Haywood Sener is primarily a design agency providing creative services and website development to its clients. The Company also provides a limited number of clients with digital marketing consultancy.
As a small agency, we do not actively collect consumer data for our benefit. However, due to the nature of some of our clients’ businesses, we have in certain circumstances access to our clients’ customer data.
It is important to note that Haywood Sener is not in the business of trading, selling or leasing any data. In addition to this we never share personal data collected by us or by our clients for any marketing purpose. The data we share with third parties is business critical and required for us to provide our service.
Haywood Sener Ltd, Registered Office C/o Ashfield Accountancy, First Floor, Woking, Surrey, GU21 5AJ. Company Registration number 08610890.
The purpose and lawful basis for processing your personal data
Information is required for a number of functional reasons within the business and each has a different lawful basis.
Existing Haywood Sener Customer
The data we access:
In addition to design related work, our business also often requires us to manage the hosting of websites or to help our clients plan and implement marketing activities to their clients. This requires our clients to provide us with access to systems which may contain personal data. This data may be related to the client itself or the client’s own customers.
We only use our clients’ personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation. We will hold our clients’ information for three years from the termination of our contractual obligation, for legal records.
Data for our own business purpose:
Business Contact Details
Our clients’ personal data (any information which identifies them, or which can be identified as relating to them personally, for example name, address, phone number, email address) will be collected and used by us to provide our service. We only collect the personal data that we need and it is stored within our cloud-based accounting software, which is password protected.
We share data between our team and our clients via email correspondence. Internal emails are encrypted with Transport Layer Security (TLS). On request, we are able to implement TLS between our clients for secure email communications.
Design files and our clients’ other working documents are stored securely in the cloud. Our third-party cloud storage supplier is fully GDPR compliant and also adheres to the following international standards: HIPAA, SOC1™ (SSAE-16/ISAE-3402), SOC2™, SOC3™, ISO 27001, ISO 27018:2014 and FedRAMP.
Files are encrypted as they are written to disk using 128-bit or stronger Advanced Encryption Standard (AES), and are encrypted in transit to our cloud storage using HTTPS.
Data we are able to access to provide a service to clients:
Website hosting and access:
We manage and access our clients’ websites hosted on our servers. These sites often contain our clients’ own customers’ data.
- Joomla website CMS
- Client website cpanel
- Client email marketing via Mailchimp
- Google Analytics
- Google Adwords
- Social media accounts: Facebook, Linkedin and Twitter
- Google My Business
The Haywood Sener team are required to access the above data in order to provide a service to our clients. In addition to employees of the company, we also employ freelance contractors who have signed NDAs to cover their obligations to GDPR for Haywood Sener.
If data is downloaded, it is not shared with any partner or third party and it remains the sole property of the client. All sensitive data, which includes our clients’ customers’ details, is password protected.
Data Access Security and Management
All passwords required by Haywood Sener are stored securely using an encrypted password management service which is fully GDPR compliant.
Previous Haywood Sener Customer
Employee of (or temporary or contract worker at) an existing Haywood Sener Customer
Personal data will have been provided by the employer, or collected directly. Employee name and contact details will be stored to enable us to deliver services to your organisation. We have a legitimate interest in being able to use client employee information in this way.
Personal information is held for three years from the expiry of our client’s relationship with Haywood Sener, for legal purposes.
Supplier or Other Business Associated with Haywood Sener
Contact details will be held because we have a legitimate interest in supplier or associated business relations. We will aim to hold this information for three years since we were last in contact with you.
Data processors Haywood Sener Uses to Provide a Service
We use a number of different service providers (acting as “data processors”) who provide IT and system administration services to enable us to operate our business and the services we provide to our customers. In some instances personal data is transferred to (and stored by) these data processors, who generally fall under the following categories:
- our service providers and sub-contractors, including but not limited to payment processors, suppliers of technical and support services and cloud service providers;
- Website analytics service providers
- Server management providers
- Document storage service providers
- Email, contacts and calendar service providers
- Backup Solution providers
- Accounting software service providers
Other circumstances in which we may share personal data with third parties
We may also share your personal data with the following third parties in certain circumstances:
- We will share personal information with law enforcement or other authorities (such as tax authorities) if required by applicable law.
- We may share personal information with third parties to whom we may choose to sell, transfer, or merge parts of our organisation or our assets. Alternatively, we may seek to acquire other organisations or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
- We may share personal information with professional advisors such as lawyers, accountants or auditors in order for them to provide legal, accounting or auditing services to us.
International transfers of personal data, and the measures in place to safeguard it
We do not directly transfer any of our clients’ personal data outside the European Economic Area (EEA). However, some of our data processors may do so and this section explains the impact of these international transfers and how your information is protected.
Many of our data processors operate “cloud-based systems”, which means the information is held in data centres in different locations. All the cloud-based systems we use reserve the right to hold copies of our clients’ personal information outside the EEA as back-up copies, so they can guarantee recovery.
In each case we and/or our processors use one or more of the following means that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of abuse:
- Certain processors may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where personal data is transferred outside the EEA or countries the EC deems to have adequate privacy protection, we use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Providers storing data in the US may be self-certified to the EU-US Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Our clients’ personal data rights
Rights that can be exercised:
- update any Personal Information which is out of date or incorrect;
- delete any Personal Information which we are holding about you;
- restrict the way that we process Personal Information;
- provide Personal Information to a third-party provider of services; or
- provide a copy of any Personal Information which we hold.
Our clients have the following rights:
- To request a copy of all personal data we hold relating to them and we must provide this within 30 days;
- To require us to correct any records that are wrong;
- To require us to erase personal data and we must comply unless we need it for one of the purposes described above (for example, this might include the fact that we need to demonstrate performance of our contractual obligations.)
- To have your personal data transferred to another organisation, and we’re obliged to provide it to you in a clear and reasonable format.
Haywood Sener retains the right to keep data that is needed to establish, exercise or defend a legal claim.
Where we process data based on a “legitimate interest” (underlined in the section on Purpose and Lawful Basis, above) clients have the right to object to our processing of that data. From that point, data processing is stopped until we have determined whether our clients’ rights override our interests.
Our contractual requirement to use clients’ personal data
We have to collect personal information from Haywood Sener customers to enable us to enter into a contract with our clients. We have a legitimate interest in using our clients’ personal data to provide services to them as customers of Haywood Sener. If a client requests restricted processing of personal data, it may render us unable to provide a service to the client. For this reason, we use our legitimate interests as the lawful basis for processing our clients’ data (which is why we do not ask for consent to process it).
Automated processing of business data
Because Haywood Sener stores website data on our servers on behalf of our clients, we do act as a processor of this information. All clients have been informed of the data held on our servers. To comply with GDPR, our clients have an obligation as a data controller to provide us as the processor with a policy for how the data is managed. By default, we will store data for 3 months only.
In addition to this as a policy:
- Haywood Sener does not collect any IP address logs for any of its websites through its standard cpanel software.
- Haywood Sener does not back up form data for customer websites. Therefore, all backups stored securely and remotely to the Haywood Sener server contain no personal information within them.
Other purposes for processing personal data
Changes to this privacy notice
This privacy notice was created on 1st May 2018. We may change or update this privacy notice from time to time by amending this page and, where appropriate, notify you by email.
Your rights to lodge a complaint with the Regulator
At all times, you have the right to report a concern or lodge a complaint with the Information Commissioner’s Office. Please refer to the ICO at https://ico.org.uk/concerns/ or by calling them on 0303 123 1113.
How to contact us
If you have any questions, concerns or just want some more information in relation to our privacy management, you can contact us in the following ways:
Telephone: 01276 300 333