
General Data Protection Regulation (GDPR) statement
The UK General Data Protection Regulation (UK GDPR), together with the Data Protection Act 2018, governs how organizations handle personal data in the UK. It replaced the Data Protection Act 1998 and places greater obligations on how organizations collect, store, and process personal data. Where we offer services to, or hold the personal data of, individuals located in the EU, the EU GDPR may also apply. This legislation applies to "personal data". This means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
We have prepared for, and continue to comply with, our data protection obligations in the following ways:
- Awareness
Decision makers and key people within the MIDAS team are aware of, and keep up to date with, UK data protection law.
- Accountability
We monitor compliance with data protection policies and regularly review the effectiveness of data handling / processing activities and security controls.
- Information we hold
We have documented what personal data we hold, where that data came from and who it is shared with.
- Data Protection by Design and Data Protection Impact Assessments
We have implemented appropriate technical and organizational measures to show we have considered and integrated data protection into our processing activities.
- Data Protection responsibility
Our business has designated responsibility for data protection compliance to a suitable individual within the organization.
- Lawful basis for processing personal data
Our business has reviewed the various types of information processing we carry out. We have identified our lawful basis for our data processing activities and documented this. Our business has explained our lawful basis for processing personal data in our privacy policies.
- Consent
Our business has reviewed how we seek, record and manage consent. Our business has reviewed the systems currently used to record consent and implemented appropriate mechanisms in order to ensure an effective audit trail.
- Children
Our business does not offer services directly to children.
- Communicating privacy information
Our business has reviewed our current privacy policies and keeps them up to date.
- Individuals' rights
Our business has checked our procedures to ensure that we can deliver the rights of individuals under the UK GDPR.
- Subject access
Our business has procedures in place for how we handle requests from individuals for access to their personal data within the timescales outlined in the UK GDPR, and for how we provide any additional information to requestors as required. You can request a copy of the personal data we hold on you at any time using our self-service Subject Access Request tool.
- Data breaches
Our business has appropriate procedures in place to ensure personal data breaches are detected, reported and investigated effectively. Our business has mechanisms in place to assess and then report relevant breaches to the UK Information Commissioner's Office (ICO) where the individual is likely to suffer some form of damage, for example through identity theft or confidentiality breach. Our business has mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
- Hosting your data: controller and processor roles
Where we "cloud-host" your MIDAS system, any personal data you or your users enter into it (such as the details of your MIDAS users and of persons associated with bookings) remains yours. In relation to that data, you are the "controller" and we act as your "data processor" in accordance with Article 28 of the UK GDPR. We process such data only on your behalf and in accordance with our Data Processing Agreement. The lawful basis for our processing as your processor is your instruction; the lawful basis for our own limited processing in connection with operating and securing the service is our legitimate interests under Article 6(1)(f) of the UK GDPR.
- Sub-processors
To deliver the cloud-hosted service we engage a small number of sub-processors, who are themselves bound by data protection obligations. These include our hosting and data center provider, our content delivery and security provider (Cloudflare), our transactional email delivery provider (SMTP2GO), and, where you enable online or invoice payments, the relevant payment processor (Stripe or PayPal). Our hosting provider holds data in the highest regard and does not disseminate any customer uploaded data outside of its network; a copy of its privacy policy may be found here. Further detail on the third parties involved is set out in our Software Privacy Policy.
- International transfers
We offer cloud-hosted customers a choice of data centers for where their live MIDAS database will reside. This includes a European data center hosting option. Where personal data is transferred outside the UK, such transfers are protected by an appropriate safeguard recognised under the UK GDPR, such as the UK International Data Transfer Agreement, or the UK Addendum to the standard contractual clauses approved by the European Commission.
We are a UK-based business, governed by the law of England and Wales, and are subject to the exclusive jurisdiction of the courts of England and Wales.