1 Company Contact Details
Our company contact details are as follows:
AST Authors Limited
Registered and business address:
Letchworth Garden City
Telephone: 01462 481144
2 What is General Data Protection Regulation (GDPR)?
The intention of GDPR is to strengthen data protection for individuals within the European Union and will become enforceable from 25 May 2018.
Accountability: AST are committed to the principles of the GDPR. Our data protection policy and Privacy notice is regularly reviewed and updated and our staff are periodically trained on data protection and security throughout the year.
Transparency, Fairness and Lawfulness: We process data with data subjects’ interests in mind and ensure that we approach processing activities with transparency to maintain fairness in what we do. This way we can be sure that we are processing data lawfully. We have a robust process in place to allow us to deal efficient with any access requests we may receive.
Data Integrity and Confidentiality: We hold data on secure systems with 256-bit AES security. Information security and integrity is key to our smooth operation.
Data Minimisation and Data Storage: We will not keep data for longer than is necessary and only keep data if there is a lawful basis which allows fair retention. When we do need to remove data from our possession, we do so by using industry approved standards so the disposal or anonymisation is thoroughly compliant.
Data Accuracy: Keeping data accurate is very important to us and we train our staff to ensure they are maintaining data to a high quality and with all the facts available.
Purpose Limitation: We use the data we attain for a specific purpose. This means that data is not processed for any alternative reasons other than what the data was originally collected for.
For detailed information refer to the following website: https://ico.org.uk/.
AST have taken steps to ensure, with all best intentions and efforts, that we comply with GDPR. This is outlined in the following sections.
3 Program to Comply with GDPR
GDPR compliance requires an ongoing program to manage and maintain. GDPR compliance is not a once off event, it is a series of actions required in order to conform with regulations, which must be reviewed on a periodic basis to ensure that maximum compliance is attained.
AST’s program for processing data will:
Only act upon written instructions of our clients (normally the data controllers)
Be subject to a duty of confidence and ensure the same of all relevant staff members
Ensure the appropriate measures are taken to ensure the security of the processing
Only engage a sub-processor on written consent of the data controller
Assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
Assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
Ensure to delete or return all personal data to the controller if requested at the end of any relevant contracts
Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state
Train our staff to comply with these regulations
AST’s Direct Responsibilities under GDPR are to:
Only act on the written instructions of the controller (Article 29)
Not use a sub-processor without the prior written authorisation of the controller (Article 28.2)
Co-operate with supervisory authorities (such as the ICO) in accordance with Article 31
Ensure the security of its processing in accordance with Article 32
Keep records of its processing activities in accordance with Article 30.2
Notify any personal data breaches to the controller in accordance with Article 33
Employ a data protection officer if required in accordance with Article 37 and
Appoint (in writing) a representative within the European Union if required in accordance with Article 27
AST’s policy for controlling data will:
Only to collect and retain information necessary to transact with our customers and prospects
Ensure that revoked consent requests are managed with 48 working hours of revocation
Ensure to enable right to access within 7 days of request, unless otherwise specified in writing
Train our staff to company with the regulation
Subject access requests
Upon receiving a written subject access request AST will:
Ensure to verify the identity of the person requesting the information
Respond in writing within 40 calendar days with the requested information
If requested, initiate the right to erasure process
The information provided to the client and the ICO will include:
What has happened
When and how we found out about the breach
The people that have been or may be affected by the breach
What we are doing as a result of the breach
4 Responsibilities for Handling Sensitive Material and Data
The following persons are responsible for handling sensitive material and data:
Russell Austin (Director)
Fraser McLaren (Director).
5 Arrangements for IT Data Security
AST use equipment such as PCs and laptops which have robust firewalls and virus scanning software. AST use equipment which are all password protected and staff are encourages never to reveal passwords. AST will:
Not over process personal data
Not keep any personal data any longer than it is necessary for the purpose for which the personal data has been processed
Not pass information to 3rd parties
Store personal data using file hosting services which adhere to the Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance
Take necessary actions to keep up-to-date information by revalidating personal data each year. AST will contact the data owner and gain consent to keep their data on our records
Correctly destroy or delete data that is out of date
Use marketing automation platforms/email marketing service providers which allow recipients to subscribe and unsubscribe to our services at any time and the option to log in and update their personal data
Note: Service providers will also be fully GDPR compliant.
