Data Protection Policy
Your right to privacy is very important to us and we know that when you give us information about yourself, you trust us to be responsible with it. We’re committed to protecting the privacy of those using our services and the confidentiality of the personal information that learners and customers give us. We take appropriate technical and organisational security measures to protect your personal information in compliance with the Regulation (EU) 2016/679 (General Data Protection Regulation) from 25th of 2018. This Data Protection Policy statement and other documents related to GDPR set out the basis on which any personal data we collect from you, or that you provide to us, will be controlled by us. Please read the following information carefully in order to understand our views and practices regarding your personal data and how we treat it.
The purpose of this policy is to ensure that the staff, learners, candidates, volunteers and clients of NEW HSE are clear about the purpose and principles of Data Protection and to ensure that it has guidelines and procedures in place which are consistently followed. Failure to adhere to the Regulation (EU) 2016/679 (General Data Protection Regulation) from 25th of 2018 is unlawful and could result in legal action being taken against NEW HSE or its staff, volunteers or trustees.
The General Data Protection Act 2018 regulates the processing and controlling of information relating to living and identifiable individuals (data subjects). This includes the obtaining, holding, using or disclosing of such information, and covers computerized records as well as manual filing systems and card indexes. Data users must comply with the data protection principles of good practice which underpin the Act. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To comply with GDPR 2018, NEW HSE as a ‘Controller’ will:
· Ensure fair collection and use of information
· Meet its legal obligation to specify the purposes for which information is used
· Collect and process appropriate information needed to fulfil operational need or comply with legal requirements
· Ensure the quality of information used
· Ensure that information is held for no longer than necessary
· Ensure that the rights of an individual are fully exercised under the Act
· Take appropriate technical and organisational security measures to safeguard personal information
· Ensure that personal information is not transferred to a country outside the EEU without suitable safeguard and consent of the individual (data subject)
Personal data (Data subject)
Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller (NEW HSE)
Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor (NEBOSH)
Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Third Party
Means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent
Means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Protection Procedure
The following procedures have been developed in order to ensure that NEW HSE as a company meets its responsibilities in terms of Regulation (EU) 2016/679 (General Data Protection Regulation) from 25th of 2018. For the purposes of these procedures, data collected, stored and used by NEW HSE falls into 2 broad categories:
1. NEW HSE Company’s internal data records; Staff, tutors, invigilators and volunteers
2. NEW HSE Company’s external data records; Learners, Candidates, customers and clients.
NEW HSE as a body is a DATA CONTROLLER under the Act (NEBOSH is the DATA PROCESSOR), and the Managing Director is ultimately responsible for the policy’s implementation.
How does NEW HSE control your data if you are a NEBOSH Candidate/Learner
Information about you that is required to either enroll or register for a NEBOSH qualification or assessment is collated by NEW HSE using the company’s formal Booking Form and entered into a secure portal. By registering for an assessment you give express consent for your data to be transferred between NEW HSE and NEBOSH; specifically your full name, date of birth, address, email address, gender and telephone contact details for the purpose of registration, examination and certification of qualifications only. Information provided in the secure portal can be accessed by NEBOSH and NEW HSE and will only be used to provide a professional service. We will retain this information permanently in order to verify your qualification or successful units; however, we cannot be responsible for the accuracy of contact details over the passage of time. We may also invite you to complete surveys that we use for research purposes, although a response is not mandatory. Surveys will be sent on completion of the qualification.
How does NEW HSE control your data if you are Client (not related to NEBOSH courses)
NEW HSE obtains personal data of candidates, contractors and clients (such as names, addresses, phone numbers, date of birth, gender, diet specification, and company details for invoicing purposes). This data is obtained, stored and processed for the realization of different projects, the learning process and examination arrangements. Personal details supplied are only used to send examination material that is potentially useful, for the realization of projects, contact, cooperation and informing about NEW HSE undertakings. We will not pass any information about you or your company to a third party without your consent. Most of this information is stored on the company’s database.
NEW HSE obtains only the personal data and information it needs, with the main purpose of providing the high quality services outlined in the agreement and service specification signed by the candidate, contractors and clients:
· Enrolment, investigation complaints and appeals
· Equal Opportunities monitoring
· Learning and examination Process
· To distribute relevant learning and examination material, etc.
