Introduction

This Policy sets out the obligations of peoplewise Limited, a company registered in England and Wales under number 2682510, whose registered office is at 20 Hammersmith Broadway London, W6 7AF (“the Company”) regarding data protection and the rights of customers, business contacts, survey respondents (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

peoplewise is concerned about the safety and privacy of all users of the Service. Please read our Data Privacy Policy which is an important part of the Terms of Use. The Privacy Policy (together with our Terms of Use) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed. All personal data is processed in accordance with the Data Protection Policy and GDPR requirements. Please read the following carefully to understand our practices regarding your personal data.

For the purpose of the Data Protection Act 1998 (the Act), the data controller is peoplewise of 20 Hammersmith Broadway London, W6 7AF (registration number 02682510). This policy applies to our Service only. If you leave our Service to visit another, via a link or otherwise, you will be subject to the policy of that website provider.

Information we may collect from you

To carry out our Service, we need your permission and consent to collect, process, store and transfer certain information about you. This information may be personal data (such as demographic information regarding your age, education and work history). It will not include any information about classified by the GDPR as “special category” personal data. For all demographic personal data, you will have the option to enter ‘prefer not to say’.

Your personal data will be held by the Company for research, statistical and human capability identification and development purposes. We shall only collect and process personal data for and to the extent necessary for the specific purpose/s to which you have been informed.

By accepting this Privacy Policy, by registering with us, by participating in any of our online feedback or assessment processes, or by otherwise using our Service, you consent to the collection, processing and transfer of your personal information, by peoplewise under the terms of this Privacy Policy.

How long we keep your information

In accordance with GDPR and the Data Protection Act, we shall not retain any of your personal data for longer than is necessary in light of the purpose(s) that the personal data was originally collected, held and processed.

When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay. All personal data will be encrypted after five years and stored for research purposes.

In certain circumstances we may destroy or delete any of your personal information that we hold. Please note that our policies on privacy will be overridden where we are required or permitted to disclose personal information under law or the terms of any court order.

The periods for which we retain your personal information depends on the purposes for which we use it. However, in certain circumstances we may destroy or delete any of your personal information that we hold. Please note that our policies on privacy will be overridden where we are required or permitted to disclose personal information under law or the terms of any court order.

IP addresses and cookies

‘Cookies’ are small pieces of information between a web server and a web browser, which enable the server to collect information from the browser. We use cookies to enable us to provide the mechanisms for online browsing and to monitor traffic. These cookies do not contain any personally identifiable information.

We may collect information about your computer, including where available, your internet protocol (IP) address, operating system and browser type, for system administration and to report aggregate information. This is statistical data and does not identify any individual and we will not collect personal information in this way.

We may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service.

You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of our Service. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to our site.

• To opt out of being tracked by Google Analytics visit Google Analytics Opt-Out

Where we store your personal data

We will ensure that all personal data collected, held and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. We undertake a range of technical and organisational measures with respect to secure storage and disposal of your personal data.

The data that we collect from you may be transferred to, and stored at, a destination outside the European Union (EU). The recipient countries may not have the same data protection laws as the country from which peoplewise  initially obtained the information. It may also be processed by staff operating outside the EU, who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your service, and the provision of the Service. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:

• The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
• The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
• The transfer is made with the informed consent of the relevant data subject(s);
• The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
• The transfer is necessary for important public interest reasons;
• The transfer is necessary for the conduct of legal claims;
• The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
• The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

All information you provide to us is stored on our secure servers. Where you have a password to access certain parts of the Service, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the internet is not a secure medium. However, we have put in place various security procedures to help ensure that your information is as secure as is possible. We cannot however guarantee the security of any data transmitted to our site via the internet; it is not completely secure and any transmission is at your own risk. We will do our best to protect your personal data and use strict procedures and security features to try to prevent unauthorised access.

