Introduction and purpose
11 London (‘we’, ‘our’, ‘us’, ‘the Company’) is committed to protecting the privacy and security of your personal information.
This policy describes how we collect and use personal information about you, in accordance with the General Data Protection Regulation (GDPR).
Magnetic HCA Limited, trading as 11 London, is a ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this policy.
This policy applies to past and present clients, suppliers and research participants. This policy does not form part of any contract that 11 London may have in place with you.
It is important that you read this policy, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
We have appointed a Privacy Officer to oversee compliance with this policy. If you have any questions about this policy or how we handle personal information, please contact the Privacy Officer in writing using the details below.
Email address: firstname.lastname@example.org
10 Turnham Green Terrace Mews,
Our company number is: 05599828
Our ICO registration number is: ZA172539
Changes to this policy
We reserve the right to update this policy at any time and we will provide you with a new policy when we make substantial updates.
1. The Data Protection Principles
We will comply with data protection law. The law says that the personal information that we hold about you must be:
1. Used in a lawful, fair and transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes that we have told you about.
6. Kept securely.
2. The kind of information that we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (such as anonymous data).
There are some ‘special categories’ of more sensitive personal data which require a higher level of protection.
We collect, store and use some or all of the following categories of personal information about you:
(A) Basic personal information: name, title, address, telephone numbers, email addresses and gender.
(B) Payment details: national insurance number, bank account details, tax status information.
(C) Relationship details: start date of contract or relationship, location of usual place of business, key contacts’ basic personal information, job titles, transaction history, delivery details, service level preferences and qualifications.
(D) Research information: salary, education level, vehicle information, travel information.
(E) Monitoring: CCTV footage, swipe/fob records, PC login details, use of our IT and communications systems.
Typically we will hold information in categories A-C and E in relation to clients and suppliers and information in categories A, C and D in relation to research participants.
We may also collect, store and use the following ‘special categories’ of more sensitive personal information:
(F) Equality information: race or ethnicity, religious beliefs, disabilities and sexual orientation.
(G) Research information (health): medical conditions, dietary information, exercise information, prescription details, medical history, family medical history.
(H) Criminal records: criminal convictions and offences.
Typically we will hold information in categories F and H in relation to suppliers only and information in category G in relation to research participants only.
4. How we collect your personal information
We collect or determine personal information through our marketing, purchasing and research processes. The information is either provided directly by yourself as a potential client, supplier or research participant, or by an outsourcing agency or market research provider.
We collect personal information falling within categories D and G in the course of the research that you participate in.
We collect personal information falling within category E when you visit our premises or use our IT or communications systems.
5. How we use your personal information
We will only use your personal information when the law allows us to. The law says that we must identify a lawful basis for each use of your personal data. We rely on a number of lawful bases, including:
1. Where we have obtained freely given, specific, informed and unambiguous consent from you to use your personal information in certain ways.
2. Where we need to perform a contract that we have entered into with you.
3. Where we need to comply with a legal obligation.
4. Where it is necessary for us to use your personal information to pursue our legitimate interests (or those of a third party) and we believe that using your personal information in that way is not overridden by your interests or your fundamental rights.
Below, we have set out the purposes for which we use each category of your personal data and the lawful bases which are relevant to those purposes.
We use your basic personal information to contact you in the course of our relationship. Our lawful basis for this is our legitimate interest in communicating with you for the purposes of our relationship.
We use your payment details to pay you money that we owe you and to deduct tax and national insurance contributions where applicable. Our lawful basis for this is to perform the contract that we have entered into with you.
We use your relationship details for business management, accounting, auditing and planning. We also use your relationship details to conduct service reviews, financial reviews, to manage service delivery, to assess suitability for particular contracts, to determine service requirements and to deal with legal disputes. Our lawful basis for this in relation to suppliers is our legitimate interest in ensuring that our financial resources are deployed effectively to ensure that our business prospers. Our lawful basis for this in relation to clients is our legitimate interest in providing the best possible service and maintaining strong client relationships. Our lawful basis for this in relation to research participants is our legitimate interest in the proper management of our research activities.
We use your research information to conduct research, test hypotheses and report findings to our clients. Our lawful basis for this is consent.
We use monitoring to conduct service reviews and manage performance, to ensure network and information security, including preventing unauthorised access to our systems and preventing malware distribution, to ensure compliance with our IT and communications policies, to gather evidence for possible complaints hearings and to deal with legal disputes. Our lawful basis for this is our legitimate interests in securing our information and systems and in ensuring that you are carrying out your obligations in accordance with our contract with you and our policies and procedures.
‘Special categories’ of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. Below we have identified the further justification on which we are relying to process your special category personal data. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.
We use equality information for equal opportunities monitoring and to ensure that our premises and communications are accessible. Our lawful basis for this is our legitimate interest in ensuring that we attract, maintain and support a diverse client base and supply chain. Our further justification is that it is in the public interest to ensure meaningful equal opportunities monitoring and reporting.
We use research information (health) for conducting research, testing hypotheses and reporting findings to our clients. Our lawful basis for this is consent. Our further justification is explicit consent to use such sensitive data for this purpose. (In this instance, the law recognises that consent can be both a lawful basis and a further justification).
We use criminal records to make decisions about appointment and to check that you are legally allowed to perform any obligations you may owe to us as part of our relationship. Our lawful basis for this is our legitimate interest in ensuring the suitability of suppliers and others for the function they perform. Our further justification is that it is in the public interest to protect the public against dishonesty, unfitness or mismanagement.
7. If you fail to provide personal information
If you fail to provide certain personal information when we request it, we may not be able to perform our contract with you properly (such as paying you) or we may be prevented from achieving our legitimate interests (such as to ensure the safety and accessibility of our premises for people of differing abilities).
8. Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the lawful basis which allows us to do so.
9. Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making where we have notified you of the decision and given you 21 days to request a reconsideration, where it is necessary to perform a contract with you, or with your explicit written consent.
We will not make any decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
10. Data sharing
We may have to share your data with third parties, including clients, third-party service providers and other entities in the group. We require all third parties to respect the security of your data and to treat it in accordance with the law.
‘Third parties’ includes third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers: digital development, market research, communications consultancy, email hosting and cloud storage.
All third parties are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow third parties to use your personal data for their own purposes. We only permit them to access your personal data for specific purposes and in accordance with our instructions, or in the case of clients for the specific purposes that we have agreed with them in advance.
We may share your personal information with other third parties, for example with a potential purchaser in the context of a potential sale or restructuring of the business. We may also need to share your personal information with a regulator to comply with the law.
We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.
We will transfer the personal information that we collect about you to the following countries outside the EU: USA, Switzerland and additional non-EU Google Data center locations, a list of which is available here.
Transfers will always be subject to adequate safeguards.
These safeguards may take the form of an adequacy decision. Adequacy decisions are made by the European Commission in respect of certain countries. An adequacy decision means that the countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information. The European Commission has issued adequacy decisions in respect of Switzerland and the USA (subject to the EU-US Privacy Shield rules).
To ensure that your personal information does receive an adequate level of protection in the absence of an adequacy decision, we will put in place binding corporate rules or standard contractual clauses approved by the European Commission or the ICO to ensure that your personal information is treated by those third parties in a way that is consistent with and respects the EU and UK laws on data protection. If you require further information about these protective measures, please contact our Privacy Officer at email@example.com.
11. Data security
We have put in place appropriate security measures to protect your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those people who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
12. Data retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
We retain personal information, excluding health and safety information, for the period of our relationship with you and for 7 years after the relationship terminates.
We retain health and safety information permanently.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
13. Changes to your data
It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes during your working relationship with us. If your personal information changes, please contact our Privacy Officer at firstname.lastname@example.org.
14. Your rights
Under certain circumstances, by law you have the right to:
Request access to your personal information. This is commonly known as a subject access request. This enables you to receive a copy of the personal information we hold about you and to check that we are processing it lawfully.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal information to another party.
Request the reconsideration of an automated decision. This enables you to ask us to reconsider a decision that was made solely by automated means or to ask for human intervention.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, request that we transfer a copy of your personal information to another party or request the reconsideration of an automated decision, please contact our Privacy Officer at email@example.com.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Privacy Officer at firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.
If you have any concerns over how we use your data, please contact our Privacy Officer in the first instance at email@example.com.
If you are not satisfied that we have addressed your concerns adequately, you have the right to lodge a complaint with the ICO. Their contact details are below:
Information Commissioner’s Office
Tel: 0303 123 1113