Asbestos Removal Contractors Association Limited (“ARCA”/“We”/“Us”) are committed to protecting and respecting your privacy. All policies also apply to Asbestos Testing and Consulting (ATaC) which is a division of ARCA and to all our websites (www.arca.org.uk, www.atac.org.uk and www.arca.ie) (the “Sites”).
This Privacy and Cookie Policy (together with our Website Terms of Use and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. If you have any questions about this Privacy and Cookie Policy and/or the processing of your personal data under the General Data Protection Regulation, you can reach us by email at info@arca.org.uk. Alternatively, you can contact us at:
ARCA Ltd
Unit 1 Stretton Business Park 2
Brunel Drive
Stretton
Burton upon Trent
Staffordshire
DE13 0BY
We review this Privacy and Cookie Policy regularly. Occasionally we may need to make changes or additions to the Privacy and Cookie Policy that may affect how we handle your data. We will post new versions of this on our Sites. We may also notify you of changes to this Privacy and Cookie Policy by email.
Information Commissioners Office Registration Reference: Z9332145
Purpose for processing
- To administer and provide membership services;
- To send communications to you such as information, news or surveys about ARCA or ATaC;
- To carry out our obligations arising from any contracts entered into between you and us;
- To prevent fraud and other prohibited or illegal activities;
- To meet legal and regulatory requirements;
- To notify you about changes to our services, including contacting you by email, telephone or post; and/or;
- To create records of qualification assessments and meetings otherwise, as disclosed to you at the point of collection.
Legal basis for processing:
We will only use your personal data when the law allows us to.
- We will use your personal data when you have given clear consent for us to process your personal data for a specific purpose (Basis: Art 6(a) GDPR).
- We will use your personal data where we need to perform a contract we have entered into with you (Basis: Art 6(b) GDPR).
We will use your personal data for the purposes of the legitimate interests of the Association (Basis: Art 6(f) GDPR)
The kind of information we hold about you
We may collect and process the following data about you:
Information that you may provide: by filling in forms on the Sites; on forms or documents you send to us by post, email or by telephone. This includes information provided at the time of registering to use the Sites, by subscribing to our services or requesting further services whether on-line or by post or telephone. Such information may include your name, age, postal and email addresses, telephone number, national insurance number, qualifications and photograph.
We may also ask you for information when you report a problem with the Sites.
If you contact us, we may keep a record of that correspondence.
We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
Details of transactions you carry out through the Sites and of the fulfilment of your requests.
Details of your visits to the Sites including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access.
ARCA operates in accordance with the General Data Protection Regulation (GDPR) in respect of any personal information you may supply, e.g. name, address, e-mail, National Insurance number, photograph etc.
If you are a user with general public and anonymous access, the Sites do not store or capture personal information, but merely log your IP address which is automatically recognised by the web server. This statement only covers the Sites maintained by ARCA. This statement does not cover other websites linked to from within the Sites. The system will record your e-mail address and other information if volunteered to us by you. This shall be treated as proprietary and confidential, and will only be used to provide the services you have specifically signed up for. By subscribing to these services, you are giving your consent to ARCA to hold this information.
Processing
The details we hold about you may be updated or removed, and further information about qualifications you hold and the like, may be added to the data we store.
How is your personal information collected?
We collect personal data about you through your applications for membership, registration onto training courses or qualifications, during qualification assessments, during meetings and when you give us specific consent to receive marketing information, and data that is available in the public domain. This is collected online, by email, by post, by filling in a form, by telephone or by audio or video recording.
The recipients or categories of recipients of personal data
We may share your personal information with our suppliers who administer a service in order to provide you with the relevant service on our behalf, e.g. providing personal data to Awarding Organisations for the purposes of the award of a qualification. We may also disclose your personal information to third parties:
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation;
In order to enforce or apply our agreements;
To protect the rights, property, or safety of ARCA, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and
To help ARCA or our affiliates analyse and/or improve our communication or relationship with you.
