Skip to content

SPARK® TSL GDPR Privacy Policy

WiFi SPARK Limited  and SPARK Technology Services Limited(Together, “SPARK® TSL”)

1. Introduction

This document explains how SPARK® TSL obtains, holds, uses and discloses information about people (‘Personal Data’) [1]), the steps taken to ensure that it is protected, and also describes the rights individuals have in regard to their Personal Data handled by SPARK® TSL [2].

The use and disclosure of Personal Data is governed in the United Kingdom by the General Data Protection Regulation (‘GDPR’). SPARK® TSL is registered with the Information Commissioner as a ‘data controller’ for the purposes of GDPR. As such SPARK® TSL is obliged to ensure that the company handles all Personal Data in accordance with GDPR.

SPARK® TSL takes that responsibility very seriously and takes great care to ensure that Personal Data is handled appropriately in order to secure and maintain individuals’ trust and confidence in SPARK® TSL.

2. Context

Data Controller
SPARK® TSL is a Data Controller where the information collected is for the exclusive benefit of SPARK® TSL. In these instances, SPARK® TSL either collects and controls Personal Data for the Legitimate Interests of both the Data Controller (SPARK® TSL) and the Data Subject or as part of a contract. This may be in the event that payments are taken for an enhanced service.

This is detailed on the specific User Experience Portal for the service.

Data Processor
For most clients, SPARK® TSL acts strictly as a Data Processor at the instruction of the client, who is acting as Data Controller. In this scenario, SPARK® TSL collects Session Information and any Personal Data as instructed by the Data Controller. The information is then presented to the Data Controller. Where SPARK® TSL is the Data Processor, the Data Controller’s contact information and Data Processing Notice/Privacy Policy is detailed on the specific User Experience Portal for the service. 

3. Why does SPARK® TSL handle Personal Data?

Data Controller
SPARK® TSL obtains, holds, uses and discloses Personal Data for the provision of services to support SPARK® TSL’s business.

These include:

  • Staff administration, occupational health and welfare
  • Staff recruitment
  • Sales and Marketing including public relations, digital marketing and promotions
  • Management of finance to and from SPARK® TSL including payments
  • Internal review, accounting and auditing
  • Training
  • Vehicle and transport management
  • Payroll and benefits management
  • Management of complaints
  • Management of information & communications technology systems
  • Information provision
  • Licensing and registration
  • Research, including surveys which may be carried out by an external agent [3]
  • Performance management
  • Procurement
  • System testing
  • Security
  • Health and safety management

Data Processor
Where SPARK® TSL is the Data Processor, it collects Personal Data on behalf of the Data Controller. SPARK® TSL only collects Personal Data that it is instructed to, the information is then displayed securely and/or securely transmitted to the Data Controller for their purposes. In this scenario, Data Subjects must consult the Data Controller’s Privacy Policy in order to consent to the Data Processing in an informed manner.

4. Whose Personal Data does SPARK® TSL handle?

Data Controller
In order to carry out the purposes described in section 1 above SPARK® TSL may obtain, use and disclose (see section 7 below) Personal Data relating to a wide variety of individuals including the following:

  • Staff including volunteers, apprentices, agents, temporary and casual workers
  • Job applicants
  • Suppliers
  • Clients
  • Complainants, correspondents and enquirers
  • Advisers, consultants and other professional experts
  • Former and potential members of staff
  • Other individuals necessarily identified in the course of SPARK® TSL enquiries and activity

SPARK® TSL will only use appropriate Personal Data necessary to fulfil a particular purpose or purposes. It will collect the minimum information necessary to fulfil that purpose. Anyone working for SPARK® TSL may only use information which is necessary to carry out their official duties. Personal Data could be information which is held on a computer, in a paper record i.e., a file, as images, but it can also include other types of electronically held information.

Data Processor
As a Data Processor, SPARK® TSL processes the Personal Data of Data Subjects who are service users of the WiFi service provided for a contracted client.

