1. Purpose of this Privacy Notice
ECLIPSE ADMIN SERVICES LIMITED is committed to protecting the privacy and security of your personal information.
This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR).
It applies to all clients of ECLIPSE ADMIN SERVICES LIMITED
The Company is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to current and former clients and we may update this notice at any time.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
2. Data Protection Principles
We will comply with data protection law. This says that the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
3. Relevant to the purposes we have told you about and limited only to those purposes
4. Accurate and kept up to date
5. Kept only as long as necessary for the purposes we have told you about
6. Kept securely
3. The information we hold about you
Personal data can be any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are "special categories" of more sensitive personal data which require a higher level of protection, but at present, we do not collect, store or process any of this data.
We may collect, store and use the following categories of personal information about you:
• Personal contact details such as name, title, addresses, telephone numbers, and email addresses
• Date of birth
• Marital status and any dependants
• Next of kin and emergency contact information
• National Insurance number
• Bank account details
• Unique Taxpayer Reference (UTR)
• Personal financial information required to fulfil our contractual obligations with you
• Documentary evidence to fulfil Anti-Money Laundering legislation
4. How we Collect your Personal Information
We collect personal information at various stages of a business relationship, but either directly from you the individual or via a previous service provider.
Generally, information would be collected soon after signing a contract to provide services, then at certain intervals such as after a tax year end or after a specific event that would change the personal data.
We would contact a previous service provider soon after signing a new contract to provide services and rarely later in the business relationship. Personal data would thereafter be collected directly and would be specifically required to fulfil our obligations under the contract.
5. How we will use Information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
1. Where we need to perform the contract we have entered into with you
2. Where we need to comply with a legal obligation
3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
6. The situations in which we will use your personal information
We need all the categories of information in the list above (see ‘The information we hold about you’) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations.
The situations in which we will process your personal information are:
• To enable services detailed in the contract with you to be delivered
• Administering the contract we have entered into with you
• Contacting and liaising with your previous service provider
• Business management and planning, including accounting and auditing
• Liaising with selected third parties on your behalf – e.g. HMRC
• Making arrangements for the termination of our working relationship
7. If you fail to provide personal information when requested by us
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.
Due to the nature of our services, failure to provide us with personal information when requested could result in financial penalties, such as a fine from for which you would be personally liable.
8. Change of Purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
9. How we use particularly sensitive personal information
"Special categories" of particularly sensitive personal information require higher levels of protection. The following is classified as special category data:
• ethnic origin;
• trade union membership;
• biometrics (where used for ID purposes);
• sex life; or
• sexual orientation.
We currently do not collect or store this type of data as it is not required for the type of services currently provided. We need to have further justification for collecting, storing and using this type of personal information.
We may process special categories of personal information in the following circumstances:
1. In limited circumstances, with your explicit written consent
2. Where we need to carry out our legal obligations and in line with our Data Protection policy
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public. We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.
10. Do we need your consent?
Consent is not required when we need to process a person’s personal data to comply with contractual obligations. As processing is necessary for a contract with an individual, then processing is lawful on this basis and we do not need to get separate written consent. Please also refer to the following section on the lawful basis.
11. The Lawful Basis for Processing Data
There are six lawful bases under GDPR:
1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
4. Vital interests: the processing is necessary to protect someone’s life
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests
All processing activities within ECLIPSE ADMIN SERVICES LIMITED are covered by the second lawful basis of CONTRACT.
12. Sharing Your Data with Third Parties
We may have to share your data with third parties, including third-party service providers. Generally, ECLIPSE ADMIN SERVICES LIMITED will only share your data with a third party where it is necessary to fulfil our contractual obligations with you. We may also share your personal data with a regulator, where required by law or where we have a legitimate interest in doing so.
We require third parties to respect the security of your data and to treat it in accordance with the law. All third parties that we deal with are required to take appropriate steps to protect your personal data. Third parties are only permitted to process data for the specified purpose and are not allowed to use data provided to them for any other purpose.
13. Security of Personal Data
ECLIPSE ADMIN SERVICES LIMITED takes the security of all data seriously and we have put in place specific security measures to ensure personal information is kept secure. All information systems in use have appropriate security measures in place and access is limited to only those that require it. ECLIPSE ADMIN SERVICES LIMITED uses encryption and the use of secure data transfer systems to transmit any data outside of the company. Third party systems are all required to be GDPR compliant, which includes the requirement to ensure all data is secure. ECLIPSE ADMIN SERVICES LIMITED has reviewed all third party systems and all current third party relationships and the associated systems are GDPR compliant. Any future system changes or new systems would be fully reviewed prior to use to ensure security of data and GDPR compliance.
Appropriate security measures are in place to ensure your personal data is not accessed in an unauthorised manner, lost, stolen or accidentally disclosed to an unauthorised third party.
In the event of a suspected data security breach, there are processes in place to notify you and the Information Commissioner’s Office of the event.
14. Retention of Data
ECLIPSE ADMIN SERVICES LIMITED’s data retention policy is driven by accounting and legal requirements which stipulate statutory periods for retaining data. ECLIPSE ADMIN SERVICES LIMITED will only retain your personal data for as long as necessary to comply with statutory retention periods, but this is generally up to seven years in most cases.
15. Your Rights with regard to the Personal Data we hold
As laid out within the GDPR, individuals have various rights as follows:
The Right to be Informed
Individuals have the right to be informed whenever we collect or process their data. ECLIPSE ADMIN SERVICES LIMITED are obligated to provide fair and transparent processing information and this is provided through Privacy Notices included within the Letter of Engagement and also available on ECLIPSE ADMIN SERVICES LIMITED’s website. Any substantial changes would result in a revised Privacy Notice and this would be communicated to you as and when updates occur.
The Right of Access
Individuals have the right to access their personal data and any supplementary information. Individuals have the right to obtain:
• Confirmation that their data is being processed
• Access to their personal data
• Any supplementary information
The right of access also allows individuals to be aware of and verify the lawfulness basis for processing their data.
You are able to exercise this right through a Subject Access Request. Once ECLIPSE ADMIN SERVICES LIMITED receive a Subject Access Request, we will provide a response without delay and at the latest, within one month of receipt for less complex cases. In complex cases which require more time to comply, a response will be sent informing you of the extension to this standard period and explaining why an extension is necessary. For complex cases, response times can be extended up to a further two months over the original one month response time.
Subject Access Requests will most often be provided free of charge. However, a reasonable fee can be charged for excessive or repetitive requests, for example, further copies of the same information.
ECLIPSE ADMIN SERVICES LIMITED operates a secure document portal and we will endeavour to use this portal to respond to Subject Access Requests. Using this portal ensures that the data provided remains secure.
The Right to Rectification
Individuals have the right to have personal data corrected if it is inaccurate or incomplete.
If you believe the personal data we hold is inaccurate or incomplete, please inform us and we will work with you to correct this. Once the data has been corrected, we will send you a formal confirmation of this within one month of your original notification to us.
The Right to Erasure (also known as The Right to be Forgotten)
Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If you believe this to be the case, please inform us and within 30 days we will send you a formal response.
The Right to Restrict Processing
Individuals have the right to ‘block’ or suppress the processing of personal data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. When you inform us of an issue where we would restrict processing, we will send you a formal response once the issue has been rectified and once the restriction has been lifted.
The Right of Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Jordan Moody – Data Protection Lead.
16. Data Protection Lead
We have appointed a Data Protection Lead (DPL) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPL. Jordan Moody is the DPL for ECLIPSE ADMIN SERVICES LIMITED and is the person who you should direct all data queries to in the first instance, including issues related to any of your rights detailed in section 15 above.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:
In writing: Customer Contact
Information Commissioner's Office
By phone: 0303 123 1113
Or via the ‘Report a Concern’ section of their website – www.ico.org.uk
ECLIPSE ADMIN SERVICES LIMITED are registered with the ICO as a controller and processor of personal information.
Our Data Protection Registration Number is: ZA246311
17. Updates to this Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a revised privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information, including the use of our secure data transfer portal to collect and/or confirm your personal data.