Your privacy matters

DRUM Studios Ltd privacy policy

DRUM Studios Ltd is a digital agency providing creative services, website development and hosting solutions to its clients. 

The privacy and security of our clients’ personal information is extremely important to us. For complete transparency, this privacy policy explains what data we collect and hold and how we will use our clients personal data.

As a small agency, we do not actively collect consumer data for our benefit. However due to the nature of some of our clients’ businesses we have, in certain circumstances and when the need arises, access to their customer data.

DRUM Studios Ltd is not in the business of trading, selling or leasing any data, and we will never do so.  In addition to this we never share personal data collected by us or by our clients for any marketing purpose whatsoever.  The data we share with third parties is business critical and required for us to provide our service.  

Purpose

Information is required for a number of functional reasons within the business and each have a different lawful basis.

Clients

The data we access:

In addition to design and video/animation related work, our business also often requires us to manage the hosting of websites or to help our clients plan and implement marketing activities.

This requires our clients to provide us with access to systems which may contain personal data. This data may be related to the client itself or the client’s own customers.

We only use our clients personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation.

Data for our own business purpose:

Business Contact Details

Our clients’ personal data (any information which identifies them, or which can be identified as relating to them personally for example, name, address, phone number, email address) will be collected and used by us to provide our service. We only collect the personal data that we need and it is stored within our accounting software and  cloud based email software which which are both password protected.

Email correspondence

We share data between our team and our clients via email correspondence. Internal emails are encrypted with Transport Layer Security (TLS).

File storage

Design files and our client’s other working documents are stored securely in the cloud.  Our third party cloud storage supplier is fully GDPR compliant. 

Access to these files is tightly managed in accordance with our security policy and all accounts are protected by two factor authentication.


Data we are able to access to provide a service to clients:

Website hosting and access:

We manage and access our client’s websites hosted on our servers, these sites and systems often contain our client’s own customers data. These include, but are not limited to:

  • Client CMS systems

  • Client databases

  • Client email marketing via Mailchimp

  • Google Marketing Services such as Analytics & Adwords

  • Social media accounts such as Facebook, Linkedin and Twitter

  • Google Business Profiles

Data access

The DRUM team are required to access the above data in order to provide a service to our clients. In addition to employees of the company we also employ freelance contractors who have signed NDA’s to cover their obligations to GDPR for DRUM Studios Ltd.

If data is downloaded, it is not shared with any partner or third-party and it remains the sole property of the client.  All sensitive data which includes our client’s customers details are password protected. 

Data Access Security and Management

All passwords used by DRUM Studios Ltd are stored securely using an encrypted password management service which is fully GDPR compliant and in accordance with our Security Policy and Access Control Policy.

Data Processors

DRUM use a number of different service providers (acting as “data processors”) to enable us to operate our business and the services we provide to our clients. In some instances personal data is transferred to (and stored by) these data processors, who generally fall under the following categories:

  • Service providers and subcontractors, including but not limited to:

    • Payment processors

    • Suppliers of technical and support services 

  • Website Analytics service providers

  • Server Management providers

  • Document Storage and Backup service providers

  • Email, contacts and calendar service providers

  • Accounting Software service providers

For security reasons (to reduce the risk of phishing attacks to our customers) we do not name all our service providers in this privacy notice. 

We may also share your personal data with the following third parties in certain circumstances:

  • We will share personal information with law enforcement or other authorities (such as tax authorities) if required by applicable law.

  • We may share personal information with third parties to whom we may choose to sell, transfer, or merge parts of our organisation or our assets. Alternatively, we may seek to acquire other organisations or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

  • We may share personal information with professional advisors such as lawyers, accountants or auditors in order for them to provide legal, accounting or auditing services to us.

Many of our data processors operate “cloud-based systems”, which means the information is held in information data centres in different locations. 

All the cloud-based systems we use reserve the right to hold copies of our clients personal information outside the EEA to hold back-up copies, so they can guarantee recovery.

In each case we and/or our processors use one or more of the following means that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of abuse:

  • Certain processors may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.

  • Where personal data is transferred outside the EEA or countries the EC deems to have adequate privacy protection, we use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.

  • Providers storing data in the US may be self-certified to the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Our Clients’ Data Rights

The personal data we hold about our clients is their data, so they have certain rights over them. This section summarises our clients personal data rights. Any or all of these rights can be exercised when chosen.

Rights that can be exercised:

  • Update any Personal Information which is out of date or incorrect;

  • Delete any Personal Information which we are holding about you;

  • Restrict the way that we process Personal Information;

  • Provide Personal Information to a third-party provider of services; or

  • Provide a copy of any Personal Information which we hold.

Our clients have the following rights:

  1. To request a copy of all personal data we hold relating to them and we must provide this within 30 days;

  2. To require us to correct any records that are wrong;

  3. To require us to erase personal data and we must comply unless we need it for one of the purposes described above (for example, this might include the fact that we need to demonstrate performance of our contractual obligations.)

  4. To have your personal data transferred to another organisation, and we’re obliged to provide it to you in a clear and reasonable format.

DRUM Studios Ltd retains the right to keep data that is needed to establish, exercise or defend a legal claim.

Where we process data based on a “legitimate interest” (underlined in the Purpose section above) clients have the right to object to our processing of that data. From that point, data processing is stopped until we have determined whether our clients rights override our interests.

Your Rights

At all times, you have the right to report a concern or lodge a complaint with the Information Commissioner’s Office. 

Please refer to the ICO at https://ico.org.uk/concerns/or by calling them on 0303 123 1113.

How To Get In Touch

If you have any questions, concerns or just want some more information in relation to our privacy management, you can contact us in the following ways:

Telephone: 01252 734616

Email: privacy@wearedrum.com

Updates 

We update our Policy from time to time so please do review this Policy regularly.