Privacy and Cookie Notice

2018-11-06T17:41:43+00:00

Privacy Notice

Introduction

I, Sam Glynn, of Code in Motion Ltd (collectively, “I” or “we” or “us”) know you care about how your personal data is used and shared. For my business to succeed, I need to ensure you can trust me with your personal data.

The following describes how I collect, store, use and disclose your personal data*.

*Personal data is data relating to a living individual who can be identified, or is identifiable, using this data or if this data is used in conjunction with other data that is in Code in Motion’s possession, or could come into its possession.

If you have any questions, comments or concerns about any of this, you can contact me at hello@codeinmotion.ie or at +353 (1) 554 6268.

Below, I describe the types of steps I take to secure your data while it is in my possession.

I then provide more specific detail on how your personal data is collected, stored, used, shared and retained, categorised by the different types of relationships an individual may have with Code in Motion. e.g. You may be just a site visitor, a newsletter subscriber, and/or a client.

Security Controls

Before I discuss the specific ways that I collect, store and use your personal data, I will describe the types of broad security controls in place within Code in Motion that provide some level of assurance about how your personal data is secured by Code in Motion.

IT Security

All of the personal data stored on Code in Motion’s computer devices is encrypted. The devices are updated with the latest software and security patches at regular intervals. They are protected with anti-virus, anti-malware and other security layers. Their screens are configured to automatically lock after a short period of inactivity to reduce the risk of unauthorised access. The data stored on local devices is backed up on a frequent basis and the backups are encrypted.

Organisational Security

Code in Motion is just me, Sam Glynn. I am fully aware of the things I can, and can’t, do with your data. My experience with data protection and my background in IT and IT security also means I’m very aware of how to protect your data.

In the event that I employ staff, they will be brought through detailed data protection and IT security training as part of their on-boarding.

3rd Party Security

As detailed further in the privacy policy below, I only engage 3rd parties who understand their data protection obligations and know how to keep data secure. All are under contractual obligations to comply with GDPR and to only use your data in ways that I have instructed.

Email Security

Most of my conversations with clients occur using email. My use of Microsoft Office 365 means your emails are stored in its Western Europe data centres and my email repository is secured by a world-leading cloud services provider. Complex passwords and two-step authentication are enabled on all Code in Motion email accounts, and they are only accessed on trusted Code in Motion computer devices.

Document Sharing Security

If I need to share information that includes data of a sensitive nature, I will always do so in a secure way. For example:

  • The information will be included in a document that is encrypted using WinZip AES encryption.
  • The information will be included in a document that is shared on a secure file sharing platform such as Tresorit or Sync.
  • Passwords will be communicated over a different channel to the information itself – e.g. I will send the password to you as an SMS message.

Website visitors

The following describes the personal data I collect, store, use, share, and retain about site visitors.

What personal data do I collect?

Some or all of: Originating Internet Protocol (IP) address, proxy IP address, URL accessed on codeinmotion.ie, complete HTTP header, HTTP request body, and any cookies linked to the codeinmotion.ie site.

What is the purpose of this data collection?

To try to protect my website from hackers and unauthorised / unusual activity.

To understand what content on my site is popular / not popular.

What’s my lawful basis for this?

Legitimate interest (protecting my website).

How do I use this data?

This data is collected and analysed by security components that are protecting my website.

A limited subset of the data is collected and reported by a privacy-centric analytics service (usefathom.com) on my behalf.

Who do I share it with?

This data is shared with the website hosting provider (Siteground) and website security providers (e.g. Defiance WordFence).

A limited subset of the data is shared with an analytics service (usefathom.com) for the sole purpose of showing me information on page views.

Does the data leave the EEA?

Yes.

  • (Defiance WordFence) analyses this data in the USA. It uses EU-approved model contractual clauses to ensure the data remains protected while it is outside of the EEA.

How do I secure this data?

Alongside the ‘Security Controls’ described earlier, there are other components / configurations in place to secure the data:

  • Data Protection Agreements are in place with all 3rd parties with access to this data.
  • Two-factor authentication is activated on all admin accounts of the hosting provider and the website itself, reducing the likelihood of a successful hack.
  • Email alerts are sent to me when any sign-ins occur on the site.
  • The site is backed up and encrypted weekly to a remote and secure location.
  • Security layers monitor and protect the site from hacking attempts.
  • The software on the site is updated on a frequent basis.

How long do I keep this data?

The maximum length of time this IP address data is retained is 90 days after Code in Motion’s contract with its hosting provider ends.

Newsletter Subscribers

The following describes the personal data I collect, store, use, share, and retain about people who have signed up for my email updates (e.g. newsletter updates).

What personal data do I collect?

