We have and will always treat your privacy seriously. We are committed to transparency about how we collect and use data to manage business relationships and provide services. We are committed to meeting our privacy and data protection obligations. Our policy covers what personal data we collect from you and how we use it.
The Outset UK Group is a collaborative venture between Outset (UK) Ltd (04607565), its subsidiary companies/affiliated entities, including UK Health, Safety & Environmental Training Ltd (07106035) and Outset Legal LLP (OC353570). In this policy we call them ‘the Group’. You can find out more on the “regulatory and statutory” section of our website.
This policy applies to all Group businesses. Our head office is Vinters Business Park, New Cut Road, Maidstone, Kent ME14 5NZ. Privacy related enquiries should be directed to our Privacy & Data Protection Compliance Officer at email@example.com
The services we provide to clients vary depending on what clients require of us from time to time. They are however all in the nature of professional services – legal advice, management and HR consulting advice, safety advice and training – and related software, systems and processes. When we are providing professional advice (including legal advice) our processing linked to providing the services is as data controller and we are providing ‘Controller Services’. When we provide services where clients specify the purposes for which personal data must be used and the means by which it is used (i.e. where we are not using the data given to us to provide professional advice) we are usually providing ‘Processor Services’.
Personal data refers to information that relates to an identifiable, living individual, including information such as an online identifier, like an IP address. “Personal information” in this policy is any information that can be used to identify you or that we can link to you and which we hold in a system (automated or paper).
Where we control personal data, it will be controlled by one or more of the following:
Outset (UK) Ltd
Outset Legal LLP
UK Health, Safety & Environmental Training Ltd
Other entities in the Group may process data on behalf of one or more of these data controllers.
What this Policy Covers
We may collect and process the following personal information:
Information you provide to us
We may process personal information you provide to us, including when you email us or contact us through various methods as follows:
- When you sign up for information or services: When you sign up for our newsletters, webinars, events, or when you contact us with queries, or respond to our communications. The personal information you provide may include your full name, title, telephone number, email address and additional content, date and time of your email correspondence, information about your current or previous employers or your business;
- When we provide you with services: This may include identity and contact data including your name, address, telephone number, date of birth, marital status, passport number, employment history, educational or professional background, tax status, employee number, job title and function as well as other personal data concerning your preferences relevant to our services. It may also include similar information you share with us in relation to your employees or consultants or those of businesses with whom you are dealing, as well as business information provided in the course of the contractual or client relationship between you or your organisation and our Group, or otherwise voluntarily provide to us. In the course of our client services, we may advise or represent you and/or your organisation in professional matters that require us to collect and use sensitive personal information relating to you (that is, information about your racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences, or genetic or biometric data);
- When you supply services to us: This may include identity and contact data including your name, address, telephone number, date of birth, email address and additional content, together with information necessary to establish supplier credentials;
- When participating in recruitment activities: When you apply for any role with us, or with a client of ours if we are acting on their behalf, you may provide us with your full name, date of birth, nationality, education and qualification details, your gender, your CV, photograph, passport details, marital status, home address and home telephone number, mobile telephone number and other details set out in your communications with us. Similar information may be obtained where you apply for work placements or work experience. We may collect equality and monitoring data including sensitive personal data in order to carry out monitoring and comply with legal obligations;
- To enable processing of payments and fraud prevention: This may include bank account and other data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information.
Outset UK Group will also collect information about use of our Group services or when we otherwise interact or correspond with you. Outset UK Group use various technologies to collect and store information when you communicate with us or visit our websites. We may, for example, collect information about the type of device you use to access the websites, your IP address and your geographic location, the operating system and version, your browser type, the content you view and features you access on our websites, the web pages and the search terms you enter on our websites.
We may also collect passwords for accessing secure areas of any of our websites or password protected platforms or services, your preferences in receiving marketing information from us, your communication preferences and information about how you use our websites(s) including the services you viewed or searched for, page response times, download errors, length of visits and page interaction information (such as scrolling, clicks, and mouse-overs).
If you apply for a position with us, or in response to a managed recruitment campaign we conduct on behalf of a client, we may collect personal information relating to past employment, qualifications and education, opinions from relevant third parties about you, past employment history and other details about you, which may be provided to us by a third party that provides background screening services on our behalf.
If we collect or receive your personal information in relation to providing any services, we might also receive information from third parties such as your employer, other parties relevant to the services we are providing (e.g. other parties involved in a matter), regulators and other sources such as Companies House. That information could include your name, contact details, employment details and other information relevant to the services that we are providing to our client.
We may use your personal information that we have gathered:
1. to register you as a client and to provide services to a client;
2. to engage in marketing and business development activity. Subject to any relevant consent or other legal requirements, this may include sending you newsletters, professional updates, marketing communications and other information that we believe may be of interest to you;
3. to analyse and improve our services and communications and to monitor compliance with our policies and standards;
4. for insurance purposes;
5. to exercise or defend our legal rights, or to comply with court orders;
6. to protect the security of our communications and other systems and to prevent and detect security threats, frauds or other criminal or malicious activities;
7. to carry out background checks, where permitted;
8. to manage access to our premises and for security purposes;
9. where you have applied for a position with us, or with a client that we are representing, to review and process your application;
10. to comply with legal and regulatory obligations that we have a duty to discharge;
11. to establish, exercise or defend our legal rights or for the purpose of legal proceedings;
12. to record and monitor your use of our websites, social media or our other services for Outset Group business purposes. This may include analysis of usage, measurement of website performance and generation of marketing reports;
13. for our legitimate business interests, such as for undertaking business research and analysis, managing the operation of our business and improving our websites and interfaces;
14. to look into any complaints, concerns or issues you may have;
15. to prevent and respond to actual or potential fraud or illegal activities.
