Privacy policy
IWI Associates has always taken data protection seriously. The company has been registered as a data controller with the Information Commissioner’s Office since 30 November 2001 under registration reference Z613580X.
With the introduction of the General Data Protection Regulation (GDPR) (EU) 2016/679, IWI Associates has taken the opportunity to publish a formal privacy policy.
Our role
IWI Associates is an international micro business which provides education, training and consultancy services to clients across the European Union and beyond.
For the majority of our projects or assignments, our client is the data controller and we are the data processor. Such clients are based both inside and outside the EU. In other cases we are the data controller and our client is based in the United Kingdom. In either case, we make sure to comply with the applicable data protection laws and policies, including the GDPR.
How do we collect personal data?
We obtain personal data when you engage us to deliver our services, participate in our projects or assignments and/or when you use our website, email or social media.
What type of personal data do we collect?
Where our client is the data controller, the personal data we process might include your names, addresses, job titles, telephone numbers and email addresses.
Where we are the data controller, the personal data we process might additionally include your passport and bank account details.
How do we use personal data?
We process personal data to enable us to provide education, training and consultancy to and on behalf of our clients, to promote our services, to maintain our own accounts and records, to comply with our legal obligations and to support and manage our employees and associates.
The lawful bases on which we rely for such use are contract, legal obligations legitimate interests.
Contract
The majority of our work is undertaken on the basis of a formal written contract or a purchase order with written terms and conditions. In such cases, we control or process personal data to comply with our contractual obligations.
Legal obligations
We may be required by legislation, other regulatory requirements and/or our insurers to retain personal data for up to seven years after the end of a contract.
Legitimate interests
Our data control or processing is generally not required by law but is of clear benefit to ourselves, our clients and the participants in our projects or assignments. Given the type of personal data we collect or process, the privacy impact on individuals is limited and the individuals concerned should reasonably expect us to use the data in that way.
Third parties
We will not sell or rent your personal data to any third parties. We will not share your personal data with third parties for marketing purposes.
We may pass your personal data to third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you or on our clients on our behalf. In relation to such third parties with whom we share your personal data, we may need to transfer your personal data to support clients located outside the European Union. Any such transfer of your personal data will be subject to adequate levels of protection that will safeguard your privacy rights.
Information security
We have in place security measures to prevent your personal data from being accidently lost, used, altered, disclosed, or accessed without authorisation. For example:
- Computers and other devices which can access your personal data are protected by passwords and/or biometrics;
- Paper documents are kept in locked filing cabinets in a locked office;
- Paper documents which are no longer required are cross-cut shredded or disposed of using a commercial confidential waste service;
- Computer storage devices which are no longer required are destroyed of using a commercial confidential waste service.
Cookies and tags
We use these only to provide anonymous information for Google analytics.
Your rights
In order to process any of the requests listed below, we may need to verify your identity for your security. In such cases your response will be necessary for you to exercise this right.
The right to access information we hold about you
You have the right to request a copy of the personal data that we hold about you. Once we have received your request we will respond within 30 days.
The right to correct and update the information we hold about you
If the data we hold about you is out of date, incomplete or incorrect, you can inform us and we will ensure that it is updated.
The right to have your information erased
If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold. When we receive your request, we will confirm whether the data has been deleted or tell you the reason why it cannot be deleted.
The right to object to processing of your data
You have the right to request that we stop processing your data. Upon receiving the request, we will contact you to tell you if we are able to comply or if we have legitimate grounds to continue.
Complaints
We seek to resolve directly all complaints about how we handle your personal data, but you also have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/.