Legal bases for data processing
Under the GDPR, a company can collect or process information provided certain criteria are fulfilled. In our case, these would be:
• Contractual obligations - in order to ensure that requested services or goods which have been contracted for are successfully delivered;
• Legal compliance - if we are under a statutory obligation to provide relevant information to government agencies;
• Legitimate interest - if we can demonstrate to a competent authority that we have a reasonable interest in data which would allow us to run the business or maintain the safety of our partners which overrides the potential impact on others.
When could data be obtained?
With the widespread prevalence of IT, personal data could conceivably be obtained in all manner of ways. In our case, these could be:
• when you visit our website, regardless of your device or browser;
• if you contact us by phone, e-mail, social media or direct message service on a mutually accessed online forum or escort directory;
• whenever you visit us in person, where CCTV systems, which are in place in our premises for the safety of our ladies and visitors, could pick up your image.
What sort of privacy related data could be obtained?
The data which could be communicated or processed will depend on the type and level of your interaction with Indigo Nile. This could include:
• copies of documents provided under our recruitment process, which would be legally required to prove that you have the right to work in the UK and have reached the minimum age of consent. These documents, such as passports and driver's licence, could list your full name, address, date of birth, nationality, and facial image;
• your image may be recorded when visiting our premises
• details of interactions with us in the premises, online, and by phone, either directly or through information which you have provided to third-party sites.
How and why is personal data used?
For logical reasons, we aim to minimise our exposure to information which could have the hallmarks of a personal identifier. Therefore, while it could be beneficial to ourselves as a business to operate them, we are not likely to introduce features such as mailing lists or VIP galleries to select members, given the known privacy risks of operating such services. Likewise, while we know that not everyone may wish to acquire one, there are many individuals with an interest in client privacy who recommend using a "punting phone" when engaging in this hobby. Bearing this in mind, sometimes we will find ourselves having to collect data for a diverse number of uses, including:
• as an incall agency operating an appointments-only policy, we naturally need to communicate by phone in order to arrange appointments and ensure they are satisfied. Hence, we would have a contractual base for processing a name and number for fulfillment purposes;
• as an outcall agency operating, we may need to verify that a potential client is residing at a particular location in order to arrange appointments and ensure they are satisfied. Hence, we would have a contractual base for processing a name and number for fulfillment purposes;
• in order to respond to complaints or queries. Handling your information not only enables us to respond to you, but also allows us to keep a record of our response should further feedback be required. Doing so would not only be in order from a contractual basis, but is also due to having a legitimate interest in ensuring that we maintain an appropriate level of client customer service;
• to protect our partners, clients, premises and property, we naturally have CCTV systems in place which record images only. Due to their ability to enhance security and reduce fraudulent activity, we could have both a legitimate interest in handling such information, and a legal obligation to ensure that such data provides for a safe working environment (which could lead to us sharing data with law enforcement and other support bodies);
• to maintain the integrity of our website, for ourselves and visitors, we have a legitimate business interest in using security software to monitor browsing activity and to filter out potentially undesirable communications on the basis of IP addresses and other electronic identifiers;
• to ensure individuals are above the age of consent and legally allowed to be within our premises, we would have a legal obligation to ensure individuals provide appropriate documents, as well as a legitimate business interest in verifying that such information is correct.
How is personal data protected?
Given the nature of the business, we understand that data security and personal privacy is important, so, based on professional guidance, appropriate steps are taken to limit both physical and electronic access to it. In particular, data which is processed directly by ourselves is stored in the UK, although for third-parties, such as Twitter, it may be stored in a non-EU state (albeit in accordance with their own obligations under GDPR).
Where collected, data is only processed for as long as it is required for its intended purpose, being deleted completely or anonymised in a non-identifiable manner for statistical purposes. Thus, for example, while the hard disk drive on the CCTV system will be overwritten in a relatively short timespan, thereby completely removing all processed images, when it comes to web surfing data, information could be collated for a longer period of time, in order to build up a more complete idea of how popular a particular page is or how successful a certain advertising avenue is.
Who is personal data shared with?
Unless absolutely necessary, we seek to avoid providing third-parties with any data which may have been processed. In the rare situations where this does occur, we will only provide access to particular data for precise purposes, and will actively monitor such services to ensure that they too comply with the requirements of the GDPR. Key instances where data may be accessed by third-parties include:
• should there be an incident which placed the safety of partners or visitors at risk, we would contact third-parties, such as the police and NUM, and provide them with relevant data which could help them to identify the perpetrator of such an event should further action be deemed necessary;
• in order to provide relevant services which are embedded on our website, we may allow companies such as GoDaddy, Google and Twitter access to information which allow their plugins and apps to function correctly.
In a similar vein, it is possible that third-parties may provide us with personal data which you have previously provided to them. Thus, for example, when submitting a booking request via a referral site such as AdultWork, information would be transmitted to ourselves that could include a name, username and phone number. In such circumstances, we strongly advise you to become aware of their privacy policies, as they may have differ in operating methods to ourselves.
Your rights over your personal data
You have certain rights under the GDPR regarding your personal data, including:
• the right to request access to any personal data which may be held on you, and which we would, depending on the circumstances, provide free of charge;
• the right to request that any data which is held on you is corrected should it be incorrect or incomplete;
• the right to object to the processing of data if this is being done on the basis of our assessment that we have a legitimate interest in doing so. We would have to comply with such a request, unless we feel that we have a legitimate interest in continuing to do so that overrides your request.
• the right to lodge a complain with the regulator, if you are unhappy with the response obtained. The regulator, which is, at this moment, the Information Commissioners Office, would have to right to investigate further and would have the right to request further personal information from you, whilst retaining its freedom to publish such information in the public sphere should it deem this to be necessary or appropriate.
In order to exercise your right to view or correct your personal data, please contact us by e-mail at email@example.com, stating clearly that you would like to exercise these rights. At this point, we will provide an appropriate response within the recommended timespan (currently one month). Should we choose not to action your request, we shall inform you of this, together with explaining the reasons for this decision.
Important Warning regarding Authentication of Access Requests
In order to verify that the request is genuine, and to prevent unauthorised attempts to gain access to personal data, we will have to verify your identity comprehensively before proceeding with any requests which have been made under this privacy notice. Should such verification information not be provided; should we be dissatisfied that it is not genuine; or should we believe in any way that it has not been issued directly from the correct person, we will exercise our right under the GDPR not to proceed further.
Coronavirus Update - July 2020
As visitors may be aware, the government has stated that a track-and-trace system will be running in England on behalf of the NHS. The stated purpose is to assist in monitoring and dealing with potential COVID-19 infections in the country [external guidance here]. We are satisfied that this will have a minimal impact on visitor privacy, as we will not require additional information to be provided than is needed to meet our obligations. Should we ever be contacted by the NHS, we will naturally endeavour to ensure that the source is genuine, using safeguards which are already in place.