Julia Franckh Consulting Ltd (JFC) is committed to protecting the privacy of everyone who shares their personal information with Julia Franckh or the Limited Company.
Scope of this policy.
What data is processed.
Data that is not processed.
Lawful basis and purpose of processing.
Sharing of personal data.
Safeguarding of personal information.
How long we keep personal data.
Data subject legal rights.
Right to access information.
Process for responding to data subject requests.
Data stored outside the European Economic Area (EEA).
Scope of this policy
JFC takes full responsibility for the personal information it processes. Privacy will be protected, and personal information never disclosed, except with explicit consent, where it is necessary for the legitimate interests of the business (and this has been communicated clearly to the data subject), or where this is required by law. JFC will only use personal data for the purpose for which it was disclosed, and will securely delete or destroy it once it is no longer required.
What data is processed
Personal data means any information capable of identifying an individual. It does not include anonymised data. In the course of carrying out its business, JFC processes the following personal data:
- Names, email addresses, mobile numbers and billing address from clients and prospective clients
- Personal information from clients in support of design and development of deliverables
- Name and email address for newsletter subscribers
Data that is not processed
- Visitors to the website may make use of social media platforms to follow JFC’s pages or post their own images or information. These include Instagram, Twitter and Facebook. JFC has no access to content posted in this way on third-party platforms.
Lawful basis and purpose of processing
Sharing of personal data
Some ‘sharing’ is inherent in the processing of data, for example: emails sent to JFC will be processed by Google as the email provider.
JFC uses a cloud hosted provider (Dropbox) to store all records of the business. A contract is in place to protect the security of data held in this way, and appropriate security measures are employed.
JFC makes use of a mailing list held on MailChimp. Consent to go onto the list is sought from subscribers at the point they sign up to receive mailings from JFC, which is confirmed via a link sent to the subscriber via email. Subscribers may opt out of mailings at any time, by clicking the link at the bottom of each mailing, or contacting JFC directly via email. MailChimp has agreed with JFC a data processing contract to protect the security of data processed.
Professional advisors may have access to JFC’s data in the course of performing their duties (these may include lawyers, auditors, insurers, bankers, accountants).
HMRC, regulators and other authorities may require reporting of processing activities in certain circumstances, and HMRC may audit JFC’s financial books and records.
Other than described above, personal data would only be shared with a third party with the explicit consent of the individual concerned or, exceptionally, where there is a legal obligation to share the information, for example if there is a court order for its disclosure. In this situation, JFC would notify the individual that their information is to be shared, unless this notification is prohibited by law.
All third parties processing data for JFC are required to respect the security of personal data shared with them, and treat it in accordance with the law. Contracts are in place with all processors which protect the security of data and require them only to process personal data for specific purposes and in accordance with JFC’s instructions.
Safeguarding of personal information
JFC has taken suitable measures to safeguard and secure data collected. These are compliant with the General Data Protection Regulation (GDPR).
In the unlikely event that personal information is compromised, data subjects will be informed as required in the GDPR.
How long we keep personal data
JFC will only retain personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. In deciding how long to keep data, JFC considered:
- The amount, nature, and sensitivity of the personal data
- The potential risk of harm from unauthorised use or disclosure of personal data
- The purposes for which JFC processes the personal data and whether it is possible to achieve those purposes through other means
- The applicable legal requirements
Description of data
Data subject legal rights
Under certain circumstances, individuals have rights under data protection laws. These include the right to:
- Request access to their personal data
- Request correction of their personal data
- Request erasure of their personal data
- Object to processing of their personal data
- Request restriction of processing of their personal data
- Request transfer of their personal data (where it has been processed using automated means, which does not apply to JFC)
- Withdraw consent for processing
These rights are set out fully here. Data subjects always have the right to complain to the Information Commissioner’s Office.
Right to access information
Individuals have the right to access any personal data that relates to them which JFC holds, and to be given the following information:
- The reason why the data is held
- The source of the data (if not directly from the individual themselves)
- Whether it has been disclosed to anyone else, and if so, who
- How long it will be stored
- The right to request that the data be updated, or deleted, or processing restricted in any way
- The right to lodge a complaint with the Information Commissioner’s Office
- Whether any automated decision-making was used to process the data
This is called a ‘subject access request’. The process is set out below.
Process for responding to data subject requests
Any data subject requests received will be recorded. The individual making the request will be contacted and their identity confirmed, if necessary by a telephone conversation, or by being asked to supply written evidence of their identity.
Subject access requests
There will be a full review of all data held by JFC to collate any personal data relating to the data subject. JFC will make an assessment of whether it can be immediately disclosed, or whether disclosure may adversely affect the rights and freedoms of another individual. Information about a third party will not be disclosed, and this will be edited out of documents.
Nothing will be disclosed that might prejudice a legal investigation, or where disclosure would breach some other legal duty. Specialist advice will be sought if there is any concern about whether disclosure should not be made.
The general rule is that material should be disclosed within 30 days of the request being made, although if it will take longer to prepare the disclosure then the subject must be contacted within 30 days, and informed of the delay and likely timescale for disclosure. Disclosure must be made within 90 days of the request.
If no information is held about the data subject then they will be informed.
If information is held but no disclosure is made then the data subject will be informed that no action will be taken on their request, and that they have the right to complain to the ICO.
A brief description of the disclosure will be recorded, together with the timing of any disclosure, and any non-disclosed material, with reasons given for non-disclosure.
Exercising the other data subject rights (erasure, correction etc)
JFC will consider the request, and what action should be taken in response. The data subject will be given information about the action that will be taken, or will be told that no action will be taken.
A response will usually be sent to the data subject within 30 days of the request being made, although if it will take longer to decide what action to take then the subject will be contacted within 30 days, and informed of the delay and likely timescale for a response. Information must be supplied within 90 days of the request.
If no action is taken, or the action is not satisfactory, the data subject has the right to complain to the Information Commissioner’s Office.
Data stored outside the European Economic Area (EEA)
Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.
JFC makes use of third-party service providers that are based in the United States, so their processing of personal data will involve a transfer of data outside the EEA. In order to protect data subjects, such transfers only take place with providers who have signed up to the EU-US Privacy Shield. These are:
- Google (provides Gmail and Google Analytics) certificate here
- Squarespace (website platform) certificate here
- Dropbox (cloud hosting of documents) certificate here
- GoDaddy (website hosting) certificate here
- Mailchimp (newsletter / campaigns service) certificate here
There is information about the Shield here.
This policy was drafted on 20th May 2018 and approved by the Director for JFC Consulting Ltd on 24th May 2018.