[Date of last review: 14th October 2022]
This policy summarises the key points about how Affinitext collects, uses and discloses personal data and ensures compliance with the laws and regulations throughout the world where we operate.
More information can be provided upon request. Defined words are in the Appendix at the end of this policy.
2. What is Personal data?
Personal data is information which relates to an individual and from which he or she can be identified either directly or indirectly through other data which Affinitext has or is likely to have in its possession. These individuals are sometimes referred to as data subjects.
Affinitext is the data processor for the personal data processed in providing the Affinitext Services and is the data controller of the Affinitext Marketing and Affinitext People personal data we process. Therefore, we are responsible for ensuring that our systems, processes, suppliers and Affinitext people comply with data protection laws in relation to the information we handle.
All Affinitext people must abide by this policy when handling personal data and must take part in any required data protection training. Any breach will be taken seriously and may result in disciplinary action.
We have a Data Protection Officer who oversees compliance with data protection laws and this policy and provides guidance and advice to Affinitext and Affinitext people as required.
In addition, our CEO oversees corporate compliance and the reporting of any failures to comply with legislative requirements, including data protection.
4. Principles of Data Protection
Affinitext has adopted the following principles to govern our use, collection and disclosure of personal data. These principles have been established to create a uniform standard across our business worldwide, taking account of the laws in the jurisdictions where we operate.
Affinitext’s core principles provide that personal data must:
- be processed fairly and lawfully and to the extent required under local law with valid and informed consent;
- be obtained for specific and lawful purposes;
- be kept accurate and up to date;
- be adequate, relevant and not excessive in relation to the purposes for which it is used;
- not be kept for longer than is necessary for the purposes for which it is used;
- be processed in accordance with the rights of individuals;
- be kept secure to prevent unauthorised processing and accidental loss, damage or destruction; and
- not be transferred to, or accessed from, another jurisdiction where these core principles cannot be met unless it is adequately protected. (See Transfer of Data).
5. Collection, Use and Disclosure
As a business, the type of data we collect and process falls into one of the following categories:
- personal data relating to potential customers, subscribers to our newsletters and other promotional materials;
- personal data obtained and created in relation to providing Affinitext Services; and
- personal data relating to Affinitext people.
Clauses 6-8 summarise how we collect and use personal data:
6. Subscribers to our newsletters and other promotional material
6.1 Types of data
Information such as name and business information (email address, job title, who you work for).
Additional information may be processed where it is provided by you, for example in correspondence, in connection with an event or in letting us know what areas you are interested in and when you wish to be contacted by us. This may include access or dietary requirements which may reveal information about your health or religious beliefs.
Our website may also collect your device’s unique identifier, such as an IP address.
Data is collected in our CRM system when you register to receive Affinitext updates, or we otherwise receive your contact details.
You will receive a notice when your details have been added to the CRM. You can revisit your profile at any time to amend your information or preferences or to provide additional details.
You will also be provided with the option to opt out and/or be removed from the CRM with each marketing communication you receive from us.
Personal data will be used to:
- complete any request you may make;
- contact you with communications about Affinitext updates, breaking news, newsletters and event invitations which we think are relevant to your interests and in line with your preferences;
- make users’ experiences more efficient and understand how we can improve the services Affinitext provides; and
- analyse what subjects are of interest to particular users so that we can improve the content in our newsletters and promotional material.
- may be transferred worldwide to our other offices, and to service providers who support the operation of our business;
- which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected;
- will not be given to other third parties, apart from in limited circumstances, such as where we run a joint workshop or a roundtable and you book onto it.
7. Providing Affinitext Services
7.1 Subject matter of the processing
Personal data is processed solely for the purpose of entering into the Licence, creating and maintaining the Affinitext Online Library and providing access and support to users of the library.
7.2 Nature and purposes of the Processing
For the purposes of data protection, the only processing that Affinitext does is listed below:
1) For the purposes of the Licence, obtain the contact details of the Licencee representative for execution, notices and invoicing purposes.
2) For the purposes of creation and/or delivery of the Affinitext Online Library:
- convert any data contained in the documents supplied by the Licencee for conversion to Intelligent Document Format (‘IDF’) and attach those documents to the Affinitext Online Library in IDF and/or the original format supplied to Affinitext (‘IDF conversion’);
- all IDF conversion is carried out on, and all personal data resides on, Affinitext-owned, Rackspace-managed, London-based or Sydney-based servers; or Oracle (Jeddah-based or Abu Dhabi-based) servers (generally on the server closest to the customer location); and
- the Cenza Technologies’ Affinitext team, located in Chennai, runs the IDF conversion on these servers.
3) For the purposes of security, capture and store login IP addresses and login details and library usage information and statistics.
4) For the purpose of prompt continuity and recovery of service, unless the customer requests otherwise, Affinitext replicates data between its Rackspace London and Rackspace Sydney data centres, which are identical in terms of accreditations, security and controls.
5) For the purposes of Affinitext Online Library and user management:
- obtain and store the names, email addresses, office addresses and/or phone numbers of nominated Licencee contacts (‘Library Authorities’);
- communicate with Library Authorities via email, phone and/or site visits regarding training, library management and user management;
- obtain and store the names, email addresses, office address and/or phone numbers of users;
- communicate with users via email, phone and/or site visits to provide access to, training and support for the Affinitext Online Library;
- provide a series of on-boarding emails after the initial set-up of the user;
- communicate with users via email, phone and/or site visits for Library support issues, refresher training, user tips, product updates and enhancements and other information about Affinitext which would assist the use of the Affinitext Online Library; and
- capture and store login details and library usage information and statistics.
