GDPR SmithMartin LLP – FAQs
Request for access to personal data pursuant to Article 15 of the General Data Protection Regulation
1. Can you confirm to me whether or not my personal data is being processed?
A. If we have, then yes. In responding to you we would automatically categorise our findings…
2. Can you tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store?
A. If you ask, then we can…
3. Can you advise me in which countries my personal data is stored, or accessible from? In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.
A. If you ask, then we can…
4. Can you provide me with a copy of my personal data that you have or are processing?
A. Yes we can, if asked…
5. Can you provide me with a formal accounting of the specific uses that you have made, are making, or will be making of my personal data?
A. Within the limits of our own company records, yes we can. For data garnered by third-party suppliers or service providers, no we cannot, but we will include the contact details of such services so that you can extend your enquiry, if relevant.
6. Can you provide a list of all third parties with whom you have (or may have) shared my personal data?
A. See response above…
7. For the third parties identified above with whom you have or may have shared my personal data, please also identify the jurisdictions in which these third parties have stored, or from which they can access, my personal data. Please also provide insight into the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.
A. We undertake no data transfers, list sales, database swaps etc., whatever.
8. What safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data?
A. See response above…
9. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.
10. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.
A. We never trawl or crawl, purchase or swap data for wide field collection, ever…
11. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.
A. We have never had a data breach of any kind…
13. What technologies or business procedures do you have to ensure that individuals within your organisation will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise?
Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.
A. Although we operate globally, we are a very small company. Our principal Partners control and accept responsibility for data security, privacy and ethical business. No third party has direct access to our very modest client lists, account details and/or subscriptions. Within the company these are zealously guarded – with back-ups kept on portable drives stored in a secure location. (Our professional advisers and accountants can see such information in the normal execution of our business, as can our bankers for example). Otherwise, your data is not part of our normal business discourse.
14. Have you had any circumstances in which employees or contractors have been dismissed, and/or been charged under criminal laws for accessing my personal data inappropriately, or if you are unable to determine this, of any customers, in the past twelve months?
15. What training and awareness measures have you taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation?
A. GDPR has generated much comment and new work, particularly for our Partners. We work with our clients, through meetings and formal training to illuminate, codify and deliver our response to GDPR. This Q&A is one example.
We use the same methodology for our Partners and Associates too, at SmithMartin LLP.