PRIVACY POLICY & SUBJECT ACCESS REQUEST PROCEDURE

Contents

PRIVACY POLICY

1. Who are we?
2. Changes to our privacy policy
3. How the law protects you
4. Types of Personal Information
5. Where we collect personal information from
   • Data you give to us
   • Data we collect
   • Data from third parties we work with
6. Who we share your personal information with
   • Credit Reference Agencies (Business account customers only)
   • Sending data outside of the EEA
7. Marketing
8. How long we keep your personal information
9. What if you want us to stop using your personal information?
10. Access to your information and correction
11. Cookies
12. Other websites
13. How to complain
14. How to contact us

SUBJECT ACCESS REQUEST PROCEDURE

1. Introduction
2. The General Data Protection Regulation
3. What is Personal Information?
4. The Right of Access
5. How To Make a Subject Access Request (SAR)?
6. What We Do When We Receive An Access Request
7. Fees and Timeframes
8. Your Other Rights
9. Exemptions and Refusals
10. Submission & Lodging a Complaint
11. Supervisory Authority

PRIVACY POLICY

1. Who are we?

Archant Community Media Limited is a privately owned media company serving geographical and specialist interest communities with over 140 brands and associated websites.

We have a large portfolio of UK-based regional newspapers with titles in East Anglia, London, Kent and the South West. Our collection of more than 60 news brands includes the Eastern Daily Press in Norfolk, the East Anglian Daily Times in Suffolk and the Ham & High in London.

We are the largest publisher of regional and local lifestyle magazines and associated digital media in the UK. Our portfolio of 75 magazine titles includes county, specialist interest and wedding magazines as well as client contract magazines. In recent years we have extended our activities into exhibitions, events and digital media.

Archant Community Media Limited is part of the Archant Limited Group (the “Group”). This privacy notice is to let you know how companies within the Group promise to look after your personal information. This includes what you tell us about yourself, what we learn by having you as a customer, and the choices you give us about what marketing you want us to send you. This notice explains how we do this and tells you about your privacy rights and how the law protects you.

2. Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on this web page. This privacy policy was last updated in May 2018.

3. How the law protects you

We are only allowed to use your personal data if we have a one or more of the following reasons to do so:

• To fulfil a contract we have with you, or
• When it is our legal duty, or
• When it is in our legitimate interest (which means we have a business or commercial reason to use your information. We still have to assess whether your rights when relying on this reason), or
• When you give us consent to

Here is a list of all the ways that we may use your personal information and the reason from the list above which we are relying on. If we are relying on a legitimate interest this is also detailed below:

What we use your personal information for	Our reasons	Our legitimate interests
• To manage our relationship with you or your business. • To develop new ways to meet our customers’ needs and to grow our business. • To develop and carry out marketing activities. • To study how our customers use products and services from us and other organisations. • To provide advice or guidance about our products and services.	• Your consent. • Fulfilling contracts. • Our legitimate interests. • Our legal duty.	• Keeping our records up to date, working out which of our products and services may interest you and telling you about them.  • Developing products and services, and what we charge for them. • Defining types of customers for new products or services. • Seeking your consent when we need it to contact you.
• To develop and manage our brands, products and services. • To test new products. • To manage how we work with other companies that provide services to us and our customers.	• Fulfilling contracts. • Our legitimate interests. • Our legal duty.	• Developing products and services, and what we charge for them. • Defining types of customers for new products or services. • Being efficient about how we fulfil our legal and contractual duties.
• To make and manage customer payments. • To collect and recover money that is owed to us.	• Fulfilling contracts. • Our legitimate interests. • Our legal duty.	• Being efficient about how we fulfil our legal and contractual duties. • Complying with regulations that apply to us.
• Developing products and services, and what we charge for them. • Defining types of customers for new products or services.	• Fulfilling contracts. • Our legitimate interests.	• Complying with regulations that apply to us.  • Being efficient about how we fulfil our legal and contractual duties.
• To serve you targeted advertising that we believe are more relevant to your interests.	• Our legitimate interests.	• Developing products and services, and what we charge for them. • Defining types of customers for new products or services.
• To run our business in an efficient and proper way. This includes managing our financial position, business capability, planning, communications, corporate governance, and audit.	• Our legitimate interests. • Our legal duty.	• Complying with regulations that apply to us.  • Being efficient about how we fulfil our legal and contractual duties.
• To exercise our rights set out in agreements or contracts.	• Fulfilling contracts. • Our legitimate interests.	• Complying with regulations that apply to us.  • Being efficient about how we fulfil our legal and contractual duties.
• To maintain statutory records.	• Our legal duty • Our legitimate interests.	• Complying with regulations that apply to us • Being efficient about how we fulfil our legal and contractual duties.

