Our Privacy Statement.

Your personal information is collected and processed by GB3 Limited. The protection and integrity of your personal data is very important to us.

Company Registration.

Our company registration details are:

GB3 Limited is a company incorporated in England and Wales.

Registration number 05147753,

Registered office:The Root House Clifton Fields, Lytham Road, Preston, Lancashire, PR4 0XG

Information Commissioner Registration.

GB3 Limited is registered as a data controller with the Information Commissioner’s Office. The data controller registration details are:

Data Controller Name: GB3 Limited

Registration Number: Z1153390

Date Registered: 17 December 2007

Data Protection Office.

Post: The Root House, Clifton Fields, Preston, Lancashire, PR4 0XG

Email: dataprotection@gb3.co.uk

Telephone: 01772 851110

This Policy has been adopted by GB3 Limited (“GB3”).

In this Policy, “we”, “us” or “our” refers to GB3 Limited, or any organisation or brand belonging to GB3 Limited, as appropriate.

We are committed to safeguarding your personal data. This Policy describes how we collect, use, disclose and process your personal data, and applies to personal data we collect about you.

This Policy supplements but does not supersede or replace any other consents you may have provided to us, or any other agreements or arrangements that you may have with us, in respect of your personal data.

Data protection and privacy is ever changing and enhancing the rights of our customers, employees and partners. As such, we review our uses of personal data and may amend this Policy from time to time to reflect changes in applicable laws, improvements in data security or the way we handle personal data. Any updated Policy will supersede earlier versions and will apply to personal data provided to us previously.

You are encouraged to re-visit our Policy from time to time so that you are aware of our culture of privacy and relevant updates we have made to our Policy.

What is personal data?
Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

You can voluntarily provide us your personal data.
We collect personal data that you voluntarily provide to us. The personal data we collect will often depend on the purposes for which the personal data are collected and what you have chosen to provide.
You always have the choice not to provide us with personal data. If you have provided your consent for us to process your personal data, you also have the right to withdraw your consent by contacting our Data Protection Office. However, if you do so, it may not be possible for us to fulfil the specific purposes for which we were given consent, including processing your transactions or providing you with the products and services you requested.

You may choose to give us personal data belonging to others.
If you provide the personal data of anyone other than yourself (e.g. your colleagues, associates, agents, partners), you are responsible for informing him/her of the specific purposes for which we are collecting his/her personal data and to ensure that he/she has provided valid consent, where appropriate, for your provision of his/her personal data to us. There may be instances where providing these personal data are relevant for the performance of a contract between us, in which case, consent may not be necessary.

Accuracy and completeness of personal data.
It is important that the personal data we hold about you is accurate and up to date. We would ask you to inform us if there are any inaccuracies with the personal data that we have recorded about you and we will act to update your personal data as required.
In some situations, you will have the ability to update your own information (e.g. when using a customer account on our website. We see it as your responsibility to ensure that all personal data that you provide is accurate and complete, and to inform us of relevant changes to your personal data.

Personal data belonging to children.
Our website and our services are not specifically intended for children and we do not knowingly collect data relating to children. If you are under the age of 16, please obtain consent from your parent or guardian before you submit any personal data to us. If you are a parent or guardian of a minor and you have reason to believe your child or ward has provided us with their personal data without your prior consent, please contact us to request for erasure of their personal data or for the minor to be unsubscribed from our mailing lists.

We may collect, use, store and transfer different kinds of personal data about you which we have categorised as follows:

Identity Data.
Data specifically related to identity may include, first name, maiden name, last name, marital status, title, date of birth, national insurance details and other recognised official identity documents.

Contact Data.
The contact information of you and others could include, email addresses and telephone numbers, postal address details and social media handles.

Financial Data.
Whether you are a customer, supplier or an employee, we may process financial data including bank account information and payment details.

Technical Data.
In this technical age there’s quite a bit of technical data around, including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.

Usage Data.
Our website may give us information about how you use our website, products and services.

Marketing and Communications Data.
We make it our business to develop lasting relationships and to help with this we will be processing data about your preferences in receiving marketing from us and your communication preferences. But don’t worry, we’re not interested in bombarding you with marketing content, just timely and relevant information about services and products we care about and that are relevant to you.

