Privacy Really Matters
At The Penguin Factory we have had a strong interest in privacy for many years and we welcome the new interest in keeping personal data safe.
The Data Protection Officer (DPO) at The Penguin Factory is Brett Sheffield. The DPO is responsible for making sure that the company does everything this Privacy Notice says. You can contact Brett at firstname.lastname@example.org for any queries including about this privacy notice. We may require identification in order to discuss requests relating to your personal data.
Penguin Factory Limited is a wholly owned subsidiary of Gladserv Limited, which is a registered Data Controller with the Information Commissioner's Office (ICO). Registration number: ZA243688.
Our Privacy Principles
The following applies to the personal data of anyone we have contact with:
- We keep your data safe and secure
- We only store it on servers within the European Economic Area
- We understand and respect your privacy rights
The UK Information Commissioner is the advice and enforcement office for the European law known as the GDPR. The EU regards privacy as a fundamental democratic right and has set up the EU Data Protection Agency to defend it. You can read here about your many rights to data privacy, including the right to ask us to: show you what personal data we hold; correct or delete your personal data; or pass all your personal data on to some other company.
There are two kinds of personal data we deal with: personal data controlled by our customers, and personal data we collect.
Personal Data Controlled by Our Customers
Many of our customers trust us to handle their data (all sorts of data), and the contract tells us what they want us to do with it, for example, back it up securely or make it available on shared network drives for them, or make their email work smoothly. We might be looking at their computers on their premises, or we might be storing data for them on our servers in a data centre, or some other arrangement. In all cases we don't know what is in this customer data and it is none of our business. We do know that it very likely has personal data controlled by the customer. That makes us a processor of this personal data, and our responsibilities under the GDPR are clear. The customer’s responsibilities as the controller are also clear. For example, it is the customer who must respond to an individual’s request to have their personal data corrected or removed, not The Penguin Factory.
The most important point is that the customer tells The Penguin Factory in the contract how they want their data handled.
Personal Data We Collect
If you are a customer, prospective customer, website visitor or anyone else, we will collect your personal data when you visit our website, send us an email, give us a phone call, etc. This data can include your name, your IP address, your email address and so on. We are the controller of this data according to the GDPR, and you have rights.
Rare Exceptions: Compulsory Handovers
There are two rare cases where we may be required to give your data to a third party (as opposed to where we choose to, such as giving your address to a courier company). The two cases are:
- In response to a binding legal request from a government-authorised body (for example, from a court) which we would discuss thoroughly with you before doing anything at all, and
- In response to a legal warrant served by law enforcement authorities, where we might not be able to inform you beforehand that your data is being accessed.
We would aim to make rigorous enquiry before agreeing to any such request. In addition, we would be pleased to offer you consulting on how to encrypt your data, so that even if it is seized it will hopefully be unreadable. The GDPR encourages strong encryption of data.
What we Do With Data We Collect
There is a reason for all the personal data we collect, although the reason varies. The reasons include:
- Delivering our online services such as our website. Our log of IP addresses, time and page visited and so on help us diagnose problems, maintain security, and inform our business on matters such as what people are the most interested in.
- Delivering services customers have paid for, including contacting customers for technical queries and responding to problem reports.
- Contacting customers for invoicing and other financial matters related to the contract we have with our customers.
- Providing information for tax or legal reasons, for example, proving that we do in fact have a contract for services with a particular customer, or as part of a dispute resolution process.
- Informing our response to binding legal requests from authorised government bodies including courts. This is not the same as handing over your data, which is dealt with in the section Rare Exceptions: Compulsory Handovers.
- Occasionally passing some of the personal data to third parties, as described in the section titled “Third Parties”.
The GDPR calls this “the lawful basis of processing” and you can read what the ICO says about it. We have carefully considered Article 6 of the GDPR and how it applies to what we do.
Sharing Personal Data With Third Parties
Examples of the cases where we may share data with third parties include:
- Financial reasons: If you don’t pay us for the services you have contracted us to provide, and we pass your details to a debt collector.
- Legal reasons: If a court or other government-authorised body orders us, or we are in dispute with you, we have to disclose personal information (such as our record of who you are) to the court or other body.
- Practical reasons: We often coordinate services on behalf of customers, including broadband suppliers, postal couriers, domain name providers. Each of these services needs some degree of identifying data which may well include your personal data to do a delivery, connect a phone line, or create a domain registered to you.
- Administrative reasons: Sometimes our accountant, lawyer, auditor or other occasional professional will need some customer personal information to do their job.
- Commercial reasons: Sometimes customers come to us via a reseller, in which case there may be an exchange of personal data between us and the reseller, depending on how the customer chooses to manage that relationship. The Penguin Factory shares data with its parent company, Gladserv Ltd.