4. Types of Personal Information

We use many different kinds of personal information:

Type of personal information	Description
Financial	Your financial position when you open a business account with us via credit reference agencies.
Contact	Where you live and how to contact you.
Transactional	Details about payments including to and from your accounts with us.
Contractual	Details about the products or services we provide to you.
Locational	Data we get about where you are, such as may come from your mobile phone, the address where you connect a computer to the internet.
Behavioural	Details about how you use our products and services.
Technical	Details on the devices and technology you use.
Communications	What we learn about you from letters, emails and conversations between us.
Usage Data	Other data about how you use our products and services.
Consents	Any permissions, consents or preferences that you give us. This includes things like how you want us to contact you.

5. Where we collect personal information from

We may collect personal information about you (or your business) from other companies within the Archant Group. We may also receive data from third parties where you have consented for your details to be given to third parties.

Data you give to us:

• When you sign up for our products and services
• When you talk to us on the phone
• When you use our websites and mobile device apps (including when you comment on them)
• In emails and letters
• In customer surveys
• If you take part in our competitions or promotions

Data we collect:

• We also collect data when you use our services. This can include the profile you create to identify yourself when you connect to our internet, mobile and telephone services. It also includes other data about how you use those services. We gather this data from devices you use to connect to those services, such as computers and mobile phones, using cookies and other internet tracking software.

Data from third parties we work with:

• Credit reference agencies
• Social networks
• Market researchers
• Third parties you have given consent to pass your data to us

6. Who we share your personal information with

We may share your personal information with companies within the Archant Group and these organisations:

• Regulators and other authorities, including the Police 
• Credit reference agencies 
• Debt collection agencies
• Fraud prevention agencies 
• Any party linked with you or your business's product or service 
• Companies we have a joint venture or agreement to co-operate with 
• Companies you consent to share your data with. 
• Companies who we run competitions in conjunction with
• Exhibitors at events
• Event venues
• If you are a shareholder, our Registrars
• If you use direct debits, we will share your data with the Direct Debit scheme
• If purchasing items from our shops, the supplier of such item

We may need to share your personal information with other organisations to provide you with the product or service you have chosen.

We may also share your personal information if the make-up of Archant Group changes in the future:

• We may choose to sell, transfer, or merge parts of our business, or our assets. Or we may seek to acquire other businesses or merge with them. 
• During any such process, we may share your data with other parties. We'll only do this if they agree to keep your data safe and private.
• If the change to our Group happens, then other parties may use your data in the same way as set out in this notice.

Credit Reference Agencies (Business account customers only)

For business customers we carry out credit and identity checks when you apply for an account. We may use Credit Reference Agencies (CRA's) to help us with this.

We will share your personal information with CRA's and they will give us information about you. The data we exchange can include:

• Name, address and date of birth
• Credit application
• Details of any shared credit
• Financial situation and history
• Public information, from sources such as the electoral register and Companies House.

We'll use this data to:

• Assess whether you or your business is able to afford to make repayments
• Make sure what you've told us is true and correct
• Help detect and prevent financial crime
• Manage accounts with us
• Trace and recover debts

Sending data outside of the EEA

We will only send your data outside of the European Economic Area ('EEA') to:

• Follow your instructions.
• Comply with a legal duty.
• Work with our agents and advisers who we use to help run services.

If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We'll use one of these safeguards:

• Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA.
• Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.
• Transfer it to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA. If you choose not to give personal information.

We may need to collect personal information by law, or under the terms of a contract we have with you.

