Privacy Policy.

Data Protection General Statement

This Data Protection Policy outlines Mann & Co Limited (t/a The Collective) commitment to its clients, suppliers and other individuals to operate its business activities in a manner which meets the compliance obligations of the new Jersey data protection legislation, the Data Protection (Jersey) 2018 Law (“DPJL”) and the General Data Protection Regulation (EU) 2016/679. The Collective understands and respects your right to privacy and we are committed to ensuring the confidentiality and security of your personal data and the personal data processing activities within our organisation by applying the appropriate technical and organisational measures required to achieve this objective. This document covers the policies and procedures for processing personal data in a compliant manner and outlines the rights of the data subjects in respect of that data. The Privacy Notice below explains how we may use, process and store your personal data.

Data Controller

Mann & Co Limited (t/a The Collective) is the data controller of all personal data and data processing activities of its business operating in Jersey, Channel Islands. The business runs a creative solutions agency, creating designs, brands, websites and creates extraordinary experiences for companies and products. The company website is www.thecollective.je. The Registered Office is located at Richmond House, 8 David Place, St. Helier, Jersey. The Collective is registered as data controller with the Jersey Office of the Information Commissioner and its number is 68106.

Reference documents

• Data Protection (Jersey) Law 2018
• Data Protection (Registration and Charges) (Jersey) Regulations 2018
• EU General Data Protection Regulation 2016/679

Privacy Notice

Scope of application

This policy applies to our business activities operating within Jersey, Channel Islands, UK or the personal data processing of the data subjects within the European Economic Area (EEA).

Personal data

Personal data means any information relating to an identified or identifiable natural person. The Collective collects the following categories of personal information;

From Clients
Name Address Email address Telephone and mobile number Other relevant contact information Job titles Relevant business social media details e.g. Linkedin IP address for Google analytics website statistics reporting

From Suppliers
Name Address Email address Telephone and mobile number Other relevant contact information Job titles GST and/or VAT number Website details Relevant business social media details e.g. Linkedin

Note 1: The Collective does not process any credit/debit card information. Note 2: Please note that the list above is not exhaustive and The Collective may also collect and process personal data to the extent that it is useful or necessary for the provision of our products and services performed under contract.

Purposes of processing

The Collective’s use the personal data noted above for the following range activities,

Purpose
The provision of our professional services in delivering creative marketing and design solutions for our clients.
Direct marketing activities to existing and new clients with the promotion of our creative and design solution services e.g. using email campaigns, text sms messaging, written correspondence, as appropriate.
Use of social media to advertise and promote our creative and design products and services which may be of interest to customers e.g. using Facebook, Instagram, Twitter, Linkedin.
Building and managing client, supplier, intermediary and other business relationships.
Managing the security and access to our computer systems, premises, platforms, website and applications.
Recruitment of suitably skilled retail and other business support staff.
Establishment and exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
Obtaining or maintaining insurance cover, managing risks, or obtaining professional advice.
Comply with legal, tax and regulatory Obligations.

Lawful basis for processing
Processing is undertaken in the performance of a Contract i.e. the service transaction with our clients.
Where Consent is received from interested parties by the use of “opt-in” choices for marketing preferences. Consent maybe withdrawn at any time by just choosing the “unsubscribe” link in the relevant email.
Legitimate interest basis is used by The Collective to operate our business to improve the products and services offered to interested parties You have the right to object to such processing by contacting our managing director.
Legitimate interest basis is used by The Collective to operate their business to improve the products and services offered to interested parties. You have the right to object to such processing by contacting our managing director.
Legitimate interest basis for The Collective to protect it’s business computer systems, business premises and staff. You have the right to object to such processing by contacting our managing director.
Legitimate interest basis for The Collective to promote it’s business to attract suitably skilled and qualified staff You have the right to object to such processing by contacting our managing director.
Legitimate interest basis for The Collective to protect and assert its legal rights and the legal rights of others. You have the right to object to such processing by contacting our managing director.
Legitimate interest basis for The Collective to protect and assert its legal rights and the legal rights of others. You have the right to object to such processing by contacting our managing director.
In the performance of a task carried out in compliance with a Legal Obligation.

Please note that this list is not exhaustive and The Collective may also collect and process personal data to the extent that it is useful or necessary for the provision of our services.

Data collection methods

We collect personal data in the following ways

• directly from you when you email or telephone or leave telephone voice message(s) or text SMS or through our website.
• when you complete and submit an electronic message via our website
• from third party channels such as public registers, social media, Linkedin and any other public open forums
• directly from you as a business partner, supplier or intermediary when engaging with us directly
• from use of website cookies and beacons which may track your usage of our website and uploading of information to the website

Information collected

Client and supplier personal data will only be used by us when there is a basis for a future professional services sales or service transaction/contract with you. The personal data collected is used to

• meet our obligations in the performance of a contract for provision of products or services which you have agreed with us
• assist us in the delivery and operation of secure business communications via email and our website and other relevant means
• meet legal obligations from relevant local laws in relation to customer sales transactions e.g. GST/VAT
• meet any legal obligations in relation to the defence of a legal claim or where we received a court order for the disclosure of personal data
• meet any other legal obligations from relevant local laws

Personal data may be used for legitimate business interest of The Collective as indicated above. Only personal data that is necessary for the purposes of assisting our clients with the provision of products or services as outlined above is actively collected. Any other personal information is only passively collected and is processed in accordance with this Privacy Notice, or it may be collected and processed as required by law.

