FibreCRM Privacy Policy

Version 1.0 | May 2018

 

 

Introduction:

 

The EU General Data Protection Regulations (GDPR) include rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are more detailed and specific than in the DPA and place an emphasis on making privacy notices understandable and accessible. To that end FibreCRM has created a robust and transparent Privacy Notice, designed to adhere to the GDPR and provide the Data Subjects with the highest possible levels of assurance and confidence in the security standards FibreCRM applies to their personal data.

 

The GDPR focuses on ensuring that privacy information is clear and understandable for data subjects. The GDPR make explicit what has always been set out as good practice.

 

As expected under the GDPR, FibreCRM will provide information to data subjects about how it processes their personal data, in a format that is:

Underpinning this privacy notice is our Personal Information Management System (PIMS), a suite of our GDPR & Data Privacy Policies and Procedures. These 25+ documents represent our commitment to data security, and evidence our qualities in relation to adhering to the GDPR and surpassing its expectations where possible. These documents are available on request, and we ask that you contact our Data Privacy Lead (Richard Jackson) in the first instance.

 

 

 

 

 

 

 

 

 

 

 

 

Index:

 

  1. Data Controller

 

  1. Data Privacy Lead

 

  1. Purposes and Legal Basis for Processing

 

  1. Our Legitimate Interests

 

  1. Third Country Transfers

 

  1. Data Retention Periods

 

  1. Data Subject Rights under the GDPR

 

  1. Consent

 

  1. Complaints

 

  1. Data Subject Obligations

 

 

 

Simon Leek (Director of FibreCRM Ltd) is the Data Controller. Simon`s contact details are as follows:

 

Data Controller:

 

Address:                      FibreCRM Ltd

Tremough Innovation Centre

Penryn

Cornwall

TR11 5GR

 

Telephone:                  020 3598 0898

 

Email:                          dpo@fibrecrm.com

 

Website:                      www.fibrecrm.com

 

Twitter:                       @fibrecrm

 

Office Hours:               09:00 to 17:30 Monday to Friday

 

 

 

FibreCRM does not employ a Data Protection Officer (DPO), as under the GDPR we are not required to do so. However, we have assigned the role of “Data Protection Lead” (DPL) to an existing member of the FibreCRM team (Richard Jackson)

 

Richard is a Certified GDPR Practitioner (IBITGQ) and the role closely mirrors that of a DPO. We apply the same standards to the DPL position as the DPO role, and FibreCRM is committed to supporting our DPL and providing all the resources required to comply with the GDPR.

 

Contact Details:

 

DPL:                             Richard Jackson

 

Address:                      FibreCRM Ltd

Tremough Innovation Centre

Penryn

Cornwall

TR11 5GR

 

Telephone:                  020 3598 0898

 

Email:                          richard.jackson@fibrecrm.com

 

 

 

FibreCRM processes personal data for Customer Relationship Management (CRM) software.

 

CRM is a strategy for managing an organisation’s relationships and interactions with customers and potential customers (prospects and/or leads).

 

CRM is designed to allow a Data Controller to manage their customer/business relationships, as a tool for growth and business development, efficiency and integration with existing/other business software tools.

 

In its simplest form, CRM provides a central location for storing customer and prospect information, and that data can be shared with internal colleagues. CRM tracks the historical interactions with customers, through telephone calls, emails, meetings and documentation.

 

Typical CRM systems will provide tools such as:

 

 

FibreCRM will only process personal data where the data subject has either confirmed their consent for us to do so, or where there is a legitimate interest. In the instance of processing on the lawful basis of legitimate interest, FibreCRM will in every case carry out a full and robust Legitimate Interest Assessment (LIA) which will include/involve the ICO`s recommended 14-point check list, and the 3-stage balancing test – as follows:

 

 

Legitimate Interest as a Lawful Basis for Processing Personal Data:         

 

“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, where the data subject is a child.”

