Data Protection and Privacy Notice
This Notice outlines the data protection policies and procedures Polymath Consulting Ltd. has adopted and to which Polymath Consulting Ltd. abide to ensure Polymath Consulting Ltd. is GDPR compliant. The purpose of this Notice and any other documents referred to in it, is to clearly list and identify the legal requirements, procedures and rights which must be established when Polymath Consulting Ltd. obtain, process, transfer and/or store your personal data. This Notice will assist you in understanding the obligations, responsibilities and rights which arise from the Data Protection Laws.
Everyone has rights with regard to the way in which their personal data is handled. In order to operate efficiently Polymath Consulting Ltd. need to collate and use information about the people with whom Polymath Consulting Ltd. work. This includes current, past and prospective employees, clients, and others with whom Polymath Consulting Ltd. communicate.
Polymath Consulting Ltd. regard the lawful and correct treatment of personal information as integral to successful operation and to maintaining the confidence of the people Polymath Consulting Ltd. work and communicate with. To this end Polymath Consulting Ltd. fully endorse and adhere to the principles of the relevant Laws.
Polymath Consulting Ltd. is not registered as a Data Controller on the Register kept by the Information Commissioner’s Office.
Definitions in this Privacy Notice
- Data: Information stored electronically, on a computer, server or in certain paper-based filing systems.
- Data Controller: Polymath Consulting Ltd. has determined the purposes for which, and the manner in which, your Personal Data is processed. The Data Controller has overall responsibility for compliance with the Data Protection Laws. Any questions about the operation of this Notice or any concerns that the Notice has not been followed should be referred in the first instance to Polymath Consulting Ltd. at 11 Horsell Park Close, Woking, Surrey, GU21 4LZ
- Privacy Manager: The CEO of Polymath Consulting Ltd. is the appointed officer who is responsible for awareness-raising, training staff and informing and advising the Data Controller, Data Processors and Data Users how to ensure compliance with the enactments, and to monitor that compliance. Polymath Consulting Ltd. can be contacted at 11 Horsell Park Close, Woking, GU21 4LZ.
- Data Processor: Any person or organisation that is not a Data User that processes personal data on Polymath Consulting Ltd. behalf and in accordance with Polymath Consulting Ltd.’s specific instructions. The definition could include suppliers who handle personal data on Polymath Consulting Ltd.’s behalf.
- Data Subjects: All living individuals about whom Polymath Consulting Ltd. hold Personal Data. All Data Subjects have legal rights concerning the processing and storage of their personal information.
- Data users: Employees and Directors of Polymath Consulting Ltd., and Consultants & Suppliers engaged by Polymath Consultants, work involves processing your Personal Data. Data users are responsible for the proper use of the data they process and must protect the data they handle in accordance with this Notice.
- The Enactments: The Data Protection Act 1998 (the Act) up to and until 25 May 2018 after which The General Data Protection Regulations 2017 (GDPR) will apply, both of which regulate the way in which all Personal Data is held and processed.
- Personal Data: Information which can be used to directly or indirectly identify a living individual.
- Processing: Any activity in which the data is used, including (but not limited to) obtaining, recording, organising, amending, retrieving, using, disclosing, erasing, destroying and/or holding the data. The term “processing” also includes transferring personal data to third parties.
- Supervisory Authority: The Authorised Body which is empowered to govern and manage how the GDPR is implemented and abided by in a particular EU state. In the case of the UK the Supervisory Authority is the: Information Commissioner’s Office.
- Sensitive Personal Data: This includes information about a person's race, ethnicity, political opinions, convictions, religion, trade union membership, physical and/or mental health, and sexual preference. Sensitive personal data can only be processed with the express written consent of the person concerned
In accordance with the GDPR anyone processing Personal Data must comply with the six principles of good practice. These provide that Personal Data must:
- be processed fairly, lawfully and transparently;
- only be used for the purpose for which it was collected;
- be adequate, relevant and not excessive for the purpose for which it is being processed;
- be accurate and kept up-to-date;
- not be kept longer than necessary to fulfil the purpose of its collection; and
- be kept secure and protected from unauthorised processing, loss, damage or destruction (which includes the data not being transferred to a country or territory outside the European Economic Area unless the Personal Data is adequately protected and/or consent of the Data Subject has been provided).
1. Fair, Lawful and Transparent Processing
For Personal Data to be processed lawfully, the basis for the processing must be one of the legal grounds set out in the Enactments. These include, among other things, your written consent to the processing, or that the processing is necessary for the performance of Polymath Consulting Ltd.’s consulting and service contract with you.
