21six Ltd (“We”) are committed to protecting and respecting your privacy.
Our registered company number is 08739174 and our registered company address is 21six Group, The Barn, Calcot Mount, Calcot Lane, Curdridge, Hampshire, SO32 2BN.
Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to firstname.lastname@example.org. If you wish to contact us by phone, the general number is +44 (0) 2380 62 0088.
For the purpose of Data Protection legislation, the Data Controller is 21six Ltd. The contact details for the Representative for data protection are Brian Penniall, +44 (0)2380 62 0088, email@example.com
Purpose of this Privacy Notice
This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. We keep certain basic information when you visit our website and recognise the importance of keeping that information secure and letting you know what we will do with it.
This policy only applies to our site. Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Information we may collect from you
In the context of GDPR, Personal Data means, ‘Any information relating to an identified or identifiable natural person, including by means of an identification number or one or more factors specific to an individual’s physical, physiological, mental, economic, cultural or social identity (including IP addresses and cookie strings).’
Sensitive Personal Data means data relating to more specific, personal data that should be treated with extra protection and care. This includes information such as: –
- genetic data
- biometric data
- data relating to racial or ethnic origins
- data relating to political opinions, religious or philosophical beliefs, trade-union membership data
- data concerning health
- data concerning a person’s sex life, sexual orientation
- criminal offence data
However, if we seek to collect sensitive personal data from you, we will seek your explicit consent first or in the course of collecting that data.
Sources of Personal Data
We may collect and process the following personal data about you: –
- Information that you provide by filling in forms on 21six.com. This includes information provided at the time of registering to use our site, subscribing to our service or requesting further services. We may also ask you for information when you report a problem with our site.
- If you contact us, we may keep a record of that correspondence.
- We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details of your visits to our site including, but not limited to, traffic data, location data, weblogs, operating system, browser usage, downloads and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
IP Addresses and Cookies
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual and we will not collect personal information in this way. However, where an IP address or cookie means that a user is identifiable, we will treat this as personal data and will secure it in the appropriate way.
We may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service. They enable us:
- To estimate our audience size and usage pattern
- To store information about your preferences, and so allow us to customise our site according to your individual interests
- To speed up your searches
- To recognise you when you return to our site
21six Limited uses the following cookies: –
- _gat_gtag_U# – Google Analytics used for performance
- _ga – Google Analytics used to distinguish unique users
- _gid – Google Analytics used to values to pages used
Purposes of Processing
Our legitimate interest for collecting and processing your information is in order to provide, understand, and improve our Services.
Our lawful basis for processing the data is that the processing is necessary for our legitimate business interests or the legitimate interests of a third party.
We use data held about you in the following ways: –
- To ensure that content from our site is presented in the most effective manner for you and for your computer
- To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes
- To carry out our obligations arising from any contracts entered into between you and us
- To allow you to participate in interactive features of our service, when you choose to do so
- To notify you about changes to our service
Storage and Transfer of Personal Data
We understand our obligation to ensure that appropriate technical and organisational measures are taken to prevent unauthorised or unlawful processing, loss, damage or destruction of personal data. Therefore, we will ensure that relevant personal data is in a secure location, only accessed by authorised individuals, only processed by authorised individuals and cannot be lost, damaged or destroyed.
We confirm that: –
- All information you provide to us is stored on our secure servers
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, in line with GDPR, as set out above.
We engage service providers to perform functions and provide services to us e.g. to help us understand and improve the use of our Services, such as Google Analytics. We may share your private personal information with such service providers subject to obligations consistent with this privacy notice and any other appropriate confidentiality and security measures, and on the condition that the third parties use your private personal data only on our behalf and in line with our instructions.
By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice, as outlined above. We understand that under the General Data Protection Regulation (GDPR) which applies from 25th May 2018, any organisations who process data for EU (“European Union”) data subjects have to act in accordance with the GDPR even if they are located outside of the EU. This means they have to secure, hold, process etc. data properly in line with the legislation.
Disclosure of your information
We may disclose your personal information to third parties: –
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction
- If you have been referred to us through one of our partnerships, we may provide our partners with statistical data about your usage
Retention Periods for Personal Data
We understand our obligation not to keep data for any longer than is necessary for the purpose it was obtained. We will keep the data referred to in this Privacy Notice for 12 months. After this we will securely destroy it.
Objections to Processing
You have the right to ask us not to process your personal data for marketing purposes. We will inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at firstname.lastname@example.org
Access to information, Withdrawal of Consent, Rectification of Data & Right of Erasure
You also have the right to:
- Access information held about you. Your right of access can be exercised by raising a ‘Subject Access Request’
- At any time, withdraw your consent to us holding data about you or to having information sent to you
- Request for your data to be rectified. Where you identify that your personal data is incorrect, or incomplete, you can request correction, deletion, or modification of your personal data
- Request that your data is erased in certain circumstances
If you wish to exercise any of the above rights, please send an email to email@example.com requesting this, and we will advise you accordingly. We will follow a reasonable process set out under GDPR including advising you of our decision, and any recourse you may have to complain.
Following a discovery of any data breach (when personal data allowing an individual to be identified is processed without authorisation, and which may result in its security being compromised), consideration will be made regarding whether the matter needs to be reported to the Information Commissioner’s Office (ICO) and whether individuals who are potentially affected need to be informed.
Right to Complain to Supervisory Authority
If you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority. The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights and you can find out further information about them by going to https://ico.org.uk/
Changes to our Privacy Notice
Any changes we may make to this document in the future will be posted on this page and, where appropriate, notified to you by e-mail. However, we advise that you check this page regularly to keep up to date with any necessary changes.
This notice was last updated on 24th May 2018.
The Company is committed to working in accordance with the General Data Protection Regulation and with the highest standards of ethical conduct.
This policy outlines the rules, behaviours and standards required of the organisation, employees, workers and third parties working on behalf of the Company in relation to the collection, retention, transfer, disclosure, use and destruction of any personal data. All workers will be responsible for data protection and must abide by the rules and policies of the Company.
Personal Data and Sensitive Personal Data
There are two types of personal data that fall under the GDPR and for which the Company, its employees, workers and third parties are responsible. These are:
- Personal Data
This is defined as any information relating to an identified or identifiable natural person. Identification can be by means of “an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” This will include IP addresses and cookie strings.
- Sensitive Personal Data
Sensitive personal data includes data relating to genetic and biometric data as well as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or a person’s sex life, sexual orientation or criminal offences.
Data Protection Principles
The Organisation is committed to adhering to the Data Protection Principles which state:
1. Data must be processed lawfully, fairly and in a transparent manner.
2. Data must be obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Data processed must be adequate, relevant and limited to what is necessary.
4. Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data that are inaccurate are erased or rectified without delay.
5. Data must not be kept for longer than is necessary for the purposes for which the data are processed.
6. Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
Information is kept and processed about individuals for legal purposes (such as for payroll), for administration purposes and for the purposes of day-to-day people-management. The Company is aware that in order to process personal data, or sensitive personal data, the Company must rely on the data being:
- necessary for the performance of a contract, or;
- in preparation for a contract, or;
- to comply with our legal obligations, or;
- for our legitimate business interests or;
- to perform a task carried out in the public interest or in the exercise of an official authority.
If the organisation wishes to hold and process data which does not fall within conditions listed above, then it will seek to obtain the consent of the individual.
If it is necessary to obtain consent then the Company will write to the individual to ask for consent, ensuring that the consent is:
- Freely given, specific, informed and unambiguous.
- Separate from other terms.
- Clear and in plain language.
- As easy to give as to withdraw.
- ‘Explicit’ for sensitive data.
- Given in a way that can be evidenced.
- Unless consent to processing data is critical to the performance of a contract, the performance of a contract will not be made conditional on the basis that consent is given.
- This policy applies to the processing of Personal Information by any employee and/or controllers or processors of 21six Limited.
- All Personal Information where 21six Limited is the Controller regardless of whether processed by 21six Limited or by a Processor engaged by 21six Limited;
- All Personal Information that 21six Limited is a Processor of on behalf of a Controller or other Processor;
- The details of any Processors used (where 21six Limited is the Controller) or direct Sub-Processors used (where 21six Limited is the Processor);
Rights of Data Subjects
The Company will recognise that individuals have the following rights under data protection legislation:
- the right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used;
- the right of access;
- the right to rectification of data that is inaccurate or incomplete;
- the right to be forgotten under certain circumstances;
- the right to block or suppress processing of personal data; and
- the new right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.
Right of Access
Individuals have the right to access the information stored about them. Employees can ask for access to their own personal details held electronically or held manually. Employees who wish to see their records should give notice electronically, in writing, addressed to the Group Operations Director at firstname.lastname@example.org. The Company has up to 1 month to provide the information following the subject access request, which it will usually do in electronic format.
In complex cases, or where there are numerous related requests, the Company will liaise with the individual to inform them of progress of their request(s), and if it is not possible to complete this within 1 month, the Company will inform the individual of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.
In the event that data is retained with third parties, the Company will ensure that the request is communicated and actioned by the third party in line with the timescales outlined above, unless impossible or if it would require disproportionate effort.
The Company reserves the right to charge a fee or to refuse to respond to a request if it is manifestly unfounded or excessive. Similarly, the Company reserves the right to withhold personal data if disclosing it would adversely affect the rights and freedoms of others.
Rectification of Data
The Company is committed to keeping data that is accurate and up to date. Data will be checked for accuracy where possible, and any data that is inaccurate, out of date or unnecessary will be corrected or erased as appropriate.
Where an individual identifies that their personal data is incorrect or incomplete, or where they are aware that their personal data has changed, they must inform the organisation as soon as possible. The organisation will then take steps to rectify any inaccuracies as soon as possible, and at the latest within 1 month.
In complex cases, or where there are numerous cases, the Company will liaise with the individual to inform them of progress of their request, and if it is not possible to complete this within 1 month, the Company will inform the individual of the delay and the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.
In the event that data has been disclosed to third parties, the Company will ensure that the request for rectification is communicated and actioned by the third party in line with the timescales outlined above, unless this is impossible or if it would involve disproportionate effort.
