Privacy Notice

This Privacy Notice explains how we use any personal information we collect about you when you contact us by phone, send us an email or hard copy correspondence, or visit any of our websites.

Topics:
- What information do we collect about you?
- How will we use the information about you?
- Marketing
- Access to your information and correction
- Other websites
- Changes to our privacy policy
- How to contact us


What information do we collect about you?

We collect personal information about you when you first contact us regarding a project or service you require and thereafter, if our services are commissioned, in more detail regarding your project brief, financial budgets, time constraints etc. Project data will be kept in archive for 6 years if contracts are under hand, 12 years if under seal, after which time it will be responsibly destroyed. Feasibility work which does not develop into a project will be disposed of after 6 years unless requested otherwise. We will also collect personal data from you if you supply us with information or products for payment of the same.

How will we use the information about you?

We collect information about you to process your order, manage your account and, if you agree, to email you about other services or projects or to explain the impact of new legislation we think may be of interest or relevant to you. We will not share your personal information with others for marketing purposes, but we may, in processing your order, send your details to, and also use information from, credit reference agencies and fraud prevention agencies.

Marketing
We would like to send you information about projects and services of ours which may be of interest to you. You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please email us at: info@christopherscott.co.uk

Access to your information and correction
You have the right to request a copy of the information that we hold about you. If you would like a copy of some/all of your personal information, please email or write to us at the following address: Christopher Scott, East Quay, Kite Hill, Wootton Bridge, Isle of Wight, PO33 4LA or electronically via: info@christopherscott.co.uk. We may make a small charge for this service if multiple copies are required or if the request is discovered to be without foundation. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

Other websites
Our website contains links to other websites. This privacy policy only applies to our company websites so when you link to other websites you should read their own privacy policies.

Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on our web pages. This privacy notice was last updated on 24 May 2018.

How to contact us
Please contact us if you have any questions about our privacy policy or information we hold about you:
- by email: info@christopherscott.co.uk
- by post: Christopher Scott, East Quay, Kite Hill, Wootton Bridge, Isle of Wight, PO33 4LA


GDPR Data Protection Policy

1.0 Policy Statement
2.0 Definitions
3.0 Data Protection Principles
4.0 Types of Data Held
5.0 Employee Rights
6.0 Responsibilities
7.0 Lawful Bases of Processing
8.0 Access to Data
9.0 Data Disclosures
10.0 Data Security
11.0 Third Party Processing
12.0 International Data Transfers
13.0 Requirement to Notify Breaches
14.0 Training
15.0 Records
16.0 Data Protection Compliance


1.0 POLICY STATEMENT


1.1 Olivetina Ltd, trading as Christopher Scott, Rainey Petrie Architecture, The Planning and Development Hub and Invest IW, hereinafter termed ‘Olivetina’ are committed to a policy of protecting the rights and privacy of all individuals and organisations in accordance with the General Data Protection Act 2018 (GDPR), and this applies to all their third party contacts.

1.2 As a matter of good practice, other organisations and individuals working with Olivetina, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that any members of staff who deal with external organisations will take responsibility for ensuring that such organisations sign a contract agreeing to abide by this policy.

1.3 Olivetina may have to collect and use information about people with whom we work. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means.

1.4 Olivetina regard the lawful and correct treatment of personal information as very important to our successful operation and to maintaining confidence between us and those with whom we carry out business. We will ensure that we treat personal information lawfully and correctly.

1.5 To this end we fully endorse and adhere to the principles of the General Data Protection Regulation (GDPR).

1.6 This policy applies to the processing of personal data in manual and electronic records kept by us in connection with our business contacts as described below. It also covers our response to any data breach and other rights under the GDPR.

1.7 This policy applies to the personal data of prospective clients, existing and former clients, other professional consultants, and/or contractors. These are referred to in this policy as relevant individuals or ‘third parties’.

2.0 DEFINITIONS

2.1 Personal data
Information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier.

Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.0 DATA PROTECTION PRINCIPLES

3.1 Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
1. Processing will be fair, lawful and transparent
2. Data will be collected for specific, explicit, and legitimate purposes
3. Data collected will be adequate, relevant and limited to what is necessary for the purposes of processing
4. Data will be kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
5. Data is not kept for longer than is necessary for its given purpose
6. Data will be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures
7. We will comply with the relevant GDPR procedures for international transferring of personal data

4.0 TYPES OF DATA HELD

4.1 We keep personal data on third parties in order to carry out effective and efficient processes. We keep this data in project files (both hard copy and electronically) relating to each individual/company and the project we are currently working on together. We also hold data exclusively within our computer systems, for example, our client contact database.

4.2 Specifically, we hold the following types of data:
1. Personal details such as name, address, phone numbers
2. Details relating to pay administration such as bank account details
3. Information relating to our employment with you, including:
i) Project title and description
ii) Financial appraisals/cost estimates of relevant projects
iii) The terms and conditions of our employment
iv) Project Contract Information including Valuations, Project Drawings and Specifications, some of which may contain sensitive business information and details.

4.3 All of the above information is required for our processing activities. More information on those processing activities is included in our privacy notice.

