ISSUE DATE 25 May 2018  |  Version 1.0

1.  Introduction

RMI Consulting Ltd (“RMI Consulting”, “the Company”) is committed to protecting the privacy and security of your personal information. The Company is registered with the Information Commissioner’s Office, registration reference number Z3406223.

This Privacy Notice describes how we collect, hold and use personal data about you in accordance with the General Data Protection Regulation (GDPR). It applies to our general business activities as they relate to current, past, future and potential prospects, customers, suppliers, employees, website users and professional contacts.

It is important that you read this Privacy Notice, together with any other data protection information as may be issued to you, as it will help you understand what personal data RMI Consulting holds about you, how we use this data and what rights you have in this respect.

This notice may be updated at any time and we will inform you when significant changes occur. The most up-to-date copy of the notice will be accessible on our website at www.rmiconsulting.co.uk.

Should you have any questions about this Privacy Notice or how the Company manages your privacy and the security of your data, please email dataprotection@rmiconsulting.co.uk or contact us by post to Data Protection Team, RMI Consulting Ltd, Hartham Park, Corsham, Wiltshire SN13 0RP.

2.  What information do we hold and why?

The types of information we hold will vary depending on the category of data subject. For each of the following groups, the likely information to be held is identified along with the lawful basis for doing so. It is noted that more than one lawful basis might apply.

We are committed to only using personal data for the purposes for which we collect it, unless it is reasonably considered that we need to use it for another reason compatible with the original. If this is the case, where appropriate, we will contact you to explain the legal basis for doing so unless we are permitted or required to by law, in which case we may do so without prior notification to you.

Your personal data is not used in any automated decision making or profiling. We will never sell your personal data as marketing information to third parties.

2.1.  Prospects and Clients

For the purpose of the relationship between RMI Consulting and its past, current and future prospects and clients, the overarching lawful basis for processing is Contract, which may include actions required prior to entering into a contract, such as receiving and reviewing personal data that may be necessary in order to prepare a proposal.

Information held in order to fulfil the contractual obligation depends on the nature of the service for which RMI Consulting is engaged to provide and, relating to a specific person where this is with an individual, or the representatives of a company if the relationship is with a corporate entity, may include:

• Name
• Date of birth
• Email address
• Contact number(s)
• Bank details
• Financial information
• Risk information
• Insurance details
• License and accreditation details
• Enforcement action and incident history • Director identification
• Driving license details

For those circumstances where we go above and beyond our standard services within the lawful basis of Contract, we may rely upon Legitimate Interest. Additionally, where we may request feedback from you on our provision of services, this would be collected on the grounds of the Legitimate Interest of our business development and, where possible, data subjects will be provided with the option to contribute anonymously so it is not possible for us to identify them through the feedback provided.

Where RMI Consulting is to liaise with third parties on your behalf, for example, administering the direct procurement of third party services as your representative, it may be necessary to share pertinent information with them. We will restrict such disclosure to only data that is strictly necessary and, where we have any control of selecting such third parties, we will endeavour to undertake checks of their data protection arrangements to the extent that can reasonably be expected.

2.2.  Suppliers

In order to enable the fulfilment of a contract of supply by a third party to RMI Consulting, it may be necessary for us to hold pertinent information on the lawful basis of Contract. Such information may include name, address, email address, contact number(s) and bank details to facilitate payment. This information will be gathered in the course of doing business with you and kept to a minimum.

2.3.  Employees

In order to fulfil our contractual obligation with employees, and legal obligations elsewhere, we may hold the following information:

• Name
• Address
• Email address
• Contact number(s)
• Identification verification
• Bank details
• Pension information
• National Insurance number
• Payroll details
• Health information
• Next of kin
• Driving license details
• Ethnicity
• Trade union membership
• Criminal convictions and offences

Where possible and reasonable to do so given its nature, we will take steps to anonymise data. For example, where information regarding ethnicity is collected for statistical purposes.

It may be necessary to share certain information with third parties, such as our pension provider, to facilitate the pension scheme; Bank, to pay salary and make other payments; and HMRC, to fulfil the Company’s legal obligation to report payroll information.

We may additionally communicate and receive personal data to and from other sources, such as the Disclosure and Barring Service, in order to undertake background checks of employees and prospective employees.

2.4.  Website Users

The information collected and stored relating to your visit to our website helps us improve the user experience by learning from site traffic and usage. You will be prompted to accept the use of cookies to enable this through provision of a cookie banner. Analytics cookies are restricted unless website users have consented.

We engage the services of a third party, Google Analytics, to provide with usage data for our website. This data is processed and presented in such a way that does not identify individual persons. We engage the services of SquareSpace to host our website, who may collect anonymous usage data in order to improve the user experience.

Where any data is transferred or held by a third party in connection with our activities as Data Controllers, we will endeavour to undertake checks of their respective Privacy Policies and GDPR-related documentation.

If you complete the contact form, you will be providing us with data including your name, company name, contact details and the reason for making contact. Our basis for processing this information is Legitimate Interest. On receipt of your enquiry, we may share the information with the relevant person(s) within the company in order to action your request.

