External Contacts Privacy Notice
mstep Limited takes its approach to data protection and privacy very seriously and we will make continual improvements wherever we can to processes, policies and internal staff education to ensure that our employees understand their roles, and the requirements we should be meeting as an organisation.
This Privacy Notice explains how we handle and process personal data that relates to External Contacts (i.e. non-employee data). If you have any questions or concerns, you can contact email@example.com)
This External Contacts Privacy Notice sets out what personal data we, mstep Limited, hold about you and how we collect and use it for the performance of contract and marketing purposes. It applies to anyone who is within our contacts database.
Please note: We will not necessarily hold, use or share all of the types of personal data described in this Privacy Notice in relation to you. The specific types of data about you that we will hold, use and share will depend upon our professional relationship with you.
We are required by data protection law to give you the information in this Privacy Notice. The Privacy Notice, together with additional information that we might publish from time to time explains how we collect and use your personal data.
This Privacy Notice applies from 25 May 2018, when the General Data Protection Regulation came into force. It does not give you any contractual rights. We may update this Privacy Notice at any time.
Who is the controller?
mstep Limited (101 Regents Park Road, London N1 8UR) is the “controller” for the purposes of data protection law. This means that we are responsible for deciding how we hold and use personal data about you.
Our Data Security Team consists of the Founder, Partner and Director (Representatives from other areas of the business will be co-opted as necessary). They are responsible for informing and advising us about our data protection law obligations and monitoring our compliance with these obligations. They also act as a point of contact if you have any questions or concerns about data protection (firstname.lastname@example.org).
What is personal data?
Personal data means any information relating to a living individual who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, NI number, employee number, email address, physical features). It can be factual (e.g. contact details or date of birth), an opinion about an individual’s actions or behaviour, or information that may otherwise impact that individual in a personal or business capacity.
Data protection law divides personal data into two categories: ordinary personal data and special category data. Any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or biometric or genetic data that is used to identify an individual is known as special category data. (The rest is ordinary personal data).
What type of personal data do we hold about you?
We collect, hold and use some or all of the following types of ordinary personal data about you:
Biographical information including your name, title, contact details,
Publicly available information about you, such as your business social media presence
Lifestyle information including but not limited to interests
Events that you have attended with us or with an employee of mstep
If you have consented, we may use your personal data for the following reasons:
We may use your name, email address, postal address or telephone number for the following:
To invite you to one of our networking events.
To send you post-event follow up information.
To invite you to join a social media group (for example, a WhatsApp group). You will never be added to one without consent.
To share with our PR consultants if they are organising an event on our behalf. They do not have permission to share your details with any other parties and are contractually obliged to only use your data for the specific event.
To share your details with other event organisers, for example, if there is a joint event hosted with other companies.
To ensure that we invite you to relevant events, we may filter your details by sector, service, projects that you have worked on with us or lifestyle information.
We may occasionally send out Newsletters
We will only send you these if we have received your consent
We may use your name and email address to send you our latest news.
To ensure we only send you relevant, tailored content, we may filter your details by sector, service, or projects that you have worked on with us.
Photography and video is a key part of our marketing and communications. We may use a photograph or video of you within promotional content. We will only use these with explicit consent which would be associated with a single article. We would gain your explicit consent whenever this article was used.
We may ask you for your opinion on current events, market affairs, trends, projects or for feedback on our own service. This could be used to help improve our business performance, or for an external marketing campaign. In this instance, we may require your personal details. If such research does take place, it will have its own privacy notice associated and we will seek your explicit consent before taking part. We will only use these opinions with explicit consent which would be associated with a single article.
We may keep a record of your social media handles to help us keep your personal data up to date. For example, LinkedIn, which will show us that you have moved company.
For more information on how your personal data is used when applying for a job with us please visit the Job Applicant Privacy Notice.
What are our legal grounds for using your personal data?
Data protection law specifies the legal grounds on which we can hold and use personal data.
We rely on one or more of the following legal grounds when we process your ordinary personal data.
We need it to undertake a project (Performance of Contract), because you are involved with one of our projects as a member of the external team.
We need it to comply with a legal obligation (Legal Obligation), e.g. If you are involved with one of our projects as a member of the external team we are required to retain your details for the duration of the contract i.e. for 6 years for a signed contract or 12 years for a contract signed under deed or under seal.
You have granted consent (Consent) that we may process your personal data to provide you with newsletters or tailored invites to events.
What type of special category personal data do we hold about you? Why? And on what legal grounds?
We will only collect, hold and use limited types of special category data about you, as described below.
Since special category data is usually more sensitive than ordinary personal data, we need to have an additional legal ground (as well as the legal grounds set out in the section on ordinary personal data, above) to collect, hold and use it. The additional legal grounds that we rely on to collect, hold and use your special category data are explained below for each type of special category data.
Criminal records information/DBS checks
Due to our work with education providers (Schools, Colleges and Universities), and community groups we may ask you to complete a DBS or Security Clearance. For the majority of our External Contacts we do not collect this data. However, should our clients require you to have these checks to enter their premises or work on their projects we will inform you. In the context of the Performance of Contract we will use this information to assess your suitability to form part of an External Team for projects where these checks need to be in place e.g. schools, government schemes etc. Our additional legal ground for using this information is that of Legal Obligation.
How do we collect your personal data?
You provide us with most of the personal data about you that we hold and use, for example on a business card, email signature or through verbal discussions.
Some of the personal data we hold and use about you is generated from internal sources following a Business Development meeting/event. For example, we may record that you enjoy cycling or that you have particular sector experience.
Some of the personal data about you that we hold and use may come from external sources. We may also obtain information about you from publicly available sources, such as your LinkedIn profile or other media sources.
Who do we share your personal data with?
We will not share your personal data with anyone, with the exception of certain third parties who act as data processors working on our behalf. These are:
Facilitators of our group mailing, to which you have consented, who shall have demonstrated GDPR compliance.
We share any of your personal data that is relevant, where appropriate, with our legal and other professional advisers, in order to obtain legal or other professional advice about matters related to you or in the course of dealing with legal disputes with you or your company. Our legal grounds for sharing this personal data are that: it is in our legitimate interests to seek advice to clarify our rights/obligations and appropriately defend ourselves from potential claims; it is necessary to comply with our legal obligations/exercise legal rights in connection with contract; and it is necessary to establish, exercise or defend legal claims.
How long will we keep your personal data?
If you are involved with a project (i.e. part of an external team), we are required to retain your details for the duration of the contract i.e. for 6 years for a signed contract or 12 years for a contract signed under deed or under seal. However we may need to retain these for a maximum of 15 years after the project has been completed and closed, if there are specific legal circumstances associated with a contract that require us to hold your personal data.
If you are not involved in a project but you have provided your consent for us to hold your personal data for the purposes of contacting you for Event invitations or providing you with a copy of our newsletter, then your consent will be requested again after approximately 2 years.
You have a number of legal rights relating to your personal data, which are outlined here:
The right to make a subject access request. This enables you to receive certain information about how we use your data, as well as to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
The right to request that we correct incomplete or inaccurate personal data that we hold about you.
The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
The right to object to our processing your personal data where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing
The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
The right to withdraw your consent to us using your personal data. As described above, we do not normally rely on your consent as the legal ground for using your personal data. However, if we are relying on your consent as the legal ground for using any of your personal data and you withdraw your consent, you also have the right to request that we delete or remove that data, if we do not have another good reason to continue using it.
The right to request that we transfer your personal data to another party, in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using it (this is known as the right to “data portability”).
The right to object to a decision based on profiling/solely automated decision-making, including the right to voice your opinion, and obtain human intervention in the decision-making.
If you would like to exercise any of the above rights, please contact the Data Security Team (email@example.com) in writing. Note that these rights are not absolute and in some circumstances we may be entitled to refuse some or all of your request.
If you have any questions or concerns about how your personal data is being used by us, you can contact us on firstname.lastname@example.org).
Note too that you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: https://ico.org.uk