GDPR Compliance Notice

 

Your personal information is in your control

From 25 May 2018 the General Data Protection Regulation (hereafter referred to as GDPR) comes into force for all organisations that deal with individuals who reside in the EU (and the United Kingdom, even after we leave the European Union). This new regulation significantly enhances the control you have over your data, who has it, and how it can be used.


Anything Air Handling respects your privacy and your rights under the GDPR

The GDPR provides the following rights for individuals:

 

The right to be informed

When you use our website we use Google Analytics, with anonymised collective data, to measure which parts of our website are most popular, which is in line with our Website Tracking and Cookies procedure.

When you contact us with an enquiry your details are stored in our computer system.  These details will be used for the purpose of responding to your enquiry and the basis for any contract you go on to have with us. 

We may also use your email address to send you targeted emails or phone calls, if you give us your permission. We send targeted emails using a GDPR-approved provider and we have procedures in place to make sure that, if you opt out, they are notified so you do not receive any more emails from them.

You can opt in and opt out at any time using our forms, or clicking Unsubscribe on any of our marketing emails.

 

The right of access

Just as under the former Data Protection Act, you have a right to see the information we hold on you. However, unlike the DPA, we are no longer allowed to charge you an admin fee to provide you with this information, unless you repeatedly request it.

The GDPR states that the reason for allowing individuals to access their personal data is so that they are aware of, and can verify, the lawfulness of the processing.

Under some circumstances we have the right to refuse your request, but if we do we will give you a reason, and you have the right to complain to the Information Commissioner's Office if you do not agree.

All requests for access will be responded to within one calendar month.

If we hold a considerable amount of information regarding you, we reserve the right to ask you to narrow down what information you would like from us.

If you wish to receive a copy of the information we hold on you please fill out our Data Access Request form or email gdpr@aahuk.com.

 

The right to rectification

If the personal information we hold on you is incorrect, or incomplete, you have a right to have it corrected.  This will typically be at no charge.

You can either fill out our Data Correction form, email corrections@aahuk.com or speak to any member of staff on the telephone or in person.  Once you have made contact we will make the required change and notify you within one calendar month.

Under some circumstances we have the right to refuse your request, but if we do we will give you a reason, and you have the right to complain to the Information Commissioner's Office if you do not agree.

 

The right to erasure

Also known as "the right to be forgotten", this gives you the right to have your information expunged from our records.

You can only have your data erased if:

  • the personal data is no longer necessary for the purpose for which you gave it to us, such as when a contract has been completed and you are no longer involved
  • we are relying on consent as our lawful basis for holding the data, and you withdraw your consent
  • we are relying on legitimate interests as our basis for processing, you object to the processing of your data, and there is no overriding legitimate interest to continue this processing
  • we are processing your personal data for direct marketing purposes and you object to that processing

You can either fill out our Data Erasure form, email forget@aahuk.com or speak to any member of staff on the telephone or in person. Once you have made contact we will delete your details, notify any third party we may have passed your information to (for the purposes of carrying out our legal duty in a contract) and notify you within one calendar month.

Under some circumstances we have the right to refuse your request, but if we do we will give you a reason, and you have the right to complain to the Information Commissioner's Office if you do not agree.

 

The right to restrict processing

You have the right to request that we restrict the processing of your personal information.

You can only exercise this right under the following conditions:

  • if you contest the accuracy of your personal data you can request we don't process your data until we have verified the accuracy of it
  • if you think your data has been unlawfully processed, and you oppose erasure, you can request we restrict processing
  • if we no longer need your personal data, but you need us to keep it in order to establish, exercise or defend a legal claim
  • if you have objected to us processing your data and we are considering whether our legitimate grounds override those of yours

You can either fill out our Processing Restriction form, email restrict@aahuk.com or speak to any member of staff on the telephone or in person. Once you have made contact we will mark your records as restricted, tell any third party who processes your data on our behalf, and notify you within one calendar month.

Your right to restrict processing can be used in conjunction with other rights (such as rectification and objection).

Under some circumstances we have the right to refuse your request, but if we do we will give you a reason, and you have the right to complain to the Information Commissioner's Office if you do not agree.

In most cases the restriction would only be temporary. We are required to notify you before we lift the restriction and tell you why we are lifting it, and you have the right to complain to the Information Commissioner's Office if you do not agree.

 

The right to data portability

You have the right to ask us to provide the information we have on you in a format that can be passed to someone else.  This would be provided free of charge.

The information we hold will vary person by person, so we will ask you what information you would like.

If we don't think we would be able to satisfy a request, possibly due to the information not being presentable in a structured, machine-readable way, then we would let you know, and you have the right to complain to the Information Commissioner's Office.

Under some circumstances we have the right to refuse your request, but if we do we will give you a reason, and you have the right to complain to the Information Commissioner's Office if you do not agree.

You can either fill out our Portability form, email port@aahuk.com or speak to any member of staff on the telephone or in person to initiate your request.

 

The right to object

You have the right to object to:

  • processing based on legitimate interests (including profiling)
  • direct marketing (including profiling)
  • processing for the purpose of scientific / historical research and statistics

We will immediately stop processing your data unless we can provide you with a reason not to, which you have a right to object to with the Information Commissioner's Office.

To object you must give a reason relating to your particular situation.

You can either fill out our Objection form or email object@aahuk.com, as we are unable to accept these requests verbally.

 

Rights in relation to automated decision making and profiling

The only automated decision making that we carry out relates to credit accounts. We do not pass any personal information to our bank, but our bank will process director details in their decision making. They are bound by the same GDPR rules as us.

We never make solely automated decisions, as a Director will always review the output from the bank and make a decision from that.

You have the right to request to not be subjected to an automated decision-making process, which you will need to inform us of before entering into a contract with us.

 

Data Protection Officer

Under the definitions of the GDPR we are not required to appoint a Data Protection Officer. In line with the requirements, all of our staff have been fully trained on GDPR and will receive continuing professional development on it.

 

How we keep your data safe

Our core systems are stored on-site in our secure server room, on a secure server that requires extremely complex passwords to access. We do not use any cloud solution (Azure, G Suite, etc.) for storing this information. We have regular backups that go off-site. Our server sits behind a number of security appliances to protect your data from external interference.

We have appliances in place that will detect a data breach in the unlikely event that one occurs, and we have written policies to notify the Information Commissioner's Office within 72 hours, if necessary. If it is decided that any breach would affect your rights and freedoms then you will be contacted by us without any undue delay.

We do use third parties for some of our legitimate business activities, but we have agreements in place with them to ensure our requirements are met under GDPR as data processors.