Privacy & Data Protection Policy

Introduction

1. Excellentia Limited understands that your privacy is important to you and that you care about how your personal data is used. Excellentia Limited respect and value the privacy of all of our Associates and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

2. The European Union (EU) General Data Protection Regulation (GDPR) places obligations on a controller of personal data (Excellentia Limited.) to ensure the protection of that data when they are processed by a third party i.e. a processor (sub-contractor). In forming a controller/processor relationship, the GDPR is quite specific about the fact that a contractual agreement must be in place between the two parties, and that it should specify key items of information about the personal data involved and how it is processed.

Addressing Compliance to the GDPR

3. The following actions are undertaken to ensure that Excellentia Limited complies at all times with the accountability principle of the GDPR:

  • The legal basis for processing personal data is clear and unambiguous.

  • A Data Protection Officer is appointed with specific responsibility for data protection in the organisation.

  • All staff involved in handling personal data understand their responsibilities for following good data protection practice.

  • Training in data protection has been provided to all staff.

  • Rules regarding consent are followed.

  • Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively.

  • Regular reviews of procedures involving personal data are carried out.

  • Privacy by design is adopted for all new or changed systems and processes.

United Kingdom’s withdrawal of the European Union

4. In preparations for the United Kingdom’s withdrawal of the European Union Excellentia Limited will monitor changes, prepare and continue to carry out good data protection and privacy principles after 31st January 2020. Please see the below European Commission website for further details.

5. “The United Kingdom submitted on 29 March 2017 the notification of its intention to withdraw from the Union pursuant to Article 50 of the Treaty on European Union. This means that unless a ratified withdrawal agreement establishes another date, all Union primary and secondary law will cease to apply to the United Kingdom from 30 March 2019, 00:00h (CET) (‘the withdrawal date’). The United Kingdom will then become a ‘third country’” European Commission

Information About us

6. Excellentia Limited. Limited company registered in England & Wales under company number 5974563

Registered address:

Anglo House, Worcester Road, Stourport-On-Severn, Worcestershire, DY13 9AW.

VAT number: GB 103 9884 04

Data Protection Officer:

Email address: dpo @ ExcellentiaGlobal.com

Telephone number: 020 7060 2130.

Postal Address: Excellentia Limited, Suite 101, 95 Wilton Rd, London SW1V 1BZ

Excellentia Limited are regulated by Information Commissioners Office

Registration Number: ZA022642

What Does This Notice Cover?

7.   This Privacy Information explains how Excellentia Limited use your personal data within its operational business activities: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.

What is Personal Data?

8.   Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

9.   Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

10. The personal data that Excellentia Limited use is set out in “How do You Use My Personal Data”

What Are My Rights?

11.   Under the GDPR, you have the following rights, which Excellentia Limited will always work to uphold:

a.    The right to be informed about our collection and use of your personal data.

b.     The right to access the personal data Excellentia Limited hold about you. Part 494 will tell you how to do this.

c.     The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 6 to find out more.

d.     The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that Excellentia Limited have. Please contact us using the details in Part 6 to find out more.

e.     The right to restrict (i.e. prevent) the processing of your personal data.

f.     The right to object to us using your personal data for a particular purpose or purposes.

g.    The right to data portability. This means that you can ask us for a copy of your personal data held by us to re-use with another service or business in many cases.

h.    Rights relating to automated decision-making and profiling. Part 6 explains more about how Excellentia Limited use your personal data, including automated decision-making and profiling.

12. For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 6.

13. Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.

14. If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

15.   Our timeline to comply with your rights are documented below:

Data Subject Request Timescale
The right to be informed When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)
The right of access One month
The right to rectification One month
The right to erasure Without undue delay
The right to restrict processing Without undue delay
The right to data portability One month
The right to object On receipt of objection
Rights in relation to automated decision making and profiling. Not specified

What Personal Data Do You Collect?

16. Excellentia Limited may collect some or all of the following personal data (this may vary according to your relationship with us):

  • Name

  • Address

  • Email address

  • Phone number

  • Business name

  • IP Address

  • Job title

  • Professional Details

  • Social Network information

  • Information about your preferences and interests

  • Data required as per Right to work

  • BPSS

Where deemed appropriate you will be contacted to fulfil BS7858 check requirements. The BS7858 is a code of practice released by British Standards Institution, a business standards company which supports companies in achieving excellence within their field, and continuously boosting performance. This code in particular refers to security screening of individuals employed in a security environment. These checks might include:

  • Identity checks

  • ID confirmation

  • Five years address history

  • Right to Work check

  • Character references

  • SIA Licence check (if applicable)

  • Financial checks

  • Bankruptcy / Insolvency / IVA

  • CCJ (Up to £10,000)

  • Credit score

  • Employment Checks

  • Five or 10 years employment history

  • Gap referencing (more in-depth and extended to 31 days)

  • Criminal records

  • Basic Disclosure

How Do You Use My Personal Data?

