1 Keeping your data safe
2 Who's in control of my personal data?
2.2 The only exception to this is the additional information we collect from sub-contractors that we are contractually obliged to provide to clients.
3 What data do you collect and where from?
3.1 The type of personal data that we collect about you depends on our relationship with you.
3.2.1 We collect personal data about our clients (including prospective clients) in order to provide and promote our services. This applies equally if you are an individual client, sole trader or unincorporated partnership, or if you are an employee, shareholder or director of a company or limited partnership.
3.2.2 The information we collect about our clients (Client Information) includes the following:
(a) first name and surname;
(b) telephone numbers;
(c) email address;
(e) job title;
(f) financial details; and
(g) information provided to us by you whenever you engage or communicate with us for any reason.
3.2.3 Most of the time, we collect Client Information directly from you. However, sometimes we obtain Client Information from a third party (for example, if someone refers business to us) or from a publicly available source (for example, LinkedIn, business websites or search engine results).
3.3.1 If you are an individual, sole trader or an unincorporated partnership providing services to Ecosulis (i.e. as a subcontractor), or a director, employee or shareholder of a subcontractor, in addition to the information listed above, we sometimes need to ask you to provide us with further information. This is so that we can verify your identity and professional standing on behalf of our own clients. The information we will request includes the following (Subcontractor Information):
(a) registration numbers;
(b) passport details;
(c) health & safety registration information;
(d) trade membership and qualification information;
(e) photographic identification and proof of address documents;
(f) National Insurance number; and
(g) next of kin.
3.4 Other suppliers and business partners
3.4.1 We collect personal information about individuals who work for suppliers and other business partner organisations. The information is the same as for clients.
3.5 Other parties with similar goals to Ecosulis (e.g. academics)
3.5.1 The information we collect about these parties is limited to contact information:
(a) first name and surname;
(b) telephone numbers;
(c) email address;
(d) address; and
(e) job title.
3.5.2 This information may be collected directly from you or from a publicly available source (for example, LinkedIn, business websites or search engine results).
4 What do you use my personal data for?
4.1 Carrying out our services
4.1.1 We use Client Information to register you as a new customer, to contact you and to provide our services.
4.1.2 We also use Client Information to conduct analysis to enable us to improve our business and our services.
4.2 Communicating with you
4.2.1 We use information that you voluntarily provide to us when contacting us with queries, comments or complaints to enable us to respond to those queries, complaints or comments and to make sure that these are appropriately dealt with.
4.3.1 We will use your email address, telephone number and/or postal address to send you direct marketing communications. We do this at all times in accordance with our obligations under direct marketing laws. You can choose not to receive these communications by following the instructions in each communication to unsubscribe.
4.4 Reassuring our clients
4.5.1 If you are a general supplier or business partner, we use your personal data for the efficient operation of our business.
4.6 Informing you of initiatives if your goals are similar to those of Ecosulis
4.6.1 If you are involved with activities aligned with the goals of Ecosulis (e.g. academics) then we will use your personal data to make you aware of initiatives that may be of interest to you or your contacts.
5 What is your legal basis for using my personal data?
5.1 Data protection law says that we have to tell you the legal basis that we rely on to process your personal data for the purposes that we have notified you of. The table below tells you what that legal basis is in relation to each of the purposes set out above.
Personal data used
To register you as a new customer and to provide our services to you and manage our relationship with you
If you are an individual, sole trader or unincorporated partnership, we process this personal data for these purposes on the basis that this information is necessary in order to perform our contract with you to provide our services.
Responding to your queries, comments and complaints
We process this personal data for this purpose on the basis that this information is necessary for our legitimate interests. We have an interest in making sure that comments and queries are handled appropriately.
We process this personal data for this purpose on the basis that it is in our legitimate interests to do so, in order to promote and market our business. You can opt out of receiving marketing communications at any time by following the ‘unsubscribe’ instructions in marketing communications.
Fulfilling our obligations to certain clients to provide them with information
Subcontractor Information relating to any Subcontractor involved in the supply of services by Ecosulis
We process this personal data for this purpose on the basis that this information is necessary for our legitimate interests and/or the legitimate interests of our clients. We are required to provide an enhanced amount of information on all subcontractors connected with the provision of Ecosulis services to certain clients due to the nature, size and significance of their projects.
Efficient operation of Ecosulis
Other suppliers’ and business partners’ information
We process this personal data on the basis that this information is necessary for your performance according to the contract between us.
Other parties with similar goals to Ecosulis
We process this personal data for this purpose for our legitimate interests.
6 Who do you share my personal data with?
6.1 If you are a subcontractor, we may share the Subcontractor Information with the client for whom the work is being carried out. This is to comply with our contractual obligations to that client.
6.2 We may share your information with another individual, consultant or organisation that provides similar services to our services, if we are unable to assist you by providing our own services or answering any queries.
