This document explains how WiFi SPARK obtains, holds, uses and discloses information about people (‘Personal Data’), the steps taken to ensure that it is protected, and also describes the rights individuals have in regard to their Personal Data handled by WiFi SPARK.
The use and disclosure of Personal Data is governed in the United Kingdom by the General Data Protection Regulation (‘GDPR’). WiFi SPARK is registered with the Information Commissioner as a ‘data controller’ for the purposes of GDPR. As such WiFi SPARK is obliged to ensure that the company handles all Personal Data in accordance with GDPR.
WiFi SPARK takes that responsibility very seriously and takes great care to ensure that Personal Data is handled appropriately in order to secure and maintain individuals’ trust and confidence in WiFi SPARK.
‘Personal Data’ is defined under GDPR. In practical terms, it means information handled by WiFi SPARK that relates to identifiable living individuals. The information can be held electronically or as part of paper records and can include photographs. For ease of reading, this document refers to the handling, use, holding etc. of Personal Data.
WiFi SPARK is not the Data Controller for all WiFi services provided and any Subject Access or Amend Requests must be directed to the specific Data Controller for a service. If WiFi SPARK is the Data Controller, it is detailed on the specific User Experience for the service.
For some clients WiFi SPARK acts as a Data Controller. In these instances, WiFi SPARK either collects and controls Personal Data for the Legitimate Interests of both the Data Controller (WiFi SPARK) and the Data Subject or as part of a contract. This may be in the event that the service uses account-based authentication or where payments are taken for an enhanced service. This is detailed on the specific User Experience Portal for the service.
3. Why does WiFi SPARK handle Personal Data?
WiFi SPARK obtains, holds, uses and discloses Personal Data for the provision of services to support WiFi SPARK’s business. These include:
- Marketing including public relations, digital marketing and promotions
- Management of finance to and from WiFi SPARK including payments
- Internal review, accounting and auditing
- Management of complaints
- Management of information & communications technology systems
- Research, including surveys which may be carried out by an external agent
- Health and safety management
With regard to research, WiFi SPARK conducts satisfaction surveys to evaluate our performance and effectiveness. WiFi SPARK may contact individuals, such as service users and clients, or those reporting complaints to ask them for their opinion of the service we are providing. WiFi SPARK uses the information provided to improve services wherever possible.
4. Whose Personal Data does WiFi SPARK handle?
In order to carry out the purposes described in section 1 above WiFi SPARK may obtain, use and disclose (see section 7 below) Personal Data relating to a wide variety of individuals including the following:
- End Users of WiFi Services/Data Subjects
- Complainants, correspondents and enquirers
- Advisers, consultants and other professional experts
- Other individuals necessarily identified in the course of WiFi SPARK enquiries and activity
WiFi SPARK will only use appropriate Personal Data necessary to fulfil a particular purpose or purposes. It will collect the minimum information necessary to fulfil that purpose. Anyone working for WiFi SPARK may only use information which is necessary to carry out their official duties. Personal Data could be information which is held on a computer, in a paper record i.e. a file, as images, but it can also include other types of electronically held information.
5. What types of Personal Data does WiFi SPARK handle?
In order to carry out the purposes described under section 1 WiFi SPARK may obtain, use and disclose (see section 7 below) Personal Data relating to or consisting of the following:
- Personal details such as name, address and biographical details
- Account or payment details
- Financial details
- Goods or services provided
- Trade union membership
- References to manual records or files
- Information relating to health and safety
- Complaints and incident details
WiFi SPARK will only use appropriate Personal Data necessary to fulfil a particular purpose or purposes. Personal Data could be information which is held on a computer, in a paper record i.e. a file, as images, but it can also include other types of electronically held information.
