Who we are
Ardcairn Ltd is a company registered in Scotland No. SC599934. Our website address is: https://ardcairnassociates.com.
GDPR statement of compliance
Introduction and overview
We have studied the Information Commissioner’s Office (ICO) guidelines concerning compliance with the new General Data Protection Regulation (GDPR) rules. This document explains how Ardcairn Ltd complies.
Ardcairn Ltd is aware that GDPR comes into effect on 25th May 2018. All Associates and staff of the company have read and adhere to our data protection privacy policies.
Data we hold
We hold the following data:
- Email addresses, postal addresses and phone numbers of people or organisations who have contacted us and to whom we have replied – recorded in Google Apps and our online client management software (password protected).
- E-mail addresses of those who have signed up to marketing, such as newsletters (password protected).
Ardcairn Ltd has access to the following data:
- Names and self-identified descriptors (eg “CEO”) of people who have been a contact within an organisation with which we have worked – recorded in Google Apps and our online client management software (password protected).
Ardcairn Ltd and McElhinney and Co Ltd (our accountants, based in the UK) have access to the following data:
- Email addresses, postal addresses and bank details of organisations with whom we have worked – recorded in Google Apps and our online bookkeeping software FreeAgent (password protected).
We do not share this information with anyone outside of Ardcairn Ltd, our staff and relevant Associates, and McElhinney and Co Ltd.
Communicating private information
We have taken the following steps:
- Ensured staff and Associates are up to date with latest policy amendments and procedures.
Any individual or organisation may request to be informed on the data held by Ardcairn Ltd about them. We will update or delete this data subject to reasonable requests in order to comply with GDPR. Note that we have a legal requirement to retain some financial records for auditing purposes.
Subject access requests
We will respond to all requests for information within the one month compliance period. In order to action the request, please note that the individual or organisation will be requested to prove their identity.
Lawful basis for processing data
- When an individual or organisation contacts us via email, their email address is stored on our email servers.
- If an individual or organisation has opted into one of our email lists they have done so in the knowledge that they will receive regular updates via email. They may unsubscribe at any time.
- When people/organisations have entered into a working contract with us, their contact details are saved in our online client management software (password protected).
- When people/organisations have completed a working contract for us, their contact details are saved in our online client management software and our online bookkeeping software (password protected).
Any individual or organisation subscribed to our email lists can unsubscribe at any time by clicking the relevant link in one of our communications, or by contacting us via our website. These email addresses are retained as ‘unsubscribed users’ for a one-year period for auditing reasons.
Information held in our online bookkeeping software is stored solely for accounting purposes.
Individuals and organisations who subscribe to our email lists are over the age of 13. If we find that there are subscribers under this age, we will remove them from the list, explaining why we are doing so.
We aim to prevent data breaches by using strong passwords with two-factor authentication where available. If any organisations who we use as data processors are compromised we would take steps to follow their advice immediately, and inform the data subjects.
Data Protection by Design and Data Protection Impact Assessments
We have familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments.
Data Protection Officers
We have registered with the UK’s lead data protection supervisory authority, the Information Commissioner’s Office (ICO).
Our commitment to your privacy
We’re serious about protecting your personal data. This note explains:
- How we obtained your personal data;
- The personal data that we collect;
- Your personal data rights;
- Your right to object to our processing your personal data and withdrawing consent;
- How and when we use that personal data;
- Whether we share your personal data with anyone else;
- For how long will we keep your personal data;
- How you can access your personal data
If you have any questions or queries about this notice please contact us using our contact form below. Please head the query “FAO the Data Protection Officer (DPO)”.
How Ardcairn Ltd (“we”) use your information
Your privacy is important to us. We are committed to safeguarding the privacy of your information.
Why are we collecting your data?
When required we collect personal data to provide an appropriate level of service to you and to comply with the law regarding data sharing. In legal terms this is called ‘legitimate interests’. We collected your personal data when you corresponded with us during a sales process or signed up for one of our services. When it is required, we may also ask you for your consent to process your data. We never share your information with others, other than those who need the information to effectively complete our contracted work with you, such as our Associates.
The categories of information that we may collect and hold include:
- Personal information (such as name, telephone number, address and email address)
- Corporate information (such as company name, address, email address, bank details)
How and when we use your personal data
We’re committed to using your personal data responsibly and lawfully. Here’s what we do with your personal data:
- We will use it to ensure we deal with your enquiries quickly and efficiently.
- We will use it to establish ongoing communication with you regarding the provision of a good relationship with you and your company.
Your personal data is stored within the UK or on platforms including Google Applications that have Privacy Shield and/or other features to ensure we can them in ways compliant with the GDPR in general, and our privacy and data retention policies specifically.
Google Apps’ Privacy Sheild Certification is here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
To help us to maintain the accuracy of the personal data that we hold please let us know if we hold out of date or inaccurate information about you.
Storing your data
We hold your data for varying lengths of time depending on the type of information in question but in doing so we always comply with Data Protection legislation. We will hold your data for six years from the end of contracted business relationship or the date of last correspondence, whichever is the later.
Who do we share your information with?
We will not share your information with third parties without your consent unless the law requires us to do so or as necessary for own legitimate interests or those of other persons and organisations eg:
- For good governance, conducting, accounting, managing and auditing our business operations
Sharing your personal data
There are only a few occasions where we will share your personal data with a third party. They are:
- Where we’re required to disclose it by law – to government bodies for example.
- Where we need to do so in order to complete a contractually agreed services using 3rd party tools (when integrating a 3rd party data service or development tool for example). [Example – with our professional advisors (who are required to keep confidential your data)].
