
Here at Waterstons* we take our responsibilities to protect your privacy very seriously and recognise our responsibility to handle, manage and secure your data appropriately and legally. We operate in compliance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (UK) and the Australian Privacy Act 1988 and EU GDPR where it applies to our processing activities.

Waterstons are the Data Controller for the personal data we collect about our clients and their employees, potential new employees, seminar attendees and mailing list subscribers; and we are the processor for our Project, managed services, service desk or hosting clients’ data. This privacy statement explains what you can expect when Waterstons collects and processes your personal information.

*Waterstons is made up of Waterstons Ltd (UK) and Waterstons PTY Ltd (Australia)

Summary

Want More Detail?

To see more about how we use your personal data, read the section or sections which apply best to your relationship with us:

Lead Supervisory Authority & Registration

Waterstons’ Lead Supervisory Authority is the UK Information Commissioner’s Office (ICO) and our ICO registration number is Z6192161.

Your Rights

You have the following rights regarding your privacy and your personal data:

  • To be informed and understand how your data will be used, secured and managed.
  • To access the personal data we hold about you and understand how we process it.
  • To have your data kept accurate and up to date and to be disposed of securely when no longer required.
  • In some circumstances, to restrict our processing of your data, and/or to request we erase your personal data where this is appropriate.
  • To object to our processing or withdraw previously given consent.

Not all rights will apply to all processing; however, if you want to exercise any of these rights, please just contact us.

If you have concerns or a complaint about how we handle your data, please contact us and we will try to resolve the issue. If you remain unhappy with how we have resolved your concern or complaint you have the right to contact the UK Information Commissioner's Office for an independent review.

Contact Us

If you have any questions or concerns about this Privacy Statement or how we handle your personal data, please contact us.

Changes to this Privacy Statement

We keep our privacy statement under regular review. This privacy statement was last updated on 16th August 2021.

Information Security

At Waterstons we take security seriously and are ISO 27001:2013, Cyber Essentials and Cyber Essentials Plus certified, and committed to Information Security best practice. Waterstons will store, process and transmit (when necessary) your information securely; we will do this using encryption and recognised appropriate security controls. We will ensure our employees respect your data and your privacy, and when no longer required we will dispose of your data in a secure manner using recognised deletion and sanitisation techniques, crosscut shredding or appropriately due diligence checked disposal contractors.

Our preference is to use Transport Layer Security (TLS) to secure email communications using encryption; however, we recognise some of you may not. We therefore run opportunistic TLS, meaning if you also use it our communications will be encrypted and secure by default. But if you don’t, communications will continue but they will not be encrypted and may not be entirely secure when passing over the internet. If you want to protect all emails and attached documents you send to us, we encourage you to set up opportunistic TLS also.

However, we will exchange particularly sensitive, technical, security or bulk data with you via alternative secure encrypted methods such as Liquid Files and Microsoft Teams.

Phone calls are not encrypted or recorded; however, when we call you we collect Calling Line Identification (CLI) information. We use this information to help improve efficiency and effectiveness as well as for service desk reporting and troubleshooting performance issues. This information is retained for a maximum of 90 days.

If you have particular security requirements or questions, please contact us to discuss how we can support you.

Retention

Data about clients: duration of your relationship with us, then 7 years.

Financial Data: is kept for a minimum of 7 years or, if it relates to a client, then the above retention will apply.

Unsuccessful Job Applicant Data: is kept for 12 months and then securely disposed of with the exception of minimal information so we can track that you have previously applied.

Visitor and CCTV Data: is kept for 60 days then may be anonymised for statistical reporting after which.

Further detail on specific retention periods can be provided on request and details of related security can be seen in the Security section of this statement.

Third parties

We will not transfer your personal data to third parties for their use or purpose outside what we declare in this statement without your permission, except in the following circumstances:

  • If required to by law or court order
  • For COVID19 Contact tracing requirements.
  • If you do not pay your bills, we may choose to engage a third party to recover any money you owe us. We've never done this, but we want to keep this option open to us.

