Data Protection Statement

PRIVACY BY DESIGN

THE ROCKET GROUP

The Rocket Group, ICO registration number ZB285816, takes its responsibilities as a Data Controller seriously. The Managing Director is accountable for data protection processes for the business and has established policies, procedures and security principles in accordance with the Data Protection Act 2018.

As Data Controller, the Rocket Group has produced a Data Protection Policy for all staff, sub contractors and clients. The Policy establishes the processes for processing personal data; the security principles for safe storage and use; retention of data and the fair processing of personal data.

When fulfilling contracts The Rocket Group will process personal data for clients, their customers or agents under the legal basis of “Contract” as outlined in Article 6 of the General data Protection Regulations.

If clients or their agents request The Rocket Group to identify individuals to be contacted on behalf of the client or its agents (for instance, in the pursuit of a tailored marketing campaign to named individuals), the Rocket Group will seek “Consent” as the legal basis for processing those individuals personal data when sharing with the client or their agents.

A data protection privacy impact assessment will be conducted by The Rocket Group upon commencement of all contracts to confirm this legal basis or to identify any other legal basis relevant to pursuit of the contract. The impact assessment will identify any risks and mitigations for the processing of personal information, and a copy will be made available to the client on request.

In addition to the Data Protection Policy, a Privacy Policy has been developed and is available on the Rocket Group website and all Rocket Group employee email signatures. The Privacy Policy informs users of the website and recipients of our emails their rights in respect of data collected by the Rocket Group and their rights relating to our processing of their personal data.

Where it is agreed that the client and The Rocket Group were to be classified as Joint Controllers, the Rocket Group would recommend the inclusion of a Data Sharing Agreement to establish the roles and responsibilities for the parties. The Rocket Group would be happy to base any agreement on our Agreement Template.

ROCKET DATA PROTECTION POLICY

Objecting to how we may use personal information – Individuals have the right at any time to require us to stop Purpose

This policy sets out how The Rocket Group (company number SC201232) uses and protects personal information.

The Rocket Group is the Data Controller for personal data about individual, corporate and community stakeholders, service users, event attendees, grant applicants, staff and newsletter subscribers. For the purpose of this document we will use the group term ‘associates’ to describe any one of these groups.

The Law

In May 2018, the General Data Protection Regulation came into force for all EU Member States, replacing the existing data protection law. In the UK, the Data Protection Act 2018 replaced previous legislation and enshrines the GDPR within the UK legal framework. The principles of the Regulation governing individual’s privacy are outlined in Article 5, that personal data shall be:

“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Data processing

Data processing is any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.

Personal data

Personal data is any information identifying a data subject (a living person to whom the data relates). It includes information relating to a data subject that can be identified (directly or indirectly) from that data alone or in combination with other identifiers. The Rocket Group possesses or can reasonably access. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Sensitive Personal Data

Sensitive personal data is a special category of information which relates to a data subject’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. It also includes personal data relating to criminal offences and convictions.

This data protection policy ensures The Rocket Group:

• Complies with data protection law and follows good practice;

• Protects the rights of staff, customers and partners;

• Is open about how it stores and processes individuals’ data;

• Protects itself from the risks of a data breach;

Privacy notices

The Company will provide staff members with a privacy notice setting out the information the Company holds about staff members, the purpose for which this data is held and the lawful basis on which it is held. The Company may process personal information without staff members’ knowledge or consent, in compliance with this policy, where this is required or permitted by law.

If the purpose for processing any piece of data about staff members should change, the company will update privacy notices with the new purpose and the lawful basis for processing the data and will notify staff members of changes.

People, risks and responsibilities

This policy applies to:

• The management and staff of The Rocket Group

• All contractors, suppliers and other people working on behalf of The Rocket Group.

ROCKET GROUP PRIVACY POLICY

This policy sets out how The Rocket Group (company number SC246690) uses and protects your personal information, including data from your use of our website.

KEY DEFINITIONS

Data processing

Personal data

Personal data is any information identifying a data subject (a living person to whom the data relates). It includes information relating to a data subject that can be identified (directly or indirectly) from that data alone or in combination with other identifiers The Rocket Group possesses or can reasonably access. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

How we process your personal information

We do not trade personal data for commercial purposes and will only disclose it if required by law, if it is necessary to arrange a service you have asked us for, or if it is with your consent. The Rocket Group uses providers (processors) based in the European Economic Area to process associate data, except where specified.