6.3 Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
6.4 HM Revenue & Customs, regulators and other authorities based in the United Kingdom and other relevant jurisdictions.
6.5 We will also share your information with third-party service providers, such as cloud storage providers, marketing agencies and software providers that we use for internal software such as project management software and accounting.
6.6 We require all third parties to respect the security of your personal data and treat it lawfully.
7 Whereabouts is my personal data kept?
7.1 We use Box for cloud storage. Box is based in the USA and is certified with the EU–US Privacy Shield framework. This means that Box protects your personal data in the USA in a way that has been approved by the European Commission. You can find out more about Privacy Shield, and Box's certification, here.
7.2 Some of our other third-party suppliers will also use other cloud storage providers who store personal data outside of the UK and the European Economic Area (EEA) and/or transfer personal data to affiliates worldwide to ensure that they can continue to provide their services to us. Where this happens, any transfers of personal data outside the UK or the EEA will be covered by one or more of the following measures to protect it:
7.2.1 EU-US Privacy Shield framework, as described above;
7.2.2 Model contract clauses, which are standard sets of contractual clauses approved by the European Commission as ensuring an adequate level of protection of personal data outside the UK and the EEA; or
7.2.3 Binding corporate rules, which are sets of rules entered into between group companies that require affiliates outside the UK and the EEA to protect data in the same way as it is protected within the UK and the EEA.
8 How long do you keep my personal data for?
8.1 We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
8.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
8.3 By law we have to keep basic information about our customers (including contact, identity, financial and transaction data) for six years after they cease being customers, for tax purposes.
8.4 In some circumstances you can ask us to delete your data: see 9.8 below for further information.
8.5 In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
9 What rights do I have?
9.1 You have a number of rights under data protection law. These rights and how you can exercise them are set out in this section. We will normally need to ask you for proof of your identity before we can respond to a request to exercise any of the rights in this section and we may need to ask you for more information, for example to help us to locate the personal data that your request relates to.
9.2 We will respond to any requests to exercise your rights as soon as we can and in any event within one month of receiving your request along with any necessary proof of identity or further information. If your request is particularly difficult or complex, or if you have made a large volume of requests, we may take up to three months to respond. If this is the case we will let you know as soon as we can and explain why we need to take longer to respond.
If you want to exercise any of these rights, please write to us at Vicky Sheppard, Office Manager, Ecosulis Ltd, Harwell Innovation Centre, Building 173, Curie Avenue, Harwell Campus, Oxford, OX11 0QG. You can also contact us by email using:
firstname.lastname@example.org or email@example.com.
9.3 A right to access your information
9.3.1 You have a right to ask us to send you a copy of all the personal data that we hold about you (subject to some exceptions).
9.4 A right to an electronic copy of your information
9.4.1 If you are an individual, sole trader or unincorporated partnership client, you can also ask us to send you the Client Information that we hold about you in a common electronic format, or to ask us to transfer that data to a third party if you want us to and if it is technically feasible for us to do so.
9.5 A right to object to us processing your information
9.5.1 You have a right to object to us processing any personal data that we process where we are relying on legitimate interests as the legal basis of our processing (as set out in section 5 above).
9.5.2 If you make a request to exercise your right to object but we have compelling legitimate grounds to carry on processing your personal data, we will be able to continue to do so. Otherwise, we will cease processing your personal data.
9.6 A right to ask us not to market to you
9.6.1 You can ask us not to send you direct marketing. You can do this by following the ‘unsubscribe’ instructions in any marketing emails, or by contacting us using the details above.
9.7 A right to have inaccurate data corrected
9.7.1 You have a right to ask us to correct inaccurate data that we hold about you. If we are satisfied that the new data you have provided is accurate, we will correct your personal data as soon as possible.
9.8 A right to have your data erased
9.9 A right to have processing of your data restricted
9.9.1 You can ask us to restrict processing of your personal data in some circumstances, for example if you think the personal data is inaccurate and we need to verify its accuracy, or if we no longer need the data but you require us to keep it so that you can exercise your own legal rights.
9.9.2 Restricting your personal data means that we only store your personal data and don't carry out any further processing on it unless you consent or we need to process the data to exercise a legal claim or to protect a third party or the public.
10 How can I contact you?
Vicky Sheppard, Office Manager, Harwell Innovation Centre, Building 173, Curie Avenue, Harwell Campus, Oxford, OX11 0QG.
11 What if I have a complaint?
11.1 You have a right to complain to the Information Commissioner's Office (ICO), which regulates data protection compliance in the UK, if you are unhappy with how we have processed your personal data.
11.2 You can find out how to do this by visiting www.ico.org.uk.
12 What if this policy changes?
Last updated June 2020
Signed: Vicky Sheppard – Office Manager