GDPR and Privacy Overview
The following page outlines the Market Avenue Limited (MAL) policy in compliance with the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (GDPR).
The policy ensures good practice in data handling and the protection of business and personal information. Data is processed fairly and lawfully and covers the implications for staff, clients and suppliers.
Under GDPR personal data is defined as information that can be used to identify someone, directly or indirectly. This includes IP address, cookies, location data, name, and email address.
MAL is considered to be ‘controllers’ for our own data and ‘processors’ of data for our clients:
- A controller determines the purposes and means of processing personal data
- A processor is responsible for processing personal data on behalf of a controller
This page is written in laymen’s terms but we have provided links to some of our corporate policies.
- Privacy, Cookies, Social Networking Policies – full corporate policy
- Systems used
- Website terms of usage – corporate social responsibility, accessibility and environmental policies
What information we hold about you
We store contact data on our business operating systems (CRM) such as name, email address, telephone number, company address, website and social media profiles (if applicable). Notes are kept on how we first came in contact with you, including historical notes from meetings and telephone conversations.
How we hold data
Stored information is electronic only and is maintained within a secure and encrypted online storage facility and a GDPR compliant cloud-based project management system.
Sensitive information such as website and social media profile logins are securely saved on a two-level password protected document within a secure access-only online storage facility.
If you alter your data after providing it to us, please inform us. From time to time, we may contact you to check the information is correct.
All data is retained for as long as you use our services. We may retain some data after you have ceased using our services to comply with legal obligations (including law enforcement requests), to meet regulatory requirements, maintain security, prevent fraud and abuse, resolve disputes, enforce our business terms, offer new features you may be interested in. If none of these obligations apply, personal data will be deleted within 24 months of our contract end.
Your personal details are never passed to a third party without your prior consent.
How we use data – its purpose
The lawful basis for processing client data is for ‘Contract’ purposes and thereby necessary. Data is used to ensure that we are efficient in our working practices and online platforms we use to deliver services.
Existing clients are contacted by their preferred/accepted means of communication (aside from face to face meetings) such as email, telephone call, text message or an instant chat platform. Communication is to keep you informed of project related developments and news of services that may suit your business.
The lawful basis for processing non-client data is also ‘Consent’ because the individual has given clear consent for us to process their personal data for a specific purpose.
Consent is always voluntary, specific and informed, and unambiguous.
How we collect data
Client data is provided at the time a contract commences. Data held that does not pertain to existing clients will have been freely submitted via one of our social media channels, through a double opt-in email, or from a face to face business event.
We may have been passed personal data such as a name or telephone number from a mutual contact if the person felt there was a legitimate interest or reason for us to discuss business. Any such information will not be held on our business file unless a ‘contract’ is issued or ‘consent’ given.
We do not collect the data of persons under the age of 16 years. If work requires the usage of personal data, such as photographs of children, the client will need to provide proof of consent to use.
Please see our Cookies policy and website terms here.
Consent to receive information can be withdrawn at any time via email preferences or by contacting us here. All information will be removed from our systems in accordance to our debrief process.
You have the right to access the data we hold for you and to request its deletion, rectification, restriction and portability.
Any access requests will be fulfilled within 30 days. MAL has the right to refuse access with full written details as to why within 30-days. You have the right to complain against such a refusal.
Market Avenue Limited Processes
Every client will undergo an onboarding process in order for us to gather sufficient information to conduct services professionally and effectively.
Should a project come to an end, a debrief process is followed to remove data from our daily storage facility and project management boards. Project work and data will be stored on an external backup hard drive for up to five years. Personal data will be kept on file, in accordance to any ‘contract’ or ‘consent’ implications for up to five years. During this period, you can still request all data to be removed.
The systems we use
We use a number of systems to deliver client facing services and internal business processes. You can find all systems and their respective privacy policies by clicking here.
The devices we use
- Desktop computers – Mac and PC
- Laptop computers – Mac and PC
- Tablets – iPad and Kindle
- Mobiles – iPhone and Android
Who processes data within MAL?
Employed MAL personnel have access to all client data that is specific to the projects they work on. Personnel have been trained on the requirements of GDPR and adhere to the necessities of company cyber insurance policies.
The designated person, responsible for data protection compliance is Anna Woolliscroft, MAL owner and sole shareholder.
Who processes data outside of MAL?
MAL work with a small number of trusted external colleagues to enhance our creative service offering. Non Disclosure Agreements are issued to all external organisations. Colleagues do not have the same access to client data as employed personnel and all work is filed, proofed and distributed by MAL employees.
Where the data is processed
All data processing and usage is conducted from inside the UK.
Privacy Impact Assessment (PIA)
Processes in place to guard against data breaches
Our website is secured and SSL certified.
All devices are password protected, encrypted and backed-up. Anti-virus, anti-spyware and firewall protection systems are installed on all computers systems with daily system checks, and required system updates are installed immediately. Equipment is insured and used on private property or during client meetings.
Client data is stored within the cloud and not on a desktop. All mobile devices have a remote wipe feature if lost or stolen.
Sensitive data is encrypted when sent via email.
MAL has the following insurance policies in place:
- Public/products liability
- Employers’ liability
- Cyber and data risks
- Professional liability
Cyber and data risk insurance specifically relates to good practice for data processing and IT.
MAL has a duty to report certain types of data breaches to the relevant supervisory authority within 72 hours, unless the breach is harmless and poses no risk to the individual. If a breach is concluded to be high risk, we will inform the individuals impacted.
Changes to the collection, storage and usage of data
If MAL are involved in a structural reorganisation, merger, acquisition or sale, your information may be transferred as part of that deal. We will notify you by email or formal letter of any such change and outline your choices before the event.
Should you wish to contact us over any concerns you may have about our services or policy, please email us here.
Our full details:
Market Avenue Limited
Registered business address: Rowan Suite, Second Floor, 7 Trinity Place, Midland Drive, Sutton Coldfield, B72 1TX
Contact details: 01543 897121
Company Registered No. 6820331
VAT No. GB 946795265.
Business owner: Anna Woolliscroft