*’personal data’ meaning any information related to home or work (name, email, address etc..) relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection such as information related to, health, religious views, sexual orientation
The EU GDPR Regulation has been enacted in the UK by the new Data Protection Act 2018 replacing the 1998 Data Protection Act.
The Privacy and Electronic Communications Regulations (PECR)
CloudTrade operates globally but its headquarters are based in the UK making the legislation above relevant to its activities and all the personal data that it stores and processes. We communicate with individuals (including sole-traders and partnerships), but most of our communication is business to business (B2B) related and we have considered this when assessing our responsibilities to privacy.
Data Control and Information Sharing
CloudTrade acts as both a Data Controller where we collect and process personal information and as a Data Processor where we process the personal information whilst carrying out contracted activities, namely those of extracting, mapping and transferring data related to Business to Business transactions.
CloudTrade uses other GDPR compliant Data Processors to enable us to conduct our business activities. These include but are not limited to; software and cloud service providers to host and operate our data systems (Sugar CRM), including email (Office 365), our data processing platforms (Microsoft Azure), data warehousing, helpdesk (Zendesk) file sharing (Sync), password security (LastPass), web hosting (MODX/Linux) and design agencies, HR and payroll services (People Manager), auditing, banking, telephone answering service, webinar and online meeting services (GoTo Meeting/GoTo Webinar), marketing CRM and marketing platform (Hubspot) website management, website advertising and analytics (Google Analytics/Webmaster/Adwords) and third party contracted staff.
We will keep information about you confidential and we will from time to time share data across our organisation, for example for the purposes of audit and compliance monitoring. We will only use information provided for the purpose it was given and in compliance with the following stated lawful bases. We will only disclose your information with other third parties with your express consent except for the following categories of third parties:
- Insurance companies, loss assessors, regularity authorities and other fraud prevention agencies for the purposes of fraud prevention and to comply with any legal and regulatory issues and disclosures.
- Data processors; contractors and advisors that provide a service to us or act as our agents on the understanding that they keep the information confidential
- Anyone to whom we may transfer our rights and duties under any agreement we have with you
- Any legal or crime prevention agencies and/or to satisfy any regulatory request if we have a duty to do so or if the law allows us to do so.
- Where appropriate CloudTrade will have data processing agreements or clauses in place with those who process data for us and with those we process data for.
CloudTrade operates a management system and has accreditation for ISO27001 for Information Security. You can find out more about our accreditations here.
Transfer of Personal Data Outside the European Economic Area (EEA)
CloudTrade uses data processors to deliver our products and services who do store and transfer data outside the EU in compliance with the GDPR; certificating to privacy shield standards and or use of other recognised controls such as legal frameworks or model contract clauses.
Data may be processed by staff operating outside the European Economic Area who work for us or for one of our suppliers.
Personal data is only transferred and processed in countries or territories outside the EEA that are recognised as ensuring adequate levels of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Lawful base for data collection and processing
CloudTrade collects and processes personal data under four of the six lawful bases as follows. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these will apply in every instance of processing and communicating with a contact at CloudTrade.
(a) Consent: the individual has given clear consent for CloudTrade to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract CloudTrade has with an individual, or because they have asked CloudTrade to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for CloudTrade to comply with the law (not including contractual obligations).
(d) Legitimate interests: the processing is necessary for the legitimate interests of CloudTrade or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Information CloudTrade Collects and Processes
INFORMATION PROVIDED BY YOU
You provide CloudTrade with personal data (such as name, email address, telephone number, organisation name, job role, postal address, supplier number, customer number, account number) by post or paper, through website forms, by telephone, face to face meetings including events, email, live web platforms (such as Skype) or social media accounts to; make a specific enquiry, access gated information, subscribe to company news, to show interest in our products and services, use our product and service support tools (transaction portal or reporting portal) or to request helpdesk services.
If your specific consent is required, CloudTrade will ask for it at point of contact. Where specific consent is required CloudTrade will provide you with the tools to manage your consent preferences or to unsubscribe (for example, when receiving marketing information or updates about our products and services). Alternatively you can contact the CloudTrade Data Protection Officer to make an unsubscribe request at email@example.com
INFORMATION CLOUDTRADE GETS FROM OTHER SOURCES
CloudTrade, obtains and processes personal data as part of its contracted services to channel partner organisations and their customers or to direct customers. As part of that data extraction, mapping and transfer service CloudTrade will legitimately process personal data within the data it processes for those customers (for example their trading partners information on invoices we process).
Where CloudTrade does this, it is done under the lawful basis of contract or legitimate interest and as a data processer for our customer where it is their responsibility to have a lawful basis to pass that information to us.
