Privacy & Data Protection Policy
Calm Digital Ltd. (‘we’, ‘us’, or ‘our’) are committed to having the correct procedures in place to protect and respect your privacy, in line with the guidelines of the GDPR and the Data Protection Act 1998.
We may need to gather and use certain information about individuals. This Privacy Notice explains in detail the data we collect, along with how it is handled, stored and how we keep it safe. These individuals can include customers, suppliers, business contacts, employees, users of our clients’ websites and other people that the organisation has a relationship with or may need to contact.
The policy applies to all Calm Digital Ltd. employees and all Personal Data processed at any time by Calm Digital Ltd. The objective of the policy is to ensure that:
- We process Personal Data in compliance with the Data Protection Act 1998 and GDPR regulations.
- Calm Digital Ltd. and all its staff members are aware of all obligations and protocols when processing Personal Data.
- We protect the rights of the staff, customers and partners along with your own Personal Data.
- Calm Digital Ltd. protects itself from the risks of a data breach.
- Data Controller:
- The organisation that determines the manner and purposes for which Personal Data is to be processed.
- Data Processor:
- The organisation or individual who processes Personal Data on behalf of the Data Controller.
- Data Subject:
- An individual who is the subject of Personal Data (also referred to as ‘you’, ‘your’, ‘yourselves’).
- Personal Data:
- Information relating to an individual who can be directly identified from the information. Personal Data includes factual information as well as expressions of opinion or intentions.
- Personal Data Breach:
- Loss, theft or unauthorised access, use or disclosure of Personal Data.
3. Legal Basis For Data Collection
The law allows the collection and processing of personal data for a number of reasons.
- Certain situations allow us to collect your personal data, such as when you tick a box that confirms you are happy to receive email newsletters, or ‘opt in’ to a service.
- Contractual Obligations:
- We may require certain information from you in order to fulfil our contractual obligations and provide you with the promised service.
- Legal Compliance:
- We’re required by law to collect and process certain types of data, such as fraudulent activity or other illegal actions.
- Legitimate Interest:
- We might need to collect certain information from you to be able to meet our legitimate interests - this covers aspects that can be reasonably expected as part of running our business, that will not have a material impact on your rights, freedom or interests.
4. Processing Data on Behalf of a Controller
The GDPR defines a “processor” as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Therefore, the responsibilities described below may be assigned to an individual or may be taken to apply to the organisation as a whole.
The Data Processor has the following responsibilities:
- Ensure that all processing of personal data is governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller
- Process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third party or an international organisation
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data
- Obtain the prior specific or general written authorisation of the controller before engaging another processor
- Assist the controller in the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights
- Delete or return all the personal data to the controller after the end of the provision of services relating to processing
- Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller
- Maintain a record of all categories of processing activities carried out on behalf of a controller
- Cooperate, on request, with the supervisory authority in the performance of its tasks
- Ensure that any person acting under the authority of the processor who has access to personal data does not process them except on instructions from the controller
- Notify the controller without undue delay after becoming aware of a personal data breach
- Designate a data protection officer where required by the GDPR, publish their details and communicate them to the supervisory authority
- Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge
5. Policy Scope
This policy applies to:
- The head office of Calm Digital Ltd.
- All branches of Calm Digital Ltd.
- All staff and volunteers of Calm Digital Ltd.
- All contractors, suppliers and other people working on behalf of Calm Digital Ltd.
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
- Names of individuals.
- Postal addresses.
- Email addresses.
- Telephone numbers.
- Company name.
- Bank account details (for a supplier).
- Business information.
- Details of interactions with our clients’ websites
- Along with any other information that relates to individuals.
6. Policy Statement
Calm Digital Ltd. will only collect and process information where we have gained consent, we have contractual obligations or legitimate interests, or for legal compliance. We will:
- Comply with the Data Protection Legislation and adhere to the following 8 Data Protection Principles:
- Must be processed fairly and lawfully.
- Must be obtained only for specific and lawful purposes.
- Must be adequate, relevant and not excessive.
- Must be accurate, and kept up to date.
- Must not be held for any longer than necessary.
- Must be processed in accordance with the rights of data subjects.
- Must be protected in appropriate ways.
- Must not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
- Comply with the statutory requirement to maintain accurate entries on the Information Commissioner’s public register of Data Controllers which describes the purposes for which Personal Data is processed.
