Privacy Policy

At Gwythan Ltd. we are committed to keeping your data private and
secure, and will act in accordance with the General Data
Protection Regulation (GDPR), Data Protection Act,
the Privacy and Electronic Communications Regulations (PECR),
and further amendments to ePrivacy regulations resulting from the
implementation of GDPR as they come into force.

We are also registered as a Data Controller, under the Data
Protection Act, with the Information Commissioner’s Office, for the
purposes of Data Protection, and we are also a Data Processor on
behalf of our clients.

This Privacy Notice explains what personal data we collect and
how we store and use the data that we hold. The lawful basis for
processing the data is to fulfil our contractual obligations with
our clients and to respond to the enquiries of potential clients.

Who we are

Gwythan Ltd.
Registered in England and Wales.
Registered Company Number: 07894749
Registered Address: Kemp House, 160 City Road, London, EC1V 2NX
Telephone number: 0560 386 6101
Named contact: Kevin Ashbridge – Director

About the General Data Protection Regulation (GDPR)

This privacy notice is written in accordance with the General
Data Protection Regulation.

The General Data Protection Regulation is a regulation in EU law
on data protection and privacy for all individuals within the
European Union. It was adopted on 14 April 2016, and after a
two-year transition period, became enforceable on 25 May 2018.

It gives individuals the right to:

  • be informed about how we use their personal data;
  • have access to the personal data that we hold;
  • request that their personal data is amended if it is
    inaccurate or incomplete;
  • request that their personal data be erased where there is no
    compelling reason for its continued use;
  • object to their personal data being used for direct marketing
    purposes;
  • request that the processing of their data be restricted;
  • obtain and reuse their personal data for their own purposes
    across different services e.g. to move, copy or transfer their
    data from one IT environment to another in a safe and secure way;
  • not be subject to automated decision-making or profiling;
  • object to their personal data being processed.

We must comply with these rights and after someone gives their
consent for us to use their personal data this consent may be
withdrawn by them at any time.

What we collect

Primarily, we collect the contact details of the clients or
people that we work with so that we are able to contact them as
part of the legitimate relationship that we have with them. This
includes the full names, job titles, telephone numbers, addresses
or email addresses of our own suppliers, and the staff, customers,
suppliers, partners, students, governors or other representatives
of our clients when we need this data to fulfil our contractual
duties.

We also collect or process:

  • the name and contact details of individuals who complete the
    contact forms on our websites, or who telephone, email or write
    to us enquiring about our products or services;
  • photographs of staff, students, customers, partner
    representatives or others which may have been used within a
    brochure, report, newsletter, social media, website or any other
    form of communication, including press releases, that we produce
    or manage when acting on a client’s behalf;
  • details relating to the conduct of a staff member if we are
    asked to assist with a crisis communication which relates to that
    staff member. This may include their full name, job title,
    contact details and details of their personal circumstances;
  • details relating to the injured party, or affected
    individuals, if we are asked to assist with a crisis
    communication which relates to the actions of our client. This
    may include their full name, job title, contact details and
    details of their personal circumstances;
  • log-in details for the email accounts, websites or other
    portals or systems which our clients provide in order for us to
    access information that we need to fulfil our duties under the
    contract that we have with them. By default this may give us
    access to personal data which we may not necessarily need to
    access, use or process;
  • details of the staff or students who are listed within our
    PolicyViewer platform and other online platforms which includes
    their full name and email address;
  • the names, job titles and contact details of journalists and
    other media contacts.

What we don’t collect

Although our clients may give us access to their own IT systems,
or electronic and hard copy files as part of them enabling us to
fulfil our obligations under the contract, we do not remove or
process personal data relating to staff, customers, parents,
students, partners or others, with whom we have no relationship
under the working relationship or agreement that we have with
them, from these systems. We also do not store any hard copy or
electronic copies of these records on our premises or within our
own IT systems. We only process or use data that is directly
related to the role that we are undertaking. All other information
is considered to be confidential and out of the scope of our use.

What do we use the data for?

We use the data that we hold to:

  • respond to people who have made an enquiry about our products
    or services;
  • evaluate the suitability of prospective clients and our
    ability to provide a suitable product or service that best meets
    their needs;
  • contact our own suppliers, partners or media contacts, and the
    staff, customers, suppliers or other stakeholders of our clients
    so that we can perform our duties under the contract;
  • provide the PolicyViewer service, which uses the names and
    email addresses of staff or students in order for the system to
    notify staff or students of school policies;
  • make people aware of our products or services if they have
    given us permission to do so;
  • make people aware of our own offers and promotions if they
    have given us permission to do so;
  • send newsletters or updates to people who have given us
    permission to do so;
  • produce quotations, proposals and invoices, and to maintain a
    record of our financial transactions with clients as part of our
    accounting processes;
  • gain an understanding of our website traffic and how and when
    people are using our websites. This includes, amongst other
    things, details of the device used to access the website, the
    rough location of the user, the actions they take on the website
    and the source of their visit e.g. via a particular search
    engine, 3rd party website or advertisement.

Who do we share this data with?

