What is the purpose of this Notice?
This Privacy Notice sets out how XYZ Reality Limited (“we”, “our”, “us”, “the Company”) handles the personal data of our Data Subjects (“you”).
This privacy notice describes how we collect and use personal information about you in accordance with the General Data Protection Regulation (GDPR).
XYZ Reality will act as a Data Controller for the lawful treatment of personal data. XYZ Reality is committed to protecting the privacy and security of your personal information.
The Data Protection Officer (DPO) is responsible for overseeing the privacy notice and, as applicable, developing related policies and policy guidelines. For questions regarding the operation of this privacy notice, please contact the DPO at email@example.com.
To be aware of how and why we are using such information and what your rights are under the data protection legislation, it is important that you read and retain this notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you.
Data Protection Principles:
The Company complies with all data protection laws issued by the GDPR. All personal information we hold about our Data Subjects is:
- Used lawfully, fairly and in a transparent way
- Collected only for valid purposes and clearly explained
- Relevant and limited only to such purposes
- Kept only if necessary and required for such purposes
- Accurate and up-to-date
- Kept securely
The kind of information we hold about you:
Personal data, or personal information is defined as any information about an individual from which such individual can be identified. Personal Data, or Personal Information does not include data from which identification or identity has been removed (anonymous data).
Sensitive Personal Data requires a higher level of protection. Examples of this include information about a person’s health, sexual orientation and criminal convictions.
We may collect, store, and use the following categories of personal information about you:
- Name, Email Address, Contact Number and Job Title, which we receive from opt-in/consent forms, or from you when communicating with us via phone, post, e-mail, live chat or social media.
- Contact details, identification information, financial information, employment information and details included in any correspondence and information about you in connection with any matter on which we are engaged to advise our client (including biographical and personal/circumstantial details).
Situations in which we will use your personal information:
We will only use your personal information when the law allows us to and where we have a Legitimate Interest (defined below). Such use of personal information is compliant with GDPR Policies. Most commonly, your personal information is used in the following circumstances:
- The execution of a contract we have entered into with you
- Complying with a legal obligation
- For Legitimate Interests pursued by us or a third party
We may, on rare occasions, also use your personal information in the following situations:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest [or for official purposes].
Where we have a Legitimate Interest:
We may use and process your personal data where it is necessary for us to pursue our legitimate interests as a business for the following purposes:
- to enter into and perform the contract we have with your business;
- to prevent fraud and other criminal activities;
- to verify the accuracy of the data that we hold about you;
- to create a better understanding of you as a client;
- to create a profile of you based on any preferences you have indicated;
- to enable us to decide what products and services would be best suited for you;
- to undertake analysis to inform our business and marketing strategy;
- to manage and deliver internal projects for business improvement;
- for network and information security purposes that enable us to take steps to protect your personal data against loss or damage, theft or unauthorised access;
- to comply with a request from you in connection with the exercise of your rights (for example, where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);
- to carry out conflict checks and ensure we can provide services to you.
Where you have provided Consent:
Where you have given us your consent by accepting our cookies policies and privacy statement (via our Get Access & by subscribing to our product launch consent process) and where there is a Legitimate Interest, we will use and process your personal data.
By accepting our terms and conditions above you have also provided consent to our direct marketing, data security, data retention & data sharing policy to third parties which are outlined below.
Please note that your information may be used to send you details of our products or services that we have identified as likely to be of interest to you, based on the preferences you indicated to us when providing consent.
You have the right to withdraw your consent at any time. Please see Withdrawing your consent for further details.
Automated Decision Making:
Automated decision-making takes place when an electronic system uses personal information to decide without human intervention. We can use automated decision-making in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request a reconsideration.
- Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision based on any sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We may have to share your data with third parties, including third-party service providers and other entities in the group. We require third parties to respect the security of your data and to treat it in accordance with the law. If we do, you can expect a similar degree of protection in respect of your personal information.
Why might you share my personal information with third parties?
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
How secure is my information with third-party service providers and other entities in our group?
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
When might you share my personal information with other entities in the group?
We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, and for system maintenance support and hosting of data. We will share personal data relating to your participation in any share plans operated by the company with other entities in the group for the purposes of administering the share plans.