- Comply with all other relevant legal requirements which apply to its processing of Personal Data, including:
- Calm Digital Ltd.’s Disclosure of Personal Data to the Police and other Statutory Law Enforcement Agencies policy.
- Calm Digital Ltd.’s Information and Records Management Policy.
- Calm Digital Ltd.’s Information Security Policy.
- Calm Digital Ltd.’s Code of Conduct.
- Implement appropriate structures, systems and processes to manage all Personal Data fairly and lawfully.
- Be transparent about how Personal Data is processed, providing clearer privacy notices at the point it is collected, providing users with an option.
- Ensure that procurement processes and contractual arrangements with external service providers also adhere to adequate measures to ensure compliance with the Data Protection Principles.
- Approach the identification, control, mitigation and elimination of Privacy risk in the same way as financial and operational risk.
- Provide customers with an opportunity to opt in to receiving future marketing communications at the point at which their Personal Data is collected and provide a simple process to unsubscribe should they change their mind.
- Ensure that requests from customers to change the use of their data for the purposes of marketing/ the provision of service updates are acted upon promptly.
- Not disclose Personal Data to third parties except where disclosures are permitted or required by law.
- Label Personal Data in accordance with its Information Security Classification Standard for protectively marking information.
- Ensure that any complaint about Calm Digital Ltd.’s processing of Personal Data or non-compliance with the policy will be passed to the Privacy and Data Protection Team. The complaint will then be dealt with promptly in accordance with the Privacy and Data Protection Complaints Handling Procedure.
- Provide training to any relevant member of staff and ensure that training is kept up to date.
- View serious or repeated breaches of this policy by a Calm Digital Ltd. employee as misconduct that will be managed and resolved in accordance with relevant disciplinary policies and procedures.
Privacy By Design
Calm Digital Ltd. has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.
The data protection impact assessment will include:
- Consideration of how personal data will be processed and for what purposes
- Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
- Assessment of the risks to individuals in processing the personal data
- What controls are necessary to address the identified risks and demonstrate compliance with legislation
Use of techniques such as data minimisation and pseudonymisation will be considered where applicable and appropriate.
It is Calm Digital Ltd.’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.
7. What kind of data do we collect, and when?
Information that you may give us:
You may provide us with information about yourself through the use of on site forms, through speaking with a staff member on the phone, via email, by letter or in person. This includes information that you give us when you use our website, subscribe to our services, participate in any discussions via social media or report an issue with our website.
This information may include but is not limited to: your name, email address, phone numbers, addresses, gender, company name, position in company, bank account details (for a supplier), or confidential business information.
Information that we may collect:
When you visit our website, we measure visits using Google Analytics and standard web server log files. These record which pages you visit, how you arrived at the site, and other basic information about your computer. All this information is anonymous and we do not make any attempts to find out the identities of those visiting the website.
When acting as a Data Processor on behalf of the Data Controller, we may gather details regarding interactions with our clients’ websites. This information would be provided by the Data Controllers and would be subject to the Data Controllers’ own Privacy Notices.
Details of your URL
We may gather information about your visit to our website including the URL clickstream to and from the website, the date and time, pages viewed, length of page visit, interaction with those pages, their response times, any errors, your exit behaviour from the website and if you called directly from viewing the website on mobile, we may collect your mobile number.
Cookies & Google Analytics
Google Analytics sets cookies on your device to function. These cookies do not personally identify you and the data these services collect is anonymous. We use these services and the data they collect to make our website better.
Any email sent to Calm Digital Ltd., including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
Information we may be given from other sources
We may have access to certain information if you use any of the other services we provide or if you interact with our social media pages.
We may also work with some third parties that you have permitted to share the information they hold about you with us, such as: business partners, subcontractors, payment services, ad networks, analytics providers, search engine providers, credit reference agencies, so we could receive information about you from them if it is necessary.
Data may also be collected from publicly available sources (i.e. land registry) when you have given your consent to share this information or if it is available as a matter of law.
Your image may be recorded on CCTV as you enter the Boho One building from either the front or rear entrance, for security purposes only. We do not have access to this footage, however you may contact the Boho One building on 01642 248692 for more information.
8. How we may use your data
Calm Digital Ltd. may use your information to:
- Carry out obligations arising from contracts entered between Calm Digital Ltd. and the data subject/ company.
- Provide you with information, products and services that you request from us.
- Provide you with information about other goods and services that we offer that are similar to those you have already purchased, enquired about, or that we would recommend.
