Zenito Limited (“We“) is committed to ensuring that your privacy is protected.
You may be asked to provide personal data whilst you are in contact with us. Personal data is information that can be used to identify or contact you. You do not have to provide the personal data that we request, however, if you choose not to, we may not be able to provide you with the services that you have requested.
If we combine personal data with non-personal data, the combined information will be treated as personal data for as long as it remains combined. Personal data does not include data where the identity has been removed (anonymous data).
For the purpose of the General Data Protection Regulations ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation (“Data Protection Legislation”) the data controller is Zenito Limited a company registered in England and Wales with company registration number 11930813 whose registered office is at 27 Old Gloucester Street, London, WC1N 3AX.
Personal data that we collect in relation to you
The personal data we collect may include (but is not limited to):
Your email address and contact information; and
Your internet protocol address or other online identifiers.
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
How we collect your personal data
If you contact us (by telephone, e-mail, instant messenger or voice over IP) we will collect your personal data and process it in accordance with the processes outlined in this policy. This may include discussing matters with you in relation to an enquiry about our services or a contract that we may enter into with you.
How we use your information
We will only process your personal data if we have a legal basis for doing so, as outlined in this policy or as notified to you at the time we collect your personal data, and for the purposes for which it was collected for, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you prior to commencing that processing and we will explain the legal basis which allows us to do this. Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.
Your personal data may be shared with third parties, including (but not limited to) the following:
third parties where we are under a duty to disclose your personal data to comply with any legal obligation, or to appropriate regulators or other law enforcement organisations;
third parties to whom we choose to sell, transfer, or merge parts of our business or our assets; and
third party suppliers to us, including (for example) insurance providers, auditors and our IT providers.
If your personal data is to be shared with any other third parties, we will take steps to protect your personal data. Your personal data will not be shared with third parties for third party marketing purposes.
On what basis we process your personal data
We are not allowed to process your personal data unless we have a legal basis for doing so.
There are four main legal bases that we rely on when it comes to processing someone’s personal data. These are:
“Legitimate interest” – this is where we need to process your personal data, for example, if we need to contact you because you have raised a general query with us or where we are in contact with you about this or similar issues, or, in terms of your IP address and any information gathered via “Cookies”, to aid your use and navigation of our website (www.zenito.co.uk). We may also have a legitimate interest to contact you about services that may be of interest to you as part of any marketing campaign.
“Necessary for performing a contract” – this is where if we are in a contract with you (or about to enter into a contract with you and you have requested certain pre-contract details) and we need to use your personal details to complete this contract – for example, we might need to use your e-mail address to communicate with you.
“Consent” – this is where we set out specific circumstances where we want to process your personal data and request your consent for this. We will make sure that your consent is explicit. We will usually ask you to tick a box (or similar) to confirm that you have provided your consent. You can withdraw your consent at any time by sending an email to email@example.com.
“Compliance with a legal obligation” – this is where we might need to process your personal data in order to comply with a common law or statutory obligation, such as disclosures for compliance with HMRC requirements, requirements relating to money laundering or other such disclosures. We will only process your personal data for this reason if it is necessary and we would not otherwise be able to comply with that legal obligation without such processing.
Marketing: As mentioned above, we may market to you on the basis that we have legitimate interests to market our business and we may have identified the organisation that you work for as a business that we would like to market to. We will therefore rely on legitimate interests as our legal basis for processing your personal data that may be connected to your organisation’s contact records for this purpose, however we will balance this against your rights as a data subject and will no longer market to you if you wish to unsubscribe from receiving such marketing communications directly to your contact details. Alternatively, where we do not have a legitimate interest to market to you, then we will seek your consent to do so, which will then be our legal basis for contacting you in that way.
Where we store your personal data
Some of the third parties which we work closely with are based outside of the European Economic Area (“EEA”) so their processing of your personal data will involve a transfer of data outside of the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
While we do our best to protect your personal data, we cannot guarantee the security of any information that you transmit to us.
Under Data Protection Legislation, in certain circumstances you have the following rights in relation to your personal data:
Right to access. You have the right to request access to information held about you. We will provide you with a copy of your personal data held by us free of charge (providing your request is not excessive or for multiple copies, in which case we may charge a reasonable fee to cover our costs) and certain information about the processing of your personal data and the source of such data (if not directly collected from you by us). You also have the right to request that your personal data is transferred to a third party.
Right to object to data processing. You may withdraw your consent to the processing of your personal data at any time by contacting us. Upon receipt of your notification, we shall promptly stop any processing of your personal data and (if requested by you) erase such information if we are not required to retain it for legitimate business or legal purposes.
Right to restrict processing. You may ask us to suspend the processing of your personal data in the following circumstances:
if you do not think your personal data is accurate;
where we are found to be processing unlawfully but you do not want us to erase your personal data;
where you need us to continue holding your personal data to establish, exercise or defend legal claims; or
you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
Right of rectification and right of erasure. You have the right to request that we correct or erase any inaccuracies in your personal data if such information would be incomplete, inaccurate or processed unlawfully.
Where we are relying on consent to process your personal data, you may withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
You can exercise these rights at any time by contacting us at firstname.lastname@example.org. We may reject requests that are unreasonable or require disproportionate effort (for example, such a request would result in a fundamental change to our existing practice) or risk the privacy of others.
Our site may, from time to time, contain links to and from third party websites. Please note that we are not responsible for the privacy practices of any websites other than our own.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Personal data retention
We may retain information about you, including personal data, for the period necessary to fulfil the purposes for which it was first collected unless a longer retention period is required or permitted by law. In determining data retention periods, we take into consideration contractual obligations, legal obligations and the expectation and requirements of our customers. When personal data is no longer needed, we will securely delete or destroy it.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
If you have any cause for complaint about our use of your personal data, please contact us using the details provided above and we will do our best to solve the problem for you. If we are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office (www.ico.org.uk).
Last updated: 22 October 2019