INTRODUCTION

We take the privacy of your information seriously and request that you carefully review this Privacy Notice, as it contains significant details regarding:

• The personal information we collect about you.
• How we handle your information.
• With whom your information may be shared.

We will not disclose your information to anyone without your consent and prior knowledge, except as outlined in this Privacy Notice and any applicable terms and conditions.

In its day-to-day business operations, MODERN HOME SHIELD UK LIMITED utilises various data pertaining to identifiable individuals, including:

• Current, former, and potential employees.
• Customers.
• Users of its websites.
• Subscribers.
• Other stakeholders.

In the collection and use of this data, MODERN HOME SHIELD UK LIMITED adheres to numerous laws governing such activities and the necessary safeguards to protect it. The purpose of this policy is to outline the relevant legislation and describe the measures MODERN HOME SHIELD UK LIMITED is implementing to ensure compliance.

These controls extend to all aspects of the organization’s information systems, encompassing board members, directors, employees, suppliers, and other third parties with access to MODERN HOME SHIELD UK LIMITED systems.

The following policies and procedures are pertinent to this document:

• Risk Assessment Process (DPIA).
• Data Mapping Procedure.
• Legitimate Interest Assessment Procedure.
• IT Incident Response Procedure.
• GDPR Roles and Responsibilities.
• Records Retention and Protection Policy.

PRIVACY AND PERSONAL DATA PROTECTION POLICY

1.1 The General Data Protection Regulation

The General Data Protection Regulation (GDPR) stands as one of the most significant legislative frameworks influencing MODERN HOME SHIELD UK LIMITED in its information processing activities. Substantial fines may be imposed in the event of a GDPR breach, as the regulation aims to safeguard the personal data of European Union citizens. It is the policy of MODERN HOME SHIELD UK LIMITED to ensure transparent and demonstrable compliance with the GDPR and other pertinent legislation at all times.

1.2 Definitions

The GDPR encompasses a total of 26 definitions, which are not all suitable for reproduction here. Nonetheless, the key definitions relevant to this policy are outlined below:

‘Personal data’ is defined as:
any information pertaining to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be directly or indirectly identified, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

‘processing’ means:
any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction;

‘controller’ means:
the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

1.3 Principles Relating to Processing of Personal Data

The GDPR is founded upon several fundamental principles, which include:

(a) processed lawfully, fairly, and transparently in relation to the data subject (‘lawfulness, fairness, and transparency’);
(b) collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89 (1), not be deemed incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, considering the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods where the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’). The controller shall be responsible for, and able to demonstrate compliance with, paragraph 1 (‘accountability’).

MODERN HOME SHIELD UK LIMITED will ensure compliance with all these principles in its current processing activities and upon the implementation of new processing methods such as new IT systems.

1.4 Rights of the Individual

The data subject possesses rights under the GDPR, which include:

DATA SUBJECT REQUEST
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights concerning automated decision making and profiling. Each of these rights is supported by appropriate procedures within MODERN HOME SHIELD UK LIMITED to enable the required actions to be taken within the timeframes stipulated in the GDPR.

1.5 Lawfulness of Processing

The GDPR outlines six alternative ways to establish the lawfulness of processing personal data in specific cases. It is MODERN HOME SHIELD UK LIMITED’s policy to identify the appropriate basis for processing and to document it in accordance with the Regulation. Brief descriptions of the options are provided in the following sections.

1.5.1 Consent

Unless necessary for a lawful reason under the GDPR, MODERN HOME SHIELD UK LIMITED will always obtain explicit consent from a data subject to collect and process their data. For children under the age of 16 (a lower age may be allowable in certain EU member states), parental consent will be obtained. Clear information regarding the use of their personal data will be provided to data subjects at the time of obtaining consent, and their data rights, such as the right to withdraw consent, will be explained. This information will be provided in an accessible format, written in plain language, and free of charge.

If personal data are not obtained directly from the data subject, this information will be provided to the data subject within a reasonable period after the data are obtained, and definitely within one month.

