Data privacy notice for clients and suppliers
Introduction
Voodoo Ltd is a Software development and digital consultancy company. We design, build and maintain websites, Apps and systems for many of our client organisations. We also provide email services and handle mailing lists for a few of our customers.
Our work entails processing data collected by our clients’ websites (e.g. via form submissions, cookies and analytics), and data provided to us directly by our clients (e.g. membership lists and mailing lists).
You may have been given a link to this page from one of our client organisations as part of their compliance with the General Data Protection Regulation (GDPR), which requires them to list who processes the data they control. This page provides information about how we process that data, which may include personal data about you. For the purposes of GDPR, we are a Data Processor for our clients, who are the Data Controllers.
Voodoo Ltd (“we”, “our”) are committed to protecting and respecting your privacy.
This policy and any other documents referred to in it set out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
1. Definitions
Data controller – a controller determines the purposes and means of processing personal data.
Data processor – a processor is responsible for processing personal data on behalf of a controller.
Data subject – a natural person.
Categories of data:
Personal data – the GDPR applies to “personal data”, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (as explained in Article 6 of GDPR). For example, name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories of personal data – the GDPR refers to sensitive personal data as “special categories of personal data” (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing – means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
2. Who are we?
VOODOO LTD is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: Company no: 4325063 Registered in England and Wales; Registered office:
Henry Wood House
2 Riding House Street
Marylebone
London
W1W 7FA
United Kingdom. For all data matters, contact Peter Nicholls at info@voodoo.co.uk.
3. The purposes of processing your personal data
We process data on behalf of our clients in order to carry out the work they contract us to do (e.g. designing, building and maintaining their websites).
We use your personal data for the following purposes:
- To correspond with you
- To offer our services
- To enter into contract negotiations
- For the performance of any contract with you
- To send out invoices to clients and follow up on payment of these
- To make payments to suppliers
- To maintain our own accounts and records
- To adhere to legal requirements
- To inform individuals of news, events or activities
- You may give us information about you by filling in forms on our site www.voodoo.co.uk (“our site”) or by corresponding with us by phone, email or otherwise.
4. The categories of personal data concerned
With reference to the categories of personal data described in the definitions above, we may process some or all of the following categories of your data as needed:
- Personal data
- Contact information, which may include, for example, some or all of your name, business address, email address, Skype address, phone number, social media links
- Invoices sent by suppliers or generated by Voodoo Ltd for clients
- Photographs supplied by clients for the purposes of fulfilling a contract
- Photographs supplied by suppliers for the purposes of marketing
- Contractual information agreed between both parties
- Bank details supplied by yourself
- CVs supplied by yourself.
We have obtained your personal data in one or more of the following ways: directly from you when doing business with you (including previous business); through completing a webform on our website; from publicly available sources such as those published on company websites; collected from correspondence with others (e.g. other individuals in your organisation and you are cc’d); referrals from other clients or individuals; business cards from networking.
5. What is our legal basis for processing your personal data?
a) Personal data (article 6 of GDPR)
Our lawful basis for processing your general personal data is as follows:
Lawful basis | Personal data covered |
| CONTACT DETAILS. CONTRACTUAL INFORMATION WITH CLIENTS OR SUPPLIERS. PHOTOGRAPHS of clients for inclusion in publications for clients. BANK DETAILS for suppliers for remuneration as per terms of contract, or occasionally for clients if a refund is required. CVs of existing suppliers for performance of contract with client. Client owned Data that is anonymised |
| INVOICES – preparation and storage of invoices in accordance with HMRC requirements. |
| PHOTOGRAPHS OF SUPPLIERS for the purposes of marketing.* |
| CONTACT DETAILS of existing or potential customers or potential suppliers. We have conducted a Legitimate Interest Assessment (LIA) to verify that this is the correct lawful basis for the processing of these data. CVs of potential suppliers – used for assessment of suitability for potential assignments. We have conducted a Legitimate Interest Assessment (LIA) to verify that this is the correct lawful basis for the processing of these data. |
*A consent form is issued when obtaining the relevant photograph(s) as of 25 May 2018
More information on lawful processing can be found on the ICO website.
6. Sharing your personal data
Your personal data will be treated as strictly confidential and will be shared only with online contact management tools.
7. How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary and we retain your data only for the following purposes, and use the following criteria to determine how long to retain your personal data.
Personal Data | Retention | Purpose |
Contact details – clients and suppliers | Unlimited | Fulfilling our contract with you. Offering you relevant opportunities to engage us to work with you. |
Contractual information | Unlimited | Creating quotes and establishing working practices for current contracts. Taking steps to enter into contracts with you. |
Bank details – clients | Deleted after use | Only on occasion that a refund is required. |
Bank details – suppliers | Unlimited | For remuneration of current and future contracts. |
CVs – suppliers | 5 years | Decision making for future contracts. |
Invoices – clients | 7 years | For fulfilling our legal obligation to HMRC for accounting records. |
Invoices – suppliers | 7 years | For fulfilling our legal obligation to HMRC for accounting records. |
Photographs – suppliers | 7 years | Marketing. |
Photographs – clients | 7 years | In project archives for relevant projects. |
We identify and delete personal data in our possession which is controlled by our client organisations, when it is no longer needed for the performance of our contract with the client organisation.
