Privacy & Data Protection Policy

INTRODUCTION AND TERMS

MH (GB) Limited (which is trading under the name of Mactavish) (“We” or “Us”) are committed to protecting your personal data and privacy.

This privacy policy relates to how we use and collect personal data from you through your use of this website or when you purchase a product or service from us or work for us.

It also sets out to the way we use any of your personal information you might provide to us by telephone, in written correspondence (including all forms of electronic communications) and in person.

When you provide personal data to us, we are legally obliged to use your information in accordance with all applicable laws concerning the protection of such information. This includes the Data Protection Act 1998 and 2018 (DPA), and the General Data Protection Regulation 2016 (GDPR). We refer to these as “Data Protection Laws”.

This privacy policy is part of our terms of business. It is amended periodically as required and continuously published on https://www.mactavishgroup.com/privacy-policy/.

HOW YOU CAN CONTACT US

For the purpose the Data Protection Laws, the data controller is MH (GB) Limited, registered under company number 04099451.

If you wish to receive further information about our privacy policy, please write to us or call us using the following details:

MH (GB) Limited (trading as Mactavish)

Exeter office                                                     London office

Hertford House                                                 5 Chancery Lane

Southernhay Gardens                                       London

Exeter EX1 1NP                                                EC4A 1BL

Email: compliance@mactavishgroup.com

Telephone: 01392 344955/020 7406 7486 (to speak to Ian Glanville, Finance Director),

or 01392 344958 (to speak to Annette Soeller, Legal and Compliance Manager)

DATA WE COLLECT

Based on our type of business, we collect and process personal data. This data includes the following:

Identity Data – which includes first name, last name, professional title/position, organisation

Contact Data – which includes email address, telephone numbers, office address

Employment Data – which includes our employees previous, current and future employment details

Technical Data – which includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website

Usage Data – which includes information about how you use our website

Marketing and Communications Data – which includes your preferences in receiving marketing from us and communication preferences.

Monitoring Data – which includes, for example, if you visit our Chancery Lane office in London your image may be recorded on CCTV for security purposes.

Additional Data

We also collect and use but do not share Aggregated Data (such as statistical or demographic data) for any purpose. Aggregated data is data that can be derived from your personal data but is not legally considered to be personal data as it will not directly or indirectly reveal your identity. We do not combine aggregated data with your personal data for any purpose.

Please note that occasionally we may collect and/or process other personal data.

We prefer to only collect data from you directly (with the exception of a third party acting solely on your behalf, for example a recruitment agency) but occasionally purchase GDPR compliant data-sets for outbound calling from third parties (which is restricted to Contact Data only).

We do not collect the following sensitive types of personal data about you: details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your genetic or biometric data.

IF YOU DO NOT PROVIDE US WITH YOUR PERSONAL DATA

We collect personal data either by law or under the terms of a contract we have with you. If you decide not to share required data with us when lawfully requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, provide you with our services or employ you).

HOW WE WILL USE YOUR DATA

We use information held about you to:

  • carry out our obligations arising from any contracts entered into between you and us and to provide our services
  • carry out research on our services, and
  • notify you about our services or changes to our services

We do not sell your data to anyone.

We share your data with third parties only where there is a legal obligation for us to do so. We will not process your personal data without your knowledge or consent unless we are required or permitted to do so by law.

You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by replying directly to the sender of a marketing message sent to you by us.

LAWFUL BASIS FOR COLLECTING & PROCESSING YOUR DATA

We only collect and process your data when lawfully permitted to do so.

The applicable lawful bases are:

Consent – in the first instance and where possible, we will seek to obtain your consent to process your data.

Contractual – this applies to processing of data necessary for the performance of a contract with you.

Legal Obligation – this applies to processing of data necessary to comply with the law (e.g. safeguarding our employees, visitors, contacts etc.)

Legitimate Interest – we only rely on legitimate interest where the processing of your personal data, in our opinion, does not affect your rights of freedom and is proportionate to our interests.

