This privacy notice is published by C Bavington Ltd, registered office 10 Longmore Avenue, East Barnet, Herts EN4 8AF, UK
Why have a privacy notice?
C Bavington Ltd handles personal data of two general kinds.
I say "handles". I know standard parlance in these notices is typically "collects" but this sounds a bit active to me. People "collect" stamps or Pokemon.
The company gets given personal data, more often than not, rather than actively collecting it.
First is the personal data about clients, leads, suppliers and so on used in conducting business generally.
I (Charlie Bavington) am the data controller for that data.
For those with knowledge of GDPR/ICO terminology, use of this data falls under "core business purposes" which, if that was all the data I stored and used, would mean you,
dear reader, would be spared all this, as would I, for ICO registration would not be needed.
Second is the personal data that might be included within a text supplied by a client for translation. I am prima facie merely the data processor for that data.
However, the company does store translated material in databases, storage is deemed a type of processing, and I control how that is done, so I am the controller for that data too.
ICO guidance for data controllers gives a long list of data processing purposes for which ICO registration is required, and that list includes "consultancy and advisory services".
Elsewhere in the civil service, the drafters of VAT Notice 741a Place of Supply, in section 12.6, say that translation is a consultancy service.
My deduction is, therefore, ICO could well consider likewise, and thus registration is advisable.
Others view the matter differently as regards this conclusion, namely that translation does not fall under any of the data processing purposes for which registration is required,
so they ain't registerin', no, sir. But C Bavington Ltd has registered, and here is my privacy notice.
For ease of reference from here on in, the first category will be referred to as "core" personal data, and the second category "incidental" personal data.
"You" as the reader, which seems to be the popular style for these things, might be in either category.
Note that personal data is not sold, exchanged or otherwise distributed or made public.
What personal data is stored
a) Core personal data: if you are a current or past client, or have contacted me about translation work in the past, your name and some limited business contact details
are stored at the time first contact is made.
As the Contact form on this very website indicates, this is likely to be no more than your name, work email address and the organisation where you are employed.
The above also applies if you are or have been a supplier, with the addition of any information you might have provided on an invoice (notably your bank details).
b) Incidental personal data: this could be as much as an entire CV, or as little as your name and email address. It's entirely beyond my control.
Steps are taken to minimise the extent to which such data is stored, including anonymisation, it being duly noted anonymisation is itself a form of data processing falling within the scope of GDPR.
Why personal data is stored or processed (the lawful basis)
a) Core personal data is stored for the purposes of conducting regular business and occasional marketing activities.
The essential lawful basis for storing this data is evidence that business transactions are legitimate if I'm ever called upon to do so.
No automated processing of core personal data takes place. Quotes and invoices are generated manually.
The data is held on a couple of spreadsheets, and if I haven't heard from you for a while, I might send an email to say hello, but there is no automated schedule.
b) Incidental personal data is processed because otherwise the translation quite possibly wouldn't make any sense.
So the lawful basis for processing is the necessity to meet contractual obligations in terms of providing useable translations; performance of a contract, if you will.
However, if processing (and thus subsequent storage) of the actual personal data itself can be avoided, I avoid it (one example might be if a translation contains a list of names).
Incidental personal data is stored, as part of the storage of work undertaken in general, (i) to be able to answer client questions,
(ii) for future reference, and (iii) as evidence that business transactions are legitimate.
For long-term storage, the personal details of those unfortunate data subjects included in translated material,
most of whom are blissfully unaware, are anonymised to make future identification impossible.
Where personal data is processed and stored
All data is stored locally only. All data is processed locally only. No external servers or cloud storage or processing services are used.
They promise the moon on a stick in terms of security, but once they're breached, they can't be unbreached. And if your internet connection is unavailable, then what?
The one obvious exception to local storage/processing is email servers, and for suppliers, online banking.
How personal data is processed and stored
On company hardware, which is password protected. And moreover stays on company premises.
No wandering down the pub, coffee emporium, library, park, beach or airport departure lounge with a laptop with all the risks to data, both personal and otherwise, that such carefree shenanigans entails.
Who has access to personal data
Personal data (core and incidental alike) is not routinely passed to third parties. The few exceptions to that blanket statement are:
1. Information might be disclosed to authorised agencies if there is a legal requirement to do so. Especially if the alternative is chokey or a fine for yours truly. Apologies in advance for being so spineless.
2. Incidental personal data in a file I am not translating personally might be passed to another translator to meet the needs of that particular translation project. I will endeavour to ensure such (sub-)processors are GDPR compliant for the peace of mind of all parties. Meanwhile, disclosure of client details under such circs is kept to a minimum, and may easily amount to nothing whatsoever.
3. If you are a supplier, my online banking service will store your bank details. Furthermore, I might pass your contact details on to business contacts who are interested in the type of service you provide.
4. Staff employed at email service providers could have access to email contents/attachments for technical and admin reasons.
And of course, the other person who has access to your personal data is....you. Albeit indirectly. See below.
When (retention of personal data)
Personal data relating to the company's financial affairs is retained for as long as the company might need to provide evidence that transactions are legitimate.
Client and supplier contact details are retained for the period they are commercially useful.
The personal data of data subjects in translation texts is anonymised, so it is no longer really personal data and is thus lawfully kept indefinitely (and also thus kind of irrelevant to a privacy statement, but mentioned for the sake of completeness).
The obligatory stuff - your rights
You have the right to ask what data is held, to see it, and to ask for it be corrected and deleted (although not both at once, I think, that would just be strange).
Please bear in mind I can decline a request for deletion (or correction, although that seems less likely) if I have legal basis that trumps your personal desires.
Otherwise, the necessary action will be taken within 28 days, tops.
If automated processing ever starts, you can object to that too. Watch this space.
The easiest way to submit such requests, given you're already on the website now, reading this, is via the Contact page.
If I ever email you in the guise of marketing and you'd rather I didn't, just say, and the necessary steps will be taken.
I'd appreciate it if you raised any concerns about your personal data directly with me in the first instance.
Otherwise, you can have a moan to the Information Commissioners Office (ICO).
I wrote the code for this website myself, and I didn't add any cookies.
Any cookies will have been planted without my knowledge by devious agents acting for nefarious and possibly malicious regimes, who knows to what end...?
If the thought of that keeps you awake at night, disable cookies in your browser settings. It won't make the slightest difference to your navigation here.