1. IDENTITY AND CONTACT DETAILS
Please click here to find out more about Blake Consultants. Our registered address is Elizabeth House, 13-19 London Road, Newbury, Berkshire RG14 1JL, United Kingdom. Our telephone number is +44 (0) 7775 791682. You can contact us by email using firstname.lastname@example.org. We are a limited company registered no. 07188057 (England and Wales).
Our designated supervisory authority under the Data Protection Act 2018 and the UK’s General Data Protection Regulation (GDPR) is the Information Commissioner’s Office (ICO). We are based in the United Kingdom.
To contact the individual in charge of Data Protection in our company please use the details shown.
2. WHAT DATA WE PROCESS
Blake Consultants processes data on our:
- Prospects and partners,
- Current and potential suppliers.
2.1.1 Working with clients
We process information on individuals who are clients of Blake Consultants services, or those looking to engage with us and use our services. We process this data so that we can engage with the individuals to provide their organisations with our services, or we process the data as we are taking steps to enter into a contract to provide these services. We capture information on these individuals through the various mechanisms used to engage with them.
The information we capture on these individuals will include basic contact details such as name, telephone number and email address, some more technical information that is captured when our website is used (e.g. cookies and IP addresses), and occasionally postal address, so that we can contact them and set up meetings and engage in work with them.
We use the legal basis of ‘contract’ to process this data.
We do not capture special category information on these individuals.
2.2 PROSPECTIVE CUSTOMERS AND PARTNERS
Blake Consultants captures information on individuals who we believe could have a need for our services (prospective customers) and partners (also called referrers), whose current clients could have a need for our services. We use this data for direct marketing to the individuals who are corporate employees of the organisations that we target.
We can either capture this data directly from the individuals in the process of selling to them, from their engagement on our website, or we can licence this data from reputable data providers.
The information we capture on these people will include basic contact details such as name, telephone number, email address, postal address and some more technical information that is captured when our website is used (e.g. cookies and IP addresses).
We do not process special category data on these individuals.
It is in our interests to process this data so that we can obtain further clients and so ‘legitimate Interests‘ is the basis for processing we rely on for processing this type of personal data. We have conducted our gating and balancing tests to determine whether our legitimate interests do not outweigh the rights and freedoms of the individuals we are targeting.
Where regulations mandate that that we must obtain consent from individuals, for example if the data subject is not an employee of a corporate business (not a ‘corporate subscriber’) and we intend to use email to communicate, then we will use the lawful basis of Consent to process data to promote our services.
This lawful basis of consent can include the use of a ‘soft opt-in’ where the individuals we are targeting have engaged our services within the past 2 years.
We process information on our staff in two ways. We define ‘staff’ from the perspective of data protection to include employees, contractors and consultants working on projects for our company.
2.3.1 Employment contract
We process data so that we can manage the staff that work for Blake Consultants. We can also process data under this category where the individual is taking steps to enter into a contract with us (for example where we are recruiting for a position in Blake Consultants). We capture this information in the course of recruiting and ‘on-boarding’ an individual to work with us.
The information we capture for this reason will include basic contact details such as name, telephone number, email address, postal address and other details needed to process payments in relation to the contracts such as bank account details and national insurance numbers. We will also capture information that relates to the any applications for roles within Blake Consultants, for example employment history and references from previous employers, through documents provided to us (for example CVs) and through information captured in interviews. We also capture data so that we can appraise employee performance and timekeeping which we may do through meetings and other mechanisms.
We use the legal basis of ‘contract’ to process this data.
2.3.2 Employee contract and our legal obligations
We are required to process some data when managing employee contracts under a separate reason for processing, namely so that we can carry out our legal obligations. For example, where we pass information to the HMRC to inform them of the salaries we have paid to our employees, or establish eligibility to work in the UK.
The information we capture and process for this reason includes identifiers such as NI numbers, and contact details including addresses.
We can capture special category information (for example health-related information when people are off sick, or when evaluating our duties under equalities regulations). The reason we process this data is when it is necessary to do so for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection. We have an appropriate policy document in place relating to this special category data.
2.3.3 Employment operations
We also process information on staff and their next of kin where it is in Blake Consultants’ interest to do so for operational efficiency. As examples: so that we can keep staff up-to-date with Blake Consultants news, maintain a list of the staff’s next of kin for communication in the event of an emergency, or to create business cards for staff, or use their photographs on our organisation’s web pages. We capture this information as a part of the employee ‘on-boarding’ process and we update the data at regular intervals.
The type of data that we process for this need includes name, email address, telephone number and images of the individual.
We use the lawful basis of ‘legitimate interests’ to process this data. We have completed the specification, gate analysis and balancing tests specified under GDPR for this data.
We do not capture special category information on this data.
If the data on staff or next of kin is ever used in an emergency, then we may process this data using a legal basis of ‘vital interests’.
