On 25 May 2018, the General Data Protection Regulation came into force across the European Union. A significant number of rules concerning the processing of personal data now apply to data controllers in the UK. As a business owner (and, therefore, a data controller), it is vital not only to make sure my business complies with the new regulation but also to ensure client data is handled in a prudent and professional manner. Every time I am entrusted with data, it is my duty to ensure all reasonable measures are taken to safeguard the confidentiality of that information. In this document, I shall outline the types of data collected, how it is processed and details of how you can request information on what data is held about you or your business.
Who am I?
The purpose of my business is to offer translation and/or proofreading services to clients upon request. I am registered as a sole trader and am consequently the sole data controller with regard to any personal information collected during the course of my professional activities.
What information do I collect?
According to the GDPR, ‘personal data’ is understood as any information that relates to a natural person. In this case, a ‘natural person’ can also mean a business. In order to run my business, I may request the following personal data from clients:
This data will never be collected without a client’s consent: when a client contacts me with a specific request (either via telephone or email), I may register their name and contact details in order to carry out the translation request. Upon successful completion of a project, I will request further information (address and, if applicable, a tax or VAT registration number) for the purpose of invoicing. There are no active cookies in use on my website.
Sometimes it may be necessary for a client to provide sensitive personal data or confidential information in order for an assignment to be completed. In such cases, I will take appropriate measures to ensure this data is not shared (intentionally or unintentionally) with third parties. This includes the use of an encrypted email server and up-to-date virus protection software. If a client provides confidential information as part of a request for an estimate of costs and decides not to proceed, I shall delete all files noted as confidential. I shall also delete any or all files upon the client’s request.
How do I use personal information?
I process personal information solely for
What legal basis do I have for processing your personal data?
Under the GDPR, I have ‘legitimate interests’ for processing personal data. These are:
When do I share personal data?
In the majority of cases, I do not share any personal data with third parties; however, this may be necessary in some cases (e.g. if I need to enlist the services of another professional to meet a client’s request). In such cases, I will obtain the client’s consent before any personal information is shared with third parties and, where appropriate, provide the client with the contact details of this third party. This will not affect your rights as a data subject under the GDPR.
Where do I store and process personal data?
Any personal data processed by my business will only be stored within the European Economic Area.
How do I secure personal data?
The following measures are in use to ensure data security:
How long will I keep your personal data for?
Under the GDPR, personal data may not be kept for longer than reasonably necessary. However, an ongoing business relationship may require personal information relating to a client to be kept for the duration of this professional relationship (i.e. I may need to refer back to past projects; previous translations/proofread texts may need to be retained for the purpose of compiling a translation memory or termbase). I will also retain contact details and invoicing details for the duration of the business relationship.
Upon a client’s request, I shall dispose of all relevant documentation by secure deletion of electronic files and the shredding of any hard copies unless I am required under UK tax law to retain this documentation/information for tax purposes.
Your rights in relation to personal data
Under the GDPR, you (the ‘data subject’) have the right to access and control your personal data. This includes:
In compliance with the GDPR, I keep a record of all personal data held (a ‘data retention document’). You can submit a request to me directly to find out what information is held regarding yourself or your business. However, this data can only be shared if doing so does not breach any other confidentiality regulations.
A data subject may also request that data concerning their natural person be deleted, but this will only be carried out if I am not required to retain this information in order to comply with other relevant regulations or laws.
If you have any questions or queries regarding the collection, processing and storage of your personal data, please contact me at the following address: firstname.lastname@example.org.