Except as described above, we will not disclose your personal information to third parties for their own marketing purposes unless you have provided consent.
ARMI Smartcards
- Reference Point Limited: Reference Point Limited is the technology provider for our smartcard ecosystem and acts as a data processor for your data on our behalf. Reference Point keeps a log of all online card transactions, which is used for support purposes, for helping us understand how cards are being used and for producing statistics about card use. Reference Point Limited may also process your data in order to provide us with technical support services.
- Person checking your card using Go Smart: When your card is read electronically, a copy of your card is recorded by Go Smart along with the time and location, where available. This provides a log of the cards that have been read for the person reading your card.
- Custom Card Services International Limited: In the case of physical cards, your personal data will be provided to Custom Card for the purpose of printing and encoding your card.
- Other recipients: Go Smart enables the person who has checked your card to forward a copy of your data to someone else - someone at head-office for example. Before doing this, the card checker should inform you who the data will be sent to and what it will be used for.
- Your card can also be checked electronically by some other software systems. Users of these systems are required to comply with applicable data protection rules when processing your data.
Your data and the EEA
The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) and by using ARCA products or services (including the Site), you consent to any such transfer of personal data outside the EEA. Personal Data held outside of the EEA will be stored with Mailchimp or Microsoft. Mailchimp’s agreement is certified with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework and Microsoft’s agreement complies with the EU-US Privacy Shield and EU Model Clauses, and therefore both comply with GDPR requirements.
We will not transfer any data that we collect or receive from you that constitutes personal data outside of the EEA unless there are appropriate safeguards or an adequacy decision in relation to the transfer as set out in the data protection legislation or the transfer otherwise complies with the data protection legislation. Such transfers may involve, for example, the use by Reference Point Limited of third party services allowing them to send e-mails or automated SMS messages on our behalf which make use of facilities in third countries to process and store data.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We will not retain your personal data longer than necessary, in relation to the purpose for which such data is processed.
By submitting applications for membership, ARMI Smartcards, booking forms for training courses or qualifications, or subscribing to any of our services or communications you agree to this storing or processing.
Data Storage:
All data, including unencrypted audio and video recordings, and any transcripts produced from those recordings, will be stored on ARCA’s secure password protected IT system. Access to data will be restricted to those authorised by ARCA to process and view the data.
Where audio recording devices such as a dictation machines or mobile phones with dictation apps are used, which do not routinely offer encryption, the data will be transferred to ARCA’s secure password protected IT system as soon as practicable. Access to data will be restricted to those authorised by ARCA to process and view the data.
The data will be retained in accordance with our policy on ‘retention period and criteria used to determine the retention period’ below
Retention period and criteria used to determine the retention period:
- Membership details and employees personal data associated with member companies shall be stored for the duration of the membership. When companies are no longer members of the Association all personal data in relation to the company shall be permanently deleted, unless any of the employees have undertaken a training course or qualification within the past 3 years.
- All training and qualification delegate personal data, including audio and video recordings, will be permanently deleted or destroyed 3 years after the qualification or training course has been completed.
- All marketing information will have an ‘opt out’ or ‘unsubscribe’ for recipients if you opt out of any of our marketing lists we will delete your personal information and not send that communication to you again unless you give us consent.
- Your ARMI Smartcard may be suspended or cancelled at our discretion. However, your card is otherwise valid until its expiry date.
- We shall hold your personal data and all your ARMI Smartcard data for as long as you hold a valid card and for a period of 3 years thereafter.
- Audio recordings for the purposes of confirming meeting minutes will be stored for no longer than necessary and will be permanently deleted once the minutes of the meeting are accepted by either ARCA or the meeting participants, whichever is the sooner, as a true record of the meeting.
Your rights
You have the right to request access to your personal data and correction or erasure of your personal data. You also have rights to restrict the processing of your personal data or to object to processing in certain circumstances. You also have the right to request the transfer of your personal data to another party.
