arrow_circle_up

Privacy Policy

  • Call Sales on: N/A
  • Call Customer Service on: N/A

Privacy Policy


Introduction


Alcumus is committed to protecting your privacy. This Privacy Notice explains how companies in Alcumus Group Limited’s group of companies (together, “Alcumus” or “we” or “our” or “us”) use any personal information that we may collect about you when you interact with us. It also explains how we’ll store, handle and keep that data safe.

We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how we use your data.

Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this Privacy Notice. We may change this Privacy Notice by updating this page. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish. 
 

Who is Alcumus?


Alcumus includes each of the following companies:
 
  • Alcumus PSM Limited

  • Alcumus ISOQAR Limited

  • Alcumus Sypol Limited

  • Alcumus SafeContractor Limited

  • Alcumus Info Exchange Limited

  • Alcumus Holdings Limited

  • Alcumus Group Limited

  • Alcumus ContractorCheck Inc. (a Canadian registered company)

  • Banyard Solutions Limited

  • eCompliance Management Solutions Inc. (a Canadian registered company)


When you are using any of our company websites, Alcumus Group Limited is the data controller.
 

Topics:


When do we collect your information and what information do we collect?

Reasons for collecting personal information

Use of your information

Sharing your information

How long do we keep your information?

Recording calls

Your Rights

Cookies

Where we store your personal data

How to contact us
 

1. When do we collect your information and what information do we collect?


We collect your information:

  • When you visit any of our websites or portals.

  • When you make an online purchase.

  • When you create an account with us.

  • When you engage with us on social media or live chat.

  • When you contact us with queries or complaints, or to report a problem with our website.

  • When you ask one of our partners to email you information about a product or service.

  • When you enter prize draws or competitions, or complete any surveys we send you.

  • When you book an appointment with us or book to attend an event e.g. conference.

  • When you comment on or review our products and services.

  • When you fill in any forms.

  • When you permit a third party to share with us the information they hold about you.

  • We collect data from publicly-available sources (such as Companies House) where the information is made public as a matter of law.

  • When you apply for a job with us.


We will collect and process the following information about you as follows:

  • Information you give us. This may include your name, gender, address, e-mail address and phone number, financial and credit card information, personal description and photograph, and details of any employees of your company.

  • Information we collect about you. With regard to each of your visits to our website we will automatically collect the following information:

    • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;

    • information about your visit, including the full Uniform Resource Locators (URL), to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer services, sales and/or renewals teams.

  • Information we receive from other sources. This is information we receive about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data if we intend to share that data internally and combine it with data collected on this website. We will also have told you for what purpose we will share and combine your data. We are working closely with third parties (including, for example, business partners, sub-contractors in technical, payment services, advertising networks, analytics providers, credit reference agencies). We will notify you when we receive information about you from them and the purposes for which we intend to use that information.
     

2. Reasons for collecting Personal Information


The type of information that we collect is limited to that which is necessary.

• To Deal with your Enquiries
For online or telephone enquiries, we will generally require basic information such as your name and contact details in order to be able to deal with your enquiry.

• Training and Quality Purposes
Telephone calls made to certain telephone numbers within Alcumus may be recorded for training and quality purposes. See also section 6 (Recording Calls) below.

• Website Registration
To register online to receive, for example, email alerts or access to certain documentation, we will require certain basic information from you together with confirmation of the alerts or documentation that you wish to receive.

• Business Purposes
When you enter into a business relationship with us, the information that we will require will be of a more detailed nature and may include your business address and contact details. We will need this information to ensure that we provide the requested services to you (including any member benefits), and for general administrative purposes (e.g. managing your account, undertaking customer satisfaction surveys and research and obtaining credit checks).
Any contract we have with you will be governed either by: (i) the applicable standard T&Cs; or (ii) bespoke contractual documentation agreed with our customers.

Research
We may hold your personal details for research purposes, but in this case, we will never make your personal details available to other companies for marketing purposes other than for the marketing of Alcumus’ products and services or where you have requested us to do so.
 
3. Use of your information
We use information held about you in the following ways:

Information you give to us. We will use this information:

  • to carry out our obligations arising from any contracts entered into between us and to provide you with the information and services that you request from us (this includes account management and obtaining customer feedback);

  • to provide you with information about other services we offer that are similar to those that you have already purchased or enquired about;

  • to provide you with information about services we feel may interest you (including services provided by affinity partners and providers of member benefits). If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about services similar to those which were the subject of a previous sale or negotiations of a sale to you;

  • to notify you about changes to our services;

  • to ensure our website content is presented in the most effective manner for you and your computer.

