1. Introduction
    1. Genilogic Ltd (“the Company”) is committed to protecting the privacy and security of our customers’ personal information.
    2. The Company has developed policies and practices which describe how we collect and use personal information about customers during and after their relationship with us, in accordance with the General Data Protection Regulation (GDPR).
    3. The Company is a “data processor”. This means that we are responsible for processing data on behalf of the customer, the data controller. We are required under data protection legislation to notify our customers of this information which is contained within a privacy notice sent out to them.
    4. It is important that all company personnel read this policy, together with any other data protection policies in place or which are implemented in the future, so that they are aware of what personal data is collected, where it is retained and the period the Company will retain it for.
  2. Data Protection principles
    1. The Company will comply with data protection law. The law states that any personal information we hold on an individual must be:
    2. Used lawfully, fairly and in a transparent way.
    3. Collected only for valid purposes that we have clearly explained to the individual and not used in any way that is incompatible with those purposes.
    4. Relevant to the purposes we have told the individual about and limited only to those purposes.
    5. Accurate and kept up to date.
    6. Kept only as long as necessary for the purposes we have told the individual about.
    7. Kept securely.
  3. The type of information that we hold about customers
    1. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
    2. There are “special categories” of more sensitive personal data which require a higher level of protection.
    3. The Company will collect, store, and use the following categories of personal information about individuals (not all will be applicable to each individual):
    4. Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
    5. Company information.
    6. Location of employment or workplace.
    7. Such information, as set out in this clause 3, is collected from the customer during the setup of the system as per the contract with the Company, through electronic, written or verbal communication.
    8. We only use an individual’s personal information when the law allows us to. Most commonly, we will use personal information as per the privacy notice and in the following circumstances:
    9. Where we need to perform the contract we have entered into with the customer.
    10. Where it is necessary for our legitimate interests (or those of a third party) and an individual’s interests and fundamental rights do not override those interests.
  4. Where is customer information stored?
    1. In line with the Company’s Information Security Policy, we undertake regular data mapping and risk assessments in line with the personal data that we hold to ensure we are compliant with our obligations under the GDPR.
    2. Personal data is stored both electronically and in paper format. In particular, personal data is stored as follows:-
      1. Electronically with Fresh Sales, a CRM solution;
      2. Electronically in Amazon Web Services;
      3. Electronically on Outlook 365;
      4. Electronically with Mailchimp;
      5. Paper format.
  5. How long will the Company use customer information for?
    1. The Company will only retain customer personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
    2. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of an individual’s personal data, the purposes for which we process an individual’s personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
    3. In some circumstances we may anonymise personal information so that it can no longer be associated with an individual, in which case we may use such information without further notice to that individual. Once the individual in question is no longer a customer of the company we will retain and securely destroy their personal information in accordance with applicable laws and regulations.
    4. In particular, we will retain a customer’s personal information for the length of time needed to complete the initial request and for a maximum of 30 days should the customer terminate their request (subject to any legal requirement).
  6. Data sharing
    1. The Company will share an individual’s personal information with third parties where required by law, where it is necessary to administer the working relationship with the customer.
    2. “Third parties” includes third-party service providers. The following activities are carried out by third-party service providers:
      1. Mailing lists;
      2. Secure servers;
      3. Customer relationship management platforms.
    3. All of our third-party service providers are required to take appropriate security measures to protect personal information in line with our policies.
    4. The Company may share a customer’s personal information with other third parties, for example in the context of the possible sale or restructuring of the business. The Company may also need to share personal information with a regulator or to otherwise comply with the law.
  7. Data Security
    1. The Company has put in place appropriate security measures to prevent customer personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to customer personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process an individual’s personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures are contained within our Information Security Policy.
    2. The Company has put in place procedures to deal with any suspected data security breach and will notify an individual and any applicable regulator of a suspected breach where we are legally required to do so.