This document explains how WiFi SPARK obtains, holds, uses and discloses information about people (‘Personal Data’) [1), the steps taken to ensure that it is protected, and also describes the rights individuals have in regard to their Personal Data handled by WiFi SPARK.
The use and disclosure of Personal Data is governed in the United Kingdom by the General Data Protection Regulation (‘GDPR’). WiFi SPARK is registered with the Information Commissioner as a ‘data controller’ for the purposes of GDPR. As such WiFi SPARK is obliged to ensure that the company handles all Personal Data in accordance with GDPR.
WiFi SPARK takes that responsibility very seriously and takes great care to ensure that Personal Data is handled appropriately in order to secure and maintain individuals’ trust and confidence in WiFi SPARK.
‘Personal Data’ is defined under GDPR. In practical terms, it means information handled by WiFi SPARK that relates to identifiable living individuals. The information can be held electronically or as part of paper records and can include photographs. For ease of readers, this document refers to the handling, use, holding etc of Personal Data.
WiFi SPARK is not the Data Controller for all WiFi services provided and any Subject Access or Amend Requests must be directed to the specific Data Controller for a service. If WiFi SPARK is the Data Controller, it is detailed on the specific User Experience for the service.
For some clients WiFi SPARK acts as a Data Controller. In these instances, WiFi SPARK either collects and controls Personal Data for the Legitimate Interests of both the Data Controller (WiFi SPARK) and the Data Subject or as part of a contract. This may be in the event that the service uses account-based authentication or where payments are taken for an enhanced service. This is detailed on the specific User Experience Portal for the service.
WiFi SPARK obtains, holds, uses and discloses Personal Data for the provision of services to support WiFi SPARK’s business. These include:
With regard to research, WiFi SPARK conducts satisfaction surveys to evaluate our performance and effectiveness. WiFi SPARK may contact individuals, such as service users and clients, or those reporting complaints to ask them for their opinion of the service we are providing. WiFi SPARK uses the information provided to improve services wherever possible.
In order to carry out the purposes described in section 1 above WiFi SPARK may obtain, use and disclose (see section 7 below) Personal Data relating to a wide variety of individuals including the following:
WiFi SPARK will only use appropriate Personal Data necessary to fulfil a particular purpose or purposes. It will collect the minimum information necessary to fulfil that purpose. Anyone working for WiFi SPARK may only use information which is necessary to carry out their official duties. Personal Data could be information which is held on a computer, in a paper record i.e. a file, as images, but it can also include other types of electronically held information.
In order to carry out the purposes described under section 1 WiFi SPARK may obtain, use and disclose (see section 7 below) Personal Data relating to or consisting of the following:
WiFi SPARK will only use appropriate Personal Data necessary to fulfil a particular purpose or purposes. Personal Data could be information which is held on a computer, in a paper record i.e. a file, as images, but it can also include other types of electronically held information.
WiFi SPARK may obtain Personal Data from a wide variety of sources, including the following:
WiFi SPARK may also obtain Personal Data from other sources such as its own correspondence.
In order to achieve our purposes, WiFi SPARK will handle Personal Data in accordance with GDPR. In particular, the company will ensure that Personal Data is handled fairly and lawfully with appropriate justification. WiFi SPARK will strive to ensure that any Personal Data used by the company or on WiFi SPARK’s behalf is of the highest quality in terms of accuracy, relevance, adequacy and non-excessiveness, is kept as up to date as required, is protected appropriately, and is reviewed, retained and securely destroyed when no longer required. WiFi SPARK will also respect individuals’ rights under GDPR (see Section 11 below).
Personal Data is handled securely at rest and in transit and in accordance with the requirements of GDPR. Where access and or amend requests are given the company will ensure that changes, once validated, are within the required timeframes.
WiFi SPARK takes the security of all Personal Data under the company’s control very seriously. WiFi SPARK will comply with the relevant parts of GDPR relating to security and seek to comply with Articles 32 – 34. WiFi SPARK will ensure that appropriate policies, training, technical and procedural measures are in place, including audit and integrity monitoring, to protect manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any Personal Data contained within them. These procedures are continuously managed and enhanced by the WiFi SPARK Information Security Team to ensure up-to-date security.
