ATaC GDPR Privacy & Cookies Policy
Asbestos Removal Contractors Association Limited (“ARCA”/“We”/“Us”) are committed to protecting and respecting your privacy. All policies also apply to Asbestos Testing and Consulting (ATaC) which is a division of ARCA and to all our websites (www.arca.org.uk, www.atac.org.uk and www.arca.ie) (the “Sites”).
Unit 1 Stretton Business Park 2
Burton upon Trent
Information Commissioners Office Registration Reference: Z9332145
Purpose for processing
- To administer and provide membership services;
- To send communications to you such as information, news or surveys about ARCA or ATaC;
- To carry out our obligations arising from any contracts entered into between you and us;
- To prevent fraud and other prohibited or illegal activities;
- To meet legal and regulatory requirements;
- To notify you about changes to our services, including contacting you by email, telephone or post; and/or;
- To create records of qualification assessments and meetings otherwise, as disclosed to you at the point of collection.
Legal basis for processing:
We will only use your personal data when the law allows us to.
- We will use your personal data when you have given clear consent for us to process your personal data for a specific purpose (Basis: Art 6(a) GDPR).
- We will use your personal data where we need to perform a contract we have entered into with you (Basis: Art 6(b) GDPR).
- We will use your personal data for the purposes of the legitimate interests of the Association (Basis: Art 6(f) GDPR).
The kind of information we hold about you
We may collect and process the following data about you:
Information that you may provide: by filling in forms on the Sites; on forms or documents you send to us by post, email or by telephone. This includes information provided at the time of registering to use the Sites, by subscribing to our services or requesting further services whether on-line or by post or telephone. Such information may include your name, age, postal and email addresses, telephone number, national insurance number, qualifications and photograph.
We may also ask you for information when you report a problem with the Sites.
If you contact us, we may keep a record of that correspondence.
We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
Details of transactions you carry out through the Sites and of the fulfilment of your requests.
Details of your visits to the Sites including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access.
ARCA operates in accordance with the General Data Protection Regulation (GDPR) in respect of any personal information you may supply, e.g. name, address, e-mail, National Insurance number, photograph etc.
If you are a user with general public and anonymous access, the Sites do not store or capture personal information, but merely log your IP address which is automatically recognised by the web server. This statement only covers the Sites maintained by ARCA. This statement does not cover other websites linked to from within the Sites. The system will record your e-mail address and other information if volunteered to us by you. This shall be treated as proprietary and confidential, and will only be used to provide the services you have specifically signed up for. By subscribing to these services, you are giving your consent to ARCA to hold this information.
The details we hold about you may be updated or removed, and further information about qualifications you hold and the like, may be added to the data we store.
How is your personal information collected?
We collect personal data about you through your applications for membership, registration onto training courses or qualifications, during qualification assessments, during meetings and when you give us specific consent to receive marketing information, and data that is available in the public domain. This is collected online, by email, by post, by filling in a form, by telephone or by audio or video recording.
The recipients or categories of recipients of personal data
We may share your personal information with our suppliers who administer a service in order to provide you with the relevant service on our behalf, e.g. providing personal data to Awarding Organisations for the purposes of the award of a qualification. We may also disclose your personal information to third parties:
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation;
- In order to enforce or apply our agreements;
- To protect the rights, property, or safety of ARCA, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and
- To help ARCA or our affiliates analyse and/or improve our communication or relationship with you.
Except as described above, we will not disclose your personal information to third parties for their own marketing purposes unless you have provided consent.
- Reference Point Limited: Reference Point Limited is the technology provider for our smartcard ecosystem and acts as a data processor for your data on our behalf. Reference Point keeps a log of all online card transactions, which is used for support purposes, for helping us understand how cards are being used and for producing statistics about card use. Reference Point Limited may also process your data in order to provide us with technical support services.
- Person checking your card using Go Smart: When your card is read electronically, a copy of your card is recorded by Go Smart along with the time and location, where available. This provides a log of the cards that have been read for the person reading your card.
- Custom Card Services International Limited: In the case of physical cards, your personal data will be provided to Custom Card for the purpose of printing and encoding your card.