5. What types of Personal Data does SPARK® TSL handle?

Data Controller
In order to carry out the purposes described under section 1 SPARK® TSL may obtain, use and disclose (see section 7 below) Personal Data relating to or consisting of the following:

  • Personal details such as name, address and biographical details
  • Account or payment details
  • Education and training details
  • Employment details, including performance and development
  • Financial details
  • Goods or services provided
  • Racial or ethnic origin
  • Trade union membership
  • Physical or mental health or condition
  • Offences (including alleged offences)
  • Criminal proceedings, outcomes and sentences
  • Sound and visual images
  • Other digital media
  • Licenses, permits, qualifications or accreditations held
  • References to manual records or files
  • Information relating to health and safety
  • Complaints, incident and accident details
  • Curriculum vitae including employment and educational details

SPARK® TSL will only use appropriate Personal Data necessary to fulfil a particular purpose or purposes. Personal Data could be information which is held on a computer, in a paper record i.e., a file, as images, but it can also include other types of electronically held information.

Data Processor
Where SPARK® TSL is the Data Processor, SPARK® TSL collects Personal Data on behalf of the Data Controller. SPARK® TSL only collects Personal Data that it is instructed to, the information is then displayed securely and/or securely transmitted to the Data Controller for their purposes. In this scenario, Data Subjects must consult the Data Controller’s Privacy Policy in order to consent to the Data Processing in an informed manner.

An example of the types of information requested would be:

  • Name
  • Postcode
  • Date of Birth

Date of Birth is required in order to go to reasonable efforts to ensure that any Data Subjects under the age of consent gain consent from a Parent or Guardian for their Personal Data to be processed. Date of Birth may also be used to validate the individual in the event of a Subject Access Request

6. Where does SPARK® TSL obtain Personal Data?

Data Controller
SPARK® TSL may obtain Personal Data from a wide variety of sources, including the following:

  • The individual data subjects
  • Current, past or prospective employers of the individual
  • Healthcare, social and welfare advisers or practitioners
  • Education and training establishments
  • Business associates and other professional advisors
  • Employees and agents of SPARK
  • Suppliers, providers of goods or services
  • Persons making an enquiry or complaint
  • Legal representatives
  • Auditors
  • Financial organisations and advisors
  • Credit reference agencies
  • Trade, employer associations and professional bodies
  • Ombudsmen and regulatory authorities
  • The media
  • Openly available information from the internet
  • Data Processors working on behalf of SPARK® TSL
  • Recruitment agencies

SPARK® TSL may also obtain Personal Data from other sources such as its own correspondence.

Data Processor
Individual Data Subjects

7. How does SPARK® TSL handle Personal Data?

Data Controller
In order to achieve our purposes, SPARK® TSL will handle Personal Data in accordance with GDPR. In particular, the company will ensure that Personal Data is handled fairly and lawfully with appropriate justification. SPARK® TSL will strive to ensure that any Personal Data used by the company or on SPARK’s behalf is of the highest quality in terms of accuracy, relevance, adequacy and non-excessiveness, is kept as up to date as required, is protected appropriately, and is reviewed, retained and securely destroyed when no longer required. SPARK® TSL will also respect individuals’ rights under GDPR (see Section 11 below).

Data Processor
Personal Data is handled securely at rest and in transit at the behest of Data Controllers and in accordance with the requirements of GDPR. Where access and or amend requests are given the company will ensure that changes, once validated, are within the required timeframes.

8. How does SPARK® TSL ensure the security of Personal Data?

SPARK® TSL takes the security of all Personal Data under the company’s control very seriously. SPARK® TSL will comply with the relevant parts of GDPR relating to security and seek to comply with Articles 32 – 34.

SPARK® TSL will ensure that appropriate policies, training, technical and procedural measures are in place, including audit and integrity monitoring, to protect manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any Personal Data contained within them. These procedures are continuously managed and enhanced by the SPARK® TSL Information Security Team to ensure up-to-date security.

