This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services.
This notice is layered. So, if you wish, you can easily select the reason we process your personal information and see what we do with it.
We'll tell you:
The first part of the notice is information we need to tell everybody
Pindar Creative is the controller for the personal information we process, unless otherwise stated.
There are many ways you can contact us, including by phone, email, live chat and post.
Our postal address:
Unit 8A, Alton House Office Park
Telephone number: 01296 390100
For general contact please use this page of our website.
Our Data Protection Officers are Carl Thomas and Vaughan Humphries. You can contact them at firstname.lastname@example.org or via the postal address above. Please mark the envelope 'Data Protection Officer'.
Most of the personal information we process is provided to us directly by you for one of the following reasons:
We also receive personal information indirectly, in the following scenarios:
If it is not disproportionate or does not prejudice, we'll contact you to let you know we are processing your personal information.
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
You have the right to ask us to erase your personal information in certain circumstances.
You have the right to ask us to restrict the processing of your information in certain circumstances.
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
If we are processing your information for criminal law enforcement purposes, your rights are slightly different. Please see the relevant section of the notice.
You are not required to pay any charge for exercising your rights. We have one month to respond to you.
Please contact us at email@example.com if you wish to make a request, or contact our helpline on 01296 390100.
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
In some circumstances we are legally obliged to share information. For example under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we'll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.
In our capacity as UK supervisory authority for data protection, there are some circumstances where we must cooperate with and help other supervisory authorities in the EEA, in handling complaints and investigations. This may lead to sharing personal information if it is relevant to the complaint or investigation.
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.
We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at firstname.lastname@example.org and we'll respond.
We may impose a restriction on your access to our services if it's necessary to protect our staff from unacceptable behaviour as defined in our 'Managing customer contacts' policy.
The legal basis we rely on to process your personal data is article 6(1)(e) of the General Data Protection Regulation (GDPR), which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
If the information you provide us in relation to your single point of contact contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. And Schedule 1 part 2(6) of the DPA 2018 which relates to statutory and government purposes.
If we do this, we'll explain to you the restriction we have applied and why we feel it's necessary. We'll create a record of the restriction for administration purposes, so relevant staff members know the restriction is in place. This will include your name, contact details and a description of why we have imposed a restriction.
The decision to impose a restriction will be taken, and reviewed, by a manager. We'll write to you explaining why we've applied the restriction. We'll review the restriction periodically. We'll remove it if we feel your behaviour has changed or if you no longer communicate with us.
We may provide a single point of contact if you and we (or both) believe it will help to create a better outcome for all concerned.
The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
A decision will be made by a manager to give you a single point of contact. This may be where you have several complaints and we believe it will be more efficient for us to deal with them in this way. We'll make a record of the fact that you have a single point of contact. All relevant staff will know about using it to manage communications between our office and you. It will include your name, contact details and a description of the need to have a single point of contact. We'll review this requirement from time to time.
When you call our our business, we collect Calling Line Identification (CLI) information. This is the phone number you are calling from (if it's not withheld). We hold a log of the phone number, date, time and duration of the call, but do not audio-record the call itself. We hold this information for 90 days.
We use this information to understand the demand for our services and to improve how we operate. We may also use the number to call you back if you have asked us to do so, if your call drops, or if there is a problem with the line. We may also use it to check how many calls we have received from it.
We don't audio record any calls, but we might make notes.
We also hold statistical information about the calls we receive for a number of years, but this does not contain any personal data.
Social Media data will not be shared with any other organisations and remains on the platform of origin.
We see all this information and decide how we manage it. For example, if you send a message via social media that needs a response from us, we may process it in our case management system as an enquiry or a complaint. (Please see the relevant section on the left.)
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. Most webmail such as Gmail and Hotmail use TLS by default.
We'll also monitor any emails sent to us, including file attachments, for viruses or malicious software. You must ensure that any email you send is within the bounds of the law.
When you visit www.pindarcreative.co.uk, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behavior patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
If we do collect personal data through our website, we'll be upfront about this. We'll make it clear when we collect personal information and we'll explain what we intend to do with it.
This means that we are in the process of updating the tool which, by default, requires explicit opt in action by users of our website. This will apply to the non-necessary cookies. We will ensure any necessary cookies for functionality and security are marked so that they are not deleted by the tool.
We use a third-party web application firewall from WatchGuard to help maintain the security and performance of our website. The service checks that traffic to the site is behaving as would be expected.
The service will block traffic that is not using the site as expected. To provide this service, WatchGuard processes site visitors' IP addresses.
We also log IP addresses and query strings that the servers generates to allow us to monitor these against attacks. no personal data is captured.
Selcom hosts our website in the UK and does not hold traffic information unless requested (normally during an attack)
The purpose for implementing all of the above is to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
For more information on your rights, please see 'Your rights as an individual'.
We meet visitors at our office, including:
If your visit is planned, we'll send your name and visit information to reception before your visit – so that we can print a personalised badge for your arrival.
If you arrive without an appointment, you will be given a generic visitor badge.
You must wear a pass throughout your visit.
We ask all visitors to sign in and out at reception.
We have Wi-Fi on site for the use of visitors. We'll provide you with the address and password.
We record the device address and will automatically allocate you an IP address whilst on site. We also log traffic information in the form of sites visited, duration and date sent/received.
We don't ask you to agree to terms, just to the fact that we have no responsibility or control over your use of the internet while you are on site, and we don't ask you to provide any of your information to get this service.