- Other recipients: Go Smart enables the person who has checked your card to forward a copy of your data to someone else - someone at head-office for example. Before doing this, the card checker should inform you who the data will be sent to and what it will be used for.
- Your card can also be checked electronically by some other software systems. Users of these systems are required to comply with applicable data protection rules when processing your data.
Your data and the EEA
The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) and by using ARCA products or services (including the Site), you consent to any such transfer of personal data outside the EEA. Personal Data held outside of the EEA will be stored with Mailchimp or Microsoft. Mailchimp’s agreement is certified with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework and Microsoft’s agreement complies with the EU-US Privacy Shield and EU Model Clauses, and therefore both comply with GDPR requirements.
We will not transfer any data that we collect or receive from you that constitutes personal data outside of the EEA unless there are appropriate safeguards or an adequacy decision in relation to the transfer as set out in the data protection legislation or the transfer otherwise complies with the data protection legislation. Such transfers may involve, for example, the use by Reference Point Limited of third party services allowing them to send e-mails or automated SMS messages on our behalf which make use of facilities in third countries to process and store data.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We will not retain your personal data longer than necessary, in relation to the purpose for which such data is processed.
By submitting applications for membership, ARMI Smartcards, booking forms for training courses or qualifications, or subscribing to any of our services or communications you agree to this storing or processing.
All data, including unencrypted audio and video recordings, and any transcripts produced from those recordings, will be stored on ARCA’s secure password protected IT system. Access to data will be restricted to those authorised by ARCA to process and view the data.
Where audio recording devices such as a dictation machines or mobile phones with dictation apps are used, which do not routinely offer encryption, the data will be transferred to ARCA’s secure password protected IT system as soon as practicable. Access to data will be restricted to those authorised by ARCA to process and view the data.
The data will be retained in accordance with our policy on ‘retention period and criteria used to determine the retention period’ below
Retention period and criteria used to determine the retention period:
- Membership details and employees personal data associated with member companies shall be stored for the duration of the membership. When companies are no longer members of the Association all personal data in relation to the company shall be permanently deleted, unless any of the employees have undertaken a training course or qualification within the past 3 years.
- All training and qualification delegate personal data, including audio and video recordings, will be permanently deleted or destroyed 3 years after the qualification or training course has been completed.
- All marketing information will have an ‘opt out’ or ‘unsubscribe’ for recipients if you opt out of any of our marketing lists we will delete your personal information and not send that communication to you again unless you give us consent.
- Your ARMI Smartcard may be suspended or cancelled at our discretion. However, your card is otherwise valid until its expiry date.
- We shall hold your personal data and all your ARMI Smartcard data for as long as you hold a valid card and for a period of 3 years thereafter.
- Audio recordings for the purposes of confirming meeting minutes will be stored for no longer than necessary and will be permanently deleted once the minutes of the meeting are accepted by either ARCA or the meeting participants, whichever is the sooner, as a true record of the meeting.
You have the right to request access to your personal data and correction or erasure of your personal data. You also have rights to restrict the processing of your personal data or to object to processing in certain circumstances. You also have the right to request the transfer of your personal data to another party.
Where our processing is based on your explicit consent to our processing, you have the right to withdraw such consent (this will not affect the lawfulness of processing prior to the withdrawal of your consent).
If you wish to exercise any of these rights please contact firstname.lastname@example.org
Complaints to Information Commissioner
You have the right to lodge a complaint about our processing with the Information Commissioner.
Consequences of failure to provide personal data
Your provision of personal data to us is a requirement necessary for you to enter into a contract with us to provide our services. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you.
Automated decision making
Your personal data may be subject to automated decision-making, for example, data on your ARMI Smartcard may be used to determine whether or not you have the right qualifications to be gain electronic entry to a particular site.
A cookie is a small piece of data sent from a website and stored in the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember information or to record the user's browsing activity (clicking particular buttons, recording which pages were visited in the past).
We may use navigational data for system administration and to report aggregate information to our advertisers or other stakeholders. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.