The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and came into effect on 25 May 2018.
How the law protects you
Data protection laws state that we are only able to process personal data if we have valid reasons to do so. The reasons we process your personal data include, but are not limited to, your consent, performance of a contract, billing and contacting you.
What information do we collect?
In general terms, we collect information about you to enable us to:-
• Administer our relationship with you, provide services and respond to enquiries.
• Comply with contractual obligations we have with you.
• Enable business development including sending newsletters and information updates.
• Process applications for employment.
• Deliver requested information to you about our services.
• Ensure the billing of any services and obtain payment.
• Process and respond to any complaints.
• Enable us to meet our legal and other regulatory obligations imposed on us.
The information we need for these purposes is known as “personal data”. This includes your name, company, address (work or home), email address, telephone and other contact numbers and financial information. We collect this in a number of different ways, for example, by email, via our website, telephone or letter.
We also process sensitive information such as racial or ethnic origin.
We will seek your permission if we need to record any of your sensitive personal data on our systems.
How do we use the information?
We use the data we collect from you for the specific purposes listed in the table below:-
| Purpose for processing data | Legal basis for processing data | Third party organisations with whom data is shared |
| --- | --- | --- |
| To administer our relationship with you, to provide services and respond to enquiries | To meet the requirement of a contract. | Only where a project requires it and only after prior consent is given. |
| To ensure the billing of any procured services by you and obtain payment. | To meet the requirement of the contract. | Government VAT and tax inspectors, external auditors, internal auditors, insurance companies. |
| To communicate with you on newsletters and event invitations which are relevant to your interests. | To seek explicit consent prior to sending individuals the information and in line with preferences. | |
| To process and respond to complaints | To meet a legal obligation | |
We will keep your personal data for the duration of the period you are a client/employee of MDA. We shall retain your data only for as long as necessary in accordance with applicable laws.
We may keep your data for between 6 and 12 years. We may not be able to delete your data before this time due to our legal/regulatory and/or accountancy obligations. We assure you that your personal data shall only be used for the purposes stated herein.
We may send you marketing material where you are a business client and we consider the marketing material to be relevant to you, or where you are a business client to whom we have previously provided our services and you have not opted out of receiving such communication.
Where you are an individual prospective client we will only provide you with marketing material where you have provided your express consent.
You can update your marketing preferences by emailing firstname.lastname@example.org.
Under the terms of the data protection legislation, you have the following rights:-
Right to be Informed
Right to Access
You have the right to ask us for a copy of any personal data that we hold about you. This is known as a “Subject Access Request”. Except in exceptional circumstances (which we would discuss and agree with you in advance), you can obtain this information at no cost. This information will be sent within one month of your request.
To make a Subject Access Request, please write to our Group Data Protection Officer, at MDA Consulting Ltd, 13-15 Carteret Street, London SW1H 9DJ, DPOenquiries@mdaconsulting.co.uk.
Right to Rectification
If any of the information that we hold about you is inaccurate, you can contact the Group Data Protection Officer, at MDA Consulting Ltd, 13-15 Carteret Street, London SW1H 9DH, DPOenquiries@mdaconsulting.co.uk.
Right to be Forgotten
From 25 May 2018, you can ask that we erase any/all personal information that we hold about you. Where it is appropriate that we comply, your request will be fully actioned within one month.
Right to Object
You have the right to object to:
1. The continued use of your data for any purpose listed above for which consent is identified as the lawful basis for processing i.e. you have the right to withdraw your consent at any time.
2. The continued use of your data for any purpose listed above for which the lawful basis of processing is that it has been deemed legitimate.
Right to Restrict Processing
If you wish us to restrict the use of your data because:
1. You think it is inaccurate but this will take time to validate
2. You believe our data processing is unlawful but you do not want your data erased
3. You want us to retain your data in order to establish, exercise or defend a legal claim
4. You wish to object to the processing of your data but we have yet to determine whether this is appropriate
Please contact the Group Data Protection Officer, at MDA Consulting Ltd, 13-15 Carteret Street, London SW1H 9DJ, DPOenquiries@mdaconsulting.co.uk.
Right to Data Portability
If you would like to move, copy or transfer the electronic personal data that we hold about you to another organisation, please contact our Group Data Protection Officer, at MDA Consulting Ltd, 13-15 Carteret Street, London SW1H 9DJ, DPOenquiries@mdaconsulting.co.uk.
Right to Withdraw Consent
If you would like to withdraw consent, please contact our Group Data Protection Officer, at MDA Consulting Ltd, 13-15 Carteret Street, London SW1H 9DJ, DPOenquiries@mdaconsulting.co.uk.
None of the information that we collect, process or store is transferred outside of the European Economic Area (EEA). We do not normally share your personal data with anyone outside the EEA; however, we may do so when a particular circumstance or the Services we provide to you require us to do so.
For the avoidance of doubt, we do not and never shall sell your personal data to third parties for marketing or advertising purposes. However, we will only ever share information about you that is necessary to provide the service and we have specific contracts in place, which ensure your personal data is secure.
Data Privacy and Security
We ensure that data protection is a key consideration for all new and existing IT systems that hold personal data. Where any concerns, risks or issues are identified, we conduct relevant impact assessments in order to determine any actions that are necessary to ensure optimum privacy and an active information security work programme.
This helps us to:-
a. Ensure all IT facilities are protected against damage, loss or misuse
b. Protect against potential breaches of confidentiality
c. Ensure awareness of the requirements for information security, confidentiality and integrity of the information that is handled
d. Ensure optimum security of our Website
Where we Store Your Personal Data
We follow accepted ISO standards to store and protect the personal data we collect, including the use of encryption if appropriate. All information you provide to us is stored on our secured servers within the UK/EEA.
Cookies and Links to Other Websites
We process your data for administration, billing, support and the provision of services. This is achieved mainly by use of email and written communications.
Office 365 for email.
Office 365 email shares data with third party infrastructure in the EEA.
We use standard email, all UK-based.
Dedicated Servers, Virtual Servers, CloudNX platform
We process your data for administration, billing, support and the provision of services.
Or you have the right to lodge a complaint with the Information Commissioner’s Office who may be contacted at www.ico.org.uk/concerns/
Information Commissioner’s Office
Cheshire SK9 5AF
Tel: 0303 123 1113
MDA Consulting Ltd
Head Office: 13-15 Carteret Street, London SW1H 9DJ