Privacy Policy
1 Definitions
Personal Data – any information relating to an identified or identifiable natural person.
Processing – any operation or set of operations that is performed on Personal Data or on sets of Personal Data.
Data subject – a natural person whose Personal Data is being Processed.
Child – a natural person under 16 years of age.
We/us (either capitalised or not) - This document and references to “JJ Data Ltd.” and “we” and “us” apply equally.
2 Who We Are
JJ Data Ltd. is a company registered in England & Wales. Our company number is 16981168.
3 What We Do
We manually enter and upload data to proprietary cloud-based data management packages. To do this, our clients disclose personal data that they have collected from their customers. If required, we also communicate with customers on behalf of our clients. We may have to transfer information to other companies that perform specific actions at our request.
By using this site or/and our services, you consent to the Processing of your Personal Data as described in this Privacy Policy. This Privacy Policy is a part of our Terms and Conditions; by agreeing to Terms and Conditions you also agree to this Policy. In the event of collision of terms used in Terms and Conditions and Privacy Policy, the latter shall prevail.
4 The Law
JJ Data Ltd. is based in Wales and thus subject to the law applicable in England & Wales. In the case of data protection, the primary legislation in effect from 25th May 2018 is Regulation EU 216/679 (the General Data Protection Regulation), as well as the Data Protection Act 2018.
5 Data Protection Principles
JJ Data Ltd. follow these data protection principles:
Processing is lawful, fair, transparent - our Processing activities have lawful grounds. We always consider your rights before Processing personal data. We will provide you with information regarding Processing if you ask us.
Processing is limited to the purpose - our Processing activities fit the purpose for which your personal data was gathered.
Processing is done with minimal data - we only gather and process the minimal amount of personal data required for any purpose.
Processing is limited with a time period - we will not store your personal data for longer than needed.
We will do our best to ensure the accuracy of the data - most of the data we work with is disclosed to us by our clients. However, we do carry out checks to ensure it is accurate and up to date.
We will do our best to ensure the integrity and confidentiality of data - all our data is protected, as detailed in our Data Protection Policy.
6 Your Rights
As a Data Subject, you have the following rights:
Right to information - you have the right to know whether your personal data is being processed; what data is gathered, from where it is obtained and why and by whom it is processed.
Right to access - you have the right to access the data collected from/about you. This includes your right to request and obtain a copy of the personal data we hold on you.
Right to rectification - you have the right to request rectification or erasure of any of your personal data that may be inaccurate or incomplete.
Right to erasure - in certain circumstances, you can request that your personal data is erased from our records.
Right to restrict Processing - where certain conditions apply, you have the right to restrict the Processing of your personal data.
Right to object to Processing - in certain cases, you have the right to object to us Processing your personal data, for example in the case of direct marketing.
Right to object to automated Processing - you have the right to object to automated Processing, including profiling. You also have the right not to be subject to a decision based solely on automated Processing. This is a right that you can exercise whenever there is an outcome of the profiling that produces legal effects concerning or significantly affecting you.
Right to data portability - you have the right to obtain, from us, your personal data in a machine-readable format or, if it is feasible, as a direct transfer from one Processor to another.
Right to lodge a complaint - if we refuse your request under the Rights of Access, we will provide you with a reason as to why. If you are not satisfied with the way your request has been handled, please contact us.
Right for the help of supervisory authority - you have the right to the help of a supervisory authority and the right for other legal remedies, such as claiming damages.
Right to withdraw consent - you have the right to withdraw any given consent for the Processing of your personal data.
7 Where We Get Your Personal Information
Information about you may originate from different sources, including being collected directly from you. JJ Data Ltd. will disclose the source of any data held about you, on your request, if there is no overriding legal requirement not to do so. Such requests should be directed to the Data Protection Officer (DPO).
8 The Personal Data We Collect and How We Use It
When you visit our website
When you visit our website, certain personal information can automatically be collected from your device. This may include information like your IP address, device type, unique device identification number, browser type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our website, including the pages accessed and links clicked. Collecting this information enables us to better understand the visitors who come to our website, where they come from and what content on our website is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our website to our visitors. Some of this information may be collected using cookies and similar tracking technology, as explained further in our Cookie Notice.
We may also ask if you wish to receive more information about our services. If you do, you will have to opt-in to this service, by clicking a consent box. If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at info@jjdataltd.com.
