Our Privacy Statement
This statement governs the collection, storage and use of personal information collected by Spirit UK Managed Services Ltd (‘SpirIT UK’), Company Registration Number: 7110570. Registered Address: 15 Norfolk Road, Seven Kings, Ilford, Essex IG3 8LQ. Registered in England.
We are required to provide you with the information in this privacy statement under applicable law which includes:
- Data Protection Act 1998, which will be replaced by the General Data Protection Regulation (EU) 2016/679 from 25 May 2018
- Privacy and Electronic Communications (EC Directive) Regulations 2003
What does SpirIT UK do?
SpirIT UK offers a complete IT service, providing customers with remote & onsite support as well as consultancy, professional services, expert advice and project management. As a managed service provider we are a GDPR data processor and on your behalf will perform the following activities:
- Onsite and remote support
- Backup & disaster recovery solutions
- Security patching and antivirus activities
- Security solutions to protect your systems
- Remote equipment monitoring
- Anti spam – mail cleaning & internet proxy
- Telephony services
The details of these contracted services are included in a schedule of works which will be agreed at the time of signing or renewing our contract with you.
How can we assist you in terms of GDPR?
As a GDPR processor we will assist you in fulfilling your own obligations as a data controller including:
- Data Protection Impact Assessments
- Data Subject Requests
- Data Breach Notification
Data breach notification
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
After we become aware of a personal data breach, the GDPR requires us to notify you without undue delay. We consider that all (confirmed) personal data breaches are in scope.
We have processes in place to quickly identify and contact our security team.
As a controller you have the following obligations:
- Notify the appropriate Data Protection Authority (DPA) within 72 hours of becoming aware of the breach (for example, after we notify you). If you don’t notify the DPA within that time period, you’ll need to explain why to the DPA. This notice to the DPA is required even where there is a risk to individuals that is not likely to result in a high risk.
- Notify the data subjects of the breach without undue delay
- Document the breach including a description of the nature of the breach—such as how many people were impacted, the number of data records affected, the consequences of the breach, and any remedial action your organisation is proposing or took
The personal information we collect or process
- Engagement data – data related to support tickets, contracts
- Website related data – for online visits and analytics
- Personal data collected or processed to fulfil the contracted service
We collect anonymised details about visitors to our website for the purposes of aggregate statistics or reporting purposes. However, no single individual will be identifiable from the anonymised details we collect for these purposes.
Third-party service providers
We may share or store personal data with third-party companies for them to facilitate and support us in the provision of the Service. This includes services such as:
- Cloud services provided by Microsoft or Google
- Cloud CRM services
- Cloud Accounting packages
- Credit reference, vetting and screening services
- Payment processors and software providers
- Cloud telephony services
- Cloud based remote support & monitoring tools
These organisations are appointed by us as data processors and authorised by us to act on our behalf. These organisations process information securely based on an agreement and do not have any independent rights to share this information. We evaluate our suppliers for compliance with GDPR and general security requirements. Should you require more details on any of the above please contact us at GDPR@spirituk.com
How long do we keep your information for?
For the duration of our engagement we will keep your personal data. After this period we will delete it except where it must be kept to comply with our legal obligations, resolve disputes, or enforce our agreements.
If you share our content through social media, for example by liking us on Facebook, following or tweeting about us on Twitter, those social networks will record that you have done so and may set a cookie for this purpose. In some cases, where a page on our website includes content from a social network, such as a Twitter feed, or Facebook comments box, those services may set a cookie even where you do not click a button. As is the case for all cookies, we cannot access those set by social networks, just as those social networks cannot access cookies we set ourselves.
Our systems automatically gather some anonymous information about visitors, including IP addresses, browser type, language, and the times and dates of webpage visits. The data collected cannot identify you and is used, as described above, for statistical analysis, to understand user behaviour, and to better administer the site.
Your information is held on cloud servers hosted by our providers (e.g. Google). Transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data when in our control or when we transmit, we cannot guarantee the security of the data you transmit; any transmission is at your own risk.
How do we keep your personal data secure?
All of our employees are familiar with our security policy and practices. Personal data is accessible to a limited number of qualified employees who are given a password in order to gain access to the information. We audit our security systems and processes on a regular basis.
We do not store any sensitive information directly but understand that this may be contained inside a data backup or visible to us when we are conducting our contracted duties. These activities are protected by passwords, two factor authentication and strong encryption protocols. Whilst we take commercially reasonable measures to maintain a secure site, electronic communications and databases are subject to errors, tampering and break-ins, and we cannot guarantee or warrant that such events will not take place and we will not be held liable for any such occurrences.
Your rights to your information
You have certain rights in relation to your personal information. If you would like further information in relation to these or would like to exercise any of them, please contact us at: GDPR@spirituk.com.
You have the right to request that we:
- update any of your personal information which is out of date or incorrect
- delete any personal information which we are holding about you
- restrict the way that we process your personal information
- prevent the processing of your personal information for direct-marketing purposes
- provide your personal information to a third-party provider of services
- provide you with a copy of any personal information which we hold about you, or
- consider any valid objections which you have to our use of your personal information
We will consider all such requests and provide our response within a reasonable period (and in any event within any time period required by applicable law). Please note, however, that certain personal information will be exempt from such requests in certain circumstances.
If an exception applies, we will tell you this when responding to your request. We may request you provide us with information necessary to confirm your identity before responding to any request you make. If you wish to contact us with respect to the above matters please email us at GDPR@spirituk.com
Third party sites
Complaints, questions and suggestions
We aim to meet the highest standards when collecting and using personal information. We take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. If you wish to complain about this policy or any of the procedures set out in it, please contact us at: GDPR@spirituk.com
In the EEA, you can also make a complaint to our supervisory body for data protection matters (the Information Commissioner’s Office in the UK) or seek a remedy through local courts if you believe your rights have been breached.
You can find details of how to do this on the ICO website at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123 1113
Subscriptions are taken in compliance with UK Spam Laws detailed in the Privacy and Electronic Communications Regulations 2003. All personal details relating to subscriptions are held securely and in accordance with the GDPR.
Spirit UK processes your data when it is in our legitimate interests to do this and when these interests do not override your rights. Those legitimate interests include providing you with information on our services and events. Please see the section on ‘Your Interests’ for more information.
When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Changes to this privacy statement
This privacy statement was last updated on 23rd May 2018.