Ascendis is committed to the responsible handling and protection of personal data.
Personal data is any information about a person that makes them identifiable, which may include (but is not limited to):
- Names and contact information i.e. emails and telephone numbers
- National Insurance Numbers
- Employment history
- Employee numbers
- Credit History
- Personal tax
- Payroll and accounting data
We collect, use, disclose, transfer, and store personal information when needed to provide our services and for our operational and business purposes as described in this policy.
For general data protection regulation purposes, the “data controller” means the person or organisation who decides the purposes for which and the way in which any personal data is processed.
The data controller is Ascendis.
What information do we collect and how?
Ascendis, as a Data Controller, is bound by the requirements of the General Data Protection Regulation (GDPR).
We obtain, use and process the information provided to us by individuals to enable us to discharge the services (as defined in our Letter of Engagement and supporting Schedules) and for other related purposes including:
- Updating and enhancing client records
- Analysis for management purposes
- Carrying out credit checks in relation to you
- Statutory returns
- Legal and regulatory compliance
- Crime prevention.
How will we use the information and why?
At Ascendis we take privacy seriously and will only use personal information to provide the services which have been requested from us, as detailed in our Letter of Engagement and supporting schedules and as we have identified above. We will only use this information subject to data protection law and our duty of confidentiality.
We may receive personal data for the purposes of our money laundering checks, such as a copy of a passport. This data will only be processed for the purposes of preventing money laundering and terrorist financing, or as otherwise permitted by law or with the individual’s consent.
Our work may require us to pass on information to our third-party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing the services on our behalf. However, when we use third-party service providers, we disclose only the personal information that is necessary to deliver the services and we have ensured that these providers comply with the General Data Protection Regulation as detailed in this policy.
Sharing of Information
We partner with and are supported by service providers both within the UK and abroad. Personal information will be made available to these parties only when necessary to fulfill the services they provide to us, such as software support. Our third-party service providers are not permitted to share or use personal information we make available to them for any other purpose than to provide services to us.
As part of the services offered, your information may be transferred to countries outside the European Union (“EU”). For example, some of our third-party providers may be located outside of the EU. Where this is the case we take steps to ensure that the information we collect is processed according to this Privacy Statement and the requirements of applicable law wherever the data is located.
When we transfer personal information from the European Economic Area to other countries in which applicable laws do not offer the same level of data privacy protection as in your home country, we take measures to provide an appropriate level of data privacy protection. In other words, your rights and protections remain with your data.
We would like to send information about our services which may be of interest to those clients who have specifically opted in to receive such communications. Any individual who decides to opt out of receiving marketing may do so at any point by emailing firstname.lastname@example.org or by following the unsubscribe link found in the email communications they receive from us.
How long we keep personal information
We retain personal information for as long as we reasonably require it for legal or business purposes. In determining data retention periods, Ascendis takes into consideration local laws, contractual obligations, and the expectations and requirements of our customers. When we no longer need personal information, we securely delete or destroy it.
Subject access request policy
If you request access to your personal information, we will gladly comply, subject to any relevant legal requirements and exemptions, including identity verification procedures. Before providing data to you, we will ask for proof of identity and sufficient information about your interaction with us so that we can locate any relevant data. We will respond to any subject access requests within one month of receipt of the request.
Right to portability policy
This is your right to receive the personal data which you have given to us, in a structured, commonly used and machine-readable format, and to transmit that data to another controller without delay from the current controller if:
(a) The processing is based on consent or on a contract, and
(b) The processing is carried out by automated means.
Right to object policy
This is your right to lodge an objection to the processing of your personal data if you feel the “grounds relating to your particular situation” apply. The only reasons we will be able to deny this request are if we can show compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
In some jurisdictions, you have the right to correct or amend your personal information if it is inaccurate or requires updating. You may also have the right to request deletion of your personal information; however, this is not always possible due to legal requirements and other obligations and factors.
Right to be forgotten policy
Under the GDPR, you have a right to have personal data erased, known as the ‘right to be forgotten’. This could apply where processing is no longer necessary for the purpose; where the data subject withdraws consent; if the individual objects to processing undertaken for legitimate interests; or where there are legal requirements to do so. There are exemptions from this right. For example, the right to erasure does not apply if processing is necessary to comply with a legal obligation. We will respond to any data erasure request within one month of receipt of the request.
Security breach policy
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Ascendis will report data breaches to the Information Commissioner’s Office within 72 hours of becoming aware of them. Ascendis will also report the breach to any affected individuals where there is a high risk that they will suffer adverse effects.