First name and email address. I may also be able to derive your employer from your email address.

Why do I collect this?

To send you updates – e.g. whenever a new blog post is published on the site.

What’s my lawful basis for this?

Consent – Anyone on the list has given their consent to be on the list.

If you withdraw your consent, your personal data will remain on MailChimp (as an unsubscribed user) until the end of that calendar year, on the basis of legitimate interest – See the ‘Retention’ section for more information.

How do I use this data?

I use this to send my newsletter and blog updates to interested individuals.

Who do I share it with?

This data is shared with MailChimp. This is the service I use to manage my subscriber list.

When you subscribe, I receive an email to notify me. Your details are contained in this email and retained on Microsoft Office 365.

Does the data leave the EEA?

Yes. MailChimp is based in the USA. It is certified under the EU-approved “EU-US Privacy Shield” to ensure the data remains protected while it is outside of the EEA.

How do I secure this data?

Alongside the ‘Security Controls’ described earlier, there are other components / configurations in place to secure the data:

  • Data Protection Agreements are in place with MailChimp to protect the data.
  • Two-factor authentication is activated on all Code in Motion accounts on MailChimp.
  • Email alerts are sent to me when any sign-ins occur with these accounts.

How long do I keep this data?

The data is used on MailChimp to send you updates by email until you withdraw your consent.

At this point, the data remains on MailChimp until the end of that calendar year, at which point I delete all those who have unsubscribed from the mailing list. My lawful basis for keeping it until the end of that year is legitimate interest – To let me see at what point I lost subscribers so I can understand the content that is getting good or bad feedback.

The email sent to my email account when you sign up to the list is retained until the end of that calendar year (i.e. no later than the MailChimp retention period).

Do you have concerns about MailChimp?

If you would like to receive my email newsletters etc but do not want your personal data going to MailChimp, let me know and I’ll find another way to keep you updated.

People who contact me regarding a breach, SAR, etc

The following describes the personal data I collect, store, use, share, and retain about people (who are not clients or employees / agents of clients) that contact me through my website or by phone seeking free guidance (e.g. relating to a suspected breach, subject request, or enquiry from a regulator).

What personal data do I collect?

One or more of: Name, phone number, and possibly email address. Possibly other information published online (e.g. LinkedIn profile)

What is the purpose of this processing?

To respond to the query and to understand the context of the situation; to support my business; to help potential clients and build networks with people in other businesses.

What is my lawful basis for this processing?

Legitimate interest – I have a legitimate interest to help people who may need my help, and a legitimate interest to grow my business and my network.

How do I use this data?

To understand how I can help you.

To understand the common types of issues that people are encountering.

Who do I share it with?

Microsoft: Most of this data is communicated over email and my email provider is Microsoft.

Tresorit: If we are sharing documents that contain personal data, I may use this secure document sharing service to do so. It would be a rare occurrence.

Does the data leave the EEA?

Yes, if we use Tresorit, the data will be stored in Switzerland. This transfer is allowed as the EC believes this country provides an adequate level of protection for personal data.

How do I secure this data?

Alongside the ‘Security Controls’ described earlier, there are other components / configurations in place to secure the data. For example:

  • Data Protection Agreements are in place with Microsoft and Tresorit.
  • Two-factor authentication is activated to reduce the likelihood of a hack – e.g. On all Code in Motion accounts on Microsoft and Tresorit.

How long do I keep this data?

If you don’t want my help after our call, for a maximum of 2 years after our last interaction / conversation, though probably less – i.e. If we have not interacted for 1 year, your data will be queued for deletion. Deletion is performed at the end of each calendar year.

People who contact me with general queries or who I contact

The following describes the personal data I collect, store, use, share, and retain about people (who are not clients or employees / agents of clients) that contact me with a general query or who I contact in my day-to-day business.

What personal data do I collect?

One or more of: Name, email address, phone number, job title, employer. Possibly other information published online (e.g. LinkedIn profile)

What is the purpose of this processing?

To grow and support my business; to respond to potential clients; to build networks with others in the industry.

What is my lawful basis for this processing?

Legitimate interest – I have a legitimate interest to grow my business.

How do I use this data?

Mainly to understand how I can help you, or how we could possibly help each other.

Who do I share it with?

Microsoft: Most of this data is communicated over email and my email provider is Microsoft.

Evernote: I may take notes of our discussions using this cloud-based tool. It would be rare though – I tend to use Evernote for more general / non-personal data.

Tresorit or Sync: If we are sharing documents that contain personal data, I may use one of these services to do so. It would be a rare event though.

Does the data leave the EEA?

Yes, if I use one of these services to store or transmit the personal data.

