Privacy policy

Introduction and purpose

Frame Agency Ltd (‘we’, ‘our’, ‘us’, ‘the company’) is committed to protecting the privacy and security of personal information. This Privacy Policy explains how we collect and use information about you.

By using your information, we hope we can provide the news, content, products and services you’re interested in. The use of your information helps us understand what your needs and interests are, provide you with relevant content, and let you know about our events and services.

Who we are

Frame Agency Ltd is an independent creative communications agency business based in Glasgow and Edinburgh.

Our registered company address is Four Winds Pavilion, Pacific Quay, Glasgow, G51 1DZ.

Our company registration number is SC117337. Our VAT number is 294 8911 52.

Because we collect personal information from people and then decide how to use that information, for the purposes of the General Data Protection Regulation (GDPR), effective from 25th May 2018, we are what is called a ‘Data Controller’.

This means that we are responsible for deciding how we hold and use personal information. We are required under data protection laws to notify you of the information contained in this policy.

For the purposes of this policy: 

‘Clients’ includes natural persons who have engaged us to provide advice to them in their personal capacity or on behalf of a company, partnership, charity, trust, estate, agency, department, corporate body of any description or any other group or organisation; and
‘Subscribers’ includes natural persons that have signed up to our marketing communications, briefings or blogs, have attended or registered to attend one of our events, or follow us on social media.

This policy applies to the personal information of past and present clients and subscribers. Please note that you may fall in to more than one of these categories so we may hold your personal information in a number of capacities.

If you are a past or present employee or consultant of the firm, we will hold further personal information about you. For further details please contact info@framecreates.co.uk or speak to your line manager.

This policy does not form part of any contract that you may have with the company. It is provided for information purposes only.

Data Protection Contact

We have a nominated Data Protection Officer to oversee compliance with this policy. If you have any questions about this policy or how we handle personal information, please contact our Data Protection Officer in writing using the details below.

Email address: info@framecreates.co.uk


Postal address:
Data Protection Officer
Frame Agency Ltd
Four Winds Pavilion
Pacific Quay
Glasgow
G51 1DZ


Changes to this policy
We reserve the right to update this policy at any time and we will provide you with a new policy when we make substantial updates.

1. The Data Protection Principles
We will comply with data protection law. The law says that the personal information that we hold must be:

  • Used in a lawful, fair and transparent way.
  • Collected only for valid purposes that we have clearly explained and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes for which it was collected and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes for which it was collected.
  • Kept securely.

The kind of information that we hold about clients

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (such as anonymous data).

There are some ‘special categories’ of more sensitive personal data which require a higher level of protection.

We collect, store and use some or all of the following categories of personal information about clients:

(A) Client on-boarding information: Name, title, job title, company, address, telephone number, email address, bank account details.
(B) Client file information: The categories of personal information that we hold about you for the purposes of specific matters that we are providing advice on will vary according to the type of matter, but will include as a minimum the information set out in A above. Where we have collected client file information other than from you, we will always ask you to confirm its accuracy. By way of example this category may include, amongst other things: tax details, marriage details, employment details, directorships, shareholding details or personal correspondence.
(C) Relationship information: Name, title, job title, company, address, telephone number, email address, client relationship details (length of relationship, company contacts engaged with, meetings, calls and other engagement with the company), services details (number of engagements, references, reviews and testimonials), career history and other biographical information, and dietary preferences.
(D) Marketing information: name, title, job title, address, telephone number, email address, company, engagement details (click-throughs, open rates, bounce rates, return to sender notifications), event attendance history, dietary preferences, professional career history, payment details and marketing preferences.
(E) Social media information: Username, company details and engagement details (likes, retweets, shares, reactions, comments).
(F) Monitoring: PC login details, use of our IT and communications systems.

