It’s important to us at Ph.Creative that we let you know what personal data we hold about you, and how we collect and use it. This Privacy Notice tells you all you need to know.
Under data protection law, we need to give you the information in this Privacy Notice. It’s important that you read it carefully, together with any other information that we might give you from time to time about how we collect and use your personal data. It’s also important that you read our Data Protection Policy as well, which explains our obligations in relation to personal data and how we keep it secure.
This Privacy Notice applies from 25 May 2018, when the General Data Protection Regulation came into force. We may update this Privacy Notice at any time.
Who controls the data we collect about you?
Ph.Creative is the “controller” for the purposes of data protection law, which means that we are responsible for deciding how we hold and use personal data about you.
As part of this responsibility, we’ve appointed a Data Protection Champion who can be contacted via [email protected]. The champion is responsible for informing and advising us about our data protection law obligations and monitoring our compliance. They’re your first point of contact for any questions or concerns about data protection.
What type of personal data do we hold about you?
This needs careful reading. Basically, personal data is any information relating to a living individual who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, company they work for, email address, physical features). It can be factual (e.g. contact details or date of birth), an opinion about an individual’s actions or behaviour, or information that may otherwise impact that individual in a personal or business capacity.
We may therefore hold various types of personal data about you, including, for example, your name, email address, postal address and contact telephone number.
Like most websites, ours uses ‘cookies’ to store information on your computer. Some of these cookies are essential to make our site work, and others help us to improve by giving us some insight into how the site is being used. These cookies are set when you submit a form or interact with the site by doing something that goes beyond clicking some simple links.
We also use some non-essential cookies to anonymously track visitors or enhance your experience of this site. If you’re not happy with this, we won’t set these cookies, but some nice features of the site will be unavailable to you.
We also use Google Analytics to track Users and Active Users metrics, to get a better idea of how many users engaged with our site, the popular pages, and so on.
Just so you know, to allow Google Analytics to determine which traffic belongs to which user, a unique identifier associated with each user is sent with each hit. This identifier is a single, first-party cookie named _ga that stores a Google Analytics client ID.
If you are unhappy about this happening, you can easily adjust your browser settings to control third-party cookies.
Data protection law divides personal data into two categories: ordinary personal data and special category data. Any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or provides biometric or genetic data that is used to identify an individual is known as special category data. And all the rest is ordinary personal data.
Why do we hold your personal data and on what legal grounds?
We hold and use your ordinary personal data purely for business administration purposes. This will include such things as meeting our contractual obligations, the management of your account, and day-to-day business activities such as quotations or invoicing.
Data protection law specifies the legal grounds on which we can hold and use personal data.
Most commonly, we rely on one or more of the following legal grounds when we process your personal data:
- Where we need it to perform the contract we have entered into with you (performance of the contract), whether a contract for services or another type of contract.
- Where it is necessary for our legitimate interests, and your interests and fundamental rights do not override those interests (legitimate interest). This may include, for example, sending information now and then regarding products and services that may be of interest to you.
How do we collect your personal data?
We don’t go looking for it. You provide us with most of the personal data about you that we hold and use, face to face, over the phone or online. Other personal data about you that we hold and use is generated by you in the course of carrying out our duties, for example during email correspondence with our staff.
Some of the personal data we hold and use about you is provided by or generated from internal sources during the course of running our business. It could be when colleagues refer to you in emails or documents, for example.
What is the purpose of collecting this data?
We use this data to provide great services to you as an individual or to your company, for administrative purposes, and to send communications from time to time regarding products and services that you might be interested in, with your agreement.
If you give us someone else’s personal data
Sometimes, you might provide us with another person’s personal data, such as the details of a colleague. If this happens, we require you to tell your colleague, or whoever it may be, that you are giving us some of their personal data. You must also give them our contact details and let them know that they should contact us if they have any questions or concerns about how we’ll use their data.
Who do we share your personal data with?
We absolutely 100% never share your personal data with third parties without first asking your permission.
Consequences of not providing personal data
We only store the data that we actually need to administer your account. So, if we do not have your data we may not be able to meet your account requirements.
How long will we keep your personal data?
We will not keep your personal data for longer than we need it for our legitimate purposes. We take into account these criteria when determining the appropriate retention period:
- the amount, nature, and sensitivity of the personal data
- the risk of harm from unauthorised use or disclosure
- the purposes for which we process your personal data and how long we need the particular data to achieve these purposes
- how long the personal data is likely to remain accurate and up-to-date
- for how long the personal data might be relevant to possible future legal claims
- any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept
It’s difficult to specify ahead of time precisely how long we will keep particular items of personal data. We often keep particular items of your personal data for less time than we first thought, but there may also be circumstances in which we need to keep particular items of your personal data for a longer period than first thought. We will be guided always by the requirement to keep your personal data for as long as we are required to do so to comply with legal, accounting, reporting or regulatory requirements.
Also, for some types of personal data, it’s more appropriate to decide retention periods on a case-by-case basis, while still using the criteria described above. We base these decisions on relevant circumstances, again taking into account the criteria listed above.
Solely automated decision-making
Solely automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. However, currently we don’t use solely automated decision-making.
Transferring personal data outside the EEA
An overseas transfer of personal data takes place when the data is transmitted or sent to, viewed, accessed or otherwise used in, a different country. Data protection law restricts transfers of personal data to countries outside of the European Economic Area (EEA) because the law in those countries might not provide the same level of protection to personal data as the law in the EEA. To ensure that the level of protection afforded to personal data is not compromised, therefore, we are only able to transfer your personal data outside the EEA if certain conditions are met, as explained below.
We may transfer some of your personal data to the following countries outside the EEA: United States of America.
- There is an adequacy decision by the European Commission in respect of the USA. This means that the USA is deemed to provide an adequate level of protection for your personal data.
You have a number of legal rights relating to your personal data:
- The right to make a subject access request. You’ve the right to receive certain information about how we use your personal data, as well as to receive a copy of it and to check that we are processing it lawfully.
- The right to request that we correct incomplete or inaccurate personal data that we hold about you.
- The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove it where you have exercised your right to object to processing, as explained below.
- The right to object to our processing your personal data where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing.
- The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or to understand the reason for processing it.
- The right to request that we transfer your personal data to you or to another party, in a structured format. This right applies in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract, or that you have consented to us using it. This is known as the right to “data portability”.
- The right to object to a decision based on profiling/solely automated decision-making, including the right to voice your opinion, and obtain human intervention in the decision-making.
If you would like to exercise any of the above rights, please contact our Data Protection Champion via email at [email protected] in writing. Note that these rights are not absolute, and in some circumstances, we may be entitled to refuse some or all of your request. But please get in touch and we will work with you to sort things out as best we can to comply with the regulations.
In fact, if you have any questions or concerns at all about how your personal data is being used by us, you can contact the Data Protection Champion(s) via email at [email protected].
Finally, please remember as well that you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), which is the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: https://ico.org.uk
Thanks for taking the time to read this privacy notice.