Privacy Policy

Section A

We understand that your privacy is important to you and that you care about how your Personal Data is used. This policy sets out how we will collect and process any Personal Data we collect about you after completing a survey, visiting our website or enquiring about our Services.

By visiting https://www.smithhenderson.com or using our Services, you are accepting and consenting to the practices described in this policy.

In this Privacy Policy, a reference to:

  • smith+henderson, we, us or our means Smith & Henderson Ltd of 10 Linford Forum, Rockingham Drive, Milton Keynes, MK14 6LY, UK and any of its related bodies;
  • Employer or Service Provider means, in relation to you, the person or entity that has contracted with smith+henderson to allow you to use smith+henderson services;
  • Survey respondent or invitee means the person providing information through a smith+henderson survey or our Platform;
  • Services means our technology Platform, employee or service provider surveys or consulting services, and our websites (smithhenderson.com, www.engagementdashboard.co.uk, www.bestfranchiseawards.co.uk);
  • Platform means our survey tool, dashboards and analytics modules where you may administer surveys, complete these or access the results;
  • Data Protection Legislation means (whilst they are in force) the Data Protection Act 1998; the EU General Data Protection Regulation (“GDPR”); and any successor legislation to the Data Protection Act 1998 or the GDPR and any other applicable laws and regulations relating to the Processing of Personal Data and privacy.
  • Personal Data, Data Controller, Data Processor, Data Subject and Process are as defined in the Data Protection Legislation.

 

The person with responsibility for our data protection compliance is the Data Privacy Manager, who can be contacted by emailing support@smithhenderson.com.

We will act in respect of Personal Data to comply with the six principles of the GDPR, which are:

  • Lawfulness, fairness and transparency;
  • Purpose limitation;
  • Data minimisation;
  • Accuracy;
  • Storage limitation;
  • Integrity and confidentiality.

You have rights in respect of how your Personal Data can be Processed, which are detailed below.

DATA SECURITY

We have put in place measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those of our people and other third parties who have a business need to know. They will only Process your Personal Data on our instructions and where they have agreed to treat the information confidentially and to keep it secure. We have put in place procedures to deal with any suspected data security breach and will notify you and the ICO of a suspected breach where we are legally required to do so.

 

YOUR RIGHTS

Under certain circumstances, you have the right by law to:

  • Request access to your Personal Data. This enables you to ask to receive a copy of the Personal Data that we hold about you and to check that we are lawfully Processing it.
  • Request correction of the Personal Data that we hold about you.
  • Request erasure of your Personal Data.
  • Object to Processing of your Personal Data where we are relying on our legitimate interest and there is something about your particular situation which makes you want to object to Processing on this ground. You also have the right to object where we are Processing your personal information for direct marketing purposes.
  • Request the restriction of Processing of your Personal Data.
  • Request the transfer of your Personal Data to another party.

 

COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA

We collect and Process data for the following reasons:

  1. Personal Data collected and created in relation to our employee or service provider survey services; and
  2. Personal Data relating to people who have asked to receive our newsletters and other information services or marketing materials; and
  3. Personal Data relating to our people, which means those people working for our company, or providing services to us, or potentially working or providing services to us, including employees, consultants, temporary or casual workers and contractors.

All of our employees are required to abide by our Privacy Policy when handling Personal Data and will be provided with appropriate data protection training. Any breach of data protection will be taken seriously and may result in disciplinary action. Our Data Privacy Manager will provide the advice and guidance to our people on data protection issues, as is required.

 

LINKS FROM OUR WEBSITE

Our websites may, from time to time, contain links to and from the websites of third parties that we permit to make such links. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. We recommend that you check these policies before you submit any Personal Data to these websites.

 

CHANGES TO YOUR PERSONAL DATA

It is very important that the personal information that we hold about you is accurate and current. Please tell us if your personal information changes during your relationship with us.