Information you give to us.

This is information about you that you give us by filling in forms on our site or by corresponding with us by phone, email or otherwise. It includes information you provide when you:

• Use our site

• Purchase or Subscribe to any services offered by us

• Register to receive downloadable information, newsletters or other information

• Send us a request to contact you or when you report a problem with our site(s).

The information you give us may include your name, position, and employer details, address & post code, email address and phone number.

We will use this information:

• to send you the information you have requested;

• to inform our marketing and sales activities, including market mapping, client and prospect mapping and analysis;

• to provide you with news and information which we think may be of interest to you and with information about our products and services. If you no longer wish us to use your data in this way, please let us know by clicking the unsubscribe button on our e-mail communications;

• to ensure that content from our site is presented in the most effective manner for you and for your computer.

Information we collect about you.

With regard to each of your visits to our site we will automatically collect the following information:

• Technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;

• information about your visit, including items you viewed or searched for, page response times, length of visits to certain pages.

We will use this information:

• to administer our site so that it works well when you visit and we may also ask you for your opinion to help us do that, and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

• to improve our site to ensure that content is presented in the most effective manner for you and for your computer;

• to allow you to participate in interactive features of our services, when you choose to do so; and

• as part of our efforts to keep our site secure.

Information we receive from other sources.

This is the information we receive about you:

• If you are a client of a contracted customer of ours and The Rocket Group is providing you a service.

• From our third party service providers (including, for example, sub-contractors in technical and delivery services, analytics providers, search information providers).

Legal basis for processing your information

We process your personal information lawfully and fairly in accordance with data protection laws. We may process your personal information where:

• It is necessary for performing our functions and activities generally;

• Providing services to you;

• You have consented to our processing of your personal information;

• We have a legal obligation to do so; or

• We have a legitimate interest to do so, for example on a business sale or for fraud prevention purposes.

Sharing your information

We may disclose your personal information to third parties, including:

• Analytics and search engine providers, that assist us in the improvement and optimisation of our site;

• Our professional advisers and services providers;

• If The Rocket Group or substantially all of its assets are acquired by a third party, in which case personal data held by us about you will be one of the transferred assets; and/or

• If we are under a duty to disclose or share your personal information in order to comply with any legal obligation or in order to enforce or apply our website Terms & Conditions. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

With our clients with whom we work collaboratively to bring you services and information you have requested – in all circumstances this will be made clear at the time of collecting your data.

The Rocket Group are not subject to the requirements of the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004, however our clients may be and may require us, in respect of legislation, to disclose information.

Where we store your personal data

All information you provide to us is stored in our databases on a secure server located within the EEA (European Economic Area). These are cloud services hosted for us by Microsoft.

Your data may be processed by staff operating outside European Economic Area (EEA) who work for us or for one of our suppliers. This includes staff engaged in, among other things, providing the information you have requested, marketing activities and the provision of support services. We will only transfer your data outside of the EEA provided appropriate or suitable safeguards are in place to protect your data, these being either Standard Contractual Clauses or, in the case of transfers to the US, a Privacy Shield certification. Please contact us if you would like a copy of the appropriate safeguards. By submitting your personal data, you agree to this transfer.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Retention of your personal data

We will only keep your personal data within the time-frames allowed by law and for so long as is necessary to comply with our legal obligations.

Your rights under the GDPR

Access to personal information - Individuals who are the subject of personal data held by The Rocket Group are entitled to:

• Ask what information the company holds about them and why

• Ask how to gain access to it

• Be informed how to keep it up to date

• Be informed how the company is meeting its data protection obligations

If an individual contacts the company requesting this information, this is called a subject access request or SAR. To assist us in dealing with your request to access your information, please download and complete this form and submit it by email to: info@therocketgroup.co.uk

We will respond to Subject Access Requests within one month as is the requirement under GDPR. We will always verify the identity of anyone making a subject access request before handing over any information.

Correcting personal information – Individuals may ask us to correct any personal information about them that is inaccurate, incomplete or out of date.

