GDPR Privacy Notice
Introduction
SERQA is committed to protecting the privacy and security of those with whom we interact. This privacy statement explains how we
use and treat personal information provided to us within client instructions. It also identifies additional information that the company
may collect to reach a successful investigative conclusion and how we protect data to ensure that it is secure
Protecting Information
SERQA maintains security policies and practices within facilities and systems to protect information from unauthorised access and inappropriate disclosure, alteration, and destruction. Security includes, but is not limited to, encryption, physical access security and other appropriate technologies.
Cookies
The Company makes use of both session and persistent cookies on websites it owns and operates directly or indirectly through a third-party partner. Cookies are small pieces of data that are stored by the user’s Web browser. They are used by websites to enhance user experience and remember information such as username, language, viewing preferences, shortcut navigation and other user preferences.
Server & Application Logging
SERQA web servers automatically collect internet protocol (IP) addresses which are used solely for reporting demographic information, number of visits and in communications troubleshooting. Authentication credentials are also recorded to comply with auditing requirements and assist with investigation of client requirements. As the Company enhances, modifies or maintains its’ systems, services and processes, modifications may be made to this policy.
Obtaining & Sharing Information
The Company is authorised by its instructing clients to act as their representative in obtaining information on living individuals. The company respects the privacy of individuals while obtaining information for legitimate businesses that can demonstrate an appropriate
need for this information.
As part of individual investigations, we will from time to time perform intelligence research as part of our provisional inquiries. These checks are lawful and are all made using publicly available sources which include but may not be limited to;
• Social media platforms
• Companies House
• Electoral roll
• Subscription databases
The company will not share personal data with any third parties unless the data needs to be shared to meet legal or statutory requirements. We will not pass on data to third parties for marketing and promotions activity, nor will the company pass on any information for profiling purposes.
Instruction Data
If an instruction is received via the SERQA client portal, a case file is opened within the CMS including the personal details of the subject / claimant and any ancillary information relating to the instruction.
If the instruction is received by email or hard copy, a case file is opened in the CMS, and the information is entered, and if received via hard copy, the instruction is destroyed by shredding.
Data Processing & Storage
No data processing and storage takes place outside of the UK.
Subject Access Request
Data will be shared with a third party if we receive a formal Subject Access Request, which forms part of the General Data Protection Regulations. However, if SERQA receives a request for subject data from the subject or a third party acting on their behalf, we will notify our client in advance of compliance with the subject access request.
If SERQA are asked to provide any personal data regarding an investigation by the law enforcement such as the police, the security services, it will do so, and the client will be informed.
Retention of Records
• SERQA will securely maintain personal data it processes for a period that the original purpose for processing it continues.
• We accept that evidence we obtain through certain types of investigation may be called upon as expert witness evidence including attendance at court and therefore cannot place a defined time frame on a standard data deletion process.
• When assessing data retention periods, SERQA will consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of the data, the purposes for which we process the data and whether we can achieve those purposes through other means, and the applicable legal requirements.
• SERQA acknowledge our clients retain the position of Data Controller within the data relationship hierarchy and expects to be informed when a claim settles on a case where the company holds relevant personal data. This will allow data to be deleted permanently.
• To ensure data is not retained beyond a period that is necessary for the purpose it was processed; once the seven-year anniversary of SERQA’s last work activity is reached and providing the company have not been contacted by the client confirming settlement has been reached, we will assume settlement did conclude and without notice, automatically permanently delete all data.
• Clients are encouraged to contact the company periodically on individual cases if deferment of standard data destruction timeframes is considered appropriate.
GDPR Single Contact Point
All enquiries concerning this Privacy Notice and related issues should be directed to our Data Protection Officer (DPO).
SERQA DPO, Liberty House, Greenham Business Park, Newbury, Berkshire, RG19 6HW