Data Protection Policy - Zigger Limited

Privacy Notice

This is the data protection notice of Zigger Limited. In this document, “we”, “the company”, “our”, “Zigger” or “us” refer to Zigger Limited and ziggerwebdesign.co.uk. We are company number 10018513, registered in England. Our registered office is at 33 Imber Cross, Thames Ditton, Surrey KT7 0LG.

Introduction

In order to deliver our services, Zigger gathers and uses information about individuals and companies. No personal data is collected for purposes other than the delivery of these services. For example, where we provide services such as a website or email address, we may provide passwords and login details; this information is not used for purposes such as marketing, etc.
These individuals include customers, suppliers, business contacts, employees and other people with whom we have a relationship.

Purpose

The Principles

The Data Protection Act 1998 sets out rules for processing personal information relating to living individuals. It applies to some paper records as well as those held in electronic form. The Act gives individuals certain rights. It also imposes obligations on those who record and use personal information to be open about how that information is used and requires them to follow the eight data protection principles.

Personal data must be processed following these principles so that data is:

The Act provides individuals with rights in connection with personal data held about them. It provides individuals with the right to access data concerning themselves (subject to the rights of third parties). It also includes the right to seek compensation through the courts for damages and distress suffered by reason of inaccuracy or the unauthorised destruction or wrongful disclosure of data. Requests for information access should be made to hi@zigger.co.uk. This information is provided without charge.
Zigger complies with all the principles of this Act.

GDPR

The EU Parliament approved the GDPR (General Data Protection Regulation), which comes into force in May 2018. Its purpose, as described by the governing body (www.eugdpr.org), is:
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy.”

Considered issues

We have reviewed the following areas to identify where a real need to collect data exists and how we handle the resulting data.

What personal information is being collected?
- General Enquiries. We collect names, phone numbers and email addresses.
- Hosted Websites. We store data relating to the customer’s website – images, text and code. Also access to back-end data concerning website visitors and search engine access.
- Email. We store the login details – email address and initial password.
- Domains. We store the login details required to access the domain.

Who is collecting it?
It is collected by a single officer of the company.

How is it collected?
- General Enquiries. This is provided by a customer or website enquiry.
- Hosted Websites. It is created when we publish the website to the hoster.
- Email. It is created when we create the email address.
- Domains. It is created when we buy the domain.
Secondary data is accumulated over time through other communication systems such as email, mobiles and letters.

Why is it being collected?
The personal information has been minimised to a point where we have enough to complete the required tasks and no more.

How will it be used?
The data is stored in a number of systems outlined below and used as part of our responsibility to ensure the efficient running of the services we provide.

Who will it be shared with?
The information is not shared with anyone outside Zigger, but it is held on a number of GDPR-compliant applications outside the company and, in some cases, outside the EEA.

Fairness

It is important that we have a fair and transparent privacy notice. It is based on:

Risks and Security

A single member of staff is designated as a ‘Data Handler’ and has the responsibility for ensuring data is collected, stored and handled appropriately. This is essentially controlled through system access.
We have taken appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Staff and other individuals should be aware that guidelines and regulations relating to the security of manual filing systems and the preservation of secure passwords for access to relevant data held on computer should be strictly observed.

Responsibilities

Zigger is a small company so the ‘Data Controller’ and ‘Data Handler’ are the same person. He is responsible for:

Staff Guidelines

The only people able to access data covered by this policy should be those who need it for their work.

Systems Zigger Uses to Store Data

Systems outside Zigger that store personal information are classed as Data Processors while Zigger are Data Controllers. These are the systems we use to store data:

Google Drive – customer’s website files.
“We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR). Keeping users’ information safe and secure is among our highest priorities at Google. Over the years, we have spent a lot of time working closely with Data Protection Authorities in Europe, and we have already implemented strong privacy protections that reflect their guidance. We are committed to complying with the new legislation and will collaborate with partners throughout this process.”
Link: https://privacy.google.com/businesses/compliance/#?modal_active=none

Pipedrive – domain, email, physical address, phone, passwords, prices
“As a company with roots in Europe, Pipedrive is very much up to speed with the implications that the EU General Data Protection Regulation has for businesses.
We appreciate the privacy needs of Pipedrive users as well as their customers and, as such, have implemented — and will continue to improve — technical and organizational measures in line with the GDPR to safeguard the personal data processed by Pipedrive.”
Link: https://support.pipedrive.com/hc/en-us/articles/360000335129-Pipedrive-and-GDPR

Zapier – used to transfer the data above
“We are making progress on all product changes and compliance efforts and expect to be fully compliant by the 25th of May. Our vendor and internal data audit is complete. Our advanced export and deletion work is coming along quickly, and you can already export your task history and delete your account today. We've gotten updated drafts of new Terms of Service as well as new DPAs from attorneys and expect this to wrap up and be available and shared shortly.”
Link: https://zapier.com/help/gdpr

LastPass – email passwords, login details to hosters and other applications
“At LogMeIn, our ongoing compliance review and actions build on our existing investments in privacy, security, and operational processes necessary to meet the requirements of GDPR and other applicable regulations. LogMeIn (including LastPass) participates in the EU Privacy Shield framework and is already compliant with all current EU data protection rules. By May 25th 2018, the company will be GDPR compliant as well.”
Link: https://logmeincdn.blob.core.windows.net/lporcamedia/document-library/lastpass/pdf/en/Overview-LastPass-GDPR.pdf

Code42 – cloud backup of all data
“Code42 users have substantial amounts of business-critical data on their devices, often including personal data. Code42 will comply with its requirements under GDPR. In addition, Code42's product features can help your organization comply with its own compliance obligations under GDPR.”
Link: https://support.code42.com/Terms_and_conditions/Compliance_resources/Code42_and_GDPR_compliance

If you have any questions regarding the data we hold on you, please contact us at hi@zigger.co.uk and we will be happy to help.