Privacy Notice
Your personal data is important to both you and us and it requires respectful and careful protection. This privacy policy applies to information held about customers and possible future customers, service providers/suppliers and possible future service providers/suppliers, contacts and all other people we hold personal data about. By ‘personal data’ we mean personal information that can identify you as an individual. ‘You’ means the person the information relates to. This policy contains important information on who we are, how and why we collect, store, use and share your information, your rights in relation to your information and how to contact us and supervisory authorities in the event of a complaint.
Please be aware that should you follow a link to another website, you are no longer covered by this policy.
WHO WE ARE
QED Management Systems is a limited company and provides consultancy services to support clients to achieve ISO certification and business process improvement. Our contact details are: QED Management Systems, St Mary’s Court, The Broadway, Amersham, Bucks, HP7 0UT. Telephone: 01494 318436
THE INFORMATION WE COLLECT
We collect, use and share information about you in order to respond to your enquiries, to provide you with information related to your enquiry and other services that may be of interest and to provide you with services and products you have asked for. The information may include any of the following personal data: name, company, address, email address, telephone number, payment information. To read more about additional information collected from visitors to our website please refer to the ‘Cookies’ section. You may have provided this information directly to us through the following ways:
- completing the contact form on our website
- calling or visiting our office or direct contact number
- speaking directly to us at an event or meeting
- writing to us
- emailing us
We may also receive your information from a third party e.g. a referral from a client, service provider or business partner.
Sharing your information with us is essential for you to be able to communicate with us, for us to provide our services, comply with contractual obligations and keep you up to date with any changes and improvements to our service.
How we use your personal data
We use this data in any of the following ways:
- to communicate with you
- to provide our services to you
- to keep you informed about the services you hold with us and to send information about services you may be interested in
- to help us develop new and improved services to meet our clients’ needs
- for security and to check your identity to comply with legal and regulatory obligations
- where we have a legitimate business interest such as protection of our business interests
Under data protection laws, whenever we process your personal data, we must meet at least one set condition for processing. These conditions are set out in data protection law and we rely on a number of different conditions for the activities we carry out.
We have listed below the purposes and the lawful basis for processing your information:
How we may use your personal data
Lawful Basis
Clients and potential clients: to provide and manage the services you have requested as a client, we may store your data in our secure database, filing system and accounts software.
To carry out our contractual agreement or take steps to enter into a contract with you.
Where the law requires it.
Where it is in our legitimate interests to do so, to manage our customer relationship and provide a high level of service, to protect our business interests and the interests of our customers.
Clients: to provide you with information and updates on the services we supply to you we may store your data in our secure database and filing system.
To carry out our contractual agreement or take steps to enter into a contract with you.
Where it is in our legitimate interests to do so, to manage our customer relationship and provide a high level of service, to protect our business interests and the interests of our customers.
Clients: to provide you with support for issues related to HubProActive (HPA). Support tickets and responses are stored in our ticketing system held on the Zendesk Platform. Zendesk is a third party ‘Helpdesk’ software. Their privacy statement can be accessed at:
To carry out our contractual agreement with you to respond to requests for support.
Where it is in our legitimate interests to do so, to manage our customer relationship and provide a high level of service to our customers.
HPA Clients: to provide you with support on the functions and use of HPA we may temporarily have access to your data (which may include some personal data) held in your HPA system. We only process or access this data as per your direct instructions and only to carry out the support purpose at that time. It is your responsibility to ensure your end users are aware of this.
To carry out our contractual agreement with you to respond to requests for support.
Where it is in our legitimate interests to do so, to manage our customer relationship and provide a high level of service, to protect our business interests and the interests of our customers.
Clients, potential clients, suppliers/service providers, potential suppliers/service providers and others who communicate with us: to handle general enquiries and complaints we may store your data in our Helpdesk system, filing system and/or email system depending on the way you communicate with us.
To respond to enquiries and carry out our contractual agreement or take steps to enter into a contract with you.
Where it is in our legitimate interest to ensure complaints are investigated promptly and satisfactorily.
Clients, potential clients, suppliers, potential suppliers and others who communicate with us: to communicate with you by email, phone, post or other digital methods.
