Privacy Information

Protecture Privacy information

What’s this?

Information for you about why and how your personal data is processed by Protecture.

FYI: some background details:

When we say “Protecture”, we mean “Protecture Limited”, the company that exists to provide data protection advice and support services to other organisations.

We’re registered as a Data Controller with the Information Commissioner’s Office and you can see our registration info here.

Our only business is to sell and deliver data protection support. We don’t trade, swap, or make money from personal data in any other way.

Data protection law gives you rights, and we want to make sure we’re doing right by you. If you have any questions, concerns or requests about your data, please do get in touch with us at dataprotection@protecture.org.uk or on 020 3691 5731.

The sections below describe how your personal data is processed according to the relationship between you and Protecture. If you think there is any info missing, unclear or incorrect then please let us know so we can fix it.

The sections below tell you about the details of how personal data is processed by Protecture

ePrivacy details:

We use cookies to see how many new and unique visitors we get to this website, the paths visitors take around the site content and approximately what part of the world our website visitors are coming from. We do this by setting two cookies which act like a 'virtual sticker' on your computer so that we can tell one site visitor from another.

_pk_ses - the Matomo session cookie. Lasts for 30 minutes and allows us to see what path you take through the site content.

_pk_id - the Matomo ID cookie. This lasts for 13 months and lets us know whether you are a new or return visitor to the site.

Trackers

We also use some third-party services to enhance the functions of the site, which result in trackers being active. These don’t set cookies but they do send reporting data to the third party when you land on the page. You can block tracking of your online activity by using a tool such as Privacy Badger, uBlock Origin or Ghostery.

Data goes to:

  • Mailchimp: because there is an email newsletter signup widget on the page. We will soon be moving our email marketing operations in-house.
  • Google: the site uses Google Fonts – we’re working on eliminating that.
  • Innocraft: this is the cloud hosting for our Matomo server, which we use for site use analytics as described above.
  • Cloudflare: content delivery and load balancing to support smooth streaming of video content.
  • Typekit: for Adobe Fonts, which are used by the theme plugin we use.

Personal data

We will process your personal data to:

1. Keep the site secure and problem-free

How:

Our web hosting provider keeps logs of connections to this site so that we can detect and prevent malicious activity. The logs contain your IP address (which can reveal your geographical location), the date and time of your connection, the pages you’ve visited in what order and for how long, and the browser you’re using (which can reveal the device you’re using as well). We make no use of this data on an individual level unless the traffic looks like an attack, in which case we will block the connection.

Site traffic logs are kept for 3 months then deleted. If we’re investigating suspicious activity then we’ll keep the traffic logs for the time period until the investigation is over.

Why:

It’s in our interest – and yours – that our site is secure and working properly, so this processing of personal data is done on the basis of legitimate interests. We’ve done an assessment of this interest and how we balance that with your rights and freedoms. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider whether the security and performance of the website would be at risk if we stopped processing your data in this way.

2. Respond to ‘Contact us’ requests

How:

When you use the ‘Contact Us’ form to get in touch, the data is sent to us automatically by email from the web server. The data stays on the web server for a month in case the email service is interrupted, then is deleted automatically.

Why:

It’s useful for both Protecture and you, for us to be able to respond quickly and easily to enquiries, so this processing of personal data is done on the basis of legitimate interests. We’ve done an assessment of this interest and how we balance that with your rights and freedoms. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider what the impact to you and Protecture would be if we stopped processing your data in this way.

3. Understand how the website is used

How:

We use Matomo, which is a privacy-respectful analytics platform, for analysing use of this website. When you visit this site, our Matomo cookies are set on your computer and the following information is sent to our cloud-based Matomo account:

  • your IP address (which reveals your geographical location)
  • the site you came from (referrer)
  • the content you access
  • the type of device, system and browser you’re using
  • the pages you view, in what order and for how long
  • clicks on links within the site

We don’t use this to learn anything about who you are individually, and as a Data Processor, Matomo is not allowed to use the data in any way except to show us statistics about how this site is used. We have a Data Processing Agreement with Matomo that meets GDPR requirements.