  • Tresorit: Switzerland. This transfer is allowed as the EC believes this country provides an adequate level of protection for personal data.
  • Sync: Canada. This transfer is allowed as the EC believes this country provides an adequate level of protection for personal data.
  • Evernote: USA. The legal basis for this transfer is EU-US Privacy Shield.

How do I secure this data?

Alongside the ‘Security Controls’ described earlier, there are other components / configurations in place to secure the data. For example:

  • Data Protection Agreements are in place with Evernote, Microsoft, Tresorit and Sync.
  • Two-factor authentication is activated wherever possible to reduce the likelihood of a hack – e.g. On all Code in Motion accounts on Evernote, Microsoft, Tresorit.

How long do I keep this data?

For a maximum of 2 years after our last interaction / conversation, probably sooner – i.e. If we have not interacted for at least 1 year, your personal data will be queued for deletion. Deletion processes are run at the end of each calendar year.

Training attendees

The following describes the personal data I collect, store, use, share, and retain about individuals who register and/or attend one of Code in Motion’s GDPR classroom training sessions.

What personal data do I collect?

Name, email address, payment details.

What is the purpose of this processing?

To ensure people who wish to be trained can register and pay to attend my course.

What is my lawful basis for this?

Contract – When you pay to attend one of my training courses, we have entered into a contract. I need this personal data to perform the contract.

How do I use this data?

To administer the course and to send you course material by email.

Who do I share it with?

EventBrite: I use EventBrite to handle most registrations and payments.

Microsoft: Most of our interaction happens over email before and after the event, and my email provider is Microsoft.

Tresorit or Sync: If we are sharing documents that contain personal data, I may use one of these services to do so. It would be a rare event though – I usually only need to give you course material, none of which contains the personal data of anyone except myself.

Does the data leave the EEA?

Yes.

  • EventBrite: EventBrite transfers your registration and payment information to the USA. The legal basis for this transfer is EU-US Privacy Shield.
  • Tresorit: Switzerland. This transfer is allowed as the EC believes this country provides an adequate level of protection for personal data.
  • Sync: Canada. This transfer is allowed as the EC believes this country provides an adequate level of protection for personal data.

How do I secure this data?

Alongside the ‘Security Controls’ described earlier, there are other components / configurations in place to secure the data. For example:

  • Data Protection Agreements are in place with EventBrite, Microsoft, Tresorit and Sync.
  • Two-factor authentication is activated wherever possible to reduce the likelihood of a hack – e.g. On all Code in Motion accounts on Microsoft and Tresorit.

How long do I keep this data?

Your personal data on EventBrite is deleted at the end of the calendar year of the training course.

Your personal data stored on Code in Motion’s computer devices and email system is retained for 7 years after the training ends. This is on the basis of the Statute of Limitations, to enable me to defend any future legal action an attendee may initiate against Code in Motion.

Do you have concerns about EventBrite?

If you would like to register for one of my training events but do not want your personal data going to EventBrite, let me know and I’ll find another way to get you registered.

Clients

The following describes the personal data I collect, store, use, share, and retain about the employees of a client.

What personal data do I collect?

One or more of: Name, email address, phone number, job title, employer. Possibly other personal data that employees have provided to me in the course of the contract.

What is the purpose of this processing?

To perform a contract between the client and Code in Motion.

What’s my lawful basis for this?

Contract between the client and Code in Motion.

How do I use this data?

To perform the contract of work requested by the client.

Who do I share it with?

Microsoft: Most client work is communicated over email and my email provider is Microsoft.

Evernote: I may take notes of our discussions using this cloud-based tool. It would be rare though – I tend to use Evernote for more general / non-personal data.

Tresorit or Sync: If we are sharing documents that contain personal data, I may use one of these services to do so. It would be a rare event though.

Accounting firms: I use accountants to help with company financials. They seldom need the personal data of clients but it may happen – e.g. if a client is a sole trader, their ‘business name’ is their own name and so counts as personal data.

Legal firms or debt collection agencies: If the client is not complying with payment terms, the contract allows Code in Motion to engage with these 3rd parties to pursue payment. Personal data about one or more employees working for the client (e.g. contact details) may be shared in such a scenario.

Does the data leave the EEA?

Yes, if I use one of these services to store or transmit the personal data.

  • Tresorit: Switzerland. This transfer is allowed as the EC believes this country provides an adequate level of protection for personal data.
  • Sync: Canada. This transfer is allowed as the EC believes this country provides an adequate level of protection for personal data.
  • Evernote: USA. The legal basis for this transfer is EU-US Privacy Shield.

How do I secure this data?

