GDPR compliance statement for Black&Callow. Each numbered item gives the control category, the requirement/control, the GDPR reference, whether we are compliant, and how the control is met by Black&Callow as Data Controller and by Black&Callow as Data Processor.

1. Registration
Requirement/Control: Registration with relevant regulator(s)
GDPR Ref: N/A
Compliant? Yes
As Data Controller: We are registered with the ICO (Information Commissioner's Office, registration #ZA077818).
As Data Processor: For financial printing services, Black&Callow is registered with the ICO (Information Commissioner's Office, registration #ZA077818). For the iRoadshow and IPO Research Online services ("online services"), our hosting partner is based in Jersey and is registered with the Jersey Office of the Information Commissioner.

2. Data Protection Officer
Requirement/Control: Establish whether the company is required to have a DPO
GDPR Ref: Article 37
Compliant? Yes
As Data Controller and as Data Processor: We have appointed a DPO.

3. Record Keeping
Requirement/Control: Records kept of who the data protection officer is, if one is appointed, and how to contact them
GDPR Ref: Article 30
Compliant? N/A
As Data Controller and as Data Processor: Adrian Burley, IT Manager, contactable via our website.

4. Record Keeping
Requirement/Control: Records kept of the purposes of all processing undertaken
GDPR Ref: Article 30
Compliant? Yes
As Data Controller and as Data Processor: Can be determined from records in the Black&Callow system.

5. Record Keeping
Requirement/Control: Records kept of what data is held and which categories of personal data apply
GDPR Ref: Article 30
Compliant? Yes
As Data Controller: Customer and prospect data including name, address, phone number(s) and email address, alongside a history of any opportunities, orders, activities and interests. The personal data we hold is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
As Data Processor: The personal data we process is provided to us by a third party to enable us to fulfil an order. The personal data we hold for the duration of each engagement may include name, address, postcode and, in some cases, information on shareholdings so that we can personalise entitlement documents (financial printing services); and name and email address (online services). In all cases the personal data we hold is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

6. Record Keeping
Requirement/Control: Records kept of who the controller is for each kind of data
GDPR Ref: Article 30
Compliant? Yes
As Data Controller and as Data Processor: Can be determined from records in the Black&Callow system.

7. Record Keeping
Requirement/Control: Records kept of the recipients to whom any personal data has been or will be disclosed
GDPR Ref: Article 30
Compliant? Yes
As Data Controller and as Data Processor: Can be determined from records in the Black&Callow system.

8. Record Keeping
Requirement/Control: Records kept of any transfers of personal data to a third country or to an international organisation, including the name of the country or organisation and the documentation of the safeguards for the transfer
GDPR Ref: Article 30
Compliant? Yes
As Data Controller and as Data Processor: Can be determined from records in the Black&Callow system.

9. Record Keeping
Requirement/Control: Records kept of retention policies for different categories of data
GDPR Ref: Article 30
Compliant? Yes
As Data Controller and as Data Processor: Can be determined from records in the Black&Callow system.

10. Record Keeping
Requirement/Control: A general description of technical and organisational security measures is kept
GDPR Ref: Article 30
Compliant? Yes
As Data Controller and as Data Processor: We retain full details of all technical and organisational security measures.

11. Data Retention
Requirement/Control: Data may only be retained for as long as necessary for the purpose for which it was obtained. The company needs to determine how long data can be kept before it is either deleted or anonymised.
GDPR Ref: Article 5
Compliant? Yes
As Data Controller: Data relating to our customers is kept on an ongoing basis to help us supply goods and services and to build and maintain good working relationships with our clients and prospective clients. This data is reviewed every four years. Data relating to invoices is kept for seven years to comply with legislation and to defend our legal rights.
As Data Processor: We do not keep any data for longer than is necessary to perform functions related to the goods and services we supply.

