Client services privacy policy : Tuesday, April 30, 2024
Last updated: April 2024
Background
51Degrees.mobi Limited (“we”, “us”, “our”) understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone whose personal data we collect and process in the course of providing services to our clients (“Client Services”).
This privacy policy describes how we handle personal data we receive about you where you are an end user of a website operated by one of our clients.
We will only collect and use personal data in the ways that are described here, and in a way that is consistent with our obligations and your rights under the law. Please read this Privacy Policy carefully.
This policy was last updated on the date that appears at the top of this page.
1 About Us
51Degrees.mobi Limited is the company that operates the Cloud Services and is a limited company incorporated in England under company registration number 07397529, whose registered address is located at 51Degrees, Davidson House, Forbury Square, Reading, Berkshire, RG1 3EU, United Kingdom.
When we receive your personal data, we do so in connection with either one of the arrangements described below, as agreed in advance with our clients.
Processor arrangement. Where we receive and process your personal data only for the purposes of providing our online, cloud-based services to a client (“Cloud Services”) then we will not make any decisions over that data and instead process that data on behalf of our client on their instructions only. Please see https://51degrees.com/pricing for further information regarding these services. Where this arrangement applies, we do not store your personal data for longer than required to provide the Cloud Services to the applicable client whose website is the source of that data (“Client”). This client will be the controller of your personal data for the purposes of data protection law. This means that the Client decides why and how your personal data is processed and their privacy policy (and not this policy) will apply. Consequently, please refer to the relevant website’s privacy policy for details regarding the Client’s handling of your personal data where this arrangement applies.
Controller arrangement. Where we receive and process your personal data for dual purposes (to provide the Cloud Services to the Client as well as to make subsequent use of that data in connection with Client Services we provide to other clients) then:
we are ‘joint controllers’ with the Client for the processing of your personal data involved in providing our Cloud Services to that client (the collection of that data and transmission of personal data to the client). This is because we are receiving your personal data for purposes relating to both our and our Client’s businesses, which we have jointly agreed with the client. As ‘joint controllers’, under applicable data protection laws our clients are jointly responsible with us for the processing of the personal data we receive about you in connection with the Cloud Services. We are not responsible in relation to the Client’s processing of your personal data that it receives from us (see further the final paragraph in this Part 1 below). We do not receive any contact information about you when we receive your personal data and have no direct control over the content of our clients’ websites. For this reason, we make it a condition when providing our Cloud Services that our client agrees to take primary responsibility under all applicable data protection laws for our processing of your personal data to provide the Cloud Services and to comply with those laws, except in relation to the security of that data whilst in our care. In particular, we agree with our clients that it is their responsibility to obtain your consent for our processing to provide the Cloud Services and in relation to any of the rights listed in Part 9 ‘What Are My Data Protection Rights?” that you choose to exercise. You can find out more about the essence of our arrangement with our clients in this policy;
we are an independent controller in relation to any processing of your personal data when using this to provide Client Services to other clients. This is because we (alone) decide why and how this data is used without the involvement of the Client;
our Client is an independent controller in relation to any other personal data that it processes about you, including any personal data it receives from us. To find out more about a particular Client’s personal data handling, please refer to its privacy policy, which is usually accessible from the website you are visiting.
2 What Does This Policy Cover?
This Privacy Policy applies only to our receipt and use of your personal data in connection with our Client Services including our Cloud Services.
You can find out more about our Client Services by visiting https://51degrees.com/ but in summary, these are online services that we offer to website operators who use the services in connection with their websites (each a “Client Site”) for a variety of uses (including but not limited to obtaining information to tailor content or for website optimisation on the Client Sites, insight and/or analytics purposes), as disclosed in their privacy policies.
We make use of the personal data we collect whilst operating the Cloud Services to provide other Client Services i.e. additional products and services that we provide to our clients.
3 What Data Do We Use?
We may obtain some or all of the following personal data from you if the operator of the website you are visiting is our client and has integrated our Cloud Services into their website (collectively, “Device Data”):
The internet protocol (IP) address from which you are connecting to the Client Site
The model and type of device you are using to access the Client Site
The type and version of the operating system, browser and other software applications that you are using on your device to access the Client Site
The website address of the Client Site you are visiting and referrer HTTP headers
The location (by way of longitude and latitude) from which you are accessing the Client Site
IP address routing information relating to your visit
Device Data is automatically collected from you when you visit a Client Site and, where the Client is required to do so by law, where you have provided your consent to the Client for this data to be obtained from your device. We require all our clients to include a notice in their privacy policies to ensure that the operation of our Cloud Services is brought to your attention, and to make clear whether a processor or controller arrangement applies. See further Part 1 ‘About Us’ above.