Disclosure of your information

We may disclose your personal information to third parties:

• in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets
• if we are under a duty to disclose or share your personal data in order to comply with any obligation by law, to our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
• if they are clients who have engaged peoplewise  in the delivery the Service for which you are providing information
• if they are freelance associates, who provide services to us which may cover, but are not limited to, the Service; Occupational Health Services; lawyers, accountants, and other administrative, security and back-up and services. As part of providing those services, such third parties may be provided with access to personal information.

In addition, our software development partners may use personal information for purposes of modifying, improving, refining and validating their technology, and research and development.

Where we disclose your information to third parties, we will obtain assurances from the third party that they will protect that information according to the standards described in this Privacy Policy, GDPR and the Data Protection Act.

Your rights

Under the GDPR, you have the right to be informed about the collection and use of your personal data, including the purposes for collecting your personal data, the retention periods for that personal data, and who it will be shared with. You will be informed of this privacy information at the time that personal data is collected from you.

Under the GDPR, you have the right to obtain confirmation that your personal data is being processed, the right to access your personal data, and the right to access other supplementary information (if relevant). For more information see below.

Under the GDPR, you have the right to have inaccurate personal data rectified or completed, if it is incomplete. You can update your demographic personal data directly on Enable via your profile page. You can also make a request for rectification of personal data verbally or in writing. We shall respond to your request within one calendar month. In certain circumstances, we retain the right to refuse a request for rectification.

Under the GDPR, you have the right to erasure (also known as the ‘right to be forgotten’). Unless we have reasonable grounds to reuse to erase personal data, all requests for erasure shall be complied with, and you shall be informed of the erasure within one month of receipt of the erasure request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, you shall be informed.

Under the GDPR, you have the right to restrict restriction or suppress the processing of your personal data. This is not an absolute right and only applies in certain circumstances. You can make a request for restriction verbally or in writing.

Under the GDPR, you have the right to data portability, which includes the right to to receive a copy of your personal data and to use it for other purposes (namely transmitting it to other data controllers). To facilitate data portability, we shall make available all applicable personal data to you, by written request, in CSV format.

Under GDPR, you have the right to object to the Company processing your personal data based on its legitimate interests and direct marketing (including profiling). If you object to the Company processing your personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override your interests, rights and freedoms, or that the processing is necessary for the conduct of legal claims. If you object to the Company processing your personal data for direct marketing purposes, the Company shall cease such processing immediately. If you object to the Company processing your personal data for scientific and/or historical research and statistics purposes, you must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. We are not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.

Under the GDPR, you have rights with respect to automated decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual). Where personal data is used for profiling purposes, clear information explaining the profiling shall be provided, including the significance and likely consequences of the profiling; appropriate mathematical or statistical procedures shall be used; and actions will be taken to prevent discriminatory effects arising out of profiling.

Under GDPR, you have the right to withdraw your consent at any time by unticking the ‘opt in’ box on your profile page. By opting out your Enable account will be closed and all your personal data shall be anonymised and encrypted and retained for research purposes only.

Under GDPR, you have the right to lodge a complaint with a supervisory authority (e.g. the Information Commissioner’s Office) if you consider that the processing of your personal data relating infringes GDPR regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint.

Access to information

In accordance with the GDPR and the Data Protection Act, you have the right to access information held about you.

You may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about you, what it is doing with that personal data, and why.

If you wish to make a SAR, you should do so using a Subject Access Request Form via the Company’s Data Protection Officer at 20 Hammersmith Broadway London, W6 7AF. Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, you shall be informed.

Changes to our privacy policy

We regularly review and, where necessary, update our privacy information. If we plan to use your personal data for a new purpose, we will update our privacy information and communicate the changes to individuals before starting any new processing.

Any changes we make to our privacy policy in the future will be posted on this page; we advise that you check this page regularly to keep up to date with any necessary changes.

Contact

The Company’s Data Protection Officer is Nicola Adcock. Questions, comments and requests regarding this data privacy policy are welcomed and should be addressed to the Company’s Data Protection Officer at letushelp@peoplewise.co.uk