What is personal information?
Information relating to an identified or identifiable individual is “personal information”.
Personal information revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data, or data concerning health, sex life or sexual orientation is “special category personal information”.
Who we are
“We”, “us”, “our” refers to EMPOVA Consulting Ltd. When we collect, store and use personal information we are subject to the General Data Protection Regulation as the controller of that personal information.
Personal information we collect
We may collect and use the following personal information:
· Your name and contact information, including email address and telephone number and company details;
· Information to enable us to check and verify your identity;
· Your billing information, transaction and payment card information;
· Information to enable us to undertake credit or other financial checks on you;
· Your gender information;
· Location data
Personal information is required to provide products and/or services to you. If you do not provide personal information we ask for, it may delay or prevent us from being able to do so.
How we collect personal information
We will collect personal information directly from you in person, by telephone, text or e-mail [and/or via our website [app(s)]].
We may also collect information from publicly accessible sources, or directly from a third party, or from a third party with your consent, from cookies on our website; or from our IT systems, including our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems.
How we use personal information
Under data protection law, we can only use your personal information if we have a lawful reason for doing so. This can be:
· To comply with our legal and regulatory obligations;
· For the performance of our contract with you or to take steps at your request before entering into a contract;
· For our legitimate interests or those of a third party. A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests; or
· Where you have given consent.
Our lawful reasons for using personal information
· To provide you with products and/or services;
· To prevent and detect fraud against you or us;
· Conducting checks to identify our customers and verify their identity;
· Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business;
· Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies
· Ensuring business policies are adhered to, for example, policies covering security and internet use;
· Operational reasons, such as improving efficiency, training and quality control;
· Ensuring the confidentiality of commercially sensitive information;
· Statistical analysis to help us manage our business;
· Preventing unauthorised access and modifications to systems;
· Updating customer records;
· Statutory returns;
· Ensuring safe working practices, staff administration and assessments;
· Marketing our services;
· Credit reference checks via external credit reference agencies.
Use of special category personal information
The reasons listed above do not apply to special category personal information, which we will only process with your explicit consent.
Marketing or promotional communications
We may use your personal information to send you updates (by e-mail, text message, telephone or post) about our products and/or services.
We have a legitimate interest in processing your personal information for marketing or promotional purposes, so we usually do not need your consent. However, where consent is needed, we will ask for consent separately and clearly.
You have the right to opt out of receiving marketing or promotional communications from us at any time.
We may ask you to confirm or update your marketing preferences if you instruct us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business.
How we share personal information
We may share personal information with:
· [Other companies within the EMPOVA group;
· Third parties we use to help deliver our products and/or services to you, such as payment service providers, warehouses and delivery companies;
· Other third parties we use to help us run our business;
· Third parties approved by you, such as social media sites you choose to link your account to or third party payment providers;
· Credit reference agencies;
· Our insurers and brokers;
· Our bank[s].
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers relating to ensure they can only use your personal information to provide services to us and to you. We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
Where we store personal information
Information may be kept at our offices, and those of our group companies, third party agencies, service providers, representatives and agents.
Some of these third parties may be based outside the European Economic Area.
How long we retain personal information
We will retain your personal information while we are providing products and/or services to you.
After that, we will keep your personal information for as long as is necessary to respond to any questions, complaints or claims made by you or on your behalf; to show that we treated you fairly, and to keep records required by law.
We will not retain your personal information for longer than necessary for the purposes set out in this policy.
Transfer of personal information out of the EEA
We may share your personal information outside the European Economic Area (EEA). These transfers are subject to special rules under data protection law. [The following countries to which we transfer personal information have been assessed by the European Commission as having an adequate level of protection for personal information. We may transfer personal information to countries which do not have the same level of data protection laws as the UK and the EEA. We will, however, ensure the transfer complies with data protection law and that all personal information will be secure by putting in place the appropriate security measures, safeguards, and data protection contract clauses required.
Your rights under data protection law
You have the following rights under data protection law:
· The right to be provided with a copy of your personal information (the right of access);
· The right to require us to correct any mistakes in your personal information;
· The right to require us to delete your personal information in certain circumstances;
· The right to require us to restrict processing of your personal information in certain circumstances;
· The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party in certain circumstances;
· The right to object at any time to your personal information being processed for direct marketing (including profiling); and in certain other situations to our continued processing of your personal information;
· The right not to be subject to automated individual decision-making.
If you would like to exercise any of your rights, please contact us.
How we keep personal information secure
We have appropriate security measures to prevent personal information from being lost or used or accessed unlawfully. Only those who have a genuine business need to access personal information can see it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures to deal with a suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
How to contact us
If you have any questions or concerns about use of personal information, please contact us via our Data Protection Officer Natasha Wilson at firstname.lastname@example.org
How to make a complaint
We hope that our Data Protection Officer will be able to resolve any questions or concerns you may have about use of your information.
The supervisory authority for data protection complaints in the UK is the Information Commissioner who may be contacted at their website: https://ico.org.uk/concerns, or by telephone on 0303 123 1113.