In the event Polymath Consulting Ltd. collect Personal Data directly from you, this Notice should assist in informing you about:
- The purpose or purposes for which Polymath Consulting Ltd. intend to process your Personal Data.
- The types of third parties, if any, with which Polymath Consulting Ltd. may share or disclose your Personal Data.
- The means with which you can limit Polymath Consulting Ltd. processing and disclosure of your Personal Data.
If Polymath Consulting Ltd. receive Personal Data about you from other sources, Polymath Consulting Ltd. will provide you with this information as soon as possible thereafter.
When sensitive personal data is being processed, additional conditions and securities must be in place to ensure protection.
2. Processing for Limited Purposes
In the course of Polymath Consulting Ltd.’s business, Polymath Consulting Ltd. shall process the Personal Data Polymath Consulting Ltd. receive directly from you (for example, by you completing forms, sending Polymath Consulting Ltd. papers or from you corresponding with Polymath Consulting Ltd. by mail, phone, email or otherwise) and your Personal Data which Polymath Consulting Ltd. receive from any other source.
Polymath Consulting Ltd. shall only process your Personal Data to fulfil and/or enable Polymath Consulting Ltd. to satisfy the terms of Polymath Consulting Ltd. obligations and responsibilities in Polymath Consulting Ltd. role as contracted or for any other specific purposes permitted by the Enactments. Should Polymath Consulting Ltd. deem it necessary to process your Personal Data for purposes outside and/or beyond the reasons for which it was originally collected, Polymath Consulting Ltd. will contact you first, to inform you of those purposes and Polymath Consulting Ltd. intent and may also apply for your consent.
3. Adequate, Relevant Non-Excessive Processing
Polymath Consulting Ltd. will only collect and process your Personal Data as required to fulfil the specific purpose/s of Polymath Consulting Ltd. contract and agreements with you.
4. Accurate and up to date data
Polymath Consulting Ltd. shall ensure that all Personal Data held is accurate and up to date and will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. If you become aware that any of your Personal Data is inaccurate, you are entitled to contact Polymath Consulting Ltd. and request that your Personal Data is amended. Polymath Consulting Ltd. will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
5. The Timely Processing of the Data
Polymath Consulting Ltd. will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Once Personal Data is no longer required, Polymath Consulting Ltd. will take all reasonable steps to destroy and erase it.
6. Keeping Your Personal Data Secure
Polymath Consulting Ltd. employees, directors and suppliers are bound to Polymath Consulting Ltd. privacy policies, procedures and technologies which maintain the security of all your Personal Data from the point of collection to the point of destruction.
Polymath Consulting Ltd. maintain data security by protecting the confidentiality, integrity and availability of your Personal Data, and when Polymath Consulting Ltd. do so Polymath Consulting Ltd. abide by the following definitions:
- Confidentiality: Polymath Consulting Ltd. ensure that the only people authorised to use your personal data can access it.
- Integrity: Polymath Consulting Ltd. will make certain that your Personal Data is accurate and suitable for the purpose for which it is processed.
- Availability: Polymath Consulting Ltd. has established procedures which mean only Polymath Consulting Ltd. authorised Data Users should be able to access your Personal Data if they need it for authorised purposes.
- Polymath Consulting Ltd. also maintain security procedures which include, but are not limited to:
- Secure lockable physical building which shall be kept locked if it holds your personal data.
- Methods of disposal. Paper documents containing Personal Data are shredded and digital storage devices shall be physically destroyed when they are no longer required.
- Data Users shall be appropriately trained and supervised in accordance with this Notice which include requirements that computer monitors do not show confidential information to passers-by and that Data Users log off from or lock their PC/electronic device when it is left unattended.
- My computers have appropriate password security, boundary firewalls and effective anti-malware defences. Polymath Consulting Ltd. routinely back-up electronic information to assist in restoring information in the event of disaster and Polymath Consulting Ltd. software is kept up-to-date with the latest security patches.
- One or all of the following measures shall be applied to the personal data held; separating the personal data and/or pseudonymisation and/or the encoding of the data
- Polymath Consulting Ltd. will ensure that this Notice is kept updated in response to any amendments to the Law.
Polymath Consulting Ltd. shall take appropriate security measures against unlawful and/or unauthorised processing of personal data, and against the accidental loss of, or damage to, your Personal Data.
