Date Implemented: 07/08/2023
This statement is intended to provide you with information about how we process your personal data in our interactions with you. If you have any concerns or outstanding questions after reviewing this statement, then we encourage you to contact us by emailing our DPO at firstname.lastname@example.org or writing to Data Protection, 73 Moorclose Road, Queensbury, Bradford, West Yorkshire, BD13 2EB. ProvePrivacy Limited is registered in England & Wales: Company Number 11647885.
We process personal data in several ways as part of providing the ProvePrivacy full suite data compliance solution. This privacy statement outlines what data we collect, why we collect it and how we treat it whilst we are holding it. Please review the section which details how we might interact with you.
When you make an enquiry about ProvePrivacy you are likely to provide us with some personal data to enable us to contact you or respond to an enquiry. You may do this via our website or directly, by passing us your business card or any other similar method.
We may also research public sources to obtain business contact details, which we use in marketing our products and services. As business to business communications, these are outside of the scope of the Privacy in Electronic Communications Regulation (PECR) but are in scope of the Data Protection Act (2018). We therefore consider these communications to be in our legitimate interest, and we will always offer you the opportunity to opt out of these emails.
We normally retain this personal data for marketing purposes as long as we believe that we retain a legitimate interest to continue towards entering into a contract with you. Normally we will not retain this data for any longer than 12 months after our discussions are no longer active and we will always respect your decision if you ask us to stop contacting you.
We may also share this information with our marketing partners the Data Safety Hub, who will process your data on our behalf.
If you enter into a contract with us, we will consider you our Key Account Contact, unless you inform us otherwise. Key account contacts will be contacted by us when we need to communicate service messages relating to your account as part of our contractual obligation to you. These service messages may also include a notification of new functionality which becomes available; where this is the case, we consider these messages to be in our legitimate interest.
As part of managing our service we collect payments by direct debit. We use FastPay to administer this service on our behalf. FastPay are a joint controller in respect of the management of direct debit payments; you may contact either party in respect of these payments and we will manage any enquiries or concerns.
If we have obtained your personal data from a third party such as one of our Partners, we will inform you of this when we first correspond with you or at least within one month of receiving it.
If you have been introduced to us via one of our Partners then you should be aware that we will be a Joint Data Controller alongside the Partner in respect of the ProvePrivacy service. It is important to us that you understand that you can exercise your rights (outlined below) through correspondence with either ourselves or our Partner and we aim to make this as easy for you as possible. You should take some time out to review the Partner's privacy statement as well as this one in order to understand how they treat your personal data.
‘Subscriber content’ is the information added to the ProvePrivacy system by an organisation which subscribes to the service; this may include personal information such as your name and email address.
ProvePrivacy is the Data Processor for this personal data and the Subscriber shall be the Data Controller in respect of the Subscriber Content. The Subscriber shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Subscriber Content and you should refer to their privacy statement in respect of your rights as a data subject.
The Subscriber, ProvePrivacy and our approved Advisory Partners will have access to the Subscriber Content and may be required to access this as part of maintaining your account, such as for resetting passwords etc. Neither ProvePrivacy nor any Partner in its Partner Network will use your personal information for any purpose other than to administer the system.
ProvePrivacy do not delete any of your data when you leave your employment, although your employer may choose to do so. We will retain Subscriber Content until our relationship with your employer no longer exists, at which point we will erase all of the employer's records within one month of the service ending.
As part of the contractual agreement with your employer, ProvePrivacy will share your login details with Roebuck Management Limited, trading as knowledgezone.co.uk in order to provide access to the ‘Awareness Training’. This data will be provided solely to enable access to the knowledgezone learning portal.
If you are one of our Partners, then we will process personal information in order to undertake the management of the contract between us. This means that we will hold contact information, account information as well as financial information, which is needed to pay you your referral fees.
We may share this data with a third party if this is required to manage our relationship. For example, if there is a dispute over payments of invoices then data may be shared with debt recovery organisations.
We will retain this information for the duration of our relationship, plus a period of up to seven years in order that we might meet any of our accounting obligations.
ProvePrivacy and our Partners are each Data Controllers in respect of the personal data relating to any potential Subscribers (Subscriber Contact Data).
Personal data is shared for the following Permitted Purposes:
- Subscribers' personal data may be shared to manage the contractual relationship with the Subscriber.
- Subscribers' personal data may be shared to effect any maintenance or administrative changes to the ProvePrivacy platform.
- Subscribers' personal data may be shared in order to assist the Subscriber with the management of their risks or issues identified as part of their use of the ProvePrivacy platform.
Where Shared Personal Data exists, we are jointly responsible to ensure:
- it is accurate and up-to-date and has at all times been collected, processed and transferred in accordance with data protection legislation;
- each relevant Data Subject has been provided with sufficient information to enable fair, transparent and lawful processing of the Shared Personal Data for the Permitted Purpose;
- it is entitled to transfer, and the other party is entitled to Process all Shared Personal Data for the Permitted Purpose in accordance with all Data Protection Legislation.
If you are associated with ProvePrivacy through our supply chain, we are likely to retain personal data with employees in your organisation with respect to managing any correspondence relating to the contract in place between our organisations. For example, we may hold email addresses or mobile phone numbers which we will use for contacting you. We will retain this information for as long as our relationship with you is current, plus a period of up to seven years in order that we might meet any of our accounting obligations.
We may share this data with a third party if this is required to manage our relationship. For example, if there is a dispute over payments of invoices then data may be shared with debt recovery organisations.
