The Data Protection Principles
All personal data must be:
- Processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- Collected for specified, explicit, legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- Accurate, kept up to date; having regard to the purposes for which they are processed, is erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What Personal Data do we collect?
We may Access, Collect, Delete, Process, Store or Transmit different kinds of Personal Data about you which we have grouped together as follows:
- Identity Data includes first & last name, title, data of birth, Passport/ Driving licence details.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Marketing Data includes your preferences in receiving marketing from us and our business partners and your communication preferences.
We do not collect any Special Category Data.
Where do we get your Personal Data from?
We obtain your data via a number of methods. You may provide us with the Personal Data we hold by filling in forms or by corresponding with us by post, phone, email or otherwise. This will include information that you provide when you apply for products or services, complete and sign (electronically or by hard copy) our order form or contracts, request marketing to be sent to you or contact us through our website or complete a feedback survey or form.
We may also have received this information from publicly available sources, such as Companies House, or from third party sources including, for example, your employer, or the business you are engaged by, to whom we provide or obtain products or services.
Additionally, if you are likely to be the individual, or one of a group of individuals within the organisation where you work, who would expect to be contacted for business communications purposes, we may obtain your data via a specialist ‘b2b’ data provider.
Finally, if we provide telephony services to you, we may have issued some of this data to you e.g. your business mobile number.
What is the legal basis and purpose for our holding your Personal Data?
The Personal Data we hold and process is either necessary for the performance of a contract to which you are party (or in order to take steps at your request prior to entering into a contract), or it is necessary for our legitimate interests (or those of a third-party) and your interests and fundamental rights do not override those interests. Additionally, we may process your data where we need to comply with legal or regulatory obligations.
We do not rely on consent as a legal basis for processing your Personal Data in relation to sending Direct Marketing communications with you via email, SMS or post, however you have the right to object to Direct Marketing at any time by contacting us either by phone on 020 7503 3000 or email at the following email address: email@example.com
What do we do with your Personal Data?
Depending on our relationship with you, Aurora will process your data for a variety of purposes. We use your information to facilitate the following elements of our business operation:
What don’t we do with your Personal Data?
We do not use your information for profiling or automated decision making.
We do not knowingly collect data relating to children.
We do not sell your Personal Data to anyone.
We do not share your Personal Data with third parties unless they are providing services to us under contract or disclosure is permitted, or required, by law.
Who else do we give access to your Personal Data and why?
To facilitate our business operation, we need to share some or all of your Identity Data or Contact Data with some of our business partners.
Where your data is shared, we require all parties to provide sufficient guarantees that they have the appropriate technical and organisational measures in place to protect your Personal Data in accordance with the Regulations. We do not allow our business partners to use your Personal Data outside of the specific purpose for which we have instructed them.
Our business partners may include:
Service Providers, Application Providers, b2b data providers, Cloud Computing and Infrastructure Providers, Billing and invoicing Providers, Professional advisors, HM Revenue & Customs, regulators and any other authorities.
We need to share some or all of your Personal Data with some of our business partners in order to keep a record of your marketing preferences.
All business partners will process your Personal Data acting as either a Joint Controller or Processor, and may be based inside and/or outside the EEA (see below for information relating to storage of your data outside the EEA).
Where do we store your Personal Data?
We store all of your Personal Data inside the EU.
Where we have shared your Personal Data with a business partner, subject to the requirements below, your information may be processed by staff operating outside the EU who work for us or for one of our suppliers. That staff may be engaged in, among other things, the fulfilment of contracts with you, the processing of payment details and the provision of support services. Therefore, we may transfer some or all of your personal information to a country outside the European Economic Area (“EEA”).
The transfer may only take place, however, provided that one of the following conditions applies:
- The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
- The data subject has given his/her consent.
- The transfer is necessary for one of the reasons set out in the Data Protection Act or GDPR, including the performance of a contract between us and you, or to protect your vital interests.
- The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
- The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of your privacy, your fundamental rights and freedoms, and the exercise of your rights.
How we protect your Personal Data?
The personal information we hold has been assessed using a Data Protection Impact Analysis (DPIA). The DPIA is used to measure the potential risk to the personal information we hold relating to your freedoms and rights as individuals and any potential impact, if the information were breached or lost.
By carrying out the DPIA, Aurora Managed Services Ltd have implemented appropriate and proportionate measures to mitigate or lower those risks.
All Aurora staff are routinely trained on GDPR regulations during the course of their employment and new employees complete the required training on induction.
Staff processing data which would be considered to be of moderate to high risk to the rights and freedoms of individuals receive additional tailored regular training, and at commencement of employment with Aurora.
In addition, Aurora Managed Services Ltd have created or updated the following plans/policies:
- Breach Management Plan
- Data Protection Policy
- Data Retention
- IT Acceptable Use Policy
These policies have been updated to ensure administrative, electronic and physical security measures have been put in place to ensure the information we collect about you is protected from access by unauthorised persons and protected against unlawful processing, accidental loss, destruction and damage.
A copy of these documents are available on request.
How long do we keep your Personal Data?
We will retain your personal information for the duration that your employer or the business you are engaged by, to whom we provide or obtain products or services, works with Aurora Managed Services Ltd and for a further 36 months, with the exception of any accounting records that are required to be kept for 84 months.
What are your Personal Data rights?
If at any point you believe the personal information we hold on you is incorrect, you want us to correct or delete that information, or you no longer want us to hold that information or contact you, you can exercise your rights under the current Data Protection laws. You may contact us at any time, to:
- request that we provide you with a copy of the personal data which we hold about you;
- request that we update any of your personal data which are inaccurate or incomplete;
- request that we delete any of your personal data which we are holding;
- request that we restrict the way that we process your personal data;
- request that we provide your personal data to you or a third-party provider of services in a structured, commonly-used and machine-readable format;
- object to us processing personal data based on our legitimate interests, including profiling; or
- object to us processing your personal data for direct marketing purposes.
Your request must include your name, email address and postal address and we may request proof of your identity. Please allow at least 30 days for us to process your request.
Please note, we will not be able to delete information that is required to maintain our business purpose or that is required to facilitate a contract that is in place between your company and Aurora Managed Services Ltd.
For more information about your personal data rights, please visit the Information Commissioner Office website at: //ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/
Who do I contact if I have an issue with my Personal Data that you hold?
We are not required to appoint a Data Protection Officer (DPO) under GDPR however the person responsible for ensuring compliance with GDPR, the act and this Privacy Statement can be contacted below:
Telephone number: 020 7503 3000
E-mail address: DPO@aurora.co.uk
Postal address: Unit 10, 11 & 12, Mead Lane Industrial Estate, Merchant Drive, Hertford, Hertfordshire, SG13 7BH
If you wish to raise a complaint on how we have handled your personal data, please contact our GDPR team in the first instance.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO). Their helpdesk number is 0303 123 1113.