to meet specific briefs for clients (physical or mental health conditions), or for tracking our diversity profile as a company (racial / ethnic origins).
3. Information we process about end users
Information is processed for our use only and is not shared with any uninvolved third party without consent.
4. Retention and deletion
MEB Design Ltd retains your information while you remain of interest to our legitimate business purposes. We will retain your information unless you request that your details be deleted. We will only contact you if we believe the information we intend to send you could be of ‘legitimate interest’ to you or your company.
We keep information for the following typical length of time:
- Members of staff – for as long as legally required including after leaving the company.
- Job applicants – no longer than a year.
- Individuals who are end users of our services (End Users) – for as long as our liabilities last for that project (normally 6 years under hand or 12 years under seal) plus a suitable period.
- Individuals who may become end users of our services – a suitable period after last contact.
- Individuals whose services we employ to carry out our services – for as long as legally required.
- Individuals who form part of the design teams for projects on which we work – for as long as our liabilities last for that project (normally 6 years under hand or 12 years under seal) plus a year.
Subject to applicable law, MEB Design Ltd may retain information:
- If there is an unresolved issue relating to your account, such as an outstanding invoice on your account.
- If necessary for its legitimate business interests, such as fraud prevention.
- If we are required to by applicable law; and/or in aggregated and/or anonymised form.
Any personal information in hard format will be shredded.
5. IP addresses, cookies and similar technologies
6. Where we store individuals’ personal data
We retain hard copies of some personal staff information and this is kept under lock and key in the office or out of the office in a secure location.
7. Security and control of data
All electronic information you provide us is stored securely and is accessible only by you if you are an Authorised User(s) of our software. Once we have received your information whether collected by us or on our own, or on our customer’s behalf, we will use strict procedures and security features in order to reduce the risk of unauthorised access.
Data breaches will be reported within 72 hours of discovery and the person(s) notified.
We note that the transmission of information via the internet is not completely secure. Any transmission you send us is at your own risk.
8. Personal data on social media
Use of personal information on social media sites is subject to this policy and our social media policy.
9. How we use your information
We use information held about you in the following ways:
- To provide you with information or services that you request from us or which we feel may interest you.
- To carry out our obligations arising from any contracts entered into between you and us.
- To notify you about changes to our service.
- We do not disclose personal information about individuals to advertisers or sell your information to any other organisation for marketing purposes.
10. Sharing your information
We will not share your information with third parties except:
- Our accountants.
- When, by your agreement, you allow us to use your name as a reference or testimony for marketing purposes and obtaining new clients.
11. Accessing your information
The Act gives you the right to access information held about you. You can find out if we hold any personal information about you by making a “data subject access request” under GDPR 2016. If we hold information about you we will:
- Give you a summary of it.
- Tell you why we are holding it.
- Tell you who it could be disclosed to.
Any formal subject access request should be made in writing to the data controller as above. This will be provided free of charge (FOC). However, we may charge a reasonable fee for repetitive, unfounded, or excessive requests or additional copies.
12. How can you update or change your information?
If at any time you wish to change your information, you can contact us, providing updated information. If you wish to opt out of any notifications, invitations and communications you can contact us and we will ensure you do not receive any more communications.
13. Links to other sites
Our website will, from time to time, contain links to and from the websites of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
15. Personal information held temporarily on equipment outside the office
Sometimes personal information will be taken out of, or accessed, outside the office. This information will be password protected.
16. Data subject rights
- Right to Rectification – the right to request the controller rectify inaccurate personal data.
- Right to Object – the right to object to processing based on either public interests or legitimate interests. Processing will stop, unless the controller demonstrates compelling grounds for continuing the processing or that the processing is necessary in connection with the controller’s legal rights.
- Right to Object to Direct Marketing.
- Right to be Forgotten – the right to have the controller erase personal data without undue delay. Contingent on the occurrence of one of the following:
  - The data is no longer necessary;
  - The data subject withdraws consent (and consent is the legal basis for processing);
  - Controller has no overriding grounds for continuing processing against the objection;
  - Processing was unlawful;
  - Erasure is necessary under EU or national law.
- Right to Restrict Processing – the right to have the controller restrict processing if:
  - The accuracy of the data is contested;
  - Processing is unlawful;
  - The controller no longer needs the data for its original purpose, but needs it for legal purposes;
  - Erasure is pending.
- Right of Data Portability – the right to receive a copy of your data in a commonly used machine-readable format for transfer to another controller.