Why:

To be able to make improvements to the website, it’s useful to us to know whether some pages or topics are more/less popular, what times of day the site is most accessed and from where in the world. Also, to make best use of our marketing resources, it’s useful for us to know how people arrive at our website in the first place, so this processing of personal data is done on the basis of legitimate interests. We’ve done an assessment of this interest and how we balance that with your rights and freedoms. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider what the impact to you and Protecture would be if we stopped processing your data in this way.

Third parties

The website is managed by external developers, and they sub-contract the web hosting to another company. Both providers are located within the UK and we have written GDPR-standard Data Processor requirements into our contract.

We'll process your personal data for...

1. Event booking administration and event management

How:

When you book a place on a Protecture event, we will need you to provide some contact information, payment information (if you are a non-subscriber), and information about your accessibility and dietary requirements.

We’ll keep the data for 6 years after the event (for non-subscribers) and for 6 years after the end of the subscriber relationship (for employees of Protecture subscribers) so that we can demonstrate to auditors and regulators that we are meeting our legal obligations, and to respond to any legal claims or actions that may arise from the event.

Why

We need this data to plan and organise the event, ensure that communications about it are sent to the right place, and take payment or allocate subscriber places; so this processing of personal data is done on the basis of legitimate interests. We’ve done an assessment of this interest and how we balance that with your rights and freedoms. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider what the impact to you and Protecture would be if we stopped processing your data in this way.

Asking for accessibility and dietary information is how we make sure that we are complying with the Equality Act and Health & Safety legislation when we arrange events. This processing is therefore done under the basis of ‘necessary to fulfil a legal obligation’.

More about this legal basis:

The exact legal basis for this is GDPR Article 6.1.c and Article 9.2.b, referencing the Health & Safety At Work Act 1974 section 4.2.

2. Promoting Protecture events and services

How

At the event, we will take photographs to record the event and promote our services on our website and social media. These will be taken from the back of the room and will be positioned carefully to ensure that the only faces visible are those of Protecture staff. If you would prefer not to be included at all then we will ask you to let us know at the start of the event.

Why

We want to promote the organisation in order to raise interest in future events and attract new subscribers, so this processing of personal data is done on the basis of legitimate interests. We’ve done an assessment of this interest and how we balance that with your rights and freedoms. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider what the impact to you and Protecture would be if we stopped processing your data in this way.

3. Answering queries, making improvements

How

At the end of the event, we will ask you to fill out a feedback form about your experience. You can choose whether you include your name and employer on the form, however as our events are run for small groups, it will be unlikely that your feedback can remain truly anonymous. We use the feedback to address concerns and queries, make improvements, and to also promote Protecture’s services if you have been kind enough to give us a testimonial.

We keep the comments (without attribution) permanently as part of our internal knowledge base so that we can apply the ‘lessons learned’ in future.

If we obtain sales leads from the feedback form (ie, you have asked us to get in touch to discuss the possibility of taking out a subscription), we’ll keep that information for 2 years after a sales conversation takes place if it does not result in a sale being made, or as part of the complete subscriber record if the outcome is a subscription purchase.

Testimonials are published on the Protecture website and our hard-copy marketing materials. We renew these every few years and archive previous testimonials permanently.

Why

It benefits event attendees for us to be able to understand how the event was experienced, as we can then choose suitable future venues, improve our presentation content or delivery and identify topics of particular interest to focus on, so this processing of personal data is done on the basis of legitimate interests. We’ve done an assessment of this interest and how we balance that with your rights and freedoms. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider what the impact to you and Protecture would be if we stopped processing your data in this way.

Testimonials are gathered and published only with your consent.

...we will process your personal data for managing the subscription

by:

  • providing access to member portal for content, support requests, compliance records
  • arranging meetings, training and events
  • giving data protection advice
  • checking in to discuss priorities, progress and renewals

How

When your organisation joins as a Protecture subscriber, we will provide login accounts to the website’s Member portal area for those that need them. For this, we will need the individuals’ names, job titles and email addresses.

The information in the “using this website” and “booking events” sections is also applicable to subscribers, so please do read them too.

When you or your colleagues request support from Protecture, we will need the details of the question you are asking, which will often include mentions of individuals and their contact details and descriptions of data processing activities that include personal data. These come in to Protecture from our support tickets on the website, by email and by phone.