Information we collect about you. We will use this information:

  • to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

  • to improve our website to ensure that content is presented in the most effective manner for you and for your computer;

  • as part of our efforts to keep our website safe and secure;

  • to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;

  • to make suggestions and recommendations to you

  • to ensure the data we hold for you is complete, accurate and up to date;

  • and other users of our website about products or services that may interest you or them.

Information we receive from other sources. We will combine this information with information you give to us and information we collect about you. We will use this information and the combined information for the purposes set out above.
 

4. Sharing your Information


We sometimes share your personal data with trusted third parties, including:

  • Any member of the Alcumus group of companies, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006 (and as outlined above).

  • Carefully selected third parties including:

    • business partners, suppliers and sub-contractors for the performance of any contract we enter into with you;

    • technology companies who support our website and other online systems (for example, our software hosting and development partners);

    • advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we will provide them with aggregate information about our users;

    • marketing companies who help us manage our electronic communications with you to show you products that might interest you while you’re browsing the internet. See our Cookies Policy for further details;

    • analytics and search engine providers that assist us in the improvement and optimisation of our website;

    • suppliers who carry out market research, customer satisfaction and NPS surveys on our behalf to ensure we are delivering a good service as well as identifying ways we can improve our services;

    • data insight companies for the purposes of research, profiling and to ensure your details are up to date and accurate;

    • credit reference agencies (CRAs) for the purpose of assessing your credit score where this is a condition of us entering into a contract with you. They will also give us information about you, such as about your financial history. We do this to assess creditworthiness, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at http://www.experian.co.uk/crain/index.html and https://www.helpit.com/privacy-policy/; and

    • debt collection agencies, for the purpose of recovering unpaid debts due under our contract with you.

We may disclose your personal information to third parties for their own purposes in very specific circumstances, including:

  • With your consent, given at the time you supply your personal data, we may pass that data to a third party who provides member benefits for their direct marketing purposes (in relation to promoted member benefits only). These third parties are currently Tradepoint (B&Q PLC) and Bionic Services Limited.

  • If we decide to expand, reduce or sell any Alcumus company or substantially all of its assets, in which case personal data regarding our customers will be transferred to the new owner, under the terms of this Privacy Notice.

  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or to protect the rights, of any Alcumus company, our customers, or others. This includes exchanging information with other organisations for the purposes of fraud protection and credit risk reduction.
     

5. How long do we keep your information


Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected. At the end of that retention period, your data will either be deleted completely or anonymised (e.g. by aggregating it with other data so that it can be used in a non-identifiable way for business planning).

In certain cases, the law requires us to keep personal data for a specific period (e.g. a minimum of forty years in the case of COSHH records).
 

6. Recording Calls


We may record calls for training and quality purposes. We will not use the information that we collect from you for any purposes other than for training and monitoring the quality of the information that we provide to you during the call.

Call recordings are stored securely and access to such recordings is limited to certain personnel only. Recorded calls will be saved for no longer than is necessary.
 

7. Your Rights


You have the right to request:

  • Access to the personal data we hold about you, free of charge in most cases.

  • The correction of your personal data when incorrect, out of date or incomplete.

  • That we stop using your personal data for direct marketing (either through specific channels, or all channels).

  • Review of any decision made based solely on automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision).

  • That we erase your personal data, under certain conditions.

  • That we restrict the processing of your personal data, under certain conditions.

  • The transfer of your personal data we have collected to another organisation, or directly to you, under certain conditions.

To ask for your information to be amended, please update your online account, or contact your account manager or our Data Protection Officer.

If we choose not to action your request, we will explain to you the reasons for our refusal.

Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

Where we rely on our legitimate interest
Where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must comply unless we believe we have a legitimate overriding reason to continue processing your personal data

Direct marketing
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.

Checking your identity
To protect your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.

Partner websites
Our website may contain links to and from the websites of our partner networks, affinity scheme partners, advertisers and affiliates. Please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. You should check these policies before you submit any personal data to these websites.

Complaints
If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).
 

8. Cookies


Our website uses cookies to distinguish you from other website users. This helps us to provide you with a good browsing experience. For detailed information on the cookies we use and the purposes for which we use them, see our Cookie policy.
 

9. Where we store your personal data


In relation to our UK companies, the data that we collect from you will not be transferred to or stored at a destination outside the European Economic Area ("EEA") unless there are sufficient technical and operational safeguards in place. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.

All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology. Where you have chosen a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
 

10. How to contact us


We hope this Privacy Notice has been helpful in terms of how we use your personal data and your rights in relation to such personal data. If you have any questions or wish to make a complaint, please contact our Data Protection Officer:

  • Write to us at Data Protection Officer, Axys House, Heol Crochendy, Parc Nantgarw, Cardiff CF15 7TW

This Privacy Notice was last updated on 09 June 2021.

Payment Privacy Policy


Introduction


Welcome to the SafeContractor Payment Portal (“the Portal”) privacy notice.

Alcumus SafeContractor Limited (“SafeContractor”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you visit our Portal and tell you about your legal privacy rights.

 

1. Important Information and who we are


Purpose of this privacy notice


This privacy notice aims to give you information on how we collect and process your personal data through your use of this Portal, including any data you may provide through this Portal.

This Portal is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
 

Contact details

We are Alcumus SafeContractor Limited (Company Number 07618138), with our registered office at Axys House, Heol Crochendy, Parc Nantgarw, Cardiff, Wales, CF15 7TW.


We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our DPO Karl Mrosek on dpo@alcumusgroup.com.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
 

Changes to the privacy notice and your duty to inform us of changes


This version was last updated on 8th January 2020. Historic versions can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
 

Third-party links


This Portal does not include any links to third-party websites.

This Portal does contain a link to our main company website www.safecontractor.com.
 

2. The data we collect about you


Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you and/or your employees, including:

Identity Data includes first name, maiden name, last name, username, title (including where such details are included on any training or qualification certificate or documentation).

Contact Data includes billing and operational address(es), email address and telephone numbers.

Financial Data includes bank account and payment card details.

Transaction Data includes details about payments to and from you.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Portal.

Usage Data includes information about how you use our Portal.

Marketing and Communications Data includes your marketing and communication preferences in receiving marketing from us.

We also collect, use and share the information you submit relating to you or your company/employees as part of the application and accreditation process.

We also collect, use and share Aggregated Data such as demographic data for the purposes of linking contractors to clients. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Portal feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
 

If you fail to provide personal data


If you fail to provide personal data when requested, we may not be able to perform the contract we have or are trying to enter into with you (e.g. to provide you with our services). In this case, we may have to cancel a service you have with us, but we will notify you if this is the case.
 

3. How is your personal data collected?


We use different methods to collect data from and about you including through:

Direct interactions.

You may give us your Identity Data, Contact Data and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

Apply for our services;

Create an account on our Portal;

Subscribe to our service or publications;

Request marketing to be sent to you;

Enter a competition, promotion or survey; or

Give us some feedback.

Automated technologies or interactions.

As you interact with our Portal, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.

Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:

Technical Data from the following parties analytics providers such as Google based outside the EU;

Financial Data and Transaction Data from payment service providers such as Worldpay.

Identity Data and Contact Data from our anchor clients in respect of their contractor base.

Identity Data and Contact Data from publicly availably sources such as Companies House and the HSE website, Gas Safe website, which are all based inside the EU.

Product Data, Identity Data and Contact Data from our membership benefit providers where you have engaged with a third party product or service.
 

4. How we use your personal data


We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

Where we need to perform the contract we are about to enter into or have entered into with you.

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Where we need to comply with a legal or regulatory obligation.

Where we have your consent.
 

Purposes for which we will use your personal data


We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
 

Purpose/activity

Type of data

Lawful basis for processing including basis of legitimate interest

To register you as a new customer

(a) Identity Data
(b) Contact Data

Performance of a contract with you

To process and deliver your order including:
(a) Manage payments, fees and charges
(b) Collect and recover money owed to us

(a) Identity Data
(b) Contact Data
(c) Financial Data
(d) Transaction Data
(e) Marketing and Communications Data

(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us)

To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or privacy policy
(b) Asking you to leave a review or take a survey

(a) Identity Data
(b) Contact Data
(c) Marketing and Communications Data

(a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To enable you to partake in a prize draw, competition or complete a survey

(a) Identity Data
(b) Contact Data
(c) Usage Data
(d) Marketing and Communications Data

(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

To administer and protect our business and this Portal (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) 