· Invoices and other financial documentation
How does NEW HSE control your data if you are Employee, candidate or volunteer
NEW HSE obtains personal data of its employees (names, addresses, phone numbers, email addresses), application forms, and references and in some cases other documents from staff, candidates and volunteers. This data is stored and processed for the following purposes:
• Equal Opportunities monitoring
• Working Process
• To distribute relevant company material, etc.
Can NEW HSE give information about a learner to their employer or financial sponsor?
As someone responsible for financing a learner’s education, a relative or formal financial sponsor (organization or individual) often feels they have the right to access the information NEW HSE holds about the learner. Under these circumstances the general rule remains that learners are private individuals and NEW HSE has no obligation or responsibility to keep financial sponsors informed of any aspect of their studies or private data. If a learner and formal sponsor have signed a contract setting out data access rights for the sponsor, information can be supplied in accordance with that contract once NEW HSE has received a copy of the signed contract.
How does NEW HSE process your data if you are a member of staff?
Personal data collected about the member of staff may be used in any malpractice or maladministration case. Any photographic identification collected is stored in a separate secure system only accessible by relevant members of our Company. This data is stored for the life time unless a lawful basis for retaining the data is identified. This is monitored on a case-by-case basis and affected parties will be made aware of the lawful basis for retaining data.
How does NEW HSE process your data if you are a visitor to our website?
When someone visits www.newhse.pl we use a third party service to collect standard internet log information and details of visitor behavior patterns. We do this so that we can measure statistics such as the number of visitors to the site. This information is only processed in a way that does not identify anyone. We will keep this information indefinitely for comparison purposes. We do not make, and do not allow anyone to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will inform users about this. We will make it clear when we collect personal information and will clearly explain what we intend to do with it. No user-specific data is collected by either NEW HSE or any third party.
How does NEW HSE process your data if you email or phone us?
People who contact us via our contact numbers
When you call NEW HSE personnel we collect your telephone number. We use your number for informational purposes related to NEW HSE undertakings. We will not pass your phone number to any third party without your consent except if you are a NEBOSH learner or on request from law authorities.
People who contact us via e-mail
We monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Where NEBOSH enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
Regarding clients other than NEBOSH Learners, we will use your email for informational purposes related to NEW HSE undertakings, and we will not pass your email address to any third party without your consent.
People who make a complaint to us
When we receive a complaint we create a file containing the details of the complaint (see Complaints Log). This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information that identifies him or her to be disclosed, we will try to respect that, however it may not be possible to handle a complaint on an anonymous basis (this excludes whistleblowing). We will keep personal information contained in complaint files no longer than it is needed. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
How does NEW HSE control data about prospective employees? What will we do with the information you provide to us?
All of the information you provide during the recruitment process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary. We will not share any of the information you provide with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors, whether the information is in electronic or physical format. We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
Data Subjects’ rights
Data Subjects shall have the rights contemplated in the Regulation (Articles 15-21) in respect of the processing of data contemplated thereto, including the right to:
· Obtain confirmation of the existence of personal data concerning him/her and to gain access to them (right of access);
· Obtain the updating, modification and/or rectification of their personal data (right of rectification);
· Obtain erasure, or to set limits to processing, of personal data whose processing is unlawful, including that which is no longer necessary in relation to the purposes for which it was collected or otherwise processed (right to be forgotten and right to the restriction of processing);
· Object to processing (right to object);
· Withdraw previously given consent, if any, without prejudice to the lawfulness of processing based on that consent;
· Lodge a complaint with their local EU Data Protection Authority or to the data protection authority of Poland, if they believe that the Company has handled their information in an unlawful manner;
· Receive a copy in electronic form of their data which has been provided to the Company in the framework of an agreement and to have such data transmitted to another controller (right to data portability).
What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes. We will retain this information until your application has been completed. The information we ask for is used to assess your suitability for employment. You don’t have to provide the information that we ask for but it might affect your application if you do not comply.
What other ways does NEW HSE use information held about me?
From time to time NEW HSE will send marketing emails to clients to keep them up-to-date with all the latest news. This includes invitations to events, newsletters, qualification updates, surveys about further events and products and where you have consented to be contacted by NEW HSE. We provide customers the opportunity to opt out of receiving further marketing communications at the point where personal information is requested at the ‘Contact Us’ stage. Customers may also opt out of receiving future survey mailings by contacting us. Removal requests will be acted upon within 28 days.
