You have a legal right to be informed about how our organisation uses any personal information that we hold about you. To comply with this, we provide a ‘privacy notice’ to you where we are processing your personal data.
This privacy notice explains how we collect, store and use personal data about you.
We, Gateway HR & Training Limited, are the ‘data controller’ for the purposes of data protection law.
Gateway HR is registered with the Information Commissioner's Office (ICO) as a data controller.
Our data protection officer is Charlotte Armstrong (see ‘Contact us’ below).
The personal data we hold
We process data relating to our employees, our clients and employees of our clients. Personal data that we may collect, use, store and share (when appropriate) includes, but is not restricted to:
Contact details and job title
Contact information including email address and telephone number (we may also collect information that is available from your browser)
Information relating to the employment records of our clients' data subjects
Demographic information such as postcode, preferences and interests
Other information relevant to customer surveys and/or offers
We may keep a record of any correspondence that you send to us
Details of your visits to our website including but not limited to traffic data, location data, weblogs and other communication data and the resources that you access
Details of transactions you carry out through the website and the fulfilment of your order
Applications for roles we are recruiting, either on behalf of clients or ourselves
Occupational health records on behalf of our clients to enable us to assist clients to make informed decisions about supporting employees in their roles
As an applicant for a role, you will be required to provide proof of your identity and proof of your qualifications prior to receiving a job offer
As part of a recruitment process a criminal records declaration may be required to declare any unspent convictions in roles that require such checks to be completed
Photographs
CCTV Images
Date of birth and gender (training delegates - when required by accreditation bodies)
Assignments (training delegates)
Details of any learning difficulties (training delegates)
Qualification results (training delegates)
Other qualifications held
We may also collect, store and use information about you that falls into “special categories” of more sensitive personal data. This includes information about (where applicable):
Health, including any medical conditions relating to both physical and mental health
Our legal basis for using this data
We only collect and use personal information about you when the law allows us to. Most commonly, we use it where we need to:
Fulfil a contract we have entered into with you
Comply with a legal obligation
You have given us consent to use it in a certain way
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
Less commonly, we may also use personal information about you where:
We need to protect your vital interests (or someone else’s interests)
Carry out a task in the public interest
Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent and explain how you go about withdrawing consent if you wish to do so.
Some of the reasons listed above for collecting and using personal information about you overlap, and there may be several grounds which justify the organisation’s use of your data.
Why we use this data
The purpose of processing your information is to understand your needs and to help us provide you with an effective service.

Collecting this information
We collect your personal data by a variety of means including online communication, telephone communication and via face to face contact. We may also collect additional information from third parties including employers, employees and other professional bodies.
Whilst you are engaged with our company we may need to collect additional personal information from you not identified on the above list but before doing so we will provide you with a written notice setting out details of the purpose and the lawful basis of why we are collecting that data, its use, storage and your rights.
While the majority of information we collect from you is mandatory, there is some information that you can choose whether or not to provide to us. Whenever we seek to collect information from you, we make it clear whether you must provide this information (and if so, what the possible consequences are of not complying), or whether you have a choice.
How we store this data
All data provided is stored on a secure local server with appropriate restricted access and electronic procedures. The data on the server is backed up with a third-party data security company. Your information will not be transferred outside of the European Economic Area.
We use Infusionsoft as a marketing tool and database. Although this is an American software company, they have confirmed that they have taken the necessary steps to be GDPR compliant.
We use Basecamp, a project management software tool, to share information relating to current HR client issues that we are dealing with. The information stored is a brief update, to ensure that any HR consultant understands the progress of a project and can provide appropriate, timely advice to the client. The storage used by Basecamp is a combination of AWS, Google Cloud and its own managed servers, which are located in the USA. Basecamp have confirmed that they have the relevant security measures in place to comply with GDPR.
We use Breathe HR to store our employee data and, where requested, employee data relating to our clients. Breathe HR are GDPR compliant and certified to the requirements of ISO27001:2013.
We will not collect more information than we need to fulfil our stated purposes and will not keep it for longer than is necessary. Once your engagement with us has ended, we will retain all data securely before destroying the information in accordance with our Retention of personal data policy. A copy of the policy can be requested from the DPO.
Data Sharing
We will never sell, rent or trade information about you to other companies. Your data will not be supplied to anyone except as described in this privacy notice, unless we are obliged by law to disclose it.
Where it is legally required, or necessary (and complies with data protection law) we may share personal information with:
Suppliers and service providers – to enable them to provide the service we have contracted them for, for example, payroll providers, HR system providers and Occupational Health providers. In these instances, we will ensure that any such provider follows the same obligations of security with regards to your data as us.
Central and local government
Educators and examining bodies
Health authorities
Health and social welfare organisations
Police forces, courts, tribunals
Professional bodies
In certain circumstances, this information may be shared after you have ceased engagement with Gateway HR & Training Ltd.
Transferring data internationally
In the unlikely event that we need to transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.
Your Rights
How to access personal information we hold about you
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the organisation holds about them.
If you make a subject access request, and if we do hold information about you, we will:
Give you a description of it
Tell you why we are holding and processing it, and how long we will keep it for
Explain where we got it from, if not from you
Tell you who it has been, or will be, shared with
Let you know whether any automated decision-making is being applied to the data, and any consequences of this
Give you a copy of the information in an intelligible form
You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances.
If you would like to make a request, please contact our data protection officer.
Other rights regarding your data
Unless subject to exemption under GDPR law, individuals have certain rights regarding how their personal data is used and kept safe. You have the right to:
Object to the use of your personal data if it would cause, or is causing, damage or distress
Prevent your data being used to send direct marketing
Object to the use of your personal data for decisions being taken by automated means (by a computer or machine, rather than by a person)
Withdraw your consent to the processing at any time, where consent was the lawful basis for processing the data
In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing
Claim compensation for damages caused by a breach of the data protection regulations
To exercise any of these rights, please contact our data protection officer.
Complaints
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact our data protection officer.
Alternatively, you can make a complaint to the Information Commissioner's Office:
Report a concern online at https://ico.org.uk/concerns/
Call 0303 123 1113
Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Contact Us
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our data protection officer:
- Maria Mace | [email protected] | 01536 215240
© Copyright 2026. Gateway HR & Training Limited. All rights reserved.