DTASC are registered with the UK Information Commissioner’s Office (“ICO”) on ZA142952
By telephone: + 44 (0) 1252 890995 By email: [email protected]
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)
‘an identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data protection principles
Direction Training Associates adheres to the following GDPR principles when processing your personal data:
- Lawfulness, fairness and transparency– data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation– data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation– data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy– data must be accurate and, where necessary, kept up to date.
- Storage limitation– data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality– data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.
What are your rights and how can you exercise them?
You may exercise the following rights under the conditions and within the lawful limits
- the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
- the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
- the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
- the right to object, in whole or in part, to the processing of your personal data; and
- the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.
- Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.
Responsibility of the controller
DTASC being a data controller and taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the General Data Protection regulation (GDPR). Those measures shall be reviewed and updated where necessary.
- Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
- Adherence to approved codes of conduct or approved certification mechanisms may be used as an element by which to demonstrate compliance with the obligations of the controller.
Our privacy promise
Transparency – We will always tell you what data we’re collecting about you and how we use it. We only share your data with trusted partners and will never sell your data.
Secure – We are committed to always follow industry best practices to ensure your data is stored safely and securely. We protect the confidentiality, accuracy and availability of the information we collect about you.
Control – We will always give you control over the marketing you receive from us. You can choose the types of messages you receive and whether you want to stop receiving any marketing communications.
Legal basis for the processing
If any legal basis for processing needs to be changed or updated over time, or if we have a new purpose which we did not originally anticipate, we will update this section as long as new purpose is compatible with the original purpose.
The lawful basis for processing
The lawful bases for processing are set out in Article 6 of the GDPR.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:
– we have obtained your prior consent to collect your data;
– the processing is necessary to perform our contractual obligations towards you or to
take pre-contractual steps at your request;
– the processing is necessary to comply with our legal or regulatory obligations; or
– the processing is necessary for our legitimate interests and does not unduly affect
your interests or fundamental rights and freedoms.
Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:
- to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
- to offer our products and services to our customers;
- to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks;
- to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
- to meet our corporate and social responsibility objectives.
Purposes of the processing of data
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process your personal data for the following purposes:
- for the purposes of our employees, clients and to manage our third party suppliers and service providers;
- organise tender-offers (if applicable), implement tasks in preparation of or to perform existing contracts;
- monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
- grant you access to our training modules allowing you to provide us with certain services;
- manage our IT resources, including infrastructure management and business continuity;
- preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
- manage mergers and acquisitions involving our company;
- archiving and record-keeping;
- billing and invoicing; and
- any other purposes imposed by law and authorities.
Who has access to your personal data and who are they transferred to?
DTASC hold your data and we will not sell, share, or otherwise transfer your personal data to any other third parties other than those indicated in this Privacy Notice without your prior
consent to do so.
In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by or transferred to the following categories of recipients on a need to know basis to achieve such purposes:
- our personnel
- our IT systems providers, cloud service providers
- any third party to whom we assign or novate any of our rights or obligations; and
- our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.
The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.
Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.
The personal data we collect from you may also be processed, accessed or stored in a country outside the UK, which may not offer the same level of protection of personal data.
If in the case we are required to transfer any of your personal data to external companies, legal entities in other jurisdictions, we will make sure to protect your personal data by applying the level of protection that is required under the local data protection/privacy laws applicable to the UK, acting in accordance with our policies and standards and, for entities located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the “EEA”), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights.
Personal data we collect
We collect and process the following personal data from you:
- Identity and Contact Data, Company: contact details, name, address, telephone number, job title and function, and other personal data concerning your preferences relevant to our services; Personal contact details of staff: Name, e mail address, job title and department. Individual direct learners: Name, e mail address. For our staff minimum personal contact details and next of kin contact
- Financial and Payment Data: Unless payments are received directly on invoicing or paid through our secure website and Paypal, we would only require any data necessary for processing payments and fraud prevention. For our staff we will hold bank account details for the processing of salaries.
- Business Information, including information provided in the course of the contractual or client relationship between us, or otherwise voluntarily provided by you or your organisation
- Physical Access Data, relating to details of your visits to our premises;
- Sensitive personal data: No sensitive data will be requested or held by us (that is, information about your racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life and sexual orientation or details of criminal offences, or genetic or biometric data).
