Privacy Statement

Introduction


Everyone has rights as to the way in which their personal data is handled. In order to operate efficiently we need to collate and use information about the people with whom we work. This includes current, past and prospective clients and others with whom we communicate. We take the lawful and correct treatment of personal information very seriously and are bound by the relevant data protection laws; most recently The General Data Protection Regulations 2017 (GDPR).

We are registered as a Data Controller on the Register kept by the Information Commissioner’s Office; ICO.

Our Contact Details :
 

Laura Sykes, is the controller responsible for your personal data at Number Jungle.
  
Laura is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact Laura using the details set out below:

Contacts.JPG

What type of information we have

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
 
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data : which includes first name and last name, National insurance number, UTR, Passport or driving licence and date of birth.

Contact Data : which includes postal address, email address and telephone numbers.

Technical Data : which includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Number Jungle website.

 

How do we get this information

Direct interactions: You may give us your Identity and Contact details by filling in forms or by corresponding with us by post, phone, email or otherwise.

Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns.

What we do with the information

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

Where we need to perform the contract we are about to enter into or have entered into with you.

Where we need to comply with a legal or regulatory obligation.

The Detail

In accordance with GDPR the processing of Personal Data must comply with the six principles of good practice. These provide that Personal Data must:

 

1 Fair, Lawful and Transparent Processing

For Personal Data to be processed lawfully, it must be with your written consent or be necessary for the performance of our contract with you.

2 The Purpose for which it was collected

Personal data collected is primarily for contractual necessity and compliance with legal obligations.

3 Adequate, Relevant and not Excessive

If we receive Personal Data about you from other sources, we will provide you with this information as soon as possible thereafter. When sensitive personal data is being processed, additional conditions and securities must be in place to ensure protection.

4 Accurate and up to date data

We shall ensure that all Personal Data held is accurate and up to date and will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. If you become aware that any of your Personal Data is inaccurate, you are entitled to contact us and request that your Personal Data is amended. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

5 Timely Processing of the Data

We will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Once Personal Data is no longer required, we will take all reasonable steps to destroy and erase it.  We will review the retention of personal data at regular intervals and it is unlikely that this data will be kept beyond 7 years.

6 Keeping Your Personal Data Secure

Number Jungle will strive to follow procedures and technologies which maintain the security of all your Personal Data from the point of collection to the point of destruction.

  • We will endeavour to make sure that only the people authorised to use your personal data can access it.

  • We will make every effort to ensure that your Personal Data is accurate and suitable for the purpose for which it is processed.

  • We also maintain security procedures which include, but are not limited to:

o   Secure lockable desks and cupboards. Desks and cupboards shall be kept locked if they hold your personal data.

o   Methods of disposal; Paper documents containing Personal Data are shredded and digital storage devices shall be physically destroyed when they are no longer required.

o   Computer monitors will not show confidential information to passers-by and PC’s are logged off when it is left unattended.

  • All computers have appropriate password security, boundary firewalls and effective anti-malware defences. We routinely back-up electronic information to assist in restoring information in the event of disaster and our software is kept up-to-date with the latest security patches.

  • We shall take appropriate security measures against unlawful and/or unauthorised processing of personal data, and against the accidental loss of, or damage to, your Personal Data.


When We May Share Your Personal Data

There are times when we may need to share your Personal Data in the course of us fulfilling our contract with you.  It will be necessary for us to disclose your Personal Data in certain situations, such as:

  • In our role as your bookkeeper we may need to share your Personal Data with certain bodies to fulfil our contract with you such as your suppliers, contractors and sub-contractors, HMRC, ICB and other governmental, regulatory bodies.

  • If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation , lawful requests, court orders and legal process.

 

Your Rights and Requests Concerning Your Personal Data


We will process and manage all your Personal Data in line with your rights; in particular your rights to:

  • Request access to any data we hold about you.

  • Prevent the processing of your Personal Data for direct-marketing purposes, if so instructed.

  • Ask to have inaccurate Personal Data amended

  • Be forgotten, and have all relevant Personal Data erased (subject to our overriding legal obligations).

  • Prevent processing which is likely to cause damage or distress to you or anyone else

  • Request certain restrictions on the processing of your Personal Data.

