Data collection and retention
1. What personal data is processed?
Dunstanville Limited collects only the minimum amount of personal information in order to handle business enquiries regarding our services. This includes full name, phone, email, and message. If the enquiry involves Dunstanville Limited visiting a personal or business address then this information is also stored as a reference for travel directions.
Through our website we also implement tracking ‘cookies’ to provide the best user experience for our visitors. Information gathered through ‘cookies’ includes: visitor numbers, page views, country of origin, time on site, device used. This information is not connected in any way to personal contact information received either through the contact form, direct emails or phone calls. The Dunstanville Limited website also uses third party ‘Business to Business’ tracking software which references a visitor’s IP address against a database of international businesses. The third party software provider is GDPR compliant and data about a business visiting our website is not connected to personal information and the individual user, and does not identify any personal IP addresses, mobile devices or any other data than that associated with the business.
You can learn more about ‘cookies’ here: https://ico.org.uk/your-data-matters/online/cookies/
2. How is that data collected and retained?
Personal data is collected through the contact forms within our website, direct emails and direct phone calls. The majority of information remains within our email system. The contact details provided by customers are also added into our accounting and invoicing software.
3. Is the data stored locally, on our servers, or both?
Personal data is collected and stored locally within our email client software, but that data is also referenced from an external email server via IMAP (Internet Message Access Protocol). Contact details for customers are also added into a cloud based accounting and invoicing software which uses an external server.
4. For how long is data stored, and when is the data deleted?
We audit and delete data every three years. Individuals can request at any time during the three year period a copy of the data we hold in relation to them, as well as request that the data is deleted immediately. For any information or deletion requests we can provide and/or delete the data within five working days (Monday - Friday) of the initial request.
5. Is the data collection and processing specified, explicit, and legitimate?
o Our data collection and processing is specified both on the contact page of our website, contact form confirmation agreement (checkbox) as well as within this PIA (Privacy Impact Assessment).
o The types of data collected, as well as how it is used are defined explicitly within this PIA.
o Dunstanville Limited only collect in the minimum amount of information in order to conduct our business operations. We only collect and use data that customers provide to us in agreement with our PIA. We never purchase personal contact information where the individual has not agreed to the data being used explicitly by Dunstanville Limited.
6. What is the process for granting consent for the data processing, and is consent explicit and verifiable?
7. What is the basis of the consent for the data processing?
Personal and business data collected via contact forms, direct emails and direct phone calls is only stored explicitly for internal use only within Dunstanville Limited. Data is only collected where it is required and essential for our business operations and there is no other reasonable way to achieve that purpose.
8. If not based on consent, what is the legal basis for the data processing?
The legal basis for storing any personal information where we have not been explicitly given consent is in the event of legal or civil proceedings; where we need to prove communications with the individual or business in order to collect payment or establish liability in relation to work undertaken by Dunstanville Limited.
9. Is the data minimized to what is explicitly required?
10. Is the data accurate and kept up to date?
The accuracy of the data is checked at the point where it’s is received by Dunstanville Limited. If for any reason incorrect contact information is received whereby it does not relate to the individual making the enquiry, then the data will be deleted and we will request the individual to submit a new enquiry. Business to business data is updated periodically to ensure we maintain the correct contact details with our existing clients. Contact details for individuals is not updated unless requested by the individual, but otherwise deleted at the three yearly audit.
11. How are users informed about the data processing?
Users are informed about how their data will be processed at the point of contact. This is either via confirmation and agreement by the individual using the contact form, or via the footer of our email communications.
12. What controls do users have over the data collection and retention?
By entering into communication with Dunstanville Limited via the contact form, direct emails or direct phone calls users agree that we can store their contact information data for business operations. At any time users, clients and private individuals can request a copy of what personal information we store and also request that it is deleted from all our internal systems.
Technical and security measures
1. Is the data encrypted, anonymized or pseudonymized?
Dunstanville Limited only collects the minimum data required for contacting private individuals and businesses. As this data is not stored within a single database or format where it can easily be extracted, at present we do not encrypt, anonymize or pseudonymise the data locally. However, data stored within third party hosting providers has encrypted access. By contacting Dunstanville Limited the user enters into an agreement that they are satisfied with our level of protection of their data. At any point a user can request their personal data be removed from our systems if they are not happy with the level of data security we use.
2. Is the data backed up?
Communications via email are backed up periodically (daily) via remote backups of our website hosting server. Contact and billing information for clients is stored within a third party cloud based accounting and invoicing software, which will also be backed up via the third party on a daily basis. Any data stored locally on computers within the office are backed up via third party cloud based data storage systems. We check that any third-party software providers are GDPR compliant and offer a suitable level of security in order to best protect the contact information we store.