(a) Identity Data
(b) Contact Data
(c) Technical Data

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation

To deliver Portal content to you

(a) Identity Data
(b) Contact Data
(c) Usage Data
(d) Marketing and Communications Data
(e) Technical Data

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To use data analytics to improve our Portal, services, marketing, customer relationships and experiences

(a) Technical Data
(b) Usage Data

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Portal updated and relevant, to develop our business and to inform our marketing strategy)

To make suggestions and recommendations to you about goods or services that may be of interest to you

(a) Identity Data
(b) Contact Data
(c) Technical Data
(d) Usage Data

Necessary for our legitimate interests (to develop our products/services and grow our business)

To take you through the accreditation process

(a) Identity Data
(b) Contact Data

Performance of a contract with you

To introduce you to our membership benefit providers offering complimentary products and services and to provide you with information about products and services that may be of interest to you

(a) Identity Data
(b) Contact Data

(a) necessary for our legitimate interests (to develop our partner relationships)

(b) where we have your consent

 

Change of purpose


We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you require an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
 

5. Disclosures of your personal data


We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above.

Internal third parties in the Alcumus Group of companies acting as joint controllers or processors and/or which provide IT, finance and system administration services.

External third parties including:

UK-based service providers acting as processors who provide IT and system administration services (specifically Amazon Web Services and Clearstream Technology Group).

Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide legal, insurance and accounting services.

HMRC, regulators and other authorities acting as processors or joint controllers based in the UK who require reporting of processing activities in certain circumstances.

SSIP in relation to accredited SafeContractor members. This usually will be limited to business information, Contact Data and Identity Data.
Credit reference agencies such as Experian. Alcumus may undertake a credit reference check on the Client via a third-party supplier and may share details of the Client’s payment performance with such third-party supplier. This may impact the Client’s credit score if it does not make payment within the agreed payment terms set out in this Contract.

Third parties to whom we may choose to sell, transfer, or merge parts of our business. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

Third party anchor clients of SafeContractor who may wish to purchase services via a contractor are able to access contractor information (including in some circumstances personal data) via the Portal. Levels of personal data are limited in nature, restricted and redacted where appropriate. At present, the types of documents made available to anchor clients include: (i) risk assessments (ii) H&S policies; (iii) training records; and (iv) equipment issue or maintenance records. These documents may contain employee names, job titles and contact details (including email or postal addresses). Checks are undertaken by SafeContractor to ensure that the documents shared do not contain extensive or unnecessary personal data in excess of the types and categories of personal data outlined above.

Membership benefit providers we work closely with and will sometimes share information with them about you so that they can send you information about any of their products and services you may be interested in, or any promotions they are running. SafeContractor's current partners are set out below. If you would like more information about the ways in which they process personal data, please refer to their privacy policies (as provided below):

Bionic (click here for Bionic privacy policy)

TradePoint (click here for TradePoint privacy policy)

Fuel Card Services (click here for Fuel Card Services privacy policy)
 

6. Data security


We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal data to those employees, contractors and other third parties who have a business need to know. They are subject to a duty of confidentiality. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
 

7. International transfers


We do not transfer your personal data outside the European Economic Area (EEA).

In the event that the UK no longer forms part of the EEA, we will not transfer your data outside of the UK to a county other than one which is within the EEA.
 

8. Data retention - how long will you use my personal data for?


How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for your personal data are available on request by contacting us.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes
in which case we may use this information indefinitely without further notice to you.
 

9. Your legal rights


Under certain circumstances, you have legal rights in relation to your personal data, including:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where (a) there is no good reason for us continuing to process it; (b) you have successfully exercised your right to object to processing (see below); (c) where we may have processed your information unlawfully; or (d) where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Request us not to use your personal data for marketing purposes. You can ask us or third parties to stop sending you marketing messages at any time by contacting us at any time.
 

No fee usually required


You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
 

What we may need from you


We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may contact you to ask you for further information in relation to your request to speed up our response.
 

Time limit to respond


We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to exercise any of the rights set out in this policy, please contact us.

Product Privacy Policy


Introduction


Welcome to the SafeContractor Accreditation Portal (“the Portal”) privacy notice.

Alcumus SafeContractor Limited (“SafeContractor”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you visit our Portal and tell you about your legal privacy rights.
 

1. Important information and who we are


Purpose of this privacy notice


This privacy notice aims to give you information on how we collect and process your personal data through your use of this Portal, including any data you may provide through this Portal.

