This GDPR Policy outlines how ARCH collects, uses, stores, and protects personal data in compliance with the General Data Protection Regulation (GDPR) and relevant data protection laws in the UK and Ireland. We are committed to safeguarding the privacy of our clients, employees, and partners.
This policy applies to all personal data processed by ARCH in the course of providing training and other services in the UK and Ireland. It covers data collected from clients, employees, contractors, and any other individuals whose personal data we process.
We adhere to the following principles when processing personal data:
Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner.
Purpose Limitation: Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimisation: Data collected shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
Storage Limitation: Data shall be kept in a form which permits identification of data subjects for no longer than is necessary.
Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Accountability: We shall be responsible for, and be able to demonstrate compliance with, these principles.
We process personal data based on one or more of the following legal bases:
Consent: The data subject has given consent to the processing of their personal data for one or more specific purposes.
Contract: Processing is necessary for the performance of a contract to which the data subject is a party.
Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject.
Legitimate Interests: Processing is necessary for the purposes of legitimate interests pursued by us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Data subjects have the following rights regarding their personal data:
Right to be Informed: Data subjects have the right to be informed about the collection and use of their personal data.
Right of Access: Data subjects have the right to access their personal data and supplementary information.
Right to Rectification: Data subjects have the right to have inaccurate personal data rectified or completed if it is incomplete.
Right to Erasure: Data subjects have the right to have personal data erased in certain circumstances.
Right to Restrict Processing: Data subjects have the right to request the restriction or suppression of their personal data.
Right to Data Portability: Data subjects have the right to obtain and reuse their personal data for their own purposes across different services.
Right to Object: Data subjects have the right to object to the processing of their personal data in certain circumstances.
Rights Related to Automated Decision-Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
We collect and use personal data for the following purposes:
Service Delivery: To provide training and other services to our clients.
Employee Management: To manage our employees and contractors.
Compliance: To comply with legal and regulatory obligations.
Communication: To communicate with clients, employees, and partners.
Marketing: To send marketing communications, where consent has been obtained.
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Access Control: Restricting access to personal data to authorised personnel only.
Encryption: Using encryption to protect personal data during transmission and storage.
Regular Audits: Conducting regular audits and assessments of our data protection practices.
Incident Response: Having procedures in place to detect, report, and investigate data breaches.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We may transfer personal data to third parties, including service providers and partners, in accordance with applicable data protection laws. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place.
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and implementation to ensure compliance with GDPR requirements.
We provide regular training to our employees on data protection and GDPR compliance to ensure they understand their responsibilities and our policies.
In the event of a data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also inform the affected individuals without undue delay.
This policy is reviewed regularly and updated as necessary to ensure continued compliance with GDPR and other relevant data protection laws.
For any questions or concerns regarding this policy or our data protection practices, please contact:
training@archsafety.com
0044 2866 326 267