General Data Protection Regulation 2018 Privacy Notice
JSS Training Services (Scotland) Ltd Privacy Notice
About this Privacy Notice and our role
This privacy notice provides information about the different types of personal data that we collect and the ways in which we use it. It applies to all those who interact with us online through our website (https://jsstraining.co.uk) (our “Site”) and to JSS Training Services (Scotland) Ltd customers. JSS Training is the trading name for JSS Training Services (Scotland) Ltd, who is the data controller in respect of any such personal data.
As a data controller, we are committed to protecting your privacy at all times in accordance with all applicable laws and regulations governing the use or processing of personal data, including (where applicable) the General Data Protection Regulation (“GDPR”) and any subsequent data protection legislation, whichever is in force in the UK at the relevant time.
What personal information we collect, when we collect it and how we use it?
(a) Information we collect
We also collect, use and share aggregated data such as statistical or demographic data. For example, we may aggregate the data about your usage of our Site with similar data of other users to calculate the percentage of users accessing a specific feature of our Site. Such information will enable us to understand, in general terms, user preferences in relation to the content of our Site and the effectiveness of the advertising. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.
(b) Information you give to us
We will collect your first name, last name, email address and telephone number when you make an enquiry, whether via our Site or by telephone. We need to collect this information in order to respond to your enquiry. We will also keep records of our interactions, for example for training purposes. When you book one of our courses, we will collect further personal information from you, such as your address, Full Name, Email, Contact Numbers, National Insurance Number, Unique Learner Number, Date of Birth, Previous qualifications details, photograph, and employer details which we will need in order to consider and process your application, and to communicate with you in connection with your course. During your registration process we will also ask for your payment card or bank details, which we will use to process payments. Further information will be generated during your course, such as your progress and performance records, and information about your certification, which we need to collect and retain in connection with our role as a training provider. We use Google Forms as a research tool and to collect feedback from our customers. From time to time we may ask you to complete a survey and any information provided by you in response to our survey will be used by us to monitor the quality and improve our services, as well as to inform our marketing efforts. We also use Google Forms to collect bespoke training requirements. Whilst this is mainly used to collect information from businesses about their training requirements, it may contain a limited about of personal data provided by the person completing the form. We use such information to develop our course offering.
(c) Information we obtain indirectly
Your personal information may be shared with us by third parties. For instance we may receive it from your employer, if your course is arranged by your employer.
We may receive personal information about you from credit reference agencies if you purchase our courses on finance. We may also receive personal data about you from various other third parties, such as from our analytics providers (Google analytics), advertising networks and social networking sites (only if you interact with us on such sites).
(d) Special categories of data
Data protection law recognises certain categories of personal information as sensitive and therefore requiring more protection. These categories of data include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
We do not anticipate collecting any special categories of data via our Site. However, we may collect and/or use special categories of data in connection with the provision of our courses, for example in order to make adjustments for any disabilities or dietary requirements you may have. We may also collect ethnicity data from you (should you choose to provide it) to identify and keep under review the existence or absence of equality of opportunity or treatment. We will only process these special categories of data if there is a valid reason for doing so and where the data protection laws allow us to do so.
(e) Other purposes
In addition to the purposes mentioned above, we will also process your personal information to manage our business, including for accounting and auditing purposes, to conduct our regular reporting activities on the performance of our company, including in the context of a business reorganisation or group restructure, to maintain our IT systems, to deal with legal disputes involving you, our agents and/or our suppliers, and to comply with our legal obligations. We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
(f) If you do not wish to provide any personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you (or your employer) and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to enrol you on one of our courses). In this case, we may have to cancel your order but we will notify you if this is the case at the time.
(g) Children’s data
Our courses are not available to candidates under 18 years of age and so, if you are under 18, you must not use our Site or provide any personal information to us without the express consent of your parent or guardian.
We may use some of your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which of our offers may be relevant for you (we call this marketing).
We operate an opt-in policy for individuals. This means we will not send you any marketing information unless you have requested to receive e-mail, text, sms, post or social media messages from us.
You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product purchase, warranty registration, product experience or other transactions.
For legal entities, such as companies, limited liability partnerships and other incorporated organisations, we operate, in compliance with the relevant data protection laws, an ‘opt-out’ policy. This means that we will continue to contact such businesses with news and information of our services until we are informed that this communication is no longer required.
