GDPR Articles 13 and 14
DATA COLLECTED FROM DATA SUBJECT (GDPR ARTICLES 13 AND 14):
The information shown below does not apply to Tillr Technology employees who are subject to other, conflicting legislation, such as that covering UK employment and tax.
GDPR, Article 13, Para. 1(a)
The Controller: The contact details of the person who decides how and why your personal data is used (the ‘Controller’) are: Paul Romer-Ormiston, WeWork Moorgate, 1 Fore St Ave, London, EC2Y 9DT, United Kingdom; +44 (0)20 7993 5858; email@example.com
GDPR, Article 13, Para. 1(b)
The Data Protection Officer: The contact details of the person responsible for ensuring that Tillr Technology understand how to provide adequate protection over your personal data is Paul Romer-Ormiston. Address, email and telephone number are the same as for the ‘Controller’, above.
GDPR, Article 13, Para. 1(c)
Processing Purpose and Legal Basis: Your personal data was provided to Tillr Technology, by yourself, for the purpose of learning more about our products and services. The reason we are legally able to use your personal data is that you gave us your consent for this sole purpose.
GDPR, Article 13, Para. 1(d)
Legitimate Interests of the Controller: After a Right to Erasure instruction, Tillr Technology will retain your basic identity in the event that you tell us you no longer wish to be contacted (your Right to Erasure), so that we know not to contact you in future should your identity find its way back onto our contacts database from another legally compliant source. If you do not wish us to retain this basic identity for this ‘Legitimate Interest’ purpose, please contact our Controller (contact details above) to instruct us to carry out a full deletion.
GDPR, Article 14, Para. 1(d)
Categories of personal data: The only category of personal data stored about you is your ‘Personally Identifiable Information’ (sometimes referred to as PII) – generally speaking, this means your name or online identifier and your contact details.
GDPR, Article 13, Para. 1(e)
Categories of recipients: Representatives of potential business-to-business customers. This personal data is gathered specifically for identifying any business that may be interested in our products and services (direct marketing to businesses).
GDPR, Article 13, Para. 1(f)
Transfer of your personal data to non-EU countries: Tillr Technology do not transfer your personal data outside of the EU. Your personal data, whilst under our care, shall be fully protected by the requirements of GDPR.
GDPR, Article 13, Para. 2(a)
Personal Data storage period: Your personal data shall be stored until you inform us that you no longer have an interest in our products and services, in which case your personal data shall be blocked from further use within one calendar month, or erased, if you have notified us that you wish your personal data to be erased. Where we have not heard from you or your employer for a period of up to 6 months, we shall assume you are not interested in our products or services, and block your personal data from further use until such time as you notify us otherwise.
GDPR, Article 13, Para. 2(b)
Your rights: Your rights with regard to your personal data are listed below:
(i) View/correct: You have the right to request from our Controller – see 1(a) above – a copy of the personal data we store about you, as well as the right to have your personal data corrected where it is wrong or has changed.
(ii) Block/Erase: If you do not wish to be contacted again, you can request us to (1) block your data from future use, or (2) erase your data entirely. Our default is blocking from future use, as this ensures we will not accidentally contact you again if your name somehow appears on our list of direct business contacts. If you ask us to erase your data, we will totally erase all records we have about you from all of our systems, backups and archives, including paper copies. There is therefore a possibility that we may obtain your personal details from another source in future and try to contact you again, in error, so we recommend blocking instead of total erasure. You also have the right to request that we restrict the use to which we put your personal data – for instance, you may want us to contact you solely about the product or service you have expressed an interest in, and not about any other or future products or services in a similar interest area that we may think of interest to you.
(iii) Objection: You have the right to object to our processing of your personal data, in which case we will review the personal data we store about you and the processing that was carried out on it, and we shall aim to resolve your objection to mutual satisfaction as a priority.
(iv) Data Portability: You have the right, under ‘data portability’ rules, to ask us for an electronic copy of any personal data we obtained from you.
