Client Data Privacy Notice
Under data protection law, individuals have a right to be informed about how iCT4 Limited uses any personal data that we hold about them. We comply with this right by providing ‘Privacy Notices’ (sometimes called ‘Fair Processing Notices’) to individuals where we are processing their personal data.
Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as:
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
This Privacy Notice explains how we, iCT4 Limited, collect, store and use personal data from our clients.
We, iCT4 Limited with registered address at C/O Bishop Fleming, Chy Nyverow, Newham Road, Truro, TR1 2DP are the ‘Data Controller’ for the purposes of data protection law.
Our Data Protection Representative (DPR) (see ‘Contact us’ below) is responsible for ensuring that this notice is made available to data subjects prior to iCT4 Limited collecting / processing their personal data. All employees of iCT4 Limited who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent to the processing of their data is secured.
The personal data we hold
Personal data that we may collect, use, store and share (when appropriate) about you includes, but is not restricted to:
- Contact details including full name including title, job role, email address, landline and mobile numbers, billing / delivery address
- Financial details including bank account details for processing payments
- Technical details including usernames and passwords
- Recordings including screen recordings whilst undertaking remote support
- Marketing information including photographs for PR only after receiving full consent for each photograph shoot and its intended usage, marketing preference eg participation in email distribution
- CCTV footage around iCT4 offices
- Data about your use of iCT4 Limited’s information and communications system
We do not collect, store or use information about you that falls into "special categories" of more sensitive personal data. These types of information include (where applicable), race, ethnicity, religious beliefs, sexual orientation, political opinions, trade union membership, health, including any medical conditions, sickness records, criminal records or offences.
Why we use this data
The purpose of processing this data is to help us run iCT4 Limited and to provide an outstanding service to our customers, we will only use personal data when the law allows. The below schedule sets out the nature, type, category and description of the purpose of the processing.
Description and types of client data
Lawful basis of processing
Financial – invoicing, statements, remittance
Contractual and legitimate interests
Emailing marketing material such as promotions and services that may be of interest
Consent, contractual and legitimate interests to develop services and customers. To ensure compliance all mailings will have a clear and easy to operate opt out message / function.
Delivery of an order / service
Contractual and legitimate interests
Emailing service messages / alerts / updates to ensure customers are kept up to date with service updates such as system upgrades
Contractual and legitimate interests
Contractual and legitimate interests
Changes to terms and conditions / policies
Legal obligations and contractual
Our lawful basis for using this data
We only collect and use personal information about you when the law allows us to. Most commonly, we use it where we need to:
- Fulfil a contract we have entered into with you
- Comply with a legal obligation
Less commonly, we may also use personal information about you where:
- You have given us consent to use it in a certain way
- We need to protect your vital interests
Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent and explain how you go about withdrawing consent if you wish to do so.
Some of the reasons listed above for collecting and using personal information about you overlap, and there may be several grounds which justify iCT4 Limited’s use of your data.
Collecting this information
We collect personal information via phone, post, email and in person. Types of interactions that would gather information includes but not limited to:
- Creating an account as part of the helpdesk signup process
- Apply for services and / or products
- Subscribe to our newsletters
- Part of a tradeshow or promotional event providing your details for future follow up
We take data security very seriously to ensure your personal data is not lost, used, disclosed, accessed or altered in any unauthorised way. To enable us to provide this security we have implemented the below security measures:
- Customer data is held in multiple databases within the EU and is encrypted at rest and in transmission and only ever accessed over a secure encrypted channel
- Two Factor Authentication (2FA) has been enabled and enforced on all our systems that support this feature. Systems that do not currently support 2FA, we are working with the third parties to encourage them to implement this key feature.
- All company owned mobile devices are encrypted and accessible only via a secure password / pin and set to auto wipe or lockout after a number of incorrect entry attempts.
We have implemented procedures to deal with actual or suspected data breach and will notify you and the ICO where we are legally required to do so.
We will only keep your personal data for as long as necessary to fulfil contractual, legal and financial obligations along with maintaining your data for services that you have opted to receive such as marketing. We maintain an internal data retention schedule which all staff adhere to.
We may share your personal data with third-party service providers contracted to iCT4 Limited in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they are contracted for. When they no longer need your data to fulfil this service, they will dispose of the details in line with GDPR procedures.
Third parties that we may share your personal data with include prospective companies that we may merge, transfer or sell our company, if this were to happen the data obtained would still be used as set out in this document. Other third parties would include suppliers to allow us to fulfil orders and contracts. The shared data is only permitted to be used for the purposes originally instructed to the third party, the third party is not permitted to use this data for their own purposes.
Where it is legally required, or necessary (and it complies with data protection law) we may share personal information about you with:
- Suppliers – to meet our contractual requirements to fulfil services, such as offsite backups and internet connectivity provision
- Central government and our local authority – to meet our legal obligations to share certain information with it, such as safeguarding concerns
- Financial organisations – to enable them to provide the service we have contracted them for, such as bank account details to enable paying of invoices
Accessing your data
As a customer of iCT4 our engineers, as part of your contract, will have remote access to your school / businesses network and data to fulfil contractual requirements including aspects such as backup configuration (restoration / backing up of data), server migrations and support requests where the customer will request assistance with for example excel documents that may contain sensitive / personal information. Our engineers all undergo data protection / GDPR training and are required to commit to a confidentially statement therefore any data that they may come across as part of their day to day duties are required to maintain confidentiality. When accessing your systems remotely all our connections are audited and a connection log is maintained, connection to your systems is limited to iCT4 staff who all have individual logins which is also protected by two factor authentication.
Transferring data internationally
We will not transfer personal data to a country or territory outside the European Economic Area unless the prior written consent of the client has been obtained and we will do so in accordance with data protection law.
How to access personal information we hold about you
Individuals have a right to make a ‘subject access request’ to gain access to personal information that iCT4 Limited holds about them. At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
|Right of access||
You have the right to request a copy of the information that we hold about you.
|Right of rectification||
You have a right to correct data that we hold about you that is inaccurate or incomplete.
|Right to be forgotten||
In certain circumstances you can ask for the data we hold about you to be erased from our records.
|Right to restriction of processing||
Where certain conditions apply to have a right to restrict the processing.
|Right of portability||
You have the right to have the data we hold about you transferred to another organisation.
|Right to object||
You have the right to object to certain types of processing such as direct marketing.
|Right to object to automated processing, including profiling||
You also have the right to be subject to the legal effects of automated processing or profiling.
|Right to judicial review||
In the event that iCT4 Limited refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data. If you would like to make a request, please contact our DPR. You will be required to provide identification acceptable ID includes passport, driving license, birth certificate or utility bill (dated within last 3 months).
- If you make a subject access request, and if we do hold information about you, we will:
- Give you a description of it
- Tell you why we are holding and processing it, and how long we will keep it for
- Explain where we got it from, if not from you
- Tell you who it has been, or will be, shared with
- Let you know whether any automated decision-making is being applied to the data, and any consequences of this
- Give you a copy of the information in an intelligible form
You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances.
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact our data protection Representative. Alternatively, you can make a complaint to the Information Commissioner’s Office:
- Report a concern online at https://ico.org.uk/concerns
- Call 0303 123 1113
- Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our Data Protection Representative (DPR).
Data Protection Representative - Jonathan Jenkin firstname.lastname@example.org