1 IDENTITY AND CONTACT DETAILSWORSLEY TRAINING LTD registered offices are 4 Andover Road, Upavon, United Kingdom, SN9 6EB, United Kingdom. Our telephone number is +44 (0) 7887 562613. You can contact us by email using firstname.lastname@example.org. We are a limited company registered no. 12496006 (England and Wales).
Worsley Training provides first aid training and certification. We provide a support service to our clients by sending regular newsletters containing relevant information and reminders of first aid information.
Our designated supervisory authority under the Data Protection Act 2018 and the UK’s General Data Protection Regulation (GDPR) is the Information Commissioner’s Office (ICO). We are based in the United Kingdom.
To contact the individual in charge of Data Protection in our company please use the details shown.
2 WHAT DATA WE PROCESSWorsley Training processes data on our:
• Current and potential suppliers.
We process information on individuals who are clients of Worsley Training, or those looking to engage with us and use our services. We process this data so that we can engage with the individuals to provide them with our services, manage the administration that relate to the provision of our services, or we process the data as we are taking steps to enter into a contract to provide these services.
We capture information on these individuals through the various mechanisms used to engage with them. An example is the contact form on our website.
The information we capture on these individuals will include basic contact details such as name, telephone number and email address, some more technical information that is captured when our website is used (e.g. cookies and IP addresses), and postal address, so that we can contact them and set up meetings and engage in work with them.
We work with children as a part of our training services, but do not capture names or other personal data details on the children.
We use the legal basis of contract to process this data. We do not capture special category information on these individuals.
2.2 PROSPECTIVE CUSTOMERS
Worsley Training captures information on individuals who we believe could have a need for our services (prospective customers). We use this data for direct marketing.
We can either capture this data directly from the individuals in the process of selling to them, from their engagement with us, or we can licence this data from reputable data providers.
The information we capture on these individuals will include basic contact details such as name, telephone number, email address, postal address and some more technical information that is captured when our website is used (e.g. cookies and IP addresses).
We do not process special category data on these individuals.
It is in our interests to process this data so that we can obtain further clients and so legitimate interests is the basis for processing we rely on for processing this type of personal data. We have conducted our gating and balancing tests to determine whether our legitimate interests do not outweigh the rights and freedoms of the individuals we are targeting.
Where regulations mandate that that we must obtain consent from individuals, for example if the data subject is not an employee of a corporate business (not a ‘corporate subscriber’) and we intend to use email to communicate, then we will use the lawful basis of consent to process data to promote our services.
This lawful basis of consent can include the use of a ‘soft opt-in’ where the individuals we are targeting have engaged our services, or their first-aid certification term has ended, within the past 2 years.
We define ‘staff’ from the perspective of data protection to include employees, contractors and consultants that might do work for our company.
2.3.1 Employment contract
We process data so that we can manage the staff that work for Worsley Training. We can also process data under this category where the individual is taking steps to enter into a contract with us (for example where we are recruiting an employee for Worsley Training). We capture this information in the course of recruiting and ‘on-boarding’ an individual to work with us.
The information we capture for this reason will include basic contact details such as name, telephone number, email address, postal address and details needed to process payments under the contracts such as bank account details and national insurance numbers. We will also capture information that relates to the
appraisal of performance and timekeeping.
We use the legal basis of ‘contract’ to process this data.
We can capture special category information (for example health-related information when people are off sick, or when evaluating our duties under equalities regulations).
The reason we process the Special Category data is when it is necessary to do so for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
We can capture criminal offence information (specifically, we use the Disclosure and Barring Service to check criminal records for staff we intend to hire) on this data.
The reason we process the Criminal Offence data is when Preventing or detecting unlawful acts.
We have an appropriate policy document in place relating to this special category and criminal offence data
2.3.2 Employment operations
We also process information on staff and their next of kin where it is in Worsley Training’s interest to do so for operational efficiency. As examples: so that we can keep staff up-to-date with Worsley Training news, maintain a list of the staff’s next of kin for communication in the event of an emergency, or to create business cards for staff, or use their photographs on our organisation’s web
pages. We capture this information as a part of the employee ‘on-boarding’ process and we update the data at regular intervals.
The type of data that we process for this need includes name, email address, telephone number and images of the individual.
We use the lawful basis of ‘legitimate interests’ to process this data. We have completed the specification, gate analysis and balancing tests specified under GDPR for this data.
We do not capture special category information on this data.
If the data on staff or next of kin is ever used in an emergency, then we may process this data using a legal basis of ‘vital interests’.
