Our use of your Personal Information: Phillpotts Dowding Limited (Company Registration No: 09088379) has its registered office at 16 Berkeley Street, Mayfair, London W1J 8DZ.
GDPR (General Data Protection Regulation)
Data Protection Act 1998:
Under the current Data Protection Act 1998, and indeed the Information Commissioner’s Office Privacy Notices Code of Practice, privacy notices should appear at any collection point where personal data is being collected from a Data Subject, especially if it is being collected for a new purpose. In that notice Data Controllers should (at the very least) include the following:
● The identity of the Organisation in control of the processing;
● The purpose, or purposes, for which the information will be processed;
● Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be ‘fair’ (in accordance with the 1st Principle).
The requirements also state that this information must be clear and in ‘plain English’, and that your purposes cannot be too vague. The more vague the purpose, the less likely it is to support a valid consent (or indeed a valid notification if you are not relying on consent).
While privacy notices vary, most of them aren’t much longer than your average paragraph (the paragraph I’ve just written, for example), and that, providing it’s clear, concise and meets your legal grounds for processing, is generally how privacy notices work under the Data Protection Act 1998. Further information on a Controller’s processing is then often set out in Terms and Conditions, either in the contract paperwork or online.
The New World:
The GDPR builds on the current expectations around privacy notices but expands on the requirements based on the widened first principle which now specifically requires controllers to be transparent with their processing.
Article 13 Paragraph 1 (a-f) of the GDPR outlines that the following information should be provided to the data subject at the point of data collection:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
Depending on what processing is going on, Article 13 Paragraph 2 (a-f) states that controllers will also need to provide some of the following:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Now if you are engaging in some quite complicated processing, as in the insurance industry for example, your new notices under GDPR are going to need to strike a balance between giving ‘too much information’ and being so simple and high-level that they don’t actually meet your transparency requirements to demonstrate effective notice or consent.
Article 13 Paragraph 3 also outlines that should a controller seek to process personal data for purposes different from those for which it was collected, the controller shall provide the subject (prior to that processing commencing) with information on that purpose and any other relevant information from paragraph 2.
I’ve attempted to ‘mock up’ what one of these new notices could look like. Now, this is very much an imaginary one, but if we assume that a controller is processing Personal Data for complex purposes, their notice may look something like this:
This example is working on the assumption of a simple data processing arrangement. The more complex your data processing, the more complex that notice and consent capture will need to be. But it must be comprehensible to the average consumer and cannot be a work of ‘legalese brilliance’ that makes no sense to those not trained in law.
I suspect that notices will allow ‘outlines of categories’ of types of processing and third parties; however, we shall see how big these categories can be. After all, the bigger the ‘bucket’, the less you are actually giving a robust ‘informed’ notice to a data subject.
In addition to all of this, Article 14 states that should you obtain Personal Data by a means other than directly from the Data Subject themselves, you also need to provide a notification to them (with some exceptions):
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
The requirement is to provide them with very similar information to that which you would provide if you had collected the data directly. How you do this will be a matter of some discussion to come, but excluding the reasons outlined in Article 14 (5) (a – d), if you aren’t collecting directly you will now need to take steps to advise and ‘notify’ the Data Subject of what you are up to.
You can disable and delete cookies by changing the appropriate setting within your browser’s ‘Help’, ‘Tools’ or ‘Settings’ menu. Please note that by disabling cookies you may not benefit from some of the features of our site. You can find out more about deleting or controlling cookies by visiting aboutcookies.org.
You can opt out of Google’s cookies by visiting Google’s Ads Settings. Alternatively, you can opt out of cookies by visiting the Network Advertising Initiative opt-out page.
We will only collect personal information about you if you send us an email enquiry via the ‘contact us’ facility or you register to receive our newsletter by email. In order for this to happen, you will need to fill out the online ‘contact us’ form or complete the registration details. The type of information being collected for an enquiry will be apparent from the layout of the ‘contact us’ form, which also tells you how this information will be used. The type of information collected to register to receive the newsletter by email will be apparent from the details requested when you register. The information collected when you register will only be used to email you our newsletter and for no other reason.
We take all reasonable precautions to protect our visitors’ information, both online and offline. If your personal information changes, please let us know and we will correct, update or remove any information that we hold about you on our active databases. We may, however, need to retain archive copies of that personal information for legal or audit purposes. If you have any queries regarding the way in which Phillpotts Dowding Limited handles data collected from you on this website, please visit the contact us page.
When might we disclose your Personal Information to others?
Please be assured that except for the reasons listed below, we will not disclose your Personal Information to others.
We may disclose your Personal Information to others in the following circumstances and/or for the following purposes:
● Where it is necessary for the provision of information or services to you
● Where we are required to do so by the courts or to comply with other legal, statutory and/or regulatory obligations including accounting and taxation requirements
● To prevent and/or detect crime
● Where we believe that you may be interested in the services offered by other organisations including our group companies. Please contact us if you would like details about these companies. If you do not wish to receive direct marketing from us, please write to us at Phillpotts Dowding Limited, 16 Berkeley Street, Mayfair, London, W1J 8DZ.
● For credit reference purposes
Personal information collected from you so that you may receive our newsletter by email will only be disclosed to third parties who process this information on our behalf for administrative purposes; where we are required to do so by the courts or to comply with other legal, statutory and/or regulatory obligations including accounting and taxation requirements and to prevent and/or detect crime.
Please note that if you communicate with us electronically, including by e-mail, telephone or fax, this communication may be randomly monitored and/or recorded to protect the interests of our business and our customers. This includes the purposes of maintaining customer/service quality standards, the detection and/or prevention of crime, and Phillpotts Dowding Limited policies and procedures (including our customer relations practices).
Requests for access to Personal Information
We are happy to provide you with details of the Personal Information which we process about you. To protect our customers’ personal information, we follow strict storage and disclosure procedures, which mean that we will require proof of identity from you prior to disclosing such information. We may charge a small administration fee in relation to any requests for access to personal information.
Please help us to keep your Personal Information current and accurate by contacting us if your Personal Information is or becomes inaccurate and/or out-of-date.
As you may be aware, no data transmission over the internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect your Personal Information, we cannot guarantee the security of your Personal Information and the use of our Site (including the e-mail facilities) is at your own risk.
Last updated: March 2018