12. Privacy Impact Assessments
Requirement/Control: Where the company implements new technologies which will or could result in a high risk to the rights and freedoms of individuals, the company has to carry out a PIA (termed a data protection impact assessment, DPIA, in Article 35). This is an exercise to determine what impact the technology and processing will have on individuals.
GDPR Ref: Article 35
Compliant? Yes
As Data Controller and as Data Processor: A full PIA would be undertaken should the company ever seek to implement a new technology which will or could result in a high risk to the rights and freedoms of individuals.

13. Employee Training
Requirement/Control: Employees who handle the personal data of other employees or of customers must receive training to ensure that they handle it in accordance with GDPR. The company should keep a record of training and provide update and refresher training.
GDPR Ref: Article 5
Compliant? Yes
As Data Controller and as Data Processor: All employees receive training in accordance with GDPR and are required to agree to our Data Protection and Information Security policies at the commencement of their employment. Records of refresher training will be retained.

14. Policies and procedures
Requirement/Control: General Data Protection Policy, if appropriate
GDPR Ref: Article 5
Compliant? Yes
As Data Controller: The personal data we hold is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. We take every reasonable step to ensure that the data we hold is accurate and, where necessary, kept up to date, and that any personal data that is inaccurate is either erased or rectified without delay. We process all personal data lawfully, fairly and in a transparent manner. We do not transfer any personal data cross-border. Where you are a client or prospective client of Black&Callow, we as Data Controller rely on legitimate interests as our lawful basis: to be able to provide our services, and to approach prospective clients whom we have identified as being likely to use our services. For example, we use personal data to communicate with our clients by telephone or email, to provide estimates, to supply services, and to maintain relationships so as to build a sustainable business. Personal information is stored securely and is not shared with any other party, and in all cases data subjects have the rights outlined below.
As Data Processor: We process all personal data lawfully, fairly and in a transparent manner. As Data Processor, we use data supplied to us by our clients (data controllers) or their advisors, such as company registrars, only for the purpose instructed by that client or advisor. For example, we would use personal data such as shareholder names and addresses provided to us by a company registrar to personalise and mail a letter or a form to shareholders (data subjects) as part of a capital markets or merger transaction. Some mailings involve more extensive personal data, for instance to calculate an allotment of shares so that the result can be personalised on a form. In all cases where we process such data on behalf of our clients, it is the obligation of the client or data controller to obtain any and all necessary consent to use the data subjects' personal data. Such personal data is stored securely, is retained for the duration of the project for which it has been provided, is not shared with any other party, is not used by us in any other capacity, and is securely deleted after the project has finished as part of a scheduled data destruction campaign.

15. Policies and procedures
Requirement/Control: Data Subject Access Rights Procedure, if appropriate
GDPR Ref: Article 5
Compliant? Yes
As Data Controller and as Data Processor: By emailing [email protected] with a request to see what data we retain on you (if any). We will respond within the timelines set out in the GDPR (one month from receipt under Article 12(3), extendable only where a request is complex or numerous). Please note that we may request further information from you in order to verify your identity before responding.

16. Policies and procedures
Requirement/Control: Data Retention Policy, if appropriate
GDPR Ref: Article 5
Compliant? Yes
As Data Controller: See item 11 above. Additionally, recipients may unsubscribe from our regular 'keep in touch' emails. Prospect and customer data is reviewed annually and, where there has been no contact for up to four years, is securely deleted. Data relating to invoices is securely deleted after seven years.
As Data Processor: See item 11 above. Additionally, personal data is retained for the duration of the project and is securely deleted after the project has finished, as part of a scheduled annual data destruction campaign in the year following payment of all invoicing, unless it must be retained to defend our legal rights.

17. Policies and procedures
Requirement/Control: Data Breach Escalation and Checklist, if appropriate
GDPR Ref: Article 5
Compliant? Yes
As Data Controller and as Data Processor: We maintain a Data Breach Escalation policy which adheres to https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

18. Policies and procedures
Requirement/Control: Employee Privacy Policy and Notice, if appropriate
GDPR Ref: Article 5
Compliant? N/A
As Data Controller and as Data Processor: N/A

19. Policies and procedures
Requirement/Control: Processing customer data policy, if appropriate
GDPR Ref: Article 5
Compliant? Yes
As Data Controller and as Data Processor: See item 14 above.

