Privacy Notice – Website
Version: May 24, 2018
Bootneck Tees known as Bootneck Tees
Exchange House
33 Station Road
Liphook
GU30 7DW
UK
This data privacy notice only relates to personal data exchanged via https://bootnecktees.com.
We process the following data for the provision of this service:
The data
Privacy Data
Other data
Your data collected as part of access to our site and the platform it resides upon
· Your IP address (we cannot tell if this will identify you or your company so we will treat it as personal information)
· Browser connection string
· Browser type
· Platform or system type
· Usage information (pages visited, length of time spent, referral location)
The data you share with us as part of the contact us form
· Representatives' names
· Representatives' telephone numbers (mobile or landline)
· Representatives' email addresses
· Company Name
· Specific information to allow us to be able to respond to your query which may or may not contain personal data.
Note: Payment card (debit or credit card) information via Stripe Payment Gateway, as Bootneck Tees accept credit or debit cards. For more information on how Stripe handles your data: https://stripe.com/guides/general-data-protection-regulation
The processing of data and this privacy notice only relates to https://bootnecktees.com.
The data
Purpose
Legal Basis
Your data collected as part of access to our site and the platform it resides upon
Detection and prevention of crime, improvement of the site based on access methods, availability and capacity planning of our website.
6.1.f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The data you share with us as part of the contact us form
To allow you to interact with us, you can provide your contact information to us. We will use this data to contact you to be able to deal with your request.
If you are seeking a quote or to find out more about our services then this will be processed under 6.1.b.
If you are requesting information for a subject access request then we will process your data under 6.1.a for the purpose that you state, and only for the purpose that you state.
6.1.b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
or, if you are not trying to enter into a contract with Bootneck Tees, we will process your data under
6.1.a – the data subject has given consent to the processing of his or her personal data for one or more specific purposes
The controller is a consultancy company that provides Consultancy services. To ensure that our processing of data is fair to you we have used a Legitimate Interests Assessment (LIA) to evaluate our requirements against the impact to you as a data subject. We maintain this assessment as part of this privacy notice to show fair, reasonable, proportionate, open, honest and transparent processing of your data. The assessment is as follows:
Area
Test
Response
The legitimate interest(s)
Who benefits from the processing? In what way?
We both benefit, as analysis of how and where you connect to our site means that we can improve it for you and optimise this to most customers' browsers, platforms, languages and locations. We also use it to safeguard both you and us by recording your connection data should anything go wrong.
Are there any wider public benefits to the processing?
Yes. In the detection and prevention of crime, we can provide law enforcement with enhanced information to help protect other websites and users on the wider internet.
How important are those benefits?
We have an obligation to report crime and help the community at large prevent further crime or damage.
What would the impact be if you couldn’t go ahead?
We would remove our website from the public facing internet as we could not meet the requirement of confidentiality, integrity and availability of this service to our customers. This is of critical importance to us being a security consultancy company.
Would your use of the data be unethical or unlawful in any way?
No. We will use the data in two ways:
1. Pseudonymised for website stats to improve the website for users;
2. IP address and connection information for the detection and prevention of crime that would be shared with law enforcement if a data breach or security incident with the website occurred.
Necessity test
Does this processing help to further that interest?
Yes. The analysis of how and where you connect to our site means that we can improve it for you and optimise this to most customers' browsers, platforms, languages and locations. We also use it to safeguard both you and us by recording the data should anything go wrong. This way we can investigate and provide any relevant information to law enforcement.
Is it a reasonable way to go about it?
Yes. These methods used by us are the same as for most global websites. As security consultants we recommend that our customers collect this data to be able to provide evidence should unauthorised access to their systems happen so that investigation can occur, and law enforcement can be provided with appropriate information.
Is there another less intrusive way to achieve the same result?
No. We collect only the minimum level of information necessary to both improve and protect the website.
Balancing test
What is the nature of your relationship with the individual?
There may or may not be a relationship with the individual. This will be unknown at the time of interaction and data collection.
Is any of the data particularly sensitive or private?
No. The data that is collected is not overly sensitive from a data privacy standpoint. Every computer and device connected to the Internet is assigned an Internet Protocol (IP) address, which is recorded in most places you visit on the internet. The data from a security point of view could be quite sensitive and will therefore be protected in line with Article 32 – technical and organisational security measures.
Would people expect you to use their data in this way?
Yes. Analytics of this nature are used on most websites globally in the way that Bootneck Tees will use this information. Recording of logging and connection information is recommended by most global security best practice standards.
Are you happy to explain it to them?
Yes. This Legitimate Interest Assessment documents our interests and is published as part of our data privacy notice.
Are some people likely to object or find it intrusive?
People may object to this, and have the right to do so. Individuals always have the right not to use our website and can seek our information from partners or other sources on the internet that are not under our direct control.
What is the possible impact on the individual?
We will know their IP address, which could reveal their approximate location to us. Bootneck Tees will also know specifics about the web browser and system that they have used to connect to us and their usage patterns on our websites, pages visited, length of time on the site etc. This data will be appropriately safeguarded to ensure it cannot be misused, and will not be used for any other purposes than stated.
How big an impact might it have on them?
The impact will be low to the individual, unless they have committed a crime, at which point their data would be reported to law enforcement and other authorities like the ICO as appropriate.
Are you processing children’s data?
Not knowingly. This is a corporate website that is only designed for use by people with an interest in Bootneck Tees or the services that we offer. No service we offer is aimed at children.
Are any of the individuals vulnerable in any other way?
Not knowingly. This is a corporate website that is only designed for use by people with an interest in Bootneck Tees or the services that we offer. No service we offer is aimed at vulnerable groups.
Can you adopt any safeguards to minimise the impact?
