Asbestos Removal Contractors Association Limited (“ARCA”/“We”/“Us”) are committed to protecting and respecting your privacy. All policies also apply to Asbestos Testing and Consulting (ATaC) which is a division of ARCA and to all our websites (www.arca.org.uk, www.atac.org.uk and www.arca.ie) (the “Sites”).
Unit 1 Stretton Business Park 2
Burton upon Trent
Information Commissioner's Office Registration Reference: Z9332145
Purpose for processing
- To administer and provide membership services;
- To send communications to you such as information, news or surveys about ARCA or ATaC;
- To carry out our obligations arising from any contracts entered into between you and us;
- To prevent fraud and other prohibited or illegal activities;
- To meet legal and regulatory requirements;
- To notify you about changes to our services, including contacting you by email, telephone or post; and/or;
- To create records of qualification assessments and meetings;
- Otherwise, as disclosed to you at the point of collection.
Legal basis for processing:
We will only use your personal data when the law allows us to.
- We will use your personal data when you have given clear consent for us to process your personal data for a specific purpose (Basis: Art 6(a) GDPR).
- We will use your personal data where we need to perform a contract we have entered into with you (Basis: Art 6(b) GDPR).
- We will use your personal data for the purposes of the legitimate interests of the Association (Basis: Art 6(f) GDPR).
The kind of information we hold about you
We may collect and process the following data about you:
Information that you may provide: by filling in forms on the Sites; on forms or documents you send to us by post, email or by telephone. This includes information provided at the time of registering to use the Sites, by subscribing to our services or requesting further services whether on-line or by post or telephone. Such information may include your name, age, postal and email addresses, telephone number, national insurance number, qualifications and photograph.
We may also ask you for information when you report a problem with the Sites.
If you contact us, we may keep a record of that correspondence.
We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
Details of transactions you carry out through the Sites and of the fulfilment of your requests.
Details of your visits to the Sites including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access.
ARCA operates in accordance with the General Data Protection Regulation (GDPR) in respect of any personal information you may supply, e.g. name, address, e-mail, National Insurance number, photograph etc.
If you are a user with general public and anonymous access, the Sites do not store or capture personal information, but merely log your IP address which is automatically recognised by the web server. This statement only covers the Sites maintained by ARCA. This statement does not cover other websites linked to from within the Sites. The system will record your e-mail address and other information if volunteered to us by you. This shall be treated as proprietary and confidential, and will only be used to provide the services you have specifically signed up for. By subscribing to these services, you are giving your consent to ARCA to hold this information.
The details we hold about you may be updated or removed, and further information about qualifications you hold and the like, may be added to the data we store.
How is your personal information collected?
We collect personal data about you through your applications for membership, registration onto training courses or qualifications, during qualification assessments, during meetings and when you give us specific consent to receive marketing information, and data that is available in the public domain. This is collected online, by email, by post, by filling in a form, by telephone or by audio or video recording.
The recipients or categories of recipients of personal data
We may share your personal information with our suppliers who administer a service in order to provide you with the relevant service on our behalf, e.g. providing personal data to Awarding Organisations for the purposes of the award of a qualification. We may also disclose your personal information to third parties:
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation;
- In order to enforce or apply our agreements;
- To protect the rights, property, or safety of ARCA, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and
- To help ARCA or our affiliates analyse and/or improve our communication or relationship with you.
Except as described above, we will not disclose your personal information to third parties for their own marketing purposes unless you have provided consent.
- Reference Point Limited: Reference Point Limited is the technology provider for our smartcard ecosystem and acts as a data processor for your data on our behalf. Reference Point keeps a log of all online card transactions, which is used for support purposes, for helping us understand how cards are being used and for producing statistics about card use. Reference Point Limited may also process your data in order to provide us with technical support services.
- Person checking your card using Go Smart: When your card is read electronically, a copy of your card is recorded by Go Smart along with the time and location, where available. This provides a log of the cards that have been read for the person reading your card.
- Custom Card Services International Limited: In the case of physical cards, your personal data will be provided to Custom Card for the purpose of printing and encoding your card.
- Other recipients: Go Smart enables the person who has checked your card to forward a copy of your data to someone else - someone at head-office for example. Before doing this, the card checker should inform you who the data will be sent to and what it will be used for.
- Your card can also be checked electronically by some other software systems. Users of these systems are required to comply with applicable data protection rules when processing your data.
