Privacy Statement - Gateley Plc

Privacy Statement

  1. Applicability

This notice applies to you if we process your personal information and you are not an employee or worker of ours, a prospective candidate employee or worker nor an individual to whom we have provided a specific privacy notice.  You may, for example, be an individual that works at a supplier or customer that we deal with, an attendee at one of our marketing events, a shareholder or a user of our website.

References to we, our or us in this privacy notice are to the Gateley Group (being Gateley (Holdings) plc, and each of its direct and indirect subsidiaries, trading under the “Gateley” brand including Gateley Hamer and Gateley Capitus).  Details of our main trading entities are as follows:

Gateley Capitus Limited is a limited company incorporated in England and Wales. Registered Number: 3324995. Registered Office: One Eleven, Edmund Street, Birmingham B3 2HJ.

Gateley Hamer Limited is a limited company incorporated in England and Wales and regulated by the Royal Institution of Chartered Surveyors. Registered Number: 3948095.  Registered Office: One Eleven, Edmund Street, Birmingham B3 2HJ.

Gateley Plc is a public limited company incorporated in England and Wales. Registered Number: 9310187. Registered Office: One Eleven, Edmund Street, Birmingham B3 2HJ. Authorised and regulated by the Solicitors Regulation Authority.

We have appointed a Data Protection Officer to oversee our compliance with data protection laws.  Contact details are set out in the ‘Contacting us’ section at the end of this privacy notice.

We are committed to respecting your privacy. This notice is to explain how we may use personal information we collect before, during and after your relationship with us. This notice explains how we comply with the law on data protection and what your rights are. For the purposes of data protection we will be the controller of any of your personal information.

  2. Personal information we collect

We may collect the following types of personal information about you:

  • Contact details: information that allows us to identify and contact you directly such as your name, address, email address and telephone number.
  • Identification information: passport and other official identification details, information from a third party AML check provider, Companies House information.
  • Details of your work history: this may include positions, roles and responsibilities.
  • Personal history and information: This includes hobbies, interests, marital status, family details, dietary requirements.
  • Responses to surveys, competitions and promotions: we keep records of any surveys you respond to or your entry into any competition or promotion we run.
  • Creditworthiness: We may undertake investigations into your creditworthiness in order to establish whether to enter into or continue a business relationship with you
  • Details of your performance: when working with or for us or in relation to any project or work we are engaged in.
  • How you use our website: we collect information about the pages you look at and how you use them.
  • CCTV images: if you visit any of our premises which are covered by our CCTV system.
  • Your usage of the IT systems we make available to visitors to our premises, such as our client internet facilities.
  • Details of any shareholding you have in us.
  • Details of the correspondence (including e-mail correspondence) you send and receive from us: this includes letters and emails, SMS, MMS and other electronic communication and may in some cases include audio recording of telephone conversations
  • Subscription information: for example when you subscribe to one of our blogs or other materials.
  • IP address information: your computer’s IP address allows us to track your usage of our website.

  3. Special categories of personal information

We do not generally collect, store and use the following “special categories” of more sensitive personal information regarding you:

  • information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;
  • information about your trade union memberships;
  • information about your health, including any medical condition, health and sickness records, medical records and health professional information; and
  • biometric information about you, for example fingerprints, retina scans.

We also do not generally collect, store and use any criminal records history relating to you; however, our AML checks may reveal such information.

  4. Sources we collect your personal information from

We will collect personal information from a number of sources. These include the following:

  • Directly from you: when you indicate that you may wish to attend an event, complete forms we provide to you, enter our competitions and promotions, make a claim, make a complaint, provide AML information to us, contact us by phone or email, or communicate with us directly in some other way.
  • Our website: provides us with information about how you use it and the devices that you use to connect to our website.
  • Our providers of background information: which may include credit reference agencies, AML check provider, Companies House, LinkedIn and other web platforms
  • Your employer or the organisation you work for: they may provide us with your name, position, contact details and background information about you.