What about other third parties?
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
Transferring Information Outside The European Economic Area:
We do not envisage that we will transfer your personal data outside of the EEA (meaning the EU 27-member states, the UK, Norway, Iceland and Liechtenstein), however we will notify you in writing if this position changes.
- Your personal data and special category personal data may be stored in a variety of locations, including: electronically on our secure servers/in hard copy form in access-restricted, locked filing cabinets.
- We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
- We have put in place procedures to deal with any suspected or actual data security breach and will notify you and the Information Commissioner’s Office (“ICO”) of a suspected breach where we are legally required to do so.
- Whenever we propose using new technologies, or where processing is construed as ‘high risk’, we are obliged to carry out a data protection impact assessment which allows us to make sure appropriate security measures are always in place in relation to the processing of your personal data.
How long will you use my information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Rights of access, correction, erasure, and restriction:
Your duty to inform us of changes:
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Your rights in connection with personal information:
Under certain circumstances, by law you have the right to:
- Request Access to your personal information (known as “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request Correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request Erasure of personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below):
- Withdrawing your consent: Where we rely on your consent as the legal basis for processing your personal data, as set out under How we use your personal data, you may withdraw your consent at any time by emailing firstname.lastname@example.org (please use “Withdrawal of consent” as the subject heading of your email). If you would like to withdraw your consent to receiving any email communications, as described under providing consent, to which you previously opted in, you can do so using our Unsubscribe tool at the footer of the email. If you withdraw your consent, our use of your personal data before you withdraw your consent is still lawful.
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer: Where we rely on your consent as the legal basis for processing your personal data or need to process it in connection with your contract, as set out under How we use your personal data, you may ask us to provide you with a copy of that data in a structured data file. We will provide this to you electronically in a structured, commonly used and machine-readable form, such as a CSV file. You can ask us to send your personal data directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal data if this concerns other individuals or we have another lawful reason to withhold that data.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the DPO in writing.
Complaining to the UK data protection regulator:
You have the right to complain to the Information Commissioner’s Office (ICO) if you are concerned about the way we have processed your personal data. Please visit the ICO’s website for further details.
Marketing and other Communications:
You will only receive Centralised Communications from XYZ Reality (including information about our products and services, and other news/announcements) if you indicate to us a preference (“opt-in”) to do so. You will be invited to complete a client consent/opt-in process by email as a result of any of the following:
- You or your employer becoming a client of XYZ Reality;
- You providing a business card directly to an employee of XYZ Reality at (for example) a trade or networking/business event;
- You have given consent via another medium (for example, the website opt-in form)
We will never share your information with third party partners for their own marketing uses, although we may use service providers to assist us with our own marketing.
What is Direct Marketing:
Direct marketing consists of any promotional, publicity or communications activity sent directly to individuals or companies intended to promote the firm’s products and services.
How does XYZ Reality use direct marketing?
- XYZ Reality uses email and e-marketing via a CRM system to send information directly to its potential clients and contacts, including news on products and services (“Centralised Communications”).
- This information is not sent automatically, and you are not obliged to receive it. XYZ Reality operates an “opt-in” policy for its Direct Marketing which means we only send you Centralised Communications where we have your express consent to do so.
- We never sell personal data to, or share it with, third parties.
What if I don’t want to receive information anymore?
If you would like to withdraw your consent to receiving any Centralised Communications to which you previously opted-in, you can do so using our Unsubscribe tool at the footer of the email.
How do you keep my details accurate?
We do not rely on your consent to receive Centralised Communications indefinitely. You will receive an email from us at intervals of no less than 4 years where you will be asked to re-confirm your consent and preferences for legal topics and disciplines to ensure that the data we hold about your preferences, and your contact details, are current and accurate.
Who do I contact if I have any questions about XYZ Reality’s Direct Marketing policy?
Please write to the Head of Privacy and Data Protection at XYZ Reality, Unit 076-077, Salisbury House, Finsbury Circus, London, EC2M 5SQ. Our email address for data protection queries is email@example.com. If you would prefer to speak to us by phone, please call 02070813009.