We may use your personal information to send you promotional information about third parties which we think you may find interesting, if you tell us that you wish this to happen. We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.
When you telephone or write to us
JJ Data Ltd. stores and uses information that could be used to identify a living person. The information collected will vary, depending on the purpose of your call or letter/email. The purpose of this storage and use will vary depending on the area of the business that it pertains to. Where consent is required or used as the basis for storage and use of personal information, this will be clearly communicated and you have the right to withdraw it at any time.
When you work for us
We store information relating to employees and contractors so that we have adequate records to be able to contact, manage and pay you, and meet our legal obligations as an employer.
Only certain authorised personnel within the company have access to this information. This information may include your name, date of birth, home address, e-mail address, telephone number, banking details and other information. In addition, we collect data concerning your health, so we can make any necessary adjustments for your benefit and so that we may pass relevant information on to emergency services and healthcare professionals in the event of an illness or accident at work.
This information may be sent to another company working on our behalf (where the relationship is defined by a contract), and they are not permitted to use the information in any way we have not explicitly asked them to.
When you become our client
When you become our client, we will require certain information about you and/or your company, in order to legitimately conduct business on your behalf. This will include your business and/or trading name, registered address, telephone number, certain banking information (for the Processing of invoices/payments) and the personal information of named contacts eg. name(s), contact details (s). We will process and store this information for as long as the business relationship lasts and/or the time period as set by organisations, such as HMRC.
You will also agree, through a Data Disclosure Agreement, to share the personal data of your customers, so that we may carry out debt recovery services on your behalf. In this agreement, you undertake that you have informed your customers that their data may be shared with us, for this purpose. In return, we commit to Processing that data in a safe and protected manner.
When we buy things from you
If we buy goods and/or services from you, we may store names and business contact details of individual people working for your business. This is necessary to ensure we can contact the relevant people and maintain a relationship to the benefit of both our and your business. This information may include name, billing address, postal address, e-mail address, telephone, financial and other information.
When we deliver services
To deliver business services to our clients, we collect, store and use personally identifiable information including names, addresses, telephone numbers, email addresses, financial details and other demographic information, as far as it is necessary for the provision of that service.
Publicly Available Information
We might gather information about you that is publicly available. This may be information pertaining to your directorship of a company or your registered address.
Other Information
We reserve the right to anonymise personal data gathered and to use any such data. We will use data outside the scope of this Policy only when it is anonymised. We might process your personal data for additional purposes that are not mentioned here but are compatible with the original purpose for which the data was gathered. To do this, we will ensure that:
* the link between purposes, context and nature of personal data is suitable for further Processing.
* further Processing would not harm your interests and
* there would be an appropriate safeguard for Processing.
Automated Decision Making
We don’t currently utilise automated decision-making functions within its business. A Data Protection Impact Assessment (DPIA) would be carried out before any automated Processing (including profiling) activities were to be undertaken.
9 Data Retention
Except where a legal obligation to retain data exists, JJ Data Ltd. does not store personal information for any longer than is necessary for its defined purpose. If you express that you no longer wish to have your information used for the purpose under which we hold it, we may need to continue storing certain identifiers to ensure your information does not re-enter our systems at a later date. This data is stored apart from data that is in current use, is clearly labelled and access to it is restricted.
Data we hold on behalf of our clients will be held for up to 2 years, unless it is needed for longer to complete the delivery of the service we have agreed to provide or legislation requires us to. When data is no longer to be retained, its removal, deletion or erasure will be performed according to processes suitable for the medium. For example, paper documents will be securely shredded, data will be deleted from internal systems and we will overwrite (wipe) hard disks.
10 Data Storage and Security
We do our best to store information relating to our business on computer systems rather than in paper files, although it is often necessary to print certain documents, especially where legal documents are concerned. While these and similar items are ordinarily transferred quickly in sealed envelopes or given directly to the recipient, storage of them is managed by authorised staff who ensure that unauthorised persons do not have direct access. Most information is however, stored in computer systems. We apply an information security management system in accordance with the requirements of ISO 27001. Critical systems such as those relating to finance and service delivery are regularly backed up and/or continuously mirrored to protect against data loss and are physically located in secure premises.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put suitable physical,
electronic and managerial procedures in place to safeguard and secure the information we collect and/or is disclosed to us. We use safe protocols for communication and transferring data (such as HTTPS). We use anonymising and pseudonymising where suitable. We monitor our systems for possible vulnerabilities and attacks.