20. Policies and procedures
Requirement/Control: Guidance on privacy notices, if appropriate
GDPR Ref: Article 5
Compliant? Yes
As Data Controller and as Data Processor: We adhere to the ICO's guidelines, which can be seen at https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/

21. Privacy Notices
Requirement/Control: Privacy notices must be given at the time the data is obtained from the data subject or, if the data was received from a third party, within a reasonable period after obtaining the data and at the latest within one month
GDPR Ref: Articles 12-14
Compliant? Yes
As Data Controller and as Data Processor: For personal information for which we are the controller, the privacy policy published on our website provides details of the information we collect and what we do with it. For information for which we are not the controller, our customer contracts require that invitees of the customer agree to suitable terms.

22. Privacy Notices
Requirement/Control: Do privacy notices contain the required information?
GDPR Ref: Articles 12-14
Compliant? Yes
As Data Controller and as Data Processor: Yes, the information is available on our website and is based on ICO best practice guidelines.

23. Privacy Notices
Requirement/Control: Is the language concise, transparent, intelligible and in an easily accessible form, using clear and plain language, in particular for any information addressed to a child?
GDPR Ref: Articles 12-14
Compliant? Yes
As Data Controller and as Data Processor: See item 22 above.

24. Lawfulness of processing
Requirement/Control: Has the company established the legal basis on which it processes all the different (non-special-category) personal data that it holds?
GDPR Ref: Article 6
Compliant? Yes
As Data Controller and as Data Processor: Yes, please see item 14 above.

25. Lawfulness of processing
Requirement/Control: Has the company established the legal basis on which it processes all the special categories of personal data (previously known as sensitive personal data) that it holds?
GDPR Ref: Article 9
Compliant? N/A
As Data Controller and as Data Processor: We do not act as the controller for any such data, and for data we process on behalf of our customers, the customers and their invitees are required to act lawfully.

26. Lawfulness of processing
Requirement/Control: In each case where the grounds are consent: (a) Was the consent freely given? (b) Is the consent presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language? (c) Can the company demonstrate that the data subject gave their consent? (d) Does the data subject have the ability to withdraw their consent?
GDPR Ref: Article 7
Compliant? Yes
As Data Controller and as Data Processor: We rely on legitimate interests as our lawful basis rather than on consent.

27. Lawfulness of processing
Requirement/Control: (a) Does the company carry out profiling on employees or customers? (b) If so, does this profiling result in a decision about the individual which would have a significant legal or similar effect on that individual, e.g. refusal of credit or refusal of an interview? (c) If the answer to (b) is yes, has the company obtained the consent of the individuals to this profiling?
GDPR Ref: Article 22
Compliant? Yes
As Data Controller and as Data Processor: N/A. We do not make decisions that would have a significant effect on individuals on the basis of information obtained from profiling.

28. Lawfulness of processing
Requirement/Control: Does the company process personal data of children? If so, consider the language of privacy notices and how to obtain valid consent
GDPR Ref: Article 8
Compliant? Yes
As Data Controller and as Data Processor: We do not collect, nor act as the controller for, the personal details of any children.

29. Data Subject Rights
Requirement/Control: Does the company enable employees and customers to request the personal data the company processes about them? Are there personnel trained to respond to requests within the one-month timeframe?
GDPR Ref: Article 15
Compliant? Yes
As Data Controller and as Data Processor: Yes, see item 15 above. Employees and customers can see what data we hold by emailing [email protected], and have the right to withdraw their consent at any time and to lodge a complaint with a supervisory authority. Our data policy is outlined above and additional details are contained in the privacy policy on our website.

