1.1 Atlas Mapping Limited (“we”, “us”, “our”) is committed to ensuring that all Personal Data we handle is processed according to legally compliant standards of data protection and data security.
1.2 This policy and any other documents referred to in it set out the basis on which we will process Personal Data. It also applies to the use of our Vision software which is accessed via our website at https://www.vision-mapping.com/ (“Site”).
2.1 The following definitions shall apply in this policy:
Controller: the people who or organisations which determine the purposes for which, and the manner in which, any Personal Data is processed. The Controller is responsible for establishing practices and policies in line with Data Protection Laws.
Data Protection Law: (a) prior to 25 May 2018, the Data Protection Act 1998; (b) from 25 May 2018, the GDPR or any legislation which amends, re-enacts or replaces it in England and Wales.
Data Subject: an individual who is the subject of Personal Data.
Personal Data: any information relating to an identifiable natural person who can be directly or indirectly identified in particular by reference to an identifier.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Processor: any person or organisation that is not a data user that processes personal data on our behalf and on our instructions.
Services: franchise territory mapping and related software services.
3. THE PERSONAL DATA WHICH WE COLLECT AND PROCESS AS A CONTROLLER
3.1 In order to perform our Services we will Process (collate, handle and store) the Personal Data of our customers and of prospective customers who may enquire about the Services.
3.2 The information which we collect from our customers and prospective customers includes:
3.2.1 Information you provide us: This may include:
(a) information you give us about you by filling in enquiry forms on the Site;
(b) information you provide when you register to use the Services and/or our Software;
(c) information when you report a problem with the Site or our Services;
(d) the information you give us upon registration which may include your name, address, e-mail address and phone number, username, password and other registration information, including financial and credit card information.
The legal basis for Processing this data is the performance of a contract when you sign up to use the Services or our legitimate interests, namely the proper administration of our Site, Software and Services.
3.2.2 Information we collect in connection with your use of our Services: We collect information about the Services that you use and how you use the Site and our Software. When you use the Services we automatically collect and store information. This information may include:
(a) your browser type and version;
(b) length of visit;
(c) page views and navigation paths, as well as information about the timing, frequency and pattern of your use of the Services;
(d) device-specific information, including the type of mobile device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface);
(e) mobile network information or your mobile operating system.
This usage data may be Processed for the purposes of analysing the use of the Services. The legal basis for this Processing is our legitimate interests, namely the proper administration of our Software, our Site and Services.
3.2.3 Information contained in or relating to any communication that you send to us: We will collect correspondence data from you that may include the communication content and metadata associated with the communication.
The correspondence data may be Processed for the purposes of communicating with you and record-keeping. The legal basis for this Processing is consent.
3.3 In addition to the specific purposes for which we may Process Personal Data as set out in this Section 3, we may also process any Personal Data where such Processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect the vital interests of our customers or the vital interests of another natural person.
4. THE PERSONAL DATA WHICH WE PROCESS AS A PROCESSOR
4.1 Our customers and users of our Software and Services will upload mapping datasets to our Software (or we may do this on their behalf as part of our Services). In some instances, these datasets may contain Personal Data of third party Data Subjects such as address fields or other personally identifiable information (“Third Party Personal Data”).
4.2 In respect of the Third Party Personal Data we are the Processor for the purposes of Data Protection Law and our customer is the Controller.
4.3 We shall process any Third Party Personal Data in compliance with Data Protection Law and only in accordance with the customer’s instructions (except where required to do otherwise by law). The customer as Controller remains responsible for the Third Party Personal Data in line with Data Protection Law and our obligations and responsibilities towards the customer are set out in our Terms and Conditions of Business which can be found here: www.atlas-mapping.com/terms-conditions.
5.1 Specifically, Data Protection Laws require that Personal Data:
5.1.1 is processed fairly and lawfully and transparently and, in particular, shall not be processed unless specific conditions are met;
5.1.2 is collected for specified, explicit and legitimate purposes as set out in the Data Protection Laws, and shall not be processed in any further manner incompatible with that purpose or those purposes;
5.1.3 is adequate, relevant and limited to what is necessary in relation to those purpose(s);
5.1.4 is accurate and, where necessary, kept up to date;
5.1.5 is not kept for longer than is necessary;
5.1.6 is kept in a form which permits identification of the data subject for no longer than is necessary for the purpose(s);
5.1.7 is processed in accordance with the rights of data subjects under the Data Protection Laws; and
5.1.8 is kept secure by us, taking appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, Personal Data.
5.2 Lawfulness and fairness. Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject. Data Protection Law allows Processing for specific purposes, some of which are set out below:
5.2.1 the Data Subject has given his or her Consent;
5.2.2 the Processing is necessary for the performance of a contract with the Data Subject;
5.2.3 to meet our legal compliance obligations;
5.2.4 to protect the Data Subject's vital interests;
5.2.5 to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects.
5.3 Purpose limitation and minimisation: Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes. We will not use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have Consented where necessary. Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
5.4 Accuracy: Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate. We will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it.
5.5 Storage limitation: Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. We will not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.
5.6 Protecting Personal Data: Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage. We will implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption where applicable). We will implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data.
6. DATA SHARING
6.1 We will not disclose a Data Subject’s Personal Data to a third party without consent or unless we are satisfied that we are legally entitled to share such data under Data Protection Laws. Where we do disclose Personal Data to a third party, we will have regard to the data protection principles at clause 5.