9.  Who does SPARK® TSL disclose Personal Data to?

When Data Subjects provide information, they will be told what it will be used for and whom it will be shared with. SPARK® TSL may disclose, or enable access by other parties, including those from whom Personal Data is obtained as listed above. This may include disclosures to bodies or individuals working on behalf of SPARK® TSL such as support contractors or partners. However, SPARK® TSL will not supply these organisations with your information unless it is satisfied that equal measures are in place to protect the information from unauthorised access.

Disclosures of Personal Data will be made on a case-by-case basis, using the Personal Data appropriate to a specific purpose and circumstances, and with necessary controls in place. Where monies are due or outstanding SPARK® TSL reserves the right to use all the available information at its disposal to protect its business interests.

SPARK® TSL will also not supply your information to any organisation for marketing purposes without your prior consent.

SPARK® TSL periodically undertakes surveys through online survey systems e.g., Survey Monkey. Respondents should satisfy themselves regarding the privacy notices associated with any third-party software provider.

SPARK® TSL will also disclose Personal Data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. SPARK® TSL may also disclose Personal Data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.

10. Data Processing Notice as Data Controller

Where WIFISPARK® TSL LIMITED is the Data Controller:

Data Controller Name: WiFi SPARK LIMITED
Data Controller Email: info@wifispark.com
Data Controller Website: www.wifispark.com
Data Protection Group Contact Email: dpo@wifispark.com
Legal Basis for Data Processing: Service Dependent stipulated on the specific services’ User Experience Portal

Where SPARK TECHNOLOGY SERVICES LIMITED is the Data Controller:

Data Controller Name: SPARK TECHNOLOGY SERVICES LIMITED
Data Controller Email: info@wifispark.com
Data Controller Website: www.wifispark.com
Data Protection Group Contact Email: dpo@wifispark.com
Legal Basis for Data Processing: Service Dependent stipulated on the specific services’ User Experience Portal

Who has access to the Personal Data collected by Data Subjects?

WiFi SPARK LIMITED
SPARK TECHNOLOGY SERVICES LIMITED
AWS – Amazon Web Services
AVIDLY AGENCY
HUBSPOT 

11. What are the rights of Data Subjects?

Under GDPR Individuals have the following rights:

11.1.  The right to be informed

Data Subjects have the right to be informed about the collection and use of the Personal Data. This is a key element of transparency. This must include:

  • The purposes of processing their Personal Data
  • The retention periods for keeping the Personal Data
  • The parties with access to the data

The information must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

11.2. The right to Access

Under GDPR, individuals will have the right to obtain:

  • Confirmation that their data is being processed;
  • Access to their personal data; and
  • Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15)
11.3. The right to Rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the Personal Data has been disclosed to third-parties, each recipient must be contacted in order to inform them of the rectification - unless this proves impossible or involves a disproportionate effort. If asked to, Data Controllers must also inform the individuals about these recipients.

11.4. The right to Erasure (Right to be Forgotten)

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
  • The personal data has to be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.
11.5. The right to Restrict Processing

Individuals have a right to ‘block’ or suppress processing of personal data

When processing is restricted, Data Controllers & Processors are permitted to store the personal data, but not further process it.

Data Controllers can retain just enough information about the individual to ensure that the restriction is respected in future.

Data Controllers & Processors will be required to restrict the processing of personal data in the following circumstances:

  • Where a Data Subject contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.
  • Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual.
  • When processing is unlawful and the individual opposes erasure and requests restriction instead.
  • If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
11.6. The right to Data Portability
  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  • Some organisations in the UK already offer data portability through the ‘midata’ and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe. -
  • It enables consumers to take advantage of applications and services which can use this data to find them a better deal or help them understand their spending habits.
11.7. The right to Object

Individuals have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • Direct marketing (including profiling); and
  • Processing for purposes of scientific/historical research and statistics.

Data Controllers & Processors must stop processing the personal data unless:

  • They can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • The processing is for the establishment, exercise or defence of legal claims.
  • Data Subject must be informed of their right to object “at the point of first communication” and in the privacy notice.
  • This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”
11.8. The right to be information of any Automated Decision Making, including Profiling

The GDPR has provisions on:

  • Automated individual decision-making (making a decision solely by automated means without any human involvement); and
  • Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

GDPR applies to all automated individual decision-making and profiling.