However, we do have a small number of companies providing services to us and they may process your data on our behalf:

  • Telehouse & Pulsant Group (Datacentre Providers)
  • Microsoft O365 & Azure (in EEA)
  • AWS (in EEA)
  • Iron Mountain (Offsite Backup Storage in UK)
  • Restore DataShred (Secure Paper Disposal in UK)
  • Fluid (Public Website Hosting in the UK)
  • Gooding & Partners (Auditors in Australia)
  • RMT (Auditors in UK)
  • Muckles LLP (Legal Partners in UK) and other legal partners as necessary in the UK and Australia
  • Google (Website Analytics, Maps and non-personal data website services)
  • Hiscox Insurance and connected legal representation and their related partners
  • Restore PLC (Offsite Document Storage in UK)
  • BreezyHR (Hosted Recruitment Management hosted in the USA)
  • Envoy (Visitor Management System hosted in the USA)
  • Skykick (Backup integration service in the EEA)
  • FreshService/FreshChat (Hosted Service Desk and live chat services hosted in the EEA)
  • Ciphr (Hosted HR/Recruitment services hosted in the EEA)
  • Mailjet (Email mailing service - Hosted in the USA)
  • Giant (Employee BPSS Vetting Service – Hosted in the EEA)
  • Clip Training (Hosted Video training hosted in the USA)
  • Eventbrite (Event booking services)
  • Alienvault (Security monitoring services in the EEA)
  • Cleantalk (Website spam filtering services)
  • Hubspot (Providing Australian website contact us enquiries capture)
  • Telephony service providers (Basic call data only)
  • Vimeo (Video hosting services)
  • LinkedIn (Marketing Services)

Data held or processed outside the UK

Some data we hold and process is outside the UK or EEA, with carefully selected partners. We only do this with countries of adequate equivalent laws/provisions or appropriate legal (UK GDPR Model Clauses) agreements and extensive due diligence to ensure we provide the best secure services.

As we operate from Australia also, we have a sharing agreement applying all our policies, procedures and training to the Australian arm of our business and a restricted transfer agreement to ensure your data is appropriately handled and managed. This enables us to provide you with a seamless secure Waterstons experience 24x7 365 if required with the peace of mind your data is all handled appropriately and in compliance with GDPR and other related legislation.

Visitors to our websites

What we hold

We generate log files from various servers; this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.

If you choose to use our contact us page or another page for more information, or you register for an event, we will also gather your name and contact details so we can respond to you or keep you informed. You can of course opt out at any time by letting us know. In this case your information may be processed by our website hosting provider, MailChimp or Eventbrite on our behalf. Please also be aware our Australian Contact us page is powered by Hubspot. All information entered into our contact us pages may be screened for spam by Cleantalk.

If you choose to enter into a Live chat with us, any data you enter will be processed by Waterstons and our third party service provider FreshChat on their platform under contract to Waterstons.

Using your information

Dealing with enquiries

If you have requested information via our website e.g. Our ‘Contact Us Page’, we will follow up on your enquiry and see if there is a way in which we can help you.

We keep a record of enquiries received, to help us plan our business strategy and check that we are offering what potential clients want. We may also use your contact details to inform you of related products or services you may be interested in, however you can opt out at any time.

GDPR Legal Basis for processing:

  • Art. 6(a) Consent if you have asked us to provide you with information on a product and service and provided us with your details.
  • Art. 6(f) Legitimate interests of Waterstons to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information, we may send you information about related products and services we offer or a token of our appreciation (Marketing); however, you can object to this at any time, and we will add you to our suppression list and cease sending you such Marketing Communications.

Providing Information & Training Services

If you use our websites to access training or information, we may gather a small amount of information to manage your experience and track your progress or performance.

For clients and prospective clients, we may send you the Waterstons newsletter. As a recipient of our newsletter, we will process your email address, name and role in your organisation. We may analyse the topics that interest you to ensure we provide interesting and relevant information in future and to see where we could potentially help you; we may also invite you to related events or send you items to complement our events or just to be nice.

