Privacy statement
- General
- At dxw we are committed to keeping your personal data safe and secure. As a result, we have been ISO27001 certified since 2011 and have robust and secure procedures for the handling of personal information. Our certification means we have achieved the international standard for managing risks to the security of information we hold. This includes data we process for clients, marketing material to support our objectives, and personal information to fulfil our contractual obligations. Our ISO27001 certification demonstrates dxw’s commitment to information security (including the transfer of data), and to the responsible use of data and data retention.
- dxw is both a Data Controller, for data it collects to support the running of its business, and a Data Processor, where it processes information on behalf of its client, who is the Data Controller.
- We have appointed a Data Protection Officer (DPO) who has ultimate responsibility within dxw for making sure data is treated in accordance with this privacy policy. Our DPO can be contacted by emailing DPO@dxw.com.
- This document sets out to explain what information we collect, why we do so, and how we manage it.
- Data processors we use
- We use a number of cloud based products that serve as Data Processors. These help us in the running of the company to meet our contractual obligations.
- Some of these products will process information outside of the European Economic Area. As part of our role as a Data Controller we review what information is being processed and ensure that the arrangements are GDPR compliant.
- If we are not satisfied with their level of compliance we will end the contract.
- What data we hold
- As a data controller, we hold personal information for a variety of contractual reasons. These include:
- Information to help us deliver a contract to a client. This can include information that is commercially sensitive.
- Information about our staff to help us meet our contractual obligations to them, as well as to advance our legitimate business interests. For example, being able to pay them, keeping records of our decisions and providing a suitable and safe working environment.
- Information on user research participants which we use to deliver a contract to a client. Not only do we apply our data protection principles to this information, we also employ our ethical principles to the gathering of good and justifiable research data.
- Personal data voluntarily provided to us, by past, present and potential clients, in order to keep them informed of our work through marketing
- Personal data voluntarily provided to us by people who apply for a role at dxw (whether an open vacancy or not)
- How we use our data
- Data we hold as a controller is kept in a variety of cloud based software systems, each with its own data processing and security policies. These are managed in accordance with section 2 above.
- We assume consent when any of the above information has been voluntarily provided to us. This includes:
- Applications for a vacancy at dxw (whether an open role or “general application”)
- Applications to receive marketing material from us
- Applications to participate in user research
- Requests for proposals to conduct new client work
- The use of all information will be limited to its intended use, such as to fulfil a contractual obligation, or to apply for a job vacancy.
- The use of data beyond the intended use will require explicit consent from the owner of that information. In this instance, dxw will contact the information owner and seek consent for the new use.
- As part of our commitment to data protection and ISO27001, dxw provides learning and development to its staff around the handling of personal data, and also has processes in place to flag potential breaches.
- Personal information will be kept in a fashion which permits identification of its subjects, and only for the purposes for which the personal information was intended.
- We keep personal data for no longer than is necessary to fulfil our contractual obligations specified in this policy.
- Your rights
- You may have a number of rights concerning the data we hold about you. If you wish to exercise any of these rights, please contact our Data Protection Officer as set out above.
- The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this policy.
- The right of access. You have the right to obtain access to your information.
- The right to rectification. You are entitled to have your information corrected if it is inaccurate or incomplete.
- The right to erasure. Enables you to request the deletion or removal of certain information that we hold about you.
- The right to restrict processing. You have rights to ‘block’ or ‘suppress’ further use of your information. When processing is restricted, we can still store your information, but will not use it further.
- The right to data portability. You have the right to obtain your personal information in an accessible and transferrable format so that you can re-use it for your own purposes across different service providers.
- The right to lodge a complaint. You have the right to lodge a complaint about the way we handle or process your information.
- The right to withdraw consent. If you have given your consent to anything we do with your information (i.e. to deliver a contract, meet our obligations as an employer, or justifiable means to run our business), you have the right to withdraw that at any time. Withdrawing consent will not, however, make unlawful our use of your information while consent had been apparent.
- The right to object to processing. You have the right to object to certain types of processing, including processing for direct marketing and profiling.
- Data processing on behalf of our clients
- dxw is a cloud hosting specialist, and processes information at the request of our client, who will be the Data Controller.
- Upon agreeing a contract for cloud hosting, dxw will be the data processor for the service, and a Data Protection Officer will be the point of contact for the client to ensure GDPR compliance.
- Each dxw contract will form the basis of a Data Protection Agreement for that service. This means that dxw will:
- have adequate information security in place;
- not use sub Processors without consent of the Controller;
- cooperate with the relevant Data Protection Authorities in the event of an enquiry;
- report data breaches to the Controller without delay;
- keep records of processing activities undertaken outside your control;
- comply with EU transborder data transfer rules;
- help the Controller to comply with data subjects' rights;
- assist the Data Controller in managing the consequences of data breaches;
- delete or return all personal data at the end of the contract at the choice of the Controller;
- inform the Controller if the processing instructions infringe GDPR.
- The processing we are doing will include the storing, displaying and amending of the personal data collected by the service that we host for you.
- Any data that dxw processes on behalf of the Controller will be held within the European Economic Area or the UK.
- Information provided to us independent of the service we are processing, but which is required to meet our contractual obligations, will be treated as per our data controller guidance. This should be done through the formal communication channel (as per the contract).