Allow visitors to our website to opt in/out, via check boxes, to store their personal data in order to contact them to allow our services
Allow our sub-contractors to give consent to store their personal data in two ways; 1. to be kept on our database whilst the works they are undertaking are in progress and 2. agree to kept on our database after the works are complete to allow AST to reach out for future contracts.
6 Privacy Notice
AST takes data privacy seriously. We recognise and value the trust that individuals place in us when providing us with personal data and we are committed to safeguarding the privacy and security of personal data we may collect from visitors to our websites and/or the clients to whom we provide legal and other services. This Privacy notice aims to help readers understand our personal data collection, usage and disclosure practices by explaining:
6.1 Who we are and what we do
AST is an authoring house who write technical documentation for a range of industries. Please see “Who is the data controller of your personal data” below for more information on the entities that control and process personal data within Author Services Technical.
6.2 What personal data we collect about you
We may collect and process different types of personal data in the course of operating our business and providing our services. These include:
Basic personal details such as your name and job title
Contact data such as your telephone number and postal or email address
Financial data such as payment related information or bank account details
Demographic data such as your address, preferences or interests
Website usage and other technical data such as details of your visits to our websites or information collected through cookies and other tracking technologies
Personal data provided to us by or on behalf of our clients or generated by us in the course of providing our services, which may, where relevant, include special categories of personal data
Recruitment related data such as your curriculum vitae, your education and employment history, details of professional memberships and other information relevant to potential recruitment to us
Data that you may provide to us in course of registering for and attending meetings.
6.3 How we obtain the personal data about you
We may collect or receive your personal data in a number of different ways:
Where you provide it to us directly, for example by corresponding with us by email
By direct interactions with us such as completing the Enquiry Form on our website
Where we monitor use of, or interactions with, our websites and/or any marketing we may send to you, or other email communications sent from or received by AST
Publicly available sources – we may, for example, use such sources to help us keep the contact details we already hold for you accurate and up to date or for professional networking purposes, e.g. LinkedIn.
6.4 How we use your personal data
We will only use your personal data where we are permitted to do so by applicable law. The use of personal data must be justified under one of a number of legal grounds. The principal legal grounds that justify our use of your personal data are:
Contract performance: where your information is necessary to enter into or perform our contract with you
Legal obligation: where we need to use your information to comply with our legal obligations
Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights
Consent: where you have consented to our use of your information (you will have been presented with a consent form or facility in relation to any such use and may withdraw your consent through an unsubscribe or similar facility)
We may use your personal data in the following ways. In each case, we note the grounds that we rely on to use your personal data
To provide our services to you and to conduct our business – to administer and perform our services, including to carry out our obligations arising from any agreements entered into between you and us
To facilitate use of our website and to ensure content is relevant – to respond to requests for information or enquiries from visitors to our website and to ensure that content from our website is presented in the most effective manner for you and for your device
For marketing and business development purposes –to provide you with details of new services, updates where you have chosen to receive these. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you
For recruitment purposes –to enable us to process applications for employment submitted via our online form and to assess your suitability for any position for which you may apply at AST
To fulfil our legal, regulatory, or risk management obligations – to comply with our legal obligations for the prevention of fraud and/or other relevant background checks as may be required by applicable law and regulation and best practice at any given time (if false or inaccurate information is provided and fraud is identified or suspected, details may be passed to fraud prevention agencies and may be recorded by us or by them); to enforce our legal rights, to comply with our legal or regulatory reporting obligations and/or to protect the rights of third parties
To ensure that we are paid – to recover any payments due to us and where necessary to enforce such recovery through the engagement of debt collection agencies or taking other legal action (including the commencement and carrying out of legal and court proceedings)
Legal grounds: contract performance, legal claims, legitimate interests (to ensure that we are paid for our services)
To inform you of changes – to notify you about changes to our services or this Privacy Notice
Legal grounds: legitimate interests (to ensure we can notify you about changes to our service, this Privacy Notice etc.)