3. We may also collect, store and use the following ‘special categories’ of more sensitive personal information about clients:

(G) Relationship information (sensitive): special access requirements, allergies.
(H) Matter information (sensitive): The categories of personal information that we hold about you for the purposes of specific matters that we are providing advice on will vary according to the type of matter. Where we have collected this information other than from you, we will always ask you to confirm its accuracy. By way of example this category may include, amongst other things: race or ethnicity, political opinions, philosophical or religious beliefs, trade union membership, biometric data, medical conditions, prescriptions, surgeries, therapies, medical history, disabilities and sexual orientation.
(I) Criminal records: criminal convictions and offences.

4. How we collect clients’ personal information

We collect personal information in category A directly from clients as part of our file opening process.

We collect personal information in categories B, G, H and I directly from clients as we take instructions in relation to specific matters. We may also obtain further information about specific matters from other sources including publicly available registers, court transcripts, credit searches and private investigators.

We collect personal information in categories C and D directly from clients over the course of our relationship. We may also collect further information from other sources such as Companies House or market information providers.

We collect personal information in category E either from clients directly or from social media platforms when clients engage with our social media accounts on Facebook, Twitter, Instagram and Linkedin.

We collect personal information falling within category F when clients visit our premises or use our IT or communications systems.

5. How we use clients’ personal information

We will only use personal information when the law allows us to. The law says that we must identify a lawful basis for each use of personal data. We rely on a number of lawful bases, including:

1. Where we have obtained freely given, specific, informed and unambiguous consent from you to use your personal information in certain ways.
2. Where we need to perform a contract that we have entered into.
3. Where we need to comply with a legal obligation.
4. Where it is necessary for us to use personal information to pursue our legitimate interests (or those of a third party) and we believe that using personal information in that way is not overridden by the interests or fundamental rights of the person to whom the information relates.

Below, we have set out the purposes for which we use each category of personal data and the lawful bases which are relevant to those purposes.

We use your client on-boarding information and client file information for communicating with you in the course of our engagement, as necessary, to perform our duties under a contract with you, or with a view to entering into a contract with you, to provide you with services. This includes taking your instructions, providing advice and invoicing our fees and disbursements. We may also need to disclose some personal data to meet our statutory obligations under the Lobbying (Scotland) Act 2016 and Transparency of Lobbying, Non-Party Campaigning and Trade Union Administration Act 2014 in performing the contract we have entered into with you.

We use your client file information to provide advice to you. For clients, our lawful basis for this is that it is necessary in order to perform the contract that we have with you.

We use your relationship information to manage and strengthen our relationship with you, this includes linking the work that we do across different practice areas and offices to ensure that you receive a seamless, relevant and streamlined service at all times. Our lawful basis for this is in order to pursue our legitimate interests in creating deep and lasting relationships with our clients.

We use your marketing information for marketing purposes, this includes contacting you with relevant briefings, blogs, information about our services and events, and measuring engagement with our communications to ensure that the content that we create is relevant and useful. Our lawful basis for this is your consent. You have the right to withdraw this consent or amend your marketing preferences at any time by contacting info@framecreates.co.uk

We hold your social media information in the course of operating our social media accounts on Twitter, Facebook, LinkedIn, Medium, and Instagram. Our lawful basis for this is that it is necessary in order to pursue our legitimate interest in maintaining a visible, engaging and relevant social media presence.

We use monitoring to ensure network and information security, including preventing unauthorised access to our systems and preventing malware distribution and to ensure compliance with our IT and communications policies. Our lawful basis for this is our legitimate interest in securing our information and systems.

‘Special categories’ of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. Below we have identified the further justification on which we are relying to process clients’ special category personal data. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.

We use relationship information (sensitive) to ensure that our offices and events are inclusive and accessible to all our clients. Our lawful basis for this is our legitimate interest in ensuring that clients and others can access and make use of our offices and events.

We use matter information (sensitive) to provide confidential advice to you. For clients, our lawful basis for this is your explicit consent in providing us with that information in order that we can perform the contract we have entered into.

