Privacy & Security
Cambridge Pianoforte LLP
GDPR Privacy Statement for Clients and Former Clients and their staff (irrespective of employment status)
WHAT IS THE PURPOSE OF THIS DOCUMENT?
Cambridge Pianoforte LLP takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.
This policy applies to Clients, Former Clients and their staff (irrespective of employment status).
Cambridge Pianoforte LLP is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you and your teams. We are required under data protection legislation to notify you of the information we hold and to process it by way of this Privacy Statement.
This statement does not form part of any contract to provide services. We may update this statement at any time.
DATA PROTECTION PRINCIPLES
It may be necessary for you to provide us with certain personal data so that we can provide the requested products and services to you or your employer, fulfil any contractual relationship with you, inform you of our services, comply with applicable codes of practice and for the other purposes as set out in this statement where this is in our legitimate interests.
We will comply with data protection law current at the time and as defined by the Data Protection Act 1998 and the General Data Protection Regulations 2018. This says that the personal information we hold about you must be:
used lawfully, fairly and in a transparent way.
collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
relevant to the purposes we have told you about and limited only to those purposes.
accurate and kept up to date.
kept only as long as necessary for the purposes we have told you about.
We are accountable for these principles and must be able to show that we are compliant.
You too have an obligation to adhere to the principles of all current data protection legislation. If you give us information about someone in your organisation, you too must ensure that you have a lawful basis for doing so in accordance with the GDPR, for example, for us to provide services to you or to your employer. This is a legitimate business reason. You too should have issued, or been issued with, a privacy notice relating to each group of staff (irrespective of employment status) explaining what personal data in detail will be held and how such data will be processed. Such a privacy notice issued to staff will need to deal with the same elements that we deal with in this Privacy Statement.
THE KIND OF INFORMATION WE HOLD ABOUT YOU
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymised data).
There are "special categories" of more sensitive personal data which require a higher level of protection.
Sensitive personal data relates to the nine protected characteristics under the Equality Act of 2010, namely: gender, age, marital status, sexual orientation, gender reassignment, race, ethnic origin, disability, pregnancy and maternity, religion or religious beliefs plus biogenetic or biomedical data. We request that you do not provide us with sensitive personal data unless it is necessary for the work we are carrying out for you. However, to the extent that you do provide us with any sensitive personal data we shall only use that data for the purposes of our relationship with you. Further, when the relevant work is complete and there is no other legal reporting relationship (e.g. for HMRC in relation to specific payments), all personal information of any category, whether sensitive information or otherwise, will be deleted.
We may, in the course of our work with you, collect, store, and use some or all of the following categories of personal information about you and your employees:
Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
Date of birth, nationality, gender
Opinions, preferences, feedback, complaints, comments and/or suggestions
Employment related information
Information necessary for legal compliance
Security related information such as proof of address
This list is not intended to be exhaustive and may be updated from time to time as our business needs and legal requirements dictate.
HOW IS YOUR PERSONAL INFORMATION COLLECTED?
We collect personal information about Clients and Client staff (irrespective of employment status) directly from both clients and client staff. This may include, for example, notes following conversations with you or others where we discuss our services and your requirements. We may also draw information from marketing databases, our website (in line with our GDPR compliant website policy), emails, telephone calls, the public domain and social media.
HOW WE DEFINE PROCESSING
‘Processing’ means any operation which is performed on personal data such as:
Collection, recording, organisation, structuring or storage;
Adaption or alteration;
Retrieval, consultation or use in the provision of our services to clients;
Assessment for suitability to a specific role;
Disclosure by transmission, dissemination or otherwise making available;
Alignment or combination; and
Restriction, destruction or erasure.
This includes processing personal data which forms part of a manual filing system and any automated processing.
HOW WE WILL PROCESS YOUR PERSONAL DATA
We will only process your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Where we need to perform the contract we have entered into with you, our client.
Where we need to comply with a legal obligation, such as reporting to HMRC.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Where you have consented to us doing so for a specific purpose and to perform our services for you.
We may also use your personal information in the following situations, which are likely to be rare:
Where we need to protect your interests (or someone else's interests).
Where it is needed in the public interest or for official purposes.
Examples of situations in which we will process your personal information are listed below.
