Privacy Notice in Line with General Data Protection Regulations (May 2018)
Data Controller: Amy Huskisson
AV Wellbeing Ltd provides education and training services based at 29, Arboretum Street, Nottingham, NG1 4JA (registered office). This privacy notice provides information about the personal information we process about you as a data controller, in compliance with the General Data Protection Regulation (GDPR).
Please contact Amy Huskisson at email@example.com with any questions or requests about the personal information we process.
We are committed to protecting your rights to privacy. They include:
Right to be informed about what we do with your personal data;
Right to have a copy of all the personal information we process about you;
Right to rectification of any inaccurate data we process, and to add to the information we hold about you if it is incomplete;
Right to be forgotten and your personal data destroyed;
Right to restrict the processing of your personal data;
Right to object to the processing we carry out based on our legitimate interest;
GDPR Lawful Basis for Data Storage / Processing: ‘Legitimate Interests’ 6 (1) (f)
The information we hold can include the following:
Full name, address, telephone numbers and email addresses.
We also process personal data pursuant to our legitimate interests in running our business such as invoices and receipts, accounts, VAT and tax returns, insurance policies and related documents.
All information as noted above is stored in locked or password-protected locations and will never be shared with third parties. You have a right to request access to your personal information held on file. Further details of this right, along with other individual rights, can be found in the GDPR guidance document published by the ICO (Information Commissioner’s Office). All personal data will only be retained for as long as you are a client of AV Wellbeing Ltd. If you cease business with us, only basic contact details will be retained, in case we need to contact you about past billing at a future date. All other personal data will be securely disposed of.
Privacy of Clients
GDPR Lawful Basis for Data Storage / Processing: ‘Legitimate Interests’ 6 (1) (f) – with legal authority under Article 10.
As per Article 6 (1) (f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
In many cases, an individual has consented to the transfer of their personal data to us. Where an individual has consented, he or she may easily withdraw it by contacting AV Wellbeing directly.
Personal data is retained, where necessary, for two years in compliance with our business obligations. Administrative data is retained for up to six years as necessary, in the unlikely event there are queries from HMRC and the VAT commissioner. Where it is not necessary to retain the data for six years, it is destroyed as soon as possible.
Personal data relating to employees who have left our employment is also retained for up to six years as necessary. This is the time limit for bringing a breach of contract claim. In some cases we destroy it as soon as the employee leaves.
Whom do we share personal data with?
We share personal data internally strictly on a need-to-know basis. Special category data and personnel files held electronically are encrypted with restricted access. Hard copy special category and other personal data is stored securely with restricted access.
We do not share personal data with anyone external to the organisation, other than with:
HMRC and the VAT Commissioner as they require
Information Commissioner’s Office
If you have any concerns about the way your personal information has been processed, please contact Amy Huskisson above. Alternatively, you may contact the Information Commissioner’s Office on 0303 123 1113.
This is not an absolute right and only applies in certain circumstances, e.g. if the data is no longer necessary for the purpose for which it was originally collected, or consent is withdrawn and there are no overriding legitimate interests to continue processing the data.
This is not an absolute right but may apply if the data has been unlawfully processed or there are concerns regarding the accuracy or legitimate grounds for processing the personal data.