  5. What we use your personal information for

The table below describes the main purposes for which we process your personal information, the categories of your information involved and our lawful basis for being able to do this.

| Purpose | Personal information used | Lawful basis |
| --- | --- | --- |
| Identity and AML checks | All the personal information we collect | We may have a legal obligation to undertake identification and AML checks. We also have a legitimate interest in knowing your identity. |
| Passing details of our AML checks to third parties | All the personal information we collect | The third parties have a legitimate interest in undertaking identity and AML checks. |
| Enter into and perform contracts | All the personal information we collect | To enter into and perform contracts with either yourself or the organisation that you represent. |
| Deal with your queries or complaints | All the personal information we collect | This may be necessary to perform a contract with you or the organisation that you represent. We have a legitimate interest to improve the services or products we provide. |
| Maintain and improve services and products | All the personal information we collect | We have a legitimate interest to improve the services and products we provide. |
| Data analytics and statistical research to help us improve our online services | How you use our website | We have a legitimate interest to improve the services we provide. |
| Security of our IT systems | All the personal information we collect | We have a legitimate interest in ensuring the security of our IT systems. |
| Staff training | All the personal information we collect | We have a legitimate interest to improve the services we provide. |
| Perform credit checks | Contact details and payment information | We have a legitimate interest to ensure that we are likely to be paid for our services or products. |
| Determine services that may be of interest to you | All personal information we collect | We have a legitimate interest to improve the services and products we provide. |
| To provide you with requested information | Contact details and services and products or other information that you have requested we provide to you or your organisation | To comply with the request made by you. |
| Direct marketing | Contact details and services and products that we have determined may be of interest to you or your organisation and/or which you or your organisation has purchased in the past | We may ask for your consent to process your data for this purpose, you may revoke your consent at any point. Alternatively if you or your organisation has purchased similar services or products from us previously we may market similar products or services as a legitimate interest in developing our business. You have the right to opt out from such marketing at any time. |
| Holding events | Your contact details, details of attendance, your comments in response forms and dietary requirements and CCTV images | We have a legitimate interest in holding events and tracking attendance and providing appropriate food and drinks at events. |
| Fraud, crime prevention and debt collection | All the personal information we collect | We have a legitimate interest to detect and prevent crime and to collect debts. |
| Shareholding | Details of the number of shares that you hold in us and details of your purchase history | We have a statutory duty to maintain a register of members and to report on certain changes in shareholding. We may also process your personal information to perform analyses of the types of person that own shares in us and we do so on the basis that we have a legitimate interest in so doing. |

For some of your personal information you may be under a legal, contractual or other requirement or obligation to provide it to us.  If you do not provide us with the requested personal information we may not be able to properly perform our contract with you or the organisation you represent or comply with legal obligations and we may have to terminate our relationship.  For other personal information you may not be under an obligation to provide it to us, but if you do not provide it then we may not be able to properly perform our arrangements with you or the organisation you represent.

Where you have given us your consent to use your personal information in a particular manner, you have the right to withdraw this consent at any time, which you may do by contacting us as described in the “Contacting us” section below.  We will generally only ask for your consent for direct marketing.

Please note however that the withdrawal of your consent will not affect any use of the data made before you withdrew your consent and we may still be entitled to hold and process the relevant personal information to the extent that we are entitled to do so on bases other than your consent.  Withdrawing consent may also have the same effects as not providing the information in the first place, for example we may no longer be able to provide marketing information to you.

We may anonymise and aggregate any of the personal information we hold (so that it does not directly identify you).  We may use anonymised and aggregated information for purposes that include testing our IT systems, research, data analysis, improving our site and developing new products and services.

CCTV images relating to you will be covered by our separate privacy notice regarding our CCTV system which can be found at www.gateleyplc.com or you can request a copy by contacting us as described in the “Contacting us” section below.

  6. Who we share your personal information with

We share personal information with the following parties:

  • Companies in the same group of companies as us: in relation to joint events.
  • Other companies in our supply chain: so that they can contact you about any issues in the supply chain.
  • Credit reference and other identification agencies: so that we can assess your creditworthiness and to verify your identity. These agencies may retain a footprint that a search has been undertaken
  • Marketing and public relations companies: to help us to develop, carry out and assess marketing and PR campaigns
  • Those who manage our share register and details of shareholdings.
  • Other service providers and advisors: such as companies that support our IT, help us analyse the data we hold, process payments, send communications to our customers, provide us with legal or financial advice and generally help us deliver our products and services to you or the organisation that you represent.
  • Purchasers of our business: buyers or prospective buyers to whom we sell or negotiate to sell our business.
  • The Government or relevant regulators: where we are required to do so by law or to assist with their investigations, for example the Information Commissioner’s Office.
  • Police, law enforcement agencies and security services: to assist with the investigation and prevention of crime and the protection of national security.