The Right to be Forgotten
Also known as ‘the right to erasure’, the right to be forgotten doesn’t provide an absolute right to be forgotten, but data subjects have a right to have personal data erased and to prevent processing in some circumstances i.e.
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed.
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
If you wish to ask for your own personal data to be partially/fully erased and no longer processed, please write to the Group Operations Director with full details of your request. The Company has up to 1 month to respond to you and either delete the data or explain why it is unable to comply with your request. Circumstances where the Company may be unable to comply include where it is required to retain the information by law, or if the data is needed in connection with legal proceedings.
In complex cases, or where there are numerous related requests, the Company will liaise with you to inform you of progress of the request, and if it is not possible to respond to this within 1 month, the Company will inform you of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months, if necessary.
In the event that data is retained with third parties, the Company will ensure that the request is communicated and if appropriate actioned by the third party in line with the timescales outlined above.
Security of Data
The Company is committed to taking steps to ensure that personal data is protected, and to prevent any unauthorised access, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of our security systems and by regular training and awareness raising.
Any data breaches or near misses will be managed according to the procedures documented in our Data Protection Breach Reporting Policy and Procedure.
The Company is committed to ensuring that subject data is kept for no longer than necessary and only kept as long as it’s relevant and necessary for legitimate purposes. As soon as data is no longer necessary for the purposes for which it was originally collected, it will be securely deleted, unless it is necessary to keep the data for some other legitimate reason.
The Company does not intentionally keep data longer than necessary and when data is no longer required, the Company is committed to securely deleting it as soon as possible.
For more information and our retention guidelines, please refer to our Data Retention Policy.
All staff are responsible for data protection and should be alert to any actual, suspected, threatened or potential data protection breaches. As soon as a data protection breach has been discovered, the member of staff should contact a member of the Board to facilitate the completion of a Data Protection Breach Reporting Form (to the fullest extent possible at that time), which provides full details concerning the breach. This form should then be passed to the Group Operations Director as soon as possible and within 24 hours of the discovery of the breach.
For more information regarding managing data protection breaches, please refer to the Data Protection Breach Reporting Policy and Procedure.
Transferring Personal Data to a Country Outside the EEA
For operational purposes the business may be required to transfer data to countries outside of the EEA where JellyFish is processing information on behalf of a controller.
On occasion you may wish to allow your data to be transferred to another Organisation either by you receiving the data and transferring it, or by the data being transferred directly.
This right to data portability only applies to data that you have provided to the Organisation, where the data processing is based either on your consent or the performance of the contract and where the processing is carried out by automated means, and it will only be transferred where it is technically feasible to do so.
If you wish to make a request for your data to be transferred, you must write to the Group Operations Director, who will respond to you within 1 month. If the requests are numerous or complex we reserve the right to extend this timescale by a further 2 months. If we are unable to complete your request, we will write to you to inform you why, along with your right to complain to the Information Commissioner’s Office (ICO).
Objections to Personal Data Processing
You have the right to object to data processing where the Organisation is:
- processing information based on its legitimate business interests, or the performance of a task in the public interest/exercise of official authority (including profiling)
- processing for the purposes of scientific/historical research and statistics.
If you wish to object to processing, you should write to the Group Operations Director outlining the grounds relating to your particular situation and we will stop the processing unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is in relation to legal claims. If we are unable to agree to your request, we will write to inform you why, along with your right to complain to the ICO.
Organisational Data Protection Measures
The Organisation is committed to ensuring the security of your data and to processing it in line with the Data Protection rules. As such, the organisation will:
- Ensure that all staff are aware of their responsibilities and the Organisation’s obligations and responsibilities in relation to data protection.
- Ensure that all staff and individuals/Organisations who handle data on behalf of the organisation are appropriately trained and receive refresher training on a regular basis.
- Ensure that all staff and individuals/Organisations who handle data on our behalf are regularly monitored, assessed and reviewed.
- Ensure that all Organisations who handle data on our behalf are carrying out data processing in line with the Data Protection rules.
- Regularly review the Organisation’s methods of data collection, handling, processing and storage.
- Continually promote a culture whereby data protection is adopted as an every-day work ethic, where the use of passwords, encryption, locked unattended monitors and mobile devices is regularly monitored, reviewed and continually upgraded.
Privacy Impact Assessments
As part of the Company’s ongoing commitment to ensuring maximum protection for personal data, the Company will undertake Privacy Impact Assessments where appropriate. Privacy Impact Assessments will help the Organisation consider the processing that is being undertaken, the risk to data subjects and most importantly the measures that need to be taken to minimise the risks. Privacy Impact Assessments will be overseen by the Group Operations Director and will be reviewed on a 3-yearly cycle, unless it is deemed that a more frequent review is necessary.
Responsibility for Data Protection
The Organisation has appointed the Group Operations Director to support the organisation with managing Data Protection and will work with the remaining Executive Board in this respect. Any queries or concerns can be addressed directly to the Group Operations Director.
We are committed to monitoring this policy and will update it as appropriate, on an annual basis or more frequently if necessary.
Any queries or concerns can be addressed directly to the Group Operations Director at email@example.com.