5.0 THIRD PARTY RIGHTS

5.1 You have the following rights in relation to the personal data we hold on you:
1. The right to be informed about the data we hold on you and what we do with it.
2. The right of access to the data we hold on you. More information on this can be found in the section headed “Access to Data” below and in our separate policy on “Subject Access Requests”.
3. The right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’.
4. The right to have data deleted in certain circumstances. This is also known as ‘erasure’.
5. The right to restrict the processing of the data.
6. The right to transfer the data we hold on you to another party. This is also known as ‘portability’.
7. The right to object to the inclusion of any information.
8. The right to regulate any automated decision-making and profiling of personal data.

5.2 More information can be found on each of these rights in our separate policy on third party rights under GDPR.

6.0 RESPONSIBILITIES


6.1 In order to protect the personal data of relevant individuals, those within our business who must process data as part of their role have been made aware of our policies on data protection.

6.2 We have also appointed employees with responsibility for reviewing and auditing our data protection systems.

7.0 LAWFUL BASES OF PROCESSING

7.1 We acknowledge that processing may only be carried out where a lawful basis for that processing exists and we have assigned a lawful basis against each processing activity.

7.2 Where no other lawful basis applies, we may seek to rely on the third parties’ consent in order to process data.

7.3 However, we recognise the high standard attached to its use. We understand that consent must be freely given, specific, informed and unambiguous. Where consent is to be sought, we will do so on a specific and individual basis where appropriate. Third Parties will be given clear instructions on the desired processing activity, informed of the consequences of their consent and of their clear right to withdraw consent at any time.

8.0 ACCESS TO DATA

8.1 As stated above, third parties have a right to access the personal data that we hold on them. To exercise this right, they should make a ‘Subject Access Request’. We will comply with the request without delay, and within one month unless, in accordance with legislation, we decide that an extension is required. Those who make a request will be kept fully informed of any decision to extend the time limit.

8.2 No charge will be made for complying with a request unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request. In these circumstances, a reasonable charge will be applied.

8.3 Further information on making a subject access request is contained in our Subject Access Request policy.

9.0 DATA DISCLOSURES

9.1 The Company may be required to disclose certain data/information to any person. The circumstances leading to such disclosures include:
1. Any Statutory Parties involved in Project work, such as Planning, Building Regulations, Utilities, Environment Agency etc.
2. Any specialist consultants brought in to resolve specific issues
3. To assist and report on safe operations on site in compliance with Health and Safety Regulations or to carry out Principal Designer Services.
4. The smooth operation of any third party insurance policies or pension plans.
5. To assist law enforcement or a relevant authority to prevent or detect crime or prosecute offenders or to assess or collect any tax or duty.

9.2 These kinds of disclosures will only be made when strictly necessary for the purpose stated.

10.0 DATA SECURITY

10.1 All our employees are aware that hard copy personal information should be kept in a locked filing cabinet, drawer, or safe.

10.2 Employees are aware of their roles and responsibilities when their role involves the processing of data. All employees are instructed to store files or written information of a confidential nature in a secure manner so that they are only accessed by people who have a need and a right to access them and to ensure that screen locks are implemented on all PCs, laptops etc. when unattended. No files or written information of a confidential nature are to be left where they can be read by unauthorised people.

10.3 Where data is computerised, it should be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.

10.4 Employees must always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them.

10.5 Personal data relating to employees should not be kept or transported on laptops, USB sticks, or similar devices, unless prior authorisation has been received. Where personal data is recorded on any such device it should be protected by:
1. Ensuring that data is recorded on such devices only where absolutely necessary.
2. Using an encrypted system — a folder should be created to store the files that need extra protection and all files created or moved to this folder should be automatically encrypted.
3. Ensuring that laptops or USB drives are not left where they can be stolen.

10.6 Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.

11.0 THIRD PARTY PROCESSING

11.1 Where we engage third parties to process data on our behalf, we will ensure, via a data processing agreement with the third party, that the third party takes such measures in order to maintain the Company’s commitment to protecting data.

12.0 INTERNATIONAL DATA TRANSFERS


12.1 Data must not be transferred to countries outside the European Economic Area without the explicit consent of the organisation or individual. Olivetina will take particular care when publishing information on the Internet as it can be accessed from anywhere in the globe.

13.0 REQUIREMENT TO NOTIFY BREACHES

13.1 All data breaches will be recorded on our Data Breach Register. Where legally required, we will report a breach to the Information Commissioner within 72 hours of discovery. In addition, where legally required, we will inform the individual whose data was subject to breach.

13.2 More information on breach notification is available in our Breach Notification policy.

14.0 TRAINING


14.1 New employees must read and understand the policies on data protection as part of their induction.

14.2 All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.

14.3 The nominated data controller/auditors/protection officers for the Company are trained appropriately in their roles under the GDPR.

14.4 All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Company.

15.0 RECORDS

15.1 The Company keeps records of its processing activities including the purpose for the processing and retention periods in its HR Data Record. These records will be kept up to date so that they reflect current processing activities.

16.0 DATA PROTECTION COMPLIANCE

16.1 Our Data Protection Officer is: Sue Atkinson (Mrs)

Our Data Systems Manager is: Andrew Nordbrusch of Wight Computing