7.3 Duration of the processing
For the period from the date of the licence until termination of the Licence.
7.4 Type of Personal Data
Names, usernames, email addresses, telephone numbers, office addresses and/or IP addresses.
7.5 Categories of Data Subjects
Licencee company representatives, Library Authorities, Affinitext Online Library users and data subjects as contained in the original documents provided to Affinitext for IDF conversion and/or attachment.
7.6 Plan for return or destruction of the data once the processing is complete unless required by law to preserve that type of data
Destroyed 3 years after termination of the licence unless required to do so earlier by the customer or as otherwise required by law.
8. Affinitext People
8.1 Types of data
Personal data such as name, address, contact details, education and employment history; background checks (criminal), ID and right to work status; information relating to next of kin; financial information including bank details and identifiers (e.g. National Insurance numbers); records of your use of Affinitext’s IT systems; and swipe card data.
Personal data will be collected from a number of sources including your application form/CV; providers of background checks and referees; providers of occupational health services; tracking your use of Affinitext’s IT systems; notes and records kept throughout your employment including absences, expenses claims, questionnaires, performance reviews and details of any grievances/disciplinary action; and swipe cards.
Personal data will be used for: human resources administration; assessing suitability, eligibility and/or fitness to work; learning and development; to ensure Affinitext’s information and offices are secure; and management purposes (including where necessary disciplinary purposes).
Photographs, education and career information may be used, with your permission, in marketing and promotional material for Affinitext including our website, brochures, bids and proposals.
Your personal data may be:
- transferred to our global offices, and to service providers who support the operation of our business;
- stored within Affinitext’s information systems and within third party software applications and services which support the business (when information is shared with service providers it is limited to that which is required for providing the service and will be adequately protected);
- transferred to other third parties such as our insurers, legal and other professional advisors, regulators, administrators and government departments, who may be acting as data controller;
- shared with Affinitext’s customers for the purposes of proposing or providing Affinitext services.
9. Individuals’ Rights
Personal data must be processed in line with individuals’ rights, including the right to:
- request a copy of their personal data;
- request that their inaccurate personal data is corrected;
- request that their personal data is deleted and destroyed when causing damage or distress; and
- opt out of receiving electronic communications from Affinitext.
Should you wish to make a request in line with your rights as an individual, please forward it to the Data Protection Officer.
Affinitext people must notify or inform the Data Protection Officer immediately if they receive a request in relation to personal data which Affinitext processes.
10. How to Make a Complaint
You should direct all complaints relating to how Affinitext has processed your personal data to the Data Protection Officer.
Affinitext people must inform the Data Protection Officer immediately if they receive a complaint relating to how Affinitext has processed personal data so Affinitext’s complaints procedure can be followed.
Information security is a key element of data protection. Affinitext takes appropriate measures to secure personal data and protect it from loss or unauthorised disclosure or damage. Affinitext is ISO27001:2013 certified and it is a requirement that all Affinitext people comply with Affinitext’s IS policy, which is available on the Information Security pages.
12. Transfer of Data between Jurisdictions
As a global business, personal data may be transferred between our offices worldwide due to, for example, our shared IT systems and/or cross border working. We also use a number of suppliers in connection with the operation of our business and they may have access to the personal data we process. For example, an IT supplier may see our personal data when providing software support, or a company which we use for a marketing campaign may process contacts’ personal data for us. When contracting with suppliers and/or transferring personal data to a different jurisdiction, Affinitext takes appropriate steps to ensure that there is adequate protection in place and that the principles are adhered to.
13. Contact details:
Data Protection Officer, Affinitext (UK) Limited, Unit B, 81 Curtain Road, London, United Kingdom EC2A 3AG
Appendix – Definitions
Those services provided by Affinitext under Licence to customers
any person or organisation to whom Affinitext provides a service and who is identified as a client on Affinitext’s practice management system, regardless of whether time is recorded or a fee is charged;
an individual who is a contact of Affinitext, including any customer, any potential or former client, any supplier, any consultant, or any other professional advisor and any other contact of Affinitext;
Affinitext’s relationship management systems
recorded information whether stored electronically, on a computer, or in certain paper-based filing systems;
a person who or organisation which determines how personal data is processed and for what purposes. The equivalent term under the data protection law applicable to Hong Kong is ‘data user’, under the law applicable to Singapore it is simply referred to as an ‘organisation’; and under Australian law it is an ‘agency’ or ‘organisation’;
Data Protection Officer
the person designated as the Data Protection Officer of Affinitext from time to time who can be contacted at firstname.lastname@example.org;
individual or you
the person whose personal data is being collected, held or processed;
Affinitext’s Information Security Policy;
please see the ‘What is Personal data?’ section of this policy;
Affinitext people or Affinitext person
means employees, temporary workers, agency and casual workers, contractors, collaborators, volunteers and those on work placements providing services to/working for Affinitext;
process or processing
any activity that involves use of personal data. It includes obtaining, recording or holding the personal data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties as a result of those third parties having access to it.