Privacy Policy
INFORMATION ABOUT US:
We, We’ve Got The Key Limited is a company registered in England under number 13735698. We’re fully committed to protecting your personal information and registered with the Information Commissioners Office in the UK under registration number is ZB277656. This statement describes how we may collect and use personal information, which is consistent with our legal obligations and your legal rights. Please read this statement carefully.
GDPR principles
This Policy aims to ensure compliance with the EU Regulation 2016/679 General Data Protection Regulation (“GDPR”). The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:
- Processed for limited purposes and not in any way incompatible with those purposes
- Adequate, relevant and will not be excessive
- Accurate
- Not kept for longer than necessary
- Processed in accordance with your individual rights
- Secure
- Not transferred to countries without adequate data protection
Defining ‘personal data’
The General Data Protection Regulation (GDPR) is an EU Regulation (2016/679), that defines personal data as ‘any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier’. This means information that can identify who you are. Personal data that we collect or receive about you is set out below.
Information we collect or receive about you
So that we can provide a product or service and for any other related purposes, we’ll need to collect or receive data in relation to the various data subjects shown below.
| Data subjects | Type of data collected |
| Partnership and Suppliers | Contact name, address, contact telephone numbers, profession, industry, financial details, business name, company status, FCA status, Directorship details, email address, bank details |
| Customers | Full name, contact telephone number, email address, vehicle registration, home address, copy of V5C, vehicle insurance certificate, copy of photo ID |
| Employees, Contractors and Applicants | Full name, date of birth, full address, title, employment history, employer reference, bank details, NI number, copy passport, medical information, criminal convictions, nationality, email address, copy licence, next of kin details, credit information, details of sick leave, prescribed medication, disabilities, interview notes, CVs, application forms, performance reviews, salary information, disciplinary records, and grievances |
Cookies
We may also collect information relating to the user journey on our website, including users’ IP addresses, browser names, type of computer, etc. Some of this information is collected through cookies. Learn more about how we use cookies in our Cookies Policy found on our website. For further information visit www.aboutcookies.org or www.allaboutcookies.org.
How your information is collected
We’ll collect or receive data from the various data subjects using the different channels shown below:
| Data subjects | Where data comes from |
| Partnership and Suppliers | During telephone calls, emails and letters, in person, when registering for our services, when using our website, from government agencies, regulatory bodies, fraud prevention agencies, credit reference agencies, social networks, introducers and insurance companies |
| Customers | During telephone calls, emails and letters, in person, when registering for our services, when using our website, via an API submission |
| Employees, Contractors and Applicants | Receiving application forms, when using our website, from online jobsites and recruitment agencies, from social networks, CVs, emails and letters, from interview notes, when conducting pre-employment checks, from HMRC, credit reference agencies, fraud prevention agencies, previous employer, performance reviews, remuneration, benefits and expenses, disciplinary and grievance matters, medical conditions through return to work interviews, details of sick leave, disabilities, prescribed medication, GP reports and occupational therapists |
We may also monitor or record our phone calls with you so that we can ensure we’ve acted on what you’ve asked us to do, resolve any queries or concerns you may have, comply with industry regulations and improve our customer service. We’ll continue to take steps in ensuring personal data collected, processed, and held by us is kept accurate and up-to-date and checked annually.
Who we share your information with
For us to process your data and fulfil our legal and contractual obligations, we’ll need to share your personal information with relevant organisations as shown below:
| Data subjects | Where data goes to |
| Partnership and Suppliers | Fraud prevention agencies, government bodies, customers, other partners and financial institutions |
| Customers | Our employees, sub-contractors, authorities, and selected third party companies |
| Employees, Contractors and Applicants | Future employers, government bodies, local and central authorities, third-party companies offering employee benefits, financial institutions, occupational therapist and if necessary, legal representatives |
We’ll continue to take steps in ensuring your personal data is safeguarded in accordance with our obligations and your rights, and that all relevant parties involved in handling data on our behalf, safeguard personal data as part of their contractual and legal obligations. In certain circumstances, we may be legally required to share your personal information held by us, for example complying with legal obligations or providing information to a governmental authority.
Transferring data
We’ll not transfer any of your personal information outside of the UK.