Special Categories of Personal Data.
In the field of employment and for the purposes of assessing the working capabilities of our employees or agents, we will process special category personal data. There may be instances where other special categories of personal data are disclosed to us, but this is incidental and not part of an organised processing activity.

Data requiring special protection.
There may be instances where we process special category data for the specific purpose of safeguarding and our legal obligations to undertake criminal record checks through the Disclosure & Barring Service.

Personal data you voluntarily provide to us.
We collect personal data that is relevant to our relationship with you. Your personal data may be collected by us, directly or indirectly, for instance:

  • when you subscribe to our mailing lists;
  • when you participate in competitions, contests or games organised by us;
  • when you attend events or meetings organised by us, or conducted at our offices, for example, sales events, promotional and marketing events, training sessions and social events;
  • when your images are captured by us via CCTV cameras while you are within the properties that we use, or when photographs or videos of you are taken when you attend events, meetings or training sessions organised by us;
  • when you use our services or enter into transactions with us, or express an interest in doing so, including services, products and transactions which you utilise in-person or electronically;
  • when you communicate with us by telephone, email, via our website or through other communication channels, for example, through social media platforms;
  • when you submit an employment application to us or when you provide documents or information including your CV in connection with such applications; and/or
  • when you submit your personal data to us for any other reason.

Personal data that has been provided by others.
Depending on your relationship with us, we may also collect your personal data from third party sources, for example:

  • from our business partners such as consultancy firms, compliance organisations and other similar technology services businesses and third parties providing advertising, marketing, promotional services to us, where appropriate, and;
  • from your referees, educational organisations or previous employers (if you have applied to us for a job);
  • from your family members, friends or colleagues who provide your personal data to us on your behalf; and/or
  • from public agencies or other public sources.

Personal data that can be collected automatically.
As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. We’ve structured our website in a way that asks for your consent for certain cookies, we value your privacy and data rights. For more information about our use of cookies, please see our Cookie Policy.

External links on our website.
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Legal basis.
We will always have a legal basis for processing personal data and we have methodically assessed our purposes and legal bases. Here is a breakdown of our purposes and legal bases: –

