Webb Yates Engineers Limited (Webb Yates) is committed to protecting your personal data and compliance with the requirements of the Data Protection Act 2018, and all other data protection legislation currently in force.

This privacy statement outlines what data we collect, why and how we collect and how we use your personal data. It also provides information about your rights. It applies to personal data provided to us by you directly, or by others on your behalf. We may use your personal data for the purposes outlined in this privacy statement or as otherwise stated at the point of collection.

Personal data is information about an individual from which that individual can be identified. It does not include data where the identity has been removed (anonymous data). Individuals can sometimes be referred to as data subjects.

When collecting and using your personal data, our policy is to be transparent about why and how we process it.

Webb Yates is the controller of the personal data we collect. We are responsible for ensuring systems, processes, suppliers and people comply with data protection laws in relation to the information we handle.

All employees must follow Webb Yates’ processes when handling personal data and must take part in any data protection training we provide.

When collecting your personal data we will follow the Data Protection Principles and will:

• Process it fairly, lawfully and in a clear, transparent way.
• Process it in a way that ensures it will not be used for anything that you are not aware of or have not consented to (as appropriate).
• Only use it in the way that is necessary to the purpose.
• Ensure it is accurate and kept up to date.
• Keep your data in a form which allows identification for only as long as we need it.
• Process it in a way that ensures security of your data.
• Ensure it is processed by a data controller who has a comprehensive understanding of these principles.

In addition, the data controller must be able to demonstrate that they take responsibility for what they do with the personal data, i.e. accountability.

We may also collect Aggregate Data which is statistical or demographic data for any purpose. This type of data may come from your personal data but is not considered personal data in law as it does not directly or indirectly reveal your identity. When combined with your personal data it can directly or indirectly identify you and will therefore be used in accordance with this privacy policy.

We may on occasion collect Special Categories of Personal Data (race, ethnicity, religious or philosophical belief, sex life, sexual orientation). Any such data will only be used as Aggregate Data. For example, this could be information about health, racial or ethnic origin, criminal convictions, trade union membership, or religious beliefs. This information may be processed not only to meet Webb Yates Engineers’ legal responsibilities but, for example, for purposes of personnel management and administration, to support business decision-making, suitability for employment, and to comply with equal opportunity legislation. Since this information is considered sensitive, the processing of which may cause concern or distress, we will ask you to give express content for this information to be processed, unless Webb Yates has a specific legal requirement to process such data.

Collection of personal data

Our policy is to only collect personal data that is necessary and only use personal information for the purposes for which we collect it.

We collect data via the following methods:

• Direct interaction, where you have given consent that we may process your personal data for specific purposes, i.e. filling in a form, corresponding to post, email, phone and social media platforms, entering into a contractual or legal obligation:
  • Relating to clients and other contacts
  • Relating to providing our services
  • Relating to applying for a job or work placement
  • Relating to registering for marketing material, attend an event or completing a survey
  • Relating to registering for Webb Yates Engineers digital services
  • Relating to new business activities, i.e. tendering for projects and entering competitions
  • Relating to providing feedback.
• Automated technologies and interactions:
  • As you interact with our digital platforms, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other digital platforms employing our cookies.
  • We collect cookies to measure and improve the performance of our website, for example Google Analytics. These are not used to transport personal data to third parties.
• Third party or publicly available sources:
  • Google Analytics collect and assess Aggregate Data such as statistical or demographic data for marketing purposes.
  • Publicly available sources, such as Companies House, and/or public websites which display information about you, such as LinkedIn.
• Financial and Transaction Data from banks globally.

Use of personal data

We use personal data for the following purposes:

• Managing our business operations where we feel it is necessary for our legitimate interest (or those of a third party) and your interests or fundamental rights do not override those interests.
• Providing and receiving services. Where you have given clear consent personal data may be processed for a specific purpose.
• Unless we are asked not to, to provide information to you that we think will be relevant and of interest.
• Complying with contractual, legal and regulatory obligations.
• When it is considered necessary to protect an individual’s vital interests.

We have outlined below the ways in which we may use your personal data. Please note that we may use data for more than one lawful purpose where we reasonably consider that we need to, and it is compatible with the original purpose. We may also process your personal data without your knowledge or consent, in compliance with the above, where this is required or permitted by law.

• To register you as a new client, supplier, job applicant, employee or work placement.
• To process payments and deliver/receive services to/from you.
• To enable us to meet our contractual and legal obligations, including tendering for work.
• To send relevant communications.
• To enable you to take part in a survey.
• To enable you to utilise Webb Yates digital services.
• To administer and protect our business and our digital platforms.
• To deliver relevant digital content and understand the effectiveness of the content we serve you.
• To use data analytics to improve our digital platforms, products/services, marketing, customer relationship and experiences.
• To make suggestions and recommendations to you about our services, events and publications that may be of interest to you.
• Throughout your employment with Webb Yates Engineers and for as long as necessary after the termination of your employment:
  • References obtained through recruitment
  • Details of terms of employment
  • Payroll details
  • Pension details
  • Health Insurance details
  • Life Insurance details
  • Tax and National Insurance information
  • Details of job duties
  • Details of health and sickness absence records
  • Details of holiday records
  • Information about performance
  • Details of any disciplinary and grievance investigation and proceedings
  • Training records
  • Contact names and addresses, including next of kin
  • Photograph
  • For emergency purposes
  • Correspondence with Webb Yates and other information that you have given us.

