Privacy notice
How to contact us
If you have any questions regarding your personal data and how we may use it, including any queries relating to this Notice, please contact dataprotection@hrwallingford.com.
Terminology
From 25 May 2018, our data processing activities will be governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"). For the purpose of the GDPR, we are the 'Data Controller' of all personal data obtained by us as set out in this Notice, because we ultimately determine how your personal data will be handled by us. We are also usually the Data Processor as we will usually process all your data ourselves. Sometimes we may sub-contract some of the data processing and in this case our sub-contractors, who would be our 'Data Processors'.
'Personal data' is any information that can be used to identify you, including your name, e-mail address, IP address, or any other data that could reveal your physical, physiological, generic, mental, economic, cultural or social identity.
If we handle your personal data then you are a "Data Subject". This means you have certain rights under the GDPR in relation to how your personal data is processed, which are set out in this Notice.
How do we collect your personal data?
We may obtain personal data from you in a variety of ways, including when you:
- make direct contact with us by any means, for example by email, telephone or when you provide us with your business card;
- visit one of our websites, for example when you complete an online form, create a user account; or subscribe to receive newsletters or email updates from us;
- take part in a webinar or online meeting we host;
- apply for a job with us – this is covered by a separate Privacy notice for job applicants;
- engage with us on social media;
- attend an event or meeting we host;
- choose to complete any surveys we send to you;
- visit our offices which usually have CCTV security systems (which may record your image).
We may also collect personal data while we are establishing a business relationship or providing our services or products through a contractual arrangement.
In addition, we may collect personal data indirectly from public sources, for example news articles or internet searches, and from our clients and partners.
What categories of personal data do we collect?
We may collect the following categories of personal data, either through direct interactions, or from information provided by our clients and partners:
- Your contact details, for example, your name, job title, company name, work address, telephone numbers, and email address.
- Your professional details, for example, business interests, qualifications, professional memberships and affiliations, published articles.
- Your image, for example, from CCTV footage or from photographs taken on our premises or during events that we host.
- Your Twitter account and LinkedIn profile details;
- Your internet protocol (IP) address or other online identifiers;
- Your vehicle registration number;
- Location-based data;
- Your attendance at events and any dietary requirements you may have;
- Your comments/questions.
Why do we need your personal data?
We aim to be clear about the personal data we collect and tell you why we need it. This might typically include:
- Providing specialist research and consultancy services and technology relating to civil engineering and environmental hydraulics;
- Promoting our services, products and capabilities to existing and potential clients and partners;
- Processing and responding to communications from individuals or requests for proposals and quotations;
- Sending invitations and providing access to events and webinars;
- Personalising our website landing pages and communications we think would be of interest based on your location or interactions with us;
- Administering, maintaining and ensuring the security of our information systems, applications and websites;
- Authenticating access to user accounts or restricted areas of our websites;
- Identifying qualified candidates for our job vacancies (governed by our Privacy Notice for Job Applicants);
- Contacting journalists about our press releases, press events or to highlight messages that may be of interest on specific industry topics;
- Travel arrangement assistance.
How do we process your personal data?
We will only process your personal data where we have a legal basis for doing so, as outlined in this Notice, or as we explain to you at the time we collect it. Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.
Your personal data may be shared with third parties, including (but not limited to) the following:
- any member of our Group, including our subsidiaries or affiliate companies;
- third parties where we are under a duty to disclose your personal data to comply with any legal obligation, or to appropriate regulators or other law enforcement organisations;
- third party suppliers to us, including (for example) sub-contractors, shipping companies, auditors and our IT providers, who may be located outside the EEA.
- third parties to whom we choose to sell, transfer, or merge parts of our business or our assets.
Third parties provide certain services on our behalf. We may provide personal data that we have collected to third party service providers to help us deliver products and services or to manage our mailing lists or surveys.
We are committed to protecting your personal data from loss, misuse, disclosure, alteration, unauthorised access and destruction and to keeping your data secure. We take all reasonable precautions to safeguard the confidentiality of your personal data.
We have strict procedures and security features to prevent unauthorised access of your personal data.
Do we transfer your personal data outside the EEA?
We operate globally and have offices and subsidiaries in locations such as the USA, China, Australia, Italy, India, UAE and Malaysia. For specific situations we may from time to time transfer your personal data from within the European Economic Area (EEA) to our offices outside of the EEA or to other people or companies To safeguard your personal data we ensure that all our offices, subsidiaries and affiliates enter into a group data protection agreement which will apply, where your data is transferred to one of them and which puts provisions in place to make sure that when your data is transferred it will be protected in the same way as it is protected before the transfer by us and we aim to put in place a data processing agreement with any third parties which will also ensure similar protection for your personal data. We may also transfer your personal data to countries outside of the EEA to other people or companies for one of the legal bases for processing your personal data as indicated above.
We take steps to ensure that any third parties with whom we share your personal data keep your personal data secure.
What legal bases do we use to process your personal data?
There are four main legal bases that we rely on when it comes to processing your personal data. These are:
- Legitimate interest. We may need to process your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, we will use your email address to provide information you have asked us to supply, or send you information about updates to or similar services.
