Privacy Notice

We are Firebird Data Protection Consultancy Limited (Firebird). We provide expert advice, guidance, training and outsourced Data Protection Officer services to organisations, to help them meet their obligations under the data protection legislation (General Data Protection Regulation (UK GDPR) and the Data Protection Act).

Firebird is a private limited company registered in England & Wales (10841251). Our registered address is 20-22 Wenlock Road, London N1 7GU. Our Data Protection Act registration number is ZA288370.

We are the data controller for the personal data we process about our enquirers, customer representatives, subscribers, customer leads, associates, website users, job applicants and employees. 

We sometimes process personal data as a 'data processor'.  This is when we act on behalf of our customers (eg when we perform the role of their outsourced Data Protection Officer). In these cases, we only handle personal data upon our customers' written instructions under a contract (data processing agreement) and any collection or use of that information is limited to the purpose of providing the service to our customer. The personal data we usually handle as an outsourced Data Protection Officer is often limited to names, contact details and information around queries, requests or complaints made to our customers , or to us directly, so we can assist our customers  in addressing these.

This privacy notice tells you what to expect when we handle personal data as a data controller. 

Our privacy promise to you

Transparency

We are committed to protecting and respecting your privacy. We will always tell you what data we’re collecting about you and how we use it and will never ask for more information than we need to. We will not share your data with any third parties, unless you have consented to this; they are a trusted partner working on our behalf; or the law requires us to, and we will never sell your data.

Security

We are committed to following industry best practices to ensure your data is stored safely and securely. We will protect the information we process about you from accidental or unlawful access, disclosure, loss, damage or destruction.

Control

We will always give you control over the communications you receive from us and you can stop or tell us you no longer wish to receive these at any time by emailing dpo@firebirdltd.co.uk

Most of the personal data we process is provided to us directly by you, for example when you:

• make an enquiry by email, phone or through our website 
• sign up to our newsletters, blogs and promotions
• apply to work with us
• work with us as an associate or employee
• use our website

We may also collect personal information about you indirectly, for example through:

• our customers
• public sources (e.g. websites and professional networking sites)
• recruitment agencies

Enquirers 

When someone contacts us asking about our services through our website, by email or over the telephone, we collect their name, contact details and the nature of their enquiry. We collect this information for our legitimate interests as a company,  ie to be able to respond to their enquiry and keep a record of our communications with them. We keep this information for 2 years from the date of the last communication.

Customer representatives

We collect the name and contact details of our customers and information about the service they have purchased. We need this information so we can fulfil our contract with the customer, or take steps at the request of the customer, prior to entering into a contract with them. We also collect this information for our legitimate interests in maintaining records for accounting, legal and insurance purposes. We keep this information for as long as we need to, to satisfy any contractual, legal, accounting, or reporting obligations, however this is usually archived and kept for 7 years after the contract has ended.

Subscribers 

We collect the name and contact details of people who want to subscribe to our newsletters, resources, blogs and promotions. We collect this information with the consent of the individual when they opt-in to receive these communications. If a person unsubscribes, we remove them from our mailing list but retain their contact details in a separate database. We need to retain this information for our legitimate interests, to ensure we do not contact them again in the future. We keep subscriber data until they unsubscribe, if the email address becomes invalid or if we no longer believe they want to receive our communications. We retain the contact details of those who have unsubscribed indefinitely.

Training delegates

We collect the name and contact details of individuals who enquire about or book onto our training sessions. We process this information to pursue our legitimate interests, ie to register the individual on the training and/or to let them know about future training events which we believe they may be interested in attending. Delegates can opt-out from receiving communications about future training events at any time by emailing DPO@firebirdltd.co.uk.  We keep delegate contact details for as long as we believe they may be interested in receiving communications about our training events, or until they unsubscribe.

Customer leads

We sometimes collect the name, job role and work contact details of employees working for potential customers, who we think would be interested in receiving information about our company’s services; this is known as ‘B2B’ or ‘business to business’ marketing. This information is only collected from public sources, such as company or school websites or where the employee has published their name, work profile and contact details on a networking site for professionals, (such as LinkedIn) and therefore would have a reasonable expectation that companies like us, may contact them to make introductions and market their services. 

