Who We Are
We are a provider of IT services to businesses only (our clients).
We are Nexus Open Systems, based at Vale House, Pynes Hill, Exeter EX2 5AZ. For enquiries relating to data protection in our business, email our compliance manager on firstname.lastname@example.org, call 01392 205095, or discuss with your account manager.
Our company number is 3603046 and we are registered with the ICO as a data controller, number Z5891047.
The Types of Personal Data We Process
- Related to website visitors and mailing list subscribers
- IP address
- Interaction/activity data and IP/location (clicks and views on emails and on our website, and where you are)
- Related to the staff of our clients
- Name, contact and company information
- Correspondence, feedback and complaint data
- Links to quotes, invoices, tickets, projects and IT devices
- CCTV images
- We also process, directly or incidentally, the data on our clients’ systems.
We provide data processing agreements in respect of our clients’ data and our clients’ customers’ data.
All written correspondence with Nexus is likely to be stored. This is principally to retain a record of what has been said, for the fulfilment of a contract, but also in our legitimate interest to defend ourselves against a future claim.
We may record voice calls, for internal training and monitoring purposes.
Legal Basis and Purposes
We will process personal data:
- For the performance of a contract with our clients, to deliver a contract or service:
- To establish the credit-worthiness of the client
- To manage and perform that contract
- To process payments and recover debt
- As necessary for our own legitimate interest or those of other persons and organisations, e.g.:
- To follow up on expressions of interest from potential clients, visitors to trade shows etc.
- To market our services to existing clients via email, telephone, post, social media and other direct methods
- To run and host events (based on which, we assume you have an interest in our products and services)
- To market our services to contacts at potential new business clients via email, telephone, post, social media and other direct methods
- To optimise our marketing, based on a profile of your use of our emails and website
- For the good governance of our business, accounting, operational review and internal audit
- For statistics and analytics on our sales and market
- As necessary to comply with a legal obligation, e.g.:
- To comply with data subject requests under data protection law
- To keep adequate records mandated by law or regulation, such as tax and financial transactional data
- To detect and prevent fraud or unauthorised use
- For activities related to the prevention, detection and investigation of crime
- Based on consent, e.g.:
- Marketing communication where we’ve asked for consent, such as for people who sign up for email via our website
Consent can be withdrawn, but this may then affect what we can do for you.
Sharing of Personal Data
We have a register of sub-processors to whom we share data, dependent upon circumstances.
In addition, we may have to share personal data:
- With courts, to comply with legal requirements, or for the administration of justice
- In an emergency or to otherwise protect the interests of data subject(s)
- If we restructure or sell our business or its assets, or merge with another business
- With business consultants or other reputable advisers who may be appointed from time to time
- If a client arranges with us to pass specific data to a specific third party, provided the client has the legal right to authorise the transfer
The majority of data used for our work is kept and processed in the UK, with most of the remainder in the EU.
The exceptions are:
- Google analytics (web statistics only)
- Mailchimp (email sending)
- Suppliers (various)
In the Google and Mailchimp cases, appropriate safeguards are in place via model clauses or a privacy shield.
In the case of suppliers, we are likely to be joint controllers in cases where the supplier is doing more than a simple one-off supply of goods. Key overseas suppliers such as Microsoft (e.g. Microsoft 365) and GoDaddy (e.g. domains and certificates), comply with the EU-US privacy shield. Although we use UK data centres with Microsoft, they do not guarantee that no data will pass to other jurisdictions including the United States. The requirements of the GDPR remain. Contact us before proceeding, if you would like to confirm the suppliers to be used for your order.
Legal and regulatory requirements normally take precedence to determine the retention periods for data. For example, financial records such as invoices are kept by us for 7 years to honour HMRC requirements.
We keep email correspondence as a reference to support sales, projects and to defend ourselves against claims. Our default retention period for email correspondence is 3 years and 3 months, but may be more or less on a case-by-case basis.
We keep ticket correspondence for similar reasons, but anonymise the name attached to the ticket 5 years after activity ceases.
We keep CVs for 18 months so we may contact candidates if a suitable role becomes available.
Retention periods for other data are based on a combination of factors:
- Legal/regulatory stipulations
- The basis of the processing, implying a timeframe of need for the data
- Risks and benefits associated with storing and processing the data
Automated Decision-Making and Profiling
We do not use automated decision making.
Our mailing system and website will profile your activity (clicks, pages visited). This will be used in a limited way, by our sales and marketing team, to assess your level of interest in our services and to tailor some marketing activity.
In each marketing email we send, we will include a link to update your preferences. The options we offer will change over time, and we may periodically require you to confirm your details and preferences.
Your Personal Rights
To exercise these rights, please contact us using the details at the top of the page. Please note that these rights don’t apply in all circumstances.
- You have the right to access personal data we hold about you. In the first instance, please contact us with a brief description of what you are seeking.
- You have the right to have data corrected or updated, if it’s inaccurate or incomplete.
- You have the right to have your personal data erased (the right to be forgotten).
- You have the right to restrict processing of your personal data.
- You can object to the processing of your personal data
- You have rights to object to, or query, automated decision-making and profiling
You have the right to complain to the Information Commissioner’s Office, for example if you are not happy with the way we have processed your data or managed your rights. Visit www.ico.org.uk