We process information on suppliers so that we can purchase goods and services from them. We capture this information either from recommendations or by using data provided by the suppliers on their web sites or directories.
We capture individuals’ names, email addresses and telephone numbers on current or prospective suppliers.
We use the lawful basis of ‘contract’ to process this data.
We do not capture special category information on this data.
2.5 ANY RECIPIENT OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA
Blake Consultants pass data on to other data controllers for the following purposes:
- For data relating to those applying to be members of staff or for staff who have found other employment after the end of a contract, we share data with third parties to obtain and provide references.
- We share data with organisations with which we have a legal obligation to share data (for example HMRC or where we are required to share data with parties involved in the legal disputes in which we are representing our clients).
- We share data on staff with organisations where we are acting as an intermediary between the staff and an organisation providing benefits to the staff member (for example pension providers).
We will not transfer your data to countries outside the UK to destinations that are not considered ‘adequate’ by relevant legislation without additional safeguards. Any additional safeguards that are required and obtained are documented in our internal data protection policy.
We transfer data to other organisations who are processors of data that we control. We maintain a list of Blake Consultants data processors and ensure that we have data processing agreements between Blake Consultants and the data processor. Where relevant and if the data processor transfer data outside of the UK and EEA, we obtain commitment from the data processors that additional safeguards are in place. Again, these are documented in our data protection policy.
2.6 RETENTION PERIOD OR CRITERIA USED TO DETERMINE THE RETENTION PERIOD
- We will retain information on clients for 6 years after an engagement as we will need to retain this information for financial and legal purposes.
- We will retain information that we use on prospective customers for the purposes of direct marketing where we use legitimate interests as a lawful basis for processing the data for as long as we believe the data is valid, and the prospective customer has not objected to our processing of the data.
- We will retain information that we use on prospective customers for the purposes of direct marketing where we use consent as a lawful basis for processing the data for 3 years after the latest interaction with the individual.
- We will retain the details of the suppliers or partners for as long as we might have a need for the services that the supplier or partner offer.
More details on data retention periods for data we hold on staff members can be found in our internal documents (our employee handbook), and these can be summarised as:
- We will retain some information on staff members for 7 years after their employment with us ends, as we need to retain information on staff members for legal reasons.
- We will retain information on individuals who we have details on for recruitment purposes for 6 months after the job role that they were being considered for has been filled. If we believe that their details may be suitable for future roles, we will obtain their consent to retain their CVs for longer periods.
Other employee-related data in the categories below will be stored:
- Pay records – three years
- Working time records – two years
- Sickness absence records – three years
- Family leave records – three years
- Health and safety records – three years
- Management information such as performance records, conduct records, file notes or similar – six months.
If any of these data retention timescales clash with legal or contractual obligations then these other obligations will override the retention timescales outlined above.
All records are disposed of securely when deleted. We will review the data before deletion to make sure that there are no special factors that we need to take account of in the deletion of the records.
3. HOW WE LOOK AFTER DATA
We take reasonable technical and procedural precautions to prevent the loss, misuse or unauthorised alteration of personal data.
We protect our IT system from cyber attack. Access to your personal data is password-protected, available to relevant personnel only, and sensitive data is secured by encryption. We regularly monitor our system for possible vulnerabilities and attacks.
We do not publish the details of the safeguards we use to protect the personal data that we control as this could reduce the effectiveness of those safeguards.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website. By law, we may not place cookies on your computer without your consent, unless they are strictly necessary to the operation of the service that we provide on the website.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
We use Google Analytics to monitor how our website is being used so we can make improvements. Our use of Google Analytics requires us to pass to Google your IP address. In particular, Google may use the data collected to contextualise and personalise the ads of its own advertising network. you can opt out of Google Analytics by using this link: https://tools.google.com/dlpage/gaoptout?hl+en=GB.
5. OTHER WEBSITES
6. YOUR RIGHTS
Blake Consultants recognises the rights of individuals as defined in the General Data Protection Regulation.
We will always seek to uphold those rights and the links provided should help you to communicate with us to exercise those rights, where relevant.
- Your right to be informed (this document and further information in communications we might send to you). For more information, please click here.
- Your right of access. For more information, please click here
- Your right to rectification. For more information, please click here.
- Your right of erasure (right to be forgotten). For more information, please click here.
- Your right of restriction of processing. For more information, please click here.
- Your right to data portability. For more information, please click here.
- Your right to object. For more information, please click here.
We do not carry out decision-making and profiling based solely on automated means without any human involvement. For more information on your rights related to automated decision making, including profiling, please click here.
To send us email communications exercising or to discuss any aspect of the rights outlined, please click on the ‘rights of…’ links, or contact us on the details shown in the Identity and Contact Details section.
We recognise your right to lodge a complaint with a supervisory authority. You can access the ICO’s website from this link.
You can access a list of contact details for the EEA’s supervisory authorities using this link.
7. VERSION CONTROL
Initials of reviewer
20 Jun 2022
Initial draft of document