Under the GDPR, an employee, client, supplier or third-party provider has a right to be informed of:
– what records/data are kept by us and how they’re used;
– the confidentiality and the security of the records we hold;
– in the case of our employees, how these records can help with their training and
development at work;
How long we keep your personal data
We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
At the end of that retention period, your data will either be deleted or anonymised (so that it can no longer be associated with you) for research or statistical purposes.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances you may be entitled to ask us to delete your data: see your rights below for further information.
The criteria we use for retaining different types of personal data, includes the following:
- General queries – when you make an enquiry or contact us by email or telephone, we will retain your information for as long as necessary to respond to your queries. After this period, we will not hold your personal data for longer than one year if we have not had any active subsequent contact with you;
- Direct marketing– where we hold your business or personal data on our database for direct marketing purposes (if applicable), we will retain your information for no longer than two years if we have not had any active subsequent contact with you.
- Legal and regulatory requirements– we may need to retain personal data for up 7 years after we cease providing services and products to you where necessary to comply with our legal obligations, resolve disputes or enforce our terms and conditions.
Our website and business operations is not intended for or directed at children under the age of 16 years and we do not knowingly collect data relating to children under this age.
For email marketing to an individual subscriber (that is, a non-corporate email address) with whom we have not previously engaged as a client, we need your consent to send you any unsolicited email marketing.
Where you do provide consent, you can withdraw your consent at any time, but without affecting the lawfulness of processing based on consent before its withdrawal.
You have the right to opt out of receiving email marketing communications from us at any time by:
– contacting our Privacy Manager using the contact details set out above; or
– using the “unsubscribe” link in emails.
We transfer only non-personal data outside the UK or the European Economic Area (EEA).
Security of your personal data
We have implemented appropriate technical and organisational controls to protect your personal data against unauthorised processing and against accidental loss, damage or destruction. You are responsible for choosing a secure password when we ask you to set up a password to access parts of our sites or apps. You should keep this password confidential and you should choose a password that you do not use on any other site. You should not share your password with anyone else, including anyone who works for us. Unfortunately, sending information via the internet is not completely secure. Although we will do our best to protect your personal data once with us, we cannot guarantee the security of any personal data sent to our site while still in transit and so you provide it at your own risk.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we, the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Adherence to an approved code of conduct or an approved certification mechanism may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1.
- We the controller shall take steps to ensure that any natural person acting under the authority of the controller who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
We use industry standard physical and procedural security measures via our third-party provider to protect information from the point of collection to the point of destruction. This includes encryption, firewalls, access controls, policies and other procedures to protect information from unauthorised access.
Where data processing is carried out on our behalf by a third party provider, we take steps to ensure that appropriate security measures are in place to prevent unauthorised disclosure of personal data.
Despite these precautions, however, DTASCI cannot guarantee the security of information transmitted over the Internet or that unauthorised persons will not obtain access to personal data.
In order to improve our website, we may use small files commonly known as “cookies”. A cookie is a small amount of data which often includes a unique identifier that is sent to your computer or mobile phone (your “device”) from our website and is stored on your device’s browser or hard drive. The cookies we use on our website won’t collect personally identifiable information about you and we won’t disclose information stored in cookies that we place on your device to third parties.
You can find more information about how to do manage cookies for all the commonly used internet browsers by visiting www.allaboutcookies.org. This website will also explain how you can delete cookies which are already stored on your device.
Our website may, from time to time, contain links to and from third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and DTASC does not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
In the event of a data breach, DTASC have put in place and recorded procedures within the scope of the GDPR to deal with any suspected breach and will notify you and any applicable regulator of a breach where required to do so.
The Privacy and Electronic Communications Regulations (PECR)
The Privacy and Electronic Communications Regulations (PECR) sit alongside the previous Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.
There are specific rules on: marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
We will, under the GDPR, abide under these rules to insure compliance is met.
Email & monitoring
Whilst every member of the DTASC team has a personal private email address, email which you send to us or which we send to you may be monitored to ensure compliance with professional standards and our internal compliance policies. Monitoring is not continuous or routine, but under the GDPR, this may be undertaken to insure the usage of company emailing is in line with compliance. Occasional spot checks or audits may also be undertaken to insure ongoing compliance.
You have the right to make a complaint at any time with a supervisory authority, in particular in the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is ICO who can be contacted at https://ico.org.uk or telephone on 0303 123 1113.
This Private Policy has been updated and effective as of
April 23rd, 2018.