This Portal is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
 

Contact details

We are Alcumus SafeContractor Limited (Company Number 07618138), with our registered office at Axys House, Heol Crochendy, Parc Nantgarw, Cardiff, Wales, CF15 7TW.


We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our DPO, Karl Mrosek, on dpo@alcumusgroup.com.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
 

Changes to the privacy notice and your duty to inform us of changes

This version was last updated on 11 May 2018. Historic versions can be obtained by contacting us. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

 

Third-party links

This Portal does not include any links to third-party websites. This Portal does contain a link to our main company website www.safecontractor.com.

 

2. The data we collect about you


Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).


We may collect, use, store and transfer different kinds of personal data about you, including:

Identity Data includes first name, maiden name, last name, username, and title.

Contact Data includes billing and operational address(es), email address and telephone numbers.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Portal.

Usage Data includes information about how you use our Portal.

Marketing and Communications Data includes your marketing and communication preferences in receiving marketing from us.

We also collect, use and share Aggregated Data such as demographic data for the purposes of linking contractors to clients. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Portal feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
 

If you fail to provide personal data


If you fail to provide personal data when requested, we may not be able to perform the contract we have or are trying to enter into with you (e.g. to provide you with our services). In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
 

3. How is your personal data collected?


We use different methods to collect data from and about you including through:

Direct interactions.

You may give us your Identity and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

Apply for our services;

Create an account on our Portal;

Subscribe to our service or publications;

Request marketing to be sent to you;

Enter a competition, promotion or survey; or

Give us some feedback.

Automated technologies or interactions.

As you interact with our Portal, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.

Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:

Technical Data from analytics providers such as Google based outside the EU.

Identity Data and Contact Data from our anchor clients in respect of their contractor base.

Identity Data and Contact Data from publicly availably sources such as Companies House, the HSE website, Gas Safe website, which are all based inside the EU.
 

4. How we use your personal data


We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

Where we need to perform the contract we are about to enter into or have entered into with you.

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Where we need to comply with a legal or regulatory obligation.
 

Purposes for which we will use your personal data


We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
 

Purpose/activity

Type of data

Lawful basis for processing including basis of legitimate interest

To register you as a new customer

(a) Identity Data
(b) Contact Data

Performance of a contract with you

To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or privacy policy
(b) Asking you to leave a review or take a survey

(a) Identity Data
(b) Contact Data
(c) Marketing and Communications Data

(a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To enable you to partake in a prize draw, competition or complete a survey

(a) Identity Data
(b) Contact Data
(c) Usage Data
(d) Marketing and Communications Data

(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

To administer and protect our business and this Portal (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) 

(a) Identity Data
(b) Contact Data
(c) Technical Data

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation

To deliver relevant Portal content to you

(a) Identity Data
(b) Contact Data
(c) Usage Data
(d) Marketing and Communications Data
(e) Technical Data

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To use data analytics to improve our Portal, services, marketing, customer relationships and experiences

(a) Technical Data
(b) Usage Data

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Portal updated and relevant, to develop our business and to inform our marketing strategy)

To make suggestions and recommendations to you about goods or services that may be of interest to you

(a) Identity Data
(b) Contact Data
(c) Technical Data
(d) Usage Data
 

Necessary for our legitimate interests (to develop our products/services and grow our business)

 

Marketing and opt-out


We do not undertake marketing, promotions or competitions via the Portal. This is undertaken via other means. You can ask us to stop sending you marketing messages at any time by contacting us. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a service purchase, service experience or other transactions.


Change of purpose


We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you require an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
 

5. Disclosures of your personal data


We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above.

Other companies in the Alcumus Group of companies acting as joint controllers or processors and which provide IT, finance and/or system administration services.

External third parties including:

UK-based service providers acting as processors who provide IT and system administration services (specifically Amazon Web Services and Clearstream Technology Group).

Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide legal, insurance and accounting services.

HMRC, regulators and other authorities acting as processors or joint controllers based in the UK who require reporting of processing activities in certain circumstances.

SSIP in relation to accredited SafeContractor members. This usually will be limited to business information, Contact Data and Identity Data.

Third parties to whom we may choose to sell or merge parts of our business. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

Third party clients of SafeContractor who may wish to purchase services via a contractor are able to access contractor information (including in some circumstances, Personal Data) via the Portal.
 

