Privacy Policy

Privacy Statement and Controller contact details

This Privacy Statement describes our policies and procedures on the collection, use and disclosure of your information when you use our services. It also outlines your Privacy Rights and how the law protects you.

 

We take privacy and the protection of personal and sensitive information seriously and are committed to protecting your data and complying with the data regulations to their full extent. Our Privacy Statement explains how we use and protect your personal information, to show that we are adhering to the GDPR/UK GDPR and Data Protection Act 2018.

 

Data Privacy Simplified Ltd (DPS) is the data controller for the information being processed, unless otherwise stated. If you wish to contact us this can be done via email or telephone.

 

A data controller is the business that collects your data AND decides how it is processed. A data processor is the business that may process personal data but only acts on behalf of the data controller.

 

Where DPS trades as DPS & BJM IG Privacy Training, DPS is still the data controller for the information that is being processed unless otherwise stated. 

 

You can email our Data Protection Officer (DPO) Tania Palmariello via tania@dataprivacysimplified.co.uk or call her on 07384 780 865 with any queries you may have in relation to this privacy statement or your privacy rights as an individual.

 

You can also write to us, using the following address:

 

DPO

31 Rooksmead

Bedford

MK41 7QX

 

The UK GDPR requires every organisation that processes personal information to be registered with the Information Commissioner's Office (ICO). Our registration number is ZB148373 and you can find us on the Information Commissioner's register and searching for us by using our registration number.

 

Our promise to you

We are committed to our responsibility to be fair, lawful, and transparent when it comes to managing your information. We endeavour to make our processing activities easy to read and understand and we welcome your feedback. We promise that:

 

• We will do everything physically possible to keep your information secure and confidential.

• You are in control of how we communicate with you – and you can change your preferences at any time by contacting us.

• We will train our staff to ensure that they know how to manage your information appropriately and in line with regulations.

• We will not transfer your data to third parties, except for trusted partners who carry our specialist processing e.g., accountant, bank for financial transactions.

• We have done all checks possible to verify that any third parties comply with data protection legislation and will only use them if we are satisfied that they take your privacy seriously.

 

Legal Bases

Where we process personal data, we will only this if we have identified a legal basis to do so according to the UK GDPR.

 

Where we process special categories of personal data, we will only do so if additionally, to a legal basis, we have identified a condition for processing under article 9.

 

Generally, for personal data, we rely on CONSENT, CONTRACT or LEGITIMATE INTEREST, depending on the purpose of processing. We will delete or anonymise your data as soon as it is no longer needed and not required by law.

 

For special category data, which we will only process if there is a need to do so, we will generally use EXPLICIT CONSENT, EMPLOYMENT, SOCIAL SECURITY AND SOCIAL PROTECTION (only where the law permits) or VITAL INTERESTS as a condition for processing this. We will also delete the information as soon as it is no longer needed and not required by law.

 

​Personal Data that we process

Information we collect and store depends on the service you have requested or are interested in requesting and whether or not we are entering into a contract.

 

We always collect the minimum data necessary for the purpose of the services requested. For more information about the individual categories and purposes of data we collect please look at the relevant heading below.

 

Working for us

If you work for us, we will only collect the information that is necessary and that we are legally required to process to pay you and are necessary to maintain a working relationship. These details will be required and our legal basis for processing is CONTRACT.

 

Where you provide additional information, you do this voluntarily and/or in order to receive company benefits and our legal basis for processing these details are CONSENT. Where we rely on CONSENT for processing, you can always exercise your right to withdraw CONSENT, although you will need to bear in mind that this may affect your ability to use some of these benefits.

 

We will retain your data in line with statutory requirements, after which it will be safely and securely destructed, in line with the storage limitation principle. 

 

It is your responsibility to inform us of any changes to your personal that so that we can keep it accurate in line with data protection principles.

 

Where we process special category data, we will only do this if we have a legal obligation to do so or you have given us explicit consent. In either case, we will only to so if we have identified an additional condition for processing as specified in article 9 of the UK GDPR.  

 

For employment purposes your personal details will be processed on the legal basis of CONTRACT and special category data under the additional condition for processing of EMPLOYMENT.

 

Contracting us

If you do take one of our consultancy services offerings, we will be entering into a contractual relationship with you. We will collect your organisations details, your contact details, and any details of contacts you provide us with to enable us to fulfil our contractual obligations towards you. In addition, we will process commercial, confidential, and sensitive information that you provide us with for the purposes specified in the contract and data processing agreement. We also will process financial details for the purpose of invoicing and financial transactions. When our contract ends, we will follow all instructions as per our contract with you in relation to all personal and other data that we have processed on your behalf. The legal basis we use is CONTRACT.

