Privacy notice
At the Nasstar Group we are committed to protecting and respecting your privacy at all times
Last updated: June 2024
This notice provides an outline of when and why we collect personal information, how we use it and the conditions under which we may disclose it to third parties. It is important that you read this notice together with our Website Terms and Conditions.
If you have any questions regarding this notice or our privacy practices in general, please email us at dpo@nasstar.com.
Who are we?
This notice is issued on behalf of the Nasstar group of companies so when we mention ”Nasstar”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in the Nasstar Group responsible for processing your data. Details of the Nasstar group of companies can be found here. GCI Network Solutions Limited is the controller, and responsible for this website. This means we decide how your personal data is processed and for what purposes. In some circumstances, we also act as a processor in respect of our customers' personal data, with the customer acting as a controller.
Our registered business address is Melbourne House, Brandy Carr Road, Wakefield, West Yorkshire, WF2 0UG and our company house identifier is 04082862.
What is personal data?
Personal data relates to an individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller's possession or likely to come into its possession.
The processing of personal data in the UK is governed the General Data Protection Regulation 2016/679 (the “GDPR”) as incorporated into UK law pursuant to s.3 of the European Union (Withdrawal Act) 2018 (as amended) (“UK GDPR”), the Data Protection Act 2018 (“DPA”) and also by the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Contact details of the Data Protection Officer (“DPO”)
If you have any queries or questions about this notice then please contact our DPO by emailing dpo@nasstar.com.
What personal data do we collect and how do we collect it?
One of the purposes of this Privacy Notice is to explain how we collect and process personal data. The primary ways we collect information are as follows:
- Visit one of our websites
- Subscribe to our service through your enterprise
- Contact us directly, e.g. using email, chat, contact forms or contact centre
- Request marketing information to be sent to you
- Participate in an online survey
- Submit a job application
- Provide us feedback
- Visit one of our office locations
We encourage you to read this Privacy Notice. It has been written to ensure you understand how we collect information, how it is safeguarded, what is collected, how it is processed, where it is processed, with whom we may share it, and your rights under the law.
We collect and process a range of information about you. This includes:
CRM data
- your name and contact details, including email address and telephone number;
- your image when you visit one of our offices with an entrance surveillance system;
Communications data
- your IP address, operating system and browser type;
- your traffic data, location data, weblogs and other communication data, the resources that you access;
Content data
- your call recordings when you interact with our support team;
- details of any contact including a record of the correspondence.
We collect this information in a variety of ways. For example, data is collected through online forms, website cookies, from correspondence with you, through subscription to our newsletters and through event registrations.
To enable the provision of products and services to you, we may also collect and process other personal data to enable the performance of the contract between you and us. This will be communicated and agreed through specific contract documentation and / or specific privacy notices.
In some cases, we collect personal data about you from third parties, such as analytics providers, lead generation companies, partners and event organisers.
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences from your use of our website.
How do we process your personal data?
We comply with our obligations under the DPA and GDPR by keeping personal data up to date (subject to your notification of any required updates to your personal data); by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
How do we process your personal data?
We will only use your personal data when we have your consent, a legitimate interest (and your interests and fundamental rights do not override those interests) or where we need to comply with a legal obligation.
We set out in the table below a description of the ways we may use your personal data and which of the legal bases we rely on to do so, including our legitimate interests where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us at dpo@nasstar.com if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
---|---|---|
To register you as a new customer | (a) Identity (b) Contact | Performance of a contract with you |
To process and deliver your order and carry out our obligations arising from any contracts entered into between you and us including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us) |
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy or changes to our services (b) Asking you to leave a review or take a survey | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
To enable you to partake in a prize draw, competition or complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
To make suggestions and recommendations to you about goods or services, and inform you of news, events and activities, that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) |
To provide support for our services and improve our service quality | (a) Identity (b) Contact (c) Technical (d) Usage (e) Call Recordings | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to develop our products/services and improve our service quality) |
To recruit new hires and manage employment relationship | (a) Identity (b) Contact (c) Resume/CV, Education, Employment, and other background data (d) Financial (e) Transaction | (a) Consent provided by you as an applicant (b) Necessary for our legitimate interests (to manage our e2e relationship) (c) Necessary to comply with a legal obligation as an employer |
If you are a customer, supplier, employee, contractor or users of our services, then we may use your personal data for other purposes that are described in other privacy notices available on the Nasstar website or through specific contract documentation.
The processing is necessary for the purposes described above and we take steps to minimise the impact on your privacy rights by endeavouring to contact only those individuals who have expressed an interest in our services or those in IT-based job roles, with information around IT-based services, solutions, events and information. We also offer you the right to object to or opt-out from our communications and processing activities at any time. To opt-out, you can use the unsubscribe button at the bottom of an e-shot or you can email enquiries@nasstar.com.
Automated decision making and profiling
No automated decision making is undertaken by us or the third parties with whom data is shared. Profiling is undertaken through the use of analytics in pursuance of our legitimate interests and as outlined in the section Purposes for which we will use your personal data above.
Cookies
Our website uses cookies to make our site work and to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve it. Please see our Cookie Notice for details: https://www.nasstar.com/cookies
Categories of recipients
Your personal data will be treated as strictly confidential and will only be shared with the recipients detailed below for the purpose stated.
- Marketing communication facilitators - to keep you updated on our products and services;
- Online advertising providers - to keep you updated on our products and services;
- Website engagement companies (e.g. live chat) - to help us to assist you and respond to your queries;
- Analytics providers - to help us improve your online experience;
- Third parties for joint promotions with that party - to help us organise events;
- Third Parties acting as processors or sub-processors required to enable us to provide the products and services we provide;
- Companies within the Nasstar Group - for marketing purposes and to support overall provision of our products and services;
- Fraud prevention agencies - to prevent fraud;
- Alternative dispute resolution - for complaint escalation;
- Law enforcement agencies, government bodies, regulatory organisations, courts or other public authorities - where required by law.
Transfers outside of the UK and outside of the EEA and Safeguards for International transfers
Your data may be transferred to countries outside the European Economic Area (EEA) or the United Kingdom in instances where we are required to transfer your data to another member of the Group for any of the purposes listed at How do we process your personal data? above, where our or our recipients' servers used for storing personal data are based outside of the EEA or the United Kingdom.
If you use our services whilst you are outside of the EEA or the United Kingdom, your data may be transferred outside the EEA or the United Kingdom (as appropriate) in order for us to provide you with those services.
Data will only be transferred outside of the EEA or the United Kingdom (as appropriate) where a declaration of adequacy and Data Protection Agreement or equivalent agreement is in place. If the country in which the data is to be transferred has no declaration of adequacy in place, then we will request the third party to enter into a legal agreement that reflects those standards through the use of Standard Contractual Clauses. “Standard Contractual Clauses” for these purposes means: (i) where the GDPR applies, the standard contractual clauses for the transfer of personal data to controllers or processors (as appropriate) established in third countries approved by the European Commission from time to time (as amended or replaced by the European Commission from time to time) and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” or the “International Data Transfer Agreement” issued (in each case) by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (as amended or replaced by the Information Commissioner's Office from time to time).
Data retention period and criteria used to determine that period
We keep your personal data for no longer than is reasonably necessary for the purposes set out in this Privacy Notice. This is determined through assessment by the DPO.
We delete personal data relating to sales and marketing upon receipt of an opt-out request, or two years after the last communication we receive from you.
Rights to request access to the data, object, restrict processing, rectification, erasure and portability
Under the GDPR, you have the ability to exercise via the DPO the following rights with respect to your personal data:
- The right to request a copy of your personal data which we hold about you;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for us to retain such data;
- The right where applicable to request, that we provide you with a copy of your personal data and where possible, to transmit that data directly to another data controller (known as the right to data portability);
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right where applicable to object to the processing of personal data;
- The right to object to the use of Cookies;
- The right to lodge a complaint with your local supervisory authority.
Right to withdraw consent at any time
We do not rely on consent for our processing activities but instead on our legitimate interests, or for contractual purposes; we therefore cannot offer the right to withdraw consent. However, you do have the right to object to or opt-out from our processing activities by contacting our DPO.
Further processing
If we wish to use your personal data for a new purpose that is not covered by this privacy notice and which is incompatible with the purposes described in this notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where necessary, we will seek your prior consent to the new processing.
Right to lodge a complaint with ICO
To exercise all relevant rights, or for queries, please in the first instance contact us on the contact details provided above.
Should you have a concern about our information rights practices, you have the right to complain directly to our supervisory authority, the ICO.
Their address and contact details are as follows:
Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Alternatively, you can contact them via the following link: https://ico.org.uk/global/contact-us/
Contact details for data protection authorities in the European Economic Area, are available at https://edpb.europa.eu/about-edpb/board/members_en. For other countries please contact our DPO at dpo@nasstar.com.
Updates to this Notice and your Personal Data
We may update this notice from time to time in response to changing legal, technical or business developments.
When we update our notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.