Personal information found on the internet
For full compliance with the General Data Protection Regulation NEW HSE will not use any personal information held in the public domain. Only information collected by NEW HSE will be used for marketing purposes on receipt of your consent.
How and where does NEW HSE securely store your personal data?
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this policy. We are committed to the security of your information and have security procedures in place to protect against the loss, misuse or alteration of information under our control. Access to our database is restricted internally. All information you provide to us is stored on our secure computers and servers. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access. We ask learners and clients to take steps to ensure they protect their own data related to NEBOSH course or NEW HSE cooperation.
Transfer of your data outside the EEA
NEW HSE will not export any Personal Data to any country outside the European Economic Area unless it is obvious and necessary to do so in the circumstances and/or unless prior written consent has been obtained from the Data Subject.
Transferring data to a third party
Where a third party organization is contracted to process, handle or dispose of personal data on behalf of NEW HSE we will confirm that they undertake to abide by the General Data Protection Regulation.
How does NEW HSE handle the disclosure of your data?
We believe strongly in protecting your privacy and will only disclose information about you to any third party when we have your permission or when we are legally obliged to.
What are the instances where NEW HSE may disclose your personal information to third parties?
If NEW HSE is acquired by a third party, personal data held by NEW HSE about its customers will be part of the transferred assets.
Requests to stop processing
Individuals have the right to request that NEW HSE stop processing/controlling their information (section 10 of the GDPR). It is NEW HSE’s responsibility to remove individual information from any processing/controlling of their data, e.g. marketing activity. Any requests to stop processing are dealt with on a case-by-case basis.
Subject access requests
You also have the right to access your data and the right to rectify, delete and withdraw your consent at any time without affecting the legality of the processing, which was made on the basis of consent before its withdrawal.
If you find that we are processing/controlling data in an unlawful manner, you can file a complaint with a supervisory body that deals with the protection of personal data.
NEBOSH Learners information
Examination scripts are exempt from Subject Access Requests. NEBOSH policy is consistent with the GDPR, under which awarding bodies are not legally obliged to provide access to examination scripts. Subject access requests do not include re-prints of Unit certificates and parchments. To request re-prints of these documents please refer to NEBOSH Policy regarding candidate certificates including corrections and reissues.
The contact details of staff and volunteers will only be made available to other staff and management. Information supplied is kept in a secure filing, paper and electronic system and is only accessed by those individuals involved in the delivery of the service and is not accessed during the day to day operations of the training center.
Contact details of staff and candidates will not be passed on to anyone outside the company without their explicit consent excluding statutory bodies or NEBOSH for marketing and examination purposes only.
Regarding clients other than NEBOSH learners NEW HSE will not pass Subject data to third parties, and will use it for realization of different projects, contact, NEW HSE marketing details, storage and certificate issue. A copy of staff and candidate emergency contact details will be kept in the Emergency File for Health and Safety purposes to be used in emergency situations e.g. fire or evacuations.
All confidential post must be opened by the addressee only.
All staff and candidates are made aware of the Data Protection Policy and their obligation not to disclose personal data to anyone who is not supposed to have it.
NEW HSE will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Where an individual ceases to use our services and it is not deemed appropriate to keep their records, their records will be destroyed accordingly. Unless our company is specifically asked by an individual to destroy their details it will normally keep them on file for future reference. If a request is received from an organization/individual to destroy their records, we will remove their details from the database and request that all staff holding paper or electronic details for the training center destroy them. The Managing Director has responsibility for destroying personnel files.
Storage and Retention
Personal data is kept in paper-based systems and on a password-protected computer system. Every effort is made to ensure that paper-based data are stored in organized and secure systems. NEW HSE operates a clear desk policy at all times. Personal data will be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Such records must be made available to the regulatory authorities or NEBOSH on request.
Use of Photographs
Where practicable, NEW HSE will seek consent from individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the company will remove any photograph if a complaint is received. This policy also applies to photographs published on the NEW HSE website.
Personal data is collected in writing, for instance via email or signing a written consent (see Attachment: 3.1 Data Protection and Confidentiality Statement). During this initial contact, the data owner is given an explanation of how their personal data will be used, shared and protected from misuse.
Responsibilities of staff, volunteers and learners
During the course of their duties with NEW HSE, employees including examination officers and tutors will be dealing with information such as names/ addresses/