1. What is the purpose of this document?
Mason Advisory Limited of North West Wing, Bush House, Aldwych, London WC2B 4PJ, the data controller for the purposes of the Data Protection Act 2018 (‘We’, ‘Us’, ‘Our’) are committed to protecting and respecting your privacy.
This Privacy Notice sets out how we will collect and process data from you or receive and process data that you provide to us, in accordance with all applicable data protection legislation in force from time to time including, but not limited to, the Data Protection Act 2018 and any replacement legislation and the General Data Protection Regulation (Regulation (EU) 2016/679).
2. Data Protection Principles
Mason Advisory adheres to the following principles:
- lawfulness, fairness & transparency
- purpose limitation – ensuring data is handled for specific, explicit and legitimate purposes
- data minimisation – ensuring the data we use is limited to what is relevant and necessary
- accuracy – ensuring data is accurate and up to date
- storage limitation – ensuring the data is retained for no longer than necessary
- integrity and confidentiality – ensuring data is appropriately protected.
3. The Categories of Information we hold about you
For customers, we will hold personal data, including names and contact details of individual employees (including those in procurement and finance roles), Companies House data which may include personal addresses of directors, and project-related data, which will depend on the nature of the work being undertaken, but which may include the following in relation to employees: names and job roles; work-related telephone numbers and addresses; organisation charts (which may include photos); performance-related data; remuneration data; contract-related details; telephone billing data and call records; information relating to Internet and IT usage; and any other data deemed necessary to undertake the work commissioned by our customers, subject to their agreement.
For job applicants, we will hold personal data, including names and contact details; CVs and applications; details required to make any necessary payments, where applicable; we may review social media accounts of applicants; and we will hold feedback gathered from interviews.
We will also hold special category data if you have disclosed information about your health or disabilities in line with the Equal Opportunities Act 2010, or if you have disclosed criminal convictions.
If an applicant is successful, some of this data may be retained for a longer period, in line with the separate processing notice issued to employees.
4. How is your personal information collected?
We will collect contact details via our website if you choose to disclose them; we will collect customer data directly from customer sources; we will collect applicant information including CVs via the website, LinkedIn or email; we may collect data from applicants’ social media accounts.
5. The lawful basis on which we process this information
For customers and job applicants, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
6. How we will use information about you
We use information we hold about you in the following ways:
- to carry out our obligations arising from any contracts we have entered into with you and to provide you with the information, products and services that you request from us
- to maintain our accounts and records, to undertake research and to support and manage our employees
- to provide you with information about other products and services we offer that are similar to those that you have already purchased or enquired about
- to provide you, or permit selected third parties to provide you, with information about products or services we feel may interest you
- to notify you about changes to our service
- to assess your suitability to work for us.
7. Data sharing
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
“Third parties” includes third-party service providers (including contractors and designated agents).
This includes our IT service provider and IT systems providers; our website provider; certification bodies; and subcontractors and associates. The following activities are carried out by third-party service providers: provision of document management system; provision of pipeline management system; website hosting and maintenance; payment processing; financial auditing; information security auditing; quality auditing; consulting work.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
8. Data security
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
9. Data retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available from our Data Protection Compliance Manager who can be contacted at email@example.com. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
For customers, project-related data will be retained for a minimum of six years in line with our liabilities; contact details will be kept for up to three years after completion of the contract.
For job applicants, we will keep data for a maximum of six months.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. We will retain and securely destroy your personal information in accordance with applicable laws and regulations.
10. Your individual rights
Your right to access information:
You can find out if we hold any personal information about you by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you, we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it has been disclosed to; and
- let you have a copy of the information in an intelligible form.
You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances.
You can request access to the information we hold about you at any time by contacting Alex Sowerby at firstname.lastname@example.org.
If you believe that any of the personal information we hold about you is incorrect, you have the right to ask us to rectify that information at any time.
You may also have the right, in certain circumstances, to request that we delete your personal information, to block any further processing of your personal information or to object to the processing of your personal information. There are some specific circumstances where these rights do not apply and we can refuse to deal with your request.
If we are processing your personal information based upon your consent (e.g. as part of our marketing or promotional activities or to make a voluntary referral to an external agency), you have the right to withdraw your consent at any time.
If you require any further information about your right to rectification, erasure, restriction of processing or objection to processing, or you wish to withdraw your consent, please email us at email@example.com.
We take any complaints we receive about the collection and use of personal information very seriously. We would encourage you to bring it to our attention if you think that our collection or use of information is unfair, misleading or inappropriate. You can make a complaint at any time by contacting us at CEO@masonadvisory.com.
If you think our collection or use of personal information is unfair, misleading or inappropriate or if you have concerns about the security of your personal information, you also have the right to make a complaint to the Information Commissioner’s Office. You can contact the Information Commissioner’s Office at the following address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
12. Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact Alex Sowerby, Data Compliance Management Officer, by emailing firstname.lastname@example.org.