We also use Google Analytics which sets cookies to collect information about how visitors use our website.  See our cookie notice for more information.  We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited.  To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout .

We do not disclose personal information to anyone else except as set out above. We may provide third parties with aggregate statistical information and analytics about users of our products and services but we will make sure no one can be identified from this information before we disclose it.

  7. Direct Marketing

Email, post and SMS marketing: from time to time, we may contact you by email, post or SMS with information about products or services we believe you may be interested in.

We will only send marketing messages to you in accordance with the marketing preferences you set when you create your account or that you tell us afterwards you are happy to receive or where you or the organisation you represent have purchased similar services or goods from us previously.

You can let us know at any time that you do not wish to receive marketing messages by sending an email to us at dpo@gateleyplc.com or by using the details set out in the “Contacting us” section below.  You can also unsubscribe from our marketing by clicking on the unsubscribe link in any marketing messages we send to you.

  8. Transferring your personal information internationally

The personal information we collect may be transferred to and stored in countries outside of the UK and the European Union. Some of these jurisdictions require different levels of protection in respect of personal information and, in certain instances, the laws in those countries may be less protective than the jurisdiction you are typically resident in. We will take all reasonable steps to ensure that your personal information is only used in accordance with this privacy notice and applicable data protection laws and is respected and kept secure. Where a third party processes your data on our behalf we will put in place appropriate safeguards as required under data protection laws.  For further details please contact us by using the details set out in the “Contacting us” section below.

Our directors and other individuals working for us may in limited circumstances access personal information outside of the UK and European Union if they are on holiday abroad outside of the UK or European Union.  If they do so they will be using our security measures and will be subject to their arrangements with us which are subject to English Law and the same legal protections that would apply to accessing personal data within the UK.

In limited circumstances the people to whom we may disclose personal information as mentioned in section 6 above may be located outside of the UK and European Union.  In these cases we will impose any legally required protections to the personal information as required by law before it is disclosed.

  9. How long do we keep personal information for

We will keep your personal information for as long as is necessary for the purpose for which it has been obtained.  For individual contacts at customers and suppliers this will be for as long as we continue to have a relationship with that customer or supplier and then for a period of 7-15 years afterwards.

It is important to ensure that the personal information we hold about you is accurate and up-to-date, and you should let us know if anything changes, for example if you move position or work for a different organisation or change your phone number or email address. You can contact us by using the details set out in the “Contacting us” section below.

  10. Security

We have numerous security measures in place to protect against the loss, misuse and alteration of information under our control, such as passwords and firewalls. We cannot, however, guarantee that these measures are, or will remain, adequate. We do, however, take data security very seriously and will use all reasonable endeavours to protect the integrity of the information you provide.

  11. Your rights in relation to your personal information

You have the following rights in relation to your personal information: (i) the right to be informed about how your personal information is being used; (ii) the right to access the personal information we hold about you; (iii) the right to request the correction of inaccurate personal information we hold about you; (iv) the right to request the erasure of your personal information in certain limited circumstances; (v) the right to restrict processing of your personal information where certain requirements are met; (vi) the right to object to the processing of your personal information; (vii) the right to request that we transfer elements of your data either to you or another service provider; and (viii) the right to object to certain automated decision making processes using your personal information.

You should note that some of these rights, for example the right to require us to transfer your data to another service provider or the right to object to automated decision making, may not apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us.  For example we do not use automated decision making in relation to your personal data.  However some have no conditions attached, so your right to withdraw consent or object to processing for direct marketing are absolute rights.

Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a very complex area of law. More information about your legal rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-the-public/.

To exercise any of the above rights, or if you have any questions relating to your rights, please contact us by using the details set out in the “Contacting us” section below.