17. Under the GDPR, Excellentia Limited must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. Your personal data will be used for one of the following purposes:

    a.      Carrying out a contract of employment and/or subcontract.

    b.      Carrying our verification of identity checks as required by Right to work, BPSS and BS7858 checks.

    c.      Providing and managing your account.

    d.      Your personal details are required in order for us to enter into a contract with you.

    e.      Personalising and tailoring our products and services for you.

    f.       Communicating with you. This may include responding to emails or calls from you.

    g.      Supplying you with information by email or post that you have opted-in to (you may unsubscribe or opt-out at any time by visiting our data protection area online

 

Lawfulness of Processing

18.    The lawful basis in which we process your The European Union (EU) General Data Protection Regulation (GDPR) Article 6 (Personal) data is to allow us to prepare and into a contract with you, therefore for this type of data the legal basis is as follows:

The European Union (EU) General Data Protection Regulation (GDPR) Article 6:

    (b)    processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Excellentia Limited have a duty of care to our end clients, general public and our personnel. The lawful basis in which we process your Article 9 (Special Category) data is in the public interest and in a protective function that we do so, therefore for this type of data the legal basis is as follows:

The European Union (EU) General Data Protection Regulation (GDPR) Article 9:

     (g)    processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

and as per Union or Member State law:

Data Protection Act (2018) Schedule 1, Part 6 (11) Protecting the public against dishonesty.

Excellentia Limited may have to process personal data relating to criminal convictions and offences

The European Union (EU) General Data Protection Regulation (GDPR) Article 10 data:

Data Protection Act (2018) Schedule 1, Part 6 (11) Protecting the public against dishonesty and Article 9 (g) applies.

           In the case exposure is to individuals under the age of 18 or deemed as “at risk”:

Data Protection Act Schedule 1 Part 68 Safeguarding of children and of individuals at risk.

Unless it is necessary for a reason allowable in The European Union (EU) General Data Protection Regulation (GDPR), Excellentia Limited will always obtain explicit consent from a data subject to collect and process their data. This is as per the ICO Direct Marketing Code of Practice, The Privacy and Electronic Communications (EC Directive) Regulations 2003, The Data Protection Act 2018 and The European Union (EU) General Data Protection Regulation (GDPR). Your agreement to this privacy policy is positive affirmation and is the explicit consent.

19. In case of children below the age of 16 (a lower age may be allowable in specific EU member states) parental consent will be obtained. Transparent information about our usage of their personal data will be provided to data subjects at the time that consent is obtained and their rights with regard to their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language and free of charge. Please see our compliance area on our website [1] if you wish to withdraw consent.

20. With your permission and/or where permitted by law, Excellentia Limited may also use your personal data for marketing purposes, which may include contacting you by email, telephone, text message, post with information, news, and offers on our products or services.

21. We may contact you indirectly or directly, by means of our social media pages, profiles and ads. By following us on social media, you agree to give consent to be contacted this way. We do not sell or pass on any data collected via social media.

22. You will not be sent any unlawful marketing or spam.  Excellentia Limited will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out.

23. Excellentia Limited do not use automated systems for carrying out Marketing Activities, as per this privacy policy.

How Long Will You Keep My Personal Data?

24. Excellentia Limited will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):

    a.     Where contracts and services have been undertaken your data is kept on file for a minimum of seven years for legal and accounting obligations.

    b.     Periodic contact with data subjects on a yearly basis will be undertaken, all data subjects will be contacted to update their details.

    c.     During email marketing activities Excellentia Limited will provide an unsubscribe link at the bottom of the email. Your details will then be unsubscribed from our mail out system.

    d.     Where un-subscription has not occurred, and no contracts or services have been provided, data will be kept for a maximum of three years and then removed.

 

How and Where Do You Store or Transfer My Personal Data?

25. Excellentia Limited takes every effort to store your personal data in the UK within its day to day business operations. We have acquired service providers that provide this specifically. This means that the data will be fully protected under the GDPR.

26. In certain circumstances where we use service providers outside of the UK we have opted for EEA service providers. The European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein).

27. Excellentia Limited wherever possible will store your personal data within the European Economic Area (the “EEA”) where it is having been deemed acceptable to do so. Excellentia Limited investigates the processing of data thoroughly and ensures that the correct level of data protection and privacy is there, with the relevant documentation to say so. This means that your personal data will be fully protected under the GDPR or to equivalent standards by law.

