General Data Protection Regulation (GDPR) General Principles
Lawfulness, Fairness and Transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose Limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
Storage Limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Confidentiality and Security: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability: The controller shall be responsible for and be able to demonstrate compliance with the GDPR.
Blue Solutions Limited adopts a risk-based approach to GDPR (effective from 25 May 2018). The following sets out how we interpret and endeavour to comply with the above general principles and how they apply to our business and relationships with customers, suppliers, employees and other third parties.
Lawfulness, Fairness and Transparency
We will only request personal data that is specifically required to process an account or credit application, support request, enquiry, quote, order, renewal, return or for HR purposes. On request, our staff will endeavour to explain why personal data is being collected and how it will be used, but if you are dissatisfied with the explanation or seek further clarification, requests must be made to firstname.lastname@example.org. We aim to respond to emails sent to this email address within seven working days.
Purpose Limitation
We will only use personal data collected for legitimate business purposes. This may include marketing of products and services that we sell and believe may be of interest to you. If you do not wish to receive marketing emails from us, you must use the unsubscribe link at the foot of any such email. If you do not wish to receive other forms of marketing from us, you must email email@example.com. We aim to respond to emails sent to this email address within seven working days. We will never use personal data to engage in marketing activity directly with an end-user (our customer’s customer). We will only ever use personal data to contact an end-user for legitimate business purposes and with the explicit consent of our customer. We will never sell or give away personal data to any third party for the purposes of marketing. Any personal data provided to any third party will only be for the purposes of processing an account or credit application, support request, enquiry, quote, order, renewal, return or for HR purposes. The only exception to this would be where personal data is required or formally requested by the authorities (for example, HMRC or the Police).
Data Minimisation
We will not request any more information than is strictly necessary for the relevant purpose at the time of the request. In most instances this will be information requested from us by a third party (for example, from our credit insurers to process a credit application or from a software vendor to process a license renewal).
Accuracy
We will use best endeavours to ensure that personal data is accurate. Where necessary (for example, when requesting a credit account or processing a license renewal) and from time to time, we may make enquiries to ensure that the personal data we hold is accurate and up to date.
Storage Limitation
We will ensure that personal data is only stored electronically to minimise replication and assist data management. Where there is no alternative but to write down or print out personal data, this will be shredded as soon as practical following use or transfer to electronic media. Staff are forbidden to remove personal data from our offices in any format without the explicit permission of a director. Only IT staff and directors are permitted to use external storage devices. We will regularly review the personal data we hold and delete it where we believe there is no legitimate business purpose to retain it. The duration for which we retain personal data will vary depending on the type of data and the reason it was collected. In some instances, personal data may be retained on a long-term basis (for example, if you subscribe for services, personal data may be retained for as long as you receive those services, and personal data that we need to retain for legal purposes will be retained for at least six years in accordance with best practice and regulatory requirements).
Confidentiality and Security
We will employ best practice to ensure that personal data stored electronically is secure, and this will be reviewed regularly. Our servers are located in a locked, dedicated server room, accessible only by IT staff and directors. They are protected from malware, ransomware and other malicious attacks by market-leading cyber-security software. Data on our servers is backed up and replicated offsite to secure UK datacentres. Personal data may also be stored in third-party cloud services (for example, Microsoft Office 365).
Accountability
We will take our responsibilities seriously and use best endeavours to ensure ongoing compliance with the general principles of GDPR, giving due consideration to the nature of our business and of the personal data we obtain and hold.
If you wish to enquire as to what personal data we hold, to request a copy, or removal from our systems, requests must be made to firstname.lastname@example.org. We aim to respond to emails sent to this email address within seven working days.