Simpleducks Privacy Notice
Simpleducks (“Simpleducks”, “we”, “us”), (registered Limited Company in England & Wales 10245249), is committed to protecting your privacy. At all times we aim to respect any personal information you share with us, or that we receive from others, and keep it safe. This Privacy Notice (“Notice”) sets out our data processing practices and your rights and options regarding the ways in which your personal information is used and collected, including through our website.
This Notice contains important information about your personal rights to privacy. Please read it carefully to understand how we use your personal information.
Contents of this Privacy Notice:
- How we collect personal information about you
2. What personal information do we use?
3. How and why will we use your personal information?
4. Lawful bases
5. Communications for marketing/ fundraising
6. How long do we keep your personal information?
7. Will we share your personal information?
8. Security/ storage of and access to your personal information
9. International Data Transfers
10. Exercising your Rights
11. Changes to this Notice
12. Data Protection Manager
13. Links and third parties
14. How to contact us
We collect personal information about you:
- When you give it to us directly. For example, personal information that you give to us when you communicate with us by email, phone or letter.
- When we obtain it indirectly. For example, your personal information will be shared with us by training/learning providers after you enrol for a course in relation to which we provide the relevant qualification; when you undertake a test using third party systems licenced to Simpleducks; or when your personal information have been sent to us regarding a job vacancy with Simpleducks.
- When you visit our website. When you visit our website, we automatically collect the following types of personal information:
- Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
- Information about your visit to the website, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
- Cookies- we collect and use your personal information by using cookies on our website. We only use first party cookies; these are cookies that are set by this website directly:
- ASPSESSION*: ASP session cookie which identifies a specific user’s session. This will expire when you leave the website.
- More information on session cookies and what they are used for at http://www.allaboutcookies.org/cookies/session-cookies-used-for.html
- Google Analytics: We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on.
- You can find out more about Google’s position on privacy as regards its analytics service at http://www.google.com/intl/en_uk/analytics/privacyoverview.html
- AddThis: The social media sharing functionality on certain web pages is provided by the third party AddThis. As you navigate these pages or if you use the sharing buttons, AddThis will automatically set cookies. We have no control over the cookies that AddThis uses. You can opt out of addthis.com cookies at http://www.addthis.com/privacy/opt-out
In general, we may combine your personal information from these different sources set out in a-c above, for the purposes set out in this Notice.
What personal information do we use?
Marketing & General Business Contact data:
This will normally be limited to:
- Job title
- Contact data including e-mail address and telephone number
- Company details including website and social media addresses
- Other data relevant to your enquiry
- Purchase history in respect of Simpleducks products and services
Job Application data:
- Simpleducks collects a range of personal data about you throughout the recruitment and selection process including:
- Personal details; name, address, date of birth, contact number, email address
- Employment history; previous employers, employment dates, roles held, duties
- Education, skills, qualifications
- Employment references/feedback from previous employers
- Right to work in the UK information; passport, driving license, national insurance number
- Equality and diversity information
Throughout the process we may also collect information as to whether you have a disability for which we would need to make a reasonable adjustment.
We may collect, store and otherwise process personal information in order to allow us to carry out our role as a training provider and Health & Safety Consultancy Business. This may include but not be limited to:
- Your name and contact details including postal address, telephone number, email address and emergency contact details and, where applicable;
- Your date of birth and gender;
- Your financial information, such as bank details and/ or credit/ debit card details in the case of replacement certificate requests;
- Information about your computer/ mobile device and your visits to and use of this website, including, for example, your IP address and geographical location;
- Unique candidate identifiers/unique learner numbers;
- Details of your qualifications/ experience;
- And/or any other personal information which we obtain as per paragraph 1.
Do we process special categories of data?
The EU General Data Protection Regulation (“GDPR”) recognises certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health, ethnicity and religious beliefs.
Simpleducks may process special category personal data e.g. ethnicity, religion or belief, sexual orientation, in order to monitor recruitment statistics. However, this information will be anonymised and not be used in order to make a decision about whom to offer a role.
