Close Menu
    CONTACT

    Privacy Policy

    Who we are

    GDPR Subject Access Request, GDPR Consultant and GDPR SAR and this website, https://gdprsubjectaccessrequest.co.uk, are trading styles of Cobalt ICT Limited. As such, it is Cobalt ICT’s Privacy Policy which applies here; the most relevant sections of which are shown below. The full and most up-to-date version of our privacy policy is available to view on the Cobalt ICT website here

    Comments

    How we use your information

    This privacy policy tells you what to expect when Cobalt ICT Limited (Cobalt ICT) collects and uses your personal information.

    • How we use your data (Lawful basis)
    • Visitors to our websites
    • Terms and conditions of website use
    • Use of cookies by our websites
    • Security and performance
    • People who contact us via social media
    • People who email us
    • People who make a complaint to us
    • People who use Cobalt ICT’s services
    • People who may be recorded by our CCTV system
    • Job applicants, current and former Cobalt ICT employees
    • Complaints or queries
    • Access to personal information
    • Disclosure of personal information
    • You can also get further information on
    • Changes to this privacy notice
    • Address and contact information

    How we use your data (Lawful basis)

    We use various lawful bases for processing of personal data; primarily, for consultancy and business-to-business purposes, we rely on Contract and Consent bases (1 and 2 below). However, when working with sensitive data such as safeguarding and legal matters, we may also use three additional bases; Legitimate Interests, Vital Interests and Legal Obligation (3, 4 and 5 below).

    If you would like to know which legal bases we apply to your personal data, then please contact us via the contact form on this website.

    1. Contract basis for lawful processing is used for personal data relating to the execution of services and management of contracts for our clients and our former clients.

    Whilst you are a client we need to store and process certain personal data, such as your name, address, email address, telephone number and your payment details. We are required by law to hold accounting information for approx 7 years, but any other information that is no longer needed, and is not required to be kept by law, can be erased from our systems should you wish.

    When you become a client of Cobalt ICT it is sometimes necessary for us to share your personal data with some 3rd-party data processors (other companies or authorities), as outlined below in the section below entitled “People who use Cobalt ICT’s services”

    Your personal data would be shared with an actual or potential buyer (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business.

    2. Consent basis is used when you choose to opt in to receive our direct marketing such as, but not limited to, email newsletters, promotions and events. This use of personal data applies to both customers and non-customers and is usually restricted to just your name, address, email address and telephone number.

    Any personal data that we collect and process from 1st March 2020 may also fall under these bases;

    3. Legitimate interests: where the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

    4. Vital interests: the processing is necessary to protect someone’s life.

    5. Legal obligation: the processing is necessary for you to comply with the law – not including contractual obligations.

    You may opt out of receiving our newsletters and marketing at any time, whether a current customer or not. If you wish to opt out from direct marketing you will be able to do so via an unsubscribe link included in each marketing email or you can contact us using the information at the bottom of this page.

    Under the Contract and Consent bases of lawful processing you, subject to the note below, are entitled to the right to be forgotten (erased from our systems) and the right to ask us to transfer the personal data that you supplied us to another company. Please see the contact information at the bottom of this page if you wish to make such a request.

    Because of the detailed nature dealing with some personal data, particularly when dealing with Subject Access Requests, we may process sensitive personal information including, but not limited to; personal details, addresses, contact information, criminal records, police records, medical records, private documentation, personal messages, location information, photographs and social media information.

    Note: There are some circumstances when we are processing your personal data, such as in relation to private or criminal legal action, police action, a safeguarding issue, witness, person of interest or a victim of crime, we will most likely refuse any request to erasure or restriction. The Data Protection Act 2018 states that an organisation can refuse to erase or restrict your data in the following circumstances:

    • When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
    • When the organisation is legally obliged to keep hold of your data such as to comply with financial or other regulations.                                   
    • When the organisation is carrying out a task in the public interest or when exercising their official authority.
    • When keeping your data is necessary for establishing, exercising or defending legal claims.
    • When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.

    Marketing: We will not sell or pass your details to any 3rd-parties for marketing purposes, we respect your privacy. You will not be automatically opted in to any marketing campaigns that we run. We aren’t running any newsletters at this time, but if you would like to opt in to receive any future newsletters, promotions and hear about upcoming events then please let us know using by using the contact form on our website. (You can unsubscribe at any time).

    Visitors to our websites

    When someone visits gdprsubjectaccessrequest.co.uk or cobalt-ict.com we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website for legitimate purposes. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

    Terms and conditions of website use

    The content of the pages of our websites is for your general information and use and is subject to change without notice. Your use of any information or materials on this website is entirely at your own risk, for which we shall not be liable, and it shall be your own responsibility to ensure that any products, services or information available through this website meet your specific requirements. This website contains material which is owned by or licensed to us. This material includes, but is not limited to, written content, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with ‘fair use’ as set out by the Digital Millennium Copyright Act (DMCA). Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence.

    Note: We do not enter in to any contracts, purchases or sales agreements without clear, written consent – whether via telephone, email or any other means – and, in relation to purchases, any orders we place must be accompanied by a valid Purchase Order issued by us.