If you are unhappy with the way we are using your personal information you can also complain to the UK Information Commissioner’s Office or your local data protection regulator. We are here to help and encourage you to contact us to resolve your complaint first.

  12. Changes to this notice

We may update this privacy notice from time to time. When we change this notice in a material way, we will update the version date at the bottom of this section. For significant changes to this notice we will try to give you reasonable notice unless we are prevented from doing so. Where required by law we will seek your consent to changes in the way we use your personal information.

  13. Contacting us

In the event of any query or complaint in connection with the information we hold about you, please email dpo@gateleyplc.com or write to us at:

Data Protection Officer
One Eleven, Edmund Street
Birmingham B3 2HJ

Version dated April 2018

We are committed to respecting your privacy. This notice is to explain how we may use personal information we collect before, during and after your relationship with us.

This notice applies to current and past clients of Gateley who are living individuals and to persons who work for our clients.

References to we, our or us in this privacy notice are to the Gateley Group (being Gateley (Holdings) plc, and each of its direct and indirect subsidiaries, trading under the “Gateley” brand including Gateley Hamer and Gateley Capitus).  Details of our main trading entities are as follows:

Gateley Capitus Limited is a limited company incorporated in England and Wales. Registered Number: 3324995. Registered Office: One Eleven, Edmund Street, Birmingham B3 2HJ.

Gateley Hamer is a limited company incorporated in England and Wales and regulated by the Royal Institution of Chartered Surveyors. Registered Number: 3948095.  Registered Office: One Eleven, Edmund Street, Birmingham B3 2HJ.

Gateley Plc is a public limited company incorporated in England and Wales. Registered Number: 9310187. Registered Office: One Eleven, Edmund Street, Birmingham B3 2HJ. Authorised and regulated by the Solicitors Regulation Authority.

For the purposes of this notice the controller is that Gateley Group entity that you or your business has engaged.

  1. Personal Information

When you interact with us in relation to our work for you, you may provide us with or we may obtain personal information about living individuals (subjects).  The subjects may be you (if you have engaged us as an individual client), your employees, the living individuals that you may wish to contract with or wish us to advise in relation to, or persons that you may have a dispute with.  The information we may obtain includes:

  • personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
  • details of a dispute with the subject;
  • details of a contract or transaction involving the subject;
  • details of the advice that you require regarding the subject;
  • date of birth;
  • gender;
  • marital status and dependants;
  • credit history;
  • next of kin, details of family members and emergency contacts;
  • national insurance number and other tax or governmental identifiers;
  • bank accounts and tax status;
  • employment details and records (including job titles, work history, working hours, training records and professional memberships);
  • images in photographic or video form; and
  • shareholdings of the subject.

You may also provide us with or we may collect, store and use the following “special categories” of more sensitive personal information regarding subjects:

  • information about the subject’s race or ethnicity, religious beliefs, sexual orientation, trade union memberships and political opinions;
  • information about the subject’s health, including any medical condition, health and sickness records; and
  • information about the subject’s criminal convictions and offences.

We obtain the information regarding subjects from you, as part of our work for you and as a result of our investigations in pursuit of your instructions to us.  We may instruct third parties (such as enquiry agents) to obtain personal information regarding subjects.  Notwithstanding that you have provided information regarding subjects to us or in furtherance of your instructions, we may process such information as controller and have a duty to inform subjects of our processing of personal information except where an obligation of professional secrecy applies.

If you are providing information regarding subjects to us, it is your responsibility to ensure that you have the right to provide the information to us.

  2. Uses made of the information

We are committed to protecting privacy, and will only use personal information regarding subjects in accordance with applicable data protection legislation, including the Data Protection Act 1998 and (once applicable) the General Data Protection Regulation and the UK implementing legislation.  Most commonly, we will use your personal information in the following circumstances:

  • where we need to perform the contract we have entered into with you;
  • where we need to comply with a legal obligation; and
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • where we need to protect your interests (or someone else’s interests); and
  • where it is needed in the public interest.

We need all the categories of information in the list in paragraph 1 above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.  These legitimate interests are to manage our relationship with you, determine our respective rights and obligations and to properly conduct our business.  There are more limited circumstances where we process personal data pursuant to your consent.