The legal grounds for processing your data
Your personal data will always have a lawful basis, either because:
- We’re processing your data under the authority of our Partners or;
- It’s necessary for our performance of a contract with you, or;
- You have consented to our use of your personal data for one or more specific reasons, or;
- We have a legal obligation to process your data, or;
- It’s in our legitimate business interests to use it
Specifically, we’ll use information we hold about you in the following ways:
| Data Subject | How we use your data | Legal basis for processing |
| Partners and Suppliers | To perform and receive services stated in our agreement with you | Contract |
| To comply with our legal and regulatory obligations | Legal obligation | |
| Determining our performance through surveys and offering additional services or products that may be of interest to you, either by email, phone and/or post where you have agreed to this. You may opt-out at any time by unsubscribing, or contacting us by phone, email or in writing | Consent | |
| Compiling statistics about the use of our site including data on traffic, usage patterns, user numbers, sales, and other information | Legitimate interests | |
| Assessing how well a particular industry sector is working | Legitimate interests | |
| Customers | Service level adherence, quality assurance, complaint monitoring | Contract |
| As part of the defence of a legal claim | Legitimate interests | |
| Using service providers to support our business so that they can provide services to us and/or to you on our behalf | Contract | |
| Determining our service delivery through surveys and offering additional services or products that may be of interest to you, either by email and/or post where you have agreed to this. You may opt-out at any time by unsubscribing, or contacting us by phone, email or in writing | Consent | |
| Using data for market research which will help in future proofing the business for change and developing new systems and/or products to suit consumer needs | Legitimate interests | |
| For fraud prevention, audit, compliance purposes, apprehending or prosecuting offenders | Legal obligations | |
| Investigating complaints | Legal obligations | |
| Updating you with changes to our terms and privacy statement | Legal obligations | |
| Employees, Contractors and Applicants | Due to the contractual relationship between you and us | Contract |
| To collect your data as part of your employment with us | Legal obligations | |
| For the provision of health and pensions schemes using third parties | Consent | |
| Determine our performance through surveys and offering additional services or products that may be of interest to you, either by email and/or post where you have agreed to this. You may opt-out at any time by unsubscribing, or contacting us by phone, email or in writing | Legitimate interests | |
| Updating you with changes to our terms and privacy statement | Legal obligations | |
| Sharing subjective data with medical professionals as part of attendance monitoring and used to assess the health, wellbeing, and welfare of employees and to highlight any issues which may require further investigation | Consent | |
| Sharing subjective data with medical professionals and/or understanding disabilities to facilitate adaptations in the workplace, and/or to ensuring special needs are catered for at interview or selection testing | Consent | |
| Sharing subjective data with government agencies when assessing the suitability of certain types of employment | Consent |
How long we keep your personal information
| Data subjects | Retained for |
| Partners and Suppliers | We won’t keep your personal data for any longer than is necessary to fulfil the contractual obligation and will only keep it for longer when it is required by law |
| Customers | Data will be retained in accordance with our data retention policy and will be kept for a minimum of 7 years, or for an unlimited period if required for legal or regulatory reasons |
| Employees, Contractors and Applicants | We do not keep your personal data for any longer than is necessary to fulfil the contractual obligation and will only keep it for longer when it is required by law |
The rights you have regarding your personal information
As a data subject, you have the following rights under the General Data Protection Regulation:
- You have the right to be informed on how we hold and deal with your personal information and this Privacy Statement fulfils that obligation. Our Partners will also have the responsibility of providing you with their Privacy Statements, informing you how your data will be shared with ourselves and how we’ll process your data.
- If you’re a Partner, Supplier, Employee, Contractor or Applicant, you have the right to ask for a copy of personal information we hold about you or ask for your information to be corrected. If you’re a customer of one of our Partners e.g. you’ve purchased an insurance policy from a broker or insurer, you’ll need to refer to their Privacy Statement and exercise your rights directly with them. However, we will always keep our Partners informed if we’ve received a request direct.
- You can also ask us to delete the information we hold about you, prevent us from processing your information and object to us processing your information (withdraw consent). Please note, these rights may not apply where our basis for processing is by legal or contractual obligations.
