The purpose of this privacy statement is to explain how The Fortus Group, referred to as TFG hereafter, processes personal data to fulfil its data protection responsibilities. Specific privacy notices for clients and third parties will be provided when necessary.
The Role of TFG in data protection terms is that of a data controller where it determines the purpose and use of personal data collected. Once received it becomes the responsibility of the TFG privacy manager (PM) contactable using firstname.lastname@example.org. The PM ensures that all processing accords with the latest UK data protection legislation.
The sort of personal data collected by TFG will be basic contact details sufficient to be able to respond to general enquiries and for sales purposes.
TFG’s duty of confidentiality means that TFG staff will treat your personal data with due respect and in confidence. It is only disclosed to those that need to know it. We expect the same duty of confidentiality from all third parties with whom TFG shares personal data and where appropriate, data processing agreements are in place. TFG uses reasonable organisational and technical measures to ensure personal data is kept secure.
TFG processes personal data against a lawful basis and such instances are described below:
We will pursue our legitimate interests to respond to your general enquiries and stay in touch with you for marketing purposes
To comply with our legal obligations
When it is necessary for the performance of a contract and its prior preparation, typically when preparing for a sale and the subsequent delivery
When processing for a pre-defined purpose for which your consent will be sought prior to the processing commencing – please note that consent can be withdrawn at any time by contacting the PM
In all cases the processing of personal data by TFG shall be done in accordance with the principles of data protection.
TFG will share personal data, on a ‘need to know’ basis with some or all of the following:
An IT support company that is subject to a data processing agreement
The ‘Fortus Live’ developer that is subject to a data processing agreement
The Inland Revenue (HMRC) for invoice purposes
Accountants appointed by TFG for payment handling and related record keeping
Third-party suppliers when needed to deliver products directly to our customers
Unspecified recipients but only when compelled to do so for legal reasons
TFG will process your personal data in the UK and Ireland and all business data, including email, are backed up using a replicated systems based in the UK and Ireland. TFG uses appropriate technical and organisational measures to safeguard all personal data.
TFG follows a retention schedule to determine the length of time it holds different types of personal data. The retention schedule is shown below:
Routine correspondence for casual and contract related business in hard copy or in emails will be stored for 3 years
Contact data is stored indefinitely unless a valid request to erasure is received from the interested data subject
For former customers, we will retain your details for 7 years after the conclusion of our contractual obligations to you
Invoice related information will be retained for 6 years after the tax year in which they were created
By exception, documentation that includes personal data may be retained by TFG beyond the schedule, but only for a specific purpose and only when TFG believes it has a legitimate interest or a legal obligation to do so
At the end of the retention schedule TFG will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, it will put it beyond operational use. It should be noted that TFG allows up to 3 months after the retention schedule to complete the action.
The TFG website does not use non-essential cookies and no personal data is held on the website server. Enquiries received via the website do so in the form of an email.
The UK General Data Protection Regulation defines the rights that you have, although these do not apply in all situations. For convenience, these rights are shown below:
Right to be informed as to how TFG is processing your personal data – this is done through this statement or separate TFG privacy notices
Right to access your personal data held by us which is done by making a ‘Data Subject Access Request’ (DSAR) to the PM
Right to rectification of your personal data if you believe we have collected it incorrectly or it needs to be updated
Right to erasure of your personal data for which we no longer have a legitimate purpose to process
Right to restrict processing under certain circumstances, during which time your personal data but will be out of operational use until the related matter is resolved
Right to data portability of your personal data in a machine-readable version, but this only applies to data that has been provided with consent or under contract
Right to object to TFG processing your personal data for which it does not have a legal or contractual obligation
Rights related to automated decision making and profiling (although we do not use these techniques in its decision making)
Further details on data subjects’ rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.
Raising concerns, exercising rights or making queries about our processing of your personal data can be done by contacting the PM. Be aware that we will need to verify your identity before responding fully. This may involve asking you for documentary proof that, in context, will enable us to confirm your identity. Alternatively, you may contact the ICO directly without referring to us first, although naturally we would welcome the first opportunity to address your concerns or queries.