IWI Associates has always taken data protection seriously. The company has been registered as a data controller with the Information Commissioner’s Office since 30 November 2001 under registration reference Z613580X.
With the introduction of the General Data Protection Regulation (GDPR) (EU) 2016/679, IWI Associates has taken the opportunity to publish a formal privacy polic
IWI Associates is an international micro business which provides education, training and consultancy services to clients across the European Union and beyond.
For the majority of our projects or assignments, our client is the data controller and we are the data processor. Such clients are based both inside and outside the EU. In other cases we are the data controller and our client is based in the United Kingdom. In either case, we make sure to comply with the applicable data protection laws and policies, including the GDPR.
We obtain personal data when you engage us to deliver our services, participate in our projects or assignments and/or when you use our website, email or social media.
Where our client is the data controller, the personal data we process might include your names, addresses, job titles, telephone numbers and email addresses.
Where we are the data controller, the personal data we process might additionally include your passport and bank account details.
We process personal data to enable us to provide education, training and consultancy to and on behalf of our clients, to promote our services, to maintain our own accounts and records, to comply with our legal obligations and to support and manage our employees and associates.
The lawful bases on which we rely for such use are contract, legal obligations legitimate interests.
The majority of our work is undertaken on the basis of a formal written contract or a purchase order with written terms and conditions. In such cases, we control or process personal data to comply with our contractual obligations.
We may be required by legislation, other regulatory requirements and/or our insurers to retain personal data for up to seven years after the end of a contract.
Our data control or processing is generally not required by law but is of clear benefit to ourselves, our clients and the participants in our projects or assignments. Given the type of personal data we collect or process, the privacy impact on individuals is limited and the individuals concerned should reasonably expect us to use the data in that way.
We will not sell or rent your personal data to any third parties. We will not share your personal data with third parties for marketing purposes.
We may pass your personal data to third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you or on our clients on our behalf. In relation to such third parties with whom we share your personal data, we may need to transfer your personal data to support clients located outside the European Union. Any such transfer of your personal data will be subject to adequate levels of protection that will safeguard your privacy rights.
We have in place security measures to prevent your personal data from being accidently lost, used, altered, disclosed, or accessed without authorisation. For example:
Computers and other devices which can access your personal data are protected by passwords and/or biometrics;
Paper documents are kept in locked filing cabinets in a locked office;
Paper documents which are no longer required are cross-cut shredded or disposed of using a commercial confidential waste service;
Computer storage devices which are no longer required are destroyed of using a commercial confidential waste service.
We use these only to provide anonymous information for Google analytics.
In order to process any of the requests listed below, we may need to verify your identity for your security. In such cases your response will be necessary for you to exercise this right.
You have the right to request a copy of the personal data that we hold about you. Once we have received your request we will respond within 30 days.
If the data we hold about you is out of date, incomplete or incorrect, you can inform us and we will ensure that it is updated.
If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold. When we receive your request, we will confirm whether the data has been deleted or tell you the reason why it cannot be deleted.
You have the right to request that we stop processing your data. Upon receiving the request, we will contact you to tell you if we are able to comply or if we have legitimate grounds to continue.
We seek to resolve directly all complaints about how we handle your personal data, but you also have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/.