SUBJECT PRIVACY POLICY
At Personnel Checks, we respect your privacy and are committed to protecting your personal data. In this policy, we explain how we collect and use your personal information when you access and use our background checking portal found at app.personnelchecks.co.uk(the “Portal”).
Please note that links from the Portal may take you to external websites which are not operated by us or covered by this privacy policy. We recommend that you check the privacy policies of such websites before submitting any personal information to them.
1. ABOUT US
The Portal is operated by Personnel Checks Limited (“we”, “us” and “our”). We are based at One Cathedral Square, Cathedral Quarter, Blackburn, Lancashire, England, BB1 1FB.
In order to have access to and to use the Portal, you are required to provide us with certain personal information about you. We refer to such personal information as “Portal Data” and we are, for the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”), the data controller of your Portal Data.
You may be required, through the Portal, to provide us with certain personal information about you so that we can perform particular background checks on you as instructed by one of our customers (a “Customer”). Also certain personal information about you may be generated as a result of background checks that we perform on you. We refer to any such personal information as “Case Activity Data”. We are, for the purposes of the UK GDPR and the DPA 2018, a data processor of your Case Activity Data. The Customer who instructed us to perform the particular background checks on you shall be the data controller of your Case Activity Data. As we are a data processor of your Case Activity Data (and not the data controller), this privacy policy does not seek to outline how and why we collect Case Activity Data and we suggest that you contact the Customer that has instructed us to perform such background checks to find out these details. This is because they are the entity that is legally required to provide you with such information.
If you have any questions about your privacy rights, or our use of your Portal Data, please contact us.
2. WHAT PORTAL DATA DO WE COLLECT ABOUT YOU AND HOW DO WE COLLECT THAT PORTAL DATA?
We will require you to provide Portal Data if you wish to access and use the Portal. At all times, we will only require you to provide Portal Data to us where it is necessary for you to do so.
A. WHAT PORTAL DATA DO WE COLLECT ABOUT YOU (i.e. what types of personal data make up Portal Data)?
We may collect Portal Data about you whenever you contact us, and/or use Portal. This information may include:
● Contact and Identity Data: such as your full name, title, date of birth, email address, postal address and phone number.
● Financial Data: includes bank account and payment card details.
● Transaction Data: includes details about payments from you to us.
● Device Data: includes the type of computer device you use, a unique device identifier (for example, your device’s IMEI number, the MAC address of the device’s wireless network interface or the mobile phone number used by the device, mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting).
● Profile Data: includes the username and password you created to access the Portal as well as any document belonging to you or generated in relation to you.
● Usage Data: includes details of your use of any of the Portal including, but not limited to, traffic data and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
● Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences.
● [Location data: includes your current location disclosed by GPS technology.]
Special Categories of Personal Data
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, or any trade union membership). Whilst we may collect or receive information about criminal convictions and offences, and health or medical related data, such personal data is Case Activity Data and, as stated in paragraph 1 above, we are a data processor of this data only.
Aggregated Data
We collect, use and share Aggregated Data, such as statistical or demographic data, for any purpose. Aggregated Data may be derived from your Portal Data but is not considered personal data under data protection legislation as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature of the Portal. However, if we combine or connect Aggregated Data with your Portal Data so that it can directly or indirectly identify you, we will treat the combined data as personal data which will be used in accordance with this privacy policy.
If you do not provide Portal Data?
You are not required (by law or by any contract with us) to provide Portal Data to us. We will only require you to provide your Portal Data to us where it is necessary for us to provide you with access to the Portal.
If you fail to provide Portal Data when requested, we may not be able to provide you with access to the Portal.
B. HOW DO WE COLLECT PORTAL DATA?
We have different methods of collecting Portal Data from and about you, including via:
● Direct Interactions:
o You may provide us with Contact and Identity Data, Profile Data, Marketing and Communications Data, and Location Data via telephone or email, or when using the Portal.
o You may provide us with Financial Data and Transaction Data where you are required to purchase our services through the Portal.
● Automated technologies and/or interactions
As you interact with the Portal, we may automatically collect Device Data and Usage Data. This will be collated after using various ‘cookies’ and other similar technologies.
3. HOW AND WHY DO WE USE PORTAL DATA?
It is necessary for us to use your Portal Data in order to make the Portal available to you. When you create an account, and access the Portal, there is a contract between us (please see End User Licence Agreement) and we need to use your Portal Data in order to perform our side of that contract. Otherwise, we will only use your information in this way where we have a legitimate interest to do so. Using your information in this context is necessary so that we can:
● Enable you to use, and provide you with information about, the Portal.
● Contact you about any changes that we make to the Portal.
● Verify your identity, where necessary.
● Deal with any complaints you may have.
● Administer the Portal, including troubleshooting problems, analysing statistics, conducting research and tests and keeping the Portal secure.
Ordinarily, we do not rely on consent as a legal basis for processing any Portal Data (even though consent is likely to be relied upon by the data controller when processing Case Activity Data) other than when sending marketing communications to you via email or text message. You have the right to withdraw consent at any time by contacting us.
We have set out below, a description of all the ways we plan to use your Portal Data, and which of the legal bases we rely on to do so.
Note that we may process your Portal Data for more than one lawful basis. Please contact us if you need details about the specific legal ground on which we are relying to process your Portal Data where more than one ground has been set out in the table below.
| Purpose/Activity | Type of Data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To register you as a new user of the Portal | (a) Contact & Identity | Contract. Necessary for our legitimate interests (to develop the Portal) |
| To enable you to purchase our services through the Portal | (a) Contact & Identity (b) Financial (c) Transaction (e) Profile (f) Location (g) Device (h) Usage (i) Marketing and Communications |
Contract Necessary for our legitimate interests (to develop the Portal) Consent |
| (a) Notifying you about changes to our EULA or this privacy policy (b) Asking you to leave a review or take a satisfaction survey |
(a) Contact & Identity (b) Profile (c) Marketing and Communications |
Necessary to comply with a legal obligation Necessary for our legitimate interests (to keep our records updated and to study how individuals use the Portal) |
| To administer and protect our business and the Portal (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Contact & Identity (c) Profile (d) Location (e) Device (f) Usage |
Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) Necessary to comply with a legal obligation |
| To use data analytics to improve the Portal. | (a) Device (b) Usage (c) Profile |
Necessary for our legitimate interests |
| To make suggestions and recommendations to you about the Portal. | (a) Contact & Identity (b) Device (c) Transaction (d) Usage (e) Profile |
Consent Necessary for our legitimate interests (to develop the Portal) |
Marketing
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. You can ask us to stop sending you marketing messages at any time by contacting us to amend your preferences, methods of contact and products/services you wish to hear about.
Change of purpose
We will only use your Portal Data for the purposes for which we collected it, as set out above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Portal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Portal Data without your knowledge or consent in compliance with the above rules, where this is required or permitted by law.
4. WHO DO WE SHARE YOUR PORTAL DATA WITH?
We may also share your Portal Data with the parties set out below for the purposes set out in the table at paragraph 3. These entities will not use your data to contact you. Selected third parties will be subject to obligations to process your Portal Data in compliance with the same safeguards that we deploy.
We may need to disclose your Portal Data to any one of the following:
Third party service providers, for example: Telecommunications, IT systems etc acting as processors based in the United Kingdom whom we engage to deliver the Portal and our services (e.g. host our dialler system, electronic storing of your personal data).
HM Revenue & Customs, Regulators (The Charity Commission, Information Commissioner’s Office), and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.
Accountants, Solicitors, Compliance Consultants and other similar services based in the United Kingdom who require the reporting of processing activities in certain legal and compliance circumstances.
Third parties to whom may choose to sell, transfer or merge parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change in these circumstances occurs, your personal data will be used in the same way as set out within this privacy policy.
If you have any concerns about your Portal Data being shared, please contact us for more information.
There are certain exceptional circumstances in which we may disclose your Portal Data to other third parties. This would be where we believe that the disclosure is:
Required by the law, or in order to comply with judicial proceedings, court orders or legal or regulatory proceedings.
Necessary to protect the safety of our employees, our property or the public.
Necessary for the prevention or detection of crime, including exchanging information with other companies or organisations for the purposes of fraud protection and credit risk reduction.
In respect of any Case Activity Data, whilst we are not ultimately responsible for who such data is shared with (as we are only a data processor of such data), we may provide you with details of the third parties such data shall be shared with at the moment that you submit such data to us prior to us performing any background checks on you.
5. HOW LONG DO WE KEEP YOUR PORTAL DATA?
How long will we hold your Portal Data?
We will only retain your Portal Data for as long as we need it for the purposes for which it was collected (as set out in paragraph 3), as well as for any purposes necessary to satisfy any legal, accounting or reporting requirements.
If you create and maintain an account on the Portal, we will retain any Portal Data you provide to us at least for as long as you keep your account, and afterwards for a period of 6 (six) years from the date of your last log in.
If you purchase any services through the Portal, we will retain elements of your Portal Data which you provide to us for a period of 6 (six) years from the date of your purchase.
Where you contact us, but you do not have an account on Portal and/or we don’t have an ongoing relationship with you, we will retain your information for a period of 12 (twelve) months, so that we can recognise you if you contact us again in the near future.
If you would like us to delete your Portal Data before the end of these periods, please contact us.
6. INTERNATIONAL TRANSFERS
We do not transfer your Portal Data outside of the United Kingdom.
7. HOW DO WE PROTECT PORTAL DATA?
We will take all steps reasonably necessary to ensure that your Portal Data is treated securely and in accordance with this privacy policy.
