ATaC GDPR Privacy & Cookies Policy

GDPR Privacy Policy

Asbestos Removal Contractors Association Limited (“ARCA”/“We”/“Us”) are committed to protecting and respecting your privacy.  All policies also apply to Asbestos Testing and Consulting (ATaC) which is a division of ARCA and to all our websites (www.arca.org.uk, www.atac.org.uk and www.arca.ie) (the “Sites”).

This Privacy and Cookie Policy (together with our Website Terms of Use and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.  Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.  If you have any questions about this Privacy and Cookie Policy and/or the processing of your personal data under the General Data Protection Regulation, you can reach us by email at info@arca.org.uk.  Alternatively, you can contact us at:

ARCA Ltd
Unit 1 Stretton Business Park 2
Brunel Drive
Stretton
Burton upon Trent
Staffordshire
DE13 0BY

We review this Privacy and Cookie Policy regularly.  Occasionally we may need to make changes or additions to the Privacy and Cookie Policy that may affect how we handle your data.  We will post new versions of this on our Sites.  We may also notify you of changes to this Privacy and Cookie Policy by email.

Information Commissioners Office Registration Reference: Z9332145

Purpose for processing

  • To administer and provide membership services;
  • To send communications to you such as information, news or surveys about ARCA or ATaC;
  • To carry out our obligations arising from any contracts entered into between you and us;
  • To prevent fraud and other prohibited or illegal activities;
  • To meet legal and regulatory requirements;
  • To notify you about changes to our services, including contacting you by email, telephone or post; and/or;
  • To create records of qualification assessments and meetings otherwise, as disclosed to you at the point of collection.

Legal basis for processing:

We will only use your personal data when the law allows us to.

  • We will use your personal data when you have given clear consent for us to process your personal data for a specific purpose (Basis: Art 6(a) GDPR).
  • We will use your personal data where we need to perform a contract we have entered into with you (Basis: Art 6(b) GDPR).
  • We will use your personal data for the purposes of the legitimate interests of the Association (Basis: Art 6(f) GDPR).

The kind of information we hold about you

We may collect and process the following data about you:

Information that you may provide: by filling in forms on the Sites; on forms or documents you send to us by post, email or by telephone. This includes information provided at the time of registering to use the Sites, by subscribing to our services or requesting further services whether on-line or by post or telephone.  Such information may include your name, age, postal and email addresses, telephone number, national insurance number, qualifications and photograph.

We may also ask you for information when you report a problem with the Sites.

If you contact us, we may keep a record of that correspondence.

We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.

Details of transactions you carry out through the Sites and of the fulfilment of your requests.

Details of your visits to the Sites including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access.

ARCA operates in accordance with the General Data Protection Regulation (GDPR) in respect of any personal information you may supply, e.g. name, address, e-mail, National Insurance number, photograph etc.

If you are a user with general public and anonymous access, the Sites do not store or capture personal information, but merely log your IP address which is automatically recognised by the web server. This statement only covers the Sites maintained by ARCA. This statement does not cover other websites linked to from within the Sites. The system will record your e-mail address and other information if volunteered to us by you. This shall be treated as proprietary and confidential, and will only be used to provide the services you have specifically signed up for. By subscribing to these services, you are giving your consent to ARCA to hold this information.

Processing

The details we hold about you may be updated or removed, and further information about qualifications you hold and the like, may be added to the data we store.

How is your personal information collected?

We collect personal data about you through your applications for membership, registration onto training courses or qualifications, during qualification assessments, during meetings and when you give us specific consent to receive marketing information, and data that is available in the public domain.  This is collected online, by email, by post, by filling in a form, by telephone or by audio or video recording.

The recipients or categories of recipients of personal data

We may share your personal information with our suppliers who administer a service in order to provide you with the relevant service on our behalf, e.g. providing personal data to Awarding Organisations for the purposes of the award of a qualification. We may also disclose your personal information to third parties:

  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation;
  • In order to enforce or apply our agreements;
  • To protect the rights, property, or safety of ARCA, our customers, or others.  This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and
  • To help ARCA or our affiliates analyse and/or improve our communication or relationship with you.

Except as described above, we will not disclose your personal information to third parties for their own marketing purposes unless you have provided consent.

ARMI Smartcards

  • Reference Point Limited: Reference Point Limited is the technology provider for our smartcard ecosystem and acts as a data processor for your data on our behalf. Reference Point keeps a log of all online card transactions, which is used for support purposes, for helping us understand how cards are being used and for producing statistics about card use. Reference Point Limited may also process your data in order to provide us with technical support services.
  • Person checking your card using CSCS Smart Check: When your card is read electronically, a copy of your card is recorded by CSCS Smart Check along with the time and location, where available. This provides a log of the cards that have been read for the person reading your card.
  • Custom Card Services International Limited: In the case of physical cards, your personal data will be provided to Custom Card for the purpose of printing and encoding your card.
  • Other recipients: CSCS Smart Check enables the person who has checked your card to forward a copy of your data to someone else - someone at head-office for example. Before doing this, the card checker should inform you who the data will be sent to and what it will be used for.
  • Your card can also be checked electronically by some other software systems. Users of these systems are required to comply with applicable data protection rules when processing your data.

