Privacy Notice

We are required to tell you about your personal data that is being collected and used, how it is being collected and from who, what allows us to do this, how long we are keeping it and tell you about your rights. This privacy notice meets that requirement.

WHO ARE WE?

We are A Jolly Consulting (AJC), a company that provides a range of services for Cyber, Risk, Resilience and GDPR, and the governance of these.

We are a Limited company registered in England (Company No. 10204340) at 168 Shoebury Road, Southend-On-Sea, United Kingdom, SS1 3RQ We are the ‘Controller’ of the personal data and any other information collected. As a Controller we are registered as a data controller with the Information Commissioners Office (ICO) (registration no. ZA719700). AJC does not always act as a data controller; AJC also process data on behalf of other organisations and are then the data processor.

Although we are not required to do so, we have appointed a Data Protection Officer who can be contacted by email to dpo@ajollyconsulting.co.uk or write to us at our postal address of 168 Shoebury Road, Southend on Sea, SS1 3RQ.

If you want to know more about us, or have a question about our Privacy Notice, you can email dpo@ajollyconsulting.co.uk

WHAT DATA DO WE NEED AND WHY?

We collect personal data which may include:

• Your name;
• Contact details including email address;
• Bank details / accounts;
• Your IP address and any information collected by cookies such as location or how long you have been browsing our website will be collected.

We will only collect the personal from you that we need to be able to provide you with the services you have requested or to respond to your contact or enquiry.

We also need to collect some personal data if we work together and have agreed a contract.

We do collect your personal data for marketing purposes and to provide you with our newsletter which we send via Mailchimp. When you have chosen to provide this personal data to us this will be with your consent.

THE LEGAL REASONS

We have obligations and specific requirements for processing of personal data to enable us to provide our services. These obligations form what are known as the lawful or legal bases for the processing.

The specific ones that apply:

• When we agreed a contract with you to provide services we will process your personal data under the lawful basis of a Contract (article 6(1)(b) of GDPR);
• When we collect personal detail for enquiries this is with your consent which you can withdraw at any time (article 6(1)(a) of GDPR);
• When we collect your details for a newsletter or to be added to our mailing list this is with your consent which you can withdraw (or unsubscribe from) at any time (article 6(1)(b) of GDPR);
• To be able to pay your invoices, or to invoice you we collect personal data and other information. This is because we have legal obligation to record financial details to comply with UK financial regulations (article 6(1)(c) of GDPR) and we have a legitimate interest to collect details to ensure we are paying or invoicing the correct person or company (article 6(1)(f) of GDPR);
• We do collect some IP and cookie information to ensure that there is no suspicious activity on our website such as a cyber hack, and we have a legitimate interest to protect our website (article 6(1)(f) of GDPR).

HOW WE STORE YOUR DATA AND SECURITY

We make every effort to process personal data in the UK or EEA. We use secure electronic storage facilities located in the UK to store this data for the purpose of providing the services to you. Where we are unable to do this, we will ensure that we have contracts in place and have undertaken due diligence to be satisfied that your data is dealt with appropriately.

Any transfers of your data take place using all available and reasonable technical and secure services. This includes where we transfer any data with our contracted associates.

We have a number of technical, physical and organisational measures in place to protect your personal data as we know how important this is. This includes:

• Use of multi-factor authentication on our systems and devices where available.
• Use of encrypted devices with up-to-date software and antivirus implemented.
• Access to personal data on a need-to-know basis via unique logins and passwords.
• Policies, procedures, and audits are in place.

We are also Cyber Essentials Plus and ISO accredited.

HOW LONG WE KEEP IT

We only keep your personal data for as long as necessary, or to comply with any legal obligations we may have. For example, HMRC (Tax) and financial records are kept for the current financial year plus an additional 6 years after which time it will be destroyed; Contracts are kept for 6 years from the end date of the contract.

If you have consented to your information being used for marketing purposes, it will be kept until you inform us that you no longer wish to receive this marketing.

Where we have used consent as a lawful basis, you can withdraw this at any time and we will delete any data that we are not legally obliged to keep.

From time to time we may contact you to confirm your wish to either continue to hold your data or to confirm deletion of your personal data. If we are unsuccessful in contacting you, we will automatically delete your personal data from our systems.

We have a retention schedule which details specific retention periods and you can ask us about this if you would like to know more.

SHARING YOUR DATA

With your knowledge, we share your data / limited data with our contracted associates to enable us all to provide you with services or to meet our obligations. We have a contract in place with them which includes obligations for processing of any personal data and confidentiality.

We use MS Teams for meetings. If it is agreed that the meeting can be recorded, this may be shared with others at A J Consulting or within your own organisation. We will always inform you of any recording before it starts.

If we have a technical problem, we may need to allow access to our systems by our technical support team who work within our confidentiality policies, and we restrict access to a ‘need to know’ basis to enable them to resolve the technical issues only.

We may also need to share your data with others if we are required to do so by law or we are ordered to do so by a Court or a regulator.

We do not sell or trade your personal data in any way.

OVERSEAS TRANSFERS

We do not intend to transfer your personal data to third countries outside of the UK or EEA. If we do have to, for example, to obtain technical support, we will ensure that we have all appropriate security and safeguards in place as required by the data protection laws in the UK and EEA, and in line with our obligations as a responsible data controller and Data Processor of your personal data.

If we are required to transfer your personal data to countries outside the UK or EEA we will only do this if that country has an adequate level of protection for personal data, or for the US, we have appropriate International Data Transfer Agreement Clauses in place as these provide similar protections.

AUTOMATED DECISION MAKING AND PROFILING

We do not make automated decisions on your data, nor do we use your data for profiling purposes. We do not use your data for profiling purposes.

WHAT ARE YOUR RIGHTS?

Subject to some legal exceptions, you have a number of rights under the data protection legislation or local legislation.

• a right of access to your personal data held by us, also called a Subject Access Request.
• a right to rectify any personal data held by us that you believe is incorrect.
• a right to erase any personal data that we no longer have a legitimate purpose to process (right to be forgotten).
• a right to restrict the processing of your personal data subject to certain condition and obligations.
• a right of access to a machine-readable version of your data (data portability). There are conditions that apply to this right, but we will endeavour to give you a portable version of any of your data where possible.
• a right to object to us processing any of your data that we do not have a legal or contractual obligation to process.
• a right to prevent any wholly automated decisions or profiling involving your data – We do not use wholly automated decision-making techniques and do not undertake profiling.

We do not charge for exercising your rights and we are obliged to respond with one month (subject to exceptions). You can exercise any of these rights by contacting us at  dpo@ajollyconsulting.co.uk

Where you have provided personal data with consent, you can withdraw this consent at any time. Please send an email to dpo@ajollyconsulting.co.uk with the subject “withdraw consent” if you wish to do this.

More information on your rights can be found on the Information Commissioner’s website at www.ico.org.uk.

COOKIES AND SIMILAR TECHNOLOGIES?

Please note that we use cookies and similar technologies to enhance your browsing experience, analyse website traffic, and personalize content. These technologies may collect information about your device, browsing activities, and usage patterns, which may include but are not limited to IP addresses, browser types, and operating systems.

COMPLAINTS

If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer as we would like the opportunity to resolve this with you. They will investigate the matter.

If you are not satisfied with our response or believe we are processing your personal data in a way that is not in accordance with the law you can complain to the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone 0303 123 1113 (local rate) or by completing their online form at https://ico.org.uk/make-a-complaint/

CHANGES TO THIS PRIVACY POLICY  

We may change this Privacy Notice from time to time and recommend that you revisit this when you next contact us. (Last reviewed February 2024).