Personal data or personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data and personal information which have been grouped together below:

Categories & Personal Data Items

Identify data: Includes first name, last name, alias, unique personal identifier (such as an ID number or password), online identifiers (such as an IP address) and account name (the name provided as the account holder).

Contact data: Includes postal address, email address and telephone or mobile number.

Internet or other similar network activity: Online behaviour and interactions with our and other websites, applications, systems, and advertisements. Some of this information will be collected through cookies and similar technologies. You can read more about this in our Cookie Policy.

Professional or employment-related information: Business contact details to provide you our Services at a business level or job title.

We use different methods to collect data from and about you including:

Personal data and information provided by you: The personal data and information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products you use. We will typically collect personal data directly from you via our website or in-person, such as during an industry event.

Third parties or publicly available sources: To enhance our ability to provide relevant marketing, offers, and Services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, data providers, and from other third parties. Third party sources include LinkedIn and Cognism Limited.

Information automatically collected: We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies, which you can read more about in our Cookie Policy.

The following paragraphs set out why we process your personal data and information and our lawful basis for processing your personal data, in accordance with UK and EU Legislation. (Note, for privacy policies in ASEAN, follow this link). We may rely on more than one lawful basis for processing your personal data depending on the context of the processing activity.

To provide our services:

Although our core Services do not revolve around collecting and processing personal data, we may process small amounts of personal data in order to fulfil our contractual obligations. This includes management of contracts, using job titles in reports and sending email communications to our clients.

Lawful basis for processing: This processing may be necessary for the performance of a contract, or to take steps prior to entering a contract, which Asia Privacy Action and our clients are subject to.

Personal data categories:

• Name

• Email addresses

• Address

• Contact number

• Signatures

• Business contact details

To handle website enquiries:

We have a Contact Us page on this website, which allows individuals to ask questions about our Services, The Contact Us page and any correspondence sent via email is monitored by our internal teams, to ensure we identify and handle your request effectively.

Lawful basis for processing: This processing is carried out for our legitimate interests, enabling Asia Privacy Action to facilitate your enquiry.

Personal data categories:

• Name

• Business email address

• Business telephone number

• Job title

To engage with prospective clients:

We process basic business contact information of prospective clients and opportunities, which may initially be collected via sales meetings, business cards, verbally, events we may host, speak at, or attend. We may obtain information from third parties or publicly available sources, including those outlined under the section ‘How will we collect your personal data?’

Lawful basis for processing: This processing is carried out for our legitimate interests for us to promote our Services to your organisation. This information may also be processed for the performance of a contract, or to take steps prior to entering a contract, when you are a named signatory within the contract.

Personal data categories:

• Name

• Email addresses

• Address

• Contact number

• Business contact details

• Email conversations

• Physical and Electronic Signatures

To manage financial accounting and administration:

Our financial management and accounting Services process basic client contact information to fulfil our accounting requirements. This ranges from invoices, account details, timesheet approvals, statement of works, terms and conditions and bank details

Lawful basis for processing: This processing is necessary for the performance of a contract with you, or to meet our legal obligations for financial reporting. 

Personal data categories:

• Name

• Email addresses

• Address

• Contact number

• Business contact details

• Email conversations

• Signatures

• Client and Supplier Bank Details

To collect information on Associates / Contractors:

We process basic contact and work information in relation to associates and contractors who would like to work with us or one of our clients. This information could be collected through our website, email, LinkedIn, recruitment agencies or job advertising boards.

Lawful basis for processing: This processing is necessary for the performance of a contract with you, or to take steps prior to entering a contract when you are a named signatory within the contract.

Personal data categories:

• Name

• Email addresses

• Address

• Telephone details·         Skills

• Job history

• Bank account details

• Company insurance details

• Passport

• Driving licence

• References and email conversation

To send you marketing and promotional communications:

From time to time, we may email you about our Services or events (including webinars and in-person) which may be of interest to you or your organisation.We will only ever contact you with these communications if we consider you to be a ‘Corporate subscriber’ and the content is relevant to your role as an employee at the organisation you work for.

Lawful basis for processing: This processing is carried out for our legitimate interests for us to promote our Services or events to your organisation. You can tell us not to contact you by following the unsubscribe instructions on any communications sent to you. We will only send communications to individuals within organisations where we believe we have a legitimate interest to do so. 

If you do not wish to receive any form of communication from Asia Privacy Action then simply inform us through our contact page, email info@asiaprivacyaction.com or you can unsubscribe using the ‘unsubscribe’ link available at the bottom of any of our communications.

Personal data categories:

• Full name

• Job title

• Email address

• Phone number

To identify usage trends and understand our customer journeys:

We will process information about how you use our Services.

