- 1. Introduction
- 2. When do we collect your personal data?
- 3. What personal data do we collect and use?
- 4. Your obligations to your customers
- 5. Automated Decision Making
- 6. Data Sharing
- 7. Data Security
- 8. Data Retention
- 9. Rights of Access, Rectification and Erasure
- 10. Right to Withdraw Consent
- 11. Changes to this notice
# 1. Introduction
Aiimi is committed to protecting the privacy and security of the personal data of our clients and the data of their individual customers. In accordance with the Data Protection Act 2018 this privacy notice sets out how we collect, use, store and dispose of the personal data provided to us by our clients to conduct data activities on their behalf.
With respect to any personal data of your customers that you provide to us, we would be a “data processor”, which means we hold data on behalf of you, as the Data Controller, to carry out an operation or set of operations, such as consultation of that data.
This notice is provided so that you, our clients, are aware of what personal data we hold and how we use it. It is also provided to our employees so they understand their obligations for storing, using and disposing of the data provided to Aiimi. It is written from Aiimi’s perspective: Aiimi is referred to herein as “we” and “our”, and our customers and their staff are referred to herein as “you” and “your”.
# 2. When do we collect your personal data?
2.1 Your Personal Data
We collect your data when you first become an Aiimi customer and on various other occasions when you make contact with us (or when we need to contact you), either directly, such as by phone or email, or via an electronic medium, such as visiting our website. We collect your personal data to enable us to carry out our contract with you and to provide you with the most relevant information.
2.2 Your Customers' Data
As part of our engagement with you, we may be asked to analyse the data of your customers to provide insight on your customer base, support decision making and achieve your strategic objectives. On these occasions the information regarding each individual customer will be kept to a minimum and will be specific to the use case you’ve engaged us to work on.
# 3. What personal data do we collect and use?
3.1 Your Personal Data
When we ask you for personal data, we will make clear to you why the data is needed. The personal data we may collect and use includes your contact details e.g. your name, address, telephone number, and email address.
| Use | Basis of Use |
| --- | --- |
| To provide you with our services, including confirmation of your instructions to ensure we carry them out accurately. And to improve our products and services. | Our legitimate interest in carrying out a contract with you. |
| To process your payment for our services. | Our legitimate interest in carrying out a contract with you. |
| To provide you with the information you have requested from us. | Our legitimate interest in carrying out a contract with you. |
| We may cite you as a referee in tenders and proposals, including the use of case studies of our work with you, unless you tell us otherwise. | Our legitimate interest to ensure we are able to present tenders and proposals that demonstrate our work and provide references. |
3.2 Your Customers' Personal Data
In accordance with your requirements of our engagement with you, we may need to access or receive the personal data of your customers.
The data we may ask for in relation to your customers will vary according to your requirements, but will typically include information such as customer identifiers, location information, transactional history and the like.
| Use | Basis of Use |
| --- | --- |
| To analyse the data you provide us in response to your requirements | Our legitimate interest in carrying out a contract with you. |
# 4. Your obligations to your customers
4.1 Change of purposes
In accordance with the DPA, you should have provided a Data Privacy Notice to your customers advising them how their data will be collected, stored, managed and processed, as well as any third parties you will be providing the data to.
If our engagement with you is not included in your existing Data Privacy Notice, you are obliged to update your Data Privacy Notice to inform your customers of these activities.
# 5. Automated Decision Making
Automated decision making occurs when an electronic system uses personal data to make decisions without human intervention. An example of this is where a customer record is selected by an algorithm for a direct marketing or customer communication campaign based on a set of parameters.
The GDPR allows organisations to make automated decisions in the following circumstances:
- Where it is necessary to perform a contract with the customer, and their rights have been safeguarded;
- Where it is authorised by European Union or Member state law applicable to Aiimi or to you, our customer;
- When the customer has given explicit written consent, and their rights have been safeguarded.
We do not envisage that we will need to make any additional decisions using an automated process; however, you will be notified in writing if this changes. As part of our engagement with you, we may conduct profiling activities using the personal data you have provided; however, this will be agreed with you and documented in the Statement of Work that we have in place with you.