Where our processing is based on your explicit consent to our processing, you have the right to withdraw such consent (this will not affect the lawfulness of processing prior to the withdrawal of your consent).
If you wish to exercise any of these rights please contact info@arca.org.uk
Complaints to Information Commissioner
You have the right to lodge a complaint about our processing with the Information Commissioner.
Consequences of failure to provide personal data
Your provision of personal data to us is a requirement necessary for you to enter into a contract with us to provide our services. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you.
Automated decision making
Your personal data may be subject to automated decision-making, for example, data on your ARMI Smartcard may be used to determine whether or not you have the right qualifications to be gain electronic entry to a particular site.
Cookies
A cookie is a small piece of data sent from a website and stored in the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember information or to record the user's browsing activity (clicking particular buttons, recording which pages were visited in the past).
Like a lot of websites today, this website uses cookies as part of the Member Login process, that is, if the ‘remember me’ checkbox is ticked a cookie will be saved on to the Members device to store their login details.
When you access the Sites, some information in the form of a “cookie” or similar file may be automatically downloaded to your computer. This helps us to enhance the on-line experience of visitors to the Sites. If you do not want cookies sent to or stored on your system, most Internet browsers will allow you to delete or block cookies from your computer hard drive, prevent them from being stored or signal a warning before a cookie is stored. You should refer to your browser instructions or help screen to learn more about these functions. However, please note that if you use your browser settings to delete or block cookies you may not be to access all or parts of the Sites. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies as soon you visit the Sites.
If you continue to use the Sites, you agree to our use of cookies.
We may use navigational data for system administration and to report aggregate information to our advertisers or other stakeholders. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
This means that your session will be tracked, but you will not be identified. We use cookies to track the pages that you visit on the Sites and to ensure that you do not see the same information repeatedly. We may also collect non-personal information, such as number of Site visits and tracking patterns of page viewing, to monitor the performance of the Sites and make improvements to it.
Changes to our Privacy and Cookie Policy
Any changes we may make to our Privacy and Cookie Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. We encourage you to periodically review this Privacy and Cookie Policy to be informed of how ARCA is protecting your personal data.
GDPR Privacy and Cookie Policy Effective Date: 10th August 2018
FAQs
GDPR Privacy and Cookies Policy? ›
Under the EU's GDPR, cookies that are not strictly necessary for the basic function of your website must only be activated after your end-users have given their explicit consent to the specific purpose of their operation and collection of personal data.
Does GDPR require a cookie policy? ›To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must: Receive users' consent before you use any cookies except strictly necessary cookies.
How does GDPR apply to cookies? ›The UK GDPR classes cookie identifiers as a type of 'online identifier', meaning that in certain circumstances these will be personal data. For example, a user authentication cookie would involve processing of personal data, as it is used to enable the user to log in to their account at an online service.
Can cookie policy be in privacy policy? ›A Cookie Policy, or Cookie Notice, is a document that outlines the use of cookies on the website. The cookie policy can be a separate page of your website, or a sub-section of your privacy policy that is dedicated to cookies.
Does GDPR apply to all cookies? ›Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools. To become compliant, organisations must find or find a lawful basis to process that data.
What is the difference between GDPR and CCPA cookies? ›CCPA is not as strict as GDPR in terms of requiring explicit consent from visitors to store cookies on their devices. Websites do not require explicit consent for storing cookies on visitors' devices. It only requires websites to let visitors opt out of cookies that sell their personal information.
What are the GDPR cookie notification requirements? ›Companies must provide cookie notices as required by the ePrivacy Directive before collecting information via cookies or similar technologies. Users must be able to accept or reject the terms of the GDPR to give proper consent.
What impact does GDPR have on cookies? ›Are cookies covered by GDPR? Yes, cookies are covered by GDPR if they collect information about users that could be used to identify them. Because cookies can be used to record information about individual users, they are subject to certain aspects of GDPR.