CloudTrade also collects non-personally identifiable information to monitor performance of its website and to offer you online services using cookies as set out in our cookies policy below.
HOW CLOUDTRADE PROCESSES DATA AND HOW LONG CLOUDTRADE KEEPS THE PERSONAL INFORMATION
CloudTrade will only keep your personal information for as long as it is needed for the purposes that it was obtained and lawfully processed first.
For example, CloudTrade will keep information whilst a contract is in place and for a period afterwards, to see if you might use our services again in the future. We will then delete the data other than where it is lawfully kept for audit and legal reasons.
CloudTrade will retain prospect information for as long as a specific enquiry is being answered. Other prospects will be regularly reviewed for engagement and deleted where engagement with communication is not sustained, subject to an individual right to unsubscribe or be forgotten at any time.
Website and Cookies
Some of our pages are created using our marketing platform Hubspot. These use essential/necessary and consent banner cookies to track browsing activity and monitor performance. You can read more about these cookies here.
You will find links to third party websites on our website. These websites should have their own privacy policies which you should check.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
We collect information through cookies to ensure the content of the website and the website pathways work as effectively as possible. We use the following cookies to help us achieve this:
STRICTLY NECESSARY COOKIES
These are cookies that are required for the operation of our website and are completely anonymous. Below are examples of when or why we will use these cookies:
to help the website to function and enhance the look and feel of the website;
to ensure you are always provided with a quick and responsive browsing experience;
our web servers to respond to your actions on the website or browsing the website.
The website would not be able to work without it; and they also help to improve navigation around our website and allow you to return to pages you have previously visited.
Allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works. Below are examples of when we will use these cookies:
statistical information and log data about the number of visits to certain pages on the site;
the pages you viewed and activities you carried out during your visit;
the time and date of your visit; the duration you stayed on a certain page;
and the path taken whilst on the site.
These are used to recognise you when you return to our website. This enables us to personalise our content for you, name and remember your preferences. Below are examples of when we will use these cookies:
- as soon as you visit the website, a cookie on your device will identify you have returned to the website and record your preferences;
remembering your choice of language or region;
- and when submitting a comment to one of our blogs, the information you enter is remembered to make it easier for you to comment next time.
HOW TO TURN COOKIES OFF
If you want to delete cookies that are already on your device, you can do this by deleting your browser history or visit www.aboutcookies.org. You can also block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
You can learn more about Google Analytics or opt out if you wish. Google Analytics data is automatically deleted 26 months after your last visit.
Any social media posts or comments placed on our social media accounts (such as Twitter and Linked IN)) will be shared under the terms of the relevant social media platform on which they are written and could be made public.
Any blog, review or other posts and comments you make about us our products and services on any or our blogs, reviews or user community services will be shared with all other members of that service and the public at large.
We recommend you should review the terms and conditions and privacy policies of the social media platforms you use. That way, you will understand how they will use your information, what information relating to you they will place in the public domain, and how you can stop them from doing so if you are unhappy about it.
We do research online the social media accounts of marketing and sales contacts to better understand the relevance of our products and services to your business and job role and will only record additional information such as your linked in address or job title on our CRM database if we have a lawful base to do so, such as ‘contract’, ‘legitimate interest’ or have requested your consent.
Data Subject Rights
ACCESS AND PORTABILITY
You have the right to make a subject access request to see personal data held across CloudTrade systems about you. If a request is made to CloudTrade as the controller of your data we will promptly provide a copy of the data in a structured, common, machine-readable format (such as PDF). Our response will include details of the personal data we hold about you as well as:
Sources from which the data was obtained;
The purpose for processing the information including the lawful bases; and
Persons or entities with whom we are sharing the information.
You as the data subject have the right to transfer this data to another data controller without hindrance or consequence.
MODIFICATION AND DELETION
You can ask us to modify your data if it is inaccurate or incomplete. You have the right to be forgotten and can request that CloudTrade delete all personal data that we control about you without undue delay. Where CloudTrade is the data processor of your data under the lawful bases of ‘contract’ or ‘legitimate interest’ on behalf of a CloudTrade customer we will refer you to the data controller for these requests. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.
Note: When personal information is deleted, anonymized analytic data will remain. For example website visits or email response metrics but the personal information will no longer be available and CloudTrade will not be able to link that to a person.
CloudTrade will respond promptly to any subject data request and always within 30 days.
Contacting CloudTrade with Questions, Requests or Complaints
If you would like to make a data subject request, have any questions or queries about personal information, this policy or information security at CloudTrade or wish to make a complaint, please contact the Data Protection Officer at CloudTrade, 1-2 Hatfield’s, London, SE1 9PG or email firstname.lastname@example.org
The Information Commissioners Office (ICO) is the regulator for information security in the UK and can be contacted here.