Your data and the EEA
The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) and by using ARCA products or services (including the Site), you consent to any such transfer of personal data outside the EEA. Personal Data held outside of the EEA will be stored with Mailchimp or Microsoft. Mailchimp’s agreement is certified with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework and Microsoft’s agreement complies with the EU-US Privacy Shield and EU Model Clauses, and therefore both comply with GDPR requirements.
We will not transfer any data that we collect or receive from you that constitutes personal data outside of the EEA unless there are appropriate safeguards or an adequacy decision in relation to the transfer as set out in the data protection legislation or the transfer otherwise complies with the data protection legislation. Such transfers may involve, for example, the use by Reference Point Limited of third party services allowing them to send e-mails or automated SMS messages on our behalf which make use of facilities in third countries to process and store data.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We will not retain your personal data longer than necessary, in relation to the purpose for which such data is processed.
By submitting applications for membership, ARMI Smartcards, booking forms for training courses or qualifications, or subscribing to any of our services or communications you agree to this storing or processing.
All data, including unencrypted audio and video recordings, and any transcripts produced from those recordings, will be stored on ARCA’s secure password protected IT system. Access to data will be restricted to those authorised by ARCA to process and view the data.
Where audio recording devices such as dictation machines or mobile phones with dictation apps are used, which do not routinely offer encryption, the data will be transferred to ARCA’s secure password protected IT system as soon as practicable. Access to data will be restricted to those authorised by ARCA to process and view the data.
The data will be retained in accordance with our policy on ‘retention period and criteria used to determine the retention period’ below.
Retention period and criteria used to determine the retention period:
- Membership details and employees' personal data associated with member companies shall be stored for the duration of the membership. When companies are no longer members of the Association all personal data in relation to the company shall be permanently deleted, unless any of the employees have undertaken a training course or qualification within the past 3 years.
- All training and qualification delegate personal data, including audio and video recordings, will be permanently deleted or destroyed 3 years after the qualification or training course has been completed.
- All marketing information will have an ‘opt out’ or ‘unsubscribe’ for recipients. If you opt out of any of our marketing lists, we will delete your personal information and not send that communication to you again unless you give us consent.
- Your ARMI Smartcard may be suspended or cancelled at our discretion. However, your card is otherwise valid until its expiry date.
- We shall hold your personal data and all your ARMI Smartcard data for as long as you hold a valid card and for a period of 3 years thereafter.
- Audio recordings for the purposes of confirming meeting minutes will be stored for no longer than necessary and will be permanently deleted once the minutes of the meeting are accepted by either ARCA or the meeting participants, whichever is the sooner, as a true record of the meeting.
You have the right to request access to your personal data and correction or erasure of your personal data. You also have rights to restrict the processing of your personal data or to object to processing in certain circumstances. You also have the right to request the transfer of your personal data to another party.
Where our processing is based on your explicit consent to our processing, you have the right to withdraw such consent (this will not affect the lawfulness of processing prior to the withdrawal of your consent).
If you wish to exercise any of these rights please contact email@example.com
Complaints to Information Commissioner
You have the right to lodge a complaint about our processing with the Information Commissioner.
Consequences of failure to provide personal data
Your provision of personal data to us is a requirement necessary for you to enter into a contract with us to provide our services. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you.
Automated decision making
Your personal data may be subject to automated decision-making, for example, data on your ARMI Smartcard may be used to determine whether or not you have the right qualifications to gain electronic entry to a particular site.
A cookie is a small piece of data sent from a website and stored in the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember information or to record the user's browsing activity (clicking particular buttons, recording which pages were visited in the past).
We may use navigational data for system administration and to report aggregate information to our advertisers or other stakeholders. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
GDPR Privacy and Cookies Policy?
To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must: Receive users' consent before you use any cookies except strictly necessary cookies.
How does GDPR apply to cookies?
Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools. To become compliant, organisations must find a lawful basis to process that data.
What is the difference between GDPR and CCPA cookies?
CCPA is not as strict as GDPR in terms of requiring explicit consent from visitors to store cookies on their devices. Websites do not require explicit consent for storing cookies on visitors' devices. It only requires websites to let visitors opt out of cookies that sell their personal information.
What are the GDPR cookie notification requirements?
Companies must provide cookie notices as required by the ePrivacy Directive before collecting information via cookies or similar technologies. Users must be able to accept or reject the terms of the GDPR to give proper consent.