We process information on suppliers so that we can purchase goods and services from them. We capture this information either from recommendations or by using data provided by the suppliers on their web sites or directories.
We capture individuals’ names, email addresses and telephone numbers on current or prospective suppliers.
We use the lawful basis of ‘contract’ to process this data.
We do not capture special category information on this data.
2.5 ANY RECIPIENT OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA
Worsley Training pass data on to other data controllers for the following purposes:
• For data relating to those applying to be members of staff or for staff who have found other employment after the end of a contract, we share data with third parties to obtain and provide references.
• We share data with organisations with which we have a legal obligation to share data (for example HMRC or where we are required to share data with parties involved in the legal disputes in which we are representing our clients).
• We share data on staff with organisations where we are acting as an intermediary between the staff and an organisation providing benefits to the staff member (for example pension providers).
• We share data with organisations who use such data for non-marketing purposes (including credit and risk assessment and management, identification and fraud prevention, debt collection and returning assets to you).
We will not transfer your data to countries outside the UK to destinations that are not considered ‘adequate’ by relevant legislation without additional safeguards.
We transfer data to other organisations who are processors of data that we control. We maintain a list of Worsley Training data processors and ensure that we have data processing agreements between Worsley Training and the data processor. Where relevant and if the data processor transfer data outside of the UK and EEA, we obtain commitment from the data processors that additional safeguards are in place.
2.6 RETENTION PERIOD OR CRITERIA USED TO DETERMINE THE RETENTION PERIOD
• We will retain information on clients for 6 years after an engagement as we will need to retain this information for financial and legal purposes.
• We will retain information that we use on prospective customers for the purposes of direct marketing where we use legitimate interests as a lawful basis for processing the data for as long as we believe the data is valid, and the prospective customer has not objected to our processing of the data.
• We will retain information that we use on prospective customers for the purposes of direct marketing where we use consent as a lawful basis for processing the data for 2 years after the latest interaction with the individual.
• We will retain the details of the suppliers or partners for as long as we might have a need for the services that the supplier or partner offer.
• We will retain some information on staff members for 7 years after their employment with us ends, as we need to retain information on staff members for legal reasons.
• We are required to keep some details of those on our first-aid courses (assessment papers, course register and feedback forms) for three and a half years.
• We will retain information on individuals who we have details on for recruitment purposes for 6 months after the job role that they were being considered for has been filled. If we believe that their details may be suitable for future roles, we will obtain their consent to retain their CVs for longer periods.
If any of these data retention timescales clash with legal or contractual obligations then these other obligations will override the retention timescales outlined above.
All records are disposed of securely when deleted. We will review the data before deletion to make sure that there are no special factors that we need to take account of in the deletion of the records.
3 HOW WE LOOK AFTER DATAWe take reasonable technical and procedural precautions to prevent the loss, misuse or unauthorised alteration of personal data.
We protect our IT system from cyber attack. Access to your personal data is password-protected, available to relevant personnel only, and sensitive data is secured by encryption. We regularly monitor our system for possible vulnerabilities and attacks.
We do not publish the details of the safeguards we use to protect the personal data that we control as this could reduce the effectiveness of those safeguards.
4 COOKIESA cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website. By law, we may not place cookies on your computer without your consent, unless they are strictly necessary to the operation of the service that we provide on the website.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
We use Google Analytics to monitor how our website is being used so we can make improvements. Our use of Google Analytics requires us to pass to Google your IP address. In particular, Google may use the data collected to contextualise and personalise the ads of its own advertising network. You can opt out of Google Analytics by using this link: https://tools.google.com/dlpage/gaoptout?hl+en=GB.
6 YOUR RIGHTSWorsley Training recognises the rights of individuals as defined in the General Data Protection Regulation.
We will always seek to uphold those rights and the links provided should help you to communicate with us to exercise those rights, where relevant.
• Your right to be informed (this document and further information in communications we might send to you). For more information, please click here.
• Your right of access. For more information, please click here.
• Your right to rectification. For more information, please click here.
• Your right of erasure (right to be forgotten). For more information, please click here.
• Your right of restriction of processing. For more information, please click here.
• Your right to data portability. For more information, please click here.
• Your right to object. For more information, please click here.
We do not carry out decision-making and profiling based solely on automated means without any human involvement. For more information on your rights related to automated decision making, including profiling, please click here.
To send us email communications exercising or to discuss any aspect of the rights outlined, please use email@example.com or any of the contact details shown in the Identity and Contact Details section.
We recognise your right to lodge a complaint with a supervisory authority. You can access the ICO’s website from this link.
You can access a list of contact details for the EEA’s supervisory authorities using this link.