About this policy
Sulis Public Affairs Ltd (“Sulis Public Affairs Ltd”, “we”, “us”, or “our”) is committed to protecting and respecting the personal data that we hold in accordance with UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 (Act). This policy provides guidance on how and why we process and store personal data and explains your rights to access the information we hold about you.
The Sulis Public Affairs Ltd registered office is 2nd and 3rd Floors, Northgate House, Upper Borough Walls, Bath, BA1 1RG and we are registered with the Information Commissioner's Office (registration number ZA792163).
Sulis Public Affairs Ltd will process all data in accordance with the principles of UK-GDPR and the Act.
Personal data must:
• be processed fairly, lawfully and in a transparent manner;
• be obtained only for specified, explicit and lawful purposes and shall not be processed in any manner incompatible with those purposes;
• be adequate, relevant and limited to what is necessary to fulfil those purposes;
• be accurate and kept up to date;
• not be kept for longer than is necessary to fulfil those purposes;
• be processed in accordance with the rights of individuals under UK-GDPR and the Act;
• be kept safe from unauthorised access, accidental loss or destruction; and
• not be transferred to a third country, unless that country has adequate levels of protection for personal data.
Personal data we hold and why
The personal data we process is dependent on specific client and project requirements, and the business services we provide and receive.
Client personal data
Client data is collected for professional services, and is used for purposes such as client management, administration and regulatory purposes where appropriate. Client data may include individual names, business address, email, phone number, records of correspondence.
Project related personal data
Personal data gathered for project-related purposes may include name, address, email, phone number; records of correspondence via phone, email, post; and any other relevant information regarding stakeholders and members of the public. This information may be obtained from (but is not limited to) direct contact, internet searches, Royal Mail data, the electoral roll, public events, feedback forms, email, website, phone conversations, door to door visits or other public records, or from clients and their authorised agents in fulfilling the needs and purpose of the project.
Project-related data is used for (but not limited to) activities including stakeholder and community auditing, stakeholder mapping, public consultation/engagement, signing-up to receive project updates, recording attendance at public engagement events, processing of consultation feedback.
In the majority of cases, the legal basis for processing project related personal data will be a 'legitimate interest', in that it will be necessary and proportionate to meet the aims of the project. However, in some instances the legal basis will be 'consent', where data subjects will be asked to actively opt in to the processing of their personal data.
Supplier and sub-contractor data
We may hold supplier and subcontractor data for the management of business relationships, the contracting of services, and the provision of services to clients. Personal data may include contact names, contact details, identity documents and details, insurance details and relevant policies and procedures. We share data with suppliers and sub-contractors (for example, sub-contractors providing payment and delivery services, sub-contractors providing digital engagement services etc).
We hold personal data from our contacts, including potential and former clients, in our financial software and secure server files. This information may include name, contact details, details of correspondence and other communication.
Personal data held on business contacts is used for purposes such as promoting our services, facilitating events, relationship management, administration.
Personal information is deleted where it is out of date and where contacts request that we no longer send them updates.
Our website and social media
Personal data may be collected when individuals fill in forms on our websites or correspond with us by phone, email, social media or otherwise.
The personal data we hold depends on what data was entered and for what purpose.
Where data was entered to engage with functionality of our websites, that personal data may include an individual’s name, email address, organisation and phone number.
• Cookie: _ga. Type: Analytics. Duration: 2 years. Description: The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
• Cookie: _gid. Type: Analytics. Duration: 1 day. Description: Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
• Cookie: _gat. Type: Performance. Duration: 1 minute. Description: This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
Location of processing
Where possible, personal data is securely stored within the UK. If we ever need to transfer personal data outside of the United Kingdom, we will follow the relevant rules that govern that geographical location.
We take the security of all the data we hold seriously. Sulis Public Affairs Ltd takes reasonable precautions at all times to guard data against any unauthorised access and use. Appropriate technical and organisational measures are taken to prevent the unauthorised or unlawful processing and accidental loss or damage of personal data.
We retain the personal data processed by us in a live environment for as long as is considered necessary for the purpose(s) for which it was collected (including as required by applicable law or regulation, typically six years).
In addition, personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it.
We will only share personal data with others when we are legally permitted to do so.
Personal data held by us may be transferred to:
• Clients and their authorised agents to fulfil their legitimate interests and legal obligations;
• Third party organisations that provide applications/functionality, data processing or IT services to us;
• Third parties that support us in providing our services. For example, service providers of information technology, cloud-based software, website hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world;
• Third party organisations that otherwise assist us in providing goods, services or information;
• Law enforcement or regulatory agencies or third parties as required by law or regulations.
Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
All personal data, whether in paper or electronic form, will be destroyed or deleted securely to avoid any risk of unauthorised access or use once this data is no longer in use.
Your data protection rights
Under data protection law, you have rights including:
• Your right of access - You have the right to ask us for copies of your personal information.
• Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
• Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
• Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
• You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at firstname.lastname@example.org if you wish to make a request to exercise these rights.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at email@example.com or by post at Sulis Public Affairs Ltd, 2nd and 3rd Floors, Northgate House, Upper Borough Walls, Bath, BA1 1RG.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk