Last updated August 14, 2023

1: Identity and contact details of the data controller

The data controller responsible in accordance with the purposes of the General Data Protection Regulation (GDPR) of the European Union and other data protection regulations is:

Business Smart Solutions Ltd.

20-22 Wenlock Road

London, N1 7GU

United Kingdom

0204 529 1139

[email protected]

www.businesssmartsolutions.co.uk

2: Contact details of the data protection officer

The designated data protection officer is:

Ben Moreton

CEO

Business Smart Solutions Ltd

0204 529 1139

3: General information on data processing

  1. Scope of processing personal data

    In general, we only process the personal data of our users to the extent necessary to provide a functioning website with our content and services. The regular processing of personal data only takes place with the consent of the user. Exceptions include cases where prior consent cannot be technically obtained and where the processing of the data is permitted by law.

  2. Legal basis for data processing

    Where consent is appropriate for processing personal data, Art. 6 (1) (1) (a) GDPR serves as the legal basis to obtain the consent of the data subject for the processing of their data.

    As for the processing of personal data required for the performance of a contract of which the data subject is party, Art. 6 (1) (1) (b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual activities.

    When it is necessary to process personal data in order to fulfil a legal obligation to which our company is subject, Art. 6 (1) (1) (c) GDPR serves as the legal basis.

    If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (1) (d) GDPR serves as the legal basis.

    If the processing of data is necessary to safeguard the legitimate interests of our company or that of a third party, and the fundamental rights and freedoms of the data subject do not outweigh the interest of the former, Art. 6 (1) (1) (f) GDPR will serve as the legal basis for the processing of data.

  3. Data removal and Storage Duration

    The personal data of the data subject will be erased or restricted as soon as the purpose of its storage has been accomplished. Additional storage may occur if this is provided for by the European or national legislator within the EU regulations, law, or other relevant regulations to which the data controller is subject. Restriction or erasure of the data also takes place when the storage period stipulated by the aforementioned standards expires, unless there is a need to prolong the storage of the data for the purpose of concluding or fulfilling the respective contract.

    In compliance with ISO 9001 standards, we maintain detailed records of all personal data processing activities. These records are systematically reviewed to ensure accuracy, completeness, and compliance with both legal obligations and our commitment to quality management.

    3.1 Data Retention Periods

    To ensure compliance with legal requirements and to meet our operational needs, Business Smart Solutions Ltd. adheres to the following data retention periods:

    1. General Personal Data:
      • Retained for 1-2 years post the end of the relationship or transaction, unless longer retention is required for legal, audit, or compliance purposes.
    2. Payroll and Finance Data:
      • Retained for 6-7 years in line with standard financial record-keeping requirements and the policies of our cloud storage providers.
    3. Candidate and Personal Data:
      • Retained for 1-2 years post the application process for recruitment purposes, or longer if consented to for future job opportunities.
    4. Backup Data:
      • Weekly backups are saved for one month, monthly backups for one year, and yearly backups for seven consecutive fiscal years, as per our Backup and Data Protection Policy.
    5. Data for Legal Compliance:
      • Specific retention periods depend on legal requirements applicable to the type of data, with some records (like tax-related information) typically retained for at least 6-7 years.
    6. Data in Case of Disputes:
      • Retained for the duration of the dispute resolution process and an additional 1-2 years post resolution for record-keeping purposes.

    Please note that the retention periods may be subject to change based on legal and regulatory updates or organizational policy revisions.

  4. Information Security Measures

    We employ comprehensive information security measures to protect personal data against unauthorized access, alteration, and destruction. This includes robust encryption, access controls, and regular security assessments in line with ISO 27001 standards.

  5. Data Handling

    Access to personal data is strictly controlled and limited to authorized personnel only. We implement stringent access control measures to ensure that personal data is handled and processed only by individuals who have undergone proper training and clearance.

  6. Feedback

    We value customer feedback and consider it essential for improving our data protection practices. Your suggestions help us better safeguard your personal data and enhance the overall quality of our services.

4: Rights of the data subject

When your personal data is processed, you are a data subject within the meaning of the GDPR and have the following rights:

  1. Right of access (Art. 15 GDPR)

    You may request the data controller to confirm whether your personal data is processed by them.

    If such processing occurs, you can request the following information from the data controller:

  2. Right to rectification (Art. 16 GDPR)

    You have a right to rectification and/or modification of the data, if your processed personal data is incorrect or incomplete. The data controller must correct the data without delay.

  3. Right to the restriction of processing (Art. 18 GDPR)

    You may request the restriction of the processing of your personal data under the following conditions:

  4. Right to erasure ("Right to be forgotten") (Art. 17 GDPR)

    If you request from the data controller to delete your personal data without undue delay, they are required to do so immediately if one of the following applies:

    The right to deletion does not exist if the processing is necessary

  5. Right to data portability

    You have the right to receive your personal data given to the data controller in a structured and machine-readable format. In addition, you have the right to transfer this data to another person without hindrance by the data controller who was initially given the data, if:

  6. Right to object

    For reasons that arise from your particular situation, you have, at any time, the right to object to the processing of your personal data pursuant to Art. 6 (1) (1) (e) or 6 (1) (1) (f) GDPR; this also applies to profiling based on these provisions.

    If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data in regard to such advertising; this also applies to profiling associated with direct marketing.

  7. Right to complain to a supervisory authority

    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR. A list of the locally competent supervisory authorities in Germany can be found on the website of the Federal Commissioner for Data Protection at the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

    You have the right to lodge a complaint about the processing of your personal data with a data protection supervisory authority. Austrian Data Protection Authority Barichgasse 40-42 1030 Vienna Phone: +43 1 52 152-0 E-mail: dsb@dsb.gv.at

  8. Data Breach Notification

    In the unlikely event of a data breach, we are committed to promptly notifying affected individuals and relevant authorities in accordance with GDPR requirements. Our incident response plan outlines the steps we take to address and mitigate any breach, ensuring the ongoing protection of personal data.

5: Newsletter

  1. Description and scope of data processing

    You can subscribe to a newsletter on our website free of charge. When subscribing for the newsletter, the data from the input mask is transmitted to us.

    No data will be passed on to third parties in connection with data processing for the dispatch of newsletters. The data will be used exclusively for sending the newsletter.

  2. Purpose of data processing

    The user's email address is collected to deliver the newsletter to the recipient.

    Additional personal data as part of the registration process is collected to prevent misuse of the services or email address.

  3. Legal basis for data processing

    The legal basis for the processing of data provided by the user after registration for the newsletter is Art. 6 (1) (1) (a) GDPR if the user has given his consent.

  4. Duration of storage

    The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. The user's email address will therefore be stored as long as the newsletter subscription is active.

    The other personal data collected during the registration process is generally deleted after a period of seven days.

  5. Objection

    The subscription for the newsletter can be cancelled by the data subject at any time. For this purpose, every newsletter contains an opt-out link.

    Through this, it is also possible to withdraw the consent to the storage of personal data collected during the registration process.

6: Contact via Email

  1. Description and scope of data processing

    You can contact us via the email address provided on our website. In this case the personal data of the user transmitted with the email will be stored.

    The data will be used exclusively for the processing of the conversation.