Under the EU General Data Protection Regulation (GDPR) there are six lawful bases for processing personal data. These are detailed as follows:
- Consent – the individual has given clear consent for you to process their personal data for a specific purpose
- Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal Obligation – the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital Interests – the processing is necessary to protect someone’s life
- Public Task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate Interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Indicia Training and Personal Data
As an organisation that only processes business-related data, Indicia Training has assessed all six grounds for lawful processing of personal data. ‘Legitimate Interests’ is the most suitable lawful ground for the processing of data for the purposes of Indicia Training’s marketing and sales.
Indicia Training collects and stores data relating to businesses and decision makers. We believe that these decision makers are likely to have an interest in the Indicia Training course schedule. Deemed as ‘Legitimate Interest’, this is based upon the fact that most organisations have people in need of developing skills to run computer systems and people with a need for improving business/soft skills. Our typical segmentation includes staff within IT, HR, Procurement and Organisational Development.
We collect, process and store the essential information required for making contact with people who would benefit from attending our accredited courses. The personal data we collect is generally limited to first name, last name, job title, business address, email address and telephone number. Indicia Training also collects information relating to Delegates booked to attend courses; this information is generally limited to first name, last name, email address, business address and telephone number. We may also collect information provided to us by our customers on persons they believe may have an interest in our services. Under the lawful basis of Legitimate Interest within the B2B arena we will look to introduce our services to the contacts provided.
The business data collected will be used to communicate marketing and sales messages relating to the Indicia Training course schedule, based upon the job function held by the data subject. Indicia Training specifically only sends messages to those we believe are likely to be interested in our services based upon their job function within an organisation. Messages from Indicia Training are typically delivered via email and telephone.
While Indicia Training primarily offer our own courses, we also market some third party courses that complement our portfolio. Where we are requested to source a course provided by a third party, we will provide the minimum details to the third party company so they can process the course booking accordingly.
When Indicia Training receive an enquiry via our website, we are provided basic contact details such as name and email address. We will use the data provided to process the request and may use it to inform the recipient by email or telephone about other Indicia Training products and services that we feel may be of interest. It is deemed that as our website has been visited and we have been provided with contact information that the person entering the details is legitimately interested in our products and services. A person has the right to unsubscribe from any method of correspondence at any time by informing us by telephone or email.
Legitimate Interest Assessment (LIA)
Indicia Training has carried out a Legitimate Interest Assessment (LIA) as advised by the ICO. Based upon that assessment it is deemed that the rights and freedoms of the data subjects would not be overridden in our correspondence regarding Indicia Training and that in no way would a data subject be caused harm by our correspondence. Based upon our segmentation by specific job function, coupled with our processing of personal data within the context of a business environment, we believe that any individual that receives correspondence from Indicia Training in a direct marketing or sales capacity, would be legitimately interested in the Indicia Training solution. It is also deemed that direct marketing and sales is necessary in the context of promoting Indicia Training to professionals in business in order to increase awareness of our courses in the marketplace.
Per the ICO guidance, Indicia Training can confirm:
- We have checked that legitimate interests is the most appropriate basis
- We understand our responsibility to protect the individual’s interests
- We have identified the relevant legitimate interests
- We have checked that the processing is necessary and there is no less intrusive way to achieve the same result
- We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests
- We only use individuals’ data in ways they would reasonably expect
- We are not using people’s data in ways they would find intrusive or which could cause them harm
- We do not process the data of children
- We have considered safeguards to reduce the impact where possible
- We will always ensure there is an opt-out / ability to object
- We include information about our legitimate interests in our privacy notice
Indicia Training sales and administration teams are responsible for ensuring the validity and quality of the data contained within the Indicia Training CRM system. The team continually cleanse the data held within the CRM system.
When do we need your consent to use personal information?
In the day to day running of our business we may use your personal information without asking for your consent where:
- We are entering into and carrying out our obligations under a contract with you; or
- We need to use your personal information for our own legitimate purposes (or those of a third party) and our doing so will not interfere with your fundamental privacy rights.
- We need to comply with a legal or regulatory obligation
How we Procure Data
At Indicia Training we procure data in a variety of ways, collected in line with the lawful basis of ‘Legitimate Interests’. If you have received correspondence from us, we will have procured your data in one of the following ways:
- You have requested information from Indicia Training on a previous occasion
- We have been sent your details such as your e-mail address requesting information about our services be sent to you
- You or someone else (B2B) has expressly shared your contact details with us for the purpose of receiving information now and/or in the future
- We have previously met at an event and your business card or contact details were handed to us willingly
- You have previously connected with a member of our team via social media portals, such as LinkedIn and discussed our services
- We have found your business and contact details online and, believing that your business would genuinely be interested in the Indicia Training product based upon your job function aligning with our typical customer profiles, have made contact to introduce you to our product
- We may obtain Identity and Contact Data from publicly available sources such as Companies House, the Electoral Register or search engines or third-party websites
- We have been provided your business contact details within email correspondence returns from contacts within your organisation, for example Left Company responses. Based upon the response aligning with our typical customer profiles we will endeavour to make contact to introduce you to our product
- By providing us with your phone number and/or email address, you expressly permit us, or someone designated by us, to contact you using the phone number / email address provided
How do we keep your personal information safe?
We take every care to ensure that your personal information is kept secure. The security measures we take include:
- limiting access to personal information to those employees, agents, contractors or third parties who have a business need to know;
- only storing your personal data on our secure servers or in a secure cloud environment;
- maintaining up to date firewalls and anti-virus software to minimise the risk of unauthorised access to our systems; and
- enforcing a strict policy on the use of mobile devices and out of office working.
Unfortunately, sending information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of personal information sent to our website; you send us personal information at your own risk. Once we have received your personal data, we will use strict procedures and security features (some of which are described above) to try to prevent unauthorised access.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long do we keep your personal information?
We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements. In practice this means that we will keep: client details e.g. your name and contact details for 6 years, account information, invoices and payment records for 7 years and complaint records for 3 years.
Automated Decision Making and Profiling
We will not use your personal information to make automated decisions about you or to profile you.
Disclosing Your Information
Indicia does not sell, trade or otherwise transfer to outside parties any personally identifiable information. This does not include trusted third parties or subcontractors who assist us in conducting our business or service your requirements. Such trusted parties may have access to personally identifiable information on a need-to-know basis and will be contractually obliged to keep your information confidential.
We may disclose your personal information as follows:
- Feedback to your employer, or the booker of the course, if they have provided the funds for the course
- Any third party we contract to act on our behalf
- Partners with whom we work to provide Services
- Any law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.
E-newsletter / Indicia Communications
We use our own server to deliver our regular e-newsletters. We gather statistics around pages opened and subsequent tracking of pages you visit on our website to help us monitor and improve our services to the recipient of the newsletter.
We monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Payment Card Transactions
For questions relating to this policy, please contact: info@Indiciatraining.com
This policy was last reviewed and updated on the 24th May 2018. Policies are periodically reviewed to ensure compliance with the current compliance environment.