The situations in which we will process your personal information are listed below. We have also indicated by colour coding below the main bases for the purpose or purposes for which we are processing or will process your personal information:

| Purpose | Personal information used | Lawful basis |
| --- | --- | --- |
| Performing client instructions | All the personal information we collect | We do this to perform our contract with clients. |
| Undertaking client management, including engagement letters, billing and billing management | All the personal information we collect | We have a legitimate interest to properly manage our business. |
| Management of payments on our client’s behalf | All the personal information we collect | We do this to perform our contract with clients. |
| Ensuring the security of our systems and information as well as client information | All the personal information we collect | We have a legitimate interest to manage the security of our systems. |
| Perform credit checks | Contact details and payment information | We have a legitimate interest to ensure that we are likely to be paid for our services or products. |
| Staff training | All the personal information we collect | We have a legitimate interest to train staff and improve the services we provide. |
| To prevent and detect criminal or improper acts (including CCTV) | Your usage of our systems (including our extranets). CCTV (where installed) | We have a legitimate interest to ensure that criminal acts are not committed using our systems or on our premises. |
| Sale or takeover of our business | All the personal information we collect | We have a legitimate interest in relation to corporate transactions relating to us. |
| Business continuity | All the personal information we collect | We have a legitimate interest in making back-ups and providing for business continuity in the event of an occurrence which affects our ability to trade from one of our offices. |

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.

We will only use a subject’s personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.  If we need to use a subject’s personal information for an unrelated purpose, we will (if required by law) notify the subject and explain the legal basis which allows us to do so.

Please note that we may process subject personal information without the subject’s knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

“Special categories” of particularly sensitive personal information require differing levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • in limited circumstances, with explicit written consent;
  • where we need to carry out our legal obligations; and
  • where it is needed in the public interest.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect the subject’s interests (or someone else’s interests) and the subject is not capable of giving consent, or where the subject has already made the information public.

We will use the subject’s personal information in the following special categories in the following ways:

  • we will use information relating to the subject’s health insofar as it is relevant to your instructions to us;
  • we will use information about criminal convictions to comply with law and in order to comply with your instructions to us;
  • we will use information about the subject’s trade union membership to comply with your instructions to us; and
  • we will use information about the subject’s race or national or ethnic origin, religious, philosophical or moral beliefs, sexual life or sexual orientation to comply with your instructions to us.

Where you have given us your consent to use your personal information in a particular manner, you have the right to withdraw this consent at any time, which you may do by contacting us as described in paragraph 8. Please note however that the withdrawal of your consent will not affect any use of the data made before you withdrew your consent and we may still be entitled to hold and process the relevant personal information to the extent that we are entitled to do so on bases other than your consent.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

  3. Disclosure of your personal information

We may share your personal information where it is necessary to administer the working relationship with you or where we have a legitimate interest in doing so. We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply such other terms as apply to our relationship, or to protect the rights, property, or safety of our other employees, workers and contractors, our customers, ourselves or others.  This includes exchanging information with other companies and organisations for the purposes of providing references and fraud protection.

“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within the Gateley Group.

The third parties we share your personal information with where required by law are courts and governmental agencies.

The third parties we share your personal information with where it is necessary to administer the working relationship with you include (where you are a contractor) the client of ours for whom you are ultimately providing services.

The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration and IT services.  All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.  All members of the Gateley Group are bound by this privacy policy.

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

In certain cases the disclosure of your personal information to a third party as described in this paragraph 3 may involve your personal information being transferred outside of the United Kingdom. This may be to:

  • a country in the European Economic Area or that is otherwise considered to have data protection rules that are equivalent to those in the United Kingdom; or
  • a country which is not considered to have the same standards of protection for personal data as those in the United Kingdom, in which case we will take all steps required by law to ensure sufficient protections are in place to safeguard your personal information, including where appropriate putting in place contractual terms approved by the relevant regulatory authorities.

For more information about the circumstances in which your personal information may be disclosed to third parties and the safeguards we put in place to protect your personal information when we do so, please contact us as described in paragraph 8.

