Mirbly Ltd – Website Privacy Statement
The Purpose of this privacy statement is to explain how Mirbly Ltd processes personal data to fulfil our data protection responsibilities. This statement will be supplemented by ‘specific to client’ privacy notices when needed. The scope of this statement covers all related activities by the staff of Mirbly Ltd referred to as Mirbly for the remainder of this document.
The Role of Mirbly in data protection terms is that of a data controller where it determines the purpose and use of personal data collected. Once received it becomes the responsibility of the Mirbly privacy manager (PM) to ensure that it is processed in accordance with the latest UK data protection legislation. You can contact the PM using firstname.lastname@example.org.
The personal data processed by Mirbly will be basic contact information for the purposes of responding to general enquiries, business development, setting up invoices and to administer course attendance. In some cases, it will also be necessary to collect financial data related to individuals. If Mirbly is not given all of the required personal data, it may result in an incomplete service being provided.
Mirbly’s duty of confidentiality means that Mirbly’s staff will treat your personal data with due respect and in confidence. We will only disclose it to those that need to know it. Mirbly uses reasonable organisational and technical measures to ensure personal data is kept secure. Mirbly also expects the same duty of confidentiality of all third parties with whom it shares personal data. Sharing is kept to a minimum and is reviewed regularly.
Mirbly processes personal data against a lawful basis as described below:
• To respond to your general enquiries, to promote our services and to be able to stay in touch once you have finished your course, we will use our legitimate interests
• To comply with our legal obligations, for example HMRC for tax records
• To fulfil our contractual obligations including their prior preparation to administer your attendance on the requested courses
• When processing a pre-defined purpose for which your consent has been sought prior to that processing commencing
In all cases the processing of personal data by Mirbly shall be:
• Processed lawfully, fairly and transparently
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary (and no more)
• Accurate and, when necessary, updated
• Kept for no longer than is necessary
• Processed in a manner that ensures appropriate security
Mirbly will share personal data, but only when absolutely necessary, with some or all of the following third parties:
• The Inland Revenue (HMRC)
• Accountants appointed by Mirbly
• Pro Trainings on-line training provider
• Third-party IT support company (maintenance only)
• Employers when requested to provide details of course attendance
• Unspecified recipients but only when compelled to do so for legal reasons
Please note that bookings may be made on your behalf for on-line training provided by Pro Trainings. For further information about how Pro Trainings manage personal data, please refer to the privacy notice using https://www.protrainings.uk/privacy_policy
Mirbly follows a retention schedule to determine the length of time it holds different types of personal data. The retention schedule is shown below:
• Routine correspondence for casual enquiries in hard copy or in emails will be stored for one month
• Personal data relating to the administration of course attendance will be retained for a total of 10 years after the course finished
• Contact data is stored indefinitely unless a valid request for erasure is received from the interested data subject
• Financial records and invoices, which may include personal data, will be retained for 6 years after the end of the current tax year of processing
• By exception, documentation that includes personal data may be retained by Mirbly beyond the schedule, but only for a specific purpose and only when Mirbly believes there is a legitimate interest or a legal obligation to do so
At the end of the retention schedule Mirbly will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, it will put it beyond operational use. It should be noted that Mirbly allows up to 3 months after the retention schedule to complete the action.
The Mirbly website links to appropriate business websites of interest. If these are used, you should be aware that Mirbly has no responsibility for the control, content or handling of your personal data by these other websites.
The General Data Protection Regulation defines the rights that you have (although these do not apply in all situations). For convenience, these rights are shown below:
• Right to be informed as to how your personal data is being processed by us and this is done through this statement or specific to customer privacy notices
• Right to access your personal data held by us which is done by making a ‘Data Subject Access Request’ (DSAR) to the privacy manager
• Right to rectification of your personal data if you believe we have collected it incorrectly or it needs to be updated
• Right to erasure of your personal data for which we no longer have a legitimate purpose to process
• Right to restrict processing under certain circumstances, during which time your personal data will be out of operational use until the related matter is resolved
• Right to data portability of your personal data in a machine-readable version, as you have provided, but only applicable to data provided with your consent or under contract
• Right to object to our processing your personal data for which we do not have a legal or contractual obligation
• Rights related to automated decision making and profiling (however Mirbly does not use these techniques in its decision making)
Further details on data subjects’ rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.
Raising concerns, exercising rights or making queries about our processing of your personal data can be done by contacting the privacy manager. Please be aware that we will need to determine your identity before responding fully; therefore, you may be asked for proof of ID or other material that, in context, will enable us to confirm your identity. Alternatively, you may wish to contact the ICO directly, using the details provided above.