Introduction
This Policy sets out the obligations, under internationally recognized privacy standards such as the Data Protection Act 2018 (“the Act”), of the Social Media Consulting Ltd trading as SP Index (“the Company” or “we”) regarding the management of:
– Visitors of the Website personal data; and
– Customers’ personal data.
Together, Visitors and Customers are referred to as “Customer” or “You”. Under the Act, “personal data” is defined as data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the Company in this context), and includes any expression of opinion about the individual and any indication of the intentions of the data
controller or any other person in respect of the individual.
The Company is committed not only to the letter of the law but also to the spirit of the law and places a high premium on the lawful, fair, and transparent handling of personal data, respecting the legal rights and trust of persons with whom it deals.
The Company provides its Customers with information verification services on individuals based on their online public presence (‘the Services’) as per the Standard Agreement or Terms and Conditions of Services agreed upon between the Company and You (‘the Agreement’). The purpose for which our Services are used, as the case may be, is defined by the Customer and may include answering regulatory obligations; protection of assets, due diligence requirements, reputation and brand protection, and lastly the reduction of security risks.
This Policy sets out:
1. how the Company manages your personal data in connection with the use of our website, Social Media Resource Hub, and Social Media Decorum Portal (together referred to as ‘Website’), and the performance of our Services when the Company is acting as a data controller as defined in the Act; and
2. your rights with regards to the processing of your personal information.
1.What information do we collect, what are the purpose and lawful basis of personal data collection, and how long do we retain information for?
When a designated Social Media Decorum Portal’s Authorized User, or a representative of a Customer, or potential Customer visits our Website, contacts or requests information from us and/or when a Customer engages us with an Agreement to provide Services; we collect, as a data controller, personal information from the Customer in the course of our business, including through the Customer’s (or potential Customer’s) use of our websites, applications, and software in connection with provision of our services.
We will use Customer personal information solely for the purposes for which it was collected, unless we determine that another use is necessary and compatible with the original intent. If we need to use Customer personal information for a different, unrelated purpose, we will inform the Customer and explain the legal basis for doing so – in which case the Customer will have the right to object to the processing.
The below table depicts what information, as a data controller, that we collect, the purposes and the lawful basis of personal data collection, and how long do we keep the data for.
| Data Collected | Purpose of Collection | Legal Basis for Collection | Retention | |
|---|---|---|---|---|
| Marketing (Customers and Prospective Customers) |
- First and last name - Customer company represented - Professional email, telephone, and address - IP address - Web browser type and version - Operating system - URLs with referring site, Customer activity on Website, and exit site |
- Sending newsletters upon request - Responding to queries - Improving Website content - Enhancing marketing strategy - Conducting research and analysis |
Legitimate interest for business development purposes and Services’ improvements | Personal data is retained for a reasonable period, taking into account legitimate business needs to capture and retain such information. |
| Contract (Customers) |
- First and last name - Customer company represented - Professional email, telephone, and address - Professional telephone number - Correspondences - Authorized Users' name and email |
- Registering new Customers/users - Accepting orders - Fulfillment of services - Providing Customer support - Creating user accounts |
Contract to perform the Company’s Services | Personal data is retained for a period necessary to comply with applicable regulations and Agreement’s requirements. |
| Administration (Customers) |
- First and last name - Professional email, telephone, and address - Customer company represented |
- Legal and Financial compliance - Invoicing and managing payments |
Legal obligation for legal, financial, and tax purposes | Personal data is retained for a period necessary to comply with applicable regulations. |
The Website may use cookies from time to time. For more information about the Company’s use of cookies and how You can disable them, please see our Cookie Policy (https://sp-index.com/cookie-policy/). The Company is not responsible for the privacy practices of third-party websites, mobile apps or other digital services, including those that may be linked through the Website or services, and we encourage You to review the privacy policies or notices published thereon.
The Company processes, as a data processor, in the performance of its Services for and on behalf of its Customers, information relating to identified individuals (“Data Subjects”) in accordance with the Agreement, which also defines the data retention period. For example, information that may be processed by the Company includes the Data Subject’s name, date of birth, job title, contact information, education information, work history, online publicly available information to perform the Services and ensure maximum possible accuracy through the performance of the Services. The lawful bases for the data processing are determined by the Customer’s privacy policy or another relevant document and will vary depending on the type of information and the Customer’s purpose. Prior to placing an order, the Customer has evaluated the necessity, legality, and relevance of the Services by obtaining appropriate legal advice and guarantees that: the personal data is processed lawfully, fairly, and transparently with respect to the Data Subject; the Data Subject personal data is collected for specific, explicit, and legitimate purposes, and is not further processed in a way that is incompatible with those purposes; the personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed; where applicable any necessary information notices, or other mandatory documents have been duly provided to or obtained from the Data Subject.