If you make a ‘New Feature’ suggestion via our website, then you may provide us with personal information at that time. We will ask for your consent to contact you to inform you when new functionality is added. You will be provided with the opportunity to withdraw consent on each communication and you can withdraw consent at any time by emailing us at email@example.com. We retain all new feature requests for a period of up to 24 months, which we believe is in our legitimate interest, as not all requests will be relevant to our roadmap immediately.
If you raise a ‘Service Request’ via our website we will ask you for contact information as part of the issue logging process. We need this in order to follow up with you in resolving your issue and meeting our contractual obligations. We retain all service incidents for a period of up to 24 months after the issue has been resolved.
If you make an ‘Enquiry’ via any of the contact forms on our website then we will treat this information as outlined in the ‘Potential Client’ section.
If you have applied for a job role with ProvePrivacy it is likely that you have provided us with personal information to support your application, typically a CV and contact details. We will use the information provided to review if you are suitable for an interview and we may also collect additional information from other sources such as your referees or from social media.
If you are unsuccessful at any stage, then we may retain your personal information for up to an additional six months. We do this in order that we can meet our employment law obligations, but we may also use this information in our legitimate interest, to contact you again if we wish to revisit the application.
If you are successful in your application, we will provide you with an employees' Privacy Statement which will detail how we treat the personal data of our employees. You will receive this as part of your offer notification.
You have the right to be informed about the data that we process on your behalf. In most cases we will ensure that the Privacy Statement you are reading now is the means by which we inform you of our usage of your personal data. This will change from time to time and will always be dated in order that you know when this version came into effect.
There may be circumstances where you would not reasonably be expected to have had visibility of this statement when we obtain your data, such as when someone else provides us with it. In these circumstances we will inform you when we first communicate with you and at least within 30 days of receiving the data.
You have the right to access any personal data that we process on your behalf. If we do not hold any of your personal data, we will inform you of this also.
We will provide this on request and we will also provide you with the purposes for which we process your data. If we have transferred your data to a ‘third country’, then we will inform you of the safeguards that we have put in place to ensure that it receives the same protections as you would expect.
We will provide you with a copy of any personal data free of charge, except in circumstances where additional copies of the same data are requested or where we deem your request to be excessive, where we may apply a reasonable fee to cover our administration costs.
It is our policy to ensure that any personal data that we hold remains accurate and up to date. If you believe that we are processing inaccurate personal data, you have the right to have this personal data corrected.
We may ask you to prove your identity to us prior to making any changes in order to confirm the integrity of the request.
You have the right to have your personal data removed from our systems. This right only applies where:
- the personal data is no longer necessary for the purposes for which it was collected
- we processed your personal data on the basis of your consent and you have withdrawn this
- we are processing your personal data on the basis of legitimate interest and there are no legitimate grounds remaining for its continued use
- the processing is deemed unlawful
- the personal data must be erased to comply with a legal obligation
- where the data applies to a child and their usage of ‘information society services’
You have the right to ask us to restrict or cease the processing of your personal data. You may wish to use this right if you want to ask us to stop doing something, but not erase the data. This may be necessary, for example, if the data we are processing is incorrect, or you need us not to erase the data in order that you can retain it as evidence against legal claims etc.
You have the right to ask us to transfer your personal data to another Data Controller where the processing is based upon a contract with you or with your consent and the data is processed by automated means.
You have the right to object to any processing which is based upon our legitimate interests (or in the public interest).
You have the right not to be subject to a decision based solely on automated means, for example in any automated scoring systems we might apply to learning.
Where you exercise this right, you have the right to have an individual make this decision based upon the original facts and any other information that you might provide.
In the case of the rights above numbered 2 through to 8, ProvePrivacy will assess the request against any of our contractual or lawful obligations before responding. If we conclude that we must reject your request we will provide you with a rationale. In all circumstances we will respond to a request within 30 days.
If you do not accept our decision, or if you have any other reason to be concerned about how we treat your personal data then you have the right to register a complaint regarding the use of your personal data to a supervisory authority at any time. The UK’s supervisory authority is the Information Commissioner's Office, details of which can be found at ico.org.uk.
International Data Transfers
ProvePrivacy do not routinely transfer personal data outside of the UK or the EU. The ProvePrivacy platform’s data servers are situated in the Republic of Ireland and normal administrative usage occurs within the UK.
If there are exceptional circumstances where your personal data needs to be processed outside of the EU, we will ensure that we have put in place recognised safeguards or that the transfer is subject to a recognised exception (as documented in UK and EU Data Protection Regulation).
What are cookies?
Cookies are simple ‘text files’ which are downloaded onto your computer the first time that you visit a website and they can then be read by the website. Typically, they contain two pieces of information: a site name and unique user ID. Cookies are NOT programs and do not run anything on your computer.
How do cookies help me?
Some cookies are sophisticated and might record things like your preferences for page layouts and colour schemes. They can also be used to store data for example for things like progress in a training course or information on what is in your ‘shopping cart’.
The possibilities are endless, and generally the role of cookies is beneficial, making your interaction with frequently-visited sites smoother – for no extra effort on your part.
What should I be wary of?
By their nature cookies are recording behavioural data on your habits on websites and sharing this with the organisation. If you do not trust the organisation then you should be wary about the information being shared with them as they can influence what you see on the internet, for example through targeted advertising. As this can occur without warning we believe (and the law states) that you need to be aware when cookies are in use and provide your consent to their usage.
What Cookies do ProvePrivacy use?
ProvePrivacy do not currently use any cookies on their website; once we do, we will inform you of them here.