If we require to use information relating to criminal records our legal basis for that would be the performance of our contract with you and your explicit consent in providing that information. 

7. The kind of information that we hold about subscribers

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (such as anonymous data).

There are some ‘special categories’ of more sensitive personal data which require a higher level of protection.

We collect, store and use some or all of the following categories of personal information about clients:

(J) Relationship information: name, title, job title, company, address, telephone number, email address, client relationship details (length of relationship, company contacts engaged with, meetings, calls and other engagement with the company), services details (services used, number of engagements, references, reviews and testimonials) and dietary preferences.

(K) Marketing information: name, title, job title, address, telephone number, email address, company, engagement details (click-throughs, open rates, bounce rates, return to sender notifications) event attendance history, dietary preferences, payment details, reviews, case studies, testimonials and marketing preferences.

(L) Social media information: username, company details and engagement details (likes, retweets, shares, reactions, comments).

(M) Monitoring:vehicle details, swipe/fob records, PC login details, use of our IT and communications systems.

8. We may also collect, store and use the following ‘special categories’ of more sensitive personal information about subscribers:

(N) Relationship information (sensitive): special access requirements, allergies.

9. How we collect subscribers’ personal information

We collect personal information in categories A, B and E, and N directly from you over the course of our relationship, this may be when you sign up to a newsletter, when you appoint us or engage our services, when you attend one of our events, or some other time when you engage with us directly. We may also source some of this information from other sources such as Companies House or market information providers.

We collect personal information in category C either from you directly or from social media platforms when you engage with our social media accounts on Facebook, Twitter, Instagram, Medium, and Linkedin.

We collect personal information falling within category D when you visit our premises or use our IT or communications systems.

10. How we use subscribers’ personal information

We will only use personal information when the law allows us to. The law says that we must identify a lawful basis for each use of personal data. We rely on a number of lawful bases, including:

  • Where we have obtained freely given, specific, informed and unambiguous consent from you to use your personal information in certain ways.
  • Where we need to perform a contract that we have entered into.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for us to use personal information to pursue our legitimate interests (or those of a third party) and we believe that using personal information in that way is not overridden by the interests or fundamental rights of the person to whom the information relates.

Below, we have set out the purposes for which we use each category of personal data and the lawful bases which are relevant to those purposes.

We use your relationship information to manage and strengthen our relationship with you. This includes linking the work that we do across different practice areas and offices to ensure that you receive a seamless, relevant and streamlined service at all times. Our lawful basis for this is necessary in order to pursue our legitimate interests in creating and maintaining deep and lasting relationships with our contacts.

We use your marketing information for marketing purposes, this includes contacting you with relevant briefings, blogs, information about our services and events, and measuring engagement with our communications to ensure that the content that we create is relevant and useful. Our lawful basis for this is your consent. You have the right to withdraw this consent or amend your marketing preferences at any time by contacting info@framecreates.co.uk

We hold your social media information in the course of operating our social media accounts on Twitter, Facebook, LinkedIn, Medium, and Instagram. Our lawful basis for this is that it is necessary in order to pursue our legitimate interest in maintaining a visible, engaging and relevant social media presence.

We use monitoring to ensure network and information security, including preventing unauthorised access to our systems and preventing malware distribution and to ensure compliance with our IT and communications policies. Our lawful basis for this is our legitimate interests in securing our information and systems.

11. ‘Special categories’ of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. Below we have identified the further justification on which we are relying to process subscribers’ special category personal data. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.

We use relationship information (sensitive) to ensure that our offices and events are inclusive and accessible to all our clients. Our lawful basis for this is our legitimate interest in ensuring that clients can access and make use of our offices and events. Our further justification is that processing that information is necessary for reasons of substantial public interest.

If you fail to provide personal information

If you fail to provide certain personal information when we request it, we may not be able to perform our contract with you properly (such as providing you with communications advice) or we may be prevented from achieving our legitimate interests (such as engaging with you on social media).

If you choose not to provide the information requested in our client on-boarding process, we may not be able to engage you as a client of the company.

13. Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the lawful basis which allows us to do so.

14. Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making where we have notified you of the decision and given you 21 days to request a reconsideration, where it is necessary to perform a contract with you or with your explicit written consent.

Below we have set out the automated decisions that we make about you.

We make automated marketing decisions. We have an electronic system that will automatically select certain clients for certain marketing communications. For example, invites to an event in Edinburgh on the topic of communications may only be sent to those clients who work in Communications functions and are based in Edinburgh.

Other than those detailed above, you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

15. Data sharing

We may occasionally share your data with third parties, including third-party service providers, partner firms, or clients. We require all third parties to respect the security of your data and to treat it in accordance with the law.

Third-party service providers require access to your personal data in the course of providing their services to us. We engage third parties to provide the following services: IT support, customer relationship management systems, document management systems, design services, printing and reprographics support, event hosting services, email marketing management systems, survey and polling services, media monitoring, parliamentary monitoring, audiovisual support, client reviews, and market insight services.

All third parties are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow third parties to use your personal data for their own purposes. We only permit them to access your personal data for specific purposes and in accordance with our instructions.

We may share your personal information with other third parties, for example with a potential purchaser in the context of a potential sale or restructuring of the business. We may also need to share your personal information with a regulator to comply with the law.

We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.

Some of our third party service providers are based in the United States of America and host their services on servers based there. This means that your data may be transferred to the US as part of a technical process or for storage. The European Commission has issued an adequacy decision in relation to transfers to the US made under the EU-US Privacy Shield framework. You can find more information about the Privacy Shield here.

Transfers will always be subject to adequate safeguards.

These safeguards may take the form of an adequacy decision. Adequacy decisions are made by the European Commission in respect of certain countries. An adequacy decision means that the countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information.

To ensure that your personal information does receive an adequate level of protection in the absence of an adequacy decision, we will put in place binding corporate rules or standard contractual clauses approved by the European Commission or the ICO to ensure that your personal information is treated by those third parties in a way that is consistent with and respects the EU and UK laws on data protection. If you require further information about these protective measures, please contact our Data Protection Officer by emailing info@framecreates.co.uk

Data security

We have put in place appropriate security measures to protect your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those people who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

17. Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal accounting, or reporting requirements.

We retain client on-boarding information in category A for six years from the date that we take you on as a client or open a client file on your instructions.

We retain relationship information in categories C and J for the period of our relationship with you and for three years afterwards.

We retain marketing information in categories D and K for the period of our relationship with you and for five years afterwards.

We retain social media information in categories E and L for the period during which we are connected on any given social media platform only.

We retain client file, matter information, criminal records and monitoring information in categories B, F, G, H, I, J, M, and N for the period of our relationship with you only.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Where you have chosen to unsubscribe from our marketing communications, we will retain your contact details to ensure that you are not sent any further communications. This information will be held indefinitely.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

18. Changes to your data

It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes during your working relationship with us. If your personal information changes, please let us know by emailing info@framecreates.co.uk

19. Your rights

Under certain circumstances, by law you have the right to:

Request access to your personal information. This is commonly known as a subject access request. This enables you to receive a copy of the personal information we hold about you and to check that we are processing it lawfully.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal information to another party.

Request the reconsideration of an automated decision. This enables you to ask us to reconsider a decision that was made solely by automated means or to ask for human intervention.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, request that we transfer a copy of your personal information to another party or request the reconsideration of an automated decision, please contact our Data Protection Officer by emailing info@framecreates.co.uk

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

20. Withdrawal of consent

Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Protection Officer on info@framecreates.co.uk. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.

21. Complaints

If you have any concerns over how we use your data, please contact our Data Protection Officer in the first instance on info@framecreates.co.uk.

 
If you are not satisfied that we have addressed your concerns adequately, you have the right to lodge a complaint with the ICO. Their contact details are below:

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113
Web: www.ico.org.uk