The purpose for processing this information is to provide you with access to the internet whilst visiting our site. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.
Our purpose is to investigate and take action in line with our ISO policies.
The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our tasks as a business.
We need information from you to investigate your complaint properly, so our complaint forms are designed to prompt you to give us everything we need to understand what's happened.
When we receive a complaint from you, we'll set up a case file. This normally includes your contact details and any other information you have given us about the other parties in your complaint.
We need to know the details of your complaint so we can investigate it and fulfil our regulatory function.
We will use your personal information to investigate your complaint and check on our level of service. We compile and publish statistics showing information like the number of complaints we receive, but not in a form that identifies anyone.
No third parties have access to your personal information unless the law allows them to do so. However, if you have made a complaint about an organisation, we usually have to disclose your identity to them. This is so we can clearly explain to them what you think has gone wrong and if necessary advise them how to put it right. This also means we may receive information about you from them.
If you don't want information that identifies you to be shared with the organisation you want to complain about, we'll try to respect that. However, it is not always possible to handle a complaint on an anonymous basis so we'll contact you to discuss this.
If you are acting on behalf of someone making a complaint, we'll ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on someone else's behalf.
We are acting in our capacity to investigate your complaint, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
When you contact us to make an enquiry, we collect information, including your personal data, so that we can respond to it and fulfil our regulatory responsibilities.
The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
We need enough information from you to answer your enquiry. If you call the helpline, we won't make an audio recording of it and we won't usually need to take any personal information from you. But in certain circumstances we may make notes to provide you with a further service as required.
If you contact us via email or post, we'll need a return address for response.
We'll set up a case file on our case management system to record your enquiry and so we can get it to the correct area of the business to be dealt with. We'll also keep a record of our response. We use the information supplied to us to deal with the enquiry and any subsequent issues that may arise, and to check on the level of service we provide.
We are acting in our official capacity to respond to your enquiry, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
Our purpose for processing this information is to assess your suitability for a role you have applied for.
The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract. The legal basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information is article 9(2)(b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights and article 9(2)(h) for assessing your work capacity as an employee. And Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018 which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.
We'll use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide with any third parties for marketing purposes.
We'll use the contact details you give us to contact you to progress your application. We'll use the other information you provide to assess your suitability for the role.
We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary.
The information we ask for is used to assess your suitability for employment. You don't have to provide what we ask for but it may affect your application if you don't.
We ask you for your personal details including name and contact details. We'll also ask you about previous experience, education, referees and for answers to questions relevant to the role. Our recruitment team will have access to all this information.
You will also be asked to provide equal opportunities information. This is not mandatory – if you don't provide it, it won't affect your application. We won't make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. Any information you provide will be used to produce and monitor equal opportunities statistics.
Our hiring managers shortlist applications for interview. They will not be provided with your name or contact details or with your equal opportunities information if you have provided it.
We may ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; attend an interview; or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by us.
If you are unsuccessful after assessment for the role, we may ask if you would like your details retained in our talent pool. If you say yes, we would proactively contact you should any further suitable vacancies arise.
If we make a conditional offer of employment, we'll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability.
You must therefore provide:
If we make a final offer, we'll also ask you for the following:
Some roles require a higher level of security clearance – this will be clear on the advert or job description (or both).
Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest, or if they are active in a political party. If you complete a declaration, the information will be held on your personnel file. You will also need to declare any secondary employment.
Final recruitment decisions are made by hiring managers and members of our recruitment team. We take account of all the information gathered during the application process.
Any online testing is marked and a result is generated automatically. However, if you wish to challenge the mark you have received, the result can be checked manually.
Our purpose for collecting the information is so we can provide you with a service and let you know about upcoming events and latest news.
The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR.
Your name and email address.
We use your email address to send you our E-newsletter.
We only use your details to provide the service.
We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.
You will receive a confirmation email once you have submitted your details and then the newsletters monthly.
We rely on your consent to process the personal data you provide to us for marketing purposes. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If you do that, we'll update our records immediately to reflect your wishes.
Yes – we use MailChimp and Salesforce to deliver the e-newsletters.
Our purpose for processing your personal data is so we can fulfil your information request to us.
The legal basis for this is article 6(1)(C) of the GDPR, which relates to processing necessary to comply with a legal obligation to which we are subject.
We need information from you to respond to you and to locate the information you are looking for. This enables us to comply with our legal obligations under the legislation we are subject to:
When we receive a request from you, we'll set up an electronic case file containing the details of your request. This normally includes your contact details and any other information you have given us. We'll also store on this case file a copy of the information that falls within the scope of your request.
If you are making a request about your personal data, or are acting on behalf of someone making such a request, then we'll ask for information to satisfy us of your identity. If it's relevant, we'll also ask for information to show you have authority to act on someone else's behalf.
We'll use the information supplied to us to process your information request and check on the level of service we provide.
If the request is about information we have received from another organisation – regarding a complaint, for example – we'll routinely consult the organisation/s concerned to seek their view on disclosure of the material.
We compile and publish statistics showing information such as the number of requests we receive, but not in a form that identifies anyone.
We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business. If this relates to interactions regarding our regulatory functions, the legal basis is article 6(1)(e) of the GDPR. If the interactions relate to suppliers, contracts, buildings management, IT services etc., the legal basis is article 6(1)(c) of the GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as a business.
We keep our privacy notice under regular review to make sure it is up to date and accurate.
This policy was last reviewed and update on 23 April 2020.