The directors of Small World Systems Limited are data controllers of the personal data collected by us.
All of these disclosures may involve the transfer of personal data to countries or regions without data protection rules similar to those in effect in your area of residence.
This website may, from time to time, contain links to other websites which are provided for your interest and convenience. We are only responsible for our own privacy and security practices and suggest that you check the privacy and security policies and procedures on each website you visit.
“personal data” is information about you which can be used alone, or combined with other information, to identify you personally. Where we refer to the fact that personal data Processing is necessary for the purposes of our Legitimate Interests, we will have assessed and checked before processing that those interests of ours are not overridden by your interests or by your fundamental rights and freedoms and you may object at any time, see section J below.
B. HOW, WHEN AND WHY DO WE COLLECT AND USE PERSONAL DATA?
- Legal grounds for collection of your personal data
We will only collect, use, retain and destroy your personal data when:
- it is necessary for our Legitimate Interests, in particular:
- responding to your queries;
- carrying out direct marketing;
- providing services and/or information to you and for you;
- transmitting personal information between staff for internal administration purposes;
- hosting and maintaining our website;
- providing technical support to you;
- preventing and detecting fraud and other criminal offences; and/or
- ensuring network and information security, as long as, in each case, these interests are in line with applicable law and your legal rights and freedoms;
- where you have given consent for processing your data for one or more specific stated purposes; and/or
- where this is necessary for compliance with Legal Obligations which apply to us; and/or
- where this is necessary for the performance of our contract with you.
- How we collect your personal data
Contact Forms – we may collect your personal data which you provide when you fill in forms on our website / in correspondence / face to face with us. This may include, for example, your name, position, company, contact details (such as business and personal emails, telephone number and business / home address), contents of your business card, and your personal preferences, choices and requirements specific to particular requests or services. In order to provide you with our services, we may collect personal data about you from our website, from telephone conversations, emails, SMS messages, and written and verbal communications. We may supplement the information that you provide with other information that we obtain from our dealings with you.
Where permissible under applicable local laws, we may combine information that you have provided to us with other information that we already hold, or may come to hold, about you and which we have collected for our Legitimate Interests.
We may also collect personal data from your individual IP location. This is a function of our website that enables us to assess session information relating to the use of the website, such as the duration of the visit and the type of browser used. Such information is only used for us to evaluate use of the website, as well as for us to diagnose problems with our server and to administer the website.
We also require your payment details, contained either in a cheque drawn from your account, or your credit or debit card details, to facilitate the collection of authorised payments, and/or process any refunds due to you, and/or to repay any residual balances to you.
We would usually expect to keep a record of your contact details and details of any services we provide to you.
We may also record (provided we have your prior explicit consent) details of any disability, health needs or dietary requirements (i.e. special categories of personal data) that you may have at the time of booking a place, or accepting an invitation, to one of our events. This is to enable us to ensure your safety.
How we use your personal data
We may use any personal data that you provide to us in a way that is adequate, relevant, and not excessive:
- where legally required or permitted for specific stated purposes made clear at the point of collection or on particular pages of our website; and/or where we otherwise have legal bases for collection and use of your personal data as explained in more detail above.
- personal data may also be disclosed to law enforcement, regulatory, or other government agencies, or to other third parties, in each case to comply with legal or regulatory obligations or requests.
- personal data may be used to respond to your queries, and/or provide our services and/or information that you have requested.
If you choose not to provide personal data requested by us, we may not be able to provide you with the information and/or services you have requested or otherwise fulfil the purpose(s) for which we have asked for the personal data. Aside from this, your access to our services will remain unaffected.
- Events – if you register for one of our events, we will share your name, professional title and your business’s name with other people that are attending the same event, if you have signed a consent form to that effect.
- Marketing Opt-In – where you have provided us with your contact details, and have opted in to receive marketing or professional information from us, we may contact you by telephone, by email, by SMS, or by post, for any of these purposes relating to our services where legally permitted to do so. We will only contact you for these purposes where you have opted in to this. Your agreement to the use of your personal data for these purposes is optional and if you fail to provide your consent, your visit to and use of our services will not be affected.