  • Receive a copy of your Personal Data and/or request a transfer of your Personal Data to another Data Controller.

  • Be notified of a data security breach which affects your rights and freedoms, without undue delay

  • To make certain requests to us concerning how your Personal Data is managed.


Access and portability requests

You are entitled to request access to your Personal Data unless providing a copy would adversely affect the rights and freedoms of others.

You can also request information about the different categories and purposes of data processing; recipients or categories of recipients who receive your Personal Data, details on how long your Personal Data is stored for and information on your Personal Data's source.  You also have the right to “Data Portability” rights which includes the right to request a copy of your Personal Data be sent to you or transmitted to another Data Controller.


Correction requests

You are entitled to request we correct or complete your inaccurate or incomplete Personal Data without undue delay and we will update the information and erase or correct any inaccuracies as required.


Erasure requests

You can exercise your “right to be forgotten" and can request we erase your Personal Data. Once receiving a request, we must erase the Personal Data without delay, unless an exception applies that permits us to continue processing your data. Details of such exceptions are contained in the Legislation and include situations where we might need to retain the information to carry out our official duties and/or comply with legal obligations and/or for the establishment of exercising or defending legal claims, or it is in the public interest to retain your Personal Data.

Restriction requests

You may request restrictions be applied to the processing of your Personal Data for some specific reasons such as you contest the accuracy of the data, the processing is unlawful or if we no longer need to process your Personal Data. You can also request restrictions be applied if the processing is being done for public interest or third party reasons.

If such a request is received we can continue to store your Personal Data, but may only process it under certain circumstances, such as: you give consent for us to continue processing your data, we need to establish, exercise, or defend legal claims or we need to protect the rights of another individual or legal entity or for important public interest reasons.

Objection requests

You may also object to your Personal Data being processed under certain circumstances, including for direct marketing purposes and profiling related to direct marketing.

If we receive such an objection we will stop processing your Personal Data unless we can show a compelling legitimate ground for processing your Personal Data which overrides your interests and the basis of your request.


Queries and Requests

If a query or request is received by telephone we will only verbally disclose Personal Data when we can confirm the caller’s identity.  To ensure that data is only given to a person who is entitled to receive it we will suggest that the caller put their request in writing to assist in establishing the caller’s identity, and to enable us to clearly record the nature of the request and to assist in further identity checks. When responding to written requests Personal Data will only be disclosed if we can confirm the identity of the sender and/or sufficient supporting evidence is provided by the sender establishing their identity.

Where the request is manifestly unfounded or excessive we reserve the right to charge a fee of £30.00 for the administrative costs of complying with the request. Requests for multiple copies of data will also incur a fee off £10 per copy.

We will strive to respond to all queries and requests within a reasonable time. If we fail to take any action within a month you are entitled to request an explanation from us as to why no action was taken and you may make a complaint.

You do have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact Laura Sykes in the first instance.

Changes to our Data Protection Policy

We keep our privacy policy under regular review and reserve the right to amend and update the policy as required. Where appropriate, we will notify you of those changes by mail, email and/or by placing an updated version of the policy on our website

 

Definitions in this Privacy Notice

  • Data: Information stored electronically, on a computer, server or in certain paper-based filing systems.

  • Data Subjects: All living individuals about whom we hold Personal Data. All Data Subjects have legal rights concerning the processing and storage of their personal information.

  • The Legislation: The Data Protection Act 1998 (the Act) up to and until 25 May 2018 after which The General Data Protection Regulations 2017 (GDPR) will apply, both of which regulate the way in which all Personal Data is held and processed.

  • Personal Data: Information which can be used to directly or indirectly identify a living individual.

  • Processing: Any activity in which the data is used, including (but not limited to) obtaining, recording, organising, amending, retrieving, using, disclosing, erasing, destroying and/or holding the data. The term “processing” also includes transferring personal data to third parties.

  • Supervisory Authority: The Authorised Body which is empowered to govern and manage how the GDPR is implemented and abided by in a particular EU state. In the case of the UK the Supervisory Authority is the: Information Commissioner’s Officer.

  • Sensitive Personal Data: This includes information about a person's race, ethnicity, political opinions, convictions, religion, trade union membership, physical and/or mental health, and sexual preference. Sensitive personal data can only be processed with the express written consent of the person concerned.