If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services. It could mean that we cancel a product or service you have with us.

7. Marketing

We may use your personal information to tell you about relevant products and offers. This is what we mean when we talk about 'marketing'.

The personal information we have for you is made up of what you tell us and data we collect when you use our services, or from third parties we work with where you have consented to data being passed to us

We can only use your personal information to send you marketing messages if we have either your consent or a 'legitimate interest'. That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right and best for you.

You can ask us to stop sending you marketing messages by contacting us at any or using the unsubscribe button on the marketing material

If you choose to stop receiving marketing material you may still receive certain things such as invoices from us which we need to send you for contractual or other legal purposes.

8. How long we keep your personal information

We will keep your personal information for as long as you are a customer of Archant Group or you continue to use our services.

After you stop being a customer/user, we may keep your data for up to 6 years to enable us to respond to any questions or complaints and to show that we treated you fairly.

We may keep your data for longer than 6 years if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.

9. What if you want us to stop using your personal information?

You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the 'right to object' and 'right to erasure', or the 'right to be forgotten'.

There may be legal or other official reasons why we need to keep or use your data. But please tell us if you think that we should not be using it.

You can also ask us to restrict the use of your personal information if:

• It is not accurate.
• It has been used unlawfully but you don't want us to delete it.
• It not relevant any more, but you want us to keep it for use in legal claims.
• You have already asked us to stop using your data but you are waiting for us to tell you if we are allowed to keep on using it.

If you want to object to how we use your data, or ask us to delete it or restrict how we use it or, please contact us.

If you withdraw your consent, we may not be able to provide certain products or services to you. If this is so, we will tell you.

10. Access to your information and correction

You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information please see the subject access request procedure below.

We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate using the contact details above.

11. Cookies

To find out more about how we use cookies please see our cookie policy. 

12. Other websites

Our website contains links to other websites. This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies

13. How to complain

Please let us know if you are unhappy with how we have used your personal information. You can contact us at DPO@archant.co.uk or Data Protection Officer, Prospect House, Rouen Road, Norwich, Norfolk NR1 1RE.

You also have the right to complain to the Information Commissioner's Office. Find out on their website how to report a concern.

14. How to contact us

If you wish to contact us with regard to your data, our Data Protection Officer is Tara Cross and can be contacted by:

Email:
DPO@archant.co.uk

Post:
Data Protection Officer
Prospect House
Rouen Road
Norwich
NR1 1RE

Telephone:
01603 628311

Subject Access Request Procedure

15. Introduction

This procedure document supplements the subject access request (SAR) provisions set out Archants’ (hereinafter referred to as the “Company”) Data Protection Policy & Procedures and provides the process for individuals to use when making an access request, along with the protocols followed by the Company when such a request is received.

The Company needs to collect personal information to effectively and compliantly carry out our everyday business functions and services and in some circumstances, to comply with the requirements of the law and/or regulations.

As the Company processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (GDPR) and Data Protection Bill to protect such information, and to obtain, use, process, store and destroy it, only in compliance with the GDPR and its principles.

16. The General Data Protection Regulation

The General Data Protection Regulation (GDPR) gives individuals the right to know what information is held about them, to access this information and to exercise other rights, including the rectification of inaccurate data.

17. What is Personal Information?

Information protected under the GDPR is known as “personal data” and is defined as: - “Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Further information on what constitutes personal information and your rights under the data protection regulation and laws can be found on the Information Commissioners Office (ICO).

18. The Right of Access

Under GDPR, an individual has the right to obtain from the controller, confirmation as to whether personal data concerning them is being processed. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information. Where requested, we will provide the following information: -

• the purposes of the processing
• the categories of personal data concerned
• the recipient(s) or categories of recipient(s) to whom the personal data have been or will be disclosed
• If the data has been transferred to a third country or international organisation(s) (and if applicable, the appropriate safeguards used)
• the envisaged period for which the personal data will be stored (or the criteria used to determine that period)
• where the personal data was not collected directly from the individual, any available information as to its source

19. How To Make a Subject Access Request (SAR)?

A subject access request (SAR) is a request for access to the personal information that the Company holds about you, which we are required to provide under the GDPR.