    Use of cookies by GDPR Subject Access Request or Cobalt ICT

    Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Our websites use cookies for Google Analytics purposes and to keep track of logged in users. No personally identifiable information is collected via our cookies. An option to reject cookies is presented to people on their first visit to our websites.

    Security and performance

    Our websites use integrated applications to help maintain the security and performance of the website. To deliver this service it processes the IP addresses of visitors to our website and logs and blocks any IP addresses that make unauthorised attempts to log in or that try to examine the non-public content. In order to reduce spam and trace any abuse, our website also logs the IP address of those sending us emails via the Contact form.

    People who contact us via social media

    Interaction with us via social media means that you will be creating information such as sending direct messages, mentions, comments and likes this data is processed and retained by the social media network themselves, as defined within their own privacy policies. We may from time to time use a third-party providers to manage our social media interactions. If you send us a private or direct message via social media the message will be stored by that provider for up to two years..

    People who email us

    Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

    We use SSL/TLS encrypted email between our email applications and email servers, please ensure that your email application also uses SSL/TLS to help ensure end-to-end privacy of any data being sent. For more sensitive data we can send and receive information using SendSafely or via PGP encrypted email, ask us for more information on how to use either solution.

    People who make a complaint to us

    When we receive a complaint from a person we create a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

    We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may at times compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

    We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

    We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

    People who use our services

    GDPR Subject Access request and Cobalt ICT offer various services to our customers. We have to hold the details of the people who have requested our services in order to provide it to them. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a service to carry out a survey to find out if they are happy with the level of service they received.

    We use software from third-party data processors to manage projects, accounts and to process payments. These data processing companies are, where appropriate, Data Protection Act 2018, GDPR, PECR and or PCI-DSS compliant. They include, but are not limited to, QuickFile, Trello, Paymo, Expensify and payment processors of GoCardless, Stripe and Paypal. Further information on these companies can be found on their websites or supplied by us upon request.

    Additionally, should payments fall past due we may have to pass your name, contact details, payment and account information to a 3rd-party debt collection company.

    People who may be recorded by our CCTV system

    Our office is based within space provided by The Office Group/Fora who utilise CCTV cameras within their premises and on the perimeter areas adjacent to their premises to protect clients, employees, property and visitors. Video is recorded on a central CCTV system and is stored for up to 90 days after which time it is automatically overwritten. Should the need arise, copies of recordings may need to be given to the authorities to aid in any investigation – this will be done within the guidelines issued by the Information Commissioners Office.

    Job applicants, current and former employees

    When individuals apply to work at Cobalt ICT, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Service we will not do so without informing them beforehand unless the disclosure is required by law.

    Personal information about unsuccessful candidates will be held for up to 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We may retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

    Once a person has taken up employment with Cobalt ICT, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Cobalt ICT has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.

    Complaints or queries

    Cobalt ICT tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

    This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Cobalt ICT’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

    Should you feel that we have handled your personal data incorrectly or that we haven’t been able to provide a suitable answer to your query about the data we hold for you, then you can make a complaint to the ICO at www.ico.org.uk quoting our company registration reference of ZA331857

    Access to personal information

    Cobalt ICT tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a SAR, ‘subject access request’, using our Contact form. Except for in certain situations, detailed above, we are legally obliged to attempt to provide such information within 30 days of your request, free of charge. However where a request is manifestly unfounded or excessive we may charge a reasonable fee for the administrative costs of complying with the request. We may also charge a reasonable fee if an individual requests further copies of their data following a request, based on the administrative costs of providing further copies.

    If we do hold information about you we will:

    give you a description of it;
    tell you why we are holding it;
    tell you who it could be disclosed to; and let you have a copy of the information in an intelligible form.
    If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
    If we do hold information about you, you can ask us to correct any mistakes by contacting us via our Contact form.

    Disclosure of personal information

    In most circumstances, we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the persons or organisation concerned and with other relevant bodies.

    You can also get further information on:

    agreements we have with other organisations for sharing information;

    circumstances where we can pass on personal data without consent for example, to prevent and detect fraud and to produce anonymised statistics;

    our instructions to staff on how to collect, use and delete personal data; and how we check that the information we hold is accurate and up to date.

    Links to other websites

    This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

    Changes to this privacy notice

    We keep our privacy notice under regular review. This privacy notice was last updated on 9th April 2024.

    9th April 2024: Improved readability and changed wording from providing a contact email address to using the Contact form on this website

    19th September 2019: Added the term ‘Data Protection Act 2019’ and removed a specific mention of the GDPR so that the policy reads more clearly post-Brexit.

    13th April 2018: Tidied the order of some sections to improve readability

    1st March 2020: Added three additional legal bases for processing new data (Legitimate Interests, Vital Interests and Legal Obligation) as explained within the privacy policy. 

    22nd May 2022: Simplified the wording and provided clarification around Subject Access Requests relating to investigative and journalistic work.

    Address and contact information

    You can write to us at:

    Cobalt ICT Limited
    White Collar Factory
    1 Old Street Yard
    London
    EC1Y 8AF

    Or email us via the Contact page