28. Countries Listed within the EEA:

Austria       Belgium

Bulgaria     Croatia

Cyprus       Czech Republic

Denmark   Estonia

Finland      France

Germany   Greece

Hungary    Iceland

Ireland       Italy

Latvia         Liechtenstein

Lithuania   Luxembourg

Malta          Netherlands

Norway      Poland

Portugal    Romania

Slovakia    Slovenia

Spain         Sweden

United Kingdom

International Transfers of Personal Data

29. Transfers of personal data outside the European Union will be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data applicable in the receiving country and this may change over time.

30. Intra-group international data transfers will be subject to legally binding agreements referred to as Binding Corporate Rules (BCR) which provide enforceable rights for data subjects.

Third Countries Service Providers

31. Where any of your data is processed outside of the UK and EEA, Excellentia Limited investigates the processing of data thoroughly and ensures that the correct level of data protection and privacy is there, with the relevant documentation to say so.

32. Third countries may not have data protection laws that are as strong as those in the UK and/or the EEA. This means that Excellentia Limited will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR.

33. An example would be if we use an international provider who has servers based in United States of America. In this instance before interacting with such service, we would check to see if they are part of Privacy Shield. You can check to see if a USA based company is certified company here Privacy Shield Participant check

34. We would then progress our checks by investigating their privacy policy and any relevant security and compliance documentation.

35. Once relevant checks have been undertaken, service providers will then be part of our approved provider list. Service provider Privacy Policies will be checked annually to check for adherence to our own standards, unless we are informed of changes prior to this. This document is reviewed annually and upon significant change to Excellentia Limited and relevant legislation.

36. Where your data is processed outside of the EEA, we limit the exposure of the data to the processor wherever possible to core functions. Your data will only be used as documented as part of the service providers Privacy Policy. Please see section 40 for further details on how we share your data with our service providers.

37. Excellentia Limited will not transfer your personal data which we hold as part of our marketing activities to an unstable country or one where it would be at risk.

Secure by Design

38. The security of your personal data is essential to us, and to protect your data, Excellentia Limited take a number of important measures.

39. We have introduced best practices and procedures in house and when dealing with any personal data of our data subjects.

40. Our security measures are kept confidential however our security setup is one of layered security measures, which wherever possible is designed to fail safe, as no security measures can be 100%.

41. We are working towards cyber essentials and ISO:27001 compliance for our internal processes. Wherever possible service providers as minimum adhere to Article 5 of the General Data Protection Act.

Privacy by Design

42. Excellentia Limited has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect, or process personal data will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.

The data protection impact assessment will include:

a.    Consideration of how personal data will be processed and for what purposes

b.    Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)

c.    Assessment of the risks to individuals in processing the personal data

d.    What controls are necessary to address the identified risks and demonstrate compliance with legislation

e.    Use of techniques such as data minimization and pseudonymisation will be considered where applicable and appropriate.

Contracts involving the Processing of Personal Data

43. Excellentia Limited will ensure that all relationships it enters into that involve the processing of personal data are subject to a documented contract that includes the specific information and terms required by the GDPR.

Data Breach & Incident Response

44. It is Excellentia Limited’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.

Do You Share My Personal Data

45. Excellentia Limited believe in total transparency and want our associates to know how we interact with their data, along with how we may have to process your data with third parties for our daily business functions.

46. In some cases, those third parties may require access to some or all of your personal data that Excellentia Limited hold. If any of your personal data is required by a third party, Excellentia Limited will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law.

47. Excellentia Limited contract with third parties and those third parties may sometimes contract with third parties (as described above) that are located outside of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). If any personal data is transferred to a third party outside of the EEA, Excellentia Limited will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR, as explained above in Part 25 – 37.

48. In some limited circumstances, Excellentia Limited may be legally required to share certain personal data, which might include yours, if Excellentia Limited are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

How can I Access My Personal Data

49. If you want to know what personal data Excellentia Limited have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

50. All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 6. To make this as easy as possible for you, a Subject Access Request Form is available for you to use in the compliance area of our website. You do not have to use this form, but it is the easiest way to tell us everything Excellentia Limited need to know to respond to your request as quickly as possible. There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

51. Excellentia Limited will respond to your subject access request within one month of receiving it. Normally, Excellentia Limited aim to provide a complete response, including a copy of your personal data within that time. In some cases, Excellentia Limited, particularly if your request is more complex, more time may be required up to a maximum of three months from the date Excellentia Limited receive your request. You will be kept fully informed of our progress.

How Do I Contact You

52. To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the details provided in Part 6 of this document

Changes to this Privacy Notice

53. Excellentia Limited may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if Excellentia Limited change our business in a way that affects personal data protection. Any changes will be made available on our website within our compliance area.