GDPR Legal Basis for processing:

  • Art. 6(a) Consent if you have chosen to access training services or opted to receive our newsletter.
  • Art. 6(b) Contractual if you have contracted with us for the provision of services.
  • Art. 6(f) Legitimate interests of Waterstons to look after our customers and potential customers and to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information, we may send you information about related products, services or events we offer (Marketing) or tokens of our thanks; however, you can object to this at any time, and we will add you to our suppression list and cease sending you such Marketing Communications. We will also rely on legitimate interest to manage your streamlined experience using our websites to ensure you can track progress with training and deliver a better more tailored service to our clients.

Technical data

We may use the logs from our servers to help maintain our security, as well as to determine website visitor behaviour and help us plan our business strategy. This helps us tailor our services and ensure they are relevant to our prospective clients’ needs.

GDPR Legal Basis for processing:

  • Art. 6(f): Legitimate interests where it is in the business interests of Waterstons to gather data to aid business strategy planning.

Security and performance

Waterstons uses a third party service to help maintain the security and performance of the Waterstons website, as well as to determine website visitor behaviour and help us plan our business strategy. This helps us tailor our services and ensure they are relevant to our prospective clients’ needs. To deliver this service it processes the IP addresses of visitors to the Waterstons website.

Use of cookies by Waterstons

When someone visits Waterstons websites we use a variety of cookies to understand the use of the site, our engagement with you and to improve your experience as well as for security and performance of our websites.

Some of our third party service providers (e.g. Mailchimp (Mailjet), Eventbrite, Google, Hubspot etc.) may also use cookies linked from our site to manage your interaction. You can read more about how we use cookies or our partners’ cookies and privacy on our Cookie Notice.

GDPR Legal Basis for processing:

  • Art. 6(f): Legitimate interests where it is in the business interests of Waterstons to secure our IT infrastructure, improve the services we offer, provide interaction with our customers and gather data to aid business strategy planning and to understand our potential customers’ interests.

People who use our Services

What data we hold

As our client we will hold the following information about you:

  • Names, job roles and contact information of your employees
  • Information about your business activities and in some cases your clients / customers
  • Information and documents about your matters or enquiries, including communications with you
  • Billing and payment information

Using your information

Providing you consultancy services, managed services, hosting or products

We use the information we hold about you and your business to provide the best service we can, to communicate with you regarding projects, products or services we are providing or to inform you of other related products, services or events you may be interested in.

We also use your information to bill you and keep track of payments.

Waterstons Ltd (UK) and Waterstons PTY Ltd (Australia) share all information and systems. Please be assured all security and privacy policies apply to both arms of the business and appropriate sharing and restricted transfer agreements are in place. This enables us to provide a seamless service, particularly to our 24/7 Service Desk clients but also other projects.

GDPR Legal Basis for processing:

  • Art. 6(a) Consent if you have asked us to provide you with information on upcoming events and related news via our mailing list.
  • Art. 6(b) Contractual requirement to fulfil our contracts with you and communicate with you regarding that contract.
  • Art 6(f) Legitimate interests of Waterstons to generate business by maintaining contacts, generating proposals and communicating with clients regarding their requirements and making you aware of other related products, services or events you may be interested in (Marketing); however, you can object to this at any time, and we will add you to our suppression list and cease sending you such Marketing Communications. You may still receive service communications. If the need arises, we may also rely on legitimate interests for the recovery of unpaid debts.

Technical data

We may use the logs from our servers to assist in our firm's security, as well as to determine website visitor behaviour and help us plan our business strategy. This helps us tailor our services and ensure they are relevant to our prospective clients’ needs.

GDPR Legal Basis for processing:

  • Art. 6(f): Legitimate interests where it is in the business interests of Waterstons to gather data to aid business strategy planning and ensure our systems are protected.

Prospective Clients

What data we hold

If you contact us, we will hold the following information about you:

  • Your name, role and contact information
  • Information about your business activities
  • Information and documents about your enquiries, including communications with you

We also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.

