Privacy & Data Protection Policy for ACVO TSI
Information we collect
The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.
If you contact us directly, we may receive additional information about you such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.
When you register for an Account, we may ask for your contact information, including items such as name, company name, address, email address, and telephone number.
How we use your information
We use the information we collect in various ways, including to:
- Provide, operate, and maintain our website
- Improve, personalize, and expand our website
- Understand and analyze how you use our website
- Develop new products, services, features, and functionality
- Communicate with you, either directly or through one of our partners, including for customer service, to provide you with updates and other information relating to the website, and for marketing and promotional purposes
- Send you emails
- Find and prevent fraud
ACVO TSI follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this as a part of hosting services’ analytics. The information collected by log files includes internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users’ movement on the website, and gathering demographic information.
Cookies and Web Beacons
Like any other website, ACVO TSI uses ‘cookies’. These cookies are used to store information including visitors’ preferences, and the pages on the website that the visitor accessed or visited. The information is used to optimize the users’ experience by customizing our web page content based on visitors’ browser type and/or other information.
For more general information on cookies, please read “What Are Cookies”.
Advertising Partners Privacy Policies
Note that ACVO TSI has no access to or control over these cookies that are used by third-party advertisers.
Third Party Privacy Policies
You can choose to disable cookies through your individual browser options. More detailed information about cookie management with specific web browsers can be found at the browsers’ respective websites.
CCPA Privacy Rights (Do Not Sell My Personal Information)
Under the CCPA, among other rights, California consumers have the right to:
- Request that a business that collects a consumer’s personal data disclose the categories and specific pieces of personal data that a business has collected about consumers.
- Request that a business delete any personal data about the consumer that a business has collected.
- Request that a business that sells a consumer’s personal data, not sell the consumer’s personal data.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.
GDPR Data Protection Rights
We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
- The right to access – You have the right to request copies of your personal data. We may charge you a small fee for this service.
- The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.
- The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
- The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
- The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
- The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.
Another part of our priority is adding protection for children while using the internet. We encourage parents and guardians to observe, participate in, and/or monitor and guide their online activity.
ACVO TSI does not knowingly collect any Personal Identifiable Information from children under the age of 13. If you think that your child provided this kind of information on our website, we strongly encourage you to contact us immediately and we will use our best efforts to promptly remove such information from our records.
Data Protection Policy
This Policy relates to information from which individuals can be identified and sets out how the Company will manage such information.
Throughout this Policy, the following definitions apply:
Company name: ACVO TSI
Company Personnel: all employees, workers, consultants, directors, members.
Data Controller: the person or organisation that determines when, why and how to process Personal Data.
Data Protection Act 2018: the Data Protection Act 2018, as amended from time to time.
Data Subject: an identified or identifiable individual about whom we hold Personal Data.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity.
Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the GDPR. Where a DPO has not been appointed, this term refers to the data protection compliance manager or refers to the Company data protection/privacy team with responsibility for data protection compliance.
General Data Protection Regulation (GDPR): the EU General Data Protection Regulation.
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers.
Personal Data Breach: the loss, or unauthorised access, disclosure or acquisition of Personal Data.
Privacy Guidelines: the Company Privacy/GDPR and Data Protection Act 2018 related guidelines provided to assist in interpreting and implementing this Data Protection Policy and Related Policies, as amended from time to time. These are available from Maggie Hepburn.
Privacy Notices: separate notices setting out information that may be provided to you that details why we collect information about you and what we do with it.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Related Policies: the Company’s policies, operating procedures or processes related to this Data Protection Policy and designed to protect Personal Data, as amended from time to time. These are available from: Maggie Hepburn.
Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
This Data Protection Policy applies to all Personal Data the Company processes regardless of how that data is stored or whether it relates to past or present employees, apprentices, workers, contractors, agency workers, volunteers and interns.
This Data Protection Policy applies to all Company Personnel. You must read, understand and comply with this Data Protection Policy. You must also comply with all such Related Policies and Privacy Guidelines, including any amendments. Any employee who is found to have breached this Data Protection Policy may be subject to disciplinary action up to and including summary dismissal.
We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful business operations. It is a critical responsibility that we take seriously at all times.
Whilst employees are required to comply with the terms of this Data Protection Policy, it does not form part of their employment contract.
Please contact [Maggie Hepburn/Data Protection Compliance Manager/the DPO] with any questions about the operation of this Data Protection Policy or if you have any concerns that this Data Protection Policy is not being or has not been followed.
4. TYPES OF DATA WE HOLD
Personal data is kept in personnel files or within the Company’s HR systems. The type of data held by the Company includes but is not limited to the following:
- name, address, phone numbers – for individual and next of kin
- CVs and other information gathered during recruitment
- references from former employers
- National Insurance numbers
- job title, job descriptions and pay grades
- conduct issues such as letters of concern, disciplinary proceedings
- internal performance information
- medical or health information
- sickness absence record
- terms and conditions of employment
Relevant individuals should refer to the Company’s Privacy Notice for more information on the reasons for its processing activities, the lawful bases it relies on for the Processing and data retention periods.