Processing type Data category Our legal basis Specific purpose, safeguarding and the respect of individual’s data rights
Individual or small-group communication via email, post or telephone Contact data Contractual Obligation In order to fulfil the service, product or project that you have enquired about, where we have been contracted to fulfil a service, product or project and to facilitate our relationship with you, your business or colleagues. You can of course ask us not to contact you, but it’s likely to affect our ability to fulfil our obligations to you.
CRM system data capture, storage and analysis. Identity & Contact data Legitimate Interest We collect and store information about our engagements with customers, project plans and business opportunities which may include personal data belonging to staff, customers and other third parties. It is in our legitimate interest to process data in our CRM and project management systems to ensure the smooth operation of our business, effective planning and an efficient customer experience. You may request access to, rectification of or erasure of details we have stored on you.
Customer service tickets Identity, Contact, Financial, Technical & Usage data Contractual Obligation We collect, process and store information for the specific purpose of fulfilling our support services, which may include personal data belonging to staff, customers and other third parties. We process data in this way to ensure the smooth operation of our business, effective planning and to deliver a great customer experience. You may request access to, rectification of or erasure of details we have stored on you, where appropriate.
Training and other corporate events Identity, Contact, Special category health data Contractual Obligation / Consent The information you provide will be used to communicate with you about your attendance at the event and to follow-up on your experience post-event. The personal information we may process could include your name, job title and employer, address and phone number, email address, dietary requirements, access requirements. We will ask for your consent to process health related data.
Email marketing to other businesses Identity & Contact data Legitimate Interests Where we are looking to have, or we already have a business to business relationship with you or your organisation, we will look to provide you with interesting and relevant services, products and projects. You are more than welcome to opt out of receiving our marketing information by using the Unsubscribe feature in our emails or by contacting us.
Email marketing to consumers Identity & Contact data Consent Where we would like to let our customers know about our services, products or projects we will obtain the consent of those individuals. It’s important to make clear that consumers have the right to withdraw consent at any time or to opt out of direct marketing.
Postal marketing to businesses and consumers Identity & Contact data Legitimate Interest We only ever aim to provide customer or potential customers with well designed, relevant and interesting products and so our marketing material should be the same. We’re not fans of spam, so we won’t be spamming anyone with lots of unnecessary postal marketing material. Recipients may ‘opt-out’ of postal marketing via contact details provided. In any case we will make it our business to check the Mail Preference Services before undertaking marketing materials.
Telephone marketing to other businesses Identity & Contact data Legitimate Interest We’re not fans of nuisance phone calls, so we won’t be spamming anyone with lots of unnecessary calls. Recipients may ‘opt-out’ of telephone marketing by either letting our team members know or by contacting us at any point. In any case we will make it our business to check the Telephone Preference Services before undertaking marketing activities.
Promotional Images and film footage Identity Data Consent We may take photographs and / or video footage at our offices or an event we host, which could capture personal data of staff, customers, visitors and other third parties. We will always notify participants when a photographer or filmmaker is present at our offices or events. Written consent will always be obtained, and we will respect the wishes of anyone who signals their desire not to have their image taken and will always ask for consent where photos are to be published alongside a name or other personal identifier. You have the right to withdraw consent at any time or to opt out of this processing activity.
Collection/analysis of statistical information about website usage and other marketing engagement metrics. Technical & Usage data Legitimate Interest To manage and improve how people engage with our public-facing channels..
Sharing information with Companies House, Accountants, legal advisors, HMRC and Statutory authorities Identity, Contact, Financial & Special category data Legitimate Interest / Legal Obligation As a registered UK business, we are subject to UK company law and therefore have specific legal obligations. We process our accounts in accordance with UK law and therefore use external accountants, which is our legitimate interest, to submit our statutory accounting records. We are subject to audits and assessments from industry standard bodies and in the protection of our interests and to comply with UK law, we may be obligated to share information with the statutory authorities.
Undertaking DBS checks Identity, Contact data & data deserving special protection data Legal Obligation / Legitimate Interest Where a member of staff is to be placed within a customer that works with either children or adults at risk, we will undertake checks with the Disclosure Barring Service as is our legal obligation. There may also be a balanced and reasonable legitimate interest to conduct checks DBS checks on our wider team.
Administrative purposes Identity, Contact & Financial data Legitimate Interest We may disclose your personal data to third parties who provide services to us, including our service providers and data processors (providing services such as hosting and maintenance services, analysis services, e-mail messaging services, delivery services, handling of payment transactions, marketing, human resources, and professional services) and our consultants and professional advisors (such as accountants, compliance, lawyers, auditors).
Fulfil job roles and recruitment Identity, Contact, Special category health data Contractual Obligation / Legitimate Interest If you are a job seeker, in addition to the specific position which you have applied for, we may disclose your personal data to departments within GB3 for the purpose of offering additional employment opportunities.
Security and Safety Identity, Contact, Technical & Usage data Legal Obligation / Legitimate Interest We may process personal data for the specific purposes of security and safety. This is in connection with the buildings that we own and/or rent, or events organised by us or conducted at the buildings we own and/or use; and through the systems that we operate throughout the organisation.

Use permitted under applicable laws.
We may also collect, use, disclose and process your personal data, without your knowledge or consent, where this is required or permitted by law.

Using your personal data to contact you.
When we contact or send you information for the purposes described above, we may do so by post, e-mail, SMS, telephone or such other means provided by you. If you do not wish to receive any communication or information from us or wish to restrict the manner by which we may contact or send you information, you can let us know by contacting our Data Protection Office.

During the course of providing the services that you request from us, we may share your information with our processing partners, known as recipients, data processors and sub-processors.
When disclosing personal data to third parties, we will (where appropriate and permissible) enter into contracts with these third parties to protect your personal data in a manner that is consistent with all applicable laws and/or ensure that they only process your personal data in accordance with our instructions.
We commonly conduct due diligence with third party recipients around the areas of their data security protocols and data protection policies.