None of the Device Data can by itself be used by us to identify your real-world identity such as your name or email address and we include restrictions in the agreements with our clients prohibiting them from providing any information about you that would allow us to do so.
Our Cloud Service may use your browser’s session storage and/or session cookies which we consider to be essential to improve operational performance for our Clients. By default, session cookies will not be written unless enabled by the Client Site, where it is their responsibility to obtain your consent.
Your browser will clear any session storage and/or session cookie data once the visit to the Client Site ends. This session storage and/or session cookie is only accessible by us.
If you correspond with us or otherwise contact us in connection with the policy, we will also collect any personal data included in those communications (“Correspondence”).
4 How Do You Use My Personal Data?
To comply with data protection laws, our clients (and us too, where we are also a controller) must always have a legal reason (known as a ‘lawful basis’ under data protection law) for using your personal data.
In respect of any processing of your personal data for the purposes of us providing the Cloud Services to our clients/our clients receiving the Cloud Services, we and any client with whom we are a joint controller, process your personal data only where our client has obtained your prior consent. As we do not receive any contact information about you when we receive your personal data and have no direct control over the content of any Client Sites, the client whose Client Site you are visiting is responsible for obtaining your consent.
You have the right to withdraw your consent at any time. Please see further Parts 9 and 10 of this policy below.
In respect of any further processing of your personal data that we process as an independent controller in connection with our Client Services, we process this on the lawful basis that the processing is necessary for us to pursue a legitimate interest relating to our business – the development and provision of current and new services to our clients to grow our business. The only exception to this is where we process your Correspondence and other personal data on the lawful basis that it is necessary to comply with our legal obligations (e.g. for the purposes of dealing with complaints or complying with your requests where you exercise your legal rights - see Part 9 for further details).
We may anonymise the Device Data to provide Client Services to our clients. Once the Device Data is anonymised it is no longer your personal data and cannot be converted back into your personal data.
5 How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
We retain your Device Data indefinitely as the nature of the Client Services we provide means that we, in part, rely on access to historic data. As mentioned above, none of the Device Data is linked to your real-world identity such as your name or email or postal address. If we no longer require any Device Data for the purposes set out in this policy, we will delete this data in accordance with our legal obligations.
We retain your Correspondence Data for 7 years from the date we receive it (or if related to a claim or legal request, 7 years from the end of the conclusion of that claim or request)
The only exceptions to the periods mentioned above are where:
you exercise your right to have your personal data erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law (see further Part 9 ‘What Are My Data Protection Rights?’);
you exercise your right to require us to retain your personal data for a period longer than our stated retention period (see further Part 9 ‘What Are My Data Protection Rights?’);
we bring or defend a legal claim or other proceedings during the period we retain your personal data, in which case we will retain your personal data until those proceedings have concluded and no further appeals are possible;
the terms of our contract with our client require that we delete, destroy or return your personal information sooner; or
in limited cases, existing or future law or a court or regulator requires us to keep your personal data for a longer or shorter period.
We may retain anonymised data derived from your personal data for as long as we require it for our business purposes. Such anonymised data will not identify you and may be derived from personal data in respect of which you have exercised your legal rights of erasure or restriction.
6 Where Do You Store or Transfer My Personal Data?
All information you provide to us may be transferred to countries outside the UK and European Economic Area (“EEA”). These countries may not have similar data protection laws to the UK and so may not protect the use of your personal information to the same standard. If we transfer your information outside of the UK and EEA, we will take steps to ensure that appropriate security and legal measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Privacy Statement. These steps include ensuring the non-UK/EEA countries to which transfers are made have been deemed adequately protective of your personal information under data protection law, imposing contractual obligations on the recipients of your personal information using provisions formally issued by relevant bodies for this purpose and/or ensuring that the recipients are subscribed to ‘international frameworks’ that aim to ensure adequate protection. Please contact us using the details at the end of this Privacy Statement for more information about the protections that we put in place and to obtain a copy of the relevant documents.
7 Security
The security of your personal data is essential to us, and to protect your data, we take a number of important measures, including use of computer servers in a controlled, secure environment which is protected from unauthorised access, use or disclosure and when personal data is transmitted to or from us, it is securely encrypted.
8 Do You Share My Personal Data?
Device Data is automatically collected from you when you visit a Client Site and transmitted to us. We share your Device Data with the client to whom we provide our Cloud Services and, where we have a controller arrangement in place, with other clients to whom we provide Client Services.
We may share your personal data with other companies in our group for administration purposes and to provide the Cloud Services. This includes subsidiaries and our holding company and its subsidiaries.