- Administer our website and for internal operations such as troubleshooting, data analysis, testing, or for research purposes.
- To improve our website in order to ensure that content is presented in the most effective manner for you and your computer.
- To develop and test the products and services we provide you with.
- To allow you to interact with features of the service.
- To help us keep our website safe and secure.
- To measure the effectiveness of advertising served to you.
- To process payments.
- To prevent fraudulent or other illegal actions.
If necessary, legal and in your best interests, we may share your personal information with selected third parties including:
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
- Analytics and search engine providers that assist us in improving our website.
- Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
When might this be necessary?
- In the event that we sell any business or assets, in which case data may be disclosed to the seller or buyer of such business/assets.
- In the circumstance that Calm Digital Ltd. or all its assets are acquired by a third party. Personal information would be one of the transferred assets.
- If we have a duty to disclose information in order to comply with legal obligations.
- In order to apply agreements between us, to protect our rights, property, safety and customers. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
It is the responsibility of all employees at Calm Digital Ltd. who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data is held in as few places as necessary. Staff are advised against creating any unnecessary data sets and if this is required they must dispose of this data by either shredding the paper copy or thoroughly deleting the additional copy.
- Staff take every opportunity to ensure that data is updated. For instance, by confirming a customer’s details when they call, or if they change their contact information in their email footer.
- Calm Digital Ltd. makes it easy for data subjects to update the information Calm Digital Ltd. holds about them. A data subject may request access, a change, or the right to be forgotten at firstname.lastname@example.org. We aim to update or delete this data as promptly as possible, within 14 days but no longer than 30 days.
- Data is updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it is removed from the database.
- The marketing manager ensures that marketing databases are checked against industry suppression files every six months.
You have the right to contact us at any time to correct the data we hold about you. For example, if you have recently married and changed your name, we will update this and inform any relevant third parties or suppliers who also need to update their records.
9. How long will we keep your data?
When we collect your personal data, we will only retain it for as long as is necessary for its purpose.
When it is no longer necessary for this data to be retained, it will either be completely deleted or completely anonymised, for example by aggregation with other data so that it may be used in a non-identifiable way for statistical analysis.
- Contracts: for two years after your contract has ended
- Database backups are retained for 30 days before being automatically deleted
10. Who do we share your data with?
Sometimes we may share your personal data with trusted third parties, for example business partners or for fraud management.
We may share your data with:
- Third party systems for delivering email and SMS messages
- Law enforcement bodies
11. Where might your data be processed?
Sometimes we may need to share your personal data with third parties and suppliers outside the European Economic Area (EEA) such as the USA. If this is necessary, we have procedures in place to ensure that this data receives the same process as we follow for the EEA. We will treat the information the same as we would for EEA companies under the stipulations of this Privacy Notice.
12. Your rights
You have the right to:
- Be informed.
- We will make you aware of the type of processing your data may be subject to.
- Request access to your personal data.
- This will be free of charge, however if the request is onerous and unreasonable we may submit it to the ICO for review. The request may then become chargeable at £10 per hour. Where possible we will aim to complete this request within 14 days, and no later than 30 days. For particularly large requests we may request an extension from the ICO to complete the task.
- The correction of your personal data.
- For example if the information is out of date or incomplete.
- Withdraw consent/ Erasure.
- This is applicable where we have no legitimate overriding interest, contractual obligations, or once the data retention period has come to an end.
- Request that we stop using your data for direct marketing.
- You can do this by clicking the unsubscribe button in any email communication we send you.
- If information is required and the request is reasonable we will provide the information in a widely accessible format.
You can direct your subject access requests or correction requests to: email@example.com or
Data Protection Officer,
Calm Digital Ltd.,
Bridge Street West,
If we choose not to action your request we will explain to you the reasons for our refusal. If the task is deemed onerous and unreasonable by the ICO, we may ask you to reduce your request to something more specific or alternatively, if approved by the ICO, the full request may become chargeable.
To protect your information, we will require you to verify your identity before we proceed with any request. If you have authorised a third party to make this request (such as a solicitor) on your behalf, we must still be provided with verification of your identity and reasonable proof that they have your permission to act on your behalf. We will provide the requested information directly to the subject of the data subject access request and not to the third party.
Our website may contain links to and from websites we partner with such as advertisers or affiliates. If you do follow these links, it is important to be aware that these websites use their own privacy policies so Calm Digital Ltd. will be unable to accept any responsibilities for these policies.
13. Updates | Changes To Our Policies