What impact does GDPR have on cookies?
Can cookies be used to violate my privacy? That depends on how you define "privacy," and what you consider a violation. Cookies cannot be used to obtain personal information from your computer. The only data in a cookie is the data put into it by a website's server.
In short, the EU's General Data Protection Regulation (GDPR) doesn't apply if your business doesn't operate within the EU, doesn't process personal data, or if you're only processing data for domestic purposes.
What data does GDPR not apply to?
The UK GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What data is exempt from GDPR?
Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR's scope.
Does CCPA regulate cookies?
Does the CCPA Apply to Cookies? Yes. The CCPA applies to “personal information,” which is any information that relates to or is reasonably capable of being linked to a particular person. This includes online identifiers like cookies.
How is GDPR different from Data Protection Act?
The first major difference between GDPR and data protection is that GDPR applies to all businesses, regardless of size or location. Data protection, on the other hand, only applies to businesses in the European Union (EU).
How is the GDPR different from the US law?
GDPR is geared towards a person's RIGHT TO PRIVACY. US laws generally do not encompass the right to privacy - whilst US legislation addresses data security and the importance of private records, privacy is often absent from the discussion, appearing in separate privacy laws.
Is cookie consent required in USA?
What is GDPR compliance checklist?
In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. encryption), and when you plan to erase it (if possible).
Why are cookies a privacy risk?
Cookies by themselves do not pose security risks, however, they can be used by cybercriminals to impersonate the user, collect financial data, access their accounts or to steal passwords that are stored in the browser. These can spread malware and induce you to visit dangerous websites.
Does GDPR apply to first party cookies?
First-party cookies, on the other hand, are often strictly necessary cookies that do not require user consent. All cookie laws, including GDPR and CCPA, allow essential first-party cookies to be exempt from collecting user consent before performing their actions.
What personal information is stored in cookies?
Since the data in cookies doesn't change, cookies themselves aren't harmful. They can't infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and enable access to your browsing sessions. The danger lies in their ability to track individuals' browsing histories.
What privacy issues do cookies create?
Since tracking cookies are used to gather information about you without your authorization, they present a real threat to your online privacy. Tracking cookies like third-party cookies aren't used to enhance your experience but rather to keep track of your activity across certain websites.
Can cookies reveal your identity?
What is the relationship between cookies and your privacy?
The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.
Does GDPR apply to US citizens?
Due to its effectiveness and abilities, GDPR extends to manage data regardless of whether it's Europe, the US, or any part of the world. It is known as the 'extra-territorial effect'. The legislation is not restricted to European businesses and citizens, and it can be applied and used for businesses outside Europe.
What are the two rules of GDPR?
Integrity and confidentiality (security) Accountability.
What three types of data does GDPR protect?
Types of personal data protected under GDPR includes: Basic identity information. Web data (like location, IP address, cookie data, and RFID tags) Health and genetic data.
What personal data is sensitive to GDPR?
genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person's sex life or sexual orientation.
What personal data is covered by GDPR?
“'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier ...
What cookies are exempt from GDPR?
Only strictly necessary cookies can be white-listed to be exempt from GDPR cookie consent. Preference cookies that remember user choices such as language settings or currency on your website. Statistics cookies that most often come from third-party services such as analytics software that you implement on your website.
Does GDPR apply to all personal data?
The EEA GDPR and the UK GDPR apply to all "personal data,” which includes any information relating to a living, identified or identifiable person. Examples include name, SSN, other identification numbers, location data, IP addresses, online cookies, images, email addresses, and content generated by the data subject.
Are cookie policies required?
Is cookie consent mandatory?
The EU cookie law requires you to: Refrain from placing trackers and cookies on users' browsers until they've given their consent for you to do so. Ask users for consent to all trackers and cookies on your site. Give users detailed information about all trackers and cookies on your site.
Can users refuse to accept cookies?
What happens if you don't accept cookies? – The potential problem with refusing to accept cookies is that some website owners may not allow you to use their websites if you don't accept their cookies. Another downside is that without acceptance, you may not receive the full user experience on certain websites.
Can I refuse to accept cookies?
Do you HAVE to accept cookies? Most cookies are really not an issue. They are just used by the website owner so you have a better experience with the site. You can decline the “Accept Cookies” message and most websites will work just fine.
Does the US have a cookie law?