Hermitage Group Ltd – CRN 08355093
Border Merchant Systems Ltd – CRN 02542536
Fidelity Systems Ltd – CRN 03217771
Stratus21 Ltd – CRN 10089780
CIS Systems Ltd – CRN 08365507
We are providing you with this Privacy Notice in demonstration of our commitment to information security. We are registered with the Information Commissioner’s Office under the following reference numbers:
Hermitage Group Ltd – ZA246246
Border Merchant Systems Ltd – ZA246233
Fidelity Systems Ltd – CRN 03217771
Stratus21 Ltd – ZA246239
CIS Systems Ltd – ZA246236
HIG Group operates and maintains an Information Security Management System (ISMS) in order to control its information assets and the information assets of its customers correctly. The ISMS is part of our ‘privacy by design’ approach to data management and consists of the following components:
HIG Group issues the following contractual documentation, which incorporates binding information security clauses, to employees, contractors, customers and suppliers:
|Privacy Notice or Statement of Compliance for GDPR||√||√||√||√|
|Contract of Employment with Non Disclosure content||√|
|Service Contract (or equivalent) with Non Disclosure content||√|
|Commercial Terms of Business||√|
HIG Group maintains operating policies and protocols to cover:
HIG Group’s relevant policies and protocols help us to fully realise our commitment to lawful, fair and transparent data processing.
HIG Group commits to oversee the competence of all our human resources in respect of compliance with GDPR. This includes the issue of contractual and procedural documentation, as described above, as well as the implementation of training for all relevant members of staff.
Training is provided either directly by HIG Group or by their suppliers to enable employees and contractors to operate consistently within our ISMS.
HIG Group has run a GDPR audit to determine that our physical office environment, our IT systems, our personnel, our policies and our practices conform to the standards of the General Data Protection Regulation.
We are registered with the Information Commissioner’s Office and we operate a formal incident management process to identify, contain and recover from a data breach, should one occur. Our employees are trained to report any suspicion of data breach to our Data Protection Officer in line with our Data Protection Policy.
In the course of transacting with us you may be required to provide personal information to include: your name, address, telephone number, email address, and any feedback you give to us, including by phone, email, post, or when you communicate with us via social media.
Your personal information may be used by us to:
You have the right to access the personal information that we hold about you in many circumstances. This is sometimes called a 'Subject Access Request'. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge.
Before providing personal information to you or another person on your behalf, we may ask for proof of identity and sufficient information about your interactions with us so that we can locate your personal information.
If any of the personal information we hold about you is inaccurate or out of date, you may ask us to correct it. If you would like to exercise these rights, please contact our Data Protection Representative, Dean Macken, firstname.lastname@example.org
You have the right to object to us processing your personal information if we are not entitled to use it any more, to have your information deleted if we are keeping it too long or have its processing restricted in certain circumstances. If you would like to exercise this right, please contact our Data Protection Representative, as detailed above.
4.2.iii How long will we keep your information?
We will retain a record of your personal information only for as long as it is necessary to do so. Our objective is to provide you with a high quality and consistent service across our group. We will always retain your personal information in accordance with law and regulation.
Qualifying the compliance of suppliers and third parties is essential to establishing our own Statement of Compliance with GDPR. Should any suppliers or third parties with whom we share personal information – either as data controllers or data processors – fail to evidence conformity to the requirements of GDPR (or fail to ameliorate their non-conformity under notice) we will terminate our relationship with them.
Our current key suppliers/third parties in the context of personal information data processing have documented evidence of their compliance with GDPR.
Access to all our office environments is physically controlled during business hours of 8.00 am to 5.30 pm. Our premises are alarmed and a list of keyholders is held at all times.
Servers, routers and other business-critical equipment are stored securely within each premises.
Remote access to servers is carefully managed and monitored with enhanced security protocols in place.