30. Data Subject Rights
Requirement/Control: Ability for subjects to exercise their right to rectification of inaccurate data
GDPR Ref: Article 16
Compliant? Yes
As Data Controller: Yes, see items 15 and 29 above.
As Data Processor: Yes, see items 15 and 29 above. Additionally, where we act as Data Processor, we pass requests on to the relevant Data Controllers within the allotted time frame.

31. Data Subject Rights
Requirement/Control: Ability for subjects to exercise their right to erasure
GDPR Ref: Article 17
Compliant? Yes
As Data Controller and as Data Processor: See items 15 and 30 above.

32. Data Subject Rights
Requirement/Control: Ability for subjects to exercise their right to restriction of processing (for example while the accuracy of the data is contested or an objection to processing is pending)
GDPR Ref: Article 18
Compliant? Yes
As Data Controller and as Data Processor: See items 15 and 30 above.

33. Data Subject Rights
Requirement/Control: Ability for subjects to exercise their right to data portability
GDPR Ref: Article 20
Compliant? Yes
As Data Controller and as Data Processor: See items 15 and 30 above.

34. Data Subject Rights
Requirement/Control: Ability for subjects to exercise their right to object where processing is based on public interests or legitimate interests, or is for direct marketing
GDPR Ref: Article 21
Compliant? Yes
As Data Controller and as Data Processor: See items 15 and 30 above.

35. Privacy by Design
Requirement/Control: Protect and minimise data where possible, within reason
GDPR Ref: Article 25
Compliant? Yes
As Data Controller and as Data Processor: Yes, we protect and minimise data where possible; please see item 15 above for policy details.

36. Privacy by Design
Requirement/Control: Do not collect or share more than is required
GDPR Ref: Article 25
Compliant? Yes
As Data Controller and as Data Processor: See item 35 above.

37. Data processors and international transfers
Requirement/Control: Ensure that any third-party data processors are GDPR compliant
GDPR Ref: Article 28
Compliant? Yes
As Data Controller: We have Controller-Processor GDPR agreements in place with third-party suppliers.
As Data Processor: We have Article 28 processing agreements in place with the third-party suppliers (sub-processors) we use.

38. Data processors and international transfers
Requirement/Control: Considerations for where the company, or the company's processors, transfer data out of the EEA
GDPR Ref: Articles 44-49
Compliant? Yes
As Data Controller and as Data Processor: All Black&Callow data processing is conducted within the EEA. Should a need arise for data to be transferred outside the EEA, the company will fully consider the impact and aim to ensure, as far as possible, that such transfers are minimised and comply with GDPR. (Note: Jersey, where the hosting partner for the online services in item 1 is based, lies outside the EEA but is covered by an EU adequacy decision, so transfers to it are permitted under Article 45 without additional safeguards.)

39. Security
Requirement/Control: Are security measures appropriate for the personal data?
GDPR Ref: Article 32
Compliant? Yes
As Data Controller and as Data Processor: We work to ISO/IEC 27001 information security standards. All personal data is encrypted and/or password protected. All employees are obliged to comply with our policies, including: the Company Data Protection Statement, which complies with the Data Protection Act; the IT User Policy; the Electronic Information and Communications System Policy; and others which deal with confidentiality and data protection. In the unlikely event of a data breach, we comply with the GDPR requirements for reporting such breaches to supervisory authorities (DPAs) and/or data subjects.

40. Breach Notification
Requirement/Control: Does the company have procedures in place to enable it to report a breach to the regulator within 72 hours of becoming aware of it?
GDPR Ref: Article 33
Compliant? Yes
As Data Controller and as Data Processor: Yes.

41. Breach Notification
Requirement/Control: If the breach is likely to result in a high risk to the rights and freedoms of individuals, the company will need to notify the individuals affected. Note that if the data is encrypted or otherwise rendered unintelligible to unauthorised persons, individuals need not be notified (Article 34(3)(a)).
GDPR Ref: Article 34
Compliant? Yes
As Data Controller and as Data Processor: Should any such breach occur, procedures are in place to comply with this requirement.