Elevations Exhibition and Design Limited
WHO WE ARE
Elevations Exhibition and Design Limited is a limited company, registered in England and Wales. Its registration number is 02005670 and its registered office is at Brooklands Gate, Sywell Airport Business Park, Wellingborough Road, Sywell, Northampton, England, NN6 0BN
The expression “we”, where used in this Policy, means Elevations Exhibition and Design Limited and the expressions “us” and “our” should be read accordingly.
We are committed to protecting and respecting the privacy of customers, suppliers, their employees and workers and other individuals with whom it communicates. For the purposes of the relevant data protection legislation, including the General Data Protection Regulation, the “data controller” is Elevations Exhibition and Design Limited.
PURPOSES FOR WHICH WE COLLECT INFORMATION
We shall only use personal data to the extent that the law allows us to do so. Most commonly, we will use personal data in the following circumstances:
1. To provide products and services to an individual or to the organisation by which the individual is employed or engaged, either at the individual’s or his or her organisation’s request or in order to fulfil an existing contract;
2. Where we need do so in order to comply with a legal or regulatory obligation; or
3. Where it is necessary to do so for our legitimate interests pursued by us or a third party and the interests and fundamental rights of the individual do not override those interests. “Legitimate Interest” means our interest in conducting and managing our business to enable us to give the best service or product and a secure experience, and the interest of our business generally. We ensure that we consider and balance any potential impact on individuals and their rights before we process their personal data for our legitimate interests. We do not use personal data for activities where our interests are overridden by the impact on the individual (unless we have the individual’s consent or are otherwise required or permitted to do so by law).
TYPES OF PERSONAL DATA WE COLLECT
“Personal data” means any information which identifies (or from which we can identify) a natural person, as opposed to a company or other organisation. We may collect, use, store and transfer the following different kinds of personal data about individuals:-
• “Identity Data”, which comprises an individual’s first name, last name and title;
• “Contact Data”, which comprises an individual’s address, email address and telephone number(s);
• “Financial Data”, which comprises an individual’s bank account or payment card details;
• “Transaction Data”, which comprises details about payments made by an individual to us or by us to an individual (if the individual is a sole trader) or the organisation by which the individual is employed or engaged, and details of services that the individual or organisation has purchased from us;
• “Technical Data”, which comprises an individual’s IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the device(s) used to access our website;
• “Usage Data”, which comprises information about how an individual uses our website, products or services; and
• “Marketing and Communications Data”, which comprises an individual’s preferences in receiving marketing from us or third parties on our behalf, and the individual’s communication preferences.
Special Categories of Personal Data
“Special Categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning an individual’s health or data concerning an individual’s sex life or sexual orientation.
The processing of Special Categories of personal data is prohibited except in certain limited circumstances. We do not collect or use Special Categories of personal data relating to individuals not employed by us.
Minimum Required Information
Where we need to collect personal data by law, or in order to provide products or services that we have agreed to provide to an individual or the individual’s organisation, and the individual fails to provide the minimum required data when requested, we may not be able to provide that advice or those services and may as a consequence have to cancel our agreement to provide the products or services in question. In that event we shall notify the individual or the organisation accordingly. For example, if the individual is a sole trader and has asked us to open a trading account, we may ask for details of trade references in order to assess the application and complete our identity, money laundering and credit checks before we are able to open an account for the individual.
HOW AND WHEN DO WE COLLECT PERSONAL DATA?
We may collect personal data on an individual in the following ways:
• Where the individual voluntarily provides it to us.
When an individual instructs us to provide products or services, agrees to receive communications from us, sends us an email, requests a price quotation or other information about us or the products or services that we provide, fills in forms on our website, completes one of our customer surveys or provides us with information about themselves when attending a seminar or other marketing event or communicates with us in any way, that individual is voluntarily giving us information that we collect. We also collect information given to us when we contact an individual for the purpose of providing products or services, providing a price proposal or other information or managing our business relationship with the individual or the individual’s organisation. That information may include an individual’s Identity Data, Contact Data, Financial Data, Transaction Data and Marketing or Communications Data.