We may disclose your information to our third party service providers, agents and subcontractors (collectively, “Suppliers”) for the purposes of providing services to us or directly to you on our behalf, including the hosting or other operation and maintenance of our Cloud Services. Our Suppliers can be categorised as follows:
Recipient / relationship to us | Industry sector (and sub-sector) |
---|---|
Cloud software system providers, including database and document management providers | IT (Cloud Services) |
Customer care/services providers | Customer Services (Support) |
Facilities and technology service providers including scanning and data destruction providers | IT (Data Management) |
Legal, security and other professional advisers and consultants | Professional Services (Legal & Accounting) |
Website and data analytics platform providers | IT (Data Analytics) |
Website and App developers | IT (Software Development) |
Website hosting services providers | IT (Hosting) |
If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party's obligations under the law.
If any personal data is transferred outside of the UK and EEA, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK/EEA and under relevant data protection laws, as explained above in Part 6.
In limited circumstances, we may disclose your personal information to other third parties as follows:
any third party who is restructuring, selling or acquiring some or all of our business or assets or otherwise in the event of a merger, re-organisation or similar event; and
if we are under a duty to disclose or share your information in order to comply with any legal or regulatory obligation or request, including by the police, tribunals, courts, government authorities or regulators.
9 What Are My Data Protection Rights?
Under relevant data protection laws, you have the following rights, some of which may only apply in certain circumstances:
9.1 The right to be informed about our collection and use of your personal data. This Privacy Policy should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 11.
9.2 The right to access the personal data we hold about you. Part 10 will tell you how to do this.
9.3 The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 11 to find out more.
9.4 The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Part 11 to find out more.
9.5 The right to restrict (i.e. prevent) the processing of your personal data.
9.6 The right to object to us using your personal data for a particular purpose or purposes.
9.7 The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
9.8 Rights relating to automated decision-making and profiling. We do not use your personal data in this way.
9.9 The right to withdraw your consent. The collection and transmission of your personal data to us is based on your consent which you can withdraw at any time. Any processing of your personal data before you withdraw your consent will remain lawful provided it otherwise meets all necessary legal requirements. Please see Part 10 ‘How Can I Exercise My Data Protection Rights?’ for details regarding how to withdraw your consent.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 11 below.
Further information about your rights can also be obtained from the Information Commissioner's Office or your local Citizens Advice Bureau.
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner's Office.
10 How Can I Exercise My Data Protection Rights?
If you wish to exercise any of the data protection rights listed above in Part 9 in relation to our Cloud Services, please contact the operator of the website that you have visited in the first instance.
We specifically require our clients to provide you with a feature on their Client Sites to allow you to withdraw your consent to use of Device Data for the purposes of the Cloud Services. Once you withdraw your consent, we will no longer receive Device Data via the relevant Client Site. Please see below regarding use of Device Data that we have already received prior to your withdrawal request.
If you wish to exercise any of the data protection rights listed above in Part 9, in respect of which we are an independent controller (as described in Part 1 above), including the right to know what personal data we have about you, you can simply ask us using our contact details. Any such requests are known as "data subject rights requests".
We may ask you for information to verify your identity at the time you first contact us and, where applicable, may ask you to help us with focusing our search for your data, where possible.
In respect of Device Data, owing to its nature, we are unlikely to be able to identify which of that data relates to you without further information. In respect of processing where a controller arrangement applies, where you are able to provide this information (either directly to us or the relevant client), we will comply, where applicable, with our legal obligations to fulfil your data subject rights requests, including where you withdraw your consent. In respect of any Device Data that we cannot link to you, we shall be under no obligation to provide access or to delete, restrict or otherwise fulfil any other type of data subject rights request.
You can make a data subject rights request by contacting us using any method of communication. However, to allow us to smoothly and efficiently deal with your rights requests, please make your request in writing and send this by email or post to us to the relevant addresses shown in Part 11.
We do not usually charge for a dealing with a data subject rights request. If your request is 'manifestly unfounded or excessive' (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in dealing with your request.
We and our clients will use technical means to fulfil consent withdrawal requests, which will usually apply within 48 hours of your request. Otherwise, we will respond to your data subject rights request within one calendar month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress and the timescales envisaged for our resolution of your request.
11 How and to Whom Can I Send Queries and Complaints?
If you have any queries or complaints regarding our use of your personal data in relation to our provision of Cloud Services, please contact the operator of the website that you have visited in the first instance.
In respect of any queries or complaints you have in respect of our processing of your personal data for which we are an independent controller (as described in Part 1 above), including to make a data subject request, please use the following details:
Email address: contactus@51degrees.com.
Postal Address: 51Degrees, Davidson House, Forbury Square, Reading, Berkshire, RG1 3EU.
12 Changes To This Privacy Policy
We may change this Privacy Policy from time to time. This may be necessary, for example, if the law changes, or if we change our Client Services or business in a way that affects the way we process or handle your personal data.
Any changes will be posted on this website so we recommend that you check this page regularly to keep up-to-date.