The General Data Protection Regulation (‘GDPR’) is effective from 25th May 2018.
In preparation for GDPR, Bellisimos Academy LTD. (‘t/a Bellisimos’) acknowledges its responsibility to develop and maintain business-wide awareness of the rights of individuals to be empowered and protected in terms of data privacy.
We have consulted broadly and implemented processes, procedures and training to ensure that a legal basis for the processing of personal data underpins all business practices at Bellisimos.
We recognise that there are a small number of circumstances in which personal data may be processed and that the GDPR clarifies the responsibilities of companies as far as the processing (collection, storage, maintenance and use) of personal data is concerned.
Bellisimos is actively working on its GDPR strategy and considers this to be an ongoing endeavour that will continue to be operational beyond the enforcement date of 25th May 2018. We will continually strive to ensure that personal data privacy is embedded as routine practice on a perpetual basis.
The Bellisimos board of Directors have appointed a Data Controller, responsible for the general management and security of data, and ongoing compliance with the GDPR.
Bellisimos has undertaken to ensure that all staff receive training in the concepts and requirements of data protection law. Staff will be expected to embrace the ethos of data protection law and to adopt practices in the workplace that reflect the company’s commitment to ensuring that the rights of individuals are respected and protected at all times.
Bellisimos’s internal policy for data protection requires any products, services or systems adopted by the company (relating in any way to the processing of personal data) to undergo an assessment to establish that they do not contravene the company’s policies to maintain compliance with the GDPR.
Bellisimos has implemented training and processes to enable staff to recognise and respond to data Subject Access Requests (‘SARs’). Staff will understand the significance of undertaking identity checks prior to responding to requests for data portability and the rectification and erasure of personal data.
Further to this, Bellisimos appreciates that its products and services are likely to form part of the controls and processes that its clients’ businesses will implement in order to fulfil their own GDPR obligations.
If you are employed by an organisation that is a Bellisimos client, prospective client, business partner, supplier or associate, it is possible that we might record data about you (in which case, you become the ‘data subject’ in the context of the GDPR).
A list of responses to questions frequently asked by ‘data subjects’ follows:
Where and how will the data about me be recorded?
We will collect and store information about you when you visit our website; enquire about our products and services via an online form or by telephone; when you email us or when you meet with us.
We may supplement the information we hold about your business (or you as an individual if you are a sole trader or corporate entity of some kind) with information from third parties such as Graydon, LinkedIn and other publicly available platforms.
When you visit our website, we will collect electronic ID data such as your Internet Protocol (IP) address. We collect information about your browsing habits on our websites using ‘cookies’. Further information is available about this on our website ‘Privacy’ page, accessible via a link on the foot of the page.
Your data is likely to be recorded in our Customer Relationship Management (CRM) database system. There may also be emails that you have sent to us (and that we have sent to you) recorded in our CRM system and within our email server database.
If you are a sole trader or consumer client, it is probable that we will hold a record which relates to you within our accounting software database as well.
Our CRM, Email and Accounting databases are all maintained within a secure location in the European Union.
We may also record your email address, name and company name in our mass email broadcasting system (which is a secure cloud-based database).
What data do Bellisimos hold about me?
Our CRM system is configured to provide for the recording of the following personal information:
Full name Name Prefix Title Type of Role Any preference which you have expressed relating to the receipt of marketing materials from us via email or direct mail Phone number(s) Email address(s) Postal address (usually a business address, unless you work from home)
In addition, we may have attached to your record in our CRM system:
Documents that you have sent us Emails that you may have sent to us or we have sent to you Notes that we have made as outcomes from interactions with you (telephone conversations and meetings) Details of any future planned activities that we have with you
Records held within our accounting system will include a history of transactions (including sales orders, invoices and financial status information that relates specifically to your trading history with us). These may be regarded as ‘personal’ if you are a sole trader or a corporate entity of some kind.
How does Bellisimos ensure data security?
All our database systems are password protected and access is only afforded to those with a legitimate reason for so doing.
All users are required to have a domain user name and password to authenticate against the security model for access to our databases. Password policies determine that these must be changed with a high degree of frequency and they must also have a pre-determined level of complexity.
All portable computers are encrypted with the AES encryption algorithm in cipher block chaining with a 256 bit key.
Where corporate systems are available to staff (exclusively) via the internet, all web services are secured via SSL/TLS certificate security certificate and all internet data transactions are encrypted as a consequence.
Remote workers are only able to access data services within our corporate network via secure Virtual private Network (VPN).
What do you do with my information?
We use your information for the following purposes:
To communicate with you in relation to the products and services that your employer has contracted with us to provide. To monitor our levels of customer service and manage the way in which we support you (if your employer is our customer). To understand our customers’ needs and requirements. To advise you of other products and services that we offer which we feel may be of benefit to you and/or your employer. To alert you to events and news that we feel might be relevant and/or useful to you.
With whom do you share my information?
We will never share your information with a third party without your express permission, unless we are required to do so by law.
Do you process sensitive personal data?
We do not directly process data which the Data Protection Act 1998 defines as ‘sensitive personal data’. As a business to business (B2B) company, most data recorded within our systems is of a corporate nature.
How will you use my information to contact me?
We may contact you by telephone (via a business phone number where it has been provided, and sometimes via a mobile phone), by post (to your business address), by email (via a business email address if you have provided us with one) or by Social Media platform (such as LinkedIn, Facebook or Twitter).
Will you send me marketing information?
We will only send you marketing information about other products and services that we (ourselves) offer. Most of our marketing communications are broadcast via an email marketing platform. This platform includes an ‘unsubscribe’ link.
You may use this link to inform us that you no longer wish to receive email marketing messages from us or you may alert us to this via phone on 0333 444 0634, email to [email protected] or in writing (to our address in Cardiff).
Can I see the information that you hold about me?
If you would like a copy of the personal information that we hold about you, simply call us on 03334440634 or write to us at Bellisimos, 19 Wyndham Arcade, Cardiff, CF10 1FH.
We will acknowledge the request as soon as we receive it and will provide a full response within 30 calendar days of our acknowledgement.