Privacy Notice Overview
Coast Technology Limited (“we” or “us”) is committed to data protection and data privacy. With the enforcement of the General Data Protection Regulation (GDPR) commencing 25th May 2018, we have undertaken a readiness assessment/program for GDPR, taking the entire business, they way we handle data and the way in which we use it to provide our services and manage business operations into review.
- How we use your information
This privacy notice tells you what to expect when Coast Technology Limited collects personal information. It applies to information we collect about:
- visitors to our website;
- customers (including prospects) who use (or contemplate using) out products and services, including those who subscribe to our marking information, newsletters or request a publication from us (electronic and physical distribution);
- complainants and other individuals in relation to a data protection complaint or enquiry;
- job applicants, current, and former employees
- Website Visitors
When someone visits www.coasttechnology.co.uk or www.morpethcomputers.co.uk we use Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
We may also deploy third party marketing services which source business data of our visitors – e.g. business name, financial details, business telephone number etc, which is not restricted activity under GDPR. Where we obtain and process personal data – e.g. names and email address of key decision makers, and stakeholders, this activity is compliant under GDPR because we rely on the provision for your legitimate interest in our products or services from the pro-active visit by your organisation which your data subject is employed. In summary, we are only interested in business and individual identity due to what we perceive to be a legitimate interest in what you’re offering. If this isn’t the case, it is your responsibility to inform us accordingly.
We use a third-party provider, Mailchimp, to deliver our marketing material, including e-newsletters. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and make improvements. For more information, please see Mailchimp’s privacy notice.
2.3 Security and performance
Coast Technology Limited uses a third party service to help maintain the security and performance of the its website. To deliver this service it processes the IP addresses of visitors to the website.
- People who contact us via social media
- People who call our offices
When you call us, we collect Calling Line Identification (CLI) information and record all inbound calls. We use this information to help improve our efficiency and effectiveness, and also to aid in dispute resolution.
Call recordings and CLI information are held in the Google Cloud system.
Call recordings are held for 90 days, and then deleted.
- People who email us
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
- Current Customers, Previous Customers, Prospects, and Suppliers
Current customers, previous customers, prospects, and suppliers fall under the GDPR section of lawful basis for processing.
We will process data for all instances listed, this will generally be data regarding the company it’s requirements and the contact details of the person requesting the services.
We will lawfully process the data of any person working for/on behalf of the company they work for in order to carry out the obligations of the contract between us and the company they work for. In order to comply with the contract, we may process any of the following information:
- Full Name – Used to identify the subject within the company
- Email Address – In order to communicate with the subject, for:
- Support Requests
- Invoicing/Account Queries
- Project Implementation
- Access Requests
- Mobile Number
- Direct Dial Number
- Business Address
6.1 Where the data subject’s information may be processed
We use a range of third party systems to manage the processes within our company, these systems can store and process the information which is listed above.
Where a third-party system is in use they are the Data Processor and we remain the Data Controller. Data will be processed outside of the European Economic Area only when the third-parties (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with the Processor; or (iii) have other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.
Currently we the following third parties as Data Processors and further information regarding them can be found in their specific Privacy Notice, Data Processing Agreement, and Terms:
- Xero – Cloud based accountancy software (xero.com)
- GoCardless – Cloud based Direct Debit management (gocardless.com)
- Directli – Cloud based Direct Debit management (directli.co.uk)
- Quotient – Cloud based quoting system (quotientapp.com)
- Capsule CRM – Cloud based CRM system (capsulecrm.com)
All other systems that we use to process data are based in our premises and are secured according to Cyber Essentials and IASME standard.
Coast Technology holds Cyber Essentials and IASME certifications. (www.iasme.co.uk)
- People who make a complaint to us
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
- Job applicants, current and former employees
Coast Technology Limited is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at firstname.lastname@example.org
8.1 What will we do with the information you provide to us?
All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
8.2 What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
8.3 Application stage
Where we use an online application system, this will be collected by a data processor on our behalf (please see below).
We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.
You will also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide, will be used only to produce and monitor equal opportunities statistics.
Our hiring managers shortlist applications for interview. They will not be provided with your name or contact details or with your equal opportunities information if you have provided it.
We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes.
If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.
8.6 Conditional Offer
If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
- Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
- Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies.
- You may be asked to complete a criminal records declaration to declare any unspent convictions.
- We will contact your referees, using the details you provide in your application, directly to obtain references
- We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work. This may be done through a data processor (please see below).
If we make a final offer, we will also ask you for the following:
- Bank details – to process salary payments
- Emergency contact details – so we know who to contact in case you have an emergency at work
- Membership of a Pension scheme – so we can send you a questionnaire to determine whether you are eligible to re-join your previous scheme.
The data provided under section 7.6 at this stage may be stored outside of the European Economic Area by a data processor (please see below).
8.7 User of data Processors
Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
If you become an employee, further information about our third-party data processors is available via an Employee data privacy notice.
8.8 How long is the information retained for?
If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.
If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.
Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.
8.9 How we make decision about recruitment?
Final recruitment decisions are made by hiring managers and members of our management team. All of the information gathered during the application process is taken into account.
You are able to ask about decisions made about your application by speaking to your contact within Coast Technology Limited or by emailing email@example.com
- People who use our services (Customers)
We must hold the details of the people who have requested the provision of our services in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested information to carry out a survey to find out if they are happy with the level of service they received.
When we engage with a business client this falls outside of the scope of the General Data Protection Regulation and any personally identifiable information that is needed as part of that agreement will be identified and explicit consent obtained at the time.
- Your Rights
Under GDPR and the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you.
You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
- Complaints or queries
Coast Technology Limited tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Coast Technology Limited’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information, you can contact our Data Protection Officer on 0191 580 0220 or via firstname.lastname@example.org
- Access to personal information
Coast Technology Limited endeavours to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
To make a request to Coast Technology Limited for any personal information we may hold you need to put the request in writing addressing it to our Data Protection Officer, in writing to the address provided below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes.
- Disclosure of personal information
In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies. We will also share personal information if required by law, for example to aid a law enforcement or government organisation enquiry or investigation. We will consider in all applications:
- agreements we have with other organisations for sharing information;
- circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
- our instructions to staff on how to collect, use and delete personal data;
- how we check that the information we hold is accurate and up to date.
- Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 15th May 2018.
- How to contact us
Data Protection Officer
Coast Technology Limited
Coast Technology Limited
Join the conversation