We collect this information to pursue our legitimate interests, ie to be able to promote and market our services to potential new customers. Contact leads can opt-out from receiving communications from us at any time by emailing DPO@firebirdltd.co.uk

We keep this information for 2 years from the date of our last communication where the communication does not lead to a sale. If the communication does lead to a sale, this information will be retained in line with our retention period for customers (7 years after the contract has ended).

Associates

We collect information about our business associates, such as their name, contact details, experience, outcome of their criminal record check (DBS) (where required), service contract and bank details. We collect this information for our legitimate interests, to be able to assess the suitability of the individual and to enable us to fulfil our contract with them or to take steps at their request, prior to entering into a contract with them. We keep associate files for 7 years after their contract has ended.

Job applicants

We receive Curriculum Vitae (CVs) from people who apply for jobs with us. This will often include the individual’s name, contact details, experience, education and a personal statement to support their application. We collect this information for our legitimate interests ie to  assess the suitability of the individual and where relevant invite them to interview.  We also process this information in order to take steps at the request of the applicant prior to entering  into a contract with them.

Applicants who are not successful, prior to or after interview, their CV and application will be destroyed after 6 months, unless the applicant gives us their permission to retain this information for longer.  Information relating to successful applicants, will be retained on their employee file and held for the duration of their employment, plus a further 7 years after their contract has ended. 

Employees

We collect information about our employees, such as their name, date of birth, contact details, recruitment information, evidence of their right to work, outcome of their criminal record check (DBS), references, contract, bank details and other employment information. We collect this information to enable us to fulfil our contract with the employee or to take steps at the request of the employee, prior to entering into a contract with them. For example, to ensure they are paid; make pension and tax contributions on their behalf and provide employee services and benefits to them. We also collect this information to pursue our legitimate interests, for example to recruit employees, maintain a register of our employees (past and present) for insurance, legal, tax and pension purposes and to assist in the prevention or detection of crime (including fraud).

We sometimes collect ‘special category data’ about our employees, for example information about their disabilities, health and dietary needs or religious beliefs. We process this information to fulfil our contract  with the employee (or in order to take steps at the request of the data subject prior to entering into a contract with them) and to carry out our obligations or exercise our or our employees' rights in relation to employment, social security or social protection. We keep employee files for 7 years after the contract has ended.  

Website users

When you visit our website,  simple Cookies are used to help you navigate around our site and tell us how well our website is performing eg. it tells us how many visits we've had on our website and how many files have been downloaded within the last 30 days.   We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting this website and will not associate any data gathered with any personally identifying information from any source. 

We collect this information for our legitimate interests to help you use our website and keep us informed about our website's performance. We keep this information for 30 days.  For more information, please see our Cookie Policy

We do not share your data with other organisations, unless it is necessary for our legitimate interests, legal, contractual, regulatory or law enforcement purposes. Where we use 'data processors’ to help us manage and store our data (cloud storage providers); promote our services (advertising/marketing companies) or help us deliver our services (business associates), we have Data Processing Agreements  in place, to protect any personal data they may have access to on our behalf.

Our data processors only act on our instructions and are carefully selected to ensure they have robust security measures in place and comply with the UK data protection legislation when processing personal data. 

Where we process your personal data as a 'data processor’ for our customers, your personal data (eg communications with us) may be shared with that customer, to enable us to fulfil our contract with them.

There may be times when we need to disclose personal data to other data controllers, for example:

• In the event that we sell our company or its assets
• If you provide us with your consent
• If we are under a duty to disclose your personal data, for example in response to a court order, request from law enforcement agencies or to report safeguarding concerns.
• To enforce or apply our terms and conditions and other agreements.
• To protect the rights, property, or safety of Firebird and its employees, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

We will never sell your personal data or share it in a way you would not reasonably expect.

Firebird only stores personal data on encrypted servers within the United Kingdom (UK).