- Associates, subcontractors and other persons who help us to provide our products and services.
- Companies and other persons providing services to us.
- To protect the security or integrity of our business operations.
- Payment systems, where it is necessary to process transactions.
Requesting access to your personal data
Under Data Protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information contact our Data Protection Officer (DPO).
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations.
For further information on how your information is used, how we maintain the security of your information and your rights to access information we hold on you please get in touch with our Data Protection Officer using the contact details below.
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
To discuss anything in this privacy notice, please contact our Data Protection Officer: using our contact form below. Please head the query “FAO the Data Protection Officer (DPO)”.
DATA PROTECTION POLICY
“Data Protection Legislation” means the Data Protection Act 1998, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), and all applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the Processing of Personal Data, including, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office.
The Data Protection Legislation (“the Legislation”) is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that where necessary the privacy of individuals is respected. As part of regular business activities, Ardcairn Ltd will collect, store and process personal data about our staff, Associates, clients and suppliers and other third parties and we recognise that the correct and lawful treatment of this data will maintain confidence in Ardcairn Ltd. This policy sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
The Data Protection Officer (“DPO”) is responsible for ensuring compliance with the Legislation and with this policy.
Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.
What is personal data?
Personal data is defined as data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the the data controller.
Processing personal data
All personal data should be processed in accordance with the Legislation and this policy. Any breach of this policy may result in disciplinary action.
Processing includes obtaining, holding, maintaining, storing, erasing, blocking and destroying data.
Personal data is data relating to a living individual. It includes employee data. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organisations may be covered. Personal data can be factual (for example a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Examples of personal data are employee details, including employment records, names and addresses and other information relating to individuals, including supplier details, any third-party data and any recorded information including any recorded telephone conversations, video calls, emails or CCTV images.
Staff and Associates who process data on behalf of Ardcairn Ltd should assume that whatever they do with personal data will be considered to constitute processing. Individuals should only process data:
- If they have consent to do so; or
- If it is necessary to fulfil a contractual obligation or as part of the employer/employee relationship; for example, processing the payroll
- If neither of these conditions are satisfied, individuals should contact the Data Protection Compliance Manager before processing personal data.
Compliance with the Legislation
Staff and Associates who process data on Ardcairn Ltd’s behalf have a responsibility for processing personal data in accordance with the Legislation. Anyone who has responsibility for processing personal data must ensure that they comply with the data protection principles in the Legislation. These state that personal data must:
- be obtained and used fairly and lawfully
- be obtained for specified lawful purposes and used only for those purposes
- be adequate, relevant and not excessive for those purposes
- be accurate and kept up to date
- not be kept for any longer than required for those purposes
- be used in a way which complies with the individual’s rights (this includes rights to prevent the use of personal data which will cause them damage or distress, to prevent use of personal data for direct marketing, and to have inaccurate information deleted or corrected)
- be protected by appropriate technical or organisational measures against unauthorised access, processing or accidental loss or destruction
- not be transferred outside the UK or European Economic Area unless with the consent of the data subject or where the country is determined to have adequate systems in place to protect personal data.
Monitoring the use of personal data
Ardcairn Ltd are committed to ensuring that this data protection policy is put into practice and that appropriate working practices are being followed. To this end the following steps will be taken:
- Staff and Associates who deal with personal data are expected to be aware of data protection issues and to work towards continuous improvement of the proper processing of personal data;
- Staff and Associates who handle personal data on a regular basis or who process sensitive or other confidential personal data will be more closely monitored;
- Staff and Associates must evaluate whether the personal data they hold is being processed in accordance with this policy. Particular regard should be given to ensure inaccurate, excessive or out of date data is disposed of in accordance with this policy;
- An annual report on the level of compliance with or variance from good data protection practices will be produced by the company. Data breaches will be recorded and investigated to see what improvements can be made to prevent recurrences.
Handling personal data and data security
- FreeAgent Accounting Software https://www.freeagent.com/website/privacy
- Google Apps https://policies.google.com/privacy
- Monday Client Management Software https://monday.com/terms/privacy
We will ensure that staff and Associates who handle personal data are adequately trained and monitored.
Security policies and procedures will be regularly monitored and reviewed to ensure data is being kept secure.
Where personal data needs to be deleted or destroyed, adequate measures will be taken to ensure data is properly and securely disposed of. This will include destruction of files and back up files and physical destruction of manual files. Particular care should be taken over the destruction of manual sensitive data (written records) including shredding or disposing via specialist contractors.
All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed. Any agent employed to process data on our behalf will be bound to comply with this data protection policy by a written contract. Personal data stored on a laptop should be password protected.
The rights of individuals
The Legislation gives individuals certain rights to know what data is held about them and what it is used for. In principle everyone has the right to see copies of all personal data held about them. There is also a right to have any inaccuracies in data corrected or erased. Data subjects also have the right to prevent the processing of their data for direct marketing purposes.
Any request for access to data under the Legislation should be made to the DPO in writing. In accordance with the Legislation we will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request.
When a written data subject access request is received the data subject will be given a description of a) the personal data, b) the purposes for which it is being processed, c) those people and organisations to whom the data may be disclosed, d) be provided with a copy of the information in an intelligible form.
No sensitive data will be requested, gathered or stored by Ardcairn Ltd.
Changes to this policy
We reserve the right to change this policy at any time. Where appropriate we will notify data subjects of those changes by mail or email.
Policy adopted on 2/3/20.
FAO of the DPO
Our associate consultants are based in the UK, USA and Europe. Each brings unique expertise. Please get in touch so we can connect you with the right person for you.