Data Handling Policy
This Data Policy outlines how DMV Artists a division of the NPA Group, hereafter known as ‘DMV’, collects, processes and handles the information of Clients, Customers, Companies and any other User, hereafter known as the ‘Subject(s)’, in line with the 2018 GDPR.
1.1 Handling of Data where DMV Artists has a working relationship with you
Where a Subject has worked with, or contacted DMV in regards potentially working with, a DMV Artist, DMV will process this contact as a legitimate business interest. DMV deems that further communication and information in regards the specific DMV Artist during the period of the service contract will therefore be of interest and potential value to the Subject.
This does not cover Direct Marketing unless specific consent has been obtained.
1.2 Handling Financial Data
Where DMV has conducted financial transactions with the Subject all invoicing and billing details will be stored on DMV’s secure accounting software and kept for a period of no more than seven years, in line with its legal obligations.
Purchases made to DMV by card are made via a third party payment gateway, Paypal. All card details are encrypted and stored securely by the third party. DMV does not retain any card details on its systems.
DMV retains the right to share financial details of any Subject with its designated accountant, and where necessary with auditors, HMRC, IRS and Companies House. Where possible, and permissible, DMV will seek to ensure that this data does not allow for personal identification of the Subject.
If the Subject has chosen to register with an online payments company, all data handling and privacy policies for the Subject’s financial details will rest with the online payments company.
GDPR - Your rights and how DMV protects them
2.1 Use of Data and Consent
Under GDPR there are strict laws for governing the use of a Subject’s data. The people who make the decisions on how to collect and use your data are known as the Data Controllers, and the person who then carries out those decisions and actions them is known as the Data Processor.
DMV will function as both the Data Controller and the Data Processor, and where third-party software is used to act as the Processor, terms are in place to guarantee DMV retains ownership as the Data Controller. DMV will only ever collect non-sensitive personal data from subjects not employed by or directly contracted by the company.
DMV uses Google Analytics and Zoho CRM to analyse Subjects’ data, however DMV only use this function to analyse overall trends and does not track individual personal Subject data.
When a Subject subscribes to a mailing list, subscription site or other marketing sign-up, DMV will ensure that there is a clear option for consent to the Subject’s data being collected and processed, and in addition provide clear information for the Subject as to how they can opt out again should they so choose.
Subjects should note therefore that if they do not indicate their consent to Direct Marketing data processing on sign-up DMV may not be able to provide them the information services they require.
2.2 Right to Access
Subjects have the right to access any of their data held by DMV at any time and should do so by emailing enquiries@dmvartists.co.uk. A charge may be levied if large amounts of data are requested after an initial request.
DMV cannot provide a Subject with another Subject’s data except where power of attorney can be proven. DMV may therefore find it necessary to redact some of the data provided to a Subject if disclosure of such would adversely affect the rights and freedoms of another Subject.
2.3 Right to Data Portability
Although it is unlikely DMV will hold enough data on a Subject for there to be a need for portability, at a Subject’s request DMV can provide all data in a standard format to the Subject. For the avoidance of doubt DMV defines a standard format to cover the following file types: .csv, .doc, .docx, .gif, .jpg, .mp3, .mp4, .pdf, .png, .txt, .wav, .xlsx, .zip
2.4 Right to be Informed
A Subject may write to DMV at any time to enquire as to the status of the specific data held on them and how it has been processed. Full information on how DMV deals with Subject data in general is contained within this policy and also in the Privacy Policy, the most up to date copy of which can be found online at https://www.dmvartists.co.uk/privacy-policy/
2.5 Right to have Information corrected
DMV are keen to ensure any data they hold on a Subject is accurate and welcomes the rectification of any data it holds that is either incorrect, altered or incomplete. If a Subject has changes to make to their data that DMV holds then please email enquiries@dmvartists.co.uk and this will be rectified within 7 working days.
2.6 Right to be Forgotten
Subjects have the right to have their data ‘forgotten’ (deleted), by DMV at any point and can request this via enquiries@dmvartists.co.uk. DMV will act upon this within 7 working days. In instances where DMV are unable to remove all Subject data due to a legal or contractual obligation, DMV will inform the Subject via email what part of their data must be retained and the reasons for the retention.
2.7 Right to Restrict Processing and the Right to Object
Subjects have the right to request their data is restricted in some way and to object to Direct Marketing if they wish. All Direct Marketing sent out will always contain a link to unsubscribe, and Subjects can also unsubscribe at any time on DMV’s website https://www.dmvartists.co.uk/unsubscribe/
A Subject may at any time request their data is restricted in some way, either all of the data or part. This could for example be because: the Subject no longer wishes to be contacted by telephone but is happy with email contact; there is a dispute in regards the way the Subject’s data has been processed; the Subject does not want DMV to further process their data at all, but they also do not wish for it to be deleted.
However, Subjects should understand that if DMV are no longer able to process their data and there is no necessary reason to retain it, the data may be deleted after the standard period anyway, subject to any legal requirements.
2.8 Right to be notified of breach
DMV work hard to ensure that the likelihood of a data breach in their systems is minimal. Staff have access only to the data they need to perform their work. All financial information provided to DMV is kept on a separate system from other personal data, to which only the Directors and the accountant have access.
In the unlikely event there is a high-risk data breach DMV will aim to notify all Subjects affected within 72 hours. If the risk is not considered to affect the rights and freedoms of the Subject then DMV will only keep a record of the incident and the Subjects involved, and will not inform the Subjects directly. In both cases DMV will assess whether the breach is such that it needs to be reported to the ICO.