Data Protection

Privacy Notice

This privacy notice explains what you can expect when Waterstons collects and processes your personal information.

Here at Waterstons we take our responsibilities to protect your privacy very seriously and recognise our responsibility to handle, manage and secure your data appropriately and legally. We operate in compliance with the European General Data Protection Regulation (GDPR) and Data Protection Act 2018 (UK).

Waterstons are the Data Controller for the personal data we collect about our clients and their employees, potential new employees, seminar attendees and mailing list subscribers, and we are the processor for our project, managed services, service desk or hosting client’s data. This privacy notice explains what you can expect when Waterstons collects and processes your personal information.

Summary

Want more detail?

To see more about how we use your personal data, read the notice or notices which apply best to your relationship with us:

Visitors to our website
People who use our services
Prospective clients
Potential employees

ICO registration

Waterstons is registered with the Information Commissioner's Office (Z6192161).

Your rights

You have the following rights regarding your privacy and your personal data:

  • To be informed and understand how your data will be used, secured and managed.
  • To access your personal data we hold about you and understand how we process it.
  • To have your data kept accurate and up to date and to be disposed of securely when no longer required.
  • In some circumstances, restrict our processing of your data, and or to request we erase your personal data where this is appropriate.
  • To object to our processing or withdraw previously given consent.

Not all rights will apply to all processing, however if you want to exercise any of these rights, please just contact us.

If you have concerns or a complaint about how we handle your data please contact us and we will try to resolve the issue. If you remain unhappy with how we have resolved your concern or complaint you have the right to contact the Information Commissioner's Office for an independent review.

Contact us

If you have any questions or concerns about this Privacy Statement or how we handle your personal data, please contact us:

Cyber Team
Waterstons
Liddon House
Belmont Business Park
Durham
DH1 1TW

+44 0345 094 094 5
(We do not record our calls)

data.protection@waterstons.com

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 15th May 2018.

Information Security

At Waterstons we take security seriously and are ISO 27001:2013 and Cyber Essentials Plus certified and committed to information security best practice. Waterstons will store, process and transmit (when necessary) your information securely, we will do this using encryption and recognised appropriate security controls. We will ensure our staff respect your data and your privacy and when no longer required we will dispose of your data in a secure manner using recognised deletion and sanitisation techniques, cross cut shredding or appropriately vetted disposal contractors.

Our preference is to use Transport Layer Security (TLS) to secure email communications using encryption; however we recognise some of you may not. We therefore run opportunistic TLS meaning if you also use it our communications will be encrypted and secure by default. But if you don’t communications will continue but they will not be encrypted and may not be entirely secure when passing over the internet. If you want to protect all emails and attached documents you send to us, we encourage you to set up opportunistic TLS also.

Phone calls are not encrypted or recorded however when we call you we collect Calling Line Identification (CLI) information. We use this information to help improve efficiency and effectiveness as well as for service desk reporting and troubleshooting performance issues. This information is retained for a maximum of 90 days.

If you have particular security requirements, please contact us to discuss how we can support you.

Retention

Data about clients: duration of your relationship with us, then 7 years.

Financial data: is kept for a minimum 7 years or if it relates to a client then the above retention will apply.

Further detail on specific retention periods can be provided on request.

Third parties

We will not transfer your personal data to third parties for their use or purpose without your permission, except in the following circumstances:

  • If required to by law or court order
  • If you do not pay your bills, we may choose to engage a third party to recover any money you owe us. We've never done this, but we want to keep this option open to us.

However we do have a small number of companies providing services to us and they process your data on our behalf:

  • Telehouse & Pulsant Group (Datacentre Providers)
  • Microsoft (Office 365 in Europe)
  • Iron Mountain (Offsite Backup Storage)
  • PHPDataShred (Secure Paper Disposal)
  • Primate (Public Website Hosting)
  • RMT (Auditors)
  • Muckles LLP (Legal Partners)
  • Restore PLC (Offsite Document Storage)

Visitors to our websites

What we hold

We generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.

If you choose to sign up to an event via our events page we will also gather your name, job title, company name, email address and the way in which you heard about our event, so we can understand who is attending our event and how you came to hear about it. Should you choose to opt in to receive marketing on future events, we will add you to our mailing list to do so, you can of course opt out at any time by letting us know.

Using your information

Dealing with enquiries

We keep a record of enquiries received, to help us plan our business strategy and check that we are offering what potential clients want. We may also use your contact details to inform you of related products or services you may be interested in, however you can opt out at any time.

GDPR Legal Basis for processing:

Art. 6(a) Consent if you have asked us to provide you with information on a product and service and provided us with your details.

Art 6(f) Legitimate interests of Waterstons to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information we may send you information about related products and services we offer (Marketing); however you can object to this at any time and we will add you to our suppression list and cease sending you such Marketing Communications.

