Everyone has rights with regard to the way in which their personal data is handled. During the course of our business activities we will collect, store and process personal data about our customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.
Data users are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.
About this Policy
The types of personal data that 121 Near Me (“we”, “our”) may be required to handle include information about current, past and prospective [advertisers, clients, customers, users, suppliers, employees] and others that we communicate with.
The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act 1998 (UK) (“DPA”) and other regulations.
This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
This policy does not form part of any employee’s contract of employment and may be amended at any time.
This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.
Data Protection Terms
“data” means information stored electronically or in certain paper-based filing systems.
“data controller” means the organisation that determines the purposes for which, and the manner in which any personal data are, or are to be, processed. They are responsible for establishing practices and policies in line with the DPA. We are the data controller of all personal data used in our business for our own commercial purposes.
“data processor” means a third party (such as a supplier or contractor) that acts on the instructions of the data controller. We, as the data controller, remain legally responsible for processing performed by a data processor. Employees are not data processors.
“data subject” means a person who is identified or identifiable from data that is in our possession or is likely to come into our possession in the future.
“data users” mean those of our employees and contractors whose work involves processing personal data. Data users must protect the personal data they handle in accordance with this policy and any applicable data security procedures at all times.
“personal data” means data relating to a living data subject. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
“processing” means everything that can be done with data during it’s lifecycle from collection to destruction.
“sensitive personal data” means information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.
Data Protection Principles
Anyone processing personal data must comply with the eight enforceable data protection principles. These provide that personal data must be:
Processed fairly and lawfully;
Processed only for a specified and lawful purpose;
Adequate, relevant and not excessive for the purpose;
Accurate and up to date;
Not kept longer than necessary for the purpose;
Processed in accordance with Data Subjects’ rights;
Kept secure; and
Not transferred to people or organisations situated in countries without adequate protection.
Fair and Lawful Processing
In the course of our business, we may collect and process personal data received directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and received from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
For personal data to be processed fairly the data subject must have been provided with the FPN and the data collection cannot deceive or mislead as to the purpose of the processing.
If we receive personal data about a data subject from other sources, we will provide the data subject with the FPN as soon as possible thereafter.
The FPN will inform the data subject about the:
Data controller’s identity and contact details;
Purpose(s) of the processing and lawful basis relied upon for storing personal data;
Period for which data will be stored;
Existence of rights to request access, rectification, erasure or to object to processing;
Right to lodge a complaint with the Information Commissioner’s Office (“ICO”), and ICO’s contact details;
Recipients or categories of recipients of the Personal Data;
Intention to transfer data to another country and the level of protection in the destination country;
Whether provision of data is voluntary or mandatory, and consequences of failing to provide the data;
Existence of any profiling; and
Existence of processing activities with a high risk.
For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the DPA. These include, among other things, the data subject’s consent, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed.
When sensitive personal data is being processed, additional conditions must be met.
Specified and Lawful Purpose
We will ensure our ICO notification is accurate and up-to-day.
We will only process personal data for the specific purpose(s), or in a manner compatible with the purpose(s), notified to the data subject when we first collect the personal data or as soon as possible thereafter (ie in accordance with the FPN provided to the data subject).
We will only process personal data in a manner compatible with the purpose for which it was obtained.
Adequate, Relevant and Not Excessive
We will ensure that adequate personal data is collected to satisfy the purpose(s) notified to the data subject, especially where the purpose(s) have an impact upon the data subject.
We will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject.
Accurate and Up-to-date
We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
We will provide data subjects with the means to obtain a copy of, and correct any inaccuracies in, their personal data.
Timely Processing
We will not keep personal data longer than is necessary for the purpose(s) for which it was collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
Data Subject’s Rights
We will process all personal data in line with data subjects’ rights, in particular their rights to:
Access to a copy of the information comprising their personal data;
Object to processing that is likely to cause or is causing damage or distress;
Prevent processing for direct marketing;
Object to decisions being taken by automated means; and
Have inaccurate personal data rectified, blocked, erased or destroyed.
We will put in place means and procedures to enable data subjects to exercise their rights without excessive delay or expense.
Data Security
We will take appropriate technical and organisational security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
Personal data will only be transferred to a data processor if they agree in a written contract to maintain appropriate security measures.
External Transfers
We may transfer any personal data to a State (country) outside the European Economic Area (“EEA”), provided that one or more of the following conditions applies:
The country to which personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms;
The data subject has given consent;
The transfer is necessary for one of the reasons set out in the DPA, including the performance of a contract with the data subject, or to protect the vital interests of the data subject;
The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; and/or
Adequate safeguards have been put in place to protect the rights of data subjects.
Subject to the requirements in this clause, personal data we hold may also be processed by staff operating outside the EEA who work for us or our suppliers and contractors.
Disclosure and Sharing
We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in Section 1159 of the Companies Act 2006 (UK).
We may also disclose personal data we hold to third parties:
In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets;
If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets;
In order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject; or to protect our rights, property, or safety of our employees, customers, or others;
For the purposes of fraud protection and credit risk reduction; and
In accordance with the FPN.
Direct Marketing
We will only send direct marketing materials consistent with the recipient’s consent.
We will only make marketing lists available to third parties for direct marketing purposes within the scope of the recipient’s consent.
All direct marketing materials will include relevant particulars of the business and any promotional offer, be clearly identifiable as a commercial communication, and will provide the recipient the ability to withdraw or modify their consent.
Data Subject Access Requests
Data subjects must make a formal request for information we hold about them. This must be made in writing. Employees who receive a written request should forward it to their manager immediately.
When receiving telephone enquiries, we will only disclose personal data if the following conditions are met:
We will check the caller’s identity to make sure that information is only given to the data subject or their authorised representative.
We will suggest that the caller put their request in writing together with proof of identification if we are not sure about the caller’s identity and where their identity cannot be checked.
Compliance and Disciplinary Action
Compliance with this policy is mandatory for all our employees who process personal data. Failure to comply may result in disciplinary action up to and including termination of employment.
Changes to this Policy
We reserve the right to change this policy at any time without notice.