Please see below a list of our general activity types (including lawful basis)

Activity Type:

Registration of a new customer

Type of data we collect:

  • Identity Data
  • Contact Data

Lawful basis we rely on:

  • Contract
  • Consent

To deliver and improve our services to you including

  • Provision of project reports/analyses

Type of data we collect:

  • Identity Data
  • Contact Data
  • Marketing & Communications Data

Lawful basis we rely on:

  • Contract

Managing our relationship with you including

  • informing you about changes to our business and services
  • managing staff

Type of data we collect:

  • Identity Data
  • Contact Data
  • Marketing and Communications Data
  • Employment Data

Lawful basis we rely on:

  • Contract
  • Consent

To deliver and improve our website and marketing of our services to you

Type of data we collect:

  • Identity Data
  • Contact Data
  • Technical Data
  • Usage Data
  • Marketing & Communications Data

Lawful basis we rely on:

  • Consent
  • Legitimate Interests (to develop our services and grow our business)

HOW WE SHARE INFORMATION AND WHO WITH

We keep your information within our organisation except where disclosure is required or permitted by law or when we use third party service providers (data processors) to supply and support our services to you.

We have contracts in place with our service providers. This means that they cannot do anything with your personal data unless we have instructed them to do so as required or permitted by law (for example, based on your consent). They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Service providers which may receive your personal data from us are:

  • Our accountants
  • Our bank
  • Our email provider and our IT support
  • Our office management/premises management provider
  • Those Identification and Verification providers (Disclosure & Barring services) we might use from time to time

Please note that third parties may provide us with your personal data (for example, recruitment agents), in particular when acting on your behalf.

WHERE YOUR DATA IS HELD

Your data is stored by us and our processors in the UK, EEA or in a country where an adequacy decision has been made by the European Data Protection Board (EDPB). Where we transfer your personal data outside of the EEA, we will ensure that all appropriate technological and organisational measures are in place to provide your data with the levels of protection as required under the Data Protection Laws.

We operate out of two offices, London and Exeter. Data is shared regularly between these offices and we take the appropriate steps to ensure your data is fully protected when transferred between our offices.

APPLICATIONS TO WORK FOR US

If you apply to work for us, we may receive data about you from third parties (recruitment agents, referees etc). We will keep the details of your application and any additional information provided to us by you or others only during the recruitment process. Once a role has been filled and you have not been successful your personal data will be securely deleted from our system.

HOW LONG WE KEEP DATA

We maintain a data retention schedule. If you wish to make an inquiry regarding how long we keep certain data, please submit a written request to the contact details provided in this policy.

YOUR RIGHTS

Under the Data Protection Laws your rights are:

  • To be Informed – we must make our privacy policy available and accessible to you to keep information about how we process your data transparent.
  • To have Access to your data and request Portability of your data – you are entitled to find out what details we may hold about you and why and we are aiming to be fully transparent in terms of what data we are holding and giving individuals access such data. You can make a formal request to us anytime by writing to us using the contact details provided in this policy. If we do not hold information about you, we will confirm this in writing using the contact details you will have provided us with when contacting us. If we do hold your personal data, we will respond in writing within 21 days of your request (if submitted in accordance with this policy). The information we will supply you with will include:
    • Confirmation whether your data is being processed
    • Verification of the lawfulness and the purpose of the processing
    • Confirmation of the categories of personal data being processed
    • Confirmation of the type of recipient to whom the personal data has been or will be disclosed
    • A copy of the data in a format we feel is suitable for disclosure or reasonably required by you
  • To request Rectification – we are obliged to correct or update your details which we will do without delay provided you make a request in writing to the contact details provided in this policy setting out which data is incorrect or out of date
  • To request Erasure – (also known as the right to be forgotten) which applies under specific circumstances and we require a request for erasure of your personal data to be made in writing to the contact details provided in this policy. As without certain data we might not be able to fulfil our legal obligations, a request for erasure will be decided strictly on an individual basis.
  • To Restrict Processing – which means you can limit or block the processing of your personal data by us. A request for restricted processing must be made in writing to the contact details below. As we might not be able to fulfil our legal obligations if processing of your data is restricted, a request to restrict processing will be decided strictly on an individual basis.
  • To Object to Direct Marketing, Automated decision making and profiling – please note we do not use automatic decision making or profiling
  • To Complain about the processing of your personal data – if you wish to express your concerns about the processing of your personal data by us, please contact us using the details provided in this policy. You also have the right to complain to the Information Commissioners Office following their standard process as set out on their website, http://www.ico.gov.uk.

Please note that you may need to provide identification in order to prove who you are when contacting us in respect of your rights under the Data Protection Laws.