Your data and the EEA

The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) and by using ARCA products or services (including the Site), you consent to any such transfer of personal data outside the EEA.  Personal Data held outside of the EEA will be stored with Mailchimp or Microsoft.  Mailchimp’s agreement is certified with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework and Microsoft’s agreement complies with the EU-US Privacy Shield and EU Model Clauses, and therefore both comply with GDPR requirements.

We will not transfer any data that we collect or receive from you that constitutes personal data outside of the EEA unless there are appropriate safeguards or an adequacy decision in relation to the transfer as set out in the data protection legislation or the transfer otherwise complies with the data protection legislation. Such transfers may involve, for example, the use by Reference Point Limited of third party services allowing them to send e-mails or automated SMS messages on our behalf which make use of facilities in third countries to process and store data.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We will not retain your personal data longer than necessary, in relation to the purpose for which such data is processed.

By submitting applications for membership, AMI Smartcards, booking forms for training courses or qualifications, or subscribing to any of our services or communications you agree to this storing or processing.

Data Storage:

All data, including unencrypted audio and video recordings, and any transcripts produced from those recordings, will be stored on ARCA’s secure password protected IT system.  Access to data will be restricted to those authorised by ARCA to process and view the data. 

Where audio recording devices such as a dictation machines or mobile phones with dictation apps are used, which do not routinely offer encryption, the data will be transferred to ARCA’s secure password protected IT system as soon as practicable.  Access to data will be restricted to those authorised by ARCA to process and view the data. 

The data will be retained in accordance with our policy on ‘retention period and criteria used to determine the retention period’ below

Retention period and criteria used to determine the retention period:

  • Membership details and employees personal data associated with member companies shall be stored for the duration of the membership.  When companies are no longer members of the Association all personal data in relation to the company shall be permanently deleted, unless any of the employees have undertaken a training course or qualification within the past 3 years.
  • All training and qualification delegate personal data, including audio and video recordings, will be permanently deleted or destroyed 3 years after the qualification or training course has been completed.
  • All marketing information will have an ‘opt out’ or ‘unsubscribe’ for recipients if you opt out of any of our marketing lists we will delete your personal information and not send that communication to you again unless you give us consent.
  • Your AMI Smartcard may be suspended or cancelled at our discretion. However, your card is otherwise valid until its expiry date. 
  • We shall hold your personal data and all your AMI Smartcard data for as long as you hold a valid card and for a period of 3 years thereafter.
  • Audio recordings for the purposes of confirming meeting minutes will be stored for no longer than necessary and will be permanently deleted once the minutes of the meeting are accepted by either ARCA or the meeting participants, whichever is the sooner, as a true record of the meeting.

Your rights

You have the right to request access to your personal data and correction or erasure of your personal data. You also have rights to restrict the processing of your personal data or to object to processing in certain circumstances. You also have the right to request the transfer of your personal data to another party.

Where our processing is based on your explicit consent to our processing, you have the right to withdraw such consent (this will not affect the lawfulness of processing prior to the withdrawal of your consent).

If you wish to exercise any of these rights please contact info@arca.org.uk

Complaints to Information Commissioner

You have the right to lodge a complaint about our processing with the Information Commissioner.

Consequences of failure to provide personal data
Your provision of personal data to us is a requirement necessary for you to enter into a contract with us to provide our services.  If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you.

Automated decision making

Your personal data may be subject to automated decision-making, for example, data on your AMI Smartcard may be used to determine whether or not you have the right qualifications to be gain electronic entry to a particular site.

Cookies

A cookie is a small piece of data sent from a website and stored in the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember information or to record the user's browsing activity (clicking particular buttons, recording which pages were visited in the past).

Like a lot of websites today, this website uses cookies as part of the Member Login process, that is, if the ‘remember me’ checkbox is ticked a cookie will be saved on to the Members device to store their login details.

When you access the Sites, some information in the form of a “cookie” or similar file may be automatically downloaded to your computer. This helps us to enhance the on-line experience of visitors to the Sites. If you do not want cookies sent to or stored on your system, most Internet browsers will allow you to delete or block cookies from your computer hard drive, prevent them from being stored or signal a warning before a cookie is stored. You should refer to your browser instructions or help screen to learn more about these functions. However, please note that if you use your browser settings to delete or block cookies you may not be to access all or parts of the Sites. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies as soon you visit the Sites.

If you continue to use the Sites, you agree to our use of cookies.

We may use navigational data for system administration and to report aggregate information to our advertisers or other stakeholders. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.

This means that your session will be tracked, but you will not be identified. We use cookies to track the pages that you visit on the Sites and to ensure that you do not see the same information repeatedly. We may also collect non-personal information, such as number of Site visits and tracking patterns of page viewing, to monitor the performance of the Sites and make improvements to it.

Changes to our Privacy and Cookie Policy

Any changes we may make to our Privacy and Cookie Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. We encourage you to periodically review this Privacy and Cookie Policy to be informed of how ARCA is protecting your personal data.

GDPR Privacy and Cookie Policy Effective Date: 10th August 2018