  • If we are lawfully permitted to do so, and acting on a
    client’s behalf, we may pass on the contact details of
    individuals including their name, job title, address, telephone
    number, email address, and photographs of these individuals, or
    others, to journalists when we are submitting a press release.
  • If we are lawfully permitted to do so, and acting on a
    client’s behalf, we may pass on the contact details of
    individuals including their name, job title, address, telephone
    number and email address to our own suppliers, but only if the
    supplier has an adequate Privacy Notice and security measures in
    place.
  • Our hosting provider ‘Liquid Web’ hosts websites that we have
    produced. If your website is hosted with them then, by default,
    any information contained within it (either on the public pages
    or within password-protected areas) will reside on their servers.
    Please note that we use their European data centre for our sites
    NOT their data centres in the United States.
  • The name and job title of the relevant ‘addressee’ staff
    member on our invoices will be, by default, shared with FreeAgent
    Central Limited, the provider of the accounting package that we
    use which is called ‘FreeAgent’. These do not include contact
    details such as email addresses and telephone numbers but they
    will include the organisation’s name and address.

We may also, if lawfully requested or permitted to do so, share
data with the UK government, HM Revenue and Customs, debt
collection agencies, police forces or courts.

How do we protect your data?

  • As much as possible we use our clients’ own systems for
    sending and receiving emails that may contain personal data. For
    example, by having our own email address at their business or
    school so that sensitive email exchanges occur within their own
    IT infrastructure.
  • We ensure our anti-virus software is properly installed and
    kept up-to-date.
  • Our computers and mobile phones are password protected and
    never left unlocked when unattended.
  • We change all of our passwords regularly and do not use the
    same password for different systems.
  • Log-ins and access details are stored within password
    protected areas to provide a second layer of protection.
  • We do not send personal data via methods which are not
    encrypted.
  • Information which we no longer need to fulfil our contractual
    obligations is deleted from our systems, even if we are still
    working with the client.
  • Data that we hold will be deleted when the contract comes to
    an end, or when the client stops using our products or services.
  • If we dispose of a computer then all data is removed prior to
    its disposal.
  • Users have the option to accept Cookies when visiting our
    websites and our Cookies Policy is available to view which
    explains what Cookies are, which Cookies we use and how we use
    them.
  • If we design and produce a website on a client’s behalf then
    we will ensure that the website is protected with SSL.
  • If we design and produce a website on a client’s behalf, and
    arrange the hosting, then the website will be hosted with a
    company that has a European data centre, high security standards
    and a robust Privacy Notice and security measures in place.

How long do we keep the data for?

The data is only kept for as long as we are providing products
or services to the client. With the exception of information which
is needed for accountancy purposes, or if an individual has
opted-in to receive future communication, we will remove all
personal data that we hold when the contract comes to an end, or
when they opt-out or stop using our products or services. However,
if someone has stopped using our products or services and we have
not yet received full payment for the products or services that
were used then we will need to retain their contact details until
the full payment has been made.

If you are a supplier then we will hold your data until we no
longer need, or want to use, your products or services, or until
you ask us to erase the data that we hold.

As a UK based Ltd Company, we must keep financial records for 6
years from the end of the last company financial year they relate
to. This means that we will have a record of the names, job titles
and contact details of the people who appear on quotations,
purchase orders, invoices and remittance notices for this period
of time.

The rights of our clients as Data Controllers and our role as Data Processors

Our clients are Data Controllers and as part of fulfilling our
duties, we may have to process data on their behalf as the Data
Processor.

As a company we will:

  • act in accordance with this Privacy Notice;
  • act with transparency;
  • provide complete confidentiality;
  • act in accordance with your own Privacy Notice and abide by
    the rules, terms or conditions that you provide so that you are
    able to comply with your own data protection and confidentiality
    requirements;
  • not use another Data Processor without your prior written
    consent;
  • only process data in the way that is necessary for us to
    fulfil our obligations under the contract;
  • contact you and the ICO immediately if there is a data breach,
    providing full details of how it happened, why it happened, the
    impact, and what we are doing to ensure that it cannot happen
    again.

As a client you:

  • have the right to have access to the data that we hold;
  • have the right to restrict the data that we hold and the
    access to that data;
  • have the right to request an amendment to the data that we
    hold;
  • have the right to object to the data being processed or how it
    is being processed;
  • have the right to request that the data be erased;
  • must not ask us to hold or process data in a way that is
    unlawful.

Transferring data outside of the EU

If we ever have the need to transfer data to a country outside
of the EU then we will ensure that this complies with data
protection law and that the company has adequate safeguards.
However, this is only likely when you or the client requests such
processing under the working relationship or contract that we have
with you, and when we have a valid reason for doing so.

Our expectations of our suppliers

We expect our suppliers to:

  • be committed to keeping personal data private and secure, and
    act in accordance with the General Data Protection Regulation
    (GDPR), Data Protection Act, the Privacy and Electronic
    Communications Regulations (PECR), and further ePrivacy
    directives resulting from the implementation of GDPR as they come
    into force;
  • be registered as a Data Controller under the Data Protection
    Act with the Information Commissioner’s Office for the purposes of
    Data Protection if applicable;
  • act with complete transparency with regards to data
    protection;
  • act with complete confidentiality, never disclosing
    information about our clients to others who are not directly
    involved in the delivery of the products or services that you are
    providing to us.

Who to contact

If you have any enquiries or requests related to the data that
we may hold about you then you can contact us in the following
ways:

By telephone: 0560 386 6101
By email: admin@gwythan.com
By letter: Gwythan Ltd, Kemp House, 160 City Road, London, EC1V 2NX

If you request a copy of the data that we hold then we will
provide this within 21 days of the request and we will ask that
you verify your identity before we release the data.

Data Protection Officer

Our Data Protection Officer is the Company Director, Kevin
Ashbridge: admin@gwythan.com

How to complain

In the first instance, please contact our Data Protection Officer who is listed above. You can also submit your complaint to
the Information Commissioner by using the following contact
details:

Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF