Our policy as Data Controllers
Data controller and Data Protection Officer
Considered Creative is run by Emma and Tom Hardwidge trading as Considered Creative.
Emma Hardwidge is the nominated Data Protection Officer and can be contacted by email email@example.com if you require further information, would like information about the data we hold for you or to be removed from our records.
How do we collect your personal data?
Almost all of the data we collect comes direct from you when you contact us. Occasionally your data may have been passed to us by a mutual friend or colleague who thinks we could work together.
We never source our data from publicly available sources or third party vendors.
What legal basis are we relying on to process your personal data?
Some of the data we collect comes under legal obligation, we are required to have names and addresses for invoicing purposes.
Some of the data we collect is given by consent, this includes any personal data you have given to us in the course of normal business activity which we need to contact you about projects and office hours.
Where we have been contacted by you regarding potential work we rely on legitimate interest to keep your data on record. You have expressed an interest in working with us and may like to be informed about other projects we are working on which may be relevant to you. You may also like to be keep informed of our opening hours over holiday periods.
What personal data do we collect?
We keep a small amount of information about all our clients both current and past and those who have made enquiries about working with us. This usually includes:
- Address (for invoicing purposes)
- Email Address
- Telephone Numbers
Why do we collect this data?
Generally we need to be able to get hold of you to discuss work and send invoices. We also use your information to send you emails regarding our opening times over holiday periods.
Less regularly we may wish to share projects we have been involved with and if you’re lucky you might also get a Christmas card.
Do we share your data?
Your data is only ever shared with your consent where it is necessary to carry out business services. In rare circumstances we might pass your email address to one of our suppliers who can handle any problems while we are out of the office. We will always ask for your permission.
How long do we keep your data
You data is kept by us indefinitely as many of our clients work with us for years, many also return to us after a break and it is helpful to have your details on record. This information is also often held within our accounts (invoices and quotes) which we are required to keep for accounting purposes.
Security of your personal data
Your personal data may be stored in any of the following locations:
- On our personal office computers
These are password protected with only Tom and Emma having access.
- On our personal mobile devices
These are password protected with only Tom and Emma having access.
- On our web server
We will ensure that any chosen supplier provides sufficient security measures to protect any data held.
- Within our ECRM system Campaign Monitor
Details on their security measures can be found here https://www.campaignmonitor.com/trust/security/
In the unlikely event of any data breaches these will be reported to you as soon as we are aware of them.
Accuracy of Personal Information
We make reasonable efforts to keep any personal data in our possession or control, which is used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us.
It is the responsibility of each individual to ensure that the personal data relating to them is accurate, complete and current.
Access to personal information
To request access to Personal Information that we hold about you, we require that you submit your request in writing at the e-mail address above.
We will endeavour to provide your requested personal data within 30 days of receiving your access request. If we cannot fulfil your request, we will provide you with a written explanation of why we had to deny your access request.
Your right to be forgotten
You have the right for your data to be removed from our records at any time however some information may need to be retained for accounting purposes e.g. Names and addresses of businesses on invoices.
If you wish to unsubscribe from emails sent out from our ECRM system you can do this at any time by contacting us via the email address above.
Under 13 year olds
Our website is not intended or designed to attract children under the age of 13. We do not knowingly collect personally identifiable data from or about any person under the age of 13. If you are under 13 years old and wish to ask a question or use this site in any way which requires you to submit your personal information, please get your parent or guardian to do so on your behalf.
Making a complaint
Please feel free to contact us at the email address above if you have any questions or concerns regarding your personal data stored by Considered Creative. If we fail to address these concerns you have the right to make a formal complaint to the Information Commissioners Office www.ico.org.uk/
In common with many commercial organisations we monitor the use of our website by collecting aggregate information. We may automatically collect non-personal information about you such as the type of internet browsers you use, the pages you visit or the website which directed you to our site. You cannot be identified from this information and it is used only to assist us in providing an effective service on our website.
Cookies are small files which are sent to your web browser and stored on your computer’s hard drive. These allow you to carry information across our site without having to re-enter it; it also enables us to analyse web traffic and improve our online services. They cannot be used to identify you. You may set your web browser to notify you of cookie placement requests or to decline cookies completely. You can delete the files that contain cookies; those files are stored as part of your internet browser.
Updating our policy
Our Policy as Data Processors
What information do we have access to?
Many of our clients act as Data Controllers and as such we are often given access to this data.
This may be because:
- it is stored on our rented web server
- it is stored within an ECRM system for which we have been given access
- a client has provided us with the data to use for their own marketing purposes
What type of information does this include?
- Email addresses
- Telephone numbers
- Dates of birth
- Pseudonyms (authors)
- Truncated credit card details i.e. last 4 digits
- Where data has been collected through a website form, it is possible that the user may have also submitted additional, unsolicited personal information.
Data processing within the our organisation is occasional and is unlikely to risk the rights and freedoms of individuals; or involve the processing of special categories of data or criminal conviction and offence data.
How is this information transferred if at all?
Most data we have access to resides within:
- Our rented web server
- Third-party ECRM systems
- Our clients’ own web servers
When a data transfer is required, it is usually exported from web-based database, downloaded, and then uploaded into another web-based database.
Where clients require us to export the data for their own use, it may be emailed to them, uploaded to a secure location within their website for them to access or transferred to them via a third-party file sharing system like WeTransfer, Hightail or Dropbox.
Where possible, temporary data is deleted once the transfer has been completed.
Is this information shared outside of Considered Creative and the Data Controller?
Written consent would be sought from the Data Controller if it was necessary to share data in order to carry out the business needs of the client.
What are the potential risks of data breaches?
We do not have access to any financial or medical information, so risks would be limited to misuse of the data types stated above.
What do we do to minimise these risks? What security measures do we have in place.
- Our personal devices and computers are password-protected.
- Websites have up-to-date security processes in place to prevent hacking.
- Where possible, temporary data is deleted once it has been transferred.
- We advise our clients to have up-to-date SSL certificates installed on their web servers to prevent unencrypted data from being intercepted as it is transferred.
- The wireless internet connection in our office is encrypted.
- If any passwords are compromised, they are updated without undue delay.
What would we do in the event of any data breach?
As soon as we become aware of a data breach, every action will be taken to mitigate any data misuse and prevent any similar breached occurring. We will also notify the relevant Data Controller without undue delay.
Who is the data protection officer
Emma Hardwidge is the nominated Data Protection Officer and can be contacted by email firstname.lastname@example.org.