In the course of our work we occasionally collect and process personal data.
Under the definitions in the UK GDPR Panda is both a Data Controller – for data it collects to support the running of its business. And a Data Processor, where it processes information on behalf of its client.
Data that we hold
As a data controller, we hold personal data for a variety of contractual reasons. These include:
> Data to help us deliver a contract to a client. This can include information that is commercially sensitive.
> Data about our staff and associates to help us meet our contractual obligations to them, as well as to advance our legitimate business interests. For example being able to pay them, keeping records of our decisions and providing a suitable and safe working environment.
> Data on user research participants which we use to deliver a contract to a client.
> Personal data voluntarily provided to us, by past, present and potential clients, in order to keep them informed of our work through marketing
> Personal data voluntarily provided to us by people who apply for a role at Panda (whether an open vacancy or not)
How we process our data
Data we hold is kept in a selected cloud based software systems including
As part of our role as a Data Controller we review what information is being processed with these systems to ensure that the arrangements are GDPR compliant.
We assume consent when any of the below information has been voluntarily provided to us.
> Applications for a vacancy at Panda (whether an open role or “general application”)
> Applications to receive marketing material from us
> Applications to participate in user research
> Requests for proposals to conduct new client work
The use of all information will be limited to its intended use, such as to fulfil a contractual obligation, or to apply for a job vacancy.
The use of data beyond the intended use, will require explicit consent from the owner of that information. In this instance, Panda will contact the information owner and seek consent for the new use.
When conducting user research on behalf of our clients we require explicit consent from participants to gather and store their personal data, which will be kept for no longer than is necessary to fulfil our contractual obligations.
You may have a number of rights concerning the data we hold about you. If you wish to exercise any of these rights, please contact our Data Protection Officer as set out above.
> The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this policy.
> The right of access. You have the right to obtain access to your information.
> The right to rectification. You are entitled to have your information corrected if it is inaccurate or incomplete.
> The right to erasure. Enables you to request the deletion or removal of certain information that we hold about you.
> The right to restrict processing. You have rights to ‘block’ or ‘suppress’ further use of your information. When processing is restricted, we can still store your information, but will not use it further.
> The right to data portability. You have the right to obtain your personal information in an accessible and transferrable format so that you can re-use it for your own purposes across different service providers.
> The right to lodge a complaint. You have the right to lodge a complaint about the way we handle or process your information.
> The right to withdraw consent. If you have given your consent to anything we do with your information (i.e. to deliver a contract, meet our obligations as an employer, or justifiably means to run our business) you have the right to withdraw that at any time. Withdrawing consent will not however make unlawful our use of your information while consent had been apparent.
> The right to object to processing. You have the right to object to certain types of processing, including processing for direct marketing and profiling.