6. Where does WiFi SPARK obtain Personal Data?
WiFi SPARK may obtain Personal Data from a wide variety of sources, including the following:
- Individual data subjects of a WiFi service
- Suppliers, providers of goods or services
- Persons making an enquiry or complaint
- Legal representatives
- Credit reference agencies
- Trade, employer associations and professional bodies
- Ombudsmen and regulatory authorities
- Openly available information from the internet
- Data Processors working on behalf of WiFi SPARK
WiFi SPARK may also obtain Personal Data from other sources such as its own correspondence.
7. How does WiFi SPARK handle Personal Data?
In order to achieve our purposes, WiFi SPARK will handle Personal Data in accordance with GDPR. In particular, the company will ensure that Personal Data is handled fairly and lawfully with appropriate justification. WiFi SPARK will strive to ensure that any Personal Data used by the company or on WiFi SPARK’s behalf is of the highest quality in terms of accuracy, relevance, adequacy and non-excessiveness, is kept as up to date as required, is protected appropriately, and is reviewed, retained and securely destroyed when no longer required. WiFi SPARK will also respect individuals’ rights under GDPR (see Section 11 below).
Personal Data is handled securely at rest and in transit and in accordance with the requirements of GDPR. Where access and/or amend requests are made, the company will ensure that changes, once validated, are completed within the required timeframes.
8. How does WiFi SPARK ensure the security of Personal Data?
WiFi SPARK takes the security of all Personal Data under the company’s control very seriously. WiFi SPARK will comply with the relevant parts of GDPR relating to security and seek to comply with Articles 32 – 34. WiFi SPARK will ensure that appropriate policies, training, technical and procedural measures are in place, including audit and integrity monitoring, to protect manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any Personal Data contained within them. These procedures are continuously managed and enhanced by the WiFi SPARK Information Security Team to ensure up-to-date security.
9. Who does WiFi SPARK disclose Personal Data to?
When Data Subjects provide information, they will be told what it will be used for and whom it will be shared with. WiFi SPARK may disclose, or enable access by other parties, including those from whom Personal Data is obtained as listed above. This may include disclosures to bodies or individuals working on behalf of WiFi SPARK such as support contractors or partners. However, WiFi SPARK will not supply these organisations with your information unless it is satisfied that equal measures are in place to protect the information from unauthorised access.
Disclosures of Personal Data will be made on a case-by-case basis, using the Personal Data appropriate to a specific purpose and circumstances, and with necessary controls in place.
Where monies are due or outstanding WiFi SPARK reserves the right to use all the available information at its disposal to protect its business interests.
WiFi SPARK will not supply your information to any organisation for marketing purposes without your prior consent.
WiFi SPARK periodically undertakes surveys through online survey systems e.g. Survey Monkey. Respondents should satisfy themselves regarding the privacy notices associated with any third-party software provider.
WiFi SPARK will also disclose Personal Data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. WiFi SPARK may also disclose Personal Data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
10. Data Processing Notice as Data Controller
Article 13 of GDPR stipulates what information must be available to a Data Subject at the point of consent to Data Processing. Where WiFi SPARK is the Data Controller please see the following information:
Data Controller Name: WIFI SPARK LIMITED
Data Controller Email: email@example.com
Data Controller Website: www.wifispark.com
Data Protection Group Contact Email: firstname.lastname@example.org
Legal Basis for Data Processing: Service dependent; stipulated on the specific service’s User Experience Portal
Who has access to the Personal Data collected from Data Subjects?
WIFI SPARK LIMITED
SYNAPTIX SOLUTIONS LTD
DATABARRACKS (UK) LTD
Any other partner detailed on a specific User Experience Portal
11. What are the rights of Data Subjects?
Under GDPR, individuals have the following rights:
The right to be informed
Data Subjects have the right to be informed about the collection and use of their Personal Data. This is a key element of transparency. This must include:
- The purposes of processing their Personal Data
- The retention periods for keeping the Personal Data
- The parties with access to the data
The information must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
The right to Access
Under GDPR, individuals will have the right to obtain:
- Confirmation that their data is being processed;
- Access to their personal data; and
- Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15)
The right to Rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the Personal Data has been disclosed to third parties, each recipient must be contacted in order to inform them of the rectification, unless this proves impossible or involves a disproportionate effort. If asked to, Data Controllers must also inform the individuals about these recipients.
