External Contacts Privacy Notice
Houghton Greenlees and Associates Ltd takes data protection and privacy very seriously. We are making continual improvements to our processes and policies, ensuring our employees understand their roles and the requirements that we must meet as an organisation.
This Privacy Notice explains how we handle and process data that relates to External Contacts (i.e. non-employee data). If you have any questions or concerns, please contact our Data Protection Team.
This External Contacts Privacy Notice sets out what personal data Houghton Greenlees and Associates Ltd holds about you, how we collect it, and how we use it for the performance of contracts and marketing. It applies to anyone in our contacts database.
Please note: we will not necessarily hold, use or share all of the types of personal data described in this Privacy Notice. The specific types of data about you that we will hold, use and share will depend upon our professional relationship with you.
We are required by data protection law to give you the information in this Privacy Notice. It is important that you read the Privacy Notice carefully, together with any additional information that we might give you about how we collect and use your personal data.
This Privacy Notice applies from 25 May 2018, when the General Data Protection Regulation comes into force. It does not give you any contractual rights. We may update this Privacy Notice at any time.
Who is the controller?
Houghton Greenlees and Associates Ltd (Lower Barn, East End Court, Tickenham Road, Clevedon BS21 6QY) is the “controller” for the purposes of data protection law. We are responsible for deciding how we hold and use your personal data.
Our Data Protection Lead is Paul Williams. He is responsible for advising us on our data protection law obligations and monitoring our compliance.
Paul leads a wider Data Protection Team consisting of the Board of Directors. You can also contact them if you have any questions or concerns about data protection.
What is personal data?
‘Personal data’ means any information that could identify you, for example:
- National Insurance number
- Employee number
- Email address
- Physical features
It can be factual (e.g. contact details or date of birth), an opinion about your actions or behaviour, or information that may impact you in a personal or business capacity.
Data protection law divides personal data into two categories:
- Ordinary personal data OR
- Special category data: any personal data that reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or biometric or genetic data that is used to identify an individual is known as special category data. (The rest is ordinary personal data).
What type of personal data may we hold about you?
We collect, hold and use the following types of ordinary personal data about you:
- Biographical information including your name, title, contact details.
- Publicly available information about you, such as your business social media presence.
- Lifestyle information including but not limited to interests.
- Events that you have attended with us or with an employee of HGA.
And why do we hold it?
Any personal information retained is used solely in connection with project-related day-to-day correspondence. We do not, as a usual course of business, carry out marketing campaigns, newsletter drops, etc.
What are our legal grounds for using your personal data?
- We need it to undertake a project (Performance of Contract), because you are a member of the external team on one of our projects.
- We need it to comply with a legal obligation (Legal Obligation), e.g. if you are a member of the external team on one of our projects, we are required to retain your details for the duration of the contract, i.e. for 6 years for a signed contract or 12 years for a contract signed under deed or under seal.
What type of special category personal data do we hold about you? Why? And on what legal grounds?
We will only collect, hold and use limited types of special category data about you, as described below.
Since special category data is usually more sensitive than ordinary personal data, we need to have an additional legal ground (as well as the legal grounds set out in the section on ordinary personal data, above) to collect, hold and use it.
The additional legal grounds that we rely on to collect, hold and use your special category data are explained below for each type of special category data.
Criminal records information/DBS checks
Due to our work with education providers (Schools, Colleges and Universities), the Ministry of Justice and the Ministry of Defence, we may ask you to complete a DBS or Security Clearance.
For the majority of our External Contacts we do not collect this data. However, should our clients require you to have these checks to enter their premises or work on their projects, we will inform you.
In the context of the Performance of Contract we will use this information to assess your suitability to form part of an External Team for projects where these checks need to be in place e.g. schools, NHS Schemes etc.
Our additional legal ground for using this information is that of Legal Obligation.
How do we collect your personal data?
You provide us with most of the personal data about you that we hold and use, for example on a business card, email signature or through verbal discussions.
Some of the personal data about you that we hold and use is generated from internal sources following a Business Development meeting. For example, we may record that you enjoy cycling or that you have particular sector experience.
Some of the personal data about you that we hold and use may come from external sources. We may also obtain information about you from publicly available sources, such as your LinkedIn profile or other media sources.
Who do we share your personal data with?
We will not share your personal data with anyone, with the exception of:
- Legal/professional advisers
We share any of your personal data that is relevant, where appropriate, with our legal and other professional advisers, in order to obtain legal or other professional advice about matters related to you or in the course of dealing with legal disputes with you or your company.
Our legal grounds for sharing this personal data are that: it is in our legitimate interests to seek advice to clarify our rights/obligations and appropriately defend ourselves from potential claims; it is necessary to comply with our legal obligations/exercise legal rights in connection with contract; and it is necessary to establish, exercise or defend legal claims.
How long will we keep your personal data?
If you are involved with a project (i.e. part of an external team), we are required to retain your details for the duration of the contract, i.e. for 6 years for a signed contract or 12 years for a contract signed under deed or under seal. However, we may need to retain these for a maximum of 15 years, if there are specific legal circumstances associated with a contract that require us to hold your personal data.
You have a number of legal rights relating to your personal data, which are outlined here:
- The right to make a subject access request. This enables you to receive certain information about how we use your data, as well as to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- The right to request that we correct incomplete or inaccurate personal data that we hold about you.
- The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- The right to object to our processing your personal data where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing.
- The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- The right to withdraw your consent to us using your personal data. As described above, we do not normally rely on your consent as the legal ground for using your personal data. However, if we are relying on your consent as the legal ground for using any of your personal data and you withdraw your consent, you also have the right to request that we delete or remove that data, if we do not have another good reason to continue using it.
- The right to request that we transfer your personal data to another party, in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using it (this is known as the right to “data portability”).
- The right to object to a decision based on profiling/solely automated decision-making, including the right to voice your opinion, and obtain human intervention in the decision-making.
If you would like to exercise any of the above rights, please contact Paul Williams, our Data Protection Lead at firstname.lastname@example.org, in writing.
Note that these rights are not absolute and in some circumstances, we may be entitled to refuse some or all of your request.
If you have any questions or concerns about how your personal data is being used by us, you can contact our Data Protection Team.
Note too that you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: https://ico.org.uk