- Contractual obligations. If we are in a contract with you (or about to enter into a contract with you and you have requested certain pre-contract details) we may need to process your data to comply with our contractual or pre contractual obligations. For example, we might need to use your e-mail address to communicate with you, or pass your address details to a supplier in order for them to deliver something to you.
- Consent. In specific situations, we collect and process your data with your consent. We will usually ask you to tick a box (or similar) to confirm that you have provided your consent. For example, unless we have a legitimate interest to contact you to market our services, we will obtain your consent to receive marketing updates from us.
- Legal obligation. If the law requires us to, we may need to collect and process your data. For example, we can pass on details of people involved in fraud or other criminal activity to law enforcement agencies.
What if you don’t supply your personal data?
You are under no obligation to supply your personal data to us. If you choose not to provide the personal data we request when visiting our websites, you will still be able to access parts of the site, but you may not be able to access certain features or services, for example creating an account or submitting an order or enquiry.
If you chose to have a relationship with us, such as a contractual or other business relationship or partnership, we will naturally continue to contact you in connection with that business relationship, in accordance with this Notice and any additional contractual terms agreed with you.
How do you access and update your data?
Where we collect personal data from you, we want to provide a way for you to contact us should you need to update or correct that information.
All our marketing emails will contain a link where you can update your details or unsubscribe. Otherwise you can send updates and corrections about your personal data to dataprotection@hrwallingford.com and we will incorporate the changes to the personal data that we hold and do so as soon as practicable.
How long do we retain your personal data?
Different personal data is collected for a variety of reasons, so we cannot definitively set out how long we will retain all personal data in this Notice.
We will retain your personal data on our systems only for as long as we need it, given the purposes for which it was collected, or as required to do so by law.
We keep contact information (such as mailing lists) until a user unsubscribes or asks us to delete their information. If you choose to unsubscribe from a mailing list, we may keep certain information about you so that we can honour your request.
Website visitors
By using our websites or providing us with personal information, you are agreeing to this Notice along with our usage terms and conditions.
You can browse our websites without telling us who you are. If you want to contact HR Wallingford without sharing your personal information, please contact us by post or by telephone.
We may use the personal information you give us via our websites and contact you for marketing purposes by email, where it is in our legitimate interests or if you have specifically provided your consent for us to do so. We will never share your details with other organisations outside of our Group to use for their own purposes, including marketing purposes.
All of our marketing emails provide a clear route for you to opt out and should you wish to change your communication preferences, you can do this at any time, either via the links provided on our marketing emails, or by emailing dataprotection@hrwallingford.com.
Where you receive a marketing email from us, we may collect information to determine whether you have visited our site and which sections you have viewed to enable us to make our communications more relevant for you.
If you do not want us to collect information that shows if you visited our site using links in our email communications, you will need to unsubscribe. We will automatically log this information on our database, and your preference will be maintained on a ‘marketing suppression list’.
Cookies
Cookies are small text files that are placed on the user’s device (computer or mobile phone) by websites that they visit. We may use ‘cookies’ to identify visits to our websites and track information on how visitors use a site.
We use Google Analytics (_utma, _utmb, _utmc,_utmz) cookies to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. Click here for an overview of privacy at Google.
Payment card information
If you use your credit or debit card to make a payment for an online purchase, for example to register for an event, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard.
Online payments on our websites are carried out using a 'payment gateway’, which is a direct connection to a payment service provided by a bank. This means that when you input card data into the payment page, you are communicating directly with the bank and the bank passes your payment to us. Your payment card information is handled by the bank and not processed or held by us. We use WorldPay as our payment gateway.
Payments made by telephone will be processed by staff authorised and trained to see your card details and process payments. All card details and validation codes are securely destroyed once your payment has been processed.
If we receive an email containing any credit or debit card details, it will be immediately deleted, no payment will be taken and you will be notified about this.
Links
Our websites contains links to third party websites. When you visit external websites please read their privacy policies carefully. We accept no responsibility for external websites.
Automated decision making
We don’t make decisions based solely on automated decision-making.
Your rights
As a Data Subject, you have the following rights in relation to your personal data:
- The right to be informed. You can ask us to tell you what personal data we are processing and why we are processing.
- The right of access. You have the right to be provided with copies of the personal data of you that we are processing as well as confirmation of the processing we are doing.
- The right to change incorrect or incomplete data. If you think the personal data that we hold on you is inaccurate or incomplete you can tell us and we will fix it.
- The right to erasure. If you want us to permanently delete the personal data we hold for you then you can ask us to do so.
- The right to restrict processing. If you do not like how we are using your personal data where we are relying on using it for our legitimate interests, then you can let us know and we will stop processing it in that way.
- The right to data portability. If you want us to pass on your personal data to someone else then please let us know. This transfer should not affect the integrity or otherwise damage your personal data.
- The right to withdraw your consent. If we have relied on your consent to process your personal data, you can withdraw this at any time by contacting us.
If you would like to exercise any of these rights, please contact dataprotection@hrwallingford.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
You may contact the UK Information Commissioner’s Office at ico.org.uk to report concerns you may have about our data handling practices.