Your personal data – what is it?
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, address, full IP address, etc.). Identification can be by the information alone or in conjunction with any other information. The processing of personal data is governed by the Data Protection Bill/Act 2017, the General Data Protection Regulation 2016/679 (the “GDPR”) and other legislation relating to personal data and rights, such as the Human Rights Act 1998.
Your rights and your personal data
When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.
- The right to access information we hold on you
At any point you can contact us to request the information we hold on you as well as why we have that information, who has access to the information and where we obtained the information from. Once we have received your request we will respond within one month.
There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee.
- The right to correct and update the information we hold on you
If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.
- The right to have your information erased
If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold.
When we receive your request we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example, because we need it for our legitimate interests or regulatory purpose(s)).
- The right to object to processing of your data
You have the right to request that we stop processing your data. Upon receiving the request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims.
- The right to data portability
You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.
- The right to withdraw your consent to the processing at any time for any processing of data to which consent was sought.
You can withdraw your consent easily by telephone, email, or by post (see contact details below).
- The right to object to the processing of personal data where applicable.
- The right to lodge a complaint with the Information Commissioner’s Office or your country equivalent.
How we use your information
We use the information we collect in various ways, including to:
- Provide, operate, and maintain our Services;
- Understand and analyze how you use our Services;
- Develop new products, services, features, and functionality;
- Communicate with you, either directly or through one of our partners, including for customer service, to provide you with updates and other information relating to the Service, and for marketing and promotional purposes;
- Process your transactions;
- Find and prevent fraud; and
- For compliance purposes, including enforcing our Terms of Service, or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.
Visitors to our websites
When you visit Secfirst.org you are visiting a website hosted using Amazon Web Services in Dublin, Ireland. (See “Use of data processors,” below.)
We utilise an open-source tool, Matomo, to collect standard internet log information and details of visitor journeys. We do this to find out things such as the number of visitors to the various parts of the site and see what users think is most useful. This information is only processed in a way which does not identify anyone; for example, full IP addresses are not collected and data is deleted after three months at most. We also respect do-not-track and advise everyone we know (we do it ourselves) to use tools such as VPNs, uBlock Origin and Privacy Badger.
The tool is hosted on a Digital Ocean instance in The Netherlands. (See “Use of data processors,” below.)
We use a third party provider, Mailchimp, to deliver occasional e-newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. (See “Use of data processors,” below.)
People who contact us via social media
We utilise Facebook, Twitter, Instagram (no idea why we do that because it’s mostly pictures of people posing and trying to look cool), LinkedIn and Hootsuite to manage our social media interactions with the public.
If you send us a private or direct message via social media the message will either be immediately deleted, if sensitive, or held for a maximum of one month. It will not be shared with any other organisations.
People who email us
We use a standard measure, Transport Layer Security (TLS), to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. We use PGP where possible and most of our internal communication utilises end-to-end encryption.
People who message us
When possible we utilise end-to-end encrypted tools to increase the security of our communication, including Signal and WhatsApp.
Job applicants, current and former employees
Security First is the data controller for the information you provide us unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at firstname.lastname@example.org.
Use of data processors
Data processors are third parties who provide elements of our services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Amazon Web Services:
Complaints or queries
Security First tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Security First’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information, you can contact us at email@example.com.
Access to personal information
Security First tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998 or the GDPR when it comes into force on the 25th May 2018.
If we do hold information about you we will:
• give you a description of it;
• tell you why we are holding it;
• tell you who it could be disclosed to; and
• let you have a copy of the information in an intelligible form.
To make a request to Security First for any personal information we may hold, you need to put the request in writing, addressed to our Data Protection Officer.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting our Data Protection Officer.
Transfer of Data Abroad
Any electronic personal data transferred to countries or territories outside the EU will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union.
If we wish to use your personal data for a new purpose, not covered by this Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 12th May 2018.
How to contact us
Data Protection Officer,
Global Security First Ltd.
Ground Floor, 2 Woodberry Grove,