When Data Subjects provide information, they will be told what it will be used for and whom it will be shared with. WiFi SPARK may disclose, or enable access by other parties, including those from whom Personal Data is obtained as listed above. This may include disclosures to bodies or individuals working on behalf of WiFi SPARK such as support contractors or partners. However, WiFi SPARK will not supply these organisations with your information unless it is satisfied that equal measures are in place to protect the information from unauthorised access.
Disclosures of Personal Data will be made on a case-by-case basis, using the Personal Data appropriate to a specific purpose and circumstances, and with necessary controls in place.
Where monies are due or outstanding WiFi SPARK reserves the right to use all the available information at its disposal to protect its business interests.
WiFi SPARK will not supply your information to any organisation for marketing purposes without your prior consent.
WiFi SPARK periodically undertakes surveys through online survey systems e.g. Survey Monkey. Respondents should satisfy themselves regarding the privacy notices associated with any third-party software provider.
WiFi SPARK will also disclose Personal Data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. WiFi SPARK may also disclose Personal Data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
Article 13 of GDPR stipulates what information must be available to a Data Subject at the point of consent to Data Processing. Where WiFi SPARK is the Data Controller please see the following information:
Data Controller Name: WIFI SPARK LIMITED
Data Controller Email: firstname.lastname@example.org
Data Controller Website: www.wifispark.com
Data Protection Group Contact Email: email@example.com
Legal Basis for Data Processing: Service Dependent stipulated on the specific services’ User Experience Portal
Who has access to the Personal Data collected by Data Subjects?:
WIFI SPARK LIMITED
SYNAPTIX SOLUTIONS LTD
DATABARRACKS (UK) LTD
Any other partner detailed on a specific User Experience Portal
Under GDPR Individuals have the following rights:
Data Subjects have the right to be informed about the collection and use of the Personal Data. This is a key element of transparency. This must include:
The information must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
Under GDPR, individuals will have the right to obtain:
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the Personal Data has been disclosed to third-parties, each recipient must be contacted in order to inform them of the rectification - unless this proves impossible or involves a disproportionate effort. If asked to, Data Controllers must also inform the individuals about these recipients.
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
Individuals have a right to ‘block’ or suppress processing of personal data.
When processing is restricted, Data Controllers & Processors are permitted to store the personal data, but not further process it.
Data Controllers can retain just enough information about the individual to ensure that the restriction is respected in future.
Data Controllers & Processors will be required to restrict the processing of personal data in the following circumstances:
Individuals have the right to object to:
Data Controllers & Processors must stop processing the personal data unless:
This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
The GDPR has provisions on:
GDPR applies to all automated individual decision-making and profiling.
Article 22 of GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.
The Data Controller must identify whether any of processing falls under Article 22 and if so, make sure that you:
WiFi SPARK makes automated decisions based on Personal Data and media downloaded from our corporate web site in order to provide sector-specific direct marketing. Please note that this is from resources on WiFi SPARK’s web site only, not from WiFi services. Specific opt-in is required for this decision making and direct marketing at the time of download.
If individuals have any concerns regarding the way their Personal Data is handled by WiFi SPARK or the quality (accuracy, relevance, non-excessiveness etc) of their Personal Data they are encouraged to raise them with WiFi SPARK’s Data Protection Team.
FAO Data Protection Team
WiFi SPARK 5 Cranmere Court
Matford Business Park
If you wish to update your information as a Data Controller, please follow this link: www.wifispark.com/update
Supervisory Authority The Information Commissioner is the independent regulator responsible for enforcing GDPR and can provide useful information about GDPR’s requirements. They should also be contacted if a Data Subject wishes to raise a concern with regard to how Personal Data is controlled or processed.
The Information Commissioner’s Office may be contacted using the following:
The Information Commissioner’s Office
0303 123 1113
WiFi SPARK keeps Personal Data as long as is necessary for the particular purpose or purposes for which it is held and will be disposed of in a secure manner when no longer needed. The periods for retention of information are specified in WiFi SPARK’s Retention Schedule, however payment details are kept inline with the requirements for HMRC, and where WiFi SPARK is the Data Controller of a Guest WiFi Service for a particular client, we keep Personal Data for 6 months after the last time the service was used. Where this situation is relevant, the specific sites portal details this.
WiFi SPARK may monitor or record and retain telephone calls, text, emails and other electronic communications to and from WiFi SPARK in order to deter, prevent and detect inappropriate or criminal activity, to ensure security and to assist its Business Purposes.