It is our policy that data stored electronically be protected from unauthorised access, accidental deletion and malicious hacking attempts. In addition to internal processes, we employ third-party service providers to manage elements of this. Even though we try our best we cannot guarantee the security of information. However, we promise to notify suitable authorities of data breaches. We will also notify you if there is a threat to your rights or interests. We will do everything we reasonably can to prevent security breaches and to assist authorities should any breaches occur. We are registered with the Information Commissioner’s Office.
11 Who Else can Access your Personal Data
In some cases, personal data about you is shared with our trusted partners to ensure we can provide our service to you as a client or fulfil legal obligations or enhance your customer experience. We only work with partners who can ensure an adequate level of protection to your personal data. We disclose your personal data to third parties or public officials when we are legally obliged to do so. We might disclose your personal data to third parties if you have consented to it or if there are other legal grounds.
12 Data Transfers
JJ Data Ltd. currently don’t (but may) make transfers of personal data outside the United Kingdom, including out of the European Economic Area. Such cases may be due to the physical location of a digital service provider that is storing data on our behalf, whose services are regulated by terms compatible with this policy and our compliance with applicable law. JJ Data Ltd. has, where local data protection regulations so require, put in place security measures for the export of personal data from its jurisdiction. Where local data protection regulations so require, JJ Data Ltd. has made arrangements with entities receiving your personal data such that they shall ensure that security measures are in place and that your personal data is processed only in accordance with EU Data Protection laws.
13 Privacy by Design and Data Protection Impact Assessment (DPIA)
We are required to implement ‘Privacy by Design’ measures when processing personal data by implementing appropriate technical and organisational measures (like pseudonymisation) in an effective manner, to ensure compliance with data privacy principles. We will assess what ‘Privacy by Design’ measures can be implemented on all programmes/systems/processes that process personal data by considering the following:
(a) the state of the art.
(b) the cost of implementation
(c) the nature, scope, context, and purposes of processing; and
(d) the risks of varying likelihood and severity for rights and freedoms of data subjects posed by the processing.
In addition, we will also conduct DPIAs with respect to high-risk processing. We will always conduct a DPIA (and discuss the findings with the DPO) when implementing major system or business change programmes involving the processing of personal data including:
(e) use of new technologies (programme memes, systems, or processes) or changing technologies (programmes, systems, or processes).
(f) automated processing including profiling and automated decision making.
(g) large scale processing of sensitive data; and
(h) large scale, systematic monitoring of a publicly accessible area.
(k) an assessment of the risk to individuals; and
(l) the risk mitigation measures in place and demonstration of compliance.
14 Training and Audit
It is our policy to ensure that all our staff have undergone adequate training to enable them to comply with data privacy laws. We regularly review all the systems and processes under our control to ensure that we comply with this Privacy Notice and check that adequate governance controls and resources are in place to ensure proper use and protection of personal data.
15 Minors
We do not knowingly (nor do we intend to) collect information from children, nor do we target children with our services.
16 How to Contact Us
JJ Data Ltd. is committed to safeguarding your privacy and our Data Protection Officer (DPO) is the main contact for anyone who wants to discuss matters covered under this policy or the law, including any person whose personal data we have come into contact with and used or stored, whether for our own purposes or on behalf of another company. If you make an enquiry or request about your data, we will first ask for confirmation of your identity, before we divulge any information. We reserve the right to make a small charge of £10.00 for each Subject Access Request that you make.
You can email: info@jjdataltd.com
Or write to:
JJ Data Ltd
3, Glan-y-Llyn
North Cornelly
CF33 4EF
17 Complaints
If you have any concerns about how your data is being processed by us or any of our third parties, please contact us in the first instance and we will attempt to resolve any issues. We are governed by the Office of the Information Commissioner (ICO) in the United Kingdom. In the event that you wish to make a complaint about how your personal data is being processed by us or any of our third parties, or how your complaint has been handled, you may contact the supervisory authority:
The Information Commissioners Office (The ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
18 Changes to this Privacy Policy
We reserve the right to make changes to this policy at any time, for any reason. However, we will review and update this policy periodically or from time to time in response to legal, technical or business developments. If material changes are made, they will be updated via the business website.