Website Privacy Statement
The Purpose of this privacy statement is to explain how VMit processes all personal data to fulfil its data protection responsibilities. This statement will be supplemented by ‘specific to client’ privacy notices when needed. Brief definitions of data protection, personal data and processing can be found at the end of this statement.
The scope of this statement covers all related activities by the staff of VMit trading as VMit Ltd, referred to as VMit for the remainder of this privacy statement.
The Role of VMit in data protection terms is that of a data controller where it determines the purpose and use of personal data collected. Once received it becomes the responsibility of the VMit privacy manager (PM) to ensure that it is processed in accordance with the latest UK and EU data protection legislation.
The PM can be contacted by email using firstname.lastname@example.org or by writing to the UK office at Suite 1, Wensum Mount Business Centre, Low Road, Hellesdon, Norwich, Norfolk, NR6 5AQ.
The sort of personal data processed by VMit is directly provided to us by the user, eg email address, name, work address and telephone number, and therefore has been provided by you with your consent. Normally you will only provide such details if you purchase services from us, or sign up to our free e-newsletter.
VMit’ duty of confidentiality means that VMit staff will treat client and employee data with due respect and in confidence. It is only disclosed to staff that need to know it. VMit uses reasonable organisational and technical measures to ensure personal data is kept secure.
VMit also expects the same duty of confidentiality of all third parties with whom it shares personal data, including contractors. Sharing is kept to a minimum and reviewed regularly.
VMit processes personal data against a lawful basis and such instances are described below:
- To respond to your general enquiries, we will use our legitimate interests;
- To comply with any legal obligation;
- When it is necessary for the performance of a contract and its prior preparation; and
- When processing a pre-defined purpose for which your consent has been sought and recorded prior to that processing commencing.
In all cases the processing of personal data by VMit shall be:
- Processed lawfully, fairly and transparently;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary (and no more);
- Accurate and, when necessary, updated;
- Kept for no longer than is necessary; and
- Processed in a manner that ensures appropriate security.
VMit will share personal data, but only when absolutely necessary, with some or all of the following third parties:
- Solicitors appointed by VMit;
- The Inland Revenue (HMRC);
- Contractors, but only on a strict need to know basis;
- Accountants appointed by VMit and only for accounting purposes; and
- Unspecified recipients but only when compelled to do so for legal reasons.
VMit will process your data in different places but mostly within the European Economic Area (EEA). First line personal data processing takes place in the UK, but it is backed up using reputable cloud service providers in the EEA. Email is processed using a reputable web-based provider and mobile phone contacts are stored on both office IT equipment and mobile phones. It should be noted that no personal data is stored on any of VMit’ website servers.
VMit safeguards all business and personal data in encrypted form, in so far that it is possible. Other than mobile phone contact data, all data in automated form is backed up with a cloud service provider certified to the ISO 27001 Information Security Management System (ISMS) standard.
VMit follows a retention schedule to determine the length of time it holds different types of personal data. The retention schedule is shown below:
- Routine correspondence for casual and contract related business in hard copy or in emails will be stored for 3 years;
- Contact data is stored indefinitely, whilst in regular use, unless a valid request to erasure is received from the interested data subject;
- Financial records and invoices, which may include personal data, will be retained for 6 years after the end of the current tax year of processing; and
- By exception, documentation that includes personal data may be retained by VMit beyond the schedule, but only for a specific purpose and only when VMit believes there is a legitimate interest or a legal obligation to do so.
At the end of the retention schedule VMit will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, it will put it beyond operational use. It should be noted that VMit allows up to 2 months after the retention schedule to complete the action.
- You can opt out of having your activity recorded by Google Analytics by installing the Google Analytics opt-out browser add-on.
- For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: http://www.google.com/intl/en/policies/privacy/
VMit websites may link to appropriate websites for our interest. If these are used, the visitor should be aware that the VMit has no responsibility for the control, content or handling of personal data by these other websites.
The General Data Protection Regulation defines the rights that you have (although these do not apply in all situations), For convenience, these rights are shown below:
- Right to be informed as to how your personal data is being processed by VMit– this is done through this statement or separate VMit privacy notices;
- Right to access your personal data held by VMit which is done by making a ‘Data Subject Access Request’ (DSAR) to the VMit privacy manager;
- Right to rectification of your personal data if you believe VMit has collected it incorrectly or it needs to be updated;
- Right to erasure of your personal data for which VMit no longer has a legitimate purpose to process;
- Right to restrict processing under certain circumstances, during which time your personal data but will be out of operational use until the related matter is resolved;
- Right to data portability of your personal data in a machine-readable version, as you have provided but only applicable to data provided with your consent or under contract;
- Right to object to VMit processing your personal data for which it does not have a legal or contractual obligation;
- Rights related to automated decision making and profiling (however VMit does not use these techniques in its decision making);
Further details on data subjects’ rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.
Raising concerns, exercising rights or making queries about VMit’ processing of personal data can be done by contacting the VMit privacy manager. Please be aware that VMit will need to determine your identity before responding fully, therefore, you may be asked for proof of ID or other material that, in context, will enable VMit to confirm your identity. Alternatively, you may wish to contact the ICO directly, using the details provided above.
What data protection, personal data and processing means
The term data protection, put simply, means the protection of personal data against misuse and abuse. Personal data means any information relating to an identified or identifiable natural person, also referred to as a ‘data subject’. Processing has a very wide interpretation and means any operation which is performed on personal data or on sets of personal data whether or not by automated means. This includes, inter alia, collection, recording, storage, adaptation, retrieval, actual use, dissemination or otherwise making available, restricting, erasure or destruction.