In certain situations, Simpleducks may collect and/or use these special categories of data (for example, information on candidates’ medical conditions so that we can make arrangements for reasonable adjustments and/or special considerations). We will only process these special categories of data if there is a valid reason for doing so and where the GDPR allows us to do so.
How and why will we use your personal information?
Your personal information, however provided to us, will be used for the purposes specified in this Notice. In particular, we may use your personal information in the following ways:
Learner specific reasons
- To register you as a candidate and allow you to sit examinations;
- For examination administration purposes;
- To conduct examinations and assessments;
- To issue examination results and certificates and replacement certificates;
- To carry out any reviews or appeals;
- To otherwise provide you with services, products or information you have requested.
Assessment specific reasons
- To allow us to carry out an end point assessment on NVQ’s;
Marketing & general business contact specific reasons
- To communicate as necessary with Awarding Bodies;
- To provide further information about our work, services or activities
- To answer your questions/ requests and communicate with you in general;
- To manage relationships with our partners and service providers;
Job Applicant specific reasons
- We only process your personal data for the purpose of progressing your job application or as required by law or regulatory requirements e.g. checking that you are eligible to work in the UK. Simpleducks will not use your personal data for any other purpose than the recruitment and selection of the post for which you have applied.
- To analyse and improve our work, services, activities, products or information (including our website), or for our internal records;
- To keep our facilities safe and secure;
- To run/administer the activities of Simpleducks, including our website, and ensure that content is presented in the most effective manner for you and for your device;
- To audit and/or administer our accounts;
- To satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
- For the prevention of fraud or misuse of services;
- For the establishment, defence and/ or enforcement of legal claims.
The GDPR requires us to rely on one or more lawful bases to use your personal information. We consider the grounds listed below to be relevant:
- Where you have provided your consent for us to use your personal information in a certain way (for example, we may ask for your consent to collect special categories of your personal information so that you may sit an exam with reasonable adjustments and/or special considerations).
- Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services).
- Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract (for example, to provide you with a certified award after sitting an examination).
- Where there is a legitimate interest in us doing so.
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights as an individual).
In broad terms, our “legitimate interests” means the interests of running of Simpleducks as a commercial entity and ensuring that appropriate levels of certified awards are granted to candidates in line with our standards as well as ensuring that we function in a compliant and effective manner.
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and on your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
Communications for marketing/promotional purposes
Awarding Organisations that have accredited Simpleducks, must be allowed to contact Simpleducks about business critical matters by email, phone and other relevant channels, this is an integral part of their agreement with Simpleducks.
We may use your contact details to provide you with information about our work, events, services and/or activities which we consider may be of interest to you.
Where Simpleducks is operating with businesses (in particular with Colleges, training providers, organisations and employers) rather than individuals, it does not generally seek consent to send business communications. Simpleducks regards the use of data for such communications to be justified under our shared Legitimate Interest under the terms of GDPR legislation.
If individuals at organisations choose to unsubscribe from communications (which is their right under GDPR) then this may affect our organisation’s ability to continue to function as an approved training provider.
Where you have provided us with your consent previously but do not wish to be contacted by us about our work, events, services and/or activities in the future, please let us know by email at email@example.com You can opt out of receiving emails from Simpleducks at any time by clicking the “unsubscribe” link at the bottom of our marketing emails.
How long do we keep your personal information?
Simpleducks reserves the right to keep learner data for a period of up to 60 years. This is for reasons such as requested certificate replacement, in the event of your original certificate being lost or damaged, which is to your benefit.
Job applicant data:
We will hold your personal data for 6 months after end of the recruitment and selection process for which you applied. This allows us time to be able to respond to feedback requests and is within the time limit in which an applicant can make a legal claim.
If your application is successful, the personal data collected during the recruitment process will be transferred to the HR records and retained throughout your employment/assignment. In this case your personal data will be processed in line with our staff privacy notice.
Unless still required in connection with the purpose(s) for which it was collected and/or processed, we will retain your information for the period set out in our Data Retention Policy. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time. If you request to receive no further contact from us, we may keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.
Will we share your personal information?
