The scope of this policy extends to our obligations under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018. It covers all processing carried out by Qmulus Ltd is a data controller. For the avoidance of doubt, it does not cover processing for which Qmulus Ltd is acting as a data processor to another data controller unless stated otherwise.
For customers of Qmulus Ltd, this policy should be read in conjunction with our Terms & Conditions of business.
When processing personal data, Qmulus Ltd will uphold the rights and freedoms of data subjects by adhering to the following principles:
Personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
As a data subject of company name GDPR gives you the following rights:
You also have the right to lodge a complaint about our processing of your personal data with the Information Commissioner’s Office (ICO). www.ico.org.uk
To exercise your rights as a data subject you should contact Ian Nicoll at email@example.com. It will be necessary for you to identify yourself and the nature of your request before we can deal with your enquiry. All requests related to your rights as a data subject are known as Subject Access Requests (SARs) and we will only deal with them in writing by post or by email. We will not be able to engage in this by telephone.
Article 4 of the GDPR defines “personal data” as,
“Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Qmulus Ltd processes personal data about individuals in the following categories:
The personal data processed in each case is specified by a Privacy Notice at the point of data capture in the case of data supplied directly by the data subject (Article 13) or within 28 days of the use of the personal data if supplied indirectly, not by the data subject but by a third party (Article 14).
Items of personal data processed are (per category):
Providing primary services as a power systems engineering consultancy. Maintaining contact with clients and contractors and exchanging contract information between Qmulus Ltd, clients and 3rd parties involved in each project.
Qmulus Ltd uses third party service partners (“data processors”) to assist in the processing of personal data. As the data controller, Qmulus Ltd discloses certain items of personal data to these data processors. Each of these data processors is bound by contract to process personal data only in the way specified by the data controller and to support the data controller in upholding the rights and freedoms of the data subjects.
These data processors are located within the EEA and operate in accordance with the GDPR.
Website Hosting System: Allstrat Ltd with Heart Internet as a sub processor.
Email Processor 1: 1and1.
Administrative and operational processing: Microsoft Office 365.
Inbound call and message handling: KBVO Ltd.
Qmulus Ltd retains personal data only for as long as the purpose of processing demands (limitation principle). It is then deleted or destroyed in accordance with the company name Data Retention & Disposal Policy. Qmulus Ltd retains all customer and transaction detail for accounting purposes for a period of 6 years following the conclusion of the financial year in which the transaction occurred. All data is then securely destroyed using shredding for paper records and secure deletion for electronic records.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited by GDPR.
Qmulus Ltd does not process sensitive data.
The website at Qmulus Ltd uses only essential first party cookies and does not process any of your personal data.
To raise a report of a data breach involving processing related to Qmulus Ltd please contact firstname.lastname@example.org or by telephone at 01463 226717
Ian Nicoll, Qmulus Ltd, 8 Crown Drive, Inverness
Changes to this policy will be made and published on the website at www.qmulus.com.
Effective from date: 1/7/2018