You may opt in to receive our periodic newsletter; the lawful basis for which we hold personal data relating to this activity is Consent. All newsletter recipients shall actively opt in and on all such communications the facility to opt out will be made available. For this we may engage the services of MailChimp, a registered trademark of The Rocket Science Group LLC. The data held in this respect includes as a minimum your name and email address. If you opt out of receiving email communications from us, this extends to any communications sent by MailChimp on our behalf.

We do not collect sensitive information through our website.

2.5.  Professional Contacts

We will collect, store and use the personal data, such as names, addresses, email addresses and telephone numbers of professional contacts on the grounds of Legitimate Interest. This information will be gathered in the course of doing business with you and will not be shared with third parties unless considered reasonable to do so and/or where we have notified you prior, for example providing a recommendation of you as a trusted potential service provider to a Client.

3.  How might we collect this information?

The process of collecting your personal data may comprise a variety of sources including:

• Directly from you, in the course of our business relationship
• Networking events and trade shows
• Referrals
• Professional contacts
• Our website and social media channels
• Your website and social media channels
• Public sources, such as Companies House

4.  Information Disclosure

We will not disclose your personal data except in accordance with the lawful bases stated within this Privacy Notice.

For the purposes of fulfilling our contractual obligations to our clients, it may be necessary to share personal data with select third parties. Such disclosure would strictly be as is necessary in the course of providing our services to you and may include Insurers, Insurance Brokers, the Health and Safety Executive and other companies such as Training or Engineering Inspection Providers.

It may be necessary for us to disclose or share pertinent information of yours in accordance with our own business management arrangements to third parties such as our Insurers, Insurance Brokers, IT support provider, bookkeeping software provider, document storage provider, auditors, bank, accountants, HMRC and other Government Agencies. Information is shared with such parties for the purposes of fulfilling our instructions to them, or legal obligations where appropriate, and they are not provided with this information to use for their own purposes.

Where such disclosures are necessary, the third party is responsible to you for their handling of your information and compliance with legal requirements. However, as responsible Data Controllers, we will endeavour to undertake checks of their data protection arrangements to the extent that can reasonably be expected. We will maintain a database of pertinent data protection documentation for such third parties and ensure they have been updated to incorporate reference to the GDPR.

We may also disclose information if permitted or required to do so by law.

5.  International Data Transfer

The vast majority of data we hold or that is held on our behalf is done so within the European Union (“EU”), to which the GDPR applies. We undertake checks of all third party providers that we engage directly to ascertain the location of storage of data they may hold on our behalf.

A small number of the third party providers that hold data on our behalf have data centres outside of the EU, for example in the United States. Whilst the GDPR does not prohibit such data transfer, it is necessary for them to be undertaken in line with recognised methods, including standard contractual clauses and frameworks. For any such organisations, we will take steps to ensure they have comprehensive, robust data protection arrangements and are cognisant of the GDPR and suitably capable of meeting its requirements, including those relating to methods of transfer.

6.  How long will we hold your data for?

Your data will be held for an appropriate duration as per legal, regulatory, industry, accounting, reporting and other such requirements. It will not be held for longer than is necessary or if you request that we no longer hold it, unless circumstances are such that this is not deemed legal or otherwise reasonable, in which case we will provide our reasoning.

We will regularly review the data we hold about you and remove anything that is no longer needed. If it needs to be retained but not regularly accessed, we will lower the risk by safely archiving it or moving it offline.

It may be that we are able to anonymise your data in order to retain it for a longer period, for example for statistical purposes. If this is the case and you cannot be identified from any such data, we may continue to use it without prior notice to you.

Our approach to data retention will be proportionate, ensuring your privacy is balanced with the impact of retention.

7.  How will we protect your data?

Confidentiality and data protection is engrained in our culture and is one of our core values.

We have implemented a variety of technical and organisational measures that collectively protect your data against accidental loss, destruction or damage, safeguarding your privacy. We will ensure these measures are maintained, reviewed and updated as necessary to provide continued protection. Should you wish to find out more about such measures, please contact our Data Protection Team using the contact details provided.

8.  Your Rights

Under the GDPR, you have the right to be informed about the collection, use and retention of your data. You may request access to any or all of your data, often known as a subject access request, to which we will respond within one month.

If any of the data we hold about you is inaccurate or incomplete, it is your right to rectify it.

In certain circumstances, you have the right ‘to be forgotten’. For example, this may be if the data is no longer necessary to be held for the purposes for which it was originally collected, if we are relying upon consent as the lawful basis for holding your data and you withdraw that consent, or if erasure is necessary to comply with a legal obligation.

You may also have the right to suppress or restrict the processing of your personal data, or object to it in certain circumstances.

Your right to data portability allows you to obtain and reuse your data for your own purposes. It allows you to move, copy or transfer personal data easily from one IT environment to another in a secure manner without affecting usability.

Should you wish to exercise any of these rights, please email dataprotection@rmiconsulting.co.uk or contact us by post to Data Protection Team, RMI Consulting Ltd, Hartham Park, Corsham, Wiltshire SN13 0RP.

9.  Complaints

Any complaints regarding our management of data protection should be sent for the attention of the Managing Director via email to dataprotection@rmiconsulting.co.uk or by post to Data Protection Team, RMI Consulting Ltd, Hartham Park, Corsham, Wiltshire SN13 0RP.

This policy will be reviewed on an annual basis, or in the interim should circumstances require it.