WHAT IS THE PURPOSE?
At Mercorr it is our responsibility to ensure that we collect, process, store and dispose of personal data in line with the General Data Protection Regulation (GDPR). We feel that the development of GDPR is positive, redressing the balance of power between customers and companies and making us strive to be better.
We recognise the need to commit to innovating and continually improving our GDPR Policy to enhance our performance and to ensure we fulfil our compliance obligations.
WHO IS RESPONSIBLE?
This policy has been developed by the management team at Mercorr to demonstrate our commitment to innovate and continually improve our performance against GDPR.
All employees, including the management team, are responsible for following the framework of this policy and for participating in and contributing to its success through their actions.
WHAT WILL WE DO?
At Mercorr when we say we are going to do something – we do it. This is what we are going to do to ensure that our GDPR Policy delivers against its purpose:
WHAT TYPES OF DATA DO WE COLLECT?
Personal Data: We collect basic personal data about you, such as your name, email address and phone number.
Payment Data: We collect payment data that is needed to process payments.
Business Data: We collect further business information that is processed within a contractual relationship with Mercorr, such as non-personal business addresses, phone numbers and email addresses. This may also include any instructions given, payments made or other such requests.
Special Categories Data: We may collect Special Categories of personal data for the purposes of arranging access to an event, meeting or seminar. This may include asking you to provide information about your health so that we can accommodate any disabilities or special dietary requirements that you may have. Any use of this information is based on your consent; if you choose not to provide this information to us, we will be unable to make the necessary arrangements.
Publicly Available Data: We may collect data from publicly available sources, such as credit reference agencies or any regulatory agencies, including the Environment Agency.
HOW DO WE COLLECT YOUR DATA?
We collect your data via several means, including:
- When you or your business engages us to provide services to you;
- When you or your business browse, make an enquiry or otherwise interact with us via our website, by email or by telephone;
- When you attend a Mercorr event or office;
- When we attend your premises to provide services;
- When you or your business offer to provide or provide services to Mercorr;
- In some circumstances, we may collect data about you from a third-party source, such as validating your business’s credit rating when looking to provision services to you.
WHY DO WE NEED YOUR DATA?
We need your data in order to provide you with the services you have requested, as well as provide you with on-going organisational updates, such as contractual terms, legislative updates and service updates. We do not collect any personal data from you that we do not need to provide and oversee this service for you. You may choose not to provide your personal data to us, however, this may prevent us from providing you with what you request, and we will notify you accordingly.
WHAT IS THE LEGAL BASIS FOR PROCESSING YOUR DATA?
Depending on which of the above purposes we use your personal data for, we may process your data on one or more of the following legal grounds:
- because processing is necessary for our legitimate interests;
- because processing your data is required to meet our legal obligations (e.g. to keep records for tax purposes) and contractual obligations we may have with you or your business;
- in certain limited circumstances with your express consent.
WHO DO WE SHARE YOUR DATA WITH?
We may share your personal data with third-parties to help us meet our legal obligations and contractual obligations to you or your business, these may include:
- our service partners that provide services on our behalf;
- credit rating, debt collection and similar agencies;
- government and law enforcement organisations, including the Environment Agency and Her Majesty’s Revenue and Customs (HMRC).
Mercorr takes your privacy very seriously and will never disclose, share or sell your data without your express consent, unless we are required to do so by law.
HAVE YOU GIVEN CONSENT?
When we run marketing campaigns, promotions and similar events, we promise not to contact you unless you have explicitly expressed your interest (known as consent) or we have a legitimate interest in doing so.
Consent is considered valid for 24 months from the date it was last given or amended.
Legitimate interest applies where the following tests are satisfied:
- Where a clear benefit to the business is demonstrable
- Where a potential benefit to the end customer is identifiable
- It is considered that no harm or distress will result from the communication
- Participation and response to previous campaigns is considered
- The customer is not opted out of the communication type
HOW LONG DO WE KEEP YOUR DATA?
Our standard policy is to retain data and information for only as long as it is necessary to meet the purpose(s) for which it is collected (e.g. UK tax law dictates the retention period for financial data). After this time has passed, it is then disposed of in a methodical and secure way.
HOW DO WE ENSURE DATA IS ACCURATE?
We work hard to ensure that the data we hold is accurate and we will contact you to ensure this remains true, however if you are aware of any inaccuracies please do let us know and we will be happy to make an amendment. This is in addition to your right to rectification.
