This Policy applies to both personal information supplied to us either by an individual or by others. We may use personal information supplied to us for any of the purposes as set out in this Policy, or as otherwise disclosed at the point of collection.
This Policy is an important document. We recommend that you read it carefully and print and keep a copy for your future reference.
In this Policy, we use the terms:
"we", "us", and "our" (and other similar terms) to refer to: HCHR Limited which trades as Personology Our Company Registration number is 04369184
What basis do we have for processing your Personal Information?
We will only process personal Information where we have a lawful reason for doing so. The lawful basis for processing Personal Information by us will be one of the following:
- the processing is necessary for the performance of a contract you are party to or in order to take steps at your request prior to you entering into a contract;
- the processing is necessary in order for us to comply with our legal obligations (such as compliance with anti-money laundering legislation);
- the processing is necessary for the pursuit of our legitimate business interests (including that of the delivery and the promotion of our services); and
- processing is necessary for the establishment, exercise or defence of legal claims.
How does Personology collect and process information about you and who is responsible for it?
Personology may collect and process information about you from several sources which are outlined here.
- When you enter your information on a contact form on our website. The data controller for this data is Personology Ltd.
- When you enter your information into a newsletter subscription form. The data controller for this data is Personology Ltd.
- When information is received through networking activity by a staff member of any business in Personology Network with information about yourself or your company and where it is understood there is a legitimate interest in receiving HR services from Personology.
- When your company or employing company enters into a client agreement with Personology and provides information about you to that Personology business for the purposes of receiving HR services. In this case, only information about you that is relevant to the delivery of these services should be shared by your employer with Personology. The data controller for this information is your company or employing company.
What sort of information about you is being collected and processed by Personology?
In line with the expectations of the Data Protection Act (2018) and the GDPR regulations, we only collect necessary information that is required to allow us to promote and deliver our services fairly and effectively.
How can you find out what information Personology holds about you?
Under the Data Protection Act (2018) and European GDPR regulations, any person about whom organisations hold data (a ‘data subject’) is allowed to request a copy of that information. This is called a Subject Access Request (‘SAR’).
There is guidance for individuals who want to make a Subject Access Request on the website of the regulator, the Information Commissioners Office (‘ICO’) (https://ico.org.uk) and it is strongly recommended that you review this guidance before submitting your request to avoid any delays. There is also information on this site about requirements for SARs for both the requesting and responding parties, and who SARs should be sent to.
If you wish to make a subject access request to Personology, these should be submitted by email to email@example.com or by post to:
10 St James Crescent
Why is Personology collecting and processing your information?
We collect and process information about you for several purposes depending on the context of the information and how it was collected:
- to analyse website usage so we can determine how we can make improvements and if you subscribe to our newsletter, to email you about other directly related products and services we think may be of interest to you based on our understanding of your legitimate interest.
- to survey contacts about activity directly related to Personology Ltd marketing activity, service delivery or directly related projects undertaken by Personology Ltd.
- to provide outsourced HR services to your company or employing company in line with client agreements made with the company.
If you provide your information to us through this website, we would consider this to mean you have a legitimate interest in our services, and that you are happy to be contacted in relation to those services, and that you are happy for us to share this with our relevant data sub-processors outlined below in order for our services to be delivered to you.
How long is your information kept, and can you make sure it is accurate?
Personology must retain some information for periods in line with regulatory or legislative requirements. If there is no regulatory or legal requirement to retain your information, then it will be kept until one of the following is true:
- You request for your data to be erased (see section below) and this can be legally fulfilled.
- The data is known to be or is suspected to be invalid/inaccurate by Personology.
- The data is known to be or is suspected to be no longer appropriate for use for reasons of legitimate interest by Personology (as outlined above).
If you believe any information held by Personology is incorrect and wish to amend it, please contact us in writing. Please see the section at the end of this Privacy Notice about how to contact us by email or post.
Can you opt-out of marketing or request for your information to be erased?
Personology does not wish to undertake marketing activity towards those who do not wish to receive it, and we will always comply with a request from you to either opt-out of marketing. We will comply with a request from you for your information to be erased if it is appropriate to do so (a) in accordance with the Data Protection Act (2018) or the European GDPR requirements and (b) if there is no legitimate justification for retaining the information.
In some cases, we may not be able to agree, wholly or in part, to your request for your information to be erased if there is a legitimate requirement to keep it. An example of a legitimate requirement would be if you are an employee of a company using Personology for outsourced HR services, and you are involved in some way with an HR issue which is being dealt with. In such a case, there is a legitimate requirement to retain relevant information relating to that issue in order for your employer to be able to resolve the HR issue and any related legal challenges. This may extend beyond the apparent resolution of the issue if there is a reasonable argument that the information may need to be revisited.
