Last updated: November 2023
This policy addresses the use of personal data by Brown Graphics Limited of 221 Kings Road, Kingston upon Thames KT2 5JH, United Kingdom (“Brown Graphics”).
Where we enter into a contract with you in relation to goods or services further clauses in relation to privacy specific to that arrangement may be included. If those terms conflict with any of the provisions of this Privacy Notice the contractual terms will take precedence.
The terms of this notice may be amended from time to time so it is recommended that you return to this page regularly to ensure you remain informed as to how your personal data is processed.
Any questions you have in relation to this policy should be addressed to the company at that address or by email to email@example.com
This privacy notice (“notice”) applies to the processing of personal data by Brown Graphics in connection with any:
- “client services”: provision of products and services by Brown Graphics to actual and prospective clients;
- “supplier services”: provision of products and services to Brown Graphics by suppliers or service providers;
- “recruitment activities”: provision of the personal data of a candidate or individual (whether by such candidate or individual or by a third party, such as a recruitment agency) to provide services to Brown Graphics clients other than through a campaign for which other privacy terms are specifically provided;
- “use of our Website”: the processing of personal data by Brown Graphics in connection with the processing of personal data on the Brown Graphics website www.browngraphics.co.uk, including any personal data that website visitors may provide through the use of the website including use of our contact forms (“Website”).
References in this notice to “you” or “your” are references to individuals whose personal data Brown Graphics processes in connection with the items listed above. For the avoidance of doubt any reference in this policy to our “clients” or “suppliers” includes their employees or other staff whose personal details we process.
References in this notice to “Brown Graphics”, “we”, “us” or “our” are references to Brown Graphics Limited.
2. The Controller
A “controller” is a person or organisation who alone or jointly determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. This notice is issued on behalf of Brown Graphics Limited as controller. Unless we notify you otherwise Brown Graphics Limited is the controller for your personal data.
3. Changes to your personal data
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. If you do not provide us with the data we request or do not keep it up to date we may be unable to provide services to you. We will destroy personal data that we hold once it is no longer relevant to the purpose for which it was collected and in any case no later than 3 years after we last provided or received goods or services to or from you.
4. The personal data we collect about you
Personal data includes any information relating to an identified or identifiable natural person. It does not include data that cannot be linked in an individual (anonymous data).
We collect, use, store and transfer different kinds of personal data about you. We have grouped together the following categories of personal data to explain how this type of information is used by us. Not all categories of data are collected for each individual. These terms are used throughout this notice:
“Identity data”: including your first name, middle names, maiden name, last name, marital status, title, date of birth, passport number, photographic identification and gender;
“Contact data”: including your billing address, delivery address, email address and telephone number;
“Financial data”: including your bank account and payment card details;
“Services data”: including details about payments to and from you and other details of services you have purchased from us or we have purchased from you;
“Technical data”: includes technical information collected when you access our Website, including your internet protocol (IP) address or domain names of the devices utilised, your browser type and version, uniform resource identifier (URI) address, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you are using;
“Professional information”: including your job title, email address, phone number and addresses;
“Professional history”: including your previous positions and professional experience.
5. How your personal data is collected
We use different methods to collect personal data from and about you, including through the channels set out below:
Direct interactions: you give us your personal data in your direct interactions with us. This may be (i) by filling in forms on our Website; (ii) by corresponding with us by email or post, or (iii) by speaking to us in person or over the telephone.
Website, electronic portals and platforms, and marketing: you give us your personal data when you use our Website. We also collect your personal data by using server logs and other similar technologies.
Third-party sources: we receive Identity Data, Contact Data, Financial Data, and Professional Information about you from third parties, when:
- we provide our client services or other parties send us your personal data to enable the provision of those service;
- we conduct our “know your customer” and other background checks;
- you provide your personal data to a third party for the purpose of sharing it with us, for instance recruitment agencies and consultants may provide your personal data to us for recruitment activities; and
- we interact with governmental or regulatory bodies or other authorities (for instance, HM Revenue and Customs) in relation to you or on your behalf.
In relation to the use of our Website, we may also receive Technical Data from analytics providers such as Google based outside the EU.
6. How we use your personal data
We will only process (i.e. use) your personal data as legally permitted and as set out below.
We use your personal data in the following circumstances:
- “performance of a contract”: where we need to perform a contract which we are about to enter into or have entered into with you as a party or to take steps at your request before entering into such a contract;
- “legal or regulatory obligation”: where we need to comply with a legal or regulatory obligation that we are subject to;
- “legitimate interests”: where you would anticipate the use of the data such as the use of couriers to send material to you or where it is necessary for our interests (or those of a third party), provided that your fundamental rights do not override such interests such as to identify fraud or security issues with our website;
- “consent”: where you have provided your consent to processing your personal data.
Where we rely on consent to process your data you may withdraw such consent at any time.
The following sets out the ways in which we use your personal data and the legal bases we rely on to do so. Where appropriate, we have also identified our legitimate interests in processing your personal data.
We may process your personal data for more than one legal basis depending on the specific purpose for which we are using your personal data. Please contact us if you would like to know more about the specific legal basis we are relying on to process your personal data where more than one ground has been set out below.
In relation to our client services:
Purpose and/or activity: to deliver client services.
Type of data: identity data; contact data; financial data; services data; technical data; professional information.
Legal basis for processing: performance of a contract; legal or regulatory obligation; legitimate interests: ensuring that you are provided with the best client services we can offer, and securing a prompt payment of any fees, costs and debts in respect of our services.
Purpose and/or activity: to manage payments, fees and charges and to collect and recover money owed to us.
Type of data: identity data; contact data; financial data; professional information.
Legal basis for processing: performance of a contract; legitimate interests: ensuring we can manage payments, fees and charges and to collect and recover money owed to us.
Purpose and/or activity: to manage our relationship with you which will include notifying you about changes to our terms of business.
Type of data: identity data; contact data; profile data; marketing and communications data; professional information.
Legal basis for processing: performance of a contract; legal or regulatory obligation; legitimate interests: ensuring we can notify you about changes to our terms of business.
Purpose and/or activity: to interact with governmental or regulatory bodies or other authorities in relation to you.
Type of data: identity data; contact data; financial data; services data; professional information.
Legal basis for processing: performance of a contract; legal or regulatory obligation; public interest.
In relation to our supplier services:
Purpose and/or activity: to check whether we would have a conflict of interest in appointing you as a supplier.
Type of data: identity data; contact data.
Legal basis for processing: legal or regulatory obligation; legitimate interests: ensuring we (and all other parties concerned) understand any conflict of interest which may arise for us in a matter.
Purpose and/or activity: manage payments, fees and charges and to collect and recover money owed to us.
Type of data: identity data; contact data; financial data; professional information.
Legal basis for processing: legal or regulatory obligation; performance of a contract; legitimate interests: ensuring we can manage payments, fees and charges and to collect and recover money owed to us.
In relation to use of our website:
Purpose and/or activity: to manage and protect our business and our website, including improving data security, troubleshooting data and systems, system maintenance and testing, data hosting and reporting.
Type of data: identity data; contact data; technical data.
Legal basis for processing: legitimate interests: ensuring the efficient and secure running of the website, including through maintaining information technology services, network and data security.
Purpose and/or activity: to use data analytics to improve our website, our services, marketing, customer relationships and experiences.
Type of data: technical data.
Legal basis for processing: legitimate interests: reviewing how clients use and what they think of our website, improving our Website and identifying ways to grow our business.
7. Change of purpose
We will only use your personal data for the purposes for which we collected it unless we have your consent or are acting in compliance with an overriding law such as for the prevention of fraud.
8. Third-party marketing
We do not share your personal data with any organisations outside of Brown Graphics for marketing purposes.
9. Disclosures of your personal data
We will not generally share your personal data with third parties without your express consent however there are occasions when we may have to share your personal data with other organisations for the purposes for which we collected the personal data such as a client, professional advisors or other service providers or for the smooth running of our own organisation such as IT or financial professionals or as required by law such as for the prevention of crime.
Other than where the disclosure has been required by law we require any person or entity to whom we disclose personal data to respect the confidentiality and security of your personal data and to treat it in accordance with applicable laws and regulations. We do not allow such recipients of your personal data to use it for their own purposes, and we only permit them to process your personal data for specified purposes and in accordance with our instructions.
10. International transfers
Our servers are in the United Kingdom and all processing of your personal data by us is undertaken in the United Kingdom. In some cases, however other service providers with whom we are cooperating to provide services to you or the client for whom we have recruited you, may be based in other countries or use servers based abroad. Where this is the case we will only share the minimal amount of personal data necessary for the purpose of processing and, where possible, we will share the personal data in an anonymised form.
Whenever we transfer your personal data out of the EEA and/or the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government; and/or
- where we use certain service providers, we may use specific contracts approved by the UK Government, which aim to give personal data the same protection it has within the UK.
Please contact us if you would like further information about the specific mechanism used by us when transferring your personal data out of the UK.
11. Data security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
We ensure that those who have permanent or regular access to personal data, or that are involved in the processing of personal data, are trained and informed of their rights and responsibilities in when processing personal data.
12. Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. It is Brown Graphics policy to respect your rights and Brown Graphics will act promptly and in accordance with any applicable law, rule or regulation relating to the processing of your personal data.
Details of your rights are set out below:
- right to be informed about how personal data is used – you have a right to be informed about how we will use and share your personal data
- right to access personal data – you have a right to obtain confirmation of whether we are processing your personal data, access to your personal data and information regarding how your personal data is being used by us;
- right to have inaccurate personal data rectified – you have a right to have any inaccurate or incomplete personal data rectified;
- right to have personal data erased in certain circumstances – you have a right to request that certain personal data held by us is erased. This is not a blanket right to require all personal data to be deleted. We will consider each request carefully in accordance with the requirements of any laws relating to the processing of your personal data;
- right to restrict processing of personal data in certain circumstances – you have a right to block the processing of your personal data in certain circumstances. This right arises if you are disputing the accuracy of personal data, if you have raised an objection to processing, if processing of personal data is unlawful and you oppose erasure and request restriction instead or if the personal data is no longer required by us but you require the personal data to be retained to establish, exercise or defend a legal claim;
- right to data portability – in certain circumstances you can request to receive a copy of your personal data that you provided to us in a commonly used electronic format. This right only applies to personal data that you have provided to us (for example by completing a form or providing information through a website).
You may exercise any of your rights at any time by contacting us on firstname.lastname@example.org. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than one calendar month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.