To reorganise or make changes to our business – In the event that we undergo a re-organisation (for example if we merge, combine or divest a part or all of our business) we may need to transfer some or all of your personal data to the relevant third party (or its advisors) as part of any due diligence process or transfer to that re-organised entity or third party your personal data for the same purposes as set out in this Privacy Notice or for the purpose of analysing any proposed re-organisation
Legal grounds: legitimate interests (in order to allow us to change our business).
6.5 Who we share your personal data with?
AST is an authoring house who write technical documentation for a range of industries and as such any personal data that we collect or you provide to us may be shared with and processed by any non AST entity among our global network. We may also share your personal data with a variety of the following categories of third parties:
Our professional advisors (e.g. legal, financial, business, risk management or other advisors) and auditors
Our insurers and insurance brokers
Third party service providers to whom we outsource certain functions such as information and document management, office support, word processing and translation services (we have agreements in place with these service providers to protect the confidentiality and security of information (including personal data) shared with them);
Other third-party external advisors or experts engaged in the course of the services we provide to our clients.
6.6 How long we keep your personal data
We will retain your personal data for as long as is necessary to fulfil the purpose for which this data was collected and any other permitted linked purpose. If your personal data is used for two purposes, we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires. Our retention periods are also based on our business needs and good practice.
6.7 How we protect your personal data
We recognise that information security is an integral element of data privacy. While no data transmission (including over the Internet or any website) can be guaranteed to be secure from intrusion, we implement a range of commercially reasonable physical, technical and procedural measures to help protect personal data from unauthorised access, use, disclosure, alteration or destruction in accordance with data protection law requirements. Information that you provide to us is stored on our password and firewall protected IT equipment and our service providers’ secure servers and accessed and used subject to our security policies and standards.
6.8 What rights you have in relation to your personal data
If you have any questions about our use of your personal data, you should first contact us via the details provided in section in Section 1. Under certain circumstances and in accordance with EU or other applicable data protection laws, you may have the right to request us to:
provide you with further details on the use we make of your information
provide you with a copy of information that we hold about you
update any inaccuracies in the personal data we hold
delete any personal data that we no longer have a lawful ground to use
where processing is based on consent, to withdraw your consent so that we stop that particular processing
object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and
restrict how we use your information whilst a complaint is being investigated.
You may also ask us not to process your personal data for marketing purposes. We will inform you if we intend to disclose your information to any third-party service provider for this purpose. You can exercise your right to prevent such processing at any time by using an unsubscribe facility via our website.
We are also required to take reasonable steps to ensure that your personal data remains accurate. In order to assist us with this, please let us know of any changes to the personal data that you have provided to us by contacting us using the contact details provided in Section 1.
While it is our policy to respect the rights of individuals, please be aware that your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime), our interests (e.g. the maintenance of legal privilege) and some of these rights may be limited (for example the right to withdraw consent) where we are required or permitted by law to continue processing your personal data to defend our legal rights or meet our legal and regulatory obligations.
If you contact us to exercise any of these rights, we will check your entitlement and respond in most cases within a month.
If you are not satisfied with our use of your personal data or our response to any exercise of these rights, you have the right to complain to the relevant Supervisory Authority (data protection regulator).
6.9 Who is the data controller of your personal data
The data controller of your personal data, processed by us under this Privacy Notice, will be the Responsible Officers’ name(s) nominated in section 4.
When you visit our website, we may send a cookie to your computer. This is a small data file stored by your computer to help improve functionality or tailor information to provide visitors with more relevant pages. We may also analyse website traffic to identify what visitors find most interesting so we can tailor our websites accordingly.
6.11 How we may update this Privacy notice