• Information that we collect automatically.
• Telephone conversations
We record all telephone calls received out of office hours on our voice-mail system. This is done for security purposes, in particular in order to ensure the security and safety of our staff, and also for the purpose of keeping a record of the call for customer relationship management purposes. Through these calls we may collect primarily Identity Data, Contact Data, Transaction Data or Marketing and Communications Data.
• Information from other sources.
From time to time we may obtain information about an individual from third party sources, such as public databases (for example, Companies House), and other third party data providers. We take steps to ensure that such third parties are legally permitted or required to disclose such information to us. Examples of the information that we may receive from other sources include: demographic information, device information (such as IP addresses), location, and online behavioural data (such as, page view information and search results and links) from analytics providers and search engine providers (for example, Google based outside the EU). We use this information, alone or in combination with other information (including personal data) that we collect, to enhance our ability to provide relevant content to the individual and to develop and provide the individual or the organisation with other relevant products and services.
HOW WE USE PERSONAL DATA
We have set out below a description of all the ways in which we intend to use any personal data, and the legal bases on which we intend to rely on in order to do so. We have also identified what our Legitimate Interests are where appropriate. Further information about how we assess our Legitimate Interests against any potential impact on the individual in relation to specific activities can be obtained by contacting us at Katherine.email@example.com. We may use and disclose personal data for the following purposes:
a) Provision of products and services
In processing an individual’s order (or opening a trading account) whether placed for the individual’s account or on behalf of the individual’s organisation, we will use the individual’s Identity Data, Contact Data, Financial Data, Transaction Data and Marketing and Communications Data in order to provide the individual or organisation (as he case may be) with our products and services, which includes managing, processing and despatching orders as well as processing payments. We will also use this information to manage customer or credit accounts and to keep adequate records of the customer’s past purchases, as well as to contact the individual regarding orders placed.
b) To manage our relationship with customers
We may send to an individual technical information or information relating to the use or maintenance of products. This is necessary in order to enable the customer to use our products safely and effectively. We also keep records of conversations that we have had in the past in order to maintain and develop our relationship with the individual or organisation.
c) To manage our website
We may use the information that we collect in order to deliver relevant website content and to measure or understand the effectiveness of current content. We may also use data analytics to improve our website, products and services, customer relationships and experiences. This is in order for us to be able to study how clients use our products or services and develop them, to grow our business and to inform our business development strategy.
e) To administer and protect our business and this website
We may also use an individual’s persona data in order to protect our business and our website, and to help us to monitor or improve the advice or services that we offer. This includes troubleshooting, statistical and data analysis, testing, system maintenance, support, reporting and hosting of data. We also use personal data to improve our website so that content is presented in the most effective manner for individuals and their computers, and as part of our efforts to keep our site safe and secure. This is necessary for the running of our business, provision of administration and IT services, network security and prevention of fraud. We may also need to use personal data in the context of a business reorganisation or restructuring exercise.
f) Other purposes
We shall only ever use personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another lawful reason and that reason is compatible with the original purpose. If an individual requires an explanation of why we are using personal data or the legal basis on which we are using it, a request may be made by contacting us at Katherine.firstname.lastname@example.org or +44 (0) 1604 899848 Should we ever need to use personal data for an unrelated purpose, we shall notify the individual and shall explain the legal basis which allows us to do so. Please note that we may process personal data without the individual’s knowledge or consent where this is required or permitted by law.
WHEN MAY WE SHARE PERSONAL DATA?
We require all third parties to respect the security of personal data and to treat it in accordance with the law. We do not allow our third-party suppliers or service providers to use personal data of which we are the controller for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions. We shall not share personal data with any third parties for marketing purposes without the individual’s express consent. We may, however, share personal data with third parties in the following circumstances:
(a) Service Providers
We will share personal data with service providers where this is necessary in order to provide the individual or organisation with products or services that the individual or organisation has ordered. Examples of Service Providers include payment processors, hosting services, suppliers, sub-contractors and delivery services. We may also need to share personal data with third party software or IT support providers for the purpose of system administration, data security, data storage, back up, disaster recovery and IT support.