What is GDPR cookie information? ›What is a cookie policy? A GDPR compliant cookie policy is a notice to your website visitors about which cookies your website uses, what type of data they collect, for what purposes this data is processed and for how long time the cookies will continue to be stored on the visitors' computers.
Are cookies a violation of privacy? ›Can cookies be used to violate my privacy? That depends on how you define "privacy," and what you consider a violation. Cookies cannot be used to obtain personal information from your computer. The only data in a cookie is the data put into by a website's server.
Should cookie policy be separate from privacy policy? ›
You most likely do not need a separate Cookies Policy, but having one can help with legal compliance. Because some types of cookies collect protected personal information, they fall under the scope of privacy laws and their use must be disclosed.
What is the difference between cookies policy and privacy policy? ›The difference between a privacy policy and a cookie policy is that a privacy policy includes all the different ways your website and/or business might be collecting, processing, and storing data from users – both offline and online, whereas a cookie policy is specifically about the tracking technologies embedded on ...
Is a cookie policy different than a privacy policy? ›There is a significant difference between a cookies policy vs. privacy policy. A cookies policy addresses how you use cookies and third-party services. In contrast, a privacy policy addresses how your company stores and uses consumer data.
What does GDPR not allow? ›In short, the EU's General Data Protection Regulation (GDPR) doesn't apply if your business doesn't operate within the EU, doesn't process personal data, or if you're only processing data for domestic purposes.
What data does GDPR not apply to? ›The UK GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What data is exempt from GDPR? ›Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR's scope.
Does CCPA regulate cookies? ›Does the CCPA Apply to Cookies? Yes. The CCPA applies to “personal information,” which is any information that relates to or is reasonably capable of being linked to a particular person. This includes online identifiers like cookies.
How is GDPR different from Data Protection Act? ›The first major difference between GDPR and data protection is that GDPR applies to all businesses, regardless of size or location. Data protection, on the other hand, only applies to businesses in the European Union (EU).
How is the GDPR different from the US law? ›GDPR is geared towards a person's RIGHT TO PRIVACY. US laws generally do not encompass the right to privacy - whilst US legislation addresses data security and the importance of private records, privacy is often absent from the discussion, appearing in separate privacy laws.
Is cookie consent required in USA? ›Essentially, the U.S. does not require consent for cookies. But there is a federal law that places strict restrictions on the use of cookies - the Children's Online Privacy Protection Act (COPPA). This law regulates the activity of websites and online services aimed at children under 13 years old.
What is GDPR compliance checklist? ›
In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. encryption), and when you plan to erase it (if possible).
Why are cookies a privacy risk? ›Cookies by themselves do not pose security risks, however, they can be used by cybercriminals to impersonate the user, collect financial data, access their accounts or to steal passwords that are stored in the browser. These can spread malware and induce you to visit dangerous websites.
Does GDPR apply to first party cookies? ›First-party cookies, on the other hand, are often strictly necessary cookies that do not require user consent. All cookie laws, including GDPR and CCPA, allow essential first-party cookies to be exempt from collecting user consent before performing their actions.
What personal information is stored in cookies? ›Cookies track and store personal information about the user, which websites can use in the future. They store data such as name, residential address, email address, and phone number. Websites can use this information to send customized pop-ups or offers to users upon their visit and send marketing campaigns.
What is basic cookie privacy policy? ›What is a cookie policy? A cookie policy tells your users which cookies are active on your website, what data you're tracking, what you're using this information for and where their data is being sent. It should also tell people how they can opt out or change their settings.
What is privacy and cookie consent policy? ›When your website's users give you explicit consent to activate cookies and other trackers that process personal data on their computers, that's cookie consent. Obtaining cookie consent or stating how you use cookies are requirements under many data privacy and protection laws.
What are at least two privacy risks associated with cookies? ›Since the data in cookies doesn't change, cookies themselves aren't harmful. They can't infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and enable access to your browsing sessions. The danger lies in their ability to track individuals' browsing histories.