Article 22 of GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.

Data Controllers & Processors can only carry out this type of decision-making where the decision is:

  • Necessary for the entry into or performance of a contract; or
  • Authorised by Union or Member state law applicable to the controller; or
  • Based on the individual’s explicit consent.

You must identify whether any of your processing falls under Article 22 and if so, make sure that you:

  • Give individuals information about the processing;
  • Introduce simple ways for them to request human intervention or challenge a decision;
  • Carry out regular checks to make sure that your systems are working as intended.

12. Automated Decision Making in Practice

Data Controller
SPARK® TSL as a Data Controller makes no automated decisions or profiling based on Personal Data.

Data Processor
SPARK® TSL acting as a Data Processor has the facility to provide session and traffic trends to Data Controllers via its secure Analytics Platform. This may be contextualised with Personal Data in order for Data Controllers to see demographic trends. The Data Controller may then make marketing and advertising decisions focused on their demographics. All assumptions made by the Data Controller are outside of SPARK® TSL’s purview and area of business; SPARK® TSL only presents the information available.

13. Lodging a Concern

If individuals have any concerns regarding the way their Personal Data is handled by SPARK® TSL or the quality (accuracy, relevance, non-excessiveness etc) of their Personal Data they are encouraged to raise them with SPARK® TSL’s Data Protection Team.

The Information Commissioner is the independent regulator responsible for enforcing GDPR and can provide useful information about GDPR’s requirements. They should also be contacted if a Data Subject wishes to raise a concern with regard to how Personal Data is controlled or processed. The Information Commissioner’s Office may be contacted using the following:

The Information Commissioner’s Office
Wycliffe House
Wilmslow
Cheshire
SK9 5AF
0303 123 1113
https://ico.org.uk/ 

14. How long does SPARK® TSL retain Personal Data?

Data Controller
SPARK® TSL keeps Personal Data as long as is necessary for the particular purpose or purposes for which it is held and will be disposed of in a secure manner when no longer needed. The periods for retention of information are specified in SPARK’s Retention Schedule, however payment details are kept inline with the requirements for HMRC, and where SPARK® TSL is the Data Controller of a Guest WiFi Service for a particular client, we keep Personal Data for 6 months after the last time the service was used. Where this situation is relevant, the specific sites portal details this.

Data Processor
Where SPARK® TSL are the Data Processor, we keep the Personal Data on behalf of the Data Controller in line with their Data Retention Policies. This is on a case-by-case basis and SPARK® TSL encourages Data Subjects to refer to the particular Data Controllers’ Privacy Policy.

15. Monitoring

SPARK® TSL may monitor or record and retain telephone calls, text, emails and other electronic communications to and from SPARK® TSL in order to provide a help and support service. Monitoring may also be employed for legitimate business interests such as to deter, prevent and detect inappropriate or criminal activity, to ensure security and to assist its Business Purposes.

16. Contact Us

Any individual with concerns over the way SPARK® TSL handles their Personal Data may contact the Data Protection Team as below:

FAO Data Security Officer
WiFi SPARK
5 Cranmere Court
Lustleigh Close
Matford Business Park
Exeter
EX2 8PW
dpo@wifispark.com
www.wifispark.com

[1] ‘Personal Data’ is defined under GDPR. In practical terms, it means information handled by SPARK® TSL that relates to identifiable living individuals. The information can be held electronically or as part of paper records and can include photographs. For ease of readers, this document refers to the handling, use, holding etc of Personal Data.

[2] This document is designed to help satisfy Fair Processing Requirements and may be regarded as a generic over-arching ‘Fair Processing Notice’ for SPARK® TSL.

[3] SPARK® TSL conducts satisfaction surveys to evaluate our performance and effectiveness. SPARK® TSL may contact individuals, such as service users and clients, or those reporting complaints to ask them for their opinion of the service we are providing. SPARK® TSL uses the information provided to improve services wherever possible.