Polymath Consulting Ltd. shall only transfer your Personal Data to a Data Processor (a Data User outside Polymath Consulting Ltd. business) if the Processor agrees to comply with Polymath Consulting Ltd. procedures and policies, or if the Processor puts in place security measures to protect Personal Data, which Polymath Consulting Ltd. consider adequate and are in accordance with the Enactments.
Transferring the Personal Data out of the EEA
Polymath Consulting Ltd. shall only transfer any Personal Data Polymath Consulting Ltd. hold to a country outside the European Economic Area ("EEA"), if one of the following conditions applies:
- The country to which your Personal Data shall be transferred ensures an adequate level of protection and can ensure your legal rights and freedoms.
- You have given your consent that your Personal Data is transferred.
- The transfer is necessary for one of the reasons set out in the Enactments, including the performance of a contract between you and Polymath Consulting Ltd., or to protect your vital interests.
- The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
- The transfer is authorised by the ICO and Polymath Consulting Ltd. has received evidence of adequate safeguards being in place regarding the protection of your privacy, your fundamental rights and freedoms, and which allow your rights to be exercised.
- The Personal data Polymath Consulting Ltd. hold may also be processed by staff operating outside the EEA who work for one of Polymath Consulting Ltd. suppliers. Those Data Users may be engaged in, among other things, the fulfilment of contracts with you, such as the processing of payment details and/or the provision of support services.
How Polymath Consulting Ltd. Will Use Your Personal Data
Polymath Consulting Ltd. will only collect and process your Personal Data to the extent that it is needed to fulfil Polymath Consulting Ltd. operational and contractual needs or to comply with any legal requirements.
Polymath Consulting Ltd. shall access and use your Personal Data in accordance with your instructions and as is reasonably necessary:
- to fulfil Polymath Consulting Ltd. contractual obligations and responsibilities to you;
- to provide, maintain and improve Polymath Consulting Ltd. consultancy and other services;
- if Polymath Consulting Ltd. intend to use your personal data for the advertising and marketing of Polymath Consulting Ltd. services. Polymath Consulting Ltd. shall seek your separate express consent and you are entitled to opt out of these services at any time; and
- to respond to your requests, queries and problems;
- to inform you about any changes to Polymath Consulting Ltd. services and related notices, such as security and fraud notices.
When Polymath Consulting Ltd. May Share Your Personal Data
There are times when Polymath Consulting Ltd. may need to share your Personal Data. This section discusses how and when Polymath Consulting Ltd. might share your Data.
In the course of Polymath Consulting Ltd. fulfilling Polymath Consulting Ltd. role as your service partner it will be necessary for Polymath Consulting Ltd. to disclose your Personal Data in certain situations:
- In Polymath Consulting Ltd.’s role as contracted Polymath Consulting Ltd. may need to share your Personal Data with certain bodies to fulfil Polymath Consulting Ltd.’s contract with you such as your suppliers, your customers, contractors and sub-contractors, and other governmental, regulatory bodies.
- If Polymath Consulting Ltd. are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, lawful requests, court orders and legal process.
- To enforce or apply any contract or other agreement with you.
- To protect Polymath Consulting Ltd. rights, property, or safety and that of others, in the course of investigating and preventing money laundering and fraud.
Your Rights and Requests Concerning Your Personal Data
Polymath Consulting Ltd. will process and manage all your Personal Data in line with your rights; in particular your rights to:
- request access to any data Polymath Consulting Ltd. hold about you;
- prevent the processing of your Personal Data for direct-marketing purposes, if so instructed;
- ask to have inaccurate Personal Data amended;
- be forgotten, and have all relevant Personal Data erased (subject to Polymath Consulting Ltd. overriding legal obligations);
- prevent processing which is likely to cause damage or distress to you or anyone else;
- request certain restrictions on the processing of your Personal Data;
- receive a copy of your Personal Data and/or request a transfer of your Personal Data to another Data Controller;
- not be subject to automated decision making;
- be notified of a data security breach which affects your rights and freedoms, without undue delay;
- if you have provided your express consent that your Personal Data may be processed for marketing and advertising purposes, you are entitled to withdraw that consent. Such a withdrawal will not affect any processing of the data completed before consent was withdrawn; and
- to make certain requests to Polymath Consulting Ltd. concerning how your Personal Data is managed.
Access and portability requests
You are entitled to request access to your Personal Data unless providing a copy would adversely affect the rights and freedoms of others.
You can also request information about the different categories and purposes of data processing; recipients or categories of recipients who receive your Personal Data, details on how long your Personal Data is stored for, information on your Personal Data's source and whether the Data Controller uses automated decision-making.