Day to day management of your relationship with us including general communication and administration and processing any request for information;
In fulfilling the services you have asked us to provide;
Business management and planning, including accounting and auditing;
Evaluating quality and compliance including compliance with this Privacy Statement;
Marketing activities as detailed below;
For tracing and the recovery of debts;
Dealing with legal disputes involving you, or your employees, workers and contractors, including accidents at work;
Retaining records of our dealings and transactions and where applicable, using such records for the purposes of establishing past or present compliance with contractual obligations, addressing any query or dispute that may arise, protecting our reputation; and
Any other legitimate reason that we share with you from time to time.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so or otherwise seek your consent.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Processing personal data for the above purposes may entail sharing the information with the employees, contractors, agents and professional advisers of Cambridge Pianoforte LLP. Cambridge Pianoforte LLP only permits these groups to use your personal data in line with the reasons for which it was collected and processed and does not allow any disclosure or use of personal data for any incompatible purpose. These groups are not permitted to use any personal data provided by Cambridge Pianoforte LLP for their own purposes.
We have checked that all our providers of services to us are in line with GDPR compliance. We require third parties to respect the security of your data and to treat it in accordance with the law.
Transfer of Data outside the EEA
Cambridge Pianoforte LLP does not transfer personal data outside of the European Economic Area (EEA). If this situation were to change we would inform you in writing.
It may be necessary on occasion to transfer your data outside of the European Economic Area (EEA). In the event that it is required, the Company would limit the disclosure of the information to only that which is necessary for the performance of its legitimate business needs such as fulfilling a specific project for a client based outside the EEA. The Company will follow the principles of the GDPR in the processing of your data with third parties outside the EEA. In countries not covered by an adequacy decision by the European Commission the recipient country will need to demonstrate their compliance with our data protection policy, will be subject to data protection requirements through their servicing or engagement agreement with us and will need to confirm that they manage personal data in line with our requirements.
Why might you share my personal information with third parties?
We will share your personal information with third parties where required by law, or where we have another legitimate interest in doing so, or where you have requested specific services from us which require the use of a third-party provider to fulfil the contract.
Which third-party service providers process my personal information?
Butlers Piano removals
How secure is my information with third-party service providers?
All our contractors/consultants are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
What about other third parties?
We may share or transfer your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. Any transfer will be subject to the agreement of the third party to this Privacy Statement and any processing being only in accordance with this Privacy Statement. We may also need to share your personal information with a regulator or to otherwise comply with the law.
We have put in place the following measures to protect the security of your information.
Cambridge Pianoforte LLP holds your personal data in accordance with the security provisions of the UK GDPR data protection legislation. Our data is stored electronically and only locally and is password protected. Our staff only process personal data in line with the GDPR, and have a confidentiality clause in their signed contract. If you have any questions about data security or retention please contact us by email at [INSERT ADDRESS].
Approved third parties, as above, will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure and in line with GDPR.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during our working relationship with you or your staff, or should your circumstances change.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
Request access to your personal information (commonly known as a "subject access request"). This enables you to receive a copy of the personal information we hold about you, to check that it is accurate. If, however, you believe that we should delete your personal data, please inform us in writing of your reasons.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal information to you or another controller; this right only being applicable where our processing of your data is based either on your consent or in the legitimate performance of a contract.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact: Iain Kilpatrick, Cambridge Pianoforte LLP, 10-12 Kings Hedges Road, Cambridge, CB4 2PA. Verification, updating or amending personal data will take place as soon as is reasonably practical.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee for time spent if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
How long will you use my information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including the ongoing provision of services for which we are contracted, and for the purposes of satisfying any legal, accounting, or reporting requirements including the handling of any complaints or claims.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a client, we will retain and securely destroy your personal information in accordance with applicable laws and regulations. A certain amount of personal data may need to be retained in order to meet requirements such as reporting to HMRC.
If you believe that we should delete your personal data, please contact us as above providing your reasons.
RIGHT TO WITHDRAW CONSENT
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us as above. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
CHANGES TO THIS PRIVACY STATEMENT
We reserve the right to update this Privacy Statement at any time, and we will provide you with a new Privacy Statement when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this Privacy Statement, please contact Iain Kilpatrick, Cambridge Pianoforte LLP, 10-12 Kings Hedges Road, Cambridge, CB4 2PA.
Last updated: 01 June 2020