GDPR, Article 13, Para. 2(c)
Withdrawal of consent: Where you have given us your consent to process your personal data, you may withdraw this consent at any time, verbally or in writing. We prefer in writing, for our records. When you withdraw your consent, we shall not use your personal data again without you providing your consent to do so. Withdrawal of your consent does not affect the legality of our processing of your consented personal data in the past.
GDPR, Article 13, Para. 2(d)
Right to complain: If, at any time, you are unhappy with the way we have processed your personal data, please feel free to contact us and we will do our best to make things right. You also have the right to raise a complaint with the UK Supervisory Authority. At the time of writing (2017), the UK Supervisory Authority is the Information Commissioner’s Office.
GDPR, Article 13, Para. 2(e)
Statutory or contractual requirement: Your personal data is not required for any statutory or contractual requirement.
GDPR, Article 14, Para. 2(f)
Source from which we obtained your personal data: Your personal data was obtained from a direct communication from you, as a request for information about our products and services. We do not use purchased marketing lists, and our online tracking technology is only used to identify interest from the company that you work for, not you as an individual – i.e. a business-to-business marketing lead.
GDPR, Article 13, Para. 2(f)
Automated individual decision-making, including profiling: Tillr Technology do not carry out any form of automated individual decision-making about you (“making a decision solely by automated means without any human involvement”). Also, Tillr Technology do not carry out any form of profiling about you (“automated processing of personal data to evaluate certain things about an individual”).
GDPR, Article 14, Para. 3
GDPR, Article 13, Para. 3
Further processing. Tillr Technology shall not further process any of your personal data, outside of the purpose for which it was provided.
GDPR, Article 13, Para. 4
GDPR Preamble (39), GDPR Categories of Personal Data, and Preamble (75)
The risks to you if your personal data is stolen (breached) from our ultra-secure servers: The risks associated with sharing the Personally Identifiable Information (PII) that we hold about you (in the unlikely event that your personal data were stolen from our ultra-secure servers) are listed below. Note that the probabilities stated are generalised; you should always consider your own circumstances in relation to the risks stated, as there are always circumstances that would put your personal risk outside the ones generalised below. Also, consider whether the Personally Identifiable Information we store about you is already freely available on the internet, for instance on business social media such as your LinkedIn pages, and hence whether the breach of this personal data from Tillr Technology has added any personal risk to you.
Illegal direct marketing. Probability: High.
The thieves could use your personally identifiable information (PII) to carry out direct marketing to you, and (being criminals) they probably won’t stop if you ask them to. We recommend you change any leaked details where feasible, such as your email address, any online account user IDs, social media account IDs, etc.
Financial gain/fraud/identity theft. Probability: Medium.
Knowing who you are and how to contact you could expose you to emails containing fake internet links, sent by criminals pretending to be your bank in order to steal your bank login details. Or they could apply for a credit card in your name. Whilst your natural caution against such suspicious emails may protect you, the leaking of your PII to criminals is, of course, not desirable. Again, we recommend that you change your email address or implement a white-list filter on your incoming emails, and remain extra vigilant for at least 12 months.
Terrorism. Probability: Very Low to Low.
A risk of terrorism directed towards you would be unlikely to apply unless other categories of personal data also leaked, perhaps affiliating you with radical beliefs or identifying you as having extreme wealth. Unless you are already famous, the leakage of your PII is unlikely to result in terrorism. If you have any concerns over this risk, we recommend you discuss them at your earliest opportunity with the Police.
Industrial espionage. Probability: Low to Medium (see wording below).
Industrial espionage is where a competitor of your employer tries to gain access to your employer’s company secrets. This could be achieved by the criminal pretending to be you. This risk is more likely where you are a key member of staff for your employer, who has access to valuable trade secrets, and where your role in your employer’s organisation is known outside of the company. If you believe that this risk applies to you, then we would advise that you discuss this with your employer’s physical and IT security team(s).