We try to ensure that all information you provide to us is transferred securely. Before submitting any personal information through the Portal in particular, we recommend that you check for the padlock symbol in your browser and “https” in the URL. Unfortunately, the transmission of information via the internet is not always completely secure. Although we will do our best to protect personal data, we cannot guarantee the security of data transmitted to the Portal; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
All information which you provide to us is stored on third party secure servers in the UK.
Where you have been provided with any passwords or other credentials which enable you to access certain parts of the Portal, you are responsible for keeping these details confidential.
8. WHAT RIGHTS DO YOU HAVE IN RESPECT OF PORTAL DATA?
In accordance with the current data protection legislation, you are entitled to a range of specific data subject rights. If you wish to exercise any of these rights in relation to any Portal Data, please contact us.
| Your right to ACCESS | You have the right to ask us to confirm whether or not we hold any of your personal information. If we do, you have the right to have a copy of your information and to be informed of the following:
• Why we have been using your information. • What categories of information we were using. • Who we have shared the information with. • How long we envisage holding your information. In order to maintain the security of your information, we will have to verify your identity before we provide you with a copy of the information we hold. The first copy of your information that you request from us will be provided free of charge. If you require further copies, we may charge an administrative fee to cover our costs. |
| Your right to RECTIFICATION | You have the right to have inaccurate personal data rectified. You may also be able to have incomplete personal data completed, although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data. |
| Your right to ERASURE | Under certain circumstances, you have the have the right to have personal data erased. Also known as ‘the right to be forgotten’. This could be if:
• The information is no longer needed for the original purpose for which we collected it. • You withdraw your consent for us to use the information (and we have no other legal reason to keep using it). • You object to us using your information and we have no overriding reason to keep using it. • We have used your information unlawfully. • We are subject to a legal requirement to delete your information. In those situations, you have the right to have your personal data deleted. If you believe that one of these situations applies to you, please contact us |
| Your right to RESTRICT PROCESSING | Under certain circumstances, you have the right to request the restriction or suppression of your personal data. Restriction of processing means we are permitted to store your personal data but we are unable to use it. This right is available where:
• You have informed us that the information we hold about you is inaccurate, and we have not yet been able to verify this. • You have objected to us using your information for our own legitimate interests and we are in the process of considering your objection. • We have used your information in an unlawful way, but you do not want us to delete your data. • We no longer need to use the information, but you need it for a legal claim. |
| Your right to DATA PORTABILITY | You have the right to obtain a copy of your personal data for your own purposes. This allows you to move, copy or transfer your personal data more easily from one IT environment to another, safely and securely, without affecting the usability of the data.
We will attempt to provide such personal data in the manner/format you request but if we determine that the manner/format is unreasonable then we shall be required to provide such personal data to you in the manner/format that we consider most appropriate. |
| Your right to OBJECT | We aim to always ensure that your rights and information are properly protected. If you believe that the way we are using your data is not justified due to its impact on you or your rights, you have the right to object. Unless we have a compelling reason to continue, we must stop using your personal data for these purposes.
You can tell us at any time that you would prefer that we do not use your information for direct marketing purposes. If you would not like to receive any direct marketing from us, please contact us or use the links provided in any of our marketing communications. |
| Your right to be INFORMED | You have the right to be informed about the collection and use of your personal data. Your right to be informed forms part of this policy, and provides the purposes for processing your data, our retention periods and who it will be shared with. |
| Your rights in relation to AUTOMATED DECISION-MAKING AND PROFILING | Any automated decision-making or profiling we undertake is solely for the purpose of tailoring the information which we provide to you. We will not use automated decision-making or profiling to make decisions which will have a legal effect upon you or otherwise significantly affect you, and you have the right not to be subject to such decisions. If you have any concerns or questions about this right, please contact us. |
9. CHANGES TO THIS PRIVACY POLICY
Any changes we make to this privacy policy in the future will be posted on this page, presented to you when you next log in to the Portal and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy policy.
This version was last updated in April 2022 and historic versions can be obtained by contacting us.
10. COMPLAINTS
If you wish to make a complaint about our collection or use of your Portal Data, we ask that you please contact us in the first instance so that we may seek to resolve your complaint.
If you wish to make a complaint about our collection or use of your Case Activity Data, we ask that you please contact the organisation who instructed to perform background checks on you in the first instance so that they may seek to resolve your complaint. If you cannot recall who this organisation was/is then please contact us and we can provide you with such organisation’s details.
You have the right to lodge a complaint with the relevant supervisory authorities that oversee data protection law. In the UK, you may contact the Information Commissioner’s Office if you wish to make a complaint.
11. CONTACT US
If you wish to speak to us regarding your privacy, or our use of your personal data generally or your Portal Data specifcally, please contact us using the following details:
Full Name: Personnel Checks Limited
Post: One Cathedral Square, Cathedral Quarter, Blackburn, Lancashire, England, BB1 1FB
Email: applicants@personnelchecks.co.uk
Telephone Number: 01254 355688