HewardMills – Privacy Notice

Who we are

HewardMills Ltd is a Data Protection Officer (DPO) service which provides the best available DPO support for organisations globally. It provides regulatory advice to help clients comply with data protection laws and regulations including the GDPR, ePrivacy Regulations and cybersecurity requirements as well as the legal and regulatory requirements arising from emerging technologies (collectively our ‘Services’).

We want to tell you what happens when we use information about you (your ‘personal data’) when you use our website, use our Services or apply for a job.

HewardMills Ltd is the controller of the personal data we process, unless otherwise stated. HewardMills is registered with the UK data protection regulator, the Information Commissioner’s Office (ICO), with registration number ZA340211. If you have any questions about this privacy notice or our privacy practices, please contact us in any of the following ways:

  • By email at: dpo@hewardmills.com
  • By post at: 77 Farringdon Road, London EC1M 3JU
  • By phone at: +44 20 4540 5853

When you visit our website

What are we doing?

When you visit our website, we use a plug-in cookie that helps us disable all cookies. As such, you can browse our site without being tracked.

What personal information is collected?

No personal information is collected through the use of this cookie. However, if you contact us via email on our website, we will collect your contact information and use it in accordance with the explanation provided below.

Who do we share it with?

We do not share your contact information collected through the website with third parties.

What is our legal basis for doing this?

In providing your contact information to us you consent to the use of that information for our business purposes and to respond to your inquiry.

Automated Decision-making

HewardMills does not engage in automated decision making when you visit our website.

When you contact us or use our Services

What are we doing?

When you get in touch with us, or start using our Services, we use your personal data to respond to you or help you understand our Services. If you become a client, we will also process some of your financial data as necessary for invoicing and payment.

What is the information?

The information is likely to be your contact details, any financial details relevant to payments and whatever else you choose to provide to us, so that we can reply to you or provide you with a Service.

Where do we keep it?

We use various service providers to deliver our Services to you, such as Microsoft case management systems, and cloud storage and hosting providers for business purposes. We also use a suite of communication tools appropriate and suitable to our business needs.

Who do we share it with?

We share financial information with our bank, financial professionals such as accountancy services, government bodies such as HM Revenue & Customs (HMRC) and where we have a legal obligation to do so.

What is our legal basis for doing this?

Where you are discussing becoming our client or become our client, the legal basis for processing that data is contract. Where we are required to process the data for statutory obligations or common law, we use the legal basis of legal obligation.

Automated Decision-making

There is no automated decision making about you when you contact us or use our services.

When you book a Health Check

What are we doing?

When you get in touch with us to schedule a meeting with one of our local experts to hear about our Health Check Service, and subsequently book a Health Check Service, we use your personal data to contact you and deliver the Service.

What is the information?

The information is likely to be your contact details and any information necessary to deliver and invoice the Health Check.

Where do we keep it?

We use various service providers in relation to our Health Check Service, such as Unbounce, Calendly, Microsoft case management systems, cloud storage and hosting providers. We also use a suite of communication tools appropriate and suitable to our business needs.

Who do we share it with?

We share financial information with our bank, financial professionals such as accountancy services, government bodies such as HM Revenue & Customs (HMRC) and where we have a legal obligation to do so.

What is our legal basis for doing this?

Where you are discussing becoming our client or become our client, the legal basis for processing your data is contract. We use your personal data in our legitimate interest as part of the administration and management of our relationship with you. Where we are required to process the data for statutory obligations or common law, we use the legal basis of legal obligation.

Automated Decision-making

There is no automated decision making about you when you contact us or use our Audit Service.

Dedicated Web Site and Cookies

Our service providers Unbounce and Calendly use cookies. Detailed information is provided upon opening of the dedicated web pages.

When you apply to work with us

What are we doing?

When you get in touch with us to apply for a job, we process information about you to understand whether you are suitable for the role.

What is the information?

The information is likely to be your contact details and information about your work history included in your CV and covering letter.

Where do we keep it?

We use Microsoft as our cloud provider to hold information. We may also keep some information in hard copy. Where your application is unsuccessful, we keep your CV for six months before deletion, unless you tell us otherwise.

Who do we share it with?

We will only share information as part of the work application process where there is a need to obtain references.

What is our legal basis for doing this?

Where we are considering your application, we use the legal basis of contract. On some occasions, we may need to process special categories of personal data where we have an employment law obligation to do so for your future employment with us.

Automated Decision-making

There is no automated decision making about you when you apply to work with us.

International transfers

As part of our Services to you we may transfer personal data to service providers and/or other parts of our offices located around the world. Whenever we transfer your personal data which requires adequate safeguards in place, we ensure a similar degree of protection is afforded to it by ensuring the appropriate safeguard is implemented.

We will transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For transfers outside of the European Economic Area (EEA), we use specific mechanisms, such as Standard Contractual Clauses approved by the European Commission.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. Such security measures include, but are not limited to, access controls and password protection. We work with service providers to ensure an appropriate level of security is in place for the requirements of the business.

Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

When we determine the appropriate retention period for personal data we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Your rights

Under certain circumstances you have rights under data protection laws in relation to your personal data. You have the following rights over your personal data.

  • Request access to your personal data. This is known as a subject access request, where you can request access to information we may hold on you.
  • Request correction of your personal data. This means you can ask us to correct personal data which may be incorrect, out of date or incomplete.
  • Request erasure of your personal data. In some circumstances you may have your data deleted. For example, when you withdraw consent, or object and we have no overriding legitimate interests to hold your data. Similarly, we may carry out your request for erasure when the purpose for processing your personal data has come to an end.
  • Object to processing of your personal data.
  • Request restriction of the processing of your personal data.
  • Request transfer of your personal data. This is known as the right to portability, where we can provide your personal data to you, or to a third party you have chosen, in a structured, commonly used, machine-readable format.
  • Where you have given HewardMills consent to use your personal information for any of the above-mentioned purposes, you have the right to withdraw that consent at any time.

In the event where we send marketing communications of interest to you, you will have the right to opt-out of marketing at any time.

How to make a request

To make this sort of request, please contact us directly. You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may have to verify your identity to ensure we are fulfilling a request for the correct person; should there be a need to verify your identity, we will let you know. Our time limit to respond to your request is one month, and if we are not able to respond within that timeframe, we will let you know.

Raising concerns and complaints

Where you have a concern, we would want to have the opportunity to resolve it, so please contact us in the first instance by emailing dpo@hewardmills.com. Under data protection laws you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of alleged infringement.

Privacy notice updates

We may update this privacy notice from time to time in response to legal, technical or business developments. Where we make any substantial changes to the processing of your personal data, we shall inform you through the most appropriate medium.

Privacy notice last updated January 2021