You can make this request in writing using the form at appendix one, or you can submit your access request electronically. Where a request is received by electronic means, we will provide the requested information in electronic form (unless otherwise request by you).

20. What We Do When We Receive An Access Request

Identity Verification

Subject Access Requests (SAR) are passed to the Data Protection Officer as soon as received and a record of the request is made, who will use reasonable measures to verify the identity of the individual making the access request, especially where the request is made electronically.

Where we are unable to verify your details, we may contact you for further information, or ask you to provide evidence of your identity prior to actioning any request. This is to protect your information and rights.

If a third party, relative or representative is requesting the information on your behalf, we will verify their authority to act for you and again, may contact you to confirm their identity and gain your authorisation prior to actioning the any request.

Information Gathering

If you have provided enough information in your SAR to collate the personal information held about you, we will gather all documents relating to you and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframes set out below.

Information Provision

Once we have collated all the personal information held about you, we will send this to you in writing (or in a electronic form if requested). The information will be in a concise, transparent, intelligible and easily accessible format, using clear and plain language.

21. Fees and Timeframes

Whilst we provide the information requested without a fee, further copies requested by the individual may incur a charge to cover our administrative costs.

The Company always aim to provide the requested information at the earliest convenience, but at a maximum, 30 days from the date the request is received. However, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to you within 30 days and keep you informed of the delay and provide the reasons.

22. Your other rights

Under the GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of inaccurate data, and agree that the data is incorrect, we will amend the details immediately as directed by you and make a note on the system (or record) of the change and reason(s).

We will rectify any errors within 30-days and inform you in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.

If for any reason, we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to you and inform you of your right to complain to the Information Commissioner and to seek a judicial remedy.

In certain circumstances, you may also have the right to request from the Company, the erasure of personal data or to restrict the processing of personal data where it concerns your personal information; as well as the right to object to such processing. You can use the form at appendix one make such requests.

23. Exemptions and Refusals

The GDPR contains certain exemptions from the provision of personal information. If one or more of these exemptions applies to your subject access request or where the Company does not act upon the request, we shall inform you at the earliest convenience, or at the latest, within 30 days of receipt of the request.

Where possible, we will provide you with the reasons for not acting.

24. Submission & Lodging a Complaint

To submit your SAR, you can contact us at DPO@archant.co.uk or you can submit your request in writing using the form in Appendix 1, sending the request to: -

Data Protection Officer
Archant
Prospect House
Rouen Road
Norwich
NR1 1RE
01603 628311

If you are unsatisfied with our actions or wish to make an internal complaint please use the details above.

25. Supervisory Authority

If you remain dissatisfied with our actions, you have the right to lodge a complaint with The Information Commissioner’s Office (ICO) who can be contacted at: -

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Fax: 01625 524 510
Email: enquiries@ico.org.uk

Subject Access Request Form

Under the General Data Protection Regulation, you are entitled as a data subject to obtain from the Company, confirmation as to whether we are processing personal data concerning you, as well as to request details about the purposes, categories and disclosure of such data. You can use this form to request information about, and access to any personal data we hold about you. Details on where to return the completed form can be found at the end of the document.
1. Personal Details:
Data Subject’s Name:			DOB: ______/______ /________
Home Telephone No:			Email:
Data Subject’s Address:
Any other information that may help us to locate your personal data:
2. Specific Details of the Information Requested:
3. Representatives (only complete if you are acting as the representative for a data subject) [Please Note: We may still need to contact the data subject where proof of authorisation or identity are required]
Representative’s Name:			Relationship to Data Subject:
Telephone No:			Email:
Representative’s Address:
I confirm that I am the authorised representative of the named data subject:
Representative’s Name: ______________________			Signature: ____________________
4. Confirmation
Data Subject’s Name: ________________________ [print name]
Signature: ____________________			Date:______/______ /________
5. Completed Forms
For postal requests, please return this form to: Tara Cross Data Protection Officer Archant Prospect House Rouen Road Norwich NR1 1RE For email requests, please return this form to: Tara Cross at DPO@archant.co.uk.