Opt-in must cover both your particular organisation and the type of communication you want us to use (e.g. call, email, text).
Opt-in must involve some form of positive action – for example, ticking a box – and you should fully understand that you are giving us consent.
Marketing Opt-Out – if you have opted in, you are entitled to opt-out from receipt of marketing communication at any time and free of charge by using the contact details provided on the website or by using the “unsubscribe” option included in any marketing e-mail or other marketing material received from us.
Children’s privacy protection
We understand the importance of protecting children’s privacy in the interactive online world. Our website is not designed for or intentionally targeted at children of 16 years of age or younger. It is not our policy to collect or maintain intentionally any information (including photographs) about anyone under the age of 16 without the express specific consent of the parent or guardian.
C. HOW LONG DO WE RETAIN PERSONAL DATA? WHEN IS IT DELETED?
After finishing your case, we will store files and any other papers about it for whatever period we consider reasonable in the circumstances; or as we have to do by law or any regulatory authority; whichever is longest.
This destruction policy does not apply to any papers that you ask us to hold or return to you (providing you have paid all charges and expenses due to us). We will not destroy original documents if you ask us to keep them in safe custody.
D. HOW AND WHEN DO WE SHARE PERSONAL DATA WITH THIRD PARTIES?
1. Some services that we provide require the involvement of third parties. We have carefully selected these third parties and taken steps to ensure that your personal data is adequately protected.
- Sharing within our organisation
When we intend to use your personal data for a new purpose, we will let you know about this.
- Sharing with Service Providers
- any other terms and conditions of supply (i.e. our letter of engagement and terms of business),
- third-party service providers,
- our own professional advisers who are bound by confidentiality codes, and
- when we are legally obliged by law or by any appropriate regulatory authority to disclose your personal data including, where necessary, for the purposes of preventing and detecting fraud, other criminal offences and/or to ensure network and information security
- b) We will not normally share your personal data with any other organisation; however, some of your chosen services and events may be provided by or held at premises of third parties and we may need to provide limited information to them to enable you to take part.
- c) We will keep all information about you, your business and affairs confidential unless you tell us to release information, or we are required to release information by law or any regulatory authority or we must release information because of the nature of the work that we are carrying out for you.
- d) personal data may also be disclosed to other third parties in order to respond to your requests or inquiries, as part of a corporate transaction or where those parties handle information on our behalf.
- e) In order to carry out work for you, we may need to collect information about you to pass to third parties (e.g. to other service providers) for the purposes of supplying services to you. This may involve the transfer of information outside the European Economic Area (“EEA”). We will let you know if we need to transfer your personal data to any third-party service providers located outside the EEA.
- Anti-Money laundering regulations
The Anti-Money Laundering Regulations 2007 say we must, in most cases, gather evidence of the identity of our clients.
As a result, we will do an independent computer identity check on you with another service provider and we may ask you to show us some form of personal or business documents (as required by the Regulations), including photo ID, to check your identity.
The service provider who carries out the check will record the fact that we have carried out a search and may also use the details from our search in the future to help other companies confirm people’s identities.
The service provider may also reveal your information to a Credit Reference Agency to confirm your identity. That Agency may keep a record of the search, but they will not carry out a credit check and your credit rating will not be affected. We use these third-party search agencies to obtain information about you for these purposes only.
E. DIRECT MARKETING
We may notify you of relevant technical or legal changes as part of our contract or to help us deliver our services to you. We do not regard this as direct marketing but keeping you updated.
If necessary we may send out reminders to you requesting information needed to provide our services to you. The responsibility for filing your documentation is yours, but we assist with reminders as part of our contract with you. We do not regard this as direct marketing but keeping you updated.
If we are asking people to consent to receive direct marketing for our products or services, then, in addition to the GDPR requirements, specific rules apply to this under the Privacy and Electronic Communications Regulations (PECR). We will have a separate unticked opt-in box for this, prominently displayed.
Consent may not be needed under PECR to undertake direct marketing by post mail but we consider gaining your consent to do this is good practice, treating post mail marketing in the same way as e-mail marketing.
The Telephone Preference Service (TPS) is a free service available to you run by the Direct Marketing Association (DMA). It stops your telephone number being available to organisations, including charity and voluntary organisations, who may telephone you with sales or marketing calls.
If consent was not obtained at the point that we first captured your personal data then it is our policy to send out a notice to contacts when seeking your consent for direct marketing.
F. PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS (PECR)
PECR cover several areas:
- Marketing by electronic means, including phone, text messages, emails or any other type of electronic communication. PECR does not apply to postal mail marketing, but we apply similar procedures.
It is our policy to comply with the PECR, which run alongside the GDPR.
Obtaining consent for direct marketing by post or electronic communication
- We use opt-in boxes, not pre-ticked
- We ask for your consent to pass details to third parties for marketing and name those third parties
- We record when and how we got your consent, and exactly what it covers
G. INTERNATIONAL TRANSFERS
The transfer of your personal data may involve your personal data being sent outside the EEA, to locations that may not provide the same level of protection as those where you first provided the information e.g. if your personal data is held on “the cloud”.
However, we will only transfer your personal information outside the EEA:
- where the transfer is to a place that is regarded by the European Commission, or appropriate supervisory data protection authority, as providing adequate protection for your personal data; or
- where we have put in place appropriate safeguards, for example by using a contract for the transfer which contains specific data protection provisions that have been adopted by the European Commission or a relevant supervisory data protection authority, or
- where you have consented to this, or
- there is another legal basis on which we are entitled to make the transfer.
Our website is hosted on servers in the EEA. We take the security of your personal data seriously. We have strict procedures and security features in place to ensure that our paper and computer systems and databases are protected against unauthorised use, loss and damage and guarded against access by unauthorised persons. Information storage is on secure computers in a locked and certified data centre and personal data is encrypted wherever possible.
We undergo periodic reviews of our security policies and procedures to ensure that our systems are secure and protected. However, as the transmission of information via the Internet can never be completely secure, we cannot guarantee the security of your information transmitted to or from us.
- Photographs of individuals
It is our policy not to ask for consent from our staff to be the subject of photographs, but state that no photograph will be taken other than for our Legitimate Interests insofar as these are not over-ridden by fundamental rights and freedoms of staff. Staff may object at any time if that is their wish.
Informal Photographs (“snaps”) of an office summer outing event (or an inter-office sports match) put on by the firm, showing staff enjoying themselves are part of our Legitimate Interests, as are photos of a member of staff for putting on our office website under ‘About the Team’.
Private photos by staff, only of each other and not including clients, for exclusively private use, are not subject to this privacy notice.
Clients and professional / business contacts (“contacts”).
The key point is that all consent must be opt-in consent – there is no such thing as ‘opt-out consent’. Clear affirmative action of consent means the contacts must take deliberate action to opt in. There will be separate tick boxes (not pre-ticked). It is our policy to give separate “granular” options to consent separately to separate purposes, unless this would be unduly disruptive or confusing. People may wish to consent to their information being used for one purpose but not another.
Posed photographs with contacts e.g. in front of their office after a great success, for a press release or for putting on our website.
The parties in the photo must have provided clearly implied consent to the processing for this stated purpose only, and not for our ongoing PR unless that purpose is stated. It is our policy to keep consents under review and refresh them if our purposes or activities evolve beyond what we originally specified.
K. YOUR RIGHTS
If you:
- wish to access, confirm, correct, rectify, update, supplement, anonymise, block, restrict or delete your personal data;
- wish to object to our use of your personal data;
- have any questions about our processing of your personal data; or
- would like to transfer your personal data from us to another person or business,
please contact us.
We will provide you with all rights in relation to your personal data to which you are entitled under applicable law. If you are unhappy with the way that we have handled your personal data, you can make a complaint to the Information Commissioner’s Office responsible for data protection in the UK. Contact details are typically available online, or alternatively you may ask us for assistance.
M. HOW TO CONTACT US