1.1. Archive-Vault Limited (“we”, “us, “our”) is committed to ensuring that all Personal Data we handle is processed according to legally compliant standards of data protection and data security.
1.2. This policy and any other documents referred to in it sets out the basis on which we will process any Personal Data we collect from Data Subjects in the course of the provision of our Services.
2.1. The following definitions shall apply in this policy
3. THE PERSONAL DATA WHICH WE HANDLE AND STORE
3.1. In order to perform our Services we will collate, handle, store and process the Personal Data of our customers and of prospective customers who may enquire about the Services (“Client Personal Data”). The Client Personal Data may include the customer’s name, address, e-mail address and phone number and other registration information, including financial and credit card information which will store on our systems and use for the purposes of performing our Services. The legal basis for processing Client Personal Data is the performance of a contract when a customer agrees to buy the Services or our legitimate business interests, namely the proper administration of our Services.
3.2. In respect of the Client Personal Data we are the Controller for the purposes of Data Protection Laws.
3.3. In performing our Services we may be asked by our clients to store Property which may comprise of the Personal Data of Data Subjects who are not our customers but who have provided their Personal Data to our customer (“Third Party Personal Data”). In respect of the Third Party Personal Data we are the Processor for the Purposes of Data Protection Laws and our customer is the Controller. We shall process any Third Party Personal Data in compliance with Data Protection Laws and only in accordance with the customer’s instructions (except where required to do otherwise by law). The customer as Controller remains responsible for the Third Party Personal Data in line with Data Protection Laws and our obligations and responsibilities towards the customer is more governed in our Terms and Conditions of Business which can be found here.
4.1. Specifically, Data Protection Laws require that Personal Data:
4.1.1. is processed fairly and lawfully and transparently and, in particular, shall not be processed unless specific conditions are met;
4.1.2. is collected for specified, explicit and legitimate purposes as set out in the Data Protection Laws, and shall not be processed in any further manner incompatible with that purpose or those purposes;
4.1.3. is adequate, relevant and limited to what is necessary in relation to those purpose(s);
4.1.4. is accurate and, where necessary, kept up to date;
4.1.5. is not be kept for longer than is necessary;
4.1.6. is kept in a form which permits identification of the data subject for no longer than is necessary for the purpose(s);
4.1.7. is processed in accordance with the rights of data subjects under the Data Protection Laws; and
4.1.8. is kept secure by us, taking appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, Personal Data.
5. DATA SHARING
5.1. We will not disclose a Data Subject’s Personal Data to a third party without consent or unless we are satisfied that we are legally entitled to share such data under Data Protection Laws. Where we do disclose Personal Data to a third party, we will have regard to the data protection principles at clause 4.
5.2. We may also disclose Personal Data where such disclosure is necessary for compliance with other legal obligations to which we are subject, or in order to protect a data subject’s vital interests or the vital interests of another natural person.
6. RETAINING AND DELETING PERSONAL DATA
6.1. This clause sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of Personal Data.
6.2. Personal Data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. We will retain Client Personal Data for as there is continued usage of the Services and after the customer ceases to use the Services for a period of 7 years.
6.3. In addition to the Client Personal Data retention period referred in 6.2 we will retain Client’s box file records and item history on our document management software for as long as there is continued usage of the Services and after the customer ceases to use the Services for a period of 7 years.
6.4. Where a prospective customer has enquired about our Services but has not continued to purchases our Services we will retain their Personal Data in case of any follow up enquiry from that organisation for a period of 2 years.
6.5. Notwithstanding the other provisions of this clause, we may retain Personal Data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
7. CONFIDENTIALITY AND DATA SECURITY
7.1. We take the confidentiality of our customers and the Data Subjects of whose Personal Data we store and process very seriously. Clause 11 of our Terms and Conditions of Business sets out our confidentiality obligations towards our Customers. We shall ensure that all of our employees, agents or subcontractors are subject to obligations of confidentiality corresponding to those.
7.2. In respect of the Personal Data will take appropriate security measures against unlawful or unauthorised processing, and against the accidental loss of, or damage to, the Personal Data.
7.3. We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
7.4. We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
7.4.1. Confidentiality means that only people who are authorised to use the data can access it.
7.4.2. Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.
7.4.3. Availability means that authorised users will be able to access the data if they need it for authorised purposes.
8. DATA SUBJECT’S RIGHTS
8.1. In this clause 8, we have summarised the rights that Data Subjects have under the Data Protection Laws. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, Data Subjects should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
8.2. The principal rights of Data Subjects under Data Protection Laws are:
8.2.1.the right to access;
8.2.1. the right to rectification;
8.2.2. the right to erasure;
8.2.3. the right to restrict processing;
8.2.4. the right to object to processing;
8.2.5. the right to transfer your personal data;
8.2.6. the right to complain to a supervisory authority; and
8.2.7. the right to withdraw consent.
8.3. Data Subjects have the right to confirmation as to whether or not we process their Personal Data and, where we do, access to the Personal Data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the Personal Data. Providing the rights and freedoms of others are not affected, we will supply to Data Subjects a copy of their Personal Data.
8.4. Data Subjects have the right to have any inaccurate Personal Data about them rectified and, taking into account the purposes of the processing and to have any incomplete personal data about them completed.
8.5. In some circumstances Data Subjects have the right to the erasure of their personal data without undue delay. Those circumstances include: the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; the Data Subjects withdraw consent to consent-based processing; the processing is for direct marketing purposes; and the personal data has been unlawfully processed. However, there are certain general exclusions of the right to erasure. Those general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
8.6. In some circumstances Data Subjects have the right to restrict the processing of their Personal Data. Those circumstances are: a Data Subject contests the accuracy of the Personal Data; we no longer need the Personal Data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store the Personal Data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
8.7. Data Subjects have the right to object to our processing of their personal data on grounds relating to their particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party.
8.8. Data Subjects have the right to object to our processing of their personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process the Personal Data for this purpose.
8.9. If Data Subjects consider that our processing of their personal information infringes Data Protection Laws, they have a legal right to lodge a complaint with a supervisory authority responsible for data protection. In the UK this is the Information Commissioner’s Office.
8.10. To the extent that the legal basis for our processing of personal information is consent, Data Subjects have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
9.1. We may update this policy from time to time by publishing a new version on our website.
10. OUR CONTACT DETAILS
10.1. We are registered in England and Wales under registration number 05939594 and our registered office is at Cedar House, 41 Thorpe Road, Norwich.
10.2. Our email address is firstname.lastname@example.org
10.3. We can be contacted by post or email using the addresses given above.