Privacy Policy
MiiM Media Limited has a responsibility to document how we will protect your personal data. This is a legal requirement of the Data Protection Act (2018), Part 2, within the UK GDPR ‘Right to be Informed’.
This Privacy Notice will outline our responsibilities to you.
This Privacy Notice was last updated in September 2024.
1.0 Key Terms
1.1 Whilst every effort has been made to outline our responsibilities to you in as clear, concise, and easy-to-understand a manner as possible, we do need to use certain terms throughout this Privacy Notice.
1.2 We will now provide an easy-to-understand definition of each term:
- Business Continuity Plan (BCP): This is a prevention and recovery system for potential threats, such as natural disasters or cyberattacks. A BCP is designed to protect personnel and assets and make sure they can function quickly when a disaster strikes.
- Data Controller: A Data Controller has the responsibility of deciding how personal data is processed, the purpose for the data processing, and how to securely protect the personal data.
- Data Processing Agreement (DPA): Whenever a Data Controller uses a Data Processor to process personal data on their behalf, a written contract needs to be in place between the parties. Similarly, if a processor uses another organisation (i.e. a Sub-Processor) to help it process personal data for a Data Controller, it needs to have a written contract in place with that Sub-Processor. This is commonly referred to as a DPA.
- Data Processor: In a similar way to Data Controllers, Data Processors must protect people’s personal data. However, they only process it in the first place on behalf of the Data Controller. They would not have any reason to have the personal data if the Data Controller had not asked them to do something with it.
- Data Protection Act (DPA 2018): The DPA 2018 sets out the legal data protection framework in the UK. It contains three separate data protection regimes:
  - Part 2: sets out a general processing regime (the UK GDPR);
  - Part 3: sets out a separate regime for law enforcement authorities; and
  - Part 4: sets out a separate regime for the three intelligence services.
- Data Subject: A Data Subject is a living person who can be identified from personal data.
- GDPR: This stands for General Data Protection Regulation (GDPR), the UK’s agreed standards for data protection that are also written into UK law through the Data Protection Act 2018 (DPA 2018).
- Incident Response Plan (IRP): A document that outlines an organisation’s procedures, steps, and responsibilities of its incident response program, for example when responding to a personal data breach.
- Individual Rights: In UK data protection law, individuals have rights over their personal data. These rights allow the individual to ask the Data Controller to do something, or stop doing something with their personal data. There are eight individual rights.
- Information Commissioner’s Office (ICO): The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights.
- Lawful Basis: A lawful basis is the legal reason or legal grounds relied upon for the processing of an individual’s personal data. There are six lawful bases to choose from: consent, contract, legal obligation, legitimate interest, public task, and vital interests.
- Personal Data: Personal data is information about who you are, where you live, what you do, and more. It is all information that identifies you as a Data Subject.
- Privacy and Electronic Communications Regulations 2003 (PECR): PECR sits alongside the DPA 2018 and the UK GDPR. This legislation gives people specific privacy rights in relation to electronic communications, and electronic processing of their personal data.
- Processing: Processing means taking any action with someone’s personal data, including processing the data for a specific purpose, storing the data, and archiving the personal data.
- Sub-Processor: A Sub-Processor acts under the instructions of the Data Processor, meaning that they may process individuals’ personal data on behalf of the Data Processor. MiiM Media Limited will always seek the permission of the Data Controller before appointing any Sub-Processors.
2.0 Scope
2.1 The scope for MiiM Media Limited is any Data Subject, whose personal data is processed upon instruction, in line with UK privacy legislation including the DPA 2018, PECR (2003), and the UK GDPR.
2.2 We also acknowledge any additional responsibilities requested by the industry regulator in the UK, the Information Commissioner’s Office (ICO).
2.3 The DPA 2018 and UK GDPR have a material scope covering personal data that is processed either electronically or is processed as part of a physical paper filing system.
2.4 MiiM Media Limited will adhere to the seven UK GDPR data processing principles when handling personal data:
- Lawfulness, Fairness, and Transparency;
- Purpose Limitation;
- Data Minimisation;
- Accuracy;
- Storage Limitation;
- Integrity and Confidentiality (Security); and
- Accountability.
2.5 All associates and employees of MiiM Media Limited who interact with Data Subjects are responsible for ensuring that this Privacy Notice is drawn to their attention, at the earliest available opportunity.
3.0 Lawfulness
3.1 MiiM Media Limited is a private limited company, based in England, under company registration number 13146896, complying with the laws of England and Wales, paying further reference to the Companies Act (2006).
3.2 MiiM Media Limited is registered with the ICO under registration number ZB517958.
3.3 MiiM Media Limited acts as a Data Processor and Data Controller. We are responsible for the personal data that we process (on behalf of the Data Subject), and have our own measures for ensuring compliance with the UK data controller regulations (personal data we are responsible for).
3.4 MiiM Media Limited also determines the scope of the personal data processing, what personal data we process, and for what purpose.
3.5 From time to time we may appoint Data Processors on behalf of MiiM Media Limited. We will always ensure that a written agreement is in place with each of our Data Processors documenting how personal data will be processed, safeguarded, and stored. MiiM Media Limited has the overall responsibility for all Data Processors.
3.6 MiiM Media Limited has a duty of care acting as a Data Controller to appoint a Data Protection Officer (DPO). We have a legal obligation to notify the ICO of their name and contact details. Our appointed Data Protection Officer (DPO) is CSRB Limited. They can be contacted via email at dpo@csrb.co.uk.