(b) To transfer information in the case of a sale, merger, consolidation, liquidation, reorganisation, or acquisition
(d) To protect the rights, property, or safety of our business and other customers
We reserve the right to disclose or share an individual’s personal data in order to comply with any legal or regulatory requirements, enforce our terms and conditions (or any other agreement we enter into with the individual or organisation), or to protect the rights, property, or safety of our business and other customers. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. We may also need to share information with HM Revenue & Customs, regulators and other authorities acting as processors based in the United Kingdom, who require reporting of processing activities in certain circumstances. We may also share an individual’s personal data with our professional advisers including lawyers, bankers, auditors, accountants and insurers based who provide legal, financial and banking, audit, insurance, accounting and consultancy services.
We may occasionally transfer personal data outside the European Economic Area (“the EEA”) in the ordinary course of our business, where it is within our Legitimate Interests or we are under a legal obligation to do so. In all such cases we shall ensure that an adequate degree of protection is afforded to such data by ensuring that at least one of the following safeguards is implemented:
• We will only transfer personal data to countries which the European Commission has decided provide an adequate level of protection for personal data. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
• Where we use certain Service Providers, we may use specific contracts approved by the European Commission which give personal data the same protection that it receives in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
• Where we use providers based in the US, we may transfer personal data to them if they are part of the Privacy Shield Network, which requires the provision of a level of protection acceptable to the European Commission of personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
WHERE WILL WE STORE PERSONAL DATA?
All personal data that provided to us is stored on our internal software and (in some instances) accounting software. We use our best endeavours to ensure that all personal data is treated securely and in accordance with this Policy and comply with the relevant data protection legislation within the United Kingdom. This includes examining the security procedures of our service providers.
We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify individuals affected and any applicable regulator of a breach where we are legally required to do so.
Please note that the transmission of information via the internet is not completely secure. Although we shall do our best to protect all personal data, we cannot guarantee the security of data transmitted to our site; any transmission is at the individual’s own risk. Once we have received an individual’s personal data, we shall use effective safeguarding procedures and security features to try to prevent any unauthorised access to it.
HOW LONG WILL WE RETAIN PERSONAL DATA?
We will only retain personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise an individual’s personal data (so that it can no longer be associated with the individual) for research or statistical purposes in which case we may use this information indefinitely without further notice.
In some circumstances an individual can ask us to delete his or her data: see the “Right to be Forgotten” section below for further information.
Under certain circumstances, an individual has the following rights:
- to request that we provide the individual with a copy of the personal data that we hold about him or her (“Access Request”);
- to request that we rectify any personal data that we hold about an individual (“Right to Rectification”);
- to request that we erase any personal data that we hold about an individual (“Right to be Forgotten”);
- to restrict the level of processing we carry out with an individual’s personal data (“Restriction of Processing”);
- to obtain from us all personal data that we hold about an individual in a structured, machine readable form, and have this information transmitted to another organisation (“Data Portability”);
- to object to our processing personal data in certain ways (“Right to Object”); and
- to withdraw consent at any time to our processing of his or her personal data.
Please see the relevant sections below for further details on an individual’s rights as a data subject.
Any of these rights may be exercised by contacting us at Katherine.email@example.com or +44 (0) 1604 899848. An individual also has the right to lodge a complaint with the Information Commissioner’s Office if unhappy in any way with how we have treated his or her personal information. We would, however, appreciate the opportunity to deal with an individual’s concerns before a complaint is made to the Information Commissioner’s Office, and would therefore ask individuals please to contact us in the first instance.
We shall comply with any request made under this section as soon as possible, and normally within one month from the date on which the request is received. However, if necessary, for example if the request is particularly complex or we receive a number of similar requests, we may extend this period by an additional two months, but we shall notify the individuals who have made if we need to do this.
Individuals will not usually have to pay a fee to access personal data (or to exercise any of their other rights). However, please note that where we receive requests under this section which are manifestly unfounded or excessive, for example because they are repetitive in nature, we may:
- charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or
- refuse to act on the request.
