Privacy Policy


Introduction

This notice contains important information about your rights to data privacy and about our commitment to protecting those rights.

The Risktec Privacy Policy applies to all individuals ('data subjects') whose personal data is stored or used ('processed') by the Risktec group of international businesses (part of the TÜV Rheinland Group).

The Risktec group will endeavour to process your personal data lawfully at all times, and in accordance with international best practice.  In particular, we will comply with the European Union's General Data Protection Regulation (or GDPR).

As defined by the GDPR, the 'controlling undertaking' of the Risktec group is Risktec Solutions Ltd (or RSL), a limited liability company registered in the United Kingdom.  Under GDPR, RSL is deemed to be the 'controller' of all personal data within the Risktec group.

The 'main establishment' for RSL is located in the United Kingdom (address below).  Therefore, the lead regulator (or 'supervisory authority') for the Risktec group is the UK Information Commissioner's Office (or ICO).

Our commitment to you

We will endeavour to process your personal data lawfully at all times, and in accordance with international best practice.

Furthermore, if you satisfy one of the following three criteria, your privacy will be protected by the EU's GDPR:

  • You are a resident of the European Union, or
  • You are a citizen of the European Union, or
  • Regardless of your citizenship or residency, you are a customer, supplier, partner (or any other type of stakeholder) of any Risktec business which operates within the borders of the European Union.

If you satisfy the above criteria, Article 13 of the GDPR confers on you the following rights:

  • Right to be informed about your data
  • Right to access your data
  • Right to rectify your data
  • Right to erase your data
  • Right to restrict the processing of your data
  • Right to object to the processing of your data
  • Right to data portability
  • Right to complain to a supervisory authority within the European Union
  • Rights related to automated decision making, including personal profiling.

In relation to the last of these rights, please note that Risktec does not use any personal data for automated decision making or profiling.

These rights under GDPR are explained in greater detail by Risktec's supervisory authority, the UK Information Commissioner's Office (details below).  Another useful source of information is the European Union website.

Legality of processing

Within the context of GDPR, Risktec's lawful bases for processing personal data include the following:

1)   Performance of a contract between parties

2)   The performance of a legal obligation

3)   The protection of vital interests (e.g. in a health emergency)

4)   The exercise of our legitimate interests (described below).

These four lawful bases for processing personal data lie at the heart of our relationship with you and your data.

Risktec's legitimate interests in the processing of personal data are concerned with the long-term sustainability and integrity of its business operations, involving:

  • The need to deliver specialist consulting, resourcing, training, education and inspection services to customers worldwide, across a diverse range of business and industrial sectors;
  • The need to build and maintain permanent and productive relationships with clients, suppliers, partners, employees and all other stakeholders;
  • The need to improve our services, manage our risks, maintain accurate records and operate our business efficiently.

Purposes and legal bases

Risktec uses personal data in many business processes.  These are listed in the following table, along with each activity's purpose and the applicable legal bases.

 

| Process | Purpose | Legal Bases*: C | VI | LO | LI |
|---|---|---|---|---|---|
| Project management | Coordinating the delivery of services to clients using project methodologies | | | | |
| Business development | Informing prospective clients about the services offered; issuing proposals; building sustainable client relationships | | | | |
| Contact management | Maintenance of contact details, facilitating communications between employees, associates and all other stakeholders | | | | |
| Resourcing services | Coordinating the recruitment, registration and remuneration of associates | | | | |
| Travel management | Organising business travel for Risktec staff and associates | | | | |
| Office administration | Performing all activities associated with administrative support for the Risktec group of businesses | | | | |
| Company legal administration | Administering the legal requirements for registering companies within the Risktec group | | | | |
| External auditing | Periodic visits from certified auditors with access to all data | | | | |
| Corporate archiving | Secure storage of business records for extended periods in offsite locations | | | | |
| Training & education services | Managing all information pertaining to the enrolment and performance of clients on training and education programmes | | | | |
| Financial management | Payments to suppliers of goods and services to the Risktec group; billing clients for work completed | | | | |
| Accident reporting | Administering the reporting of workplace incidents and injuries | | | | |
| Inspection services | Delivery of technical inspection services to clients, including the recruitment and enrolment of inspectors | | | | |
| IT change management | Undertaking technical and administrative changes to IT systems in response to personnel changes | | | | |
| Employee HR management | Management and administration of the employee lifecycle | | | | |

* Legal Bases:  Contract (C)   Vital Interest (VI)   Legal Obligation (LO)   Legitimate Interest (LI)

One or more of the following recipients may need to view or hold your personal data during the course of our lawful data processing activities:

  • Our employees
  • Our associates
  • Our clients
  • Our partners
  • Our suppliers
  • Our legal advisors
  • Our external auditors
  • Our payroll providers
  • Our insurance providers
  • Our pension providers
  • Our banks
  • Your bank(s)
  • Our tax authorities
  • Your tax authority
  • Our archivers
  • Our parent company (TÜV Rheinland Group)
  • Your nominated referee(s)
  • Our company registration authorities
  • Embassies or consulates
  • Government regulators for data protection and health/safety monitoring.

Access to personal data is granted on a 'need to know' basis.

Data safeguards

In order to protect the security of your data against loss, misuse, unauthorised access, disclosure or alteration, Risktec maintains a range of technical and organisational security measures.  These measures are regularly evaluated and improved.

Risktec is an ISO9000 compliant business and has achieved the Cyber Essentials security accreditation.

Our digital infrastructure is protected using advanced security measures, including encryption.  Where appropriate and feasible we may adopt techniques of anonymisation in order to hide or remove any information capable of identifying individual people.

Transfers outside the EU

As a supplier of specialist goods and services worldwide, Risktec maintains offices both within and beyond the borders of the European Union.  We may occasionally need to share personal data with non-European stakeholders, including our professional colleagues, but only where we can demonstrate a lawful basis for our actions.

Data retention

We will retain personal data for no less than the minimum timescales specified in law.  Retention periods beyond these legal minimums will be influenced by our lawful bases for data processing (described above).

Our standard minimum retention period for data is 7 years, except where a shorter period has been mandated in law or by contractual terms agreed between us and individual clients.  All personal data is subject to periodic (typically annual) reviews.  It will then be maintained or erased in accordance with our obligations and legitimate interests.

Our supervisory authority for data privacy

Risktec's supervisory authority for data privacy is the UK Information Commissioner's Office (ICO).  You have the right to complain to the ICO, who may be contacted here:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

https://ico.org.uk.

Further information

For further information, or to exercise your rights as a data subject, Risktec's Data Protection Representative may be contacted here:

The Data Protection Representative

Risktec Solutions Ltd

The Malt House

Wilderspool Park

Greenall's Avenue

Warrington

Cheshire WA4 6HL

United Kingdom

data.protection@risktec.tuv.com.

Copyright © Risktec Solutions Ltd 2018. All rights reserved.