  1. Data security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

You should take all reasonable steps to keep your personal information held on our IT systems secure, including choosing a secure password for your accounts and not disclosing your passwords to anybody else. You should use a unique password for every account.  Further details are in our IT and password policies.

  1. Your rights and retention, updating and removal of your personal information 

The duration for which we retain your personal information will differ depending on the type of information and the reason why we collected it from you. However, in some cases personal information may be retained on a long term basis: for example, personal information that we need to retain for legal purposes will normally be retained in accordance with usual commercial practice and regulatory requirements.  Generally, where there is no legal requirement we retain all physical and electronic records for a period of 15 years.  Exceptions to this rule are:

  • CCTV records which are held for no more than 35 days unless we need to preserve the records for the purpose of prevention and detection of crime;
  • Details regarding unsuccessful job applicants where we hold records for a period of not more than 12 months except for unsuccessful applicants for training contracts where we hold records for up to three years; and
  • Information that may be useful to a pension provider which we may retain for the period that your pension is payable.

It is important to ensure that the personal information we hold about you is accurate and up-to-date, and you should let us know if anything changes, for example if you move home or change your phone number or email address. You can contact us using the details in paragraph 8 or via your usual contact.

Under certain circumstances, by law you have the right to:

  • request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
  • request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
  • request the erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to stop processing personal information where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground;
  • request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it; and
  • request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please use the contact details in paragraph 8.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

  1. Enquiries, issues and complaints

In the unlikely event that you have any concerns about how we use your personal information, please contact us as described in paragraph 8.

If you make a complaint about our handling of your personal information, it will be dealt with in accordance with our complaints handling procedure.

If we are unable to resolve your complaint, you may make a complaint to the Information Commissioner’s Office. Please see https://ico.org.uk/for-the-public/raising-concerns/ for more information.

  1. Changes to this privacy notice

We reserve the right to alter this privacy notice at any time. Such alterations will be posted on our intranet. You can also obtain an up-to-date copy of our privacy notice by contacting us as described in paragraph 8. Should you object to any alteration, please contact us.

  1. Contacting us

If you need to contact us about this notice or any matters relating to the personal information we hold on you, you can do so via our Data Protection Officer, who may be contacted at dpo@gateleyplc.com or:

Data Protection Officer
One Eleven, Edmund Street,
Birmingham B3 2HJ

  1. Further information

We hope that the contents of this privacy notice address any queries that you may have about the personal information we may hold about you and what we may do with it. However, if you do have any further queries, comments or requests, please contact us as described in paragraph 8 above.

Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a very complex area of law. More information about your legal rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-the-public/.

Version issued April 2018

This notice sets out how Gateley plc of One Eleven, Edmund Street, Birmingham, B3 2HJ (we, us, our) uses your personal information which may be recorded on our CCTV system. This notice explains how we comply with the law on data protection and what your rights are and for the purposes of data protection we will be the controller of any of your personal information recorded on our CCTV system.

We have appointed a Data Protection Officer to oversee our compliance with data protection laws, and contact details are set out in the “Contacting us” section at the end of this privacy notice. 

  1. What information may we hold / process that will relate to you?

We may collect from you video recordings and still pictures which feature you if you are in the field of vision of our CCTV system. This personal information may include your activities, your face, car registration details and other visual information about you which is recorded on our CCTV system.

  1. What do we do with your personal information?

As the data controller we will collect personal information on our CCTV system and use it for the following purposes:

  • For the prevention and detection of crime
  • For evidence in any civil or criminal legal proceedings
  • To assist in investigations
  • For safety and security
  • Dealing with any queries, complaints or enquiries
  • Retaining records

As well as being the purposes for which we use your personal information, all of the above are also legitimate reasons for us to use and store personal information relating to you which is captured on our CCTV system and legitimate interests is our legal basis for processing your personal information.

We do sometimes use facial recognition software at the request of law enforcement authorities, e.g. the police or security services, and when this is done it will be automated data processing. This facial recognition software will seek to identify individuals based on their features, i.e. biometric data, and may lead to criminal investigations and/or action against you. The bases for this processing of biometric data, which is special category personal information, are that processing is necessary for the establishment, exercise or defence of legal claims and also that processing is necessary for reasons of substantial public interest.