3. What are the technical and security measures at the host location?
Dunstanville Limited’s website is powered by Squarespace: please see https://www.squarespace.com/measures
Dunstanville Limited’s email accounts and domain are powered by Google: please see https://support.google.com/a/answer/60762?hl=en
1. Who has access to the data?
Access to data within Dunstanville Limited is restricted to relevant staff members who require the information in order to complete their assigned role within the business. Access to master control panels of third party software and hosting software is restricted to one director. This access is through secure strong encrypted passwords and limited only to certain devices relevant to business operations.
2. What data protection training have those individuals received?
Dunstanville Limited have trained all staff members in how to handle personal data which is provided to them as part of their role within the company, as well as their responsibilities for protecting information pertaining to personal contact details within devices (computers, phones) that they use on a daily basis.
3. What security measures do those individuals work with?
Employees are instructed to only use strong passwords for securing devices as well as accessing local and cloud based software. They are also instructed to periodically change passwords at least once every two months. All computers within the company have antivirus and malware software installed to reduce the risk of malicious attacks and external parties accessing the devices/data.
4. What data breach notification and alert procedures are in place?
Our service providers have data breach and malicious attack notification services in place. In the event of this, or breach of Dunstanville Limited’s internal systems we have a notification system setup to inform all our clients via email. If we believe any specific individuals or businesses data has been compromised we will begin a process of informing them as soon as possible by direct phone calls.
5. What procedures are in place for government requests?
In the event of a data breach and government request to inspect our data, we can provide the relevant information within five working days. The majority of data can be provided in spreadsheet or database format, along with supporting documents.
Subject access rights
1. How can an individual see a copy of the data Dunstanville Limited holds on them?
In line with GDPR, any individual or business can exercise their rights to access what data we hold on them. They can do this via contacting us directly by email or phone.
2. How does the data subject exercise their right to data portability?
The data we hold on individual private clients is minimal (full name, email, phone, address). This can be provided in a variety of formats (CSV, PDF, DOCX, Email). The individual can request which is their preferred format when contacting Dunstanville Limited.
3. How does the data subject exercise their rights to erasure and the right to be forgotten?
An individual can contact Dunstanville Limited to request their information is deleted from our systems. On request we will provide them with a copy of what data we hold, and also what systems the data has been removed from.
4. How does the data subject exercise their right to restrict and object?
At any time an individual can contact Dunstanville Limited to object to their personal information being processed within our systems. On request we will provide them with a copy of what data we hold, and also what systems the data has been removed from. Dunstanville Limited shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
1. Are the obligations of all data processors, including subcontractors, covered by a contract?
Dunstanville Limited, has entered into agreements with any/all subcontractors and third-party data processors to ensure we operate with only legitimate suppliers that comply with the GDPR guidelines and keep personal data protected throughout all our business operations.
2. If the data is transferred outside the European Union, what are the protective measures and safeguards?
Due to the nature of website hosting servers and cloud based software systems, data is likely to move outside of the European Union during day to day operations. To ensure the security of our customer’s person data we only use reputable providers for web services and ensure they meet the GDPR guidelines. Access to online cloud based software systems is done through a limited number of logins which all use the maximum level of password strength. Passwords are also changed periodically to reduce the risk of access being gained by unwanted parties.
1. What are the risks to the data subjects if the data is misused, mis-accessed, or breached?
Dunstanville Limited only stores the minimal amounts of personal contact data required to complete our business operations. In most cases this is limited to full name, phone, email and address. The main risk would be identity theft, but as this is same data is often commonly available through other means, such as online searches, the risk to an individual in the event of a data breach would be very minimal.
2. What are the risks to the data subjects if the data is modified?
The personal data that Dunstanville Limited store is only related to client contact information and does not form part of any online account, e-commerce system or otherwise. In the event of a data breach where personal data is modified within our systems, the risk to individuals is minimal and would not pose a threat to personal finances, privacy or identity theft.
3. What are the risks to the data subjects if the data is lost?
Personal contact data for our clients is backed up regularly and encrypted by the third party software systems. The likelihood of the data being lost permanently would be very small, and would not directly affect the individual beyond a delay in communications from Dunstanville Limited.
What are the main sources of risk?
The main source of risk would be unwanted access to our software, either through login details being obtained by a rogue party or data breach of the third party supplier. The result of which would at most be the data being harvested and sold on.
What steps have been taken to mitigate those risks?
To minimise access to any of our systems, all staff are instructed to only use the strongest level of secure passwords, and to change these periodically (roughly every two months). Passwords are unique to each system and user, and in the case of client’s control panel’s for online hosting, these are always changed from the default passwords set at time of purchase.