 

WHERE WE STORE YOUR PERSONAL DATA AND HOW THIS IS PROCESSED

The way your data is stored and Processed will depend on the nature of it and how we have received it:

  • All Personal Data directly related to performing our Services and provided by survey respondents is only Processed within the EEA. Section B (For our Survey Respondents) provides more information, including when this data is disclosed to third parties and how long it is retained for.
  • Some Personal Data gathered through other sources, such as when you download an e-book or guide through our website, may be Processed outside of the EEA, provided this is adequately protected, as required by the GDPR, by trusted suppliers under the EU-US Privacy Shield and Swiss-U.S. Privacy Shield regimes. See Section C.

 

THE GROUNDS ON WHICH WE HOLD PERSONAL DATA

In order to Process Personal Data, we must have valid legal grounds to hold and manage it in accordance with Data Protection Legislation.

In relation to our clients, it is likely that our legal ground will be that we are Processing their Personal Data in order to perform the services under our contract with them.

In relation to our employees, our grounds for Processing their Personal Data may be both (1) under contract; and (2) our legitimate interest in holding the data (for example, the need to hold certain employee records).

Where individuals have asked to be added to our database, our reason for holding their data may be based on their consent (as well as in certain circumstances on our legitimate interest).

Where our Processing of Personal Data is based on the Data Subject’s consent, it may be possible for the Data Subject to withdraw that consent (and thereby our ground for holding their Personal Data). In that event, we will stop the Processing of their Personal Data.

We may only share your Personal Data with third parties on the same basis: where we have valid legal grounds to do so. So, we may share your Personal Data where necessary to perform a contract with you, where it is in our legitimate interest to do so or when you have specifically consented to it.

Finally, there are some other valid grounds for Processing (or sharing) Personal Data: (i) where there is a legal obligation that we must; (ii) where it is of vital interest that we should share the Personal Data (to protect someone’s life); or (iii) where it is part of a public task or official function.

 

Section B

FOR OUR SURVEY RESPONDENTS

We are the Data Processor of the Personal Data supplied to us by our clients, who remain the Data Controller in respect of their Personal Data. We are therefore responsible for making sure that our systems, Processes and people comply with the relevant data protection laws as a Data Processor of that Personal Data.

Collection:

When entering into an agreement with smith+henderson, your employer or service provider may share with us, or upload directly to our Platform, certain demographic and Personal Data, which may for example, include name, age, gender, email address, job title, level of seniority, department, work or service start date, and primary location.

The other data we collect about you is provided by you in the survey itself:

  • Survey data: we store the survey data (questions and answers) respondents complete or submit via our Platform
  • Other data you submit: we may collect your personal information or data if you submit it to us in other contexts. For example, by giving us a testimonial, by entering a contest or entering into correspondence with us

Each time you complete a survey or use our Platform, we may collect information about you, including when and how you use the Platform; any comments or feedback you provide to us; and technical information about your computer or mobile device for analysis and system administration, such as your IP address, operating system and browser type.

Use:

We may use the personal information we hold in the following ways:

  • To provide your employer or service provider with reports and analysis, summarising the information gathered through our Platform and surveys. This may include demographic analysis, based on respondent’s survey answers or demographic information provided by you
  • We will take all reasonable steps to protect respondents’ confidentiality, like merging their feedback with other employees’ – please see our Confidentiality Promise for more information
  • To notify you about changes to our Platform or our Services that you use
  • To deal with any enquiries, correspondence or complaints you have raised or have been raised by other parties relating to your use of our Platform or Services
  • To compile usage reports of our Platform or Services

 

The Grounds on which we Process Personal Data:

  • In order to Process Personal Data, we must have valid legal grounds to hold and manage it in accordance with Data Protection Legislation.
  • In relation to our clients, it is likely that our legal ground will be that we are Processing their Personal Data in order to perform the services under our contract with them.
  • In relation to our employees, our grounds for Processing their Personal Data may be both (1) under contract; and (2) our legitimate interest in holding the data (for example, the need to hold certain employee records).
  • Where individuals have asked to be added to our database, our reason for holding their data may be based on their consent (as well as in certain circumstances on our legitimate interest).
  • Where our Processing of Personal Data is based on the Data Subject’s consent, it may be possible for the Data Subject to withdraw that consent (and thereby our ground for holding their Personal Data). In that event, we will stop the Processing of their Personal Data.
  • We may only share your Personal Data with third parties on the same basis: where we have valid legal grounds to do so. So, we may share your Personal Data where necessary to perform a contract with you, where it is in our legitimate interest to do so or when you have specifically consented to it.
  • Finally, there are some other valid grounds for Processing (or sharing) Personal Data: (i) where there is a legal obligation that we must; (ii) where it is of vital interest that we should share the Personal Data (to protect someone’s life); or (iii) where it is part of a public task or official function.

 

Disclosure:

We may share your personal information to other third parties inside the EEA:

  • To deliver our Services – these third party providers include:
    3rd party provider: 3rd party policy
    • Amazon Web Servers: smith+henderson websites are hosted on Amazon Web Servers (AWS) in London and Dublin. Amazon confirms that AWS services will comply with GDPR when it becomes enforceable. (Amazon, n.d.)
    • Codibly: Codibly are a software agency, specialising in big data. Based in Krakow, Poland, Codibly help us develop, test and deploy some updates to our survey platform.
    • Egnyte: Egnyte stores EU customers’ data in their European data centre. Customer data is not accessed unless explicit permission is granted and the data does not leave the EU even when a support ticket is opened. (Egnyte, n.d.)
    • MailJet: We use MailJet to send our survey email invitations, using their European servers. “We are proud to announce our complete implementation of all GDPR’s rigid requirements as of December 2017.” (Mailjet, 2018)
    • Survey Gizmo: We may use SurveyGizmo (.eu for EU servers) to host bespoke surveys, such as research whitepapers or competitions. “SurveyGizmo is aware of the GDPR requirements that go into effect in May of 2018. We are in the process of working with a third party to ensure we will be compliant and have all necessary certifications before the deadline.” (Survey Gizmo, n.d.)
    • Thamesdown Marketing Services: Where large numbers of paper surveys are required, we will work with Thamesdown Marketing Services to print, distribute and data capture paper surveys. Thamesdown have over 30 years’ experience and their clients include major financial services institutions. For projects outside of the UK, we reserve the right to work with local partners after carrying out due diligence.

 

We may also disclose your information:

  • In the event that we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets
  • If Smith & Henderson Ltd or substantially all of its assets are acquired by a third party, in which case Personal Data held by it about its customers will be one of the transferred assets
  • If for the purposes of delivering our services, a third party is required who complies with the GDPR. For example, if we require to print, post and capture large amounts of paper surveys outside of the UK
  • If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use or Terms of Subscription and other agreements; or to protect the rights, property, or safety of Smith & Henderson Limited, our customers, or others.

In respect of all disclosures of Personal Data, we will only share the personal information which is necessary for the particular purpose for which it is provided, or where we have another legitimate interest in doing so (weighed up against your rights to have your data protected), and we will ensure that the Personal Data is appropriately protected.

 

Retention:

Reasonable measures are taken by each smith+henderson employee who is responsible for client relationships to adhere to the smith+henderson retention schedule:

  • After a project has finished, there may be cause to review the Personal Data which was shared as part of the project, in order to deal with any queries. For that reason, client’s Personal Data will be stored for up to 12 months after the project has finished or the company has terminated their contract with smith+henderson, unless specifically requested. This will be audited internally every December to ensure compliance.
  • If a client has signed up for continuous pulse surveys and decides to cancel their account, we will delete all Personal Data within 90 days of receiving this instruction
  • Email inboxes are continually monitored by the mailbox owner with an annual review taking place in December. For that reason data may be stored in Mailboxes for up to 12 months

 

Section C

FOR OUR NON-SURVEY RESPONDENTS

We are the Data Controller of the Personal Data supplied to us through our websites. We are therefore responsible for making sure that our systems, Processes and people comply with the relevant data protection laws in respect of that Personal Data.