If you require more information about your rights, or would like to exercise them, please contact us using the following details:
| For the attention of: | Mariam Gbadamosi (Data Protection Officer) |
| Email: | mariamgbadamosi@wgtk.co.uk |
| Phone: | 01603 367 100 |
| Address: | Speed Medical House, Matrix Park, Chorley, Lancashire, England, PR7 7NA. |
Please refer to the section below ‘Accessing your personal data’, for more information on exercising this right.
Accessing your personal data
This Privacy Statement explains the type of personal data we hold about you and you can ask us for a copy of your personal data at any time. This is known as a “subject access request” (“SARs”).
When making a subject access request, this should be made in writing for the attention of the Data Protection Officer, either by email or by post to the details shown in the ‘The rights you have regarding your personal information’ section above.
Normally, we do not charge for a subject access request, however if you make repetitive requests, we may charge a fee to cover our administrative costs in responding.
We’ll aim to reply to your request within one month of receiving it and try to provide you with a copy of your personal data within this timeframe. However, in instances where we receive complex subject access requests, we may need more time to gather the information for you and this may take up to a maximum of two months from the date we receive your request. You’ll be kept fully informed of our progress.
Data Protection Impact Assessments
We’ll carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data and will be overseen by the Data Protection Officer who will address the following:
- The type(s) of personal data that will be collected, held, and processed;
- The reason for processing;
- How this data will be used;
- The parties (internal and/or external) who are to be consulted;
- Whether it is necessary to collect, hold and process this data;
- Risks posed to both to our firm and the data subject; and
- Proposed measures to minimise and handle identified risks
Complaints
If you feel unhappy with the way we’ve handled your personal information, please give us the opportunity to put matters right and contact us by phone, email or in writing.
| For the attention of: | Mariam Gbadamosi (Data Protection Officer) |
| Email: | mariamgbadamosi@wgtk.co.uk |
| Phone: | 01603 367 100 |
| Address: | Speed Medical House, Matrix Park, Chorley, Lancashire, England, PR7 7NA. |
If we’re unable to help, you also have the right to refer the matter to the Information Commissioners Office at: – Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or call: 0303 123 1113. Website: https://ico.org.uk.
How and where we store your data
Data security is very important to us, and we have physical, technological and organisational measures in place to protect your data to help prevent loss, theft and authorised access/use. Steps we take to secure and protect your data include:
- SFTP protocol that allows for the transfer of files over a secure connection;
- All data transferred via email is to be encrypted;
- Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;
- Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
- Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
- All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential”;
- All electronic copies of personal data should be stored securely using passwords and data encryption;
- All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;
- Personal data will not be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), without the formal written approval of the Data Protection Officer, and kept for no longer than is necessary;
- Personal data will not be transferred to any device personally belonging to an employee;
- Data will be backed up on a SQL server stored in the UK;
- Our claims management system and weblink include IP protection;
- Security and data protection policies are in place; and
- Regular staff training
We also require our Partners and Suppliers to ensure they keep up with safeguarding data and comply with all the required laws.
We only keep your personal data for as long as we need in order to use it as described in this Privacy Statement and for as long as we have your permission to keep it.
As part of our security and back up procedures, your data will only be stored in the UK.
Although we endeavour to provide standard security measures for information we process and maintain, no security system can prevent all potential security breaches.
If our business ownership changes
If our ownership changes in anyway, any personal information that you’ve provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Statement, be permitted to use that data only for the same purposes for which it was originally collected by us.
Information on how you can control your data
We want to ensure that you can control our use of your data for direct marketing purposes. You’ll have the option to opt-out of receiving emails by using the unsubscribe links provided, or by contacting us by email, in writing or by phone.
You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service (“the TPS”), the Corporate Telephone Preference Service (“the CTPS”), and the Mailing Preference Service (“the MPS”).
These may help to prevent you receiving unsolicited marketing. Please note that these services will not prevent you from receiving marketing communications that you have consented to receiving.
Changes to our Privacy Statement
We may change this Privacy Statement from time to time (for example, if the law changes or if we change our business in a way that affects personal data protection). Any changes will be immediately posted on our website, and you will be deemed to have accepted the terms of the Privacy Statement on your first use of our website following the alterations. We recommend that you check our website regularly to keep up to date. This notice was last updated on 07/12/2021.