We are required to rely on one or more lawful grounds to collect and use the personal information that we have outlined above. The following are applicable, depending on the context:
Where it is necessary for us to process your personal information in order to perform a contract to which you are a party (or to take steps at your request prior to entering a contract), for example to provide our training services to you.
We rely on this basis where applicable law allows us to collect and use personal information for our legitimate interests and the use of your personal information is fair, balanced, and does not unduly impact your rights. For instance, it is in our legitimate interest to process personal data of any person who contacts us with an enquiry, in order to respond to such enquiry, or process data for the purposes connected with the administration of our business, for developing our business strategy and monitoring the performance of our business.
Generally we do not rely on consent as a legal basis for processing personal data other than in relation to certain direct marketing activities.
Where the processing of your personal information is necessary for us to comply with a legal obligation to which we are subject.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Sharing your personal data
We will not sell, rent or lease your personal information to others. We do not share your personal information with third parties for marketing purposes.
We will only share personal information we collect from you with:
• UK Certification Ltd to the extent necessary in connection with exam registration; • Learner Registration Service (for a ULM number required for QCF qualifications); • our agents and service providers (such as MailChimp, Google Forms, Student Management System); • your employer, if your course has been arranged for you by your employer; • credit reference agency and/or finance provider (if you purchase our course(s) on finance); • to persons or bodies contracted by us to carry out the roles of examiner, marker, advisor, tutor, consultant, representative or other similar roles on our behalf in the context of our provision of courses; • the service providers we engage to process results data and produce qualification certificates on our behalf; • our regulators, including Ofqual and the Information Commissioner’s Office; • our marketing automation tool service providers (such as MailChimp), for the purpose of managing email lists and issuing communications on our behalf; and • if you have specifically consented to us sharing your personal data with a named third party
We may also need to share your personal information for auditing purposes, with our advisers, if we are under any legal obligations or in connection with any legal proceedings, in order to establish, exercise or defend our legal rights.
We require third parties to respect the security of your data and to treat it in accordance with the law. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We are aware that certain countries outside the UK or European Economic Area (EEA) have a lower standard of protection for personal information, including security protections.
We do not currently transfer and store any personal data outside the EEA. If in the future we decide to use suppliers based outside the EEA or who would require transfer of personal data outside the EEA, we will do so only if we can be satisfied that the recipient implements appropriate safeguards (as required by UK data protection laws) designed to protect your personal information.
Keeping your data secure
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Any payment transaction will be encrypted.
How long do we keep your personal information?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, regulatory or reporting requirements. For example, by law, we are required to keep basic information about our customers for tax purposes (including contact details, identity and transaction information) for six years after they cease being our customers. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Once you are no longer our customer, we will retain and securely destroy most of your personal information in accordance with applicable laws and regulations. However, we will need to retain any information necessary to verify your qualifications/certification or to issue replacement certificates.
Rights and duties
Please inform us of changes
It is important that the personal information we hold about you is accurate and current. Please let us know if your personal information changes during your relationship with us.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a confirmation from us as to whether we process any of your personal information or not, and if this is the case, to receive a copy of such personal information and to check that we are lawfully processing it. • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. • Request erasure of your personal information (often referred to as “the right to be forgotten”). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it, or if we no longer need your data for our legitimate interests but we need to hold some of it for the purpose of legal proceedings. • Request the transfer of your personal information to another party.
If you would like to exercise any of the above rights, please:
• email, call or write to us (see our contact details below); • let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill). This is to allow us to verify your identity and prevent disclosure to unauthorised third parties; and • let us know the details of your request, for example by specifying the personal data you want to access, the information that is incorrect and the information with which it should be replaced.
Please note that if you request erasure, object to our processing of your personal data or request the restriction of our processing of your personal data we may not be able to provide our services in relation to your investments.
We will investigate any requests promptly and will endeavour to respond within 30 days.
Contact us or the ICO
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can also contact the ICO on 0303 123 1113. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to this Privacy Notice
From time to time we may update this Privacy Notice. When we do, we will publish the changes on our Site. If material changes are made to this Privacy Notice we will notify you by email or by placing a prominent notice on our Site.