 

 

Legitimate Interest 14-point Checklist:

  1. We have checked that legitimate interest is the most appropriate basis
  2. We understand our responsibility to protect the individual’s interests
  3. We have conducted a legitimate interest assessment (LIA) and kept a record of it, to ensure that we can justify our decision
  4. We have identified the relevant legitimate interests
  5. We have checked that the processing is necessary and there is no less intrusive way to achieve the same result
  6. We have done a balancing test (see below), and are confident that the individual’s interests do not override those legitimate interests
  7. We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason
  8. We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason
  9. If we process children’s data, we take extra care to make sure we protect their interests
  10. We have considered safeguards to reduce the impact where possible
  11. We have considered whether we can offer an opt out
  12. If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA
  13. We keep our LIA under review, and repeat it if circumstances change
  14. We include information about our legitimate interests in our privacy notice

 

 

Three Stage Balancing Test:

 

  1. FibreCRM identifies the legitimate interest(s). This is achieved through balanced consideration:

 

  1. FibreCRM applies the necessity test. This considers:

 

  1. FibreCRM carries out a balancing test. We consider the impact of our processing and whether this overrides the interest we have identified. We find it helpful to consider the following:

 

 

 

 

FibreCRM`s core business activity is the provision and subsequently product support for Customer Relationship Management (CRM) software. Our primary clients are accountancy practices, a strong market sector for CRM. On that basis our generic legitimate interest is as follows (in the case of each Data Subject we conduct a specific Legitimate Interest Assessment (LIA), the following statement is a broad description of our lawful basis for processing persona data:

 

 

 

 

 

 

FibreCRM will, on occasion, need to transfer personally identifiable data outside the EEA, to third countries or international organisations. This is necessary due to the need to access appropriate CRM product expertise which not always available in the EEA, and is for the benefit of our clients and data subjects. FibreCRM closely monitors the findings and recommendations of the Article 29 Working Party, in relation to guidelines and recommendations on data transfers, binding corporate rules and contractual clauses.

 

 

 

FibreCRM respects and adheres to all six GDPR principles of personal data processing, and based on data retention we refer to the principle of Data Minimisation.

 

Data Minimisation is a principle that states that data collected and processed should not be held or further used unless this is essential for reasons that were clearly stated in advance to support data privacy. In the General Data Protection Regulation (GDPR), this is defined as data that is adequate and/or relevant.

 

On that basis, FibreCRM retains data only for as long as is required, and at the point there is a) no requirement for retaining that data and/or b) it becomes irrelevant to the original purpose for processing – that data is erased.

 

 

 

The GDPR provides the following rights for individuals:

In each instance and with respect to each of the 8 data subject rights, FibreCRM has created a clear and transparent set of policies and procedures. These are designed to demonstrate our compliance under the GDPR, provide the data subject with the rights they are entitled to, and maintains our data protection standards and culture. These policies and procedures are freely available on request, please contact Richard Jackson (DPL) for further information.

 

 

FibreCRM does not rely on Consent as our lawful basis for processing personal data, however if at any stage we do rely on Consent as our lawful basis – we will ensure that the Data Subject is afforded the opportunity to withdraw their consent, as easily as it was to give their Consent initially.

 

 

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority (ICO in the United Kingdom), in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

 

Should the data subject desire to lodge a complaint with the ICO in relation to a perceived infringement to the GDPR in respect of data that relates to them, FibreCRM provides information to guide the data subject towards how to manage this complaint.

 

In more details, the complaint will progress in this manner:

 

 

 

 

 

 

 

 

FibreCRM processes personal data only where there is a lawful basis to do so, and it every instance provides the data subject with a clear and straightforward route to “opting out” of that data processing or to request to have their data erased.

 

There is no obligation on the data subject to provide the personal data, and there are no consequences of failure to provide it to FibreCRM.

 

 

ICO Helpline:                   

 

 

 

 

ICO Scotland:

The Information Commissioner’s Office – Scotland
45 Melville Street
Edinburgh
EH3 7HL

 

Telephone: 0303 123 1115

Email: Scotland@ico.org.uk

 

 

 

 

 

 

 

 

 

 

ICO Wales:

 

Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
Cardiff
CF10 2HH

 

Telephone: 029 2067 8400
Email: wales@ico.org.uk

 

ICO Northern Ireland

 

The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB

Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk

 

 

 

How we Protect your Information:

 

We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.

Sensitive and private data exchange between the Site and its Users happens over a SSL secured communication channel and is encrypted and protected with digital signatures.

 

Changes to this Privacy Policy:

 

FibreCRM Limited has the discretion to update this privacy policy at any time. When we do,

we will post a notification on the main page of our Site, revise the updated date at the bottom of this page. We encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect.

 

Contacting us

 

If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please contact us at:

FibreCRM Limited
http://www.fibrecrm.com

Address:          Tremough Innovation Centre
Tremough Campus
Penryn
Cornwall
TR10 9TA
United Kingdom

 

Telephone:      +44(0)203 598 0898
Email:              legal@fibrecrm.com