2. What are your rights?
You have the following rights in relation to the personal information we hold about You:
2.1 Access: You have the right to access personal information that the Company holds about You.
2.2 Rectification: You have the right to ask us to rectify information the Company holds about You if it is inaccurate or not complete.
2.3 Erasure: You can request that the Company erases your personal data. We will keep basic data to identify You and retain it solely for preventing further unwanted processing.
2.4 Restrict Processing: You have the right to ask the Company to restrict how we process your data. This means we are permitted to store the data but not further process it. We keep just enough data to make sure we respect your request in the future.
2.5 Object to processing: Where processing is based on legitimate interests, You have the right to object to the Company processing your data. The Company will discontinue processing your data, unless we can demonstrate compelling legitimate grounds for the processing. We will keep basic data to identify You and retain it solely for preventing further unwanted processing.
2.6 Portability: Where processing is based on consent or performance of a contract, You have the right to data portability. The Company must allow You to obtain and reuse your personal data for your own purposes in a safe and secure way without this effecting the usability of your data. This right only applies to personal data that You have provided to the Company as the Data Controller.
2.7 Right to withdraw consent: If the Company relies on Customer consent for processing Customer personal information, the Customer has the right to withdraw Customer consent at any time.
2.8 Right to lodge a complaint: If a Customer has any concerns about our privacy practices, including how we have handled Customer personal information, Customers can report this to the Information Commissioner’s Office (ICO). The ICO is the supervisory authority that regulates handling of personal information in the UK. Customers can contact them by:
2.8.1 Online request https://ico.org.uk/
2.8.2 Phone on 0303 123 1113
2.8.3 Post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Please contact privacy@sp-index.com to request access, rectification, or erasure, or to restrict processing, to object to processing, to request data portability.
In respect of the rights mentioned above, in some cases we may require verifiable request before action can be taken in respect of Customer personal information and our processes. The verifiable request must:
- Provide sufficient information that allows us to reasonably identify the Customer (or Customer
representative); and - Describe the request with sufficient detail that allows Company to properly understand,
evaluate, and respond to it.
Please note that some of these rights may be limited where the Company has an overriding interest or legal obligation to continue to process the data.
Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved. The Company does not make automated decisions using personal data.
3. Do we share your personal data?
We do not share, sell, or distribute your personal data without your consent or in accordance with this Policy.
We may sometimes contract with the third parties for business support services. These may include for example, information technology support, payment processing, and marketing services. If any Customer personal data is required by a third party, as described above, we will take steps to ensure that Customer
personal data is handled safely, securely, and in accordance with Customer rights, the Agreement, and the regulation. As of today, we may be disclosing information to the following third parties:
- Microsoft Solutions (Ireland) for hosting Company data (Infrastructure Azure) and through the use of Teams (Modern Work);
- Payment software for issuing and managing invoices;
- Third party applications for marketing, e.g. live chat service.
In some limited circumstances, we may be legally required to share certain personal data, which might include Customer personal data, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
We may need to disclose the personal information provided by the Customer if we dispose of our business, in which case we may disclose that Customer personal information to the prospective buyer of our business.
4. The security measures we take
We are committed to keeping Customer personal information protected which we achieve by implementing technical measures specific to our business activity. These measures protect personal information from unauthorized access, accidental loss, improper use or disclosure.
The Company’s information system is built on Microsoft Azure which is ISO/IEC 27001 certified, meaning that the IT infrastructure and the Company’s use of Microsoft services are certified security standards which include encryption, access management, network security, and monitoring.
In addition, the Company has implemented:
- Policies and procedures for covering information security, access control, incident management, and business continuity;
- Thorough access control by implementing multi-factor authentication and user management using a role-based access control;
- A risk assessment to identify and assess risks to the Company’s information assets; and
- Regular trainings, phishing campaigns, and pen testing.
5. International Transfers
We will only store Customer personal data within the United Kingdom and European Economic Area (the “EEA”). The EEA consists of all European Union member states, plus Norway, Iceland, and Liechtenstein. This means that Customer personal data will be fully protected under the UK Data Protection Legislation or to equivalent standards by law.
If any personal data is transferred outside of the EEA, we ensure a similar degree of protection is afforded to it as it would be under the Act. Such degree of protection can be provided through: adequacy regulations, or putting in place one of the appropriate safeguards such as the international data transfer agreement. In addition, we will perform a transfer risk assessment and personal information will be shared only when the Company is satisfied that the data subjects of the transferred data, the relevant protections under the Act are not undermined.
6. Contact details
If Customers have any comments or questions about our privacy policy or our processing of Customer personal information, please contact the Company’s Data Protection Officer at privacy@sp-index.com.
7. Implementation of this policy and changes
Any changes made to this policy from time to time will be published on our Website. To ensure You remain up to date about how your personal information is used, please ensure that You periodically review the policy available at all times on the Website.
This Policy has been updated and approved and is authorised by:
Name: Martin Hardy
Position: Executive Director
Date: 22 July 2024
Due for Review by: 31st January 2025