We keep the details of these interactions so that we can learn about your organisation’s challenges and risks in order to provide you with tailored support, to collaborate internally on finding the most suitable answers for you, and to enhance our understanding of data protection challenges, risks and solutions.

Why

As all of these purposes are part of the subscriber relationship between your employer and Protecture, both organisations have a legitimate interest in this processing. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider what the impact to you and Protecture would be if we stopped processing your data in this way.

Third parties

We have Data Processing Agreements with our IT support supplier, cloud CRM provider, and cloud office providers which require them to comply with the requirements of Article 28 of the GDPR. Our cloud data is hosted within the EU only.

Why did we get in touch?

If you've been contacted by Protecture to offer a conversation about our services, then it's because our research has indicated that you might be interested in what we have to offer.

How

When we do pre-sales research, we look at:

  • LinkedIn: names, job titles, employers, indications of professional interests based on comments and activity, and contact details to find people with job roles that indicate they are responsible for risk or compliance for their organisation
  • Companies House and the Charity Commission websites, to find the names, job titles, and contact details of people at organisations who are likely to benefit from Protecture's support
  • Twitter: to respond to direct enquiries from people who have been referred to, or heard of Protecture

Why

We want to offer our services to organisations which would benefit from having our support and be able to approach the most suitable person to discuss this with, so this processing of personal data is done on the basis of legitimate interests. We’ve done an assessment of this interest and how we balance that with your rights and freedoms. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider what the impact to you and Protecture would be if we stopped processing your data in this way.

If you apply to join our team

How

If you approach us to enquire about joining Protecture, or send us your CV in response to an advertised position, then we will review the information you’ve provided to determine whether your experience and/or qualifications indicate that you would be a good fit for the team here at Protecture. We would then get in touch to arrange an interview and tell you more about the process. If you change your mind during the process or your application is unsuccessful, we’ll ask you whether you want us to keep your details in case another opportunity comes up, otherwise we’ll delete them.

Why

It’s in your interest to apply for jobs, and in Protecture’s interest to find high-quality team members to join us, so this processing of personal data is done on the basis of legitimate interests. We’ve done an assessment of this interest and how we balance that with your rights and freedoms. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider what the impact to you and Protecture would be if we stopped processing your data in this way.

How our email marketing works

If you sign up to our email newsletters, we will send them to you until you unsubscribe or ask us to stop sending them.

Currently, our newsletters contain tracking pixels which tell us whether they have been opened, and unique URLs which tell us who has clicked on the links inside the email. This is the default behaviour of our email provider and we are unable to make the feature work on an opt-in only basis at the moment.

We want to offer our services to organisations which would benefit from having our support and be able to approach the most suitable person to discuss this with, so this functionality is useful to us but at the moment we can’t disable it for specific recipients.

We use the information about whether you have opened a newsletter, or clicked on the links inside the email, to help us identify and communicate with the most suitable person within your organisation.

If you don’t want this kind of tracking to be applied to the emails that you receive from us, you can change the settings in your email program to prevent remote images from being loaded, and access the content directly from our website rather than following the links.

When you sign up to our newsletter, the email provider (Mailchimp) also uses your personal data for profiling, targeted advertising and commercial analytics. We want to be able to ask for your consent for this separately, but due to the way that Mailchimp works, that’s not possible. Because of this, we’re making preparations to change our email provider to a more privacy-friendly platform.

Why

We’ll send you the newsletter on the basis of consent; ie you have indicated to us that you want to receive these messages.

We keep records of who has unsubscribed from the newsletter list so that we comply with section 22 of the Privacy & Electronic Communications Regulations (PECR) by suppressing them, so this is a legal obligation.

If you email us directly rather than using the ‘Contact Us’ form on the website, we’ll use the data you’ve included to respond to your message. We’ll also keep the messages exchanged for our internal auditing and accounting records. We’ve done a legitimate interests assessment of our auditing and accounting activities, and how we balance that with your rights and freedoms. You can ask us for a copy of this assessment.

You have the right to object to this processing, in which case we will review the assessment and consider what the impact to you and Protecture would be if we stopped processing your data in this way.

