What is the purpose of this document?
Ecrebo Limited is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR). It applies to everyone whose personal data we process in our capacity as “data controller”, with the exception of our (current and former) employees, workers and contractors. It does not apply to data we hold as “data processor” on behalf of our clients.
This notice is not contractual and we may update it at any time. We may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical.
Data protection officer
We have appointed Michael Poyser as our data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please e-mail him at email@example.com.
Data protection principles
Ecrebo must comply with the principles relating to processing of personal data set out in the GDPR which, in summary, state that personal data shall:
The kind of information we hold about you and what we do with it
We collect contact details (name, address, e-mail address, telephone number, job titles and organisation details) of clients, potential clients, suppliers, advisers, collaborators and other stakeholders. This information may be used for the legitimate interest of communicating with you in relation to specific matters that you are involved in, or matters that you might be able to assist with. We may also contact you to keep in touch or make introductions.
We use the contact details of our shareholders to send them updates about the business and their investment in it as well as agreements, resolutions and documents relevant to their shareholding. We
also provide their name and shareholding details, as well as the name, home address, service address, date of birth, occupation and nationality of directors, to Companies House.
If you apply for a job with Ecrebo, we will keep your name, contact details, current salary and CV and may use these to contact you about applicable jobs.
We may share your personal information for our legitimate interests in the context of the possible sale, transfer or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the buyer (and their group companies and professional advisers to the extent relevant) before the transaction completes. Once the transaction is completed, we will share your personal data with such recipients if and to the extent required under the terms of the transaction or required by law.
We may provide your personal details, as appropriate for our legitimate interests or to comply with our legal obligations, to our banks, accountants, auditors, insurers and professional advisers, who are not permitted to use this data for their own purposes.
We may share your personal information with our US subsidiary, Ecrebo Inc, to the extent that it forms part of our regular reporting activities on company performance, to achieve best practice across the businesses and to share know-how and market information, in the context of a business reorganisation or group restructuring exercise, and for system maintenance support and hosting of data.
Who may see your data
Our IT support and office management system providers have access to all data on our systems to provide their services to us for legitimate interests. We use G-Suite for our e-mail exchange, which is provided by Google. We only allow our third-party service providers to use your personal data for specified purposes and in accordance with our instructions.
Special categories of personal information
"Special categories" of particularly sensitive personal information, such as information about a person's health or sexual orientation, require higher levels of protection.
We are unlikely to store any “special category” data about you unless you specifically provide this to us and consent to us doing so.
If you are disabled, we may collect, store and use information regarding your disability in order to make adjustments to our premises or find a suitable alternative for meetings with you and to ensure your health and safety at our premises.
We will not store or use information about any criminal convictions and offences, unless you have provided your consent to it.
Any personal data may be held and used for establishing, exercising or defending legal claims.
In limited circumstances, we may approach you for your written consent to allow us to process other sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information, whether sensitive or not.
Transferring information outside the EU
The e-mail system we currently use, Google G-Suite, is backed up in the USA but safeguards are in place as the provider is signed up to the standard data protection clauses adopted by the European Commission.
If you fail to provide personal information
If you fail to provide us with any personal data that we need in order to comply with our legal or contractual obligations or to operate the business appropriately, we may not be able to do business with you, depending on the specific data, why we need it and what risks the provision of it poses to your rights and freedoms.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We only send marketing correspondence to people who have opted in to this. If you wish to opt out at any time, please contact our Head of Marketing, Sarah Todd, at firstname.lastname@example.org.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will you use my information for?
We will hold your personal data until we are satisfied that there is no longer any purpose for retaining it. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
If you apply for a job with Ecrebo, we will keep your name, contact details, current salary and CV on file for up to three years, although we may delete it before then if we do not anticipate any need for recruitment applicable to you within this time.
In some situations, we may anonymise data so that it no longer identifies you, in which case we may hold and use that data without notifying you.
Rights of access, correction, erasure, and restriction
You have a number of rights under the GDPR:
These are not absolute rights and are subject to specific conditions and depend on our processing purposes. If you are interested in using any of these rights, please contact our DPO.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes.
Right to withdraw consent
To the extent that any data processing is based on your consent, you may withdraw that consent at any time by notifying our DPO in writing (including e-mail).
If you are unhappy with any aspect of Ecrebo’s processing of your personal data, we ask that you talk to us about it first and discuss your concerns with our DPO, Michael Poyser. If you are not satisfied with the outcome, you may lodge a complaint with the Information Commissioner’s Office, the UK supervisory authority for data protection issues.