1. This privacy notice sets out the privacy practices for AACE (the Company) and tells you what to expect in relation to your personal data which is collected and processed by the Company.
2. Your privacy is important to the Company. For employees and associates we need to collect personal data from you for the purpose of administering our contract with you. For customers we need to collect personal data from you for the purpose of fulfilment of any contract we have with you and for business development.
3. The Company promotes a culture of active data protection by having procedures for data protection promulgated to all employees through the Company’s Quality Management System and reinforcing this with regular awareness training.
Lawful basis for processing
4. The Law, including the General Data Protection Regulation (GDPR), requires that the Company adheres to lawful bases for processing a data subject’s information. The nature of the Company’s business and specific requirements associated with some types of data mean that we apply three lawful bases for processing personal data, which are:
a. Consent. Allows the data subject the choice whether they will agree to their personal data being processed;
b. Contractual obligation. Enables the Company to fulfil their contractual obligations to the data subject;
c. Legal obligation. Permits the Company to process personal data to comply with a common law or statutory obligation.
Types of information
6. The Company may require your consent to hold data about you. When consent is the identified lawful basis for processing your data, we will ask for your consent and will be clear about what the information is used for if you choose to provide it. Further, it is your right to withdraw your consent at any time and you may do so by contacting HR@aace.co.uk.
Your right of access
7. You have a right to ask what information we hold on you, and to ensure that it is accurate and up to date, and to have it corrected if it is not. We may occasionally ask you if there have been any changes to your data so that we are able to keep information up to date. If you are concerned about what information we hold on you or would like to update information that we hold on you, please contact the HR Manager (HR@aace.co.uk). We will process your request within one month.
Storing your data
8. All physical data will be held securely in a locked cabinet in a non-public location, accessible only by trusted and designated employees of the Company. All electronic data will be held within the Company’s accredited network environment (to Cyber Essentials Plus) with strict access controls to files and folders to trusted and designated Company employees.
Sharing of your data
9. The Company engages several suppliers to support the administration of the business. These include accountancy and payroll, telecommunications, pensions, healthcare and facilities management for our premises. Through legally binding contracts with the supplier(s), the Company ensures that the protection of your data is at least to the same standard as the Company.
10. The Company will not share your personal data with any third party other than our trusted and contracted suppliers who will be required to hold and use your data solely for the purpose of the contract with the Company.
Disposal of data
11. If we agree to your request to destroy your data, it will be confidentially destroyed in the case of physical data, or permanently erased in the case of electronic data. We will notify you in writing to confirm when and how it has been destroyed or permanently erased. We may not agree to disposal of certain data if we have a legitimate or legal need to retain it. Where there is a legal obligation to, we will keep a record of destruction of data.
Retention of personal data
12. The Company will not hold personal data longer than necessary. There are statutory requirements and non-statutory recommendations for personal data retention, which mean that we will keep data for specified periods of time. Similarly, external organisations may also be required to retain personal data we lawfully provide to them in support of our business.