You have a legal right to be informed about how our organisation uses any personal information that we hold about you. To comply with this, we provide a ‘privacy notice’ to you where we are processing your personal data.
This privacy notice explains how we collect, store and use personal data about you.
We, Gateway HR & Training Limited, are the ‘data controller’ for the purposes of data protection law.
Gateway HR is registered with the Information Commissioner’s Office (ICO) as a data controller.
Our data protection officer is Theresa Wright (see ‘Contact us’ below).
The personal data we hold
We process data relating to our employees, our clients and employees of our clients. Personal data that we may collect, use, store and share (when appropriate) includes, but is not restricted to:
- Contact details and job title
- Contact information including email address (we may also collect information that is available from your browser) and telephone number
- Information relating to the employment records of our clients’ data subjects
- Demographic information such as postcode, preferences and interests
- Other information relevant to customer surveys and/or offers
- We may keep a record of any correspondence that you send to us.
- Details of your visits to our website including but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access.
- Details of transactions you carry out through the website and of the fulfilment of your order.
- Applications for roles we are recruiting, either on behalf of clients or ourselves.
- Occupational health records on behalf of our clients to enable us to assist clients to make informed decisions about supporting employees in their roles.
- As an applicant for a role you will be required to provide proof of your identity and proof of your qualifications prior to receiving a job offer.
- As part of a recruitment process a criminal records declaration may be required to declare any unspent convictions, in roles that require such checks to be completed.
- CCTV images
- Date of birth and gender (training delegates – when required by accreditation bodies)
- Assignments (training delegates)
- Details of any learning difficulties (training delegates)
- Qualification results (training delegates)
- Other qualifications held
We may also collect, store and use information about you that falls into “special categories” of more sensitive personal data. This includes information about (where applicable):
- Health, including any medical conditions relating to both physical and mental health
Our legal basis for using this data
We only collect and use personal information about you when the law allows us to. Most commonly, we use it where:
- We need to fulfil a contract we have entered into with you
- We need to comply with a legal obligation
- You have given us consent to use it in a certain way
- It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Less commonly, we may also use personal information about you where:
- We need to protect your vital interests (or someone else’s interests)
- We need to carry out a task in the public interest
Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent and explain how you go about withdrawing consent if you wish to do so.
Some of the reasons listed above for collecting and using personal information about you overlap, and there may be several grounds which justify the organisation’s use of your data.
Why we use this data
The purpose of processing your information is to understand your needs and to help us provide you with an effective service.
Collecting this information
We collect your personal data by a variety of means including online communication, telephone communication and face-to-face contact. We may also collect additional information from third parties including employers, employees and other professional bodies.
Whilst you are engaged with our company, we may need to collect additional personal information from you that is not identified on the above list. Before doing so, we will provide you with a written notice setting out details of the purpose and the lawful basis of why we are collecting that data, its use, storage and your rights.
While the majority of information we collect from you is mandatory, there is some information that you can choose whether or not to provide to us. Whenever we seek to collect information from you, we make it clear whether you must provide this information (and if so, what the possible consequences are of not complying), or whether you have a choice.
How we store this data
All data provided is stored on a secure local server with appropriate restricted access and electronic procedures. The data on the server is backed up with a third-party data security company. Your information will not be transferred outside of the European Economic Area.
We use Infusionsoft as a marketing tool and database. Although this is an American software company, they have confirmed that they have taken the necessary steps to be GDPR compliant.
We use Basecamp, a project management software tool, to share information relating to current HR client issues that we are dealing with. The information stored is a brief update, to ensure that any HR consultant understands the progress of a project and can provide appropriate, timely advice to the client. The storage used by Basecamp is a combination of AWS, Google Cloud and its own managed servers, which are located in the USA. Basecamp have confirmed that they have the relevant security measures in place to comply with GDPR.
We will not collect more information than we need to fulfil our stated purposes and will not keep it for longer than is necessary. Once your engagement with us has ended, we will retain all data securely before destroying the information in accordance with our Retention of personal data policy. A copy of the policy can be requested from the DPO.
We will never sell, rent or trade information about you to other companies. Your data will not be supplied to anyone except as described in this privacy notice, unless we are obliged by law to disclose it.
Where it is legally required, or necessary (and it complies with data protection law) we may share personal information with:
- Suppliers and service providers – to enable them to provide the service we have contracted them for, for example, payroll providers, HR system providers and Occupational Health providers. In these instances, we will ensure that any such provider follows the same obligations of security with regards to your data as us.
- Central and local government
- Educators and examining bodies
- Health authorities
- Health and social welfare organisations
- Police forces, courts, tribunals
- Professional bodies
In certain circumstances, this information may be shared after you have ceased engagement with Gateway HR & Training Ltd.
Transferring data internationally
In the unlikely event that we need to transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.
How to access personal information we hold about you
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the organisation holds about them.
If you make a subject access request, and if we do hold information about you, we will:
- Give you a description of it
- Tell you why we are holding and processing it, and how long we will keep it for
- Explain where we got it from, if not from you
- Tell you who it has been, or will be, shared with
- Let you know whether any automated decision-making is being applied to the data, and any consequences of this
- Give you a copy of the information in an intelligible form
You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances.
If you would like to make a request, please contact our data protection officer.
Your other rights regarding your data
Unless subject to exemption under GDPR law, individuals have certain rights regarding how their personal data is used and kept safe. You have the right to:
- Object to the use of your personal data if it would cause, or is causing, damage or distress
- Prevent your data being used to send direct marketing
- Object to the use of your personal data for decisions being taken by automated means (by a computer or machine, rather than by a person)
- Withdraw your consent to the processing at any time, where consent was the lawful basis for processing the data
- In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing
- Claim compensation for damages caused by a breach of the data protection regulations
To exercise any of these rights, please contact our data protection officer.
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact our data protection officer.
Alternatively, you can make a complaint to the Information Commissioner’s Office:
- Report a concern online at https://ico.org.uk/concerns/
- Call 0303 123 1113
- Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our data protection officer: