A “Data Subject” is a living individual who can be identified from the personal data or from additional information held or obtained. This can include a potential or existing client, supplier or partner.
“Personal Data” (“PD”) or “Personally identifiable information (PII)“ is any information that relates to an identifiable person (or “Data Subject”) and that can be used to identify the person directly, or indirectly when used with other information. It includes, but is not limited to:
- A person’s name
- Job title
- Postal or email address
- IP address, e.g. online identifier
- Vehicle registration number
- Bank details
There are “Special Categories” of personal data and these include but are not limited to data revealing:
- Race or ethnicity
- Religious or philosophical beliefs
- Trade union membership
- Sexual orientation
- Genetic or biometric data
“Processing” relates to all actions or handling of personal data by manual or automated means, e.g. data collection, erasure and destruction plus everything in between including recording, use, disclosure, sharing and storage.
A “Data Controller” is an individual or organisation who:
- decides to collect or process personal data;
- decides what the purpose or outcome of processing is to be;
- decides what personal data should be collected;
- decides which individuals to collect personal data about;
- whose data subjects are potential and existing clients, suppliers and partners of Thought Machine; and
- has a direct relationship with the data subjects.
Thought Machine is considered a Data Controller when it processes client, supplier and partner personal data.
Data Protection Principles
Thought Machine is committed to comply with the principles of data protection enumerated in the GDPR and other data protection regulations. Thought Machine will make every effort possible to comply with these principles. Personal data must:
- be processed lawfully, fairly and in a transparent manner (Lawful, fair and transparent);
- be obtained only for a specific, lawful purpose (Purpose limitation);
- be adequate, relevant and limited to what is necessary (Data minimisation);
- be accurate and, where necessary, kept up to date (Accuracy);
- not be held for any longer than necessary (Storage limitation); and
be protected and safeguarded in appropriate ways (Integrity, confidentiality and security).
Client, Supplier and Partner Personal Data
As a Data Controller, Thought Machine collects personal data for the sole purpose of contacting and maintaining relationships with its clients, suppliers and partners. The personal data mainly consists of contact details for prospective and existing clients. The type of personal data that is retained includes the following:
- Contact information such as your name, company name, job title, and address
- Email address
- Contact or phone number
- CCTV (any visitors who have entered Thought Machine offices)
Legal Basis for Processing Client, Supplier and Partner Personal Data
Thought Machine processes personal data fairly and lawfully, the data that is processed is done transparently and with consent when applicable, this generally means that Though Machine will not process personal data without consent. In the event a lawful basis cannot be determined for data collection, the data should not be collected or processed.
How Thought Machine collects client, supplier and partner personal data:
- The data provided to Thought Machine by clients, suppliers and partners - Thought Machine will collect this data in a number of ways for example contact through the website, post, telephone, email and any other means.
- The data is collected automatically - this can be done when Thought Machine engages with clients via an electronic means.
- For the purposes of marketing, Thought Machine also buys contact details. The personal data obtained is under lawful basis as it is in the interest of third parties to know about Thought Machine’s product offerings and services.
How We Use Client, Supplier and Partner Personal Data
Thought Machine may use client, supplier and partner personal data to:
- Develop and manage our relationship with potential and existing clients, suppliers and partners. This may include (i) delivering services or carrying out work that a client, supplier or partner has requested or that we are contractually obligated to do so and (ii) providing information about Thought Machine product offerings and services that may be of interest to them
- Communicate with potential and existing clients, suppliers and partners. This may include (i) informing our clients or partners of Thought Machine product offerings and services that may be of interest to them; (ii) providing information about relevant Thought Machine products or services, including, for example, pricing information, invoices, shipping or production information; and (iii) responding to questions or inquiries from our clients, suppliers or partners.
Thought Machine may also use client, supplier and partner personal data for other uses consistent with the context in which the information was collected or with your consent.
Thought Machine may anonymize or aggregate any of the information we collect and use it for any purpose, including for research and product development purposes. Such information will not individually identify any of our clients, suppliers or partners.
Sharing and Transferring Personal Data
Thought Machine will only disclose information about its clients, suppliers and partners to third parties if we are legally obliged to do so or where we need to comply with our contractual agreements to our clients. Where we have the requirement to use an intermediary, Thought Machine will ensure that they are fully compliant with GDPR (or equivalent based on jurisdiction) before engaging with them.
Thought Machine may also share any personal data with third parties or service providers that we use or hire to support our business. These third parties are required to use the personal data we share with them only to perform services on our behalf and to treat client, supplier and partner personal data in compliance with all applicable privacy and data protection laws.
The information Thought Machine has on its clients, suppliers and partners will not be kept longer than it is needed and Thought Machine will take all reasonable steps to delete information when it is no longer required.
Thought Machine will store client, supplier and partner personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this notice. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting, or necessary technical requirements.
In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.
Thought Machine takes privacy seriously and takes every reasonable measure and precaution to protect and secure client, supplier and partner personal data from unauthorised access, alteration, disclosure or destruction.
Data Subject Rights
Data Subjects have a number of rights in relation to the personal data that we hold. These rights include:
- The right to be informed - to know what information is being processed about the data subject.
- The right of access - to check what data is being held about the data subject.
- The right to rectification - gives the data subject the right to correct errors in the information that is held.
- The right to erasure - under certain circumstances the employee can ask for their personal data to be permanently erased. This is ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or the data subject’s consent for the processing of that data has been withdrawn.
- The right to restrict processing - the data subject can stop or halt the processing of their information if they deem it’s being used illegally or the data is not correct.
- The right to object - the data subject can object to information being used if it is not being used in the manner for which it was collected, e,g.: profiting, automation, marketing.
- Rights in relation to automated decision making and profiling - Thought Machine must respect the rights of individuals in relation to automated decision making and profiling.
- Right to data portability - Thought Machine must provide individuals with their data so that they can reuse it for their own purposes or across different services. Thought Machine must provide it in a commonly used, machine-readable format.
If a data subject has provided consent for the processing of PII, they have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before their consent was withdrawn. For any complaints, requests or queries, data subjects should contact email@example.com.
The Data Protection Officer is entrusted with monitoring and enforcing compliance with all data protection laws so as to ensure that personal data that is collected and processed is handled appropriately.
The Data Protection Officer can be contacted via the following e-mail address: firstname.lastname@example.org