# 6. Data Sharing
We will not share your personal data, or the personal data of your customers, with other organisations, except where we have a requirement to store your data on a hosted system that we use for the day-to-day operation of our business. Examples of this are our Office 365 tenancy with Microsoft and our CRM system hosted by HubSpot. Aiimi maintains a register of such service providers in accordance with Article 30 of the GDPR and, on an annual basis, reviews the data privacy safeguards that the suppliers implement and the data processing agreements between our organisation and each service provider.
# 7. Data Security
We have put in place measures to securely protect your personal information:
- to prevent your personal data, or the personal data of your customers, from being lost, used or accessed in an unauthorised way
- to deal with any suspected data security breach, and we will notify you and any applicable regulator of a suspected breach where we are legally required to
- to ensure that data you provide to us is provided in a secure manner
These measures include:
- Accessing your data from a secure FTP site or SSL protected hosted service such as Office 365;
- Holding your customer data in a secure project workspace that is ring-fenced from other data received from other customers;
- Running secure virtual servers for data analytics projects that are commissioned solely for use on an individual customer engagement;
- Securely wiping or returning data to you at the completion of an engagement.
# 8. Data Retention
8.1 How long will you use my information for?
We will store and use your data as long as you are a customer of Aiimi’s. Your personal data will only be collected, stored and used to service Aiimi’s contract with you and your organisation.
Your contact information may be stored for a longer period in order for us to contact you with information about a product or service that we have reasonable grounds to believe that you will be interested in. You may ask us to remove your contact details; however, in this case we will typically retain a record of your contact details in order to ensure that you are not contacted via these methods in the future. Your details will be recorded with a tag that states “Do not contact”.
8.2 How long will you use my customers' data for?
The personal data of your customers will only be retained for as long as necessary to fulfil the purposes of our engagement with you and will be destroyed following completion of our engagement (as per the Statement of Work or individually agreed Security Protocol).
# 9. Rights of Access, Rectification and Erasure
9.1 Informing us of changes
Please inform us if your personal data changes during your working relationship with us. This will help us ensure that your data is correct, and we are able to fulfil our contract with you.
9.2 Your rights relating to your personal data
In line with the Data Protection Act, in certain circumstances, you have several rights with respect to your personal data. You can:
- Request access to your personal data. This is known as a Data Subject Access Request and enables you to ask about and receive a copy of your personal data that we hold and check that we are processing it lawfully.
- Request correction of your personal data that we hold. This enables you to have any incomplete or incorrect information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal information where we no longer have a legitimate reason for storing it.
- Object to processing of your personal data where we are relying on a legitimate interest (either of Aiimi or a third party) and you have a reason which makes you want to object to processing on this ground.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal data, for example if you want to establish the accuracy of your data or understand the reason for us processing it.
- Request the transfer of your personal data to another party, for example if you want to transfer your data to a new service provider.
If you want to exercise any of your rights, we may ask for specific information from you to confirm your identity and ensure your right to access this information. We will never disclose any of your personal data to anyone acting on your behalf. This is to protect your personal data and ensure it is not disclosed to any person who does not have the right to access it.
If you would like to exercise any of the above rights, please contact Aiimi’s Information Governance Committee, who jointly perform the functions of a Data Protection Officer, in writing. We will not ask you to pay a fee to exercise any of these rights. However, we may charge a fee if we consider your request is unfounded or excessive. In some circumstances we can refuse to comply with your request; this is most likely to be the case where we are satisfied that the personal data we hold is accurate or where the request is repetitive in nature.
# 10. Right to Withdraw Consent
In the future there may be limited circumstances where we will ask for your consent to the collection, processing and transfer of your personal data for a specific purpose; you have the right to withdraw your consent for that specific processing activity. If you would like to withdraw your consent, please contact Aiimi’s Information Governance Committee in writing at the address on our website.
# 11. Changes to this notice
We will review this notice on an annual basis, or when we are advised of regulatory changes, whichever is the sooner. Following the reviews we may update this notice. The current in-force version of this notice will always be available on our website. We may also communicate with you in other ways about the processing of your personal data.