We may also collate, process and share any statistics based on an accumulation of information held by us provided that any individual is not identified from the resulting analysis and the collation, processing and dissemination of such information as is permitted by law.
The primary legal grounds we rely on to process your personal information are:
- Consent: Outset UK Group may in some circumstances need your consent to use your personal information. You can withdraw your consent by contacting us;
- Obligations under a contract: Outset UK Group may need to collect and use your personal information to enter into a contract with you or to perform our obligations under a contract with you;
- Legitimate interests: Outset UK Group may use your personal information for what we identify as our legitimate interests or those of a third party. We have a legitimate interest in providing legal and professional services, provided that all relevant personal data safeguards are in place and our clients have a legitimate interest in receiving that advice;
- Compliance with the law: We may use your personal information as necessary to comply with applicable laws and regulations; and
- Legal Claims: Because processing is necessary for the establishment, exercise or defence of legal claims.
We share and process data within the Group so as to provide the best possible service to our clients. We may also share your personal information outside of the Group. This may include:
- Third party agents, partners, suppliers or contractors, bound by obligations of confidentiality, in connection with the processing of your personal information for the purposes described in this Policy. Parties may include our IT and communications service providers as well as insurance, pension or benefit providers if you are employed by us;
- Third parties relevant to the services that we provide. This may include, but is not limited to, counterparties to transactions or litigation, other professional service providers, regulators, authorities, governmental institutions;
- To the extent required by law, regulation or court order, for example, if we are under a duty to disclose your personal information in order to comply with any legal obligation.
Your personal information may in some circumstances be transferred to locations outside of the EEA. However, we do not transfer any Shared Personal Data outside of the EEA unless:
- we ensure that the transfer is to a country approved by the European Commission (under Article 45 GDPR) as providing adequate protection; or
- there are (under Article 46 GDPR) appropriate safeguards in place; or
- one of the derogations for specific situations in Article 49 GDPR applies to the transfer.
In addition to the above restrictions on transfer outside the EEA, where we are a data controller, we do not transfer any Shared Personal Data outside of the EEA unless there is also compliance with Article 26 GDPR.
In other circumstances, the law itself may permit us to otherwise transfer your personal information outside the EEA. In all cases, however, any transfer of your personal information will be compliant with the applicable data protection law in place.
We take the security of your data seriously and have internal policies and controls in place to ensure your data is not lost, accidentally destroyed, misused or disclosed, and that it is not accessed except by those authorised to do so in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We have also put in place procedures to deal with any suspected personal data breach.
If any of the personal data that you have provided to us changes, for example if you change your email address or contact details, or if you become aware we have any inaccurate personal data about you, please let us know by contacting either the Outset UK Group colleague with whom you deal or by emailing firstname.lastname@example.org.
We will retain your personal data for as long as necessary to fulfil the purposes that we collected it for and for us to assert or defend against legal claims. How long we keep it will vary, and will depend primarily on:
- The purpose for which we are using your personal information - we will need to keep the information for as long as is necessary for the relevant purpose;
- Legal obligations - laws or regulations may set a minimum period for which we have to keep your personal information.
The appropriate retention period is determined by the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process and whether we can achieve those purposes through other means, together with the applicable legal requirements.
Upon expiry of the applicable retention period we securely destroy your personal data in accordance with applicable laws and regulations. We ensure that the personal information we hold is subject to appropriate security measures.
You have a number of rights in relation to the personal information that we hold about you and you can exercise your rights by contacting us directly. These rights include:
- Access: You can request a copy of the personal data that we hold about you. There are exceptions to this right, so that access may be denied if, for example, making the information available to you would reveal personal data about another person, or if we are legally prevented from disclosing such information;
- Accuracy: We aim to keep your personal data accurate, current, and complete. You can request that we correct your personal data if it is inaccurate or incomplete;
- Erasure: You can request that we erase your personal information in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal information but we are legally entitled to retain it;
- Objecting: You can request that we restrict our processing of your personal information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal information but we are legally entitled to refuse that request. For example, in certain circumstances it may be lawful for us to continue processing without your consent if we have another legitimate reason (other than consent) for doing so;
- Porting: In some circumstances, you can request that some of your personal data is provided to you, or to another data controller, in a commonly used, machine-readable format. Please note that this right only applies to personal information which you have provided to us;
- Complaint: If you believe that your data protection rights may have been breached, you can complain to the relevant data protection supervising authority (e.g. The Information Commissioner’s Office (ICO) in the UK).
Write: Privacy & Data Protection Officer
Outset UK Group
Vinters Business Park
New Cut Road
Date issued: 24 May 2018