1.5.2 Performance of a Contract

Where the personal data collected and processed are necessary to fulfill a contract with the data subject, explicit consent is not required. This is often the case where the contract cannot be completed without the personal data in question, for example, a delivery cannot be made without an address to deliver to.

1.5.3 Legal Obligation

If the collection and processing of personal data are required to comply with the law, explicit consent is not required. This may apply to some data related to employment and taxation, for example, and to many areas addressed by the public sector.

1.5.4 Vital Interests of the Data Subject

If personal data are necessary to protect the vital interests of the data subject or another natural person, this may serve as the lawful basis for processing. MODERN HOME SHIELD UK LIMITED will retain reasonably documented evidence that this is the case whenever this reason is used as the lawful basis for processing personal data. For instance, this may apply to aspects of social care, particularly in the public sector.

1.5.5 Task Carried Out in the Public Interest

Where MODERN HOME SHIELD UK LIMITED needs to perform a task that it believes is in the public interest or as part of an official duty, the data subject’s consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.

1.5.6 Legitimate Interests

If the processing of specific personal data is in the legitimate interests of MODERN HOME SHIELD UK LIMITED and is judged not to significantly affect the rights and freedoms of the data subject, this may constitute the lawful basis for processing. Again, the rationale behind this perspective will be documented.

This document provides a comprehensive list of the ways in which we may use your personal information, as well as the reasons upon which we rely. It also outlines our legitimate interests.

What we use your personal information for

1. Serving you as a customer

– To manage our relationship with you or your business;
– To develop and carry out marketing activities;
– To study how our customers use products and services from us;
– To communicate with you about our products and services;
– To develop and manage our brands, products and services.

Our reasons

– Your consent
– Fulfilling contracts
– Our legitimate interests
– Our legal duty

Our legitimate interests

– Keeping our records up to date, working out which of our products and services may interest you and telling you about them;
– Developing products and services, and what we charge for them;
– Defining types of customers for new products or services;
– Seeking your consent when we need it to contact you;
– Being efficient about how we fulfil our legal and contractual duties.

2. Business Improvement

– To test new products & services;
– To manage how we work with other companies that provide services to us and our customers;
– To develop new ways to meet our customer’s needs and to grow our business.

Our reasons

– Fulfilling contracts
– Our legitimate interests
– Our legal duty

Our legitimate interests

– Developing products and services, and what we charge for them;
– Defining types of customers for new products or services;
– Being efficient about how we fulfil our legal and contractual duties.

3. Managing our Operations

– To deliver of our products and services;
– To make and manage customer payments;
– To manage fees, charges and interest due on customer accounts;
– To collect and recover money that is owed to us.

Our reasons

– Fulfilling contracts
– Our legitimate interests
– Our legal duty

Our legitimate interests

– Remaining competent about how we fulfil our legal and contractual duties
– Complying with rules and guidance from regulators

4. Managing security, risk and crime prevention

– To manage risk for us and our customers;
– To obey laws and regulations that apply to us;
– To respond to complaints and seek to resolve them;
– To detect, investigate, report, and seek to prevent financial crime

Our reasons

– Fulfilling contracts
– Our legitimate interests
– Our legal duty

Our legitimate interests

– Review risk factors as well as doing our legal duties in this respect
– Complying with rules and guidance from regulators
– Remaining competent about how we fulfil our legal and contractual duties

5. Business management

– To run our business in an efficient and proper way. This includes:
– Managing our financial position,
– Managing our business capability,
– Adding and testing systems and processes,
– Managing communications,
– Managing corporate governance,
– Regular auditing.
– To exercise our rights set out in agreements or contracts

Our reasons

– Our legitimate interests
– Our legal duty
– Fulfilling Contracts

Our legitimate interests

– Complying with rules and guidance from regulators
– Being efficient about how we fulfil our legal and contractual duties

For processing special categories of personal data

– Substantial Public Interest
– Responding to Regulatory Requirements – Showing whether we have assessed your request in the right way. – Legal Claims
– Consent
– Conduction Police and DBS checks to help prevent, detect, and prosecute unlawful acts and fraudulent behaviour.
– Using health information as needed to provide facilities under which our staff can comfortably and safely work.
– Using any special categories of data as needed to establish, exercise or defend legal claims
– Telling you that we need your consent to process special categories of personal data, when that is what we rely on for doing so.