We may anonymise any of the personal information we hold on our CCTV system (so that it does not directly identify you, for example by obscuring your face) and it therefore ceases to be your personal information. We may use this anonymised information for any other purposes.

  1. Who we share your personal information with

We share your personal information with the following parties:

  • Suppliers and service providers: to manage and operate the CCTV system as our data processor.
  • Joint data controllers: who may jointly operate and maintain the CCTV system with us.
  • The police and other law enforcement agencies: to carry out policing, assist investigations, trace missing people and investigate alleged criminal activities.
  • The security services: where relevant for matters of national security.
  • People who have been injured, attacked or had property damaged or stolen and their insurance providers: to assist them with any criminal or civil investigations or legal proceedings.
  • People who have been involved in road traffic accidents and their insurance providers: to assist with insurance claims, legal claims and investigations.
  • Private and other investigators: to aid their investigations.
  • Any relevant regulators: where we are required to do so by law or to assist with their investigations or initiatives, and this includes but is not limited to the Information Commissioner’s Office.

We do not disclose personal information obtained using our CCTV system to anyone else except as set out above.

  1. Transferring your personal information internationally

The personal information we collect about you is not transferred to or stored in countries outside of the UK or European Union except as set out in this section.

Our directors and other individuals working for us may in limited circumstances access personal information outside of the UK and European Union if they are on holiday abroad outside of the UK or European Union. If they do so they will be using our security measures and will be subject to their arrangements with us which are subject to English Law and the same legal protections that would apply to accessing personal data within the UK.

In limited circumstances the people to whom we may disclose personal information from our CCTV system as mentioned in section 3 above may be located outside of the UK and European Union. In these cases we will impose any legally required protections to the personal information as required by law before it is disclosed.

If you require more details on the arrangements for any of the above then please contact us using the details in the “Contacting us” section below.

  1. How long do we keep your personal information for

We will keep your personal information for up to approximately 35 days after the recording was made. After this time the recording stored on the hard drive of our CCTV system will usually be overwritten. However if we receive an enquiry about a particular recording on our CCTV we will generally then retain that part of the recording until it is no longer required. This period can vary as it will depend upon the circumstances of the particular case, but for criminal or civil legal proceedings this could mean that the personal information is retained until after the legal case and any appeals have been concluded, which may be many years. As soon as it is no longer required we will then delete the personal information.

  1. Your rights in relation to your personal information

You have the following rights in relation to your personal information: (i) the right to be informed about how your personal information is being used; (ii) the right to access the personal information we hold about you; (iii) the right to request the correction of inaccurate personal information we hold about you; (iv) the right to request the erasure of your personal information in certain limited circumstances; (v) the right to restrict processing of your personal information where certain requirements are met; (vi) the right to object to the processing of your personal information; (vii) the right to request that we transfer elements of your data either to you or another service provider; and (viii) the right to object to certain automated decision making processes using your personal information.

You should note that some of these rights, for example the right to require us to transfer your data to another service provider or the right to object to automated decision making, may not apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored in our CCTV system. For example we do not use automated decision making in relation to your personal data in our CCTV system. However some have no conditions attached, so your right to withdraw consent or object to processing for direct marketing are absolute rights.

There is no legal, contractual or other requirement or obligation for you to provide our CCTV system with your personal information.

More information about your legal rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-the-public/.

To exercise any of the above rights, or if you have any questions relating to your rights, please contact us by using the details set out in the “Contacting us” section below.

If you are unhappy with the way we are using your personal information you can also complain to the UK Information Commissioner’s Office or your local data protection regulator in the European Union if you are based outside the UK or bring a claim in the courts. However we are here to help and would encourage you to contact us to resolve your complaint first.

  1. Changes to this notice

We may update this privacy notice from time to time. You are encouraged to regularly check for any updated version of this privacy notice.

  1. Contacting us

In the event of any query or complaint in connection with the personal information we hold about you or if you would like more information about or to exercise your rights, you can contact our Data Protection Officer. Please email dpo@gateleyplc.com or write to us at:

Data Protection Officer
One Eleven, Edmund Street,
Birmingham B3 2HJ