Last updated: 17th January 2020
This notice is set out to give guidance and help you understand what information we collect at SmartSpace Global Ltd (a SmartSpace Software PLC company), how we use it, and what choices you have.
Any questions relating to this document should be sent to: firstname.lastname@example.org.
SmartSpace Global Ltd is part of SmartSpace Software Plc. Where below we refer to ‘group’ we are referring to SmartSpace Software PLC and its subsidiary companies. Where we refer below to, ‘we’, ‘us’ or ‘our’ we are referring to SmartSpace Global Ltd and its subsidiary companies.
We have taken every step to ensure compliance with the General Data Protection Regulations with respect to collection, use and retention of data.
Changes to this Policy
We may change this policy from time to time, and if we do we will post any hanges on this page. Unless stated otherwise, the change will apply from the date that we upload the revised policy.
If you continue to use our services after those changes are in effect, you agree to the revised policy.
What Personal Data do we collect
Content and information submitted by yourself to SmartSpace Global is referred to in this notice as ‘personal data’.
There are four main categories of personal data we collect, hold and process:
- Account Data is personal data we collect about you in connection with the creation or administration of a customer account. The Account Data we collect may include your name, your company, job title, phone numbers, email addresses, your location, billing information, your IP address and/or other device identifying data, and other information required to provide a service or information you have requested from us. The legal basis of our processing of Account Data is necessity for the performance of a contract to which you or your employer are a party.
- Visitor or Employee Data is personal data about a Customer’s visitors or employees that is input into SmartSpace applications. Visitor and Employee Data may include visitors’ and employees’ names, phone numbers, email addresses, locations, company name, department, vehicle information (such as number plates), dietary requirements or preferences and any other information that a Customer decides to capture about its visitors and employees. We will not disclose, move, access, process or use Visitor or Employee Data except as expressly instructed by our Customer in line with our contract with them or as per further written instructions as may be provided by the Customer. We require our Customers to comply with applicable privacy and data protection laws.
- Website Data. We collect, and store information about all visitors who come and take a look at our website. Whether you actively provide us with information by filling in an enquiry form or are merely browsing, the IP address of the computer you are using, the browser software and operating system, the date and time you access our website and the internet address of the website from which you visited website. This information is really helpful to us and lets us track website usage, measure the number of visitors to the different sections of our website and helps us make the content we provide for you more useful.
- Job applicants, current and former employees. We collect, and store information about all job applicants and employees, whether via direct applicants or via recruiters. If you have any queries about the recruitment process or how we handle your information, please contact us. If we make an offer of employment, we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to becoming an employee of SmartSpace. We are required to confirm the identity of our staff, their right to work in the country of their work location, and seek assurance as to their trustworthiness, integrity and reliability. You will therefore be required to provide:
- Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
- Your consent for our third-party screening provider to conduct pre-employment checks on our behalf. We use Sterling Talent and as part of this process we will provide your name, email address and identity document details to Sterling. You will be required to provide your consent and information directly to Sterling for appropriate checks to be carried out. Checks will include, but will not necessarily be limited to (depending on role): basic criminal disclosure, employment verification, right to work check and credit check, Sterling’s privacy notice can be found here: https://www.sterlingcheck.com/about/privacy-clients/
For the purposes of GDPR:
- We are the Data Controller (as defined in the GDPR) when processing Account Data, Job applicant or Employee Date and Website Data;
- We act as a Data Processor on behalf of our Customers (who are the Data Controller) when processing Visitor and Employee Data. We shall only process Visitor and Employee Data in line with our contract with our Customer and as per any further written instructions which they may provide.
How we use your Personal Data
We will use your personal data:
- To verify your identity;
- To provide services and products to you;
- To market our services and products to you;
- To understand and improve the services and products that we provide to you;
- For billing and account management;
- To complete credit checks against your company;
- To respond to communications from you;
- To conduct research and statistical analysis (on an anonymised basis);
- To protect and/or enforce our legal rights and interests, including defending a claim;
- To contact your referees, using the details you provide to obtain references
- For any other purpose authorised by you, or as may be permitted under applicable law;
Other data uses
It’s in SmartSpace Global’s legitimate business interest to keep its customers, website visitors and business contacts informed of our latest content, products and services.
We process customer and contact data and use direct marketing as part of this legitimate interest. It’s necessary for us to use a variety of direct marketing channels and messages to ensure our contacts are kept informed of our products, services and content, and wherever possible we make sure the messages we send are targeted and relevant. Any direct marketing we undertake complies with e-privacy rules on consent.
In particular you could expect to receive from us:
- Occasional email updates highlighting our website content, downloadable reports, and forthcoming events or webinars.
- Occasional direct mailings or telemarketing calls about our forthcoming events or latest content
- Occasional content updates on Twitter, LinkedIn or Facebook, based on the pages you visit on our website
- You can manage your preferences and unsubscribe from any or all of these different types of messages at any time.
As part of a larger group of companies, one of our other companies may be better placed to offer you the services you have requested or provide you with additional information. In these situations, it’s in our legitimate interest to share your data with them so they can assist you.
