Call us on 03450 21 21 51

SRM Solutions
Privacy Policy

Privacy Policy

Security Risk Management Ltd (SRM) take the privacy of your data seriously and understand our obligations to ensure it is handled and managed in a secure and legal manner. This Privacy Policy explains how we use any personal information we collect about you. SRM are the Data Controller for the personal data we collect and process for our clients (and their employees), potential clients and new employees. We are the Data Processor for the services we provide to our clients.

What is this Privacy Policy for?

This Privacy Policy relates to all personal data processed by SRM, and governs the way privacy is handled to ensure that SRM operate within the law. This Privacy Policy details the areas where user privacy is relative and outlines the obligations & requirements of SRM, its users, the website and website owners. Furthermore, the way SRM processes, stores and protects user data and information is also detailed within this policy.

Additional Information:

How will we use the information about you?

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  •  Where we need to comply with a legal obligation.

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

If you no longer wish to be contacted in relation to the services we provide, please download the SRM Data Subject Rights Request Application Form and complete this document. Please then send it to gdpr@srm-solutions.com. Alternatively once completed, send to SRM at the address detailed at the end of this notice.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so.  We have also identified what our legitimate interest are, where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.  Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Data Processing

Type Data Processed Purpose Legal Basis for Processing Data Retention
Website Users We collect information about you to deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you. This information includes:
• Name
• Email address
• Contact number
This allows us to inform you of any potential updates to such services that SRM provide. Website usage information is collected using cookies. Sales contacts may be sourced from publicly available social media sources. This also allows us to study how customers use our products/ services, to develop them, to grow our business and to inform our marketing strategy. LEGITIMATE INTERESTS; processing is necessary under the legitimate interests of the Data Controller or a third party, unless these interests are overridden by the individual’s interests or fundamental rights. 3 years
Client Contracts We collect information about you to facilitate contact and communications associated with the service/s provided. This information may include: • Name • Business address • Business email address • Business contact number • Information regarding trading, billing, service and usage history • Job title and department • Answers to security questions This allows us to provide appropriate communications in conjunction with the contractual obligations for the service/s provided and its delivery. CONTRACTUAL;  processing of personal data is necessary for the performance of a contract to which the individual is a party or for the Data Controller to take pre-contractual steps at the request of the individual. 3 years
Contract Performance During the performance of a contract we may process information such as:
• User IDs and passwords • Employment history • Employee number • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade union membership • Lifestyle and sexual orientation data • Genetic data • Biometric data where processed to uniquely identify a person
This allows us to perform our contract and process information that forms part of an investigation or is discovered as part of a penetration test or other service during which we may gain access to personal information. CONTRACTUAL; processing of personal data is necessary for the performance of a contract. 3 years
Potential Customers We collect information about you to facilitate contact and communications associated with the request made. This information includes: • Name • Company Address • Email address • Contact number • Business Type This allows us to obtain an understanding of the requirements and potential scope of work to allow the development of an appropriate service work assessment and ‘quote’ to undertake such work. CONTRACTUAL; processing of personal data is necessary for the performance of a contract to which the individual is a party or to take pre-contractual steps at the request of the individual. 3 years
Potential Employees We collect information about you to facilitate initial assessment of candidate suitability for role. This information includes: • Name • Address • Email address • Contact number • Previous/current experience • Qualifications This allows us to facilitate assessing experience, qualifications and potential suitability to fulfil an advertised or future job roles. CONTRACTUAL;  processing of personal data is necessary for the performance of a contract to which the individual is a party or for the Data Controller to take pre-contractual steps at the request of the individual. 6 months of decision

Your Rights

The Right to be Informed

We are obliged to provide clear and transparent information about our data processing activities. This has been provided within this Privacy Policy and any related communications we may send you.

The Right of Access

You may request a copy of the personal data we hold about you free of charge. Once validation and verification of your identity has been conducted and where necessary the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:

a) The purposes of the processing
b) The categories of personal data concerned
c) The recipients to whom the personal data has been disclosed
d) The retention period or envisioned retention period for that personal data
e) When personal data has been collected from a third party, the source of the personal data

However, if there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If such a request is deemed to be non-serious or irritating, SRM reserve the right to refuse them. If responding to such a request is likely to require additional time and effort or incurs unreasonable costs (which you may have to meet), we will inform you.

The Right to Rectification

When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.

The Right to Erasure (the ‘right to be forgotten’)

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (i.e. otherwise in breach of the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018).
  • The personal data may be erased in order to comply with a legal obligation.

The Right to Restrict Processing

You may ask us to stop processing your personal data. We will still hold the data, but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:

a) The accuracy of the personal data is contested

b) Processing of the personal data is unlawful

c) We no longer need the personal data for processing but the personal data is required for part of a legal process

d) The right to object has been exercised and processing is restricted pending a decision on the status of the processing.

The Right to Data Portability

This allows individuals to obtain and reuse their personal data to be transferred to another controller or processor. This allows the movement, copying or transferring personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This must provide the personal data in a structured, commonly used and machine-readable form. This can be transmitted directly from one controller to another, where technically feasible.

The Right to Object

You have the right to object to our processing of your data where:

  • Processing is based on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms;
  • Processing is for the purpose of direct marketing;
  • Processing is for the purposes of scientific or historic research;
  • Processing involves automated decision-making and profiling.

In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

The Right to Withdraw

You have the right to withdraw your consent to our processing of your data at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

International Transfers

We do not transfer your personal data outside the European Economic Area.

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

Promotional offers from us

We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out

You can ask us to stop sending you marketing messages at any time by contacting us at any time.

Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase or contract with us.

Cookies

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour Information. This information is used to track visitor use of the website and to compile statistical reports on website activity For further information visit: www.aboutcookies.org or www.allaboutcookies.org or http://www.google.com/policies/privacy/

Your browser can be set to not accept cookies and the above website/s provide details of how cookies can be removed. However, be mindful that such removal may impact the website and some features may not function as expected.

Other websites

Our website contains links to other websites. This privacy policy only applies to this website so when you link to other websites, please ensure you have familiarised yourself with their privacy policies.

Social Media Platforms

Communication, engagement and actions taken through external social media platforms that the SRM website and SRM participate on are custom to the terms and conditions as well as the privacy policies held with each social media platform respectively. Users are advised to use social media platforms wisely and communicate / engage upon them with due care and caution in regard to their own privacy and personal details. This website nor its owners will ever ask for personal or sensitive information through social media platforms and encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email. The SRM website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.

Shortened Links in Social Media

The SRM website and SRM through their social media platform accounts may share web links to relevant web pages. By default, some social media platforms shorten lengthy URLs (web addresses). Users are advised to take caution and good judgement before clicking any shortened URLs published on social media platforms by this website and its owners. Despite the best efforts to ensure only genuine URLs are published many social media platforms are prone to spam and hacking and therefore this website and its owners cannot be held liable for any damages or implications caused by visiting any shortened links.

Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on this web page. This privacy policy was last updated on 23 August 2019.

How to contact us

Please contact us if you have any questions about our privacy policy or information we hold about you: By email: gdpr@srm-solutions.com or write to us at: Data Protection Team, Security Risk Management Ltd (SRM) Grainger Suite Dobson House Gosforth Newcastle upon Tyne NE3 3PF.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.