All safeguards in line with the requirements of the GDPR will be in place, and all data will be protected in line with Article 32 – technical and organisational security measures.
Can you offer an opt-out?
Yes. It is possible for the individual to opt out of analytics information by using the Google Analytics opt-out Browser add-on that can be found at: https://support.google.com/analytics/answer/181881?hl=en. For other data collected by the webserver directly like the IP address and connection string there is no opt out that is offered for this information.
Data is shared as part of the usage of the website with two companies outside of Bootneck Tees that allow us to process your data. These are:
Type of company
Purpose
Google Analytics
Google provide the analytics service that allows Bootneck Tees to review the usage of its website. This includes approximate location information, IP address, usage statistics. This service is provided by Google under their standard contract of service that Bootneck Tees cannot change. Therefore, Bootneck Tees must rely on Google’s privacy statements. Google Analytics privacy policy can be found at: https://support.google.com/analytics/answer/6004245?hl=en
Microsoft
Contact information that you pass us from the website is emailed from our website to our sales and account managers. All data remains within Microsoft and its O365 services. This data is secured using TLS 1.2 for transport layer security and encrypted on disk at rest that Microsoft do not have access to. This service is provided by Microsoft under their standard contract of service that Bootneck Tees cannot change. Therefore, Bootneck Tees must rely on Microsoft’s privacy statements. These can be found at: https://products.office.com/en-us/business/office-365-trust-center-privacy
There may be occasions where data is shared with other types of organisations for the following purposes:
Type of company
Purpose
Penetration testing / security validation
Penetration testing companies during testing the security of this website. This will be covered by NDA and your data will not be exposed to risk during this process.
Insurers / solicitors
For the purposes of defending any claim that is brought against us by you we may need to share information with our insurers or legal representatives.
Licensing agencies / auditors
During audit for the commercial licenses we hold our auditors may require onsite review of the data. Any data that is to be taken offsite and out of our control will be anonymised so that your personal data is not exposed to risk during this process.
Law enforcement or other legal body (ICO etc.)
For the detection and prevention of crime, or to comply with statutory obligations we may be required to share information with law enforcement, government or other legal bodies as required by law.
These recipients are either covered with a contract between them and Bootneck Tees which includes a Non-Disclosure Agreement and data privacy agreement, or by law.
To deliver services to you there may be a requirement to use specialist companies that are based outside of the UK. In this regard, Bootneck Tees is relying on the legal derogation that any transfer would be necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request. Bootneck Tees will assess these companies and ensure that they meet the same requirement and safeguards as you would expect from Bootneck Tees in the UK.
All IT solutions in use by the company are administered and controlled in the UK. All safeguards that are in place for the UK staff, such as all technical and organisational controls, will be fully enforced.
Your data will be retained for the following time periods:
Purpose
Retention period or how we calculate the retention period
Your data collected as part of access to our site and the platform it resides upon
Analytics data will be maintained for 26 months from the date of collection in line with Google's updated data retention policies that can be found at: https://support.google.com/analytics/answer/7667196.
Data on the platform will be retained for one year from the date of collection in line with internationally recognised good practice standards and in conformity with Bootneck Tees' controls including the Data handling, Retention and Disposal Policy.
The data you share with us as part of the contact us form
If 6.1.b is used as the legal basis for processing then your data will be retained for the lifetime of the contract between us plus six years to be able to defend any insurance claims against us.
If 6.1.a is used to respond to a query that you have and there is no contractual basis for us processing your data then this will be kept for the lifetime of the request. We will maintain enough data to prove that we have complied with your requirements for one year to demonstrate our response if challenged.
Under the General Data Protection Regulation, you have rights, and our objective is to enable these appropriately. Your rights in relation to this service are as follows:
Purpose
Legal Basis
The right to be informed
We will publish this notice on our website and will also include this as part of our contract with you. This notice will serve as our information to you on your rights and how we use your data.
The right of access
You have the right to know what information we hold on you for this service. If you seek this information then please contact us and we can provide this once we have established your identity.
The right to rectification
If any of the information that we hold upon you is inaccurate then please let us know and we will rectify this.
The right to erasure
Your right to erasure of data is not absolute and data will be retained in line with the data retention policy that is stated as part of this notice.
The right to restrict processing
You have the right to ask us to stop processing your data for a given time and we have the right to restrict your access and processing using the website. This will either be because you ask us to, or there is a dispute or a valid reason to do so. If practical we will inform you if we restrict processing your data for any time, the reason behind this and any effects that this will have upon you.
The right to data portability
You will have no rights to data portability where 6.1.f legitimate interests are used as our legal basis for processing of your data. In relation to 6.1.b contract or 6.1.a consent you can request the data from us as the controller and we will agree a format with you if this data can be provided to you lawfully.
The right to object
You have the right to object to the processing that we undertake. Please see the section ‘Your right to complain’ below for instructions on how to do this.
Rights in relation to automated decision making and profiling
Automated decision making is not used so will not affect your rights and freedoms.
Where consent (lawful basis of processing 6.1.a) is used to process your data for your website request you have the right to withdraw the request or ask us to stop processing your data. We will tell you of the implications of doing this as we would not be able to process your request. For all other operations of the website these rely on contract or our legitimate interests as a controller. For these activities there is no ability to withdraw consent for this service, as consent is not our legal basis for processing for these cases.
You have the right to complain – although we should be complying with our obligations so that you don’t have to! However, if you feel that you need to then we would ask you to complain to us in the first instance:
+44 845 165 0290
However, you always have the right to complain to our supervisory authority. We are based in the UK and our Supervisory Authority is the UK Information Commissioner's Office, and more information can be found here:
https://ico.org.uk/concerns/