Disclosing and transferring your Personal Data
Personal data will not be transferred to third parties unless one of the following situations apply. Data processors are third parties who provide elements of our recruitment and onboarding for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. Where we do need to pass on data, we will only provide the minimum amount of information necessary. We may disclose your personal data to:
- Any courier in order for them to be able to make any requested delivery to you.
Any other company within our group of companies or affiliates for the purposes described in this policy.
- Any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or SmartSpace applications and products; or that assists us with our marketing and customer care activities described in this policy.
- Any other company in the case of a change to our business structure, sale, merger, consolidation, liquidation, dissolution, reorganisation or acquisition; or steps in contemplation of such activities (e.g. due diligence).
- Any third-party integration provider where you, or your company, has expressly requested such integration service. SmartSpace Global and its subsidiaries are not responsible for how the provider of an integration may collect, use and share such data.
- Comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal processes for supervisory authorities or a law enforcement agency.
Protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.
- We sometimes engage recruitment agencies to assist us with our recruitment. Any recruitment agencies engaged will be data controllers in regard to your personal data and we therefore advise that you check their Privacy Policies prior to sharing your personal data with them.
As part of our GDPR compliance obligations we are duty bound to check when considering sharing your personal data with any third parties that they apply the same or greater controls in terms of data protection. All SmartSpace Global suppliers, affiliates and any other third parties that we may use to process your data are subject to a strict due diligence process to ensure they operate in accordance with GDPR, including the use of non-disclosure agreements.
Protecting your information – Security and Retention
We take reasonable and appropriate measures to ensure that any personal data collected from you is kept safe from loss, misuse, unauthorised access or disclosure. These steps take into account the sensitivity of the personal data we collect, process and store, and the current state of technology.
While we take reasonable steps to maintain secure internet connections, if you provide us with information over the internet, the provision of that information is at your own risk.
All personal data is stored in accordance with SmartSpace Global’s retention policy and is only kept for as long as deemed necessary for the purpose of which it was used. You can ask us to let you know what data we hold about you at any time.
Sending information over the internet is generally not completely secure, and therefore we can’t guarantee the security of your data while it’s in transit. Transmission of such data is therefore entirely at your own risk. We have procedures and security features in place to keep your data secure once we receive it.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Job Applicant Data that is provided to us is stored on our secure servers and at the recruitment stage may additionally be stored within BambooHR in the applicant tracking function. We use BambooHR to generate offers of employment and store employee data. We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format. We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
Data Retention Policy
Account Data and Website Data that we collect and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer.
Visitor and Employee Data is processed and retained in line with our Customer (the Data Controller’s) written instructions to us.
International transfers of data
The Account Data and Website Data may be transferred to, and stored in, a country operating outside the European Economic Area (EEA). Under the GDPR, the transfer of personal data to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection. In the absence of an adequacy decision, we may transfer personal data provided appropriate safeguards are in place.
Some of the Account Data and Website Data we collect is processed in the United Kingdom (where our registered office is located).
Some of the Account Data and Website Data we collect is processed by third party data processors in other countries, including the United States. These countries are not subject to an adequacy decision by the European Commission and instead, in transferring your personal data to these countries, we take other appropriate safeguards as prescribed by the GDPR. We have verified that our data processors in the United States have self-certified under the EU-US Privacy Shield framework.
Your Data, Your Rights
Your rights in relation to your personal data under GDPR include:
i. Right to be informed. About how we collect and use your personal data
ii. Right of access. To what data we hold about you and how we are using it
iii. Right to rectification. If any personal data is incorrect you can ask us to update it
iv. Right to removal. If you wish us to remove your details from our systems, also referred to as the ‘right to be forgotten’
v. Right to restrict processing. You can request the restriction of how we process your personal data if certain criteria under the GDPR are met
vi. Right to data portability. Gives you the option to ask for your personal data if you wish to provide it to another provider
vii. Right to object. To us using your personal data for legitimate interests, direct marketing and research and statistics.
viii. Right to opt out of automated decision making. We don’t use computers to make our decisions for us, but if we did, you could ask that a suitably experienced professional reviews your information and makes a decision themselves instead.
You can withdraw your consent for receiving marketing content at any time by emailing us at email@example.com.
If we do send you marketing emails, they will all have an ‘unsubscribe’ link at the bottom which will also allow you to update or withdraw your consent to receiving any future marketing correspondence.
If you wish to exercise your rights in relation to Visitor and Employee Data, as Data Processor we shall pass your subject access request to the relevant Data Controller and shall support the Data Controller in responding to your request.
If you have any questions about your personal data, our use of your personal data, or you wish to exercise your rights when it comes to any of the foregoing, contact us at firstname.lastname@example.org.
We do not intend to collect personal data from children aged under 16. If you have reason to believe that a child under the age of 16 has provided personal data to use through our website and/or by using our applications, please contact us at: email@example.com.
Building 250, The Village, Butterfield, Luton, Bedfordshire, LU2 8DL