Introduction

This GDPR (General Data Protection Regulation) policy outlines the data protection practices and procedures implemented by Ashtrot LTD (“the MSP”) to ensure compliance with the GDPR and protect the personal data of our clients and their customers. This policy applies to all employees, contractors, and third-party service providers working on behalf of the MSP within the United Kingdom. 

Scope

This policy applies to all personal data processed by the MSP, whether stored electronically or in hard copy format, and covers all stages of the data lifecycle, including collection, processing, storage, and destruction, as required by the GDPR. 

Definitions

  1. Personal Data: Any information relating to an identified or identifiable natural person.
  2. Data Controller: The natural or legal person who determines the purposes and means of the processing of personal data.
  3. Data Processor: The natural or legal person who processes personal data on behalf of the data controller.

Data Protection Principles

The MSP is committed to adhering to the following data protection principles, as outlined in the GDPR: 

  1. Lawfulness, fairness, and transparency: Personal data is processed lawfully, fairly, and in a transparent manner, ensuring individuals are informed about the processing activities.
  2. Purpose limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
  3. Data minimisation: Personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accuracy: Personal data is accurate and, where necessary, kept up to date. Reasonable steps are taken to rectify or erase inaccurate or incomplete data.
  5. Storage limitation: Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  6. Integrity and confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.

Data Controller and Data Processor Responsibilities

  1. The MSP may act as either a data controller or a data processor, depending on the specific circumstances of the processing activities. The responsibilities of the MSP are as follows:
    • Data Controller: When acting as a data controller, the MSP will ensure that personal data is collected and processed in compliance with applicable data protection laws. This includes obtaining the necessary consents, providing adequate information to data subjects, and implementing appropriate security measures to protect personal data. 
    • Data Processor: When acting as a data processor on behalf of a client, the MSP will process personal data only as instructed by the client and take appropriate technical and organisational measures to protect the data.
    • The MSP will maintain a record of processing activities that includes information about the categories of personal data processed, the purposes of processing, the recipients of the data, and any cross-border transfers, as required by the GDPR.

Data Subject Rights

The MSP recognises and respects the data subject rights provided under the GDPR, including: 

  1. Right to be informed: Data subjects have the right to be informed about the collection and use of their personal data.
  2. Right of access: Data subjects have the right to access their personal data and obtain information about how it is being processed.
  3. Right to rectification: Data subjects have the right to request the correction of inaccurate or incomplete personal data.
  4. Right to erasure: Data subjects have the right to request the deletion or removal of their personal data in certain circumstances.
  5. Right to restrict processing: Data subjects have the right to restrict the processing of their personal data in certain circumstances.
  6. Right to data portability: Data subjects have the right to request the transfer of their personal data to another organisation or receive it in a structured, commonly used, and machine-readable format.
  7. Right to object: Data subjects have the right to object to the processing of their personal data in certain circumstances.
  8. Right to lodge a complaint: Data subjects have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if they believe their rights have been infringed.

Data Security Measures

The MSP is committed to implementing appropriate technical and organisational measures to ensure the security of personal data and protect against unauthorised access, loss, or destruction. These measures include:

  1. Regular risk assessments and reviews of security controls.
  2. Access controls and user authentication mechanisms to limit data access to authorised personnel.
  3. Encryption and pseudonymisation of personal data where applicable.
  4. Regular data backup procedures to ensure data integrity and availability.
  5. Ongoing staff training and awareness programs to promote data security best practices.
  6. Incident response and data breach management procedures to promptly address any security incidents or breaches.

International Data Transfers 

If the MSP transfers personal data to countries outside the European Economic Area (EEA), appropriate safeguards will be implemented, as required by the GDPR, to ensure an adequate level of protection for the transferred data. This may include the use of EU Standard Contractual Clauses, binding corporate rules, or other approved mechanisms for international data transfers. 

Data Protection Officer (DPO) 

The MSP will appoint a Data Protection Officer (DPO) who will be responsible for overseeing the organisation’s data protection practices, providing guidance, monitoring compliance, and serving as a point of contact for data subjects and the supervisory authority (ICO).

Policy Review and Updates 

This GDPR policy will be regularly reviewed and updated to ensure ongoing compliance with the GDPR and any changes to applicable data protection laws. Employees and relevant stakeholders will be informed of any updates to this policy and associated procedures.

 


Ashtrot Managed IT Services customer privacy notice

Registered name: Ashtrot Ltd

This privacy notice tells you what to expect us to do with your personal information.

Contact details

Email: hello@ashtrot.co.uk

What information we collect, use, and why

We collect or use the following information for service updates or marketing purposes:

  • Names and contact details
  • Addresses
  • Location data
  • IP addresses
  • Website and app user journey information

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights, which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information for service updates or marketing purposes are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Where we get personal information from

  • Directly from you
  • Market research organisations
  • Suppliers and service providers

How long we keep information

12 months

Who we share information with

Data processors

Accountant

This data processor does the following activities for us: Payroll information

We have a joint controller relationship with Facebook. We process your personal information with that joint controller for the following reason: For monitoring how people interact with our website and for measuring the effectiveness of ads.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address: 

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Contact Information 

For any questions, concerns, or requests related to data protection and the GDPR, individuals can contact the MSP’s designated Data Protection Officer (DPO) HERE.

Date of Last Policy Review: November 2024