Your rights

Data protection law gives you rights to help you understand and control how personal data about you is used. This section explains what these rights are and what Protecture has in place to help you exercise them.

Your rights are.....

You have the right to have a clear explanation of the processing of your personal data provided to you – we hope that’s what we have achieved with this privacy information!

If you consider that we’ve done a good job with this, please let us know by giving us a thumbs-up in the ‘Feedback’ section. If you’re not satisfied with this privacy information, give us a thumbs-down and do please get in touch to let us know what we can do better. The thumbs indicator is anonymous (we don’t link it to your IP address) and it helps us demonstrate compliance with Articles 12-14 of the GDPR.

Exercising this right is known as "making a subject access request":

You have the right to ask us:

  • whether we are processing your personal data
  • why we are doing so
  • under what lawful basis we are processing your data
  • the categories of personal data about you which we are processing
  • whether the data is being sent outside the EU
  • the names of any other Data Controllers your data has been passed to, and the purpose and lawful basis for the transfer
  • how long we’re going to keep the data, or what criteria we’ll use to decide whether to keep it
  • for a copy of the data we are processing.

We’d much appreciate if you would use this form to make a subject access request, as this allows us to identify and handle requests consistently, however you don't have to use the form – a phone call, a social media message or an email are also ways of making the request. We’ll need to ask you for some information to make sure the request is valid though, so it would save time to use our form from the start.

Objecting to direct marketing

You have the right to ask us to stop processing your personal data for direct marketing purposes, and if you make this request we will stop sending you marketing and exclude your data from any analytics or reporting we do for marketing. We'd rather keep your contact details on our suppression lists so that if we do collect your data again in the future, we can be sure to exclude you from receiving our marketing materials. However, if you tell us that you prefer us to stop all marketing-related processing of your personal data, then we will remove your details from these lists.

Objecting to processing based on legitimate interests

You can object to any processing of your personal data where that processing is based on legitimate interests. When you make an objection, we will revisit the balancing test that was done for the original Legitimate Interests Assessment and decide on a case-by-case basis whether we should cease the processing of your personal data.

If we consider that we have compelling interests that outweigh your preferences (which might be to keep our IT systems secure, or maintain auditing and accounting records) then we will explain our reasoning to you.

This right is sometimes referred to as "the right to be forgotten". It only applies in narrow circumstances, where -

  • you have withdrawn your consent and there is no further legitimate interest in continuing to process the data,
  • your objection to our processing under legitimate interests outweighs those interests,
  • the processing of your personal data is no longer necessary,
  • there is a law that requires the data to be deleted, or
  • the processing is unlawful (we work hard to make sure this is never the case!)

- you have the right to have your data erased from our systems and files.

We can’t erase any data which we are required by law to process, but we will highlight and explain this to you if your request includes this data.

Under some circumstances, you can limit how your personal data is used by us

If -

  • the personal data we are processing is inaccurate
  • our processing is unlawful
  • the data is no longer necessary for the original purpose of processing but needs to be kept for potential legal claims, or
  • you have objected to processing carried out under legitimate interests and we’re still in the process of determining whether there is an overriding need to continue processing

- you have the right to restrict the processing. This means that the data will only be processed:

  • with your consent,
  • for the establishment, exercise or defence of legal claims, to protect someone else’s rights, or
  • if there is an important public interest justification for processing

The right of data portability says that you can ask for any data that we process by automated means (which means ‘using a computer’) which

  • you provided to us either on the basis of consent or
  • because it was necessary for a contract that you are directly a party to;

- to be provided back to you in a computer-based format, or sent directly to another Data Controller.

This is mostly intended for you, the individual end user or consumer, to be able to switch providers without your data being held hostage.

We don’t do any automated decision-making or automated profiling, but if we did, you would have the right to ask us to explain the logic behind any such decisions and for the decision to be reviewed by a human being, if the decision had an effect on your rights or freedoms.

Rectification

If any of the data we hold on you is inaccurate or out of date, please let us know so that we can correct it as quickly as possible.

Complaints

If you’re not happy with any aspect of how we process your personal data, please let us know so that we can make things right. If you’re not satisfied with our response, you can make a complaint to the Information Commissioner’s Office.