1.6 Privacy by Design

MODERN HOME SHIELD UK LIMITED has embraced the principle of privacy by design and will ensure that the definition and planning of all new or significantly altered systems that gather or handle personal data undergo thorough consideration of privacy matters. This includes conducting one or more data protection impact assessments.

The data protection impact assessment will encompass:

• Evaluation of how personal data will be processed and for what objectives.
• Assessment of whether the proposed processing of personal data is both essential and proportionate to the intended purpose(s).
• Evaluation of the risks to individuals associated with processing the personal data.
• Determination of the necessary controls to mitigate the identified risks and demonstrate compliance with legislation. Employment of techniques such as data minimization and pseudonymization will be explored where applicable and suitable.

1.7 Contracts Involving the Processing of Personal Data

MODERN HOME SHIELD UK LIMITED will ensure that all engagements it undertakes which entail the processing of personal data are governed by a documented contract. This contract will encompass the precise details and terms mandated by the GDPR. For further details, please refer to the GDPR Controller-Processor Agreement Policy.

1.8 International Transfers of Personal Data

Before any transfers of personal data outside the European Union occur, thorough scrutiny will be undertaken to ensure compliance with the boundaries set by the GDPR. This assessment relies partly on the European Commission’s assessment of the adequacy of safeguards for personal data in the recipient country, which may evolve over time. Intra-group international data transfers will be governed by legally binding agreements known as Binding Corporate Rules (BCR), which grant enforceable rights for data subjects.

1.9 Data Protection Officer

Under the GDPR, the role of Data Protection Officer (DPO) is mandated if an organisation is a public authority, engages in large-scale monitoring, or processes particularly sensitive types of data on a significant scale. The DPO must possess a suitable level of expertise and can either be an internal resource or outsourced to a suitable service provider.

Considering these criteria, MODERN HOME SHIELD UK LIMITED is not obligated to appoint a Data Protection Officer.

1.10 Breach Notification

MODERN HOME SHIELD UK LIMITED adheres to a policy of fairness and proportionality when determining the appropriate actions to notify affected parties of breaches in personal data. In accordance with the GDPR, if a breach occurs that is likely to jeopardize the rights and freedoms of individuals, the relevant supervisory authority will be notified within 72 hours. This process is outlined in our Information Security Incident Response Procedure, which delineates the overall approach to managing information security incidents.

Under the GDPR, the ICO has the authority to levy fines ranging up to four percent of annual worldwide turnover or twenty million Euros, whichever is higher, for breaches of the regulations.

1.11 Addressing Compliance to the GDPR

To ensure continuous adherence to the accountability principle of the GDPR, MODERN HOME SHIELD UK LIMITED undertakes the following actions:

• Ensuring the legal basis for processing personal data is clear and unequivocal.
• Appointing a Data Protection Officer with specific responsibility for data protection within the organization, if necessary.
• Providing all staff involved in handling personal data with a clear understanding of their responsibilities in adhering to good data protection practices.
• Conducting training sessions on data protection for all staff.
• Adhering to rules regarding consent.
• Providing avenues for data subjects to exercise their rights regarding personal data, and handling such inquiries efficiently.
• Conducting regular reviews of procedures involving personal data.
• Adopting privacy by design for all new or modified systems and processes.
• Documenting processing activities, including:
  • Organisation name and relevant details.
  • Purposes of the personal data processing.
  • Categories of individuals and personal data processed.
  • Categories of personal data recipients.
  • Agreements and mechanisms for transferring personal data to non-EU countries, including details of controls in place.
  • Personal data retention schedules.
  • Relevant technical and organisational controls in place.

These actions undergo regular review as part of the data protection management process.