The following outlines the policy and commitment to user privacy by our company, Public Services Publishing Ltd (PSP), in connection with data privacy laws.
The General Data Protection Regulation (GDPR) came into force on 25th May 2018 and increases accountability and transparency about individuals’ data protection. It’s important that PSP lets you know why we hold personal information about you, what information we hold, and your rights in connection with that information.
The majority of our clients are corporate or public-sector clients (e.g. local authority libraries) and therefore we believe that, strictly, the GDPR does not apply in these circumstances. However, we want to ensure we adopt the best practices that we can.
Why do we hold your personal information?
The GDPR specifies a number of legal grounds (i.e. the legal basis) on which personal information can be held. These are:
• Consent: where an individual gives express consent for PSP to hold their personal information.
• Contractual obligation: the vast majority of the personal information that PSP holds is covered by this basis. PSP offers annual subscriptions to two online legal websites:
– Law&Rights (www.lawandrights.co.uk)
– Law&Business (www.lawandbusiness.co.uk)
Our clients contract with PSP to provide them with annual subscriptions. The standard subscription period runs from 1 April until 31 March. Under the GDPR, fulfilling such a contract is a lawful basis for PSP to have your personal information.
• Legitimate interest: this includes commercial interests. PSP has assessed our legitimate interests in order to comply with the GDPR. The marketing use of prospective clients’ data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object. This includes letting people know about current and new products (i.e. current clients and former clients, up to 3 years after the expiration of their subscription or taking a product, e.g. L&R book). Contact will primarily be by email, although it may also be by post. Emails may be followed up by telephone calls.
• Lawful compliance: where access is required by a regulatory body (e.g. invoices provided to our accountants for the preparation of our year end accounts).
What personal information do we hold?
‘Personal data’ is defined under the GDPR as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier.
For our clients, PSP only has the information that was provided to us by an organisation on taking out or maintaining the subscription. This will be the name, job title, organisation name, work address, work telephone number and work email address of staff concerned with the subscription. We do not collect or retain any personal information about users of our L&R, L&B or CE websites.
We promise never to share this personal information with any other parties without your express permission unless it is for lawful compliance.
For prospective clients or other interested parties, they will receive information about services and products that they will use in a work capacity. It may also be beneficial to them to use in a personal capacity to gain information about legislation which affects them as an individual.
For prospective clients or other interested parties, this will only be their name, job title, organisation name, work address, work telephone number and work email address.
If payment for a subscription, service or product is made by credit or debit card, we never retain any card details.
How do we process your information and why?
PSP will only use your personal data for the following reasons:
– To administer your subscriptions to our services and products.
– To respond to your requests or enquiries.
– With your consent, we will use your personal data to keep you informed by email and post about relevant products and services. You are free to opt out of hearing from us at any time.
– To send you relevant, personalised communications by email and post (which are sometimes followed up by a telephone call) in relation to updates, offers, services and products. We’ll do this on the basis of our legitimate business interest.
– To send you communications required by law or which are necessary to inform you about changes to the services we provide to you.
– To comply with our contractual or legal obligations to share data.
Data is not shared with any other third party unless the person’s express consent is given, it is required to administer your subscription (e.g. send books directly to you from the printers) or access is required to comply with our legal obligations (e.g. invoices provided to our accountants).
We do not carry out any automatic processing of your data (i.e. where no human has reviewed the outcome and criteria for the decision).
How do we protect your data?
We know how much data security matters to all our clients. With this in mind we treat your data with the utmost care and take all appropriate steps to protect it.
Access to your personal data is password-protected and kept securely, and credit or debit card details are not retained by us.
How long will we hold the information?
PSP will hold the personal data for the length of the subscription period in order to fulfil our contractual obligations. If and when our contract ends, we propose to retain and archive the information for another 3 years to let you know about new services and possible discounts for former clients.
For marketing purposes, PSP will hold the data for up to 3 years.
Your rights as an Individual
As an individual, you have the following rights:
2. Right of access: to the personal data we hold about you, free of charge in most cases.
3. Right to rectification: the correction of your personal data when incorrect, out of date or incomplete.
4. Right to erasure: to have your personal data deleted and forgotten unless it is required for contractual obligations or for lawful compliance.
5. Right to restrict processing: to ensure that only just enough information is collected for the required purpose.
6. Right to object: if the processing is based on legitimate interest (marketing), PSP will stop using your data. This right does not apply where we have a contractual obligation to process your data e.g. to administer a L&R subscription.
Under the GDPR, the rights to data portability and in relation to automated decision-making do not apply as PSP does not use any automated decision-making or profiling.
You have the right to request a copy of any information about you that PSP holds at any time, and also to have that information corrected if it is inaccurate. To ask for your information, please contact our Data Protection – Chief Operating Officer, PO Box 68848, London SE26 4BX or email firstname.lastname@example.org
If we choose not to action your request we will explain to you the reasons for our refusal.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent. This right does not apply where we have a contractual obligation to process your data e.g. to administer a L&R subscription.
Where we rely on our legitimate interest for marketing
In cases where we are processing your personal data on the basis of our legitimate interest for marketing, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.
Checking your identity
Contacting the Regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113.
Or go online to www.ico.org.uk/concerns (please note we can’t be responsible for the content of external websites).
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
If you have any questions that haven’t been covered, please contact our Data Protection Officer who will be pleased to help you:
Address: Data Protection – Chief Operating Officer, PO Box 68848, London SE26 9BX
This notice was last updated on 10 May 2018.