Privacy Policy

Chiltern GRC are committed to ensuring we comply to the new General Data Protection Regulation (GDPR) as a data processor.

What information do we collect?

Chiltern GRC collects the following information about you relating to bookings and billing. This includes:

• Name
• Address
• Email Address
• Telephone

Storing your data

Your private data may be stored electronically on our servers that are based in the UK. Our computers are protected by password and anti-virus programs, and they can only be accessed by our staff members.

Why we process personal data?

Your data will be used for delivery of services requested by you. It may also be as correspondence data should we need to contact you. The legal basis of processing the correspondence data is the legitimate interest to perform a service, requested by you from us.

Your data will be used as transaction data and it may be used for financial records such as VAT invoices and it will be kept for 6 years. The legal basis of this processing are the “legal obligations” to which Chiltern GRC is subject.

Sharing your details

Chiltern GRC does not share your private data with any other third party.

Deleting your data

Once your private data is no longer relevant/needed Chiltern GRC will permanently delete the electronic files.

Data breaches

Chiltern GRC has standard procedures to protect your details against data breaches such as passwords for electronic files, that are periodically changed (every 3 months).

We back-up your data by creating an electronic copy of each document that is securely stored on our server based in the UK, that is protected by password and anti-virus program.

Chiltern GRC understands the legal requirement to report a data breach to ICO (Information Commissioner's Office) in a maximum 72 hours from the event. We also commit to inform every person that has been affected by the data breach.

Amendments

We may update this policy in order to improve our data management.

Your Rights

As a data subject you have the following rights:

• To be informed about how, why and on what basis that information is processed.
• To obtain confirmation that your information is being processed and to obtain access to it and certain other information, by making a subject access request - your request will be answered in a maximum 14 days.
• To have data corrected if it is inaccurate or incomplete.
• To have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (the right to be forgotten).
• To restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful (but you do not want the data to be erased), or where the employer no longer needs the personal information, but you require the data to establish, exercise or defend a legal claim.
• Object to the processing of your data where Chiltern GRC is relying on its legitimate interest as the legal ground for processing.

If you wish to exercise any of the rights above, please contact our data protection officer.