- Use the ‘opt-out’ or ‘unsubscribe’ link in any marketing communication from HR Dept if you do not wish to be contacted with any marketing communications.
- Request directly by email to firstname.lastname@example.org if you do not wish to be contacted with any marketing communications.
- Request by email email@example.com if you wish for your information to be erased (the right to be forgotten).
- Contest our determination of a legitimate requirement to retain your information on a case-by-case basis. In the first instance, we ask that you contact the relevant HR Dept office to obtain an explanation of that determination.
Who else is your information shared with?
On occasion, we may need to share your Personal Information with third parties. We will only share Personal Information where we are legally permitted to do so.
Personology does not pass your information to third parties outside of Personology Network, other than to specific data sub-processors necessary for us to market and provide our services.
Where you supply us with Personal Information as a client, we will assume, unless you instruct us otherwise in writing, that we can disclose your Personal Information in such manner as we believe is reasonably necessary to provide our services (including as described in this Policy), or as is required under applicable law. This might be because, for example, we may pass your Personal Information to third parties such as:
- credit-checking agencies for credit control reasons;
- events: we may need to pass on your Personal Information (e.g. name, company, occupation) to a third party in connection with management of an event, in which case the details will only be used by the third party for that specific purpose;
- In order to facilitate marketing and delivery of our services to those who have provided their information and who we believe have a legitimate interest in our business, we may share your information with specific ‘sub-processors’ with whom we have data sharing agreements. We want to be clear and transparent with you about the sub-processors we use and what we have done to ensure that they take your data protection as seriously as we do.
- business partners, service providers and other affiliated third parties: to enable us to provide our services to you, we may need to share your Personal Information with our business partners (including other professional advisers such as accountants or auditors), external service providers and/or overseas counsel. Our arrangements with external service providers currently cover the provision of support services including IT, HR Consultancy, Legal Expenses Insurance, document production and file management, business and legal research, event management, marketing administration and facilities management; and
- disclosures required by law or regulation: in certain circumstances, please note that we may be required to disclose Personal Information under applicable law or regulation, including to law enforcement agencies or in connection with proposed or actual legal proceedings.
International transfers of Personal Information (including to outsourced service providers)
From time to time, we may need to transfer your Personal Information to organisations/individuals that are located in territories outside of the European Economic Area ("EEA"), in order to provide you with the services required.
Please note that the legal regimes of some territories outside of the EEA do not always offer the same standard of data protection as those inside the EEA, although we will ensure that your Personal Information is only ever treated in accordance with this Policy.
Where necessary, we have entered into standard European Commission approved form model data protection clauses with parties that are located in territories outside of the EEA, to provide you with the service required and with our external service providers and business partners in relation to services that they may provide that involve processing data from locations outside of the EEA for which we are Data Controller.
We use Microsoft Office 365 to manage our emails and file storage, which may include some information that has been collected through our website or other sources relating to marketing and surveying activity. Microsoft have confirmed that they are DPA/GDPR compliant and have updated their terms and conditions to reflect this. Microsoft may transfer data outside of the EEA but will only do so in a manner which protects your data and meets the requirements of the GDPR and the Data Protection Act (2018).
Each of the sub-processors listed above may change and be updated at any time, but our commitment to the security of your data remains. Any new providers will be subject to the same vetting and selection process and will be governed by the same or similar terms and conditions.
Under these agreements, data may be transferred outside of the EEA but only where your rights and the rights of the data subject are protected and where that transfer is compliant with the requirements of the DPA and GDPR.
How is the data stored?
The information we collect is stored in secure cloud vaults that operate inside the EEA. This includes Mailchimp, Microsoft, Google & Act-On. All information is stored in an encrypted form. Information held by Microsoft on our behalf may be transferred outside of the EEA but only where there are appropriate protections in place and in line with GDPR guidance.
How we look after your Personal Information
We have in place appropriate technical and organisational security measures to protect your Personal Information against unauthorised or unlawful use, and against accidental loss, damage or destruction.
We put in place strict confidentiality agreements (including data protection obligations) with our third party service providers.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. You can set your browser not to accept cookies using the following instructions, although in a few cases some of our website features may not function as a result. You can configure cookie settings in your browser’s settings.
Detailed step by step guidance on how to control and delete cookies is also available from www.aboutcookies.org.
Changes to our Privacy Notice
We keep our Privacy Notice under regular review and we will place any updates on this web page.
How to contact Personology
If you would like to contact Personology in relation to any matter covered in this Privacy Notice or with queries about our website or marketing/survey activity, please email firstname.lastname@example.org or write to us at Personology
10 St James Crescent, Uplands, Swansea, Sa1 6DZ.
While we hope that you will not need to, if you want to complain about our use of Personal Information please send an email detailing your complaint to the Data Protection Officer.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. The Information Commissioner can be contacted at:
Information Commissioner’s Office