Lawful basis for processing: This processing is carried out for our legitimate interests to analyse and improve your user experience and the performance of our website.

Personal data categories:

• IP Address

• Social Media IDs

• Unique Visitor IDs

• Telephone Number

————

In certain circumstances, we will process your personal data based on our legitimate interests. We have decided this by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We document the balancing exercises that we carry out when relying upon this lawful basis for processing your personal data.

As you’d expect, our employees will access personal information for the purposes mentioned above. For example, our Business Development staff may need access to your details to support you when you get in contact with us.

We will also share information with third parties including service providers, business partners and sub-contractors for business administration, support, processing, Services, or IT purposes.

Please note that any third parties will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We may also share your personal data with a third party who has purchased or merged with our organisation, in which case personal data held by us, about you, will be transferred to that third party to carry on our business.

At Asia Privacy Action we take the security of personal data extremely seriously. We have implemented a mixture of cyber security and privacy controls including encryption, and a Business Management System (BMS) which underpins our ISO27001:2013, ISO9001:2015, ISO27701:2019 and Cyber Essentials Plus Certifications.

We assess security for Confidentiality, Integrity, and Availability to ensure that data remains protected, accurate and available for its intended purposes. Some of the core controls we have implemented as part of these certifications are:

• Multi-Factor Authentication (MFA) on all internet-based systems

• Encryption of data at rest and in transit

• Technical assessments of our systems for vulnerabilities and configuration weaknesses

• Controlled access to only approved individuals

• Screening of all employees to a minimum of the Baseline Personnel Security Standard (BPSS)

• Data handling training for all employees

• Policies and procedures on secure operations and configuration of systems

Although our systems and Services are primarily located within the United Kingdom and EEA, there may be occasions where your personal data will be processed outside of this, in countries not deemed by UK and EU GDPR to have adequate Data Protection safeguards in place. Asia Privacy Action has implemented appropriate measures to ensure an adequate level of protection of your personal data if it is transferred outside of the UK or EEA. These measures include our processors entering into Standard Contractual Clauses or by way of derogations for specific circumstances.

Automated decisions are where a computer makes decisions about you without a person being involved. Profiling is the recording and analysis of a person's psychological and behavioural characteristics, to assess or predict their capabilities or to assist in identifying categories of people.

Asia Privacy Action does not make automated decisions about or profile its clients or customers.

Asia Privacy Action only processes personal data for as long as necessary to meet our legal obligations or where we have a legitimate business reason for keeping it. We review personal data on a case-by-case basis and document the period of retention for each.

For further information on how long personal data is likely to be kept before being removed from our systems and databases, please contact us via: info@asiaprivacyaction.com

Under Data Protection Legislation you have a number of Rights that are focused on placing you in control of how your data is processed.

You can exercise these Rights by emailing us at info@asiaprivacyaction.com.

We may ask you for identification prior to disclosing any data, as we need to ensure we only disclose information to the person entitled to it.

————————

Right to be informed. A right to be informed about the personal data we hold about you.

Right of access. A right to access the personal data we hold about you.

Right to rectification. A right to require us to rectify any inaccurate personal data we hold about you.

Right to erasure. A right to ask us to delete the personal data we hold about you. This right will only apply where (for example):

· We no longer need to use the personal data to achieve the purpose we collected it for.

· Where you withdraw your consent if we are using your personal data based on your consent.

· Where you object to the way we process your data (see the right to object described below).

If you request us to delete your data, we will retain minimum personal data to document these requests and thereby avoid using your personal data for any other purpose.

Right to restrict processing. In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example):

· You dispute the accuracy of the personal data held by us.

· Where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead.

· Where we no longer need to use the personal data to achieve the purpose, we collected it for, but you need the data for the purposes of establishing, exercising, or defending legal claims.

Right to data portability. In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used, and machine-readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.

Right to object. A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we can demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights, or which are for the establishment, exercise or defence of legal claims.

In particular, you can exercise your right to object to marketing communications being sent to you by utilising opt-out mechanisms in emails we send to you.

Right related to automated decision-making and profiling. A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Right to withdraw your consent. A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters).

If you’re unhappy with how we’re using your personal data, you have the right to complain to a Supervisory Authority. We’d encourage you to contact us first, so we can handle any queries or concerns you may have.

In the UK, the Supervisory Authority is The Information Commissioner who can be contacted by:

Visiting their website www.ico.org.uk

Phone on: 0303 123 1113

Write to: Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We keep this notice under review and will reflect any updates or changes to practice within this notice (to reflect changes in operations and the way we process your data). This notice was last updated in April 2024.