Exigia Ltd. takes the security and privacy of client data very seriously. After all, one of the main purposes of the Company is to provide our clients with advice, guidance and support for their own security and data protection regimes.
2. What is in this notice?
This is our privacy notice, which tells you:
· what personal data we might collect about you
· how we might use that personal data
· when we might use your details to contact you
· what personal data of yours we might share with others
· your rights about the personal data you give us
3. Who are we?
We are Exigia Ltd., a small consultancy company, based in the UK, specialising in providing a range of services for SME clients, which includes information governance compliance, cyber security compliance and web services.
In the main, our clients are UK organisations working in the health and social care sector as providers or suppliers, alongside the NHS. We also serve charities, local government organisations such as parish councils and small businesses generally.
4. What personal data do we collect?
The personal data we may collect about you will vary depending on how you interact and engage with us. It may include the following:
a. General identification and contact information
We may collect your name, address, phone number, email address, IP address, user name, password, age, gender, date of birth.
b. Financial information
We may collect your name, bank account and sort code, for example where you are a supplier we need to pay or a client we need to send a refund to.
d. Device information
We may collect some technical information from devices and applications you use when accessing our services (e.g. computers, mobiles, tablets, speakers, web browsers etc.). This might include IP addresses and device IDs. We will uniquely identify each instance of that use.
e. Marketing preferences
We may collect information if you access our services, such as how you use those services and the pages or articles you read.
f. Information if you communicate with us by mail, email, messaging, videoconferencing or our website
If you call, text, email or otherwise communicate with us, we may collect your name, location and a brief summary of your message or opinion. Please note this may include confidential information.
g. Location information
You may be asked for your address in order to offer you services and exchange information. We may also have information regarding your general geographic location based on your IP address.
h. Information on your activities outside if you submit a comment via a noticeboard, blog or other website facility
We will not normally collect any sensitive personal data from you (unless you provide it to us voluntarily), and will, in any event, ask for your express consent to hold this information if we need to do so.
Please do not submit such personal data or sensitive information if you do not wish us to collect it.
5. What information do we collect about you from other sources?
We may obtain additional information about you from trusted third parties and public sources.
6. How do we use your personal data?
We have to have a valid reason to use your personal data. This is called a “lawful basis for processing”. We process it on the following legal bases:
We use your personal data if we have your consent. We rely on consent for the following:
- to enable you to login to your account
- to tell you about products, events, services and promotions that we or our third party partners are offering
- to answer you when you have contacted us, or to respond to a comment or complaint
- for marketing purposes
- to send you notifications on your device if you have selected them
You have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.
b. The processing is necessary to fulfil a contract
We may process your data when we need to fulfil a contract with you.
c. Legitimate Interest
We process your data when it is in our legitimate interest to do this and when these interests are not overridden by your data protection rights.
Our legitimate interests include:
- to improve our content, products, services and customer experiences by monitoring your use of our services and working with our suppliers to improve the products and services we offer, develop new content and services
- to create profiles for targeted advertising and marketing opportunities
- to ensure the security and integrity of our services
- to ensure that our websites and apps operate effectively
- to protect clients and other individuals and maintain their safety, health and welfare
- for market research
- to deal with your requests, complaints and enquiries
We will use your information to deliver targeted advertising about our services to you when you visit our websites.
d. Necessary to comply with legal and regulatory obligations
We may process your personal data to comply with our legal and regulatory obligations e.g. preventing, investigating and detecting crime, fraud or anti-social behaviour and complying with law enforcement agencies.
7. Who else could have access to client personal data?
b. Our service providers (processors)
We may pass your personal data to our external third-party service providers who act either as our data processors or in exceptional cases as data controllers in their own right e.g. professional advisors.
Our providers may include:
- accountants, auditors, lawyers, other professional advisors,
- IT systems, support and hosting service providers
- printing, advertising, marketing, market research and analysis service providers
- website analytics, technical engineers, data storage and cloud providers and similar third party vendors and outsourced service providers that assist us in carrying out business activities.
These third parties (and any subcontractors they may be permitted to use) have agreed not to share, use or retain your personal data for any purpose other than as necessary for the provision of our services. For further information on our processors and sub-processors please refer to the list of Our Data Processors.
c. Government authorities and third parties
As required by law or regulation
d. Other third parties
8. Relating to children and minors
Our services are not directed towards individuals under the age of 18. We do not knowingly use or process the personal data of children under 13 years of age either directly or indirectly.
9. How long do we keep your information for?
We hold personal data for different purposes and the length of time we keep it will vary depending on the services or products we are providing. We will only keep your data for a reasonable period of time, which is based on the purpose for which we are using it. Once that purpose has been fulfilled, we will securely delete that data or anonymise it (so that neither we, nor anyone else, can tell that the data relates to you) unless we are required to retain the data longer for legal, tax or accounting reasons.
To determine the period we store personal data, we always stick to these principles:
- we design our services so that we do not hold your personal data longer than we need to or have to
- we think about what type of information it is, the amount collected, how sensitive or intrusive it might be and any legal requirements
10. International transfers of your personal data
Personal data which you supply to us is generally stored and kept inside the European Economic Area and nearly all within the United Kingdom.
However, due to the nature of our business and the technologies required, your personal data may be transferred to a third party service provider outside the EEA. These countries may not have the same data protection laws and may offer a lower level of protection.
If we need to transfer your personal data in this way we will take steps to ensure adequate privacy and security, including, where appropriate, data minimisation, anonymisation and pseudonymisation. We will undertake due diligence on the recipients and their country's privacy laws and place data recipients under contractual obligations to take care of your data, for example by using EU standard contractual clauses (SCCs) or their equivalent.
11. Your rights in relation to how we use your personal data
Data Protection laws give you certain rights in respect of your personal data. You have the following rights:
Right to rectification: The right to have your personal data corrected if it is inaccurate or incomplete. You can also manage some of this yourself if you have registered with us via our website.
Right of access: You have the right to obtain your personal data from us. This is referred to as a data subject access request.
Right to erasure (“right to be forgotten”): You have the right to be forgotten.
Right to portability: You have the right to move, copy or transfer certain personal data.
Right to restrict processing: You have the right to restrict the use of your personal data in certain circumstances.
Right to opt-out of automated individual decision-making (including “profiling”): You have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects you or produces legal effects.
See our separate Cookies Policy, which also contains some guidance on managing cookies.
13. What we will not do
For the avoidance of doubt
- We will not automatically log personal data nor link information automatically logged by other means with personal data about specific individuals
- We will not sell your personal data to anyone
- We will not share your personal data with anyone without your expressed permission unless permitted or required to do so by law
- We will co-operate with you to enable you to speedily exercise your rights over your personal data
14. Acting as your data processor
This notice applies to our processing of your personal data. We may also act on your behalf as a (data) processor or sub-processor of other personal data which you control. This notice does not apply to those activities, and you should refer instead to the relevant contract between us.
15. Contact us and complaints
The data controller responsible for your personal data is Exigia Ltd.
If you do not think we are handling your personal data adequately, you have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, is available at ico.org.uk.
16. Data Protection Act notification
In order to comply with current legislation, The Company maintains a Data Protection Act Registration No. ZA019088. Further information is available at the Information Commissioner's website - ico.org.uk
17. Changes to our privacy notice
This Privacy Notice will be amended from time to time if we make any important changes in the way that we collect, store and/or use personal data. We will notify you where required.
Last updated: 04 January 2021