graphics.coop is a design and website development company. We design, build and maintain websites for many of our client organisations. We also provide email services and handle mailing lists for a few of our them.
Our work entails processing data collected by our clients’ websites (eg via form submissions, cookies and analytics), and data provided to us directly by our clients (eg membership lists and mailing lists).
You may have been given a link to this page from one of our client organisations as part of their compliance with the General Data Protection Regulation (GDPR), which requires them to list who processes the data they control. This page provides information about how we process that data, which may include personal data about you. For the purposes of GDPR, we are a Data Processor for our clients, who are the Data Controllers.
Reason for processing
We process data on behalf of our clients in order to carry out the work they contract us to do (eg designing, building and maintaining their websites).
What personal data is collected, how it is processed, and where it is stored
Under GDPR, organisations are prohibited from transferring personal data outwith the UK, European Economic Area or Switzerland, to third countries and international organisations, except where the European Commission has determined that an adequate level of protections are afforded to individuals. The US government has a certification scheme called Privacy Shield, which provides assurance that such protections are in place.
We host our clients’ websites on servers in the UK managed by two companies: Electric Hosting, a UK company and; Flywheel, a US company which is registered with Privacy Shield. Backups of data from these websites are stored in encrypted form, both on servers within the EU owned by AWS Europe, and on our own computers. Flywheel operate their own backup system, which is covered by their Privacy Shield compliance.
A variety of third-party plugins and analytics services are in use on our clients websites. Some of these collect personal data (eg through cookies). We check the GDPR compliance of these companies and services, and make adjustments where necessary to ensure compliance. A full list of cookies set by each client’s website should be provided on their site.
Most of our clients websites include contact forms, where website users can submit data to contact our clients and use their services. Most of the data entered by users into these forms is personal data, and in a few cases is sensitive personal data.
Mailing and membership lists belonging to our clients may be administered directly from their websites, or may be collected by their websites and administered by third-party email companies, MailChimp (based in the USA) and Campaign Monitor (based in Australia). Both of these companies have declared their compliance with GDPR. Most of our clients using these companies manage their own lists, but we assist some of them directly with their mailings and list management.
Data supplied to us by clients exists on our own computers and on the online projects management systems we use. Primarily, this comprises email, which we host on a secure server on our own premises, and systems operated by Teamwork, a company based in the Republic of Ireland.
Data held on computers and storage devices on our own premises, and backups of the data held off-site elsewhere in Edinburgh (as part of our disaster-recovery planning) are all protected against theft by strong encryption.
For comparison, you can view the information about cookies and personal data collected by our own website
You can also view a list of the third-party sub-processors we may use on to process data on behalf of our client organisations. Please note that not all of these third party sub-processors are used for every client, just a subset will be in use.
Retention and deletion of personal data
We identify and delete personal data in our possession which is controlled by our client organisations, when it is no longer needed for the performance of our contract with the client organisation.
Personal data for use in a one-off short-term contract is deleted soon after completion of the contract (eg we delete a mailing list provided to us for a single mailing after it has been sent out).
Some of our contracts with client organisations last for many years, and some of these include personal data (eg membership lists administered from websites which we maintain). We encourage and assist our clients in implementing good practice with the personal data collected by, and administered by their websites. Data collected by their website forms should be deleted when it is no longer needed, the retention period depending on the purpose for which that particular data was collected by that particular organisation – this could be days, weeks, months or years – refer to the organisation’s website for its policy. Membership and mailing lists need to be kept up-to-date and data on unsubscribed individuals should not be retained, unless necessary for compliance (eg to prevent inadvertantly emailing somebody who has opted out).
When deleting personal data, we take steps to delete all copies beyond reasonable possibility of restoration, including copies on backups. Digital data is deleted securely by overwriting it, and data on paper physically destroyed.
Subject Access Requests
If you wish to make a Subject Access Request about data we process on behalf of one of our client organisations, the request should be addressed to that organisation (the Data Controller).
What would happen in the event of a personal data security breach
If we become aware of a personal data breach involving data we process for one of our client organisations, we will notify the client organisation without undue delay. As the Data Controller, our client organisation is then responsible for following its own data breach procedures, and informing the Information Commissioner Office and those affected by the breach where necessary. As a Data Processor, we have a role in assisting our client with the subsequent investigation and remedial work.