Data Protection Privacy Notice
Welcome to summ.it Assist LLP’s Privacy Notice, referred to in this document as “summ.it”, “the Company” or “We”.
Here at summ.it we respect your privacy and are highly committed to protecting your personal data.
When we refer to “your” personal data we are referring to you personally and, where it is applicable, to any individuals who are connected to your business, such as employees, consultants or workers, who you request that we process data for, in the provision of our services.
The General Data Protection Regulation (GDPR) is the latest EU data privacy and protection framework, effective from 25 May 2018.
summ.it delivers customised business solutions for ambitious SMEs in the areas of Accounting, Human Resources, Payroll, IT and Training and, in the effective delivery of these services, we accept that we are a processor of personal data and, in some cases, special categories of personal data.
We recognise that the processing of such data is fundamental to the delivery of our services and commit to complying with data protection law, which requires us to process personal data according to the following principles:
- It will be used lawfully and fairly;
- Its use, storage and removal will be transparent;
- It will be collected for valid purposes that have been clearly explained to you and not used for other purposes, unknown to you;
- It will be accurate and kept up to date;
- It will be kept securely; and
- It will only be kept for as long as is necessary.
We are committed to GDPR compliance and take our obligations seriously by building them into our day-to-day and strategic processes, some of which you may wish to consider when conducting your assessment of summ.it from a GDPR point of view.
summ.it Data Protection Privacy Notice – Version 1 – May 2018
Who to Contact
This Policy sets out basic information; however, you may have specific questions or wish to exercise your legal rights.
We have set up a designated e-mail address for GDPR purposes; please use this or any of the contact details below:
summ.it assist LLP
Neil Smith, Head of IT
2nd Floor, 3 Hardman Square, Spinningfields, Manchester, M3 3EB
0161 837 6207
If you believe that we have collected or processed your personal data incorrectly, you have the right to make a complaint to the relevant body, the Information Commissioner's Office (ICO) (www.ico.org.uk); however, we would appreciate the chance to deal with your concerns, so please contact us in the first instance.
What is “Personal Data”?
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Special Categories of Personal Data
There are also special categories of personal data, as identified by GDPR, which include information relating to: racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership status, genetics, biometrics (for ID), physical or mental health, sexual life or sexual orientation, and criminal activity (including alleged activity), proceedings, convictions or sentences.
In general, we do not collect any Special Categories of Personal Data about you, unless you are a Candidate or an Employee, in which case a separate Applicant Privacy Notice and an Employee Privacy Notice are available.
Where you are a client, in particular one who accesses our HR or Payroll services, it is also necessary for us to collect and process some special categories of personal data regarding individuals who are connected to our clients, such as Contractors or Employees.
The collection and processing of this data is limited to the provision of services to our clients to enable us to provide payroll and HR advisory services and in fulfilling our contract with them.
When do we collect and process personal data?
We may collect and process personal data in a variety of ways. The main ways are identified below as examples, but this may not be an exhaustive list. For example, when you:
- Interact with us directly via a telephone call, in-person discussion, networking event etc.;
- Visit our website or social media channels;
- Sign up to our marketing mailing list;
- Attend one of our events or seminars;
- Become a prospective client;
- Become a client;
- Apply for a work placement, work experience or job with us;
- Become an Employee;
- Work with us in a business relationship capacity such as a consultant, referrer, supplier or any other third party.
Keeping it Accurate
In fulfilling our GDPR commitments, it’s important that the personal data we hold about you is accurate and up to date. As such, please keep us informed of any changes so that we can update our records and maintain our all-important relationship with you.
The Types of Data we Collect
We may collect, use, store and transfer a variety of personal data about you during our relationship with you.
We have attempted to group these together; however, again, this cannot be exhaustive:
- The services you purchase from summ.it and payments made, including transactions.
- Addresses, e-mail, social media, telephone numbers.
- Bank accounts, passwords for access to bank accounts and financial software packages, credit card or other payment methods, financial, salary and other payroll records.
- First names, surname, maiden name, usernames, marital status, title, date of birth, gender, photographic ID, national insurance numbers, passport details, driving licence details and other special categories of personal data.
- Marketing & Communications: e-mail, social media identity, survey responses and your preferences in what M&C information you wish to receive from us.
- Username and passwords.
- Your IP address and information about the technology on the devices you use when you access our website or social media platforms.
- How you use our website, social media platforms and your usage of our products and services.
Failing to provide Personal Data
Where we need to collect personal data by law or under the terms of a contract that we have with you, and you fail to provide the data when requested, we may not be able to perform the contract.
In such cases, having exhausted all avenues, we may be unable to start providing services, or may have to cancel the services; however, this will only occur following formal notification with an opportunity to rectify matters.
Reasons why we use your Personal Data and Consent
We will only use your Personal Data lawfully and most commonly when we need to perform the contract which we have entered into with you, where we need to comply with a legal or regulatory obligation or where it is necessary for our legitimate interests (and your interests do not override ours).
As such, generally, except for some marketing activities, we do not rely upon consent as a legal basis for processing your Personal Data.