6. Data security


We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal data to those employees, contractors and other third parties who have a business need to know. They are subject to a duty of confidentiality. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
 

7. International transfers


We do not transfer your personal data outside the European Economic Area (EEA).
 

8. Data retention


How long will you use my personal data for?


We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for your personal data are available on request by contacting us.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
 

9. Your legal rights


Under certain circumstances, you have legal rights in relation to your personal data, including:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where: (a) there is no good reason for us continuing to process it; (b) you have successfully exercised your right to object to processing (see below); (c) where we may have processed your information unlawfully; or (d) where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

No fee usually required:

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you:

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond:

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to exercise any of the rights set out in this policy, please contact us.

General Data Protection Regulation (GDPR) Statement
Director of Legal and Compliance, Alcumus 


Introduction


The EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force on 25 May 2018, superseding the Data Protection Act 1998. GDPR will continue to apply despite Brexit and impacts all organisations that control or process personal data. It grants data subjects a range of new rights, giving them more control over how their data is used. Organisations are subject to new responsibilities and obligations, including the need to demonstrate compliance.
 

What are we doing to ensure compliance?


At Alcumus, we are committed to protecting and respecting the privacy of individuals and take our obligations under data protection legislation seriously. We already manage personal data in accordance with the industry standards for ISO 27001, PCI DSS, and in some locations, in accordance with the Cyber Essentials Certification. We understand and welcome the high standards that GDPR will promote and encourage across all organisations that process personal data on behalf of third parties.

In order to ensure that we were ready for GDPR, we put in place a multidisciplinary project team which, informed by an external GDPR gap analysis assessment and specialist external advice, dealt with the following key priorities:

Modifying and fine tuning our management systems, processes and policies (including ISO 9001 and ISO 27001) to enable us to be GDPR-compliant. To this end, we conducted a full review of our internal and external policies and updated them to ensure that they are GDPR compliant.

Ensuring that our employees and consultants are fully aware of the new obligations that GDPR introduced and ensuring that there is accountability and shared responsibility for ensuring compliance, from Board level down and across the Group. We rolled out compulsory GDPR eLearning training across the Alcumus Group to all of our employees and consultants. In-depth face to face training has also been provided, tailored specifically to job role.

Providing a range of products and services to our customers to assist them in their own GDPR-compliance, including specific support to those who use our technological solutions (such as our specially configured data-capture software), to ensure that such solutions are compliant.

Our five business units process personal data on behalf of our 42,000 customers, from large global brands through to SME businesses. We understand the importance of good data practices to our customers and are on hand to support our customers through their GDPR-readiness journeys.

Some of the specific initiatives that we have rolled out include:

Data review:

We have conducted an extensive review of all personal data we hold and have prepared a detailed data roadmap which outlines where this data is held, why we hold it and for how long.

Contractual updates:

We have conducted a full-scale analysis of third parties who process data on our behalf and have updated contractual positions to ensure that we (and our customers) are protected. In addition to this, we have updated our current business terms and conditions to give our customers the assurances required under GDPR.

Process updates:

We have updated our existing procedures to ensure we have the tools to maintain compliance with GDPR. This included the appointment of a new voluntary Data Protection Officer, and a review and update of our existing policies such as our data security and incident response plans.

Improved subject access:

We have updated our existing subject access request processes to ensure that it is easier and quicker for data subjects to exercise their rights, and for Alcumus to respond efficiently to such requests in the statutory timescales.

Review of consents:

We have reviewed our existing marketing practices, and associated consents/other lawful grounds for processing, to ensure that these are transparent, fair and GDPR-ready. We have communicated these practices to our marketing teams across the Alcumus.
 

What are the implications for our customers?


We understand the time and resource that is required to ensure that organisations are GDPR compliant. In supporting our customers to manage their risk-exposure and abide by the legislation, we have developed a number of measures and enhancements, through standard features, toolkits and added value solutions. These include:

Development of data governance modules to our software solutions.

Provision of template data protection impact assessments, with user-friendly guidance on product-specific considerations.

Advice on data retention and deletion.

Stronger software access controls.

Improved security requirements (e.g. introduction of data encryption at rest).

We understand that GDPR is an ongoing process and we will therefore continue to be in contact with all of our customers to progress our GDPR readiness project. If in the meantime you have any queries, please do not hesitate to contact us at legal@alcumusgroup.com

Suzie Chetri
Director of Legal and Compliance​, Alcumus