6.2 In order to perform our duties and deliver our service, we may share your Personal Data with the following organisations, and for the following purposes:
Address fields which may contain Personal Data will be passed into an API in circumstances where we are geocoding the data outside the UK.
We use a cloud storage provider as a technology service provider to store data for us and help us provide the Services. The cloud storage provider is acting in accordance with our instructions and under our control.
Sub-Contractors e.g. developers
We may from time to time use software developers who are independent contractors to help develop our software. Where such third parties are engaged (and will have access to Personal Data) we will ensure that these third parties are subject to appropriate confidentiality and data protection provisions.
6.3 We may also disclose Personal Data where such disclosure is necessary for compliance with other legal obligations to which we are subject, or in order to protect a data subject’s vital interests or the vital interests of another natural person.
7. INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA
7.1 In this Section 7, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).
7.2 The provider of our mapping API system, Google, is situated in the United States. The European Commission has made an "adequacy decision" with respect to the data protection laws of the United States based upon the adequacy of the EU-U.S. Privacy Shield. Transfers to the United States will be protected by the EU-U.S. Privacy Shield which implements appropriate safeguards for protecting the fundamental rights of anyone of the EU whose personal data is transferred to the United States.
7.3 This clause relates to processing carried out by us and our sub-processors (see clause 6 above) and does not cover any processing which may be carried out by a user’s internet service provider.
8. RETAINING AND DELETING PERSONAL DATA
8.1 This clause sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of Personal Data.
8.2 Personal Data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose.
8.3 We will retain Personal Data which we have collected from our customers (as more particularly set out in clause 3.2.1 and 3.2.2 above) for as long as there is continued usage of the Services.
8.4 For our customers who instruct us with project based work where a project has finished or a customer ceases to use our services the “Project File” containing the customer’s data (including Personal Data and input mapping data) will be retained for a period of 3 years after which time it shall be deleted unless there is a legitimate business reason to retain it for longer.
8.5 For those customers using our Vision Software, where they cease to be a subscribing user of the software we will delete their data, including any organisation data sets they were using on the software, soon after they terminate their licence with us.
8.6 Where we are processing any Personal Data as a Processor on behalf of our customers we will upon termination of our contract with our customer request that the customer notifies us whether it requires us to return all the Personal Data at its expense within 30 days of termination of the contract or whether it requires us to delete all the Personal Data as soon as reasonably practicable. We shall not be required to delete any such Personal Data which we are required to retain for compliance with a legal obligation.
8.7 Notwithstanding the other provisions of this clause, we may retain Personal Data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
9. CONFIDENTIALITY AND DATA SECURITY
9.1 We take the confidentiality of our customers and the Data Subjects whose Personal Data we store and process very seriously. We shall ensure that all of our employees, agents or subcontractors are subject to obligations of confidentiality.
9.2 In respect of the Personal Data we will take appropriate security measures against unlawful or unauthorised processing, and against the accidental loss of, or damage to, the Personal Data.
9.3 We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
9.4 We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
9.4.1 Confidentiality means that only people who are authorised to use the data can access it.
9.4.2 Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.
9.4.3 Availability means that authorised users will be able to access the data if they need it for authorised purposes.
10. DATA SUBJECT’S RIGHTS
10.1 In this clause 10, we have summarised the rights that Data Subjects have under the Data Protection Laws. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, Data Subjects should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
10.2 The principal rights of Data Subjects under Data Protection Laws are:
10.2.1 the right to access;
10.2.2 the right to rectification;
10.2.3 the right to erasure;
10.2.4 the right to restrict processing;
10.2.5 the right to object to processing;
10.2.6 the right to transfer your personal data;
10.2.7 the right to complain to a supervisory authority; and
10.2.8 the right to withdraw consent.
10.3 Data Subjects have the right to confirmation as to whether or not we process their Personal Data and, where we do, access to the Personal Data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the Personal Data. Providing the rights and freedoms of others are not affected, we will supply to Data Subjects a copy of their Personal Data.
10.4 Data Subjects have the right to have any inaccurate Personal Data about them rectified and, taking into account the purposes of the processing, to have any incomplete personal data about them completed.
10.5 In some circumstances Data Subjects have the right to the erasure of their personal data without undue delay. Those circumstances include: the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; the Data Subjects withdraw consent to consent-based processing; the processing is for direct marketing purposes; and the personal data has been unlawfully processed. However, there are certain general exclusions of the right to erasure. Those general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
10.6 In some circumstances Data Subjects have the right to restrict the processing of their Personal Data. Those circumstances are: a Data Subject contests the accuracy of the Personal Data; we no longer need the Personal Data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store the Personal Data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
10.7 Data Subjects have the right to object to our processing of their personal data on grounds relating to their particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party.
10.8 Data Subjects have the right to object to our processing of their personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process the Personal Data for this purpose.
10.9 If Data Subjects consider that our processing of their personal information infringes Data Protection Laws, they have a legal right to lodge a complaint with a supervisory authority responsible for data protection. In the UK this is the Information Commissioner’s Office.
10.10 To the extent that the legal basis for our processing of personal information is consent, Data Subjects have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
11.1 We may update this policy from time to time by publishing a new version on our website.
12. OUR CONTACT DETAILS
12.1 We are registered in England and Wales under registration number 07476407 and our registered office is at 8a Cyrus Way, Cygnet Park, Hampton, Peterborough, PE7 8HP.
12.2 Our email address is firstname.lastname@example.org
12.3 We can be contacted by post or email using the addresses given above.