Alongside the ‘Security Controls’ described earlier, there are other components / configurations in place to secure the data. For example:

  • Data Protection Agreements are in place with Evernote, Microsoft, Tresorit and Sync.
  • Two-factor authentication is activated wherever possible to reduce the likelihood of a hack – e.g. On all Code in Motion accounts on Evernote, Microsoft, Tresorit.

How long do I keep this data?

Personal data needed for the performance of the contract is retained for a period of 7 years after the contract ends, in line with contract law and the statute of limitations.

Other Notes

Business Transfers: I may choose to buy or sell assets, and may share and/or transfer personal data as part of such transactions. Also, if I (or our assets) are acquired, or if I go out of business, enter bankruptcy, or go through some other change of control, your personal data could be one of the assets transferred to or acquired by a third party.

Protection of Code in Motion and Others: I reserve the right to access, read, preserve, and disclose any information as necessary to comply with law or court order; enforce or apply my agreements with you and other agreements; or protect the rights, property, or safety of Code in Motion, my employees, my customers, or others.

Disclosures for National Security or Law Enforcement: Under certain circumstances, I may be required to disclose your personal data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

Cookie Policy

The following information is dynamically inserted into this page by an independent cookie scanning service called CookieBot. It provides independently sourced information on the cookies in use on this site. It also provides functionality to change your consent to cookies.

If you do not see any CookieBot content above, it may be due to temporary technical issues with CookieBot or because you have JavaScript disabled. To summarise what CookieBot should be reporting:

The Code in Motion website uses a limited number of cookies:

Analytics: I use Fathom (UseFathom.com) to gain a basic insight into which pages on my site are the most popular. It gathers very little information about your use of the site, significantly reducing the intrusion on your privacy compared to other analytics tools such as Google Analytics.

Cookie Consent: When accessing my site, you will be prompted to accept or block cookies. This Cookie Consent cookie is required to remember your choice.


Third-party links

Occasionally, I may include links to third-party products or services on my website. While I will only mention trustworthy sites, these third-party sites have separate and independent privacy policies. I have no responsibility or liability for the content and activities of these linked sites. Having said that, I seek to protect the integrity of my site and welcome any feedback about these sites.

Your rights

While I have personal data about you, you have certain rights. These include:

Right to access

You may request a copy of all personal data held by Code in Motion about you.

Right to rectify

You have the right to ask Code in Motion to correct any inaccuracies in the personal data held about you.

Right to erasure

In certain circumstances, you have the right to ask that I erase any personal data I am processing about you.

For example, if I have your data because you gave me your consent, you are now withdrawing consent and I have no other lawful basis for keeping the data.

Please note that I may still be allowed to retain and use your information. For example, if it is necessary to comply with a legal obligation, resolve disputes, enforce our agreements, or defend / establish a legal claim.

Right to restrict

In certain circumstances, you have the right to request that I restrict the processing of your personal data.

Right to object

In certain circumstances, you have the right to object to my processing of your personal data. This is especially true if I am processing your data on the basis of Code in Motion’s legitimate interest.

Right not to be subjected to automated decision making

You have the right not to be subjected to automated decision making where the decision has legal or significant effects. However, I don’t think I have such automated decision making processes in Code in Motion.

Right to withdraw consent

Where I am processing your personal data on the basis of your consent, you have the right to withdraw your consent at any time.

For example, if I am sending you marketing emails, you can withdraw your consent immediately by clicking the UNSUBSCRIBE link in the footer of the email.

How to exercise your rights

Please contact me at hello@codeinmotion.ie and provide me with as much information as possible to enable me to respond to your request.

Right to complain

If you believe Code in Motion is breaching your data protection rights, you have the right to complain to the data protection regulator.

Code in Motion is established in Ireland and is regulated by Ireland’s Data Protection Commission.


Contact me

If you have any questions about this privacy or cookie notice, please contact me by emailing hello@codeinmotion.ie

Changes to this notice

Any changes to this Privacy Notice will be posted on this website so you are always aware of the personal data I collect, use, store, disclose and retain.

If at any time I decide to use your personal data in a manner significantly* different from that stated in this Privacy Notice or otherwise stated to you at the time it was collected, I will note this significant* change below. I will also notify you if you have asked to be notified of such changes.

(* I don’t regard changes that just clarify meaning or improve explanations as significant).


Last Significant Change: 5th October 2018

History of Significant Changes

5th October 2018: Noted introduction of Fathom as an analytics tool to the site and CookieBot.com as a consent tool (See COOKIES)

25th May 2018: Re-organised content so the privacy notice is structured around your relationship with Code in Motion – e.g. site visitor, newsletter signup, client.

23rd May 2018: Removed Google Analytics from the site and updated the Cookie Policy to reflect this.

9th May 2018: Added Cookiebot service to provide up-to-date information on the cookies used on the site.