Recipients of data

Personal data collected may be disclosed or transferred to

• The Collective’s data processors who provide services in relation to the secure and safe running of its business systems and processes.
• Professional agents in the provision of required services (e.g. lawyers, bankers, accountants, auditors).
• Competent authorities as required by law.
• Law enforcement and fraud prevention agencies, to help tackle fraud or where such disclosure is necessary for compliance with legal obligation.
• Other third parties where requested by you and when relevant consent has been obtained from you.
• Any new owner of The Collective should it be acquired or merged with another company.

Third party service providers are bound by the requirements of the Data Processor Agreement obligations, where personal data is to be processed to high standards of confidentially and the required security arrangements are in place.

Social media platforms

When we use social media platforms e.g. Facebook, Instagram, Twitter, Linkedin, we only operate it so as to promote our own business and we would not knowingly engage in activities that go beyond this scope. Clients (and other data subjects) are advised to refer to the respective privacy notices of these social media platforms to check your data protection and privacy rights. The Collective cannot be held responsible for third party social media platforms or websites activities.

Transfer and access to personal data

The Collective’s preference is to keep all business and personal data in its possession within Jersey jurisdiction where possible, or alternatively within the UK or the EEA. We will only transfer data outside of these areas where it is absolutely necessary for the performance of the contract agreed by you. Where the destination of the data transfer is outside the Jersey, UK or EEA and does not include a third country that has an “adequacy/equivalence” status, as recognised by the EU Commission, we would always ensure that appropriate safeguards are in place. Where we cannot guarantee these safeguards, we would always request your consent before the data is transferred.

Retention of data

The Collective will only retain your personal data for as long as is necessary to fulfil the purpose for which it was collected. Summary of the important data retention periods are as follows;

• The Collective will retain data in relation to client and supplier transactions for 10 years from the date of the transaction where they are deemed to be part of the financial records of the business,
• Client contact details will be kept for the purposes of staying in contact, but any irrelevant or expired data will not be held longer than 5 years,
• All other information will be deleted after 2 years.

This is subject to the exception where the data cannot be deleted for legal or regulatory reasons.

Data subject rights

Where a data subject in the European Union (or any “adequate/equivalent” status country) wishes to exercise their rights under applicable data protection laws, they should contact the managing director of The Collective, at info@thecollective.je. Data subjects have a number of rights available to them;

• access to their personal data,
• rectification of any inaccuracies,
• restriction on the processing their data
• to object to the processing of their data
• to be forgotten (erasure of your data)
• right to data portability
• right to object to automated decision making and profiling
• right to withdraw consent for those data processing activities based on consent

The Collective does not make any decisions based on purely automated means, but if we do, you have a right to object. Each data subject request to exercise the rights noted above will be reviewed against the requirements of the Data Protection (Jersey) Law 2018 and in certain circumstances (e.g. restriction, erasure, objection, data portability) these rights may not be exercisable by the company. Full explanations will be given in such cases.

Making a complaint

The Office of the Information Commissioner in Jersey, Channel Islands, is an independent statutory authority where you can make a complaint or learn more about data protection in Jersey. Their website is https://jerseyoic.org and telephone number is 01534 716530.

Security features

The Collective is committed to ensuring the security of your personal data and has implemented appropriate commercially reasonable technical, physical and organizational measures to prevent unauthorized or unlawful processing of your personal data or accidental loss or destruction of your personal data.

• Our website is encrypted using HTTPS (Hypertext Transfer Protocol Secure). In HTTPS the communication protocol is encrypted using Transport Layer Security (TLS). This provides a secure method of communication with us and any personal data uploaded onto our website is securely managed by our website data processor services.
• Where other channels are used for receiving personal data, we will store this information in a secure, digitally encrypted way via our UK cloud-server database or other online repository.
• Email communications are scanned using the latest version of anti-virus and malware software deployed by our business.

Management and employees are trained in their data protection responsibilities and obligation to handle personal data in a confidential manner.

Change to this notice

The Collective may update this Privacy Notice at any time. The updated notice will appear on our website www.thecollective.je and in our Terms of Business. This Privacy Notice was last approved on 2 December 2020.

Data protection contact details

If you have any questions, concerns or complaints with respect to this Privacy Notice or the handling of your privacy or personal information, please contact our managing director at info@thecollective.je. If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.

• info@thecollective.je
• +44 (0) 1534 855033