Reviewed and updated July 2020
For CEFM job applicants please see our privacy notice for job applicants.
At CEFM and under data protection laws we are deemed to be a ‘data controller’ in relation to some of the personal information (personal data) we process. We process personal data in a variety of ways and for various reasons.
This notice is to inform you of the personal data we hold, the reasons why we hold it and what you can do about any personal data we may hold on you.
This privacy notice may be updated from time to time and will be published on cefm.co.uk.
Within this privacy notice we will inform you of:
- What personal data is and what is meant by processing it.
- What the data protection principles are that we uphold.
- The types of personal data we process and where it comes from and the purpose(s) for processing it.
- Our legal basis (grounds) for using your personal data.
- Details of how long we hold the data for and where it is stored.
- How we protect your personal data.
- Who we share your personal data with.
- Automated decision making.
- External websites.
- Your rights in relation to the personal data.
What is personal data and what does processing mean?
Personal data is any information that relates to you and can be used directly or indirectly to identify you.
Personal data and processing are defined as follows:
- Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data.
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data protection principles
We process personal data in accordance with the following data protection principles:
- We process personal data lawfully, fairly and in a transparent way.
- We collect personal data only for specified, explicit and legitimate purposes.
- We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
- We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- We keep personal data only for the period necessary for processing.
- We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.
The types of personal data we process, where it comes from and the purpose for processing
What we process – email, letter, application/booking forms and telephone
When making contact with CEFM you may be asked or will generally provide some personal details such as your name, job title, email address and contact telephone number. You may provide other aspects of personal data as well, such as transaction and billing information.
This information may come to us via email, letter, application/booking forms or telephone and you may be seeking quotations, advice or registering for updates.
Not all personal information will come directly from you. It may, for example, come from your past, current or future employer, who provides your details so that we can provide you with services. It may also come from a third-party or from a person who represents you.
Data may also come from publicly available sources such as LinkedIn, websites and published databases.
We retain emails, correspondence and records of telephone conversations/voicemail messages. The purpose of processing such information is so that we can:
- Accurately record the details of who has contacted us.
- Update our telephone directory so that when you call, we can identify you as part of call monitoring and security.
- Perform the services you are requesting under the contract we have with you. Such as to comply with your licensing requests/queries or to respond to HR related matters and queries.
- Set up the account.
- Register you for the services that we provide including setting you up for our e-updates service CEFMinform either for your trial period or for the duration of your contract with us.
- Administer our website and keep it safe and secure.
- Comply with our contractual obligations to you or your past, current or future employer.
- Update and enhance our records.
- Compile information about the use of our products and services.
- Record queries and the advice or information we have given so that we can refer to it at a later stage.
- Provide quotes.
- Comply with insurance conditions.
- Comply with legal obligations, such as complying with regulatory and legal proceedings, respond and defend claims, prevent and detect fraud.
- Enforce our terms and conditions.
- Meet internal/external audit requirements.
- Respond to requests from courts, regulatory and public bodies.
- Compile sales data.
- Take payments.
- Obtain feedback from you and address any concerns you may.
- Sending marketing information.
- Notify you of events, training sessions and newsletters.
- Run our business.
Special Category data
In most cases, where we process special category data, it is provided to us by you or by your past, present or future employer in order to obtain advice and guidance. Where we provide services through partners and suppliers who process your special category data, we have no direct access to your data.
What we process – visiting our website – casual visitors
When you visit our website cefm.co.uk we use Google Analytics, a third party, to collect standard internet log information and visitor behaviour details.
We do this to find out which parts of our website are being used and why. The information collected does not identify anyone and we do not allow Google to use the information to identify anyone either. If we do collect information that identifies you personally we will be up front about it and notify you of what is being collected and why.
What we process – logging into our website – registered user
CEFM records the Internet Protocol (IP) address when registered users (including those who have a free trial) log into our CEFMi members area. This includes information such as the individual log in credentials such as email address and password. It may include your preferences. We also automatically collect data (such as browsing patterns) on each visit.
CEFM members who have access to the CEFMi area are required to log in using their registered credentials so that only authorised users have access to our services. This information is recorded.
We record such information to provide the service, to improve our overall service and to provide user analysis. We also do this to find out things like the number of visitors to our site and the areas our users are using (traffic data) and the resources you use.
We also use this information to maintain the security of our site and to ensure that it is not being used improperly or in breach of the agreement we hold with you.
CEFM will not disclose this personal data to third parties for any reasons other than those covered within this notice.
Cookies are small text files that are placed on your computer or other device by websites that you visit.
For further information on the cookies we use, please visit the ‘Cookies’ section of our website.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.
Our legal basis (grounds) for using your personal data
There are several reasons why we hold, process and share individuals’ personal data. Under data protection laws, the lawful reasons for processing personal data include:
- For the performance of a contract.
- To comply with a legal obligation.
- To protect the vital interests of the individual or another person.
- For a task carried out in the public interest.
- For a legitimate interest of CEFM or one of the organisations it shares data with (eg legal advisers or occupational health) except where those rights are overridden by the interests or fundamental rights and freedoms of the data subject which require protection.
Sometimes the handling of your personal data falls within several of the above lawful grounds.
We may ask for your consent to use your information in certain ways. If we ask for your consent to use your personal data, you can take back this consent at any time. Any use of your information before you withdraw your consent remains valid.
Performance of a contract
Some of the stated purposes above will fall within the performance of a contract ground.
We need to process data to enter into the Service Level Agreements (SLAs) and to meet our obligations under such contracts. For example, we need to process your data to provide you with a contract, to set out the basis of our services and the terms and conditions.
On some occasions, CEFM will process your personal data for the performance of a contract that it may hold with a third party. For example, a data security contract with a third-party IT services provider or as part of cloud-based storage. Or to refer you to our legal team or other third parties described in our data share agreements.
Some of the stated purposes above will fall within the legal obligation ground.
In some cases, we need to process data to ensure that we are complying with our legal obligations to courts, public bodies and regulatory bodies.
Some of stated purposes above will fall within the legitimate interests ground.
We have a legitimate interest in processing personal data before, during and after the end of the contract, licence or SLA. Some examples include to:
- Maintain accurate and up-to-date records and contact details.
- Ensure effective general business administration.
- Fulfil audit and accounting requirements.
- Protect our business and its users, servers and services.
- Respond to and defend against legal claims or other investigatory or regulatory processes.
Where is my personal data stored and for how long do you keep it?
At CEFM we store data, that may include personal data, in both electronic and non-electronic formats.
Our servers and storage systems are based in the EU or the European Economic Area (EEA) and we have ensured that appropriate safeguards are in place to protect your personal data.
We use cloud-based storage systems which are based in the UK.
We will only retain personal data insofar as it is necessary, and we have a right to do so. This can be after the contractual purpose, for which it has been collected, has been addressed. For example, CEFM may retain information for longer periods for accounting, business administration, legal and/or compliance reasons. We have a retention schedule that determines how long we hold data, including personal data.
Once retention of personal data is no longer necessary, we will ensure that the information is either returned to you or, if retained by us, anonymised or confidentially and irretrievably destroyed.
How do we protect individuals’ personal data?
We take the security of your personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our authorised personnel in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so under a data share agreement and based on our written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We also adopt technical security measures such as using encryption software for files and emails. Our servers carry appropriate security and firewalls.
With whom do we share your personal data?
We may disclose your personal data to any of our employees, officers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes set out in this privacy notice.
CEFM will not share your personal data with third parties other than:
- Where you or your past, present or future employer have purchased a service that will be directly delivered by one of our service partners. For example, to occupational health providers, insurance providers or legal advisors. If we are acting on behalf of your past, present or future employer, they have the right to access data received from our service partners and use that data in accordance with their own privacy notice.
- Where we act on behalf of any licensing body, we share your personal data with them. We share the personal data because any licence your school applies for will be administered, owned and run by the licensing body. We also share information with licensing bodies where a licence is not required.
- To the extent to which we are required to meet legal and/or regulatory and/or compliance obligations.
- To provide information to our insurers and legal advisors.
- To protect our rights, users, systems and services.
Where we do share information with third parties, we endeavour to ensure that the safety and security of such data is protected and not used for any purpose other than as required.
Automated decision-making and profiling
We do not make automatic decisions or undertake automated decisions regarding individuals to evaluate certain information about an individual (profiling).
CEFM may contact you by email, letter (newsletter) and telephone to promote our services and to provide you with details of management updates or training events.
You may request the removal of your details from such mailings at any time by following the unsubscribe link within the email.
This will not invalidate your ability receive any other services from us, such as our CEFMinform newsletter.
What rights do you have in relation to your information?
You have the following rights in relation to your personal data. Some of these rights are new.
- To access your personal data so that you are aware of what is being processed and to verify it is being done lawfully.
- To object to the processing of your personal data that is likely to cause, or is causing, damage or distress.
- To prevent the processing of your personal data for the purpose of direct marketing.
- To object to decisions being taken by automated means.
- In certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed.
- To claim compensation for damages caused by a breach of the data protection regulations.
- To object to the processing of your personal data where the organisation is relying on its legitimate interests as the legal ground for processing.
Further guidance and advice on the above rights can be obtained from the ICO’s website https://ico.org.uk/for-the-public.
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting CEFM’s data manager by writing to Red Lion House, 9–10 High Street, High Wycombe, Bucks, HP11 2AZ.
Alternatively, if we fail to respond within one month you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any concerns you have.