Security and performance

Waterstons uses a third party service to help maintain the security and performance of the Waterstons website, as well as to determine website visitor behaviour and help us plan our business strategy, this helps us tailor our services and ensure they are relevant to our prospective client’s needs. To deliver this service it processes the IP addresses of visitors to the Waterstons website.

Use of cookies by the Waterstons website

When someone visits www.waterstons.com we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

You can read more about how we use cookies on our Cookies page.

GDPR Legal Basis for processing:

Art. 6(f): Legitimate interests where it is in the business interests of Waterstons to secure our IT infrastructure, improve the services we offer and gather data to aid business strategy planning.

People who use our services

What data we hold

As our client we will hold the following information about you:

  • Names, job roles and contact information of your employees
  • Information about your business activities and in some cases your clients/customers
  • Information and documents about your matters or enquiries, including communications with you
  • Billing and payment information

Using your information

We use the information we hold about you and your business to provide the best service we can, to communicate with you regarding projects, products or services we are providing or to inform you of other related products or services you may be interested in.

We also use your information to bill you, and keep track of payments.

GDPR Legal Basis for processing:

Art. 6(a) Consent if you have asked us to provide you with information on upcoming events and related news via our mailing list.

Art. 6(b) Contractual requirement to fulfil our contracts with you and communicate with you regarding that contract.

Art 6(f) Legitimate interests of Waterstons to generate business by maintaining contacts, generating proposals and communicating with clients regarding their requirements and making you aware of other related products and services you may be interested in (Marketing); however you can object to this at any time and we will add you to our suppression list and cease sending you such Marketing Communications, you may still receive service communications. If the need arises we may also rely on legitimate interests for the recovery of unpaid debts.

Prospective Clients

What data we hold

If you contact us, we will hold the following information about you:

  • Your name, identity and contact information
  • Information about your business activities
  • Information and documents about your enquiries, including communications with you

We also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.

Using your information

We use the information we hold about you and your business to provide the best service we can, to communicate with you regarding services you may be interested in and to inform you of other related products or services you may be interested in.

GDPR Legal Basis for processing

Art. 6(a) Consent if you have asked us to provide you with information on upcoming events and related news via our mailing list.

Art 6(f) Legitimate interests of Waterstons to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information we may send you information about related products and services we offer, however you can opt out at any time.

Dealing with enquiries

If you give us a ring or make contact by email, we will follow up on your enquiry and see if there is a way in which we can help you. We keep a record of enquiries received, to help us plan our business strategy and check that we are offering what potential clients want.

GDPR Legal Basis for processing

Art 6(f) Legitimate interests of Waterstons to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information we may send you information about related products and services we offer, however you can object to this at any time and we will add you to our suppression list and cease sending you such Marketing Communications.

Technical data

We may use the logs from our servers to help maintain security, as well as to determine website visitor behaviour and help us plan our business strategy, this helps us tailor our services and ensure they are relevant to our prospective client’s needs.

GDPR Legal Basis for processing:

Art. 6(f): Legitimate interests where it is in the business interests of Waterstons to gather data to aid business strategy planning.

Potential Employees

What data we hold

If you contact us to apply for employment, we will hold the following information about you:

  • Your name and contact information
  • Resume including qualifications, education and previous experience and employers and your referees contact details, as well as anything else you choose to tell us.

If you submit electronically we may also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.

Using your information

Considering your application for Employment

We will use your resume or any information you or a recruitment agency provide to us to consider you for employment. If you are unsuccessful we will retain this information for 12 months after the recruitment exercise has ended and then they will be securely destroyed. If you are employed these will become part of your personnel file.

GDPR Legal Basis for processing

Art. 6(a) Consent if you have applied for employment, we will use these to consider your application.

Art 6(f) Legitimate interests of Waterstons to securely and fairly manage recruitment to ensure we employ the right people for our company and we will use your details to make the appropriate checks.

ID Vetting checks

If you are offered a job we will need to carry out verification check on you.

We retain identity verification information for as long as you are an employee.

GDPR Legal Basis for processing:

Art. 6(a) Consent for external vetting checks.

Art. 6(c): Legal obligation where we have to do this processing to comply with legal and regulatory obligations relating to your right to work in the UK.

Art 6(f): Legitimate interests where it is in Waterston’s interests to ensure prospective employees are appropriately vetted.

Technical data

We may use the logs from our servers to assist in our firm's security, as well as to determine website visitor behaviour and help us plan our business strategy, this helps us tailor our services and ensure they are relevant to our prospective client’s needs.

GDPR Legal Basis for processing:

Art. 6(f): Legitimate interests where it is in the business interests of Waterstons to gather data to aid business strategy planning and ensure our systems are protected.

Questions or concerns? Contact our Cyber Team on 0345 094 094 5, email data.protection@waterstons.com or write to us via our postal address which you can find in the footer