We believe that direct marketing and communication with current clients is a fundamental part of our contractual commitment, as our “news” includes changes to employment and business law, and so we rely on this legitimate interest to automatically put you on our mailing list, with the option for you to opt out at any time.
If you are not an existing client, we will ask you to opt in and therefore consent to receiving our marketing and communication information. The newsletter sign up section on our website clearly asks you to opt in to receiving marketing and communication from us.
We generally do not share your personal data with any other company for marketing purposes but in the unusual event that we do, we will obtain your express consent for this.
If you are on our mailing list, you have a clear and easy way to opt out at any time. If you opt out of marketing and communication with us, we will continue to process your personal data in the provision of our services, and your e-mail address will be retained, but not used, on our chosen online mailing software for record-keeping purposes unless you specifically request that it be deleted.
Disclosure of your Personal Data
We may have to share your Personal Data for the purposes of providing our services.
These include, but this list is not exhaustive:
- Service and software providers such as Zoho (CRM), Pension Portals, XpertHR, Belbin, Microsoft, Egnyte, Sage, Xero, Iris etc., who act as processors;
- Professional Advisers acting as processors, including lawyers, insurance brokers, tax specialists, auditors, insurers, business consultants, recruitment agents, banks and insurers, based in the UK, who provide consultancy, banking, legal, insurance and accounting services;
- HM Revenue & Customs, Regulators, Money Laundering Agents and other authorities based in the UK who require reporting of processing activities;
- Third-party providers for marketing or event booking services such as Mailchimp, Surveymonkey, Google or similar.
We require all third parties to respect the security of Personal Data and to treat it in accordance with the Law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process it for the specified purposes and in accordance with our strict instructions.
We seek to ensure that all of our chosen third-party providers are GDPR compliant or equivalent.
Transferring Data outside of the EEA and our Mauritius Office
We are based in the UK and do not transfer your personal data outside of the EEA except where this is necessary for the performance of our contract with you.
Where we do, we will make sure that suitable safeguards are in place, by agreeing express contractual arrangements, to ensure that the provider is GDPR compliant or equivalent.
We have an office in Mauritius which is located outside of the EEA and which processes Personal Data in respect of our finance, payroll and IT services for clients.
The business is a 100% owned subsidiary of summ.it assist LLP and all people working in this location are employed on a permanent basis and have undergone the relevant checks to ensure that they are qualified and have passed UK standard employment eligibility and suitability tests to work in such an environment, handling client personal and confidential data.
All Mauritius-based employees are trained to UK GDPR standards and work in a paperless office environment. Electronic data is stored either on the same software systems as in the UK (for example Xero, Sage, Iris etc.) or, for all other electronic documentation, on Egnyte, our chosen cloud storage system, which is GDPR compliant and managed by our in-house IT team based in the UK.
Our in-house IT team has put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Our strategy on data security includes physical access controls, restriction of access to and encryption of data stored on automatically updated systems, protected by hardware and software firewalls, antimalware solutions and multi-layered business continuity and disaster recovery strategies.
We only engage with GDPR-compliant providers of cloud systems such as Microsoft, Egnyte and Amazon and data is only held on our UK and cloud providers’ systems with no data held in Mauritius.
In addition, our internal controls mean that we limit access to your personal data to those employees, agents, contractors and other third parties on a “need to know” basis.
If they process your personal data as part of their role they do so under a duty of confidentiality and having been trained on our data protection standards which are in line with GDPR.
If requested, we send client documentation, reports or e-slips to a designated e-mail address with password protection; however, where possible we use portals.
We have put in place procedures to deal with any suspected or actual data breach and will notify you where we are required to do so.
We are highly confident in the security of our systems; however, it is good to have an extra level of security. As such, we have cyber insurance cover which provides £1m of cover.
We will only retain your Personal Data, and that which belongs to individuals connected with your business, for as long as is necessary to fulfil our contract with you or for the purposes of satisfying a legal, accounting or regulatory requirement.
We assess retention on a case-by-case basis; however, our minimum periods for retaining personal data are:
- For the entire period that you are a client or have a business relationship with us;
- For two years after you have ceased being a client or having had a business relationship with us in which case all personal data will be deleted with the exception of basic information such as client name, services used, main contact name and contact details and any relevant information which we feel may be of mutual benefit in the future;
- For 6 years plus the current year in the case of financial or payroll information.
In the case of marketing and communications, we will retain and process this indefinitely until such time as you opt out.
In some cases, we may anonymise your personal data so that it can no longer be associated with you, for research or statistical purposes and we may use this information indefinitely without further notice to you.
Your Legal Rights
You have the right to:
- Request Access to your personal data, commonly referred to as a data subject access request or DSAR, which enables you to receive a copy of the personal data we hold on you and to check that it is being lawfully processed;
- Request Correction of your personal data which enables you to have any incomplete or inaccurate data corrected;
- Request Erasure of your personal data. This allows you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. Please note that, whilst we wish to comply with this as much as possible, it may be difficult to agree to this if we are required to continue processing for a legal reason; however, we will notify you of this.
If you wish to exercise any of these rights, please contact us.