What privacy issues do cookies create? ›Since tracking cookies are used to gather information about you without your authorization, they present a real threat to your online privacy. Tracking cookies like third-party cookies aren't used to enhance your experience but rather to keep track of your activity across certain websites.
Can cookies reveal your identity? ›Yes, sometimes cookies can be used to identify an individual, but cookies themselves do not contain any personal information. Cookies contain a unique ID which is a random string of characters assigned to a user's web browser.
Do you have to display cookie policy? ›No, you do not need a cookie policy on your website. However, some laws such as the ePrivacy Directive and the General Data Protection Regulation (GDPR) require websites to detail their use of cookies to users.
What is the relationship between cookies and your privacy? ›
Some websites use cookies to store additional personal information about you. However, you can only do so if you have provided the Web site with your personal information. Legitimate Websites will encrypt personal data contained in cookies to prevent unwanted access to your cookie folder by a third party.
What are the 7 principles of GDPR? ›The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.
Does GDPR apply to US citizens? ›Due to its effectiveness and abilities, GDPR extends to manage data regardless of whether it's Europe, the US, or any part of the world. It is known as the 'extra-territorial effect'. The legislation is not restricted to European businesses and citizens, and it can be applied and used for businesses outside Europe.
What are the two rules of GDPR? ›Integrity and confidentiality (security) Accountability.
What three types of data does GDPR protect? ›Types of personal data protected under GDPR includes: Basic identity information. Web data (like location, IP address, cookie data, and RFID tags) Health and genetic data.
What personal data is sensitive to GDPR? ›genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person's sex life or sexual orientation.
What personal data is covered by GDPR? ›“'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier ...
What cookies are exempt from GDPR? ›Only strictly necessary cookies can be white-listed to be exempt from GDPR cookie consent. Preference cookies that remember user choices such as language settings or currency on your website. Statistics cookies that most often come from third-party services such as analytics software that you implement on your website.
Does GDPR apply to all personal data? ›The EEA GDPR and the UK GDPR apply to all "personal data,” which includes any information relating to a living, identified or identifiable person. Examples include name, SSN, other identification numbers, location data, IP addresses, online cookies, images, email addresses, and content generated by the data subject.
Are cookie policies required? ›Yes, if your website uses cookies, you need a cookie policy.
These laws require websites that serve citizens of these locations to disclose what data they collect and how they use that data. If your site uses cookies, then it collects data.
Is cookie consent mandatory? ›
You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user's consent. Consent must be actively and clearly given.
What is the EU cookie policy? ›What are the requirements of the EU cookie law? If you have visitors from inside the European Union, the EU cookie law (ePrivacy Directive) requires you to only use cookies and trackers on your website if EU visitors have given their explicit consent for you to do so.
What are the EU cookie laws? ›The EU cookie law requires you to: Refrain from placing trackers and cookies on users' browsers until they've given their consent for you to do so. Ask users for consent to all trackers and cookies on your site. Give users detailed information about all trackers and cookies on your site.
Can users refuse to accept cookies? ›What happens if you don't accept cookies? – The potential problem with refusing to accept cookies is that some website owners may not allow you to use their websites if you don't accept their cookies. Another downside is that without acceptance, you may not receive the full user experience on certain websites.
Can I refuse to accept cookies? ›Do you HAVE to accept cookies? Most cookies are really not an issue. They are just used by the website owner so you have a better experience with the site. You can decline the “Accept Cookies” message and most websites will work just fine.
Does the US have a cookie law? ›No, there is no cookie law in the United States. However, some U.S. privacy laws such as CalOPPA consider the information collected via cookies to be protected personal information.
Is privacy policy the same as cookie policy? ›The difference between a privacy policy and a cookie policy is that a privacy policy includes all the different ways your website and/or business might be collecting, processing, and storing data from users – both offline and online, whereas a cookie policy is specifically about the tracking technologies embedded on ...