We retain personal data processed by us for as long as is considered necessary for the purpose for which it was collected. In the absence the specific legal, contractual or statutory requirements, our baseline retention period for personal data is detailed below:

• Clients – 12 years
• Suppliers – 5 years
• Employees – 6 years following termination of employment
• Job applicants – 1 year

We may hold some personal data for longer periods where extended retention periods are required by law or regulation.

Your data is an important asset to us, and as such, we make reasonable efforts to ensure the necessary measures are in place to prevent unauthorised or inappropriate access, use, modification, disclosure or destruction. Measures we take to keep data secure include, but are not limited to:

• Making regular backups of files.
• Protecting file servers and workstations with virus scanning software.
• Using a system of passwords to access company equipment and data.
• Allowing only authorised staff to access certain files, based on requirements to perform their job function.
• Using data encryption techniques to code data when in transit.
• Ensuring all employees are only given sufficient rights to systems necessary to enable them to perform their job function.
• Only retaining personal information for as long as necessary to fulfil the purpose that we collect it for and in line with statutory retention requirements.
• Ensuring all employees are aware of this policy and comply with the content contained within it.
• Ensuring all employees keep portable equipment and removal storage media secure, and where possible, lock it away out of sight.
• Ensure hard copies taken outside the office environment are kept securely and out of sight, for example in a bag or folder.

We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put arrangements in place to protect the data and to comply with our data protection standards.

Third parties comprise of:

• Service providers acting as processors based in the UK and inside and outside the EU who provide IT and system administrative services.
• Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers based in the UK and who provide consultancy, banking, legal, insurance and accounting services.
• HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers in the UK who require reporting of professional activities in certain circumstances.
• Market researchers in the UK.

We recognise that our commitment to the safety of your personal data is an ongoing responsibility, so we will regularly review this privacy statement.

The data controller on behalf of Webb Yates Engineers Limited is Webb Yates, 48-50 Scrutton Street, London EC2A 4HH (registered in England and Wales No. 5393930).

If you have any questions about this privacy statement or how and why we process personal data, please contact us:

By post: Webb Yates Engineers Ltd, 48-50 Scrutton Street, London EC2A 4HH

By email: data.protection@webbyates.com

By telephone: 020 3696 1550

You have certain rights over your personal data and we, as data controller, are responsible for fulfilling these rights.

Right to access

You have the right to access the personal data we hold for you. This includes information on:

• Why we are processing your personal data.
• Which categories of data are being processed.
• Who we share your data with.
• How long we will keep your data.
• The rights you have to erase or rectify your data, and how to restrict and object to us processing it.
• The rights you have to make a complaint.
• The source of the data.

If you want to access your personal data, you can email us at data.protection@webbyates.com. We will respond to any requests within one month of receipt.

Right to rectification

You have the right to amend any errors in the personal data we hold for you. If you want to amend your personal data, you can email us at data.protection@webbyates.com. We will respond to any requests within one month of receipt.

Withdrawal of consent

Where we process personal data based on consent, you have the right to withdraw consent at any time. If you want to exercise this right, you can email us at data.protection@webbyates.com. We will respond to any requests within one month of receipt.

Other rights

As well as rights to access, to rectify and to withdraw consent, you may have other rights in relation to your personal data. These include the right to erasure, the right to restrict or object to the processing of your data, and the right to data portability. If you want to exercise any of these rights, you can email us at data.protection@webbyates.com. We will respond to any requests within one month of receipt.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our digital platforms may become inaccessible or not function properly.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

The following are examples of data breaches:

• Access by an unauthorised third party.
• Deliberate or accidental action (or inaction) by a data controller or data processor.
• Sending personal data to an incorrect recipient.
• Computing devices containing personal data being lost or stolen.
• Alteration of personal data without permission.
  • Loss of availability of personal data.

A record of all personal data breaches regardless of whether they are notifiable or not as part of the general accountability requirement under the Data Protection Act 2018 will be kept which will include the facts relating to the breach, its effects and the remedial action taken.

We will undertake to notify the Information Commissioner of a breach which is likely to pose a risk to people’s rights and freedoms without undue delay and at the latest within 72 hours of discovery. If we are unable to report in full within this timescale, we will make an initial report to the Information Commissioner, and then provide a full report in more than one instalment if so required.

We will undertake to notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified.

We hope that you will have no reason to make a complaint about our use of your personal data, but should you wish to do so you can email us at data.protection@webbyates.com.

All Directors and employees of Webb Yates must also advise immediately if they receive a compliant relating to how we have processed personal data of a third party so the complaints procedure may be followed.