ERA Services CIC, company number, 12441128 registered at Solway House Business Centre, Parkhouse Road, Carlisle CA6 4BY(“We”) are committed to protecting and respecting your privacy.
For collecting data covered by The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the Data Controller is Sandra Movassagh and we are registered with the Information Commissioner Office (ICO), registration number ZA831080.
The purpose of this policy is for you to understand what data we collect, why and what we do with the data. We aim to comply with the principles set out in Article 5 of the GDPR. Article 5(1) requires that personal data shall be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Information we may collect from you
We may collect and process the following data about you:
- Information that you provide by filling in an enquiry form on our site. We will use this information to send answers to your enquiries only. We may also ask for further information if you are reporting problems with our website. This will be stored: on our email system. You have the right to withdraw consent at any time by asking us to delete these emails.
- If you contact us by email, we will keep a record of that correspondence. This will be stored: on our email system. You have the right to withdraw consent at any time by asking us to delete these mails.
- Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access. This will be stored: on our Google Analytics account – see Cookies below for further information.
- Details of your registration for an ERA assessment. This will include Company Information, details of your Directors, latest company accounts and documentation provided as supporting evidence with the audit questionnaire.
- Personal details required for any employee of our company in order to pay you and make necessary reports to HMRC. This will include proof of ID and address, evidence of right to work in the UK, bank details and National Insurance number.
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users’ browsing actions and patterns and does not identify any individual.
All information you provide to us is stored on our servers (see above: Information we may collect from you). We have computer safeguards such as firewalls and data encryption to protect your information. We also operate from a secure office building protected by alarms and covered by constant CCTV surveillance. The transmission of any personal data is done so in an encrypted manner using a Secure Sockets Layer (SSL).
Though we adhere to as many technical and organisational measures possible to safeguard your personal data, we unfortunately cannot guarantee the security of any personal data that you transfer over the internet to us.
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
- Your consent by signing/accepting your contract of employment with us. You are able to remove your consent at any time. You can do this by contacting a Director
- We have a contractual obligation
- We have a legal obligation
- We have a legitimate interest
We use information held about you in the following ways:
- To reply to your enquiries
- To provide you with information on our service that you request from us, where you have consented to be contacted for such purposes.
- To conduct our assessment, should you enter into a contractual agreement with us for our services.
- For employees of ERA Services to pay you and make onward payments to HMRC of tax and National Insurance contributions.
We may disclose your personal information to members of our company, which means ERA Services CIC, its subsidiaries such as sales/marketing and the members of the auditing team assigned to your company.
We have computer safeguards such as firewalls and data encryption to protect your information. We also operate from a secure office building protected by alarms and covered by constant CCTV surveillance. The transmission of any personal data is done so in an encrypted manner using a Secure Sockets Layer (SSL). Though we adhere to as many technical and organisational measures possible to safeguard your personal data, we unfortunately cannot guarantee the security of any personal data that you transfer over the internet to us. The personal data that we collect from you may be transferred to, and stored at, a destination deemed ‘adequate’ for transference. At no point will it be shared or stored outside of those geographical limits. We will put in place appropriate protection to make sure your personal data remains adequately protected and is treated in line with this policy.
Under the Data Protection Law, you have the following rights:
Right to be Informed – this is a key transparency requirement under the UK GDPR. You have the right to be informed about the collection and use of your personal data. As outlined in this policy, we will provide you with a clear concise information about what we do with your personal data.
Right of Access – to see the personal data we hold about you. This is called a Subject Access Request. If you would like a copy of the personal data we hold about you, contact the HR Director.
The law allows us to charge a ’reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data. Should this be the case, our policy is a fee of £10.
Right to Rectification – We want to make sure that the personal data we hold about you is accurate, complete and up to date. If any of the details are incorrect, please let us know and we will amend, update or complete them.
Right to Erasure – in certain circumstances, you are able to exercise your “Right to be forgotten”. Requesting this service will result in the removal of all correspondence and data points that we hold on you as a company, including the request itself. To contact our data controller directly please make an enquiry to the operations director.
Right to Restriction of Processing – in certain circumstances, you have the right to ask us to restrict the processing of your information.
Right to Object to Processing – in certain circumstances, you have the right to object to the processing of your personal data
Right to Data Portability – in certain circumstances, you have the right to ask that we transfer the information you gave us to another organisation, or to you.
Rights to Automated Decision Making and Profiling – We do not conduct decision making and profiling which relies solely on automation. All decision making processes involve human involvement.
You are not required to pay any charge for exercising your rights. (Except for a ‘reasonable’ administrative fee where an access request is found to be manifestly unfounded or excessive, or if an individual requests further copies of their data). If you make a request, we have one month to respond to you.
We are fully GDPR compliant, both as a processor and controller of personal data and recognise our obligations to ensure full compliance on an ongoing basis.
We respect our employee’s rights to data privacy and protection and the safeguarding of personal information. As such, we are continually revising our internal procedures and working practices in order to meet the requirements of the GDPR.
We responsibly promote the awareness of the GDPR across our company through staff training and actively identifying any gaps and implement new policy requirements as it becomes appropriate.
In order to comply with the full GDPR legislation we have a legal responsibility to notify any breach of personal data to the supervisory authority.
In the case of a personal data breach, the processor (you), shall notify the controller (managing director), without undue delay after becoming aware of the said breach.
The notification of the above shall:
- Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
- Describe the likely consequences of the personal data breach
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
- Please be advised that all data breaches, queries or errors must be reported to the data controller immediately for review/advice and/or reporting.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113