We may need to request specific information from an individual to help us confirm an individual’s identity and verify his or her right to access their personal data (or to exercise any other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact an individual to ask for further information in relation to the individual’s request in order to speed up our response.
An individual has the right to request a copy of the information that we hold about him or her at any time. This enables the individual to receive a copy of the personal data that we hold and to check that we are lawfully processing it. Please note that in most circumstances, we shall not make a charge for this. However, we may charge a reasonable fee based on administrative costs for any further copies requested.
Right to Rectification
An individual has the right at any time to ask us to rectify any personal data that we hold about him or her and which is incorrect or incomplete. This enables the individual to have corrected any incomplete or inaccurate data that we hold, though we may need to verify the accuracy of the any new data that the individual provides to us.
If we have disclosed any incorrect or incomplete data to any third parties, we shall inform them of any necessary amendments or corrections made to the personal data of the individual concerned.
Right to be Forgotten
An individual has the right at any time to ask us to erase the personal data that we hold about him or her if:
- it is no longer necessary for us to handle that personal data for the purpose for which it was originally collected;
- the individual has withdrawn consent for us to hold that personal data (where consent was the basis on which it was collected or used);
- the individual objects to the processing of the data and there is no lawful overriding reason for us to continue processing it;
- the personal data was unlawfully processed; or
- we have to erase the personal data in order to comply with a legal obligation.
Please note, however, that we may not always be able to comply with a request of erasure for specific legal reasons: in that event we shall inform the individual of those reasons at the time when erasure is requested.
Restriction of Processing
An individual may ask us to restrict how we use his or her data in the following circumstances:
- where the individual believes that the personal data we hold about him or her is inaccurate, he or she may ask that we refrain from using that data until we can verify the accuracy of it;
- where we have unlawfully processed personal data, the individual may ask that we restrict our usage of it rather than erase it completely; or
- where the individual has objected to our use of his or her personal data but we need to verify whether we have overriding legitimate grounds to use it.
Where we no longer need to hold personal data, the individual may nevertheless require us to retain it for the purpose of establishing, exercising or defending a legal claim; or
An individual has the right to obtain from us all personal data which he or she previously provided to us in a structured, commonly used and machine readable form, provided that such data was processed based on the individual’s consent, or for the purpose of a contract between us, and the processing was carried out by automated means. This right only applies to automated information for which the individual originally provided consent for us to use or where we used the information to perform a contract with the individual personally.
This will allow an individual to move, copy or transfer personal data easily from one IT environment to another (for example, if the individual wishes to change legal advisers). Alternatively, we can transmit such data directly to another organisation.
Please note that we shall not be able to comply with a data portability request if this will affect the rights and freedoms of others.
Right to Object
An individual has the right to object, on grounds relating to his or her particular situation, to our processing of his or her personal data where we are doing this for the performance of a task carried out in the public interest (about which we shall have advised the individual, if applicable), or where we are carrying out processing for the purposes of legitimate interests pursued by us.
An individual also has the right at any time to ask us not to process his or her personal data for direct marketing or profiling purposes (to the extent that such profiling is related to such direct marketing). We shall have informed the individual prior to obtaining his or her personal data whether we intend to process that personal data for this purpose, or if we intend to disclose it to any third party for such purposes.
If we process personal data for automatic decision making or profiling purposes (i.e. to analyse or predict an individual’s personal preferences or transaction history, and such profiling is automated) we shall inform the individual in advance, and will only do this where this is a necessary condition of entering into a contract between the individual and us, or where the individual has given us explicit consent to do so.
Right to Withdraw Consent
Where an individual has given consent to the processing by us of any personal data, he or she has the right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing carried out before consent is withdrawn. If an individual withdraws consent, we may no longer be able to provide legal advice or services to the individual or to the individual’s organisation. We shall advise the individual (and, if applicable, may inform other individuals in the same organisation) if this is the case at the time when consent is withdrawn.
In addition to any other way in which we make available to individuals the ability to withdraw consent to the processing of personal data, an individual may also withdraw consent at any time by contacting us at Katherine.firstname.lastname@example.org