WHAT HAPPENS IF WE CHANGE HOW WE PROCESS DATA?
We will carry out a Data Protection Impact Assessment (DPIA) for all new projects and/or new uses of personal data which involve the use of new technologies or where processing is likely to result in a high risk to rights and freedoms under GDPR.
DPIAs will address the following:
- The type of personal data that will be collected, held and processed
- The purpose(s) for which personal data is to be used
- The parties involved in the processing, including any change of parties
- Risks posed to data subjects
- Proposed measures to minimise and mitigate identified risks
WHAT ARE YOUR RIGHTS?
As an individual, you have certain rights over your personal data, which Mercorr, as a data controller, is responsible for fulfilling.
- Right of subject access: You have the right to request a copy of the personal data that we hold on you, this is known as a subject access request.
- Right to rectification: You have the right to rectify inaccurate information that we hold.
- Right to erasure (right to be forgotten): You have the right to request the personal data that we hold on you is removed and deleted.
- Right to restrict processing: You have the right to request that we suspend the processing of your data.
- Right to data portability: You have the right to request a copy of the personal data you have provided to us in a structured, commonly used and machine-readable format, so that it can be transferred to another organisation.
- Right to object: You have the right to object to our processing of your data, including processing for direct marketing purposes.
IS YOUR DATA SAFE?
Data security - processing of data
As our customer, we have a legitimate interest in retaining and using this information to provide the contracted services. We promise to keep this information secure by using the best technological solutions available. We promise not to sell your personal data and restrict our data processing to meet the commitments to customers in the provision of services and any legal requirements incumbent upon us.
We will ensure that any processing of your data is performed securely and is protected against unauthorised access, unlawful processing and against accidental loss, destruction or damage.
If we employ a third party to assist in processing your data, we shall ensure they comply with the GDPR and with this Policy.
Data security - use of personal data
We promise to ensure that the following measures are taken with respect to the use of personal data:
- No personal data will be shared informally and if an employee, sub-contractor or third-party requires such information a formal request shall be submitted via the appropriate channels
- No personal data will be transferred to an employee, sub-contractor or third-party without authorisation
- Personal data will be handled with care and will not be left unattended or on view to unauthorised employees, sub-contractors or third-parties.
- If personal data is viewed on a computer and the user leaves the computer unattended they will ensure that the computer is locked first.
- Where personal data held by the Company is used for marketing purposes, it is the responsibility of the Marketing department to seek authorisation from a Director who will ensure appropriate consent or legitimate interest is present.
Data security - information technology
We promise to ensure that the following measures are taken in respect of IT Security:
- All employees will receive unique credentials which shall not be shared with other employees, sub-contractors and third-parties. If a sub-contractor or third-party requires access to our system, they will be provided with a dedicated account provisioned using the principle of least privilege.
- All software will be kept up-to-date
- No software will be installed that is not approved by a Director
Data security - disposal of data
When disposing of personal data, we promise to do so securely:
- Data stored on file servers shall be securely deleted.
- Where hardware is retired from the business we will securely erase all data storage using Microsoft Sysinternals’ Secure Delete (SDelete) tool, which implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M.
- Personal data in hardcopy format shall be securely destroyed on-site using appropriate shredders.
- Where third-parties hold data on our behalf we will ensure that data disposal mechanisms are GDPR compliant.
HOW DO WE TRANSFER YOUR DATA TO A COUNTRY OUTSIDE THE EEA?
We promise to limit the transfer of personal data outside of the EEA, and where this is necessary we shall only use third-parties that implement the GDPR-compliant EU-US Privacy Shield Framework (https://www.privacyshield.gov/).
WHAT HAPPENS IF THERE IS A BREACH?
We will do our best to prevent data breaches; however, if a breach does occur:
- All personal data breaches will be reported to the Data Protection Officer.
- If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer will ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event within 72 hours of our becoming aware of it.
- If a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Officer will ensure that all affected data subjects are informed of the breach directly and without undue delay
- Data breach notifications shall include the following information:
- The categories and approximate number of data subjects concerned
- The categories and approximate number of personal data records concerned
- The name and contact details of the Company’s Data Protection Officer (or other contact point where more information can be obtained)
- The likely consequences of the breach
- Details of the measures taken, or proposed to be taken, to address the breach including, where appropriate, measures to mitigate its possible adverse effects.