Collection:

We collect and Process the following data about you:

  • Information you give us:
    • When you contact us or subscribe to our content, such as our newsletter, we collect your contact details, including your name and email address.
    • We may collect your personal information or data if you submit it to us in other contexts. For example, by giving us a testimonial, by entering a contest or entering into correspondence with us.
    • Personal Data may also be collected from you during the application and selection Process should we advertise any vacancies (for example via your application form and CV).

We may receive information about you if you use other websites we operate. We also work with third parties, including affiliate partners, sub-contractors, advertising networks, search engine providers and analytics providers and may receive information about you from them.

Use:

We may use the personal information we hold in the following ways:

  • For marketing activities
  • For recruitment purposes
  • To deal with any enquiries, correspondence or complaints you have raised or have been raised by other parties relating to your use of our Platform or Services

If you have opted in to receive our newsletters, other information services or marketing materials, we will use your personal information to distribute this/these to you.

If you have applied for a role with smith+henderson, either advertised or speculatively, Personal Data will be used for HR administration and management in respect of the selection of people to work for us (including suitability, eligibility and/or fitness to work).

Disclosure:

We may disclose your personal information to other third parties:

  • In the event that we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets
  • If Smith & Henderson Ltd or substantially all of its assets are acquired by a third party, in which case Personal Data held by it about its customers will be one of the transferred assets
  • If for the purposes of delivering our services, a third party is required who complies with the GDPR. For example, if we require to print, post and capture large amounts of paper surveys outside of the UK
  • If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use or Terms of Subscription and other agreements; or to protect the rights, property, or safety of Smith & Henderson Limited, our customers, or others.

All information gathered through our surveys and Platform is Processed within the EEA only. Information from other sources, such as our website may be Processed outside of the EEA, by trusted suppliers under the EU-US Privacy Shield and Swiss-U.S. Privacy Shield regimes.

In addition to those providers outlined in Section B, these may include:

3rd party provider: 3rd party policy

  • GoDaddy: We use GoDaddy to host our websites. “We will only share information about you that is necessary for the third party to provide the requested service. These companies are prohibited from retaining, sharing, storing or using your personally identifiable information for any secondary purposes.” (GoDaddy, n.d.)
  • MailChimp: We use MailChimp to send email newsletters. “We’ve been researching the GDPR and modifying many of our internal practices and policies over the last year, because we are committed to achieving compliance with the GDPR in 2018. For example, we’re in the Process of updating our Data Processing Agreement and third-party vendor contracts to meet the GDPR’s requirements.” (MailChimp, n.d.)
  • Zoho: We use Zoho as our CRM system, again using their EU servers. “Over the years, we have demonstrated our commitment to data privacy and protection by meeting the industry standards for ISO 27001 and SOC 2 Type 2. We already have strong Data Processing Agreements, and we are revising them to meet the requirements of the GDPR. Zoho Corporation participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework with respect to transfer of data to the US. We recognize that the GDPR will help us move towards the highest standards of operations in protecting customer data.” (Zoho.eu, n.d.)

 

Retention:

Data provided to smith+henderson via any of our websites are provided in full knowledge of its future use, with explicit consent in relation to each of the proposed uses. Those who leave their details may opt-in to receive marketing updates from smith+henderson. Until a person in our marketing database unsubscribes or requests to be forgotten, they will remain a part of it.

Upon unsubscribing, Personal Data will be retained for up to 90 days prior to deletion from our systems.

If you have shared your Personal Data in the form of a role application, smith+henderson will keep Personal Data of applicants who we do not employ for up to 12 months after we receive it.

 

CHANGES TO THIS PRIVACY POLICY

Any changes we may make to our privacy policy in the future will be posted on our website, so please ensure that you are viewing the correct version. Please contact us if you have any questions, comments or requests regarding this Privacy Policy.