For example:
- to manage customer and supplier relationships
- for the purpose of meeting contractual or regulatory requirements
- to keep you informed of changes or updates to your services
- to respond to enquiries made through our website contact form
We may keep records of communication in our secure database, filing system or email system.
Where we have agreed to contact you as part of our contractual obligations.
Where the law requires it.
Where it is in our legitimate interests to do so, to manage our customer relationship and provide a high level of service, to protect our business interests and the interests of our customers.
Where it is in our legitimate interests to do so, to manage our supplier relationship, to protect our business interests and the interests of our customers.
Where it is in our legitimate interests to respond to an enquiry.
Clients, potential clients and those on our mailing list: To contact you with marketing information and offers relating to the products and services offered by us (providing you have opted in to receiving marketing material). We store your data in our secure marketing database and email system.
Where it is in our legitimate interest to provide you with information about our products and services that may be of interest.
In relation to direct digital marketing, where we have your consent to do so.
Clients: to recover any debts you owe us and enforce other obligations we are entitled to under contract and to protect ourselves against harm to our rights and property interests. We may keep records of communication in our secure database and accounts system.
Where it is in our legitimate interest to ensure our business is run with due diligence and we are capable of recovering the debts owed to us.
Where the law requires it.
Clients and potential clients: Where necessary to undertake checks for the purposes of detecting and preventing fraud, and money laundering and to verify your identity before providing services to you as a client.
We do not retain this documentation but will record the date and outcomes of the checks in our secure database.
To carry out our contractual agreement or take steps to enter into a contract with you.
Where the law requires it.
Where it is in our legitimate interest to detect and prevent fraud, money laundering and other crimes and to verify your identity in order to protect our business.
Service providers e.g. associate consultants: Where necessary to undertake checks for the purposes of detecting and preventing fraud, and money laundering and to verify your identity before permitting you to provide services on our behalf.
We do not retain this documentation but will record the date and outcomes of the checks in our secure database.
To carry out our contractual agreement or take steps to enter into a contract with you.
Where the law requires it.
Where it is in our legitimate interest to detect and prevent fraud, money laundering and other crimes and to verify your identity in order to protect our business.
Suppliers and service providers: to make payments to you as a service provider or supplier for products and services we have purchased. We may store your data in our secure accounts system.
To carry out our contractual agreement with suppliers and service providers e.g. to make payments for products and services.
To keep records for accounting purposes.
Where the law requires it.
Suppliers and service providers e.g. associate consultants: to maintain records of supplier and service provider compliance checks e.g. checks of your professional competence and insurance documentation. Where required for evidence of compliance, we store your data in our secure database.
Where it is in our legitimate interest to ensure our business is run with due diligence, to protect our business interests and the interests of our clients.
Where the law requires it.
Special Category Data
We do not collect any special category data about you. Special category data refers to data that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not collect any information about criminal convictions and offences.
Who we MAY share your data with and why
- Government and law enforcement agencies: We may be required by law to share your data with other organisations, such as the government or law enforcement agencies:
- to satisfy any applicable law, regulation, legal process, or governmental request;
- to detect, prevent, or otherwise address fraud, security, or technical issues;
- to protect our rights, property or safety, our users and the public.
- This may include exchanging information with other organisations for fraud protection and spam/malware prevention.
If we do so we always do so securely and we won’t share more than we need to.
- Our associate consultants: If you are a client we may share your information with our associate consultants who deliver work on our behalf. We will only share what is necessary for the work being delivered. We will always require our associate consultants to follow similarly high information security standards to QED. Information Security and confidentiality are explicit contractual obligations and where necessary we will undertake supplier data protection audits.
- Our clients: If you are a service provider (including associate consultants) who provides services on our behalf, we may share your compliance information with our clients where contractually obliged to do so. We will always inform you if this is the case and will only share what is necessary for the work being delivered.
- Service partners: If you are a client who subscribes to a service we offer from our service partners e.g. HubProActive, we will share your information with them in order for them to contract with you. This may include personal data.
- Google Analytics. We use Google Analytics on our website. Google Analytics uses cookies to collect non-identifying information. Google provides some additional privacy options regarding its Analytics cookies. You can read about these at http://www.google.com/policies/privacy/partners/.
