Who are we?
Surevine builds secure, scalable collaboration solutions for the most security-conscious organisations, joining people up and enabling collaboration on their most highly sensitive information. We do not currently host solutions for customers, so their highly sensitive information, likely containing Personal Data, is the responsibility of our customers or their hosting providers. We do build systems that allow our customers to easily comply with legislation such as the General Data Protection Regulation (GDPR) by providing features that allow users of our systems to view, amend and delete their Personal Data.
What do we mean by Personal Data?
Under the EU’s GDPR, Personal Data is defined as:
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
At Surevine we never process (i.e. collect or use) Personal Data that falls under the GDPR special categories, e.g. racial, ethnic origin, political opinions, religious belief, philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning a natural person’s sex life, or sexual orientation.
We do process Personal Data as described in section 3 below.
What Personal Data we would like to collect from you, and what will we do with it?
We process (i.e. collect and use) your Personal Data in the situations outlined below. In all cases we do not share your Personal Data with third parties unless explicitly stated below:
- Visits to our website
When someone visits surevine.com we collect standard Internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this, and let you know on the page that asks you for that information.
- Complaints in relation to data protection
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the Personal Data we collect to process the complaint and to check on the level of service we provide. We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant does not want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis. We will keep Personal Data contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for one year from closure. Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
- Job applicants
We will process the Personal Data you have shared for recruitment purposes only. If there is thought to be a good match, we will store this data securely, and we will not share it with anyone else unless your application progresses to the online assessment stage, which will be explained to you verbally on a call. If we ask you to participate in an online assessment, this requires your name and email address to be shared with a third-party vendor. We cannot estimate the exact time period we will store this data (and keep access to your online assessment), but we will consider this period over when a candidate accepts our job offer for the position for which we are considering you. When that period is over, we will either delete your data or inform you that we will keep it in our database and the online assessment tool for future roles.
- Current and former employees
As part of your employment, Surevine will collect and store Personal Data about you. This information will be accessible to you while employed, and includes but is not limited to: proof of your identity, contact details, financial information for payroll and benefits, and contact information for your references. With your agreement, we will share only the necessary Personal Data with our benefits providers to enrol you into any benefit schemes. This includes our Group Pension Scheme, Group Life Scheme, Childcare Vouchers and Cycle Scheme, all of which are managed by third parties independently responsible for your data. On termination of your employment, Surevine will remove your immediate access to the information stored about you (as part of removing your access to our IT systems), but will continue to store this information in our archives. As outlined in section 7 below, you have rights to this data and can request action to be taken by us.
Legal basis for processing your Personal Data
We will always process the Personal Data you provide in a manner compliant with the EU’s GDPR and all other legislation applicable to our business in the jurisdictions in which we operate. We will strive to keep your information accurate and up to date, and not keep it for longer than is necessary. Your Personal Data will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle. It is the responsibility of our Data Protection Officer (DPO) to ensure Surevine is compliant with current legislation.
Our DPO is:
- Contact name: John Atherton
- Address: PO Box 1136, Guildford, Surrey GU1 9ND
- Email: email@example.com
- Telephone: +44 845 468 1066
We will not pass on your Personal Data to third parties, unless it is explicitly stated in section 3 above.
We will process (store and use, as above) your Personal Data for one year unless otherwise stated in section 3 above.
As a data subject, as defined in the GDPR, you are entitled to the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you;
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete;
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records;
- Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing;
- Right of portability – you have the right to have the data we hold about you transferred to another organisation;
- Right to object – you have the right to object to certain types of processing such as direct marketing;
- Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling;
- Right to judicial review – you are authorised to bring a proceeding before a national court if you consider that your rights have been infringed as a result of unlawful processing of your personal data by us or by any third-party organisation with which we have shared your personal data.
Enacting your rights
Individuals can find out if we hold any Personal Data by making a Subject Access Request (SAR). If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
To make a SAR, for any Personal Data we may hold about you, please email our Data Protection Officer at firstname.lastname@example.org and we will respond with the process to follow.
If you are dissatisfied with the way your Personal Data is being processed, you can lodge a complaint with our Data Protection Officer.
If you are dissatisfied with the way your Personal Data is being processed or how we are handling your complaint, you have the right to lodge a complaint directly with Stuart Murdoch, who is responsible for handling those complaints, at email@example.com.
Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated on 23 May 2018 (Version 2.0).