The right to Erasure (Right to be Forgotten)
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
The right to Restrict Processing
Individuals have a right to ‘block’ or suppress processing of personal data.
When processing is restricted, Data Controllers & Processors are permitted to store the personal data, but not further process it.
Data Controllers can retain just enough information about the individual to ensure that the restriction is respected in future.
Data Controllers & Processors will be required to restrict the processing of personal data in the following circumstances:
- Where a Data Subject contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.
- Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual.
- When processing is unlawful and the individual opposes erasure and requests restriction instead.
- If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
The right to Data Portability
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- Some organisations in the UK already offer data portability through the ‘midata’ and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
- It enables consumers to take advantage of applications and services which can use this data to find them a better deal or help them understand their spending habits.
The right to Object
Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- Direct marketing (including profiling); and
- Processing for purposes of scientific/historical research and statistics.
Data Controllers & Processors must stop processing the personal data unless:
- They can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- The processing is for the establishment, exercise or defence of legal claims.
Data Subjects must be informed of their right to object “at the point of first communication” and in the privacy notice. This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
The right to be informed of any Automated Decision Making, including Profiling
The GDPR has provisions on:
- Automated individual decision-making (making a decision solely by automated means without any human involvement); and
- Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
GDPR applies to all automated individual decision-making and profiling.
Article 22 of GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.
- Necessary for the entry into or performance of a contract; or
- Authorised by Union or Member state law applicable to the controller; or
- Based on the individual’s explicit consent.
The Data Controller must identify whether any processing falls under Article 22 and, if so, make sure that you:
- Give individuals information about the processing;
- Introduce simple ways for them to request human intervention or challenge a decision;
- Carry out regular checks to make sure that your systems are working as intended.
12. Automated Decision Making in Practice
WiFi SPARK makes automated decisions based on Personal Data and media downloaded from our corporate web site in order to provide sector-specific direct marketing. Please note that this is from resources on WiFi SPARK’s web site only, not from WiFi services. Specific opt-in is required for this decision making and direct marketing at the time of download.
13. Lodging a Concern
If individuals have any concerns regarding the way their Personal Data is handled by WiFi SPARK or the quality (accuracy, relevance, non-excessiveness etc) of their Personal Data they are encouraged to raise them with WiFi SPARK’s Data Protection Team.
FAO Data Protection Team
WiFi SPARK 5 Cranmere Court
Matford Business Park
If you wish to update your information as a Data Controller, please follow this link: www.wifispark.com/update
Supervisory Authority
The Information Commissioner is the independent regulator responsible for enforcing GDPR and can provide useful information about GDPR’s requirements. They should also be contacted if a Data Subject wishes to raise a concern with regard to how Personal Data is controlled or processed.
The Information Commissioner’s Office may be contacted using the following:
The Information Commissioner’s Office
0303 123 1113
14. How long does WiFi SPARK retain Personal Data?
WiFi SPARK keeps Personal Data as long as is necessary for the particular purpose or purposes for which it is held and disposes of it in a secure manner when no longer needed. The periods for retention of information are specified in WiFi SPARK’s Retention Schedule; however, payment details are kept in line with the requirements for HMRC, and where WiFi SPARK is the Data Controller of a Guest WiFi Service for a particular client, we keep Personal Data for 6 months after the last time the service was used. Where this situation is relevant, the specific site’s portal details this.
WiFi SPARK may monitor or record and retain telephone calls, text, emails and other electronic communications to and from WiFi SPARK in order to deter, prevent and detect inappropriate or criminal activity, to ensure security and to assist its Business Purposes.