In the event that QED Management Systems is acquired by a third party, your personal data may be transferred to any such acquirer.
YOUR RIGHTS
The GDPR aims to give you more control of your data. It provides new and strengthened rights as follows:
Right to access – you can ask us whether we’re processing your personal data, including where and for what purpose. You can also request an electronic copy of your personal data free of charge. If you require further copies of the data there may be a charge where permitted by the legislation.
Right to restrict processing – in certain circumstances, you can ask us to restrict our use of your personal data.
Right to rectification – you can ask us to correct inaccurate personal data we hold about you.
Right to erasure (right to be forgotten) – in certain circumstances, you can ask us to erase your personal data.
Right to data portability – you can ask us to provide you with a copy of your personal data in a commonly used electronic format so that you can transfer it to other businesses.
Right to object to automated decision-making – in certain circumstances, you can ask us not to make automated decisions about you based on your personal data that produce significant legal effects.
Right to lodge a complaint – you can lodge a complaint with the supervisory authority ICO but we ask that you allow us to see if we can resolve the problem first (See complaints and queries section).
This means you can at any time:
- inform us of a correction to your personal data;
- withdraw any permission you have previously given to allow us to use your information;
- object to any automated decision-making;
- ask us to stop or start sending you marketing messages;
- ask us to send you (or someone you nominate) a copy of the information we hold about you;
- ask us to stop using your information in certain circumstances.
Data Subject Access Request
You have the right to request a copy of the personal data we hold about you and to have any inaccuracies corrected. We will require you to prove your identity with 2 pieces of approved identification. We will use reasonable efforts consistent with our legal duty to supply, correct or delete personal information about you on our files.
We will need two copies of forms of identification, which can be: passport, driving licence, birth certificate, utility bill (from last 3 months), current vehicle registration document or a bank statement (from last 3 months).
If you can advise of the specific information that you require, we can process your request more quickly. We will respond to your request within one month of you providing information that confirms your identity.
We will then give you a description of your data, why we have it, who it could be disclosed to and it will be in a format that you can access easily.
If you wish to make a DSAR request please contact us using the contact details at the end of this notice and we will explain the process to you.
Retention of your data
We will keep your data for as long as we have a relationship with you. Once our relationship has come to an end we will only retain your personal data for a period of time that is calculated depending on the type of personal data and the purposes for which we hold that data. We maintain a Retention of Records Schedule to communicate our record retention requirements to all staff.
We only retain information that enables us to:
- maintain business records to comply with our contractual obligations
- comply with record retention requirements under the law
- defend or bring any existing or potential legal claims
- maintain records of anyone who does not want to receive marketing from us
- deal with any future complaints regarding services we have delivered
- if required to by law enforcement agencies
How Do We Protect Your Personal Data
We are committed to protecting your information. We take appropriate technical and organisational measures to guard against unauthorised or unlawful processing of your personal data and against accidental loss or destruction of, or damage to, your personal data.
The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. However, please bear in mind that IT infrastructure and the internet cannot be guaranteed to be 100% secure.
We have access security measures in place and restrict access to databases only to those who need access appropriate to their job role.
All personal information and details provided as part of an enquiry, support or service request, or financial details are stored on secure servers or email systems. We do not store credit card numbers or related identifying information on any of our servers.
Digital data and hard copy data are securely disposed of when no longer required. Hard copy data is cross-shredded. Digital data that is no longer required is deleted, and media storing or that has stored digital data is securely disposed of through approved suppliers.
Our Cookie Policy
To view our cookie policy click here.
Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated on 22nd May 2018.
Queries or complaints
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. Please get in touch if you think we are using or collecting your data in an inappropriate way.
You can call us on 01494 618436 and ask to be referred to the Data Protection Lead;
or you can email info@qedms.co.uk;
or write to us at QED Management Systems, St Mary’s Court, The Broadway, Amersham, Bucks. HP7 0UT.
The supervisory body for the UK is the Information Commissioner’s Office (ICO).
You can visit their website at: https://ico.org.uk/
Or contact them on: 0303 123 1113