Using your information

Providing advice and information regarding our products and services

We use the information we hold about you and your business to provide the best service we can, to communicate with you regarding services you may be interested in and to inform you of other related products or services you may be interested in.

GDPR Legal Basis for processing

  • Art. 6(a) Consent if you have asked us to provide you with information on upcoming events and related news via our mailing list.
  • Art 6(f) Legitimate interests of Waterstons to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information, we may send you information about related products, services or events we offer or to send you items related to our events or to be nice, however you can opt out at any time.

Dealing with enquiries

If you give us a ring or make contact by email, we will follow up on your enquiry and see if there is a way in which we can help you. We keep a record of enquiries received, to help us plan our business strategy and check that we are offering what potential clients want.

GDPR Legal Basis for processing

  • Art 6(f) Legitimate interests of Waterstons to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information, we may send you information about related products, services or events we offer, however you can object to this at any time, and we will add you to our suppression list and cease sending you such Marketing Communications.

Technical data

We may use the logs from our servers to assist in our firm's security, as well as to determine website visitor behaviour and help us plan our business strategy. This helps us tailor our services and ensure they are relevant to our prospective clients’ needs.

GDPR Legal Basis for processing:

  • Art. 6(f): Legitimate interests where it is in the business interests of Waterstons to gather data to aid business strategy planning and ensure our systems are protected.

Potential Employees

What data we hold

If you contact us to apply for employment, we will hold the following information about you:

  • Your name and contact information
  • Resume including qualifications, education and previous experience and employers and your referees’ contact details, as well as anything else you choose to tell us.

If you submit electronically, we may also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.

Using your information

Considering your application for Employment

We will use your resume or any information you or a recruitment agency provide to us to consider you for employment. If you are unsuccessful, we will retain this information for 12 months after the recruitment exercise has ended and then it will be securely destroyed, with the exception of minimal information to identify that you have previously applied. If you are employed, this information will become part of your personnel file.

GDPR Legal Basis for processing

  • Art. 6(a) Consent if you have applied for employment, we will use these to consider your application.
  • Art 6(f) Legitimate interests of Waterstons to securely and fairly manage recruitment to ensure we employ the right people, and we will use your details to make the appropriate checks.

ID Vetting checks

If you are offered a job, we will need to carry out verification checks on you. This is carried out via our provider Giant under contract, on their systems and then reports will be passed back to Waterstons.

We retain identity verification information for as long as you are an employee.

GDPR Legal Basis for processing:

  • Art. 6(a) Consent for external vetting checks.
  • Art. 6(c): Legal obligation where we have to do this processing to comply with legal and regulatory obligations relating to your right to work in the UK.
  • Art 6(f): Legitimate interests where it is in Waterstons’ interests to ensure prospective employees are appropriately vetted.

Technical data

We may use the logs from our servers to assist in our firm's security, as well as to determine website visitor behaviour and help us plan our business strategy. This helps us tailor our services and ensure they are relevant to our prospective clients’ needs.

GDPR Legal Basis for processing:

  • Art. 6(f): Legitimate interests where it is in the business interests of Waterstons to gather data to aid business strategy planning and ensure our systems are protected.

Visitors to Our Offices

What data we hold

If you visit our offices, we will hold the following information about you:

  • Your name, identity and contact information
  • Date & time of your visit
  • Health screening questions as part of COVIDSafe procedures or accessibility requirements.
  • Information about your business activities
  • Information and documents about your enquiries, including communications with you
  • Your Image (on CCTV) including date and time of visit

Our visitors’ system is hosted by our service provider Envoy in the USA under contract, GDPR Model Clauses Agreement and appropriate Due Diligence. Data will only be retained for 60 Days for contact tracing and will then be anonymised.

Using your information

We use the information we hold about you and your business to manage visitors to our offices for security, safety and possible investigative purposes.

GDPR Legal Basis for processing

  • Art 6(c) Legal Requirement for Government COVID Contact Tracing.
  • Art 6(f) Legitimate interests of Waterstons to maintain the security of our buildings and information and systems within and the safety of our employees and visitors and in compliance with our ISO 27001 Information Security requirements.