This Policy sets out the obligations of PeopleWise Limited, a company registered in England and Wales under number 2682510, whose registered office is at 20 Hammersmith Broadway London, W6 7AF (“the Company”) regarding data protection and the rights of customers, business contacts, and survey respondents (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
For the purpose of the Data Protection Act 1998 (the Act), the data controller is PeopleWise of 2 Queen Caroline Street, London, W6 9DX (registration number 02682510). This policy applies to our Service only. If you leave our Service to visit another, via a link or otherwise, you will be subject to the policy of that website provider.
Information we may collect from you
To carry out our Service, we need your permission and consent to collect, process, store and transfer certain information about you. This information may be personal data (such as demographic information regarding your age, education and work history). It will not include any information classified by the GDPR as “special category” personal data. For all demographic personal data, you will have the option to enter ‘prefer not to say’.
Your personal data will be held by the Company for research, statistical and human capability identification and development purposes. We shall only collect and process personal data for and to the extent necessary for the specific purpose(s) of which you have been informed.
How long we keep your information
In accordance with GDPR and the Data Protection Act, we shall not retain any of your personal data for longer than is necessary in light of the purpose(s) for which the personal data was originally collected, held and processed.
When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay. All personal data will be encrypted after five years and stored for research purposes.
The periods for which we retain your personal information depend on the purposes for which we use it. However, in certain circumstances we may destroy or delete any of your personal information that we hold. Please note that our policies on privacy will be overridden where we are required or permitted to disclose personal information under law or the terms of any court order.
IP addresses and cookies
We may collect information about your computer, including where available, your internet protocol (IP) address, operating system and browser type, for system administration and to report aggregate information. This is statistical data and does not identify any individual and we will not collect personal information in this way.
We may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service.
- To opt out of being tracked by Google Analytics, visit Google Analytics Opt-Out.
Where we store your personal data
We will ensure that all personal data collected, held and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. We undertake a range of technical and organisational measures with respect to secure storage and disposal of your personal data.
The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:
- The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
- The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with a code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
- The transfer is made with the informed consent of the relevant data subject(s);
- The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
- The transfer is necessary for important public interest reasons;
- The transfer is necessary for the conduct of legal claims;
- The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
- The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.
All information you provide to us is stored on our secure servers. Where you have a password to access certain parts of the Service, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the internet is not a secure medium. However, we have put in place various security procedures to help ensure that your information is as secure as is possible. We cannot however guarantee the security of any data transmitted to our site via the internet; it is not completely secure and any transmission is at your own risk. We will do our best to protect your personal data and use strict procedures and security features to try to prevent unauthorised access.
Disclosure of your information
We may disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets
- if we are under a duty to disclose or share your personal data in order to comply with any obligation by law, to our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
- if they are clients who have engaged PeopleWise in the delivery of the Service for which you are providing information
- if they are freelance associates, who provide services to us which may cover, but are not limited to, the Service; Occupational Health Services; lawyers, accountants, and other administrative, security and back-up services. As part of providing those services, such third parties may be provided with access to personal information.
In addition, our software development partners may use personal information for purposes of modifying, improving, refining and validating their technology, and research and development.
Under the GDPR, you have the right to be informed about the collection and use of your personal data, including the purposes for collecting your personal data, the retention periods for that personal data, and who it will be shared with. You will be informed of this privacy information at the time that personal data is collected from you.
Under the GDPR, you have the right to obtain confirmation that your personal data is being processed, the right to access your personal data, and the right to access other supplementary information (if relevant). For more information see below.
Under the GDPR, you have the right to have inaccurate personal data rectified or completed, if it is incomplete. You can update your demographic personal data directly on Enable via your profile page. You can also make a request for rectification of personal data verbally or in writing. We shall respond to your request within one calendar month. In certain circumstances, we retain the right to refuse a request for rectification.
Under the GDPR, you have the right to erasure (also known as the ‘right to be forgotten’). Unless we have reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and you shall be informed of the erasure within one month of receipt of the erasure request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, you shall be informed.
Under the GDPR, you have the right to restrict or suppress the processing of your personal data. This is not an absolute right and only applies in certain circumstances. You can make a request for restriction verbally or in writing.
Under the GDPR, you have the right to data portability, which includes the right to receive a copy of your personal data and to use it for other purposes (namely transmitting it to other data controllers). To facilitate data portability, we shall make available all applicable personal data to you, by written request, in CSV format.
Under GDPR, you have the right to object to the Company processing your personal data based on its legitimate interests and direct marketing (including profiling). If you object to the Company processing your personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override your interests, rights and freedoms, or that the processing is necessary for the conduct of legal claims. If you object to the Company processing your personal data for direct marketing purposes, the Company shall cease such processing immediately. If you object to the Company processing your personal data for scientific and/or historical research and statistics purposes, you must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. We are not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.
Under the GDPR, you have rights with respect to automated decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual). Where personal data is used for profiling purposes, clear information explaining the profiling shall be provided, including the significance and likely consequences of the profiling; appropriate mathematical or statistical procedures shall be used; and actions will be taken to prevent discriminatory effects arising out of profiling.
Under GDPR, you have the right to withdraw your consent at any time by unticking the ‘opt in’ box on your profile page. By opting out, your Enable account will be closed and all your personal data shall be anonymised and encrypted and retained for research purposes only.
Under GDPR, you have the right to lodge a complaint with a supervisory authority (e.g. the Information Commissioner’s Office) if you consider that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint.
Access to information
In accordance with the GDPR and the Data Protection Act, you have the right to access information held about you.
You may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about you, what it is doing with that personal data, and why.
If you wish to make a SAR, you should do so using a Subject Access Request Form via the Company’s Data Protection Officer at 2 Queen Caroline Street, London, W6 9DX. Responses to SARs shall normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, you shall be informed.
We regularly review and, where necessary, update our privacy information. If we plan to use your personal data for a new purpose, we will update our privacy information and communicate the changes to individuals before starting any new processing.