 

Enquiring for our services

If you enquire about our services, we will collect the personal details that you provide us with. This information will be collected either via email or telephone depending on your preferred contact method. As you provide this information voluntarily, we rely on your CONSENT for the purposes that you have specified in your enquiry. In some cases, we may contact you in relation to other services and will rely on LEGITIMATE INTEREST to process your data. This will only be in cases where we can identify a LEGITIMATE INTEREST and only if you have not asked us not to contact you for other purposes. You can request for your information to be deleted at any time; however, we might not be able to provide you with a reply to your enquiry if you request deletion prior to us responding. We will remind you annually of your rights to update your preferences. Where you ask for your information to be deleted, we will do this safely and securely so that it cannot be retrieved.

​

Training / Event attendance

For training and events, we collect and process the minimal amount necessary to deliver the training and issue you with your certificates. We may also need to use this data for other administrative purposes as required depending on the service requested.

 

Usually, the information required will be Name, Phone Number, Email Address, unless otherwise specified.

​

For some training events, additional information might be required such as dietary requirements, accessibility adjustments, emergency contacts but we will inform you, should we require this information. You can request for additional information to be deleted after you’re your event/training.

 

Where we provide training certificates, we will stick to statutory requirements for retention.

 

We only hold digital copies of certificates.

 

Highfield accredited certificates will be sent to you via email by us, however we will delete these immediately after. Highfield Qualifications are the data controller for these certificates and any copies must be ordered from the directly. Their privacy notice can be found here.

​

For training attendance and payments, we use other third parties to process some of your details. They are acting on our behalf and their privacy policies can be found by clicking their links:

​

Go Cardless – Bank payments

Lloyds Bank – Bank payments

Eventbrite – Events and trainings

Hubken Training – Online learning platform

​

For training and events, our legal basis is CONTRACT and where special category data is used, we rely on EXPLICIT CONSENT as a condition of processing.

​

Job Enquiry

If you have applied for a job with us, we will hold your information in line with statutory or recommended retention periods. We will contact you with any relevant job roles that may be available and if not, ask you if you would like us to keep your details on file, in which case we will keep and send you updates to remind you of opportunities and that you can change your preferences at any time. For job enquiries we will use CONSENT as a legal basis for processing.

 

International Transfers

We do not normally transfer data outside the European Economic Area (EEA). However, where there is a specific service need for data to be transferred to the EEA through a third party, we will ensure that we and they put appropriate safeguards in place. 

 

We use the following Microsoft products: Teams, SharePoint and Outlook which are supported by backup servers in the UK. Microsoft have confirmed that other tools such as Microsoft Forms are backed up on servers outside of the UK but within the EEA. We will only use Microsoft Forms if requested or approved by our clients. We have a Data Protection Impact Assessment in place for the use of Microsoft 365 and appropriate standard operating procedures for our staff to ensure safe usage.

Information Sharing, Security and Retention

We will not share your information with any third parties for the purposes of direct marketing.

 

We use third parties to support the provision of our services and therefore under GDPR/ UK GDPR they are considered data processors. These third parties include accountancy services, banking services and freelancers.

 

Apart from the aforementioned, we use the following cloud-based applications for hosting, storing, and processing your data, depending on the service or contract we have with you:

 

(The below links will take you to the provider websites and relevant privacy policies/notices)

​

• Microsoft 365

• NHS Net where applicable 

• Quickbooks 

• Prove Privacy 

 

We and our cloud providers will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

​

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

​

We have strong security controls in place and are compliant with the Data Security Protection Security Toolkit (DSPT) and have Cyber Essential Certification.  

​

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

 

Your Data Protection Rights

Under data protection law you have certain rights that you can exercise in regard to your personal data, these are outlined below:

 

1. You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

​

1. You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

​

1. You have the right to ask us to erase your personal information in certain circumstances.

​

1. You have the right to ask us to restrict the processing of your information in certain circumstances.

 

 

1. You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests.

 

1. Your right to portability only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right applies when we are processing your data with your consent or for the performance of a contract and when we are carrying out the processing by automated means.

 

Your rights are not absolute in some cases and exemptions and/or restrictions may apply. You can find out more about your rights on the ICO website.

 

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us via email tania@dataprivacysimplified.co.uk or via phone 07384 780 865. You also have the right to complain to the ICO if you are unhappy with how we use or have used your data.

 

The ICO's address:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

​Helpline number: 0303 123 1113

Website: https://ico.org.uk