We help you to understand and use IT – to make your business, your job and your life better
Policy Version: 1.0 published 21st May 2018
Lucid Networks Ltd, registered in England number 07420251, whose registered office is at Greenheys Business Centre, Pencroft Way, Manchester Science Park, Manchester, M15 6JJ (referred to hereafter as “We” or “Us”) needs to collect and use certain types of personal data about people we come into contact with (hereafter referred to as a “data subject”) in order to carry on our work.
This personal data must be collected, stored and dealt with correctly, in accordance with relevant data protection laws and this policy sets out our commitment to dealing with that personal data correctly.
We collect, store and process information in line with the General Data Protection Regulation.
We are registered with the Information Commissioners office, registration number ZA295606
Data Subject – You, or any other living person who we store or process information about
Personal Data or Personally Identifying Information – Any information about a living individual that can be used on its own, or with other data, to identify them.
Processing – Doing any of the following with information: obtaining, recording, storing, updating, combining, analysing, sharing with or transferring to third parties.
Special Categories of Data or Sensitive Personal Data – Personal Data about racial or ethnic origin, political or religious beliefs, trade-union membership, biometric data, health, sex life or sexual orientation.
Filing Systems – Any structured set of data which allows access or retrievel of information by a set of criteria. They can include computer databases, paper based records or paper filing systems, and may be in one place, or spread over many places.
Data Controller – Person or organisation who determines what purposes personal information will be held or processed for.
Data Processor – Person or organisation who carries out processing of data on behalf of a data controller. The processor can be the same person or organisation as the controller or different.
Consent – Any freely given, specific, informed and unambiguous indication of the data subject’s wishes that they agree to the processing of personal data relating to him or her. Consent must be in the form of a clear statement or a clear affirmative action.
Data Breach – A failure of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data while it is stored, trasferred or processed
Subject Access Request – When a data subject contacts a data controller or data processor to ask what personal data is held about them, and how to access it
3. Management and Staff Responsibility
Overall – Managing Director
Data in our internal systems – Technical Director
Data in our financial and internal record keeping – Commercial Manager
Data in our marketing, events and website activities – Sales & Marketing Manager
In addition, we will:
4. Legal Principles
When we process personal data we will process it in line with the six data protection principles. Personal data will be:
5. How We Process Data
We are the Data Controller and Data Processor for the following types of data which we collect or hold on our systems.
Information which allows us to contact data subjects by various means and address them correctly, including name, gender, email addresses and other messaging handles, phone numbers, postal addresses at their place of business or other location they nominate, about our ongoing business dealings or potential business dealings. This data does not include special categories of personal information.
Contact data for the data subject, contact data of next of kin, plus any other information we may need to properly manage our relationships with employment candidates, our past and present employees and subcontractors. This data may include special categories of personal information.
Contact data required to contact the data subject for the purposes of marketing our products and services to them. This data does not include special categories of personal information.
Contact data and other information we need in order to provide our IT services to and keep records about those services and their performance. This data does not include special categories of personal information.
Information collected from computer or communication systems we manage, which allows us to verify the systems are working as expected, to investigate problems with those systems, and to protect ourselves and our customers against criminal or other unauthorised activity. This data does not include special categories of personal information.
We are not a Data Controller or a Data Processor for any data held on our customers’ on-premise or cloud hosted systems, unless there is a written agreement in place which states otherwise.
6. Data collection and Consent
Informed consent is when:
We will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.
When collecting data for the purpose of direct (email or telephone) marketing, we will explain to the data subject:
We will not seek or record consent for the collection of other types of data set out in this policy, because our lawful basis for processing this data is either:
7. Disclosure and Transfer
We may share data with local and national government, law enforcement, and other public agencies or bodies where we are required to do so by law.
The data subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law requires or allows us to disclose data (including sensitive data) without the data subject’s consent. In these situations we will not seek or obtain consent.
Transfer to Suppliers
We may share data with our suppliers where it is necessary in order to carry out our lawful business and contractual obligations to them.
Specific examples include (but are not limited to):
8. Data Storage
Information and records stored in our systems relating to data subjects will be stored securely and will only be accessible to authorised personnel.
Information will be stored for only as long as it is needed or required by law and will be disposed of appropriately.
We will ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party or disposed of.
Wherever possible, personal data will be encrypted while it is stored at rest on our systems.
9. Data access
Subject Access Requests
Data subjects where we are the Data Controller for their data have the right to make a Subject Access Request to:
In order to get the quickest possible service, data subjects (or a third party acting on their behalf) should make a Subject Access Request in the following ways:
Subject access requests should include:
We will always verify the identity of the person making the Subject Access Request, or request for update or erasure of data before handing over any data. If the person making the request is not the data subject, they must show written evidence that they have the permission of the data subject to make the request.
There is no charge for Subject Access Requests, unless the requests are unfounded or excessive or repetitive in character – in which case we may charge a reasonable cost to satisfy the request.
Data subjects may make a Subject Access Request at any time by contacting us using the methods at the top of this section.
We will not be able to satisfy a Subject Access Request if:
We will provide any relevant data (or confirmation that we do not hold any data for which we are the data controller) within 30 days of receiving a Subject Access Request (the time limit will start from the time on the delivery docket or automated email response).
Updating or Erasing Data
We will take reasonable steps to ensure that personal data is kept up to date by asking data subjects whether there have been any changes whenever it is reasonably practical to do so.
Data subjects may at any time contact us using the methods at the top of this section to request that their personal data which we are the Data Controller for is erased.
We will not be able to update or erase personal data if:
Providing Personal Data
Wherever possible, we will provide data electronically, in standards-based formats (eg: Comma Separated Value, HTML, XML).
If we are unable to provide data in standards based formats, we will use another reasonable alternative, but we will always try to provide data in electronic form rather than paper.
We may be forced to provide some data on paper, for example, if our only method of storing the data is on paper.
All data will be encrypted using strong encryption while it is in transit.
Any complaints about this policy should be submitted in writing using one of the following methods:
by emailing [email protected] – our system will respond with a unique reference number for your request.
by writing to us at our address shown in section 1 of this policy, by recorded delivery.
We will aim to respond to any complaint within 30 days.
11. Persons under the age of 18
We do not employ, or undertake any business directly with or on behalf of persons aged under 18 years.
We will only store personal information about persons under the age of 18 if:
Under these circumstances, we will store and process only Contact information.
This policy will be updated and reviewed at least once per calendar year to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to relevant legislation
Just complete this form and a member of our team will contact you to arrange: