This Privacy Information Notice was last updated on 28th September 2020.
Who we are
We are Form & Function Digital Co-operative Ltd. Company number SC625583 registered in Scotland at 7 Rosefield Avenue, Edinburgh EH15 1AT.
We’re committed to protecting and respecting your data privacy.
Note: This Privacy Information Notice relates to Form & Function Digital Co-operative Ltd as Data Controller. If Form & Function Digital Co-operative Ltd is also a Data Processor for your organisation, please read ‘How we process personal data on behalf of clients’.
Collection, processing and storage of personal data
Form & Function Digital Co-operative collects, processes and stores personal data in order to carry out and promote our business of providing consultancy, website design & development, and hosting, maintenance and technical support services to our clients.
This Privacy Information Notice details what personal data we collect, how we collect it, why we collect it, the lawful basis for processing it, where we store it and how long we store it for. The notice also provides information about how to request, modify or delete the personal data we hold through a Subject Access Request (SAR) and how to contact us with any questions about our data protection policies or procedures.
How we collect personal data
Contact form
Newsletter sign-up form
Client Record Management (CRM)
Project management
Support desk
Proposal management
Content Management System User Accounts (WordPress)
Server logs
Analytics
Accounting software
Cookies
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The information below explains the cookies we use and why.
Universal Analytics (Google)
Universal Analytics (Matomo - formerly Piwik)
How do I change my cookie settings?
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.
Find out how to manage cookies on popular browsers:
To find information relating to other browsers, visit the browser developer’s website.
To opt out of being tracked by Google Analytics across all websites, visit https://tools.google.com/dlpage/gaoptout.
Special category personal data
We do not collect, process or store any special categories of personal data such as race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation, or criminal offence data (except where necessary to carry out performance of employment contracts – if you are an employee of Form & Function Digital Co-operative please refer to the Employee Privacy Policy for details of how your personal data is collected, processed and stored).
Retention and deletion of personal data
We identify and delete personal data in our possession when it is no longer needed for the performance of our contract with the client organisation, unless we are required to keep it for legal or security reasons.
We are required by UK government regulations to keep certain types of data (eg payroll, accounts and VAT records) for a minimum of 7 years. We also need to keep details of the fulfilment of business contracts for several years after completion of a contract as part of our professional indemnity insurance.
Accordingly, we routinely delete most other data, including emails, in batches after 8-9 years have elapsed. We keep some accounting and archival data indefinitely.
When deleting personal data, we take steps to delete all copies beyond reasonable possibility of restoration, including copies on backups.
Who do we share your personal data with?
Aside from Form & Function Digital Co-operative staff it is sometimes necessary to share your personal data with Third Party Service Providers working on our behalf:
We may pass your information to our third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to process payment and send you mailings). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract or agreement in place that requires them to keep your information secure and not to use it for their own marketing purposes.
We will not sell or rent your information to third parties.
It may be necessary to share your personal data where there is a legal requirement to do so.
Your legal rights in relation to personal data and how Form & Function Digital Co-operative addresses these
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
How we protect your personal data
We maintain a high level of physical and electronic security in relation to the collection, storage and disclosure of your information. We take reasonable steps to ensure that any information we hold about you is protected. We use Secure Socket Layer (SSL), which encrypts information given over the internet to protect all personal data.
Internally Form & Function Digital Co-operative utilises password managers so that passwords can be administered securely. We use and enforce strong passwords and where we store data we encrypt it.
What data breach procedures we have in place
We will document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.We will notify the Information Commissioner Office (ICO) no later than 72 hours if the breach is likely to result in a risk to the rights and freedoms of natural persons in accordance with Article 55.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, will we communicate the personal data breach to the data subject without undue delay. This communication will describe in clear and plain language the nature of the personal data breach and include:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
This communication to the data subject is not required if the conditions in Article 34 – 3a), b) or c) – are met.:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
What third parties we receive data from
We do not buy or receive personal data from any third parties.
What automated decision making and/or profiling we do with personal data
We do not use automated decision making or undertake profiling with personal data.
Privacy Notice updates
We may change this Policy from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using our website, you’re agreeing to be bound by this Policy.
This Privacy Information Notice was last updated on 10th May 2019.
How to contact us
We are registered with the Information Commissioner’s Office (ICO) in the UK:
Form & Function Digital Co-operative on the ICO register number ZA513969.
If you are unhappy with the way we handle your personal data and we have not been able to resolve it, you have the right to lodge a complaint with the ICO.
Any questions regarding this Policy and our privacy practices should be sent by email to dpo@formandfunction.coop or by writing to Form & Function Digital Co-operative Ltd, The Melting Pot, 5 Rose Street, Edinburgh EH2 2PR.