Who we are
Registered Office 35 Badger’s Way, Weston Super Mare, North Somerset. BS24 7ED
EaglePeak Consulting Ltd Company Reg. No. 5799537 England and Wales
Our website addresses are: https://www.epc-qm.co.uk and www.eaglepeakconsulting.co.uk
PRIVACY NOTICE – EAGLEPEAK CONSULTING LTD.
EaglePeak Consulting Ltd., in accordance with the UK General Data Protection Regulation (UK_GDPR) and the Data Protection Act 2018 (DPA), are committed to ensuring the lawful, fair and transparent processing of all personal data under its control.
In general, EaglePeak Consulting (EPC) works purely on a Business to Business basis, and as such the processing of personal data other than professional contacts is minimal. Any personal data that we do process will be strictly handled in line with this policy.
1 Details of Data Controllers and Processors
Data Controller: EaglePeak Consulting Ltd. (Client contact personal data)
Data Processor: EaglePeak Consulting Ltd. (Second/ third party auditees; Client contact personal data)
Data Processor: Associate contractors acting on behalf of EaglePeak Consulting Ltd. (Second/ third party auditees; Client contact personal data)
2 Details of Personal information collected
In order to engage with our clients, suppliers and collaborative partners, EPC will collect or receive contact names, organisational positions, terrestrial and mobile numbers (which may be personal numbers that are also used for business purposes) email addresses (by exception these may be personal email addresses used for business purposes) and business addresses.
During the conduct of subcontract first or second party audits, personal information may be collected from client employees such as details of educational background, personal qualifications, employment history, performance and disciplinary action etc, which may be recorded in audit reports provided to the client. EPC will never solicit, either for its own purposes or on behalf of a client or any other party, the collection of sensitive personal information such as ethnic background, political, religious or philosophical beliefs, sexual orientation, or particulars of trade union membership or activities. In some cases, client or third-party employees may knowingly or inadvertently disclose such personal data during the course of an audit or other business, but this will not be recorded by or on behalf of EPC.
Under exceptional circumstances, particularly during the course of audit activity, EPC may detect or become aware of serious illegal or unethical activities such as record falsification, illegal employment practises or employee gross misconduct. Such incidents, whether organisationally sanctioned or purely on the part of an individual or group of individuals, may be reported to the client or client’s customer/ supplier as appropriate, or to appropriate authorities in the event of a serious threat to life or the well-being of an individual, and where EPC would be in contravention of its legal obligations by not doing so.
EPC occasionally receives CVs from prospective employees or may review CVs or conduct interviews together with or on behalf of a client to assist in assessing an individual’s suitability for a role.
3 How we collect your information:
We collect information by email, in person or through visiting publicly accessible client or supplier websites. On occasion professional social media platforms may be used, but only where EPC already has a pre-existing business connection.
4 Why we process your information (the Purpose):
To quote for, carry out and invoice for our quality and environmental management services including training, second-party audits and management system development, to demonstrate the effectiveness of client’s and/ or their suppliers’ management systems, and to advance the quality and environmental management professions.
5 The Lawful Basis for which we process your information:
The primary lawful basis under which we process personal data is the performance of a contract (Article 6(1)(b) of the UK_GDPR). It is essential we process this data in order to be able to make contractual arrangements, provide and invoice for our services.
A secondary lawful basis under which we process lawful data is EPC and third party legitimate interests (Article 6(1)(f) of the UK_GDPR). It is in our clients’ interests to be able to demonstrate that personnel, including supplier personnel are appropriately experienced and qualified for the work they are undertaking and that they are subject to fair and lawful employment. This is balanced with consideration of the rights and freedoms of auditee personnel.
6 Who has access to your information:
EPC will not disclose client personal data to any other party without express written permission to do so.
Auditee personal information may be disclosed to clients within an audit report. Such information will be strictly limited to data regarding work being performed including compliance with documented work processes and pertinent education, training and experience and will not include sensitive personal data. Client’s suppliers are always asked to review audit reports prior to disclosure to the client, and as such have the opportunity to request the removal of personal information. However, EPC recognise that the existence of such requests, and compliance with them or otherwise does not absolve it of its obligations under UK_GDPR or the DPA.
EPC will not expose this data to any other party without anonymisation unless explicitly required to do so by a legitimate law enforcement authority.
Where a CV is reviewed jointly by EPC and a client, or a joint interview is performed, no copy of the CV or other personal data will be retained by EPC once the activity is complete.
7 How your information is used:
Personal data is only used for the purpose(s) defined in section 4, in accordance with the lawful bases detailed in section 5.
8 How we secure your information:
We take appropriate technical and operational measures to ensure that your information is managed carefully and appropriately and to protect against unlawful or unauthorised use and accidental loss or destruction, including:
- Only providing access to those who need access to carry out the purpose of processing
- Passwords are protected and not shared
- Hard-copy information is stored securely with access limited to only those who need to have access to carry out the purpose.
9 Data Transfers:
(A) Transfers within the UK and European Economic Area:
David K. Hardiman Chartered Accountant – receives a copy of client invoices for accounting purposes
EPC Clients – receive a copy of audit reports
(B) Transferring of your information outside the European Economic Area:
Information you submit to us is shared with our third-party cloud-based data storage and email provider’s servers (iCloud/ OneDrive)
Country: United States of America
Safeguard(s) used: our email and cloud-based provider is subject to a Data Processing Agreement (DPA) incorporating the UK Information Commissioner’s Office (ICO) standard contractual clauses (SCCs).
10 How long we will hold onto your information:
In the case of client contact details, we will retain these as long as we have an active business relationship, and up to a maximum of seven years.
In the case of audit reports we will retain these for a period of two years unless instructed otherwise by a client or where there is a regulatory obligation to retain them for longer.
11 Your rights in relation to your information:
(A) You have the right to object to the processing of your information, or to request that we restrict how your information is processed. We are obliged to comply with such requests unless there is a legitimate basis for not doing so. Please contact enquiries@eaglepeakconsulting.co.uk to register any objections to or request any restrictions of processing.
(B) Access requests – you may request that we supply all the information we hold about you, at any time. We will endeavour to respond with such information within 30 days. There is no charge for this, except where such requests are clearly unreasonable, in which case a fee of £10 may be charged. We may require proof of ID to ensure such information is not disclosed to persons other than those to which the information pertains. Please contact enquiries@eaglepeakconsulting.co.uk if you wish to make a subject access request.
(C) If you feel your information has not been processed in a lawful, fair or transparent manner you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Their website can be accessed at www.ico.org.uk and concerns may be reported at https://ico.org.uk/concerns/.
12 What happens if your information is compromised?
In the event we discover a breach in the way we handled your personal information, we will notify the Information Commissioner’s Office within 72 hours of discovery. Where we consider there to be any risk to you as a consequence of the breach we will notify you immediately with details of any resulting risks and measures we have taken or intend to take, and any recommended actions that may help you.
13 Sensitive Personal Information:
We do not collect or process sensitive personal information in the course of normal business activities.
Where a client or second/ third party auditee discloses sensitive personal information during the course of an audit this information shall not be included in the audit report or disclosed to any other party without the individual’s explicit written consent or where it is in the vital interests of the individual to do so.
