- Purpose and lawful basis for processing
- What we need
- Why we need it
- How long we keep it
- What are your rights?
- Do we use any data processors?
Our purpose for collecting this information is so that we can assess, and take action on, all reported breaches.
The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
Public electronic communications service providers are required by law to report any security breaches involving personal data to us. Along with information about the breach, we need the name and contact details of a representative of your business.
We use the data collected to record the breach, make decisions about the action we may take, contact you for more information and inform you of any actions we’ve taken.
We may also contact you to ask if you would be interested in participating in a customer satisfaction survey. If you would like to be included, we will pass your name and email address on to a third party to complete the survey on our behalf.
For information about how long we hold personal data, see our retention schedule.
If you agree to participate in the customer experience survey, the Institute of Customer Service (ICS) will keep your survey response for 30 days from when the survey closes. They will keep your name and email address for 9 months from the survey expiry date.
We process personal data in the breach form in our capacity as regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
For more information on your rights, please see ‘Your rights as an individual’.
We do not use any data processors for handling data breach reports.
We use the Institute of Customer Service (ICS) as a data processor to run our customer satisfaction surveys.