We do not share, sell or rent your personal information to third parties for marketing purposes. However, in general we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Notice. These parties may include (but are not limited to):
- Training/learning providers;
- Individual examiners
- Educational authorities such as Department for Education, Welsh Government, Department of Education Northern Ireland, ESFA, IFA and the Learning Records Service;
- Other educational establishments/prospective employers (for example if a reference is sought);
- Suppliers and sub-contractors for the performance of any contract we enter into with them, for example IT service providers such as testing platforms, website hosts or cloud storage providers and certificate printing companies;
- Professional service providers such as accountants and lawyers;
- Parties assisting us with research to monitor the impact/effectiveness of our work, events, services and activities;
- The police, for example in sharing data in relation to malpractice cases linked to fraud;
- Regulatory bodies who govern our work, such as Ofqual, Qualifications Wales, CCEA Regulation, SQA or Ofsted; and/or
- CITB where we need to provide data to allow a learner to gain access to a CSCS or CPCS competency card.
In particular, we reserve the right to disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we will disclose your personal information to the (prospective) seller or buyer of such business or assets;
- If substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
- If we are under any legal or regulatory duty to do so; and/or
- To protect the rights, property or safety of Simpleducks, its personnel, users, visitors or others.
Security/storage of and access to your personal information
Simpleducks is committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information.
Your personal information is only accessible by appropriately trained staff and contractors, and stored on secure servers which have features to prevent unauthorised access.
International Data Transfers
Given that we are primarily a UK-based organisation we will normally only transfer your personal information within the European Economic Area (“EEA”), where all countries have the same level of data protection law as under the GDPR.
However, because we may sometimes use agencies and/or suppliers to process personal information on our behalf, it is possible that personal information we collect from you will be transferred to and stored in a location outside the EEA, for example the United States.
Please note that some countries outside of the EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. Where your personal information is transferred, stored and/or otherwise processed outside the EEA in a country that does not offer an equivalent standard of protection to the EEA, we will take all reasonable steps necessary to ensure that the recipient implements appropriate safeguards (such as by entering into standard contractual clauses which have been approved by the European Commission) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Notice. If you have any questions about the transfer of your personal information, please contact us using the details below.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure – however, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised access.
Exercising your Rights
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing or or to unsubscribe from our email list at any time.
You also have the following rights:
- Right of access – you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply.
- Right of erasure – at your request we will delete your personal information from our records as far as we are required to do so. In many cases we would propose to suppress further communications with you, rather than delete it.
- Right of rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate/up to date.
- Right to restrict processing – you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
- Right to object – you have the right to object to processing where we are (i) processing your personal information on the basis of our legitimate interests (see section 4 above), (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
- Right to data portability – to the extent required by the GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format.
- Rights related to automated decision-making – you have the right not to be subject to a decision based solely on automated processing of your personal information which produces legal or similarly significant effects on you, unless such a decision (i) is necessary to enter into/perform a contract between you and us/another organisation; (ii) is authorised by EU or Member State law to which Simpleducks is subject (as long as that law offers you sufficient protection); or (iii) is based on your explicit consent.
Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details below.
We encourage you to raise any concerns or complaints you have about the way we use your personal information by contacting us using the details below. You are further entitled to make a complaint to the Information Commissioner’s Office – www.ico.org.uk. For further information on how to exercise this right, please contact us using the details below.
Changes to this Notice
We may update this Notice from time to time. We will notify you of significant changes by contacting you directly where reasonably possible for us to do so and by placing an update notice on our website.
This Notice was last updated on 23rd May 2018.
Data Protection Manager
Our Data Protection Manager can be contacted directly at:
- Email: Garet Estensen – firstname.lastname@example.org
- Phone: 0208 99 888 25
Alternately, please use the contact details below and mark the email/letter for the attention of the Data Protection Manager.
Links and third parties
We link our website directly to other sites. This Notice does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
How to contact us
Please let us know if you have any questions or concerns about this Notice or about the way in which Simpleducks processes your personal information by contacting us at the channels below. Please contact:
- Email: email@example.com
- Phone: 0208 9988825
- Post: Simpleducks, 5 Meadvale Road, Ealing, London, W5 1NS