Deletion of personal information – Individuals have the right to ask us to delete personal information about them where:

• They consider that we no longer require the information for the purposes for which it was obtained

• We are using that information with their consent and that consent has been withdrawn – see Withdrawing consent to using your information below

• They have validly objected to our use of their personal information – see Objecting to how we may use personal information below

• Our use of your personal information is contrary to law or our other legal obligations.

Your rights under the GDPR

Objecting to how we may use personal information – Individuals have the right at any time to require us to stop using their personal information for direct marketing purposes. In addition, where we use personal information of an individual to perform tasks carried out in the public interest then, if the individual asks us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.

Restricting how we may use personal information – in some cases, individuals may ask us to restrict how we use their personal information. This right might apply, for example, where we are checking the accuracy of personal information that we hold or assessing the validity of any objection made by an individual to our use of their information. The right might also apply where there is no longer a basis for using an individual’s personal information but they don’t want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with the individual’s consent, for legal claims or where there are other public interest grounds to do so.

Automated processing – if we use personal information on an automated basis to make decisions which significantly affect an individual, that individual has the right to ask that the decision be reviewed by an individual within our organisation to whom representations may be made concerning the decision or to contest it. This right only applies where we use information with the individual’s consent or as part of a contractual relationship with the individual.

Withdrawing consent to using personal information – Where we use personal information with individual consent the individual may withdraw that consent at any time and we will stop using that personal information for the purpose(s) for which consent was given.

For queries as to whether the GDPR applies to the processing of your personal information or, if the GDPR does apply, and you wish to exercise any of these rights then please contact us - see Contact information and further advice below.

Changes to our privacy statement

We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained from the Data Protection Lead at the address below or requested via email: info@therocketgroup.co.uk

This policy was updated in February 2019 to show that we are adhering to the new General Data Protection Regulation (GDPR), which came into force in May 2018. This Policy is FPN 001

Contact. And the Data Protection Act 2018 which came into force in May 2018.

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to The Data Protection Lead Officer, The Rocket Group, 34 Halley Drive, New Albion Estate, Glasgow, G13 4DJ or via email to: info@therocketgroup.co.uk for any data protection queries.

Complaints

We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the ICO (Information Commissioner’s Office) who are the regulators of data protection laws in the UK. They can be contacted via their website here or by post:

The Information Commissioner’s Office - Scotland 45 Melville Street

Edinburgh

EH3 7HL

Telephone: 0303 123 1115 Email: scotland@ico.org.uk

Data protection risks

This policy helps to protect The Rocket Group from some very real data security risks, including:

Breaches of confidentiality. For instance, information being given out inappropriately.

Failing to offer choice and transparency. For instance, all individuals should be free to choose how the company uses data relating to them.

Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Responsibilities

Everyone who works for or with The Rocket Group has responsibility for ensuring data is collected, stored and handled appropriately.

All staff that handle personal data must ensure that it is handled and processed in line with this policy and data protection principles. However, key responsibility belongs to:

The Managing Director, John Stirling, who is accountable for ensuring that The Rocket Group meets its legal obligations.

General staff guidelines

The only people able to access data covered by this policy should be those who need it for their work.

Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.

The Rocket Group will provide training to all employees including staff employed under contract to help them understand their responsibilities when handling data.

Employees should keep all data secure, by taking sensible precautions and following the guidelines below.

In particular, strong passwords must be used and they should never be shared.

Personal data should not be disclosed to unauthorised people, either within the company or externally.

Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.

Employees should request help from their line manager or the Managing Director if they are unsure about any aspect of data protection.

Data storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the Managing Director.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason: When not required, the paper or files should be kept in a locked drawer or filing cabinet.

Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.

Data printouts should be disposed of securely when no longer required using the supplied Shred-It bins.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

Data should be protected by strong passwords that are changed regularly and never shared between employees.

If data is stored on removable media (like a memory stick), these should be encrypted and kept locked away securely when not being used.

Data should only be stored on designated drives and servers.

Servers containing personal data should be sited in a secure location, away from general office space.

Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.

Data must never be saved directly to laptops or other mobile devices like tablets or smart phones.

All servers and computers containing data should be protected by approved security software and a firewall.