You also have “Data Portability” rights which include the right to request a copy of your Personal Data be sent to you or transmitted to another Data Controller.
You are entitled to request Polymath Consulting Ltd. correct or complete your inaccurate or incomplete Personal Data without undue delay and Polymath Consulting Ltd. will update the information and erase or correct any inaccuracies as required.
You can exercise your “right to be forgotten” and can request Polymath Consulting Ltd. erase your Personal Data. On receiving a request Polymath Consulting Ltd. must erase the Personal Data without delay, unless an exception applies that permits Polymath Consulting Ltd. to continue processing your data. Details of such exceptions are contained in the Enactments and include situations where Polymath Consulting Ltd. might need to retain the information to carry out Polymath Consulting Ltd. official duties and/or comply with legal obligations and/or for the establishment of exercising or defending legal claims, or it is in the public interest to retain your Personal Data.
You may request restrictions be applied to the processing of your Personal Data for some specific reasons such as you contest the accuracy of the data, the processing is unlawful or if Polymath Consulting Ltd. no longer need to process your Personal Data. You can also request restrictions be applied if the processing is being done for public interest or third party reasons.
If such a request is received Polymath Consulting Ltd. can continue to store your Personal Data, but may only process it under certain circumstances, such as: you give consent for Polymath Consulting Ltd. to continue processing your data, Polymath Consulting Ltd. need to establish, exercise, or defend legal claims or Polymath Consulting Ltd. need to protect the rights of another individual or legal entity or for important public interest reasons.
You may also object to your Personal Data being processed under certain circumstances, including for direct marketing purposes and profiling related to direct marketing.
If Polymath Consulting Ltd. receive such an objection Polymath Consulting Ltd. will stop processing your Personal Data unless Polymath Consulting Ltd. can show a compelling legitimate ground for processing your Personal Data which overrides your interests and the basis of your request.
Your Telephone Queries and Requests
When receiving telephone enquiries, in which Personal Data is requested Polymath Consulting Ltd. will only verbally disclose Personal Data held on Polymath Consulting Ltd. systems if Polymath Consulting Ltd. can confirm the caller's identity so as to ensure that the data is only given to a person who is entitled to receive it.
Polymath Consulting Ltd. may suggest that a caller put their request in writing to assist in establishing the caller’s identity, and to enable Polymath Consulting Ltd. to clearly record the nature of the request and to assist in further identity checks.
If Polymath Consulting Ltd. has reasonable doubts about the identity of the person making the request, Polymath Consulting Ltd. may request additional information to confirm the caller’s identity.
Your Written Queries and Requests
When responding to written requests Personal Data will only be disclosed if Polymath Consulting Ltd. can confirm the identity of the sender and/or sufficient supporting evidence is provided by the sender establishing their identity.
Responding to Your Requests
Upon receiving a request from you concerning your Personal Data, Polymath Consulting Ltd. will respond within one month of receiving the request by email (unless you request a response in an alternative format).
If Polymath Consulting Ltd. is unable to immediately comply with your request Polymath Consulting Ltd. will inform you within Polymath Consulting Ltd. response stating whether Polymath Consulting Ltd. need to extend Polymath Consulting Ltd. response time (for up to a maximum of two months), along with an explanation for the delay.
If Polymath Consulting Ltd. do not take any action within one month after receiving your request, you are entitled to request an explanation from Polymath Consulting Ltd. as to why no action was taken and you may make a complaint to the ICO: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF (Tel: 0303 123 1113) (email. firstname.lastname@example.org)
When responding to Personal Data requests Polymath Consulting Ltd. will provide the information without an administrative fee. Once the GDPR comes into force, Polymath Consulting Ltd. will not be entitled to charge for the provision of your personal data, unless the requests are manifestly unfounded or excessive, particularly if it is repetitive in which case Polymath Consulting Ltd. may refuse to act on the request, or apply further fees to cover the associated administrative costs.
If you feel that your questions or concerns regarding your Personal Data have not been dealt with adequately or that your request has not been fulfilled by Polymath Consulting Ltd., you can use Polymath Consulting Ltd. complaints procedure, by emailing Polymath Consulting Ltd. at email@example.com
If, at the conclusion of Polymath Consulting Ltd. complaints procedure you do not feel that Polymath Consulting Ltd. has adequately dealt with your complaint you may make a complaint directly to ICO: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF (Tel: 0303 123 1113) (email. firstname.lastname@example.org).
Changes to Polymath Consulting Ltd. Data Protection Policy