Personal data for use in a one-off short-term contract is deleted soon after completion of the contract (e.g. we delete a mailing list provided to us for a single mailing after it has been sent out).
Some of our contracts with client organisations last for many years, and some of these include personal data (e.g. membership lists administered from websites which we maintain). We encourage and assist our clients in implementing good practice with the personal data collected by, and administered by their websites. Membership and mailing lists are kept up-to-date and data on unsubscribed individuals is not retained, unless necessary for compliance (e.g. to prevent inadvertently emailing somebody who has opted out).
When deleting personal data, we take steps to delete all copies beyond reasonable possibility of restoration, including copies on backups. Digital data is deleted securely by overwriting it, and data on paper physically destroyed.
8. Providing us with your personal data
a) You are under no statutory or contractual requirement or obligation to provide us with your personal data below.
- Potential customer: contact details.
- Supplier: contact details, CVs, photographs and bank details.
- Clients: photographs are required only for some contracts, where the client wishes their photographs to appear in the publication.
But failure to provide data will have the following consequences:
- Potential customer: we will not be able to offer relevant opportunities for you to use our services.
- Supplier CVs and bank details: we will not be able to offer you work or pay you for your services.
- Any photographs not provided cannot be included in your publication.
b) We require your personal data below as it is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
- Existing customers: contact details, contractual information (including information necessary for invoicing).
- Suppliers: invoices in order to be paid; contractual information.
9. How is your data processed and where is it stored
Under GDPR, organisations are prohibited from transferring personal data outside the UK, European Economic Area or Switzerland, to third countries and international organisations, except where the European Commission has determined that an adequate level of protections are afforded to individuals.
The US government has a certification scheme called Privacy Shield, which provides assurance that such protections are in place.
We host our clients’ websites on servers in the UK managed by two companies: Rackspace, a US company and AWS Europe. However, in both cases we use European data centres and the Backups of data from these websites are stored in encrypted form, both on servers within the EU owned by AWS Europe and Rackspace, and on our own computers. In both cases we do not use the Privacy Shield process as our data does not leave the UK and EU data centres. You can access both Companies GDPR compliance statements here:
https://www.rackspace.com/gdpr
And
https://aws.amazon.com/compliance/gdpr-center/
A variety of third-party plugins and analytics services are in use on our clients websites. Some of these collect personal data (e.g. through cookies). We check the GDPR compliance of these companies and services, and make adjustments where necessary to ensure compliance. A full list of cookies set by each client’s website should be provided on their site.
Most of our clients websites include contact forms, where website users can submit data to contact our clients and use their services. Most of the data entered by users into these forms is personal data, and in a few cases is sensitive personal data.
Mailing and membership lists belonging to our clients may be administered directly from their websites, or may be collected by their websites and administered by a third-party email company, MailChimp (based in the USA). This company has declared their compliance with GDPR. Most of our clients using these services manage their own lists, but we assist some of them directly with their mailings and list management.
Data supplied to us by clients exists on Google Cloud services via G-Suite and on the online projects management systems we use. Primarily, this comprises email, which again we host on Google G-Suite which is compliant with the latest GDPR regulations you can access their document “Google Cloud & the General Data Protection Regulation (GDPR)” Here:
https://cloud.google.com/privacy/gdpr
For comparison, you can view the information about cookies and personal data collected by our own website
You can also view a list of the third-party sub-processors we may use to process data on behalf of our client organisations. Please note that not all of these third party sub-processors are used for every client, just a subset will be in use.
9. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data.
- The right to request a copy of the personal data that we hold about you.
- The right to request that we correct any personal data if they are found to be inaccurate or out of date.
- The right to request that your personal data is erased where it is no longer necessary to retain such data.
- The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller (known as the right to data portability, where applicable, i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means).
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
- The right to object to the processing of personal data (where applicable, i.e. where processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority; direct marketing and processing for the purposes of scientific/historical research and statistics).
- The right to withdraw your consent to the processing at any time, where consent was your lawful basis for processing the data.
10. Automated Decision Making
We do not use any form of automated decision making in our business.
11. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing, and setting out the relevant purposes and processing conditions.
12. Changes to our privacy notice
Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy notice.
13. What would happen in the event of a personal data breach
If we become aware of a personal data breach involving data we process for one of our client organisations, we will notify the client organisation without undue delay. As the Data Controller, our client organisation is then responsible for following its own data breach procedures, and informing the Information Commissioner Office and those affected by the breach where necessary. As a Data Processor, we have a role in assisting our client with the subsequent investigation and remedial work.
14. How to make a complaint
To exercise all relevant rights, queries or complaints, please in the first instance contact Peter Nicholls at info@voodoo.co.uk.
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.