Sabre MS Website Privacy Statement
The purpose of this privacy statement is to explain how Sabre MS processes all personal data to fulfil its data protection responsibilities. This statement will be supplemented by ‘specific to client’ privacy notices when needed.
The scope of this statement covers all related activities by the staff and associates/ consultants of Sabre MS referred to as SMS for the remainder of this privacy statement.
The role of SMS in data protection terms is that of a data controller where it determines the purpose and use of personal data collected. Once received it becomes the responsibility of the SMS privacy officer (PO), supported by an external DPO, to ensure that it is processed in accordance with the latest UK data protection legislation. The PO & the DPO can be contacted by email using firstname.lastname@example.org.
The sort of personal data processed by SMS will only be basic contact information for the purposes of networking, business development, preparing contracts and setting up invoices. Banking details will also be collected for the purpose of paying creditors.
SMS’ duty of confidentiality means that SMS staff will treat your personal data with due respect and in confidence. It is only disclosed to those that need to know it. SMS expects the same duty of confidentiality of all third parties with whom it shares your personal data.
Ordinarily SMS does not process your personal data outside the UK but when necessary, will take the appropriate measures to ensure it is done lawfully and securely.
SMS will always process personal data lawfully and in such instances as described below:
- To respond to your general enquiries, promote SMS services and to be able to stay in touch once any business commitments have ended, we will use our legitimate interests
- To comply with any legal obligation, for example HMRC for tax records
- When it is necessary for the performance of a contract and its prior preparation
- When processing for a pre-defined purpose for which your consent has been sought and recorded prior to that processing commencing
In all cases the processing of personal data by SMS shall be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary (and no more)
- Accurate and, when necessary, updated
- Kept for no longer than is necessary
- Processed in a manner that ensures appropriate security
SMS will share personal data, but only when absolutely necessary, with some or all of the following third parties:
- Solicitors appointed by SMS
- The Inland Revenue (HMRC)
- Contractors/ associates, but only on a strict need to know basis
- Accountants appointed by SMS and only for accounting purposes
- Unspecified recipients but only when compelled to do so for legal reasons
SMS uses reasonable organisational and technical measures to ensure personal data is kept secure in line with its internal information security policies. For instance, SMS uses encryption to safeguard data when appropriate. Other than mobile phone contact data, all personal data in automated form is processed and backed up using an HM Government accredited supplier. Further details can be found under the ‘SERVER SECURITY’ section on the homepage of our website.
SMS follows a retention schedule to determine the length of time it holds different types of personal data. The retention schedule is shown below:
- Routine correspondence for casual and contract related business in hard copy or in emails will be stored for 3 years
- Personal data about former customers will be retained for 7 years after the cessation of the contract or last business-related contact, whichever is the later
- Contact data is stored indefinitely unless a valid request to erasure is received from the affected data subject
- Financial records and invoices, which may include personal data, will be retained for 6 years after the end of the current tax year of processing
- By exception, documentation that includes personal data may be retained by SMS beyond the schedule, but only for a specific purpose and only when SMS believes there is a legitimate interest or a legal obligation to do so
At the end of the retention schedule SMS will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, it will put it beyond operational use. It should be noted that SMS allows up to 3 months after the retention schedule to complete the action.
SMS websites may link to appropriate websites for your interest. If these are used, the visitor should be aware that the SMS has no responsibility for the control, content or handling of personal data by these other websites.
The UK General Data Protection Regulation defines the rights that you have (although these do not apply in all situations), For convenience, these rights are shown below:
- Right to be informed as to how your personal data is being processed by SMS – this is done through this statement or separate SMS privacy notices
- Right to access your personal data held by SMS which is done by making a ‘Data Subject Access Request’ (DSAR) to the SMS privacy officer/ DPO
- Right to rectification of your personal data if you believe SMS has collected it incorrectly or it needs to be updated
- Right to erasure of your personal data for which SMS no longer has a legitimate purpose to process
- Right to restrict processing under certain circumstances, during which time your personal data but will be out of operational use until the related matter is resolved
- Right to data portability of your personal data in a machine-readable version, as you have provided but only applicable to data provided with your consent or under contract
- Right to object to SMS processing your personal data for which it does not have a legal or contractual obligation
- Rights related to automated decision making and profiling (however SMS does not use these techniques in its decision making)
Further details on data subjects’ rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.
Raising concerns, exercising rights or making queries about SMS’ processing of personal data can be done by contacting the SMS privacy officer/ DPO. Please be aware that SMS will need to determine your identity before responding fully, therefore, you may be asked for proof of ID or other material that, in context, will enable SMS to confirm your identity. Alternatively, you may wish to contact the ICO directly, using the details provided above.