Recipients of your personal data
We may disclose your personal data for the purposes described in this Policy or as required or permitted by law, for example, to:

  • our third-party vendors and service providers, who are engaged to provide business, support, operational and/or administrative functions such as HR support, auditing, legal, marketing, website maintenance, payment, fulfilment and delivery of orders.
  • regulatory authorities, statutory bodies or public agencies, including to support their investigations.
  • credit reference agencies, debt collection and tracing agencies, financial organisations.

In the provision of our services to you we use data processors that are outside of the European Economic Area (EEA). Specifically, we use data processors based in the USA.
The General Data Protection Regulation has strict rules about data transfers to international organisations and we use approved data transfer mechanisms, including the EU–US Privacy Shield and employ data sharing agreements that utilise model clauses.
We take extra steps to ensure comprehensive due diligence of organisations that may receive your personal data.
If you would like any more information, please get in touch by contacting our Data Protection Office, details can be found at the start of this Privacy Notice.

The security of personal data is really important to us, and it has to be because data security is part of our business.

Information Security Management System (ISMS)
We have implemented a number of technical and operational measures, including the implementation of information security management system (“ISMS”), which is based on and accredited to an ISO27001:2013 standard.

Unauthorised access.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Specific access.
We limit access to your personal data to those employees, agents, contractors and other third parties who have been authorised to access your personal data
While precautions will be taken to ensure that the personal data you provide is protected against unauthorised or unintended access, we cannot be held responsible for unauthorised or unintended access that is beyond our control.

Vulnerabilities.
We have put in place procedures to deal with any suspected personal data breach and will notify you and the supervisory authority of a breach where we are legally required to do so.
However, we cannot guarantee that our systems or applications are invulnerable to security breaches, nor do we make any warranty, guarantee, or representation that your use of our systems or applications is safe and protected from viruses, worms, Trojan horses, and other vulnerabilities.
We also cannot guarantee the security of data that you choose to send us electronically. Sending such data is entirely at your own risk.

Our retention schedules.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We consider our retention schedules to be appropriate and fair, for example, we may keep hold of your CV for 3 months if we weren’t able to find you a role within our team, but after that time your circumstances may have changed, and it wouldn’t be appropriate for us to keep it. We are legally obliged to keep certain elements of personal data relating to transactions, these are for tax and accounting purposes, so we’d keep hold of those data for 7 years.

Details of retention periods for different aspects of your personal data are available and you can request more details of that by contacting our Data Protection Office.

By law we may have to keep certain information about our customers and this data will be held solely and securely for those legal purposes.

As a customer or employee, you may at any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
  • Right to judicial review: in the event that we refuse your request under rights of access, we will provide you with a reason as to why. You have the right to complain and we have provided a specific section on this below.

All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.

At your request, we can confirm what information we hold about you and how it is processed. If we hold personal data about you, you can request the following information:

  • Identity and the contact details of the person or organisation that has determined how and why to process your data.
  • Contact details of the data protection officer, where applicable.
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of our business or a third party, information about those interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the data is/will be disclosed to.
  • If we intend to transfer personal data to a third country or international organisation, information about how we ensure this is done securely.
  • The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
  • How long the data will be stored.
  • Details of your rights to correct, erase, restrict or object to such processing.
  • Information about your right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority.
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it wasn’t collected directly from you.
  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

What forms of ID will I need to provide to access my data?
We accept the following forms of ID when details of your personal data are requested:
Passport, driving licence, birth certificate, utility bill from last 3 months.

In the event that you wish to make a complaint about how your personal data is being processed by us or third parties, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and our Data Protection Office.

Our Data Protection Office.
Postal Address:
Data Protection Office
The Root House Clifton Fields
Lytham Road
Preston
Lancashire
PR4 0XG

Email: dataprotection@gb3.co.uk

Telephone: 01772 851110

UK’s Supervisory Authority.
The UK’s supervisory authority is the Information Commissioners Office.

Postal Address:
Information Commissioner
Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Web: https://ico.org.uk/make-a-complaint/

Telephone: 0303 123 1113

If you have any queries about this Policy, please feel free to get in touch with our Data Protection Office and we will do our best to answer your questions.

This Privacy Policy is effective from the 25th May 2018.

Always a Little Further.