5. PERSONAL DATA PROTECTION PRINCIPLES
5.1 LAWFULNESS AND FAIRNESS
Data may only be collected by the Company if the Processing is fair, lawful and for specified purposes, some of which are set out below:
(a) the Data Subject has given his or her consent;
(b) the Processing is necessary for the performance of a contract with the Data Subject;
(c) to meet our legal compliance obligations;
(d) to protect the Data Subject’s vital interests;
(e) to pursue our legitimate interests.
In some circumstances consent may be required. Consent should be freely given, specific and informed. It may also be withdrawn at any time.
Information in relation to how and why we collect data will be provided through appropriate Privacy Notices.
5.4 PURPOSE LIMITATION
Personal Data will be collected only for specified, explicit and legitimate purposes. It will not be further Processed in any manner incompatible with those purposes. We will not Process Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless the Data Subject has been informed and has consented where necessary.
5.5 DATA MINIMISATION
Personal Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. When Personal Data is no longer needed, it is deleted or anonymised in accordance with the Company’s data retention guidelines.
We will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. We will take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
5.7. STORAGE LIMITATION
Personal Data will be kept in an identifiable form for no longer than is necessary for the purposes for which the data is processed.
6. SECURITY INTEGRITY AND CONFIDENTIALITY
6.1 PROTECTING PERSONAL DATA
Personal Data will be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction as set out in our Information Technology Policy. Where you work remotely, whether at home or at client sites, or Process Personal Data on personal devices, you must follow our [remote/home working.
Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.
6.2 REPORTING A PERSONAL DATA BREACH
The GDPR [and Data Protection Act 2018] requires Data Controllers to notify any Personal Data Breach to the applicable regulator and, in certain instances, the Data Subject. We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so within 72 hours.
If you know or suspect that a Personal Data Breach has occurred, you should contact Maggie Hepburn immediately.
7. TRANSFER LIMITATION
If we transfer data outwith the EU we will comply with the Company’s guidelines on cross border data transfers which is available from Maggie Hepburn]. OR Where it appears necessary to transfer Personal Data outside of the UK, you must first contact the Information Commissioner’s Office for guidance on how this can be achieved within the scope of the GDPR [and Data Protection Act 2018].
8. COMPANY PROCEDURES
The Company has appointed Maggie Hepburn with a specific responsibility for protecting the personal data of individuals in respect of processing and controlling the data. If you wish further information in relation to the steps taken please contact Maggie Hepburn.
9. DATA SUBJECT’S RIGHTS AND REQUESTS
Data Subjects have certain rights when it comes to how we handle their Personal Data.
These include rights to: withdraw consent to Processing; receive certain information about the Data Controller’s Processing activities; request access to the Personal Data that we hold; ask us to erase Personal Data if it is no longer required for the purpose for which it was collected or Processed; to rectify inaccurate data; to complete incomplete data; restrict Processing in specific circumstances; challenge Processing which has been justified on the basis of our legitimate interests or in the public interest; prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else; be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms; make a complaint to the supervisory authority.
You must immediately forward any Data Subject request you make or receive to Maggie Hepburn and comply with the Company’s Data Subject response process.
We implement appropriate technical and organisational measures to ensure compliance with data protection principles. Our policies and procedures are one way in which we demonstrate our compliance with the GDPR and Data Protection Act 2018.
11. RECORD KEEPING
Where required by the GDPR [and Data Protection Act 2018] we will keep full and accurate records of all our data Processing activities. In addition, we will keep records of Data Subjects’ consents and procedures for obtaining consents, in accordance with the Company’s record keeping guidelines.
12. TRAINING AND AUDIT
We require all Company Personnel to read and understand the Data Protection Policy when they are inducted. In addition, you will be required to undergo training appropriate to your role to enable you to comply with the GDPR [and Data Protection Act 2018].
13. SHARING PERSONAL DATA
We will only share Personal Data with third parties where certain safeguards and contractual arrangements have been put in place.
We only share the Personal Data we hold with third parties, including but not limited to our service providers such as benefits providers, payroll providers and professional advisors if:
- we have a lawful basis for doing so;
- sharing the Personal Data complies with the Privacy Notices provided to the Data Subject and, if applicable, consent has been obtained; and
- the third party has agreed to comply with the required data security policies and procedures and put adequate security measures in place.
We may share the Personal Data we hold with another employee, agent or representative of our group [(which includes our subsidiaries and our ultimate holding company along with its subsidiaries)] if the recipient has a job-related need to know the information.
14. CHANGES TO THIS DATA PROTECTION POLICY
We reserve the right to change this Data Protection Policy at any time without notice to you.
This Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where the Company operates.