GDPR Compliance Statement

Introduction

As an organization, we want to meet the requirements of the General Data Protection Regulation (GDPR). We also think it is important to give you as a customer (or potential customer) information about:

• the personal data that we process about you;
• the way we do that;
• the provision of data to others;
• how long we keep your data; and
• how we protect this data.

In addition, we want to inform you about your rights via this compliance statement. Finally, we want to let you know who you can go to with questions, requests or complaints.

Personal data is any information about an identified or identifiable natural person. For you, this means that that information refers directly to you or this information can be traced back to you.  Please note that business information such as a company address or general email address is not covered by GDPR, but we will hold and process such information within our secure systems, as we do with personal data.

The processing of personal data concerns all actions that we can carry out with your personal data, from collecting the data, through recording, storing, modifying data up to and including destruction.

Grounds on which we are allowed to process your data according to the law

The law is clear on six specific grounds:

1. Consent: Where you have given clear consent to us to use your data. Note: Supplying your personal data such as name and personal email address to the company or an employee of it implies consent that this information can be used by the business and it will become subject to this policy.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Note: This point includes information supplied for us to conduct our business transactions with you.
3. Legal Obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital Interests: the processing is necessary to protect someone’s life.
5. Public Task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. Note: This again covers the use of data in order to transact business with us.

Obligation to provide data

In order to transact business with you for the supply of goods, we will require information such as a name, address and contact details, but those provided can be those of a business rather than an individual.  There is no obligation to supply personal data about an individual should you prefer not to do so.

Where we supply training to individuals, personal data will be required to identify that individual in order to certify or confirm their participation.  Specific details of data collected and its use will be made clear to individuals and their specific consent will be required at the time of training, but training cannot be completed without the provision of such data.

The data that we process from you

The data provided by you and processed by the company may include the following:

• your name, first names, initials and possible title;
• your postal address;
• contact details including email addresses, telephone numbers or data to enact other communication methods;
• your bank account number;
• other data necessary for the implementation or application of a law.

The processing of the above data is only for one or more of the following purposes:

• To enact our regular business of supply of goods – taking orders, receiving monies and delivering goods, plus associated activity such as returning credits;
• To produce evidence of successful training that we have carried out on your behalf;
• For marketing purposes to keep you informed of the company’s business, news, products, offers, events and related activities. You can specifically opt out of receipt of such information at any time.  Opting out of the receipt of marketing information will not imply withdrawal of consent for business activity such as that detailed in the points above and where it will be necessary to retain data to continue to transact business.  In such an instance we will continue to hold your information for business transaction purposes.

 Transfer of your personal data

In principle, we only use your personal data for ourselves (our own business operations) and we only use this information for the purposes for which this data was obtained by us. In some cases, it may be necessary to pass on your details to others, such as to a party that processes data on our behalf.

With parties that process personal data on our behalf (the so-called ‘processors’), we conclude processing agreements (if necessary). We do this so that when we provide data to them, it is, among other things, well established that they also protect these data properly and they must report to us in case of a (presumption of a) data breach.

The storage of your personal data

When storing personal data, our basic principle is that we do not store data longer than necessary for the purpose for which we have processed it. As far as there are, we observe the statutory retention periods. Data may be retained by us for longer if we have a legitimate interest in it (for example, when legal proceedings are underway or have been announced and we must be able to defend ourselves).

We therefore expect to hold personal data that has been held for transactional periods for no longer than 8 years after the last related transaction (that is to hold it for 7 years as required by UK law and up to one further year to allow a period of time for disposal).

Data held in relation to training courses is held for up to one year after the validity of the issued training certificate.

Securing your personal data    

We will operate suitable security measures, software and processes to keep your data safe from data security breaches and will inform you if we believe a potential breach has occurred.

We therefore have in place an appropriate level of protection. We also update this periodically whenever necessary.

Your rights

You have the right under the GDPR to ask us, regarding your personal data, for:

• access to your data;
• a copy of your data;
• information about the processing of your data;
• correction of data that is actually incorrect;
• completion of incomplete information when necessary for the purpose for which the data is processed;
• deletion of your data (Note: we do not have to comply with this if we have a legitimate interest in (longer) storage of your data, when this is necessary in connection with the execution of your data or to comply with a legal obligation or on the basis of another reason stated in the law). Should you wish to continue to transact with the business, alternative data may need to be supplied before deletion can be carried out;
• limitation of the data we process for you (Note: we strive to collect as little data as possible (data minimization));
• objection to the use of your data;
• withdrawal of permission of all or some uses of your data;
• supply of your data in a standard or particular format and, if that is technically possible, transfer of this data to another party in this way;

To submit a complaint about your data or any of our use of it, please submit an initial complaint to

Sarah Andrews: sarah.andrews@s1e.co.uk or Olivia Davies: olivia.davies@s1e.co.uk

Alternatively, you can make a formal complaint directly to the Information Commissioner’s Office (ICO).  Current contact details and procedural points can be found at www.ico.org.uk

Contact person(s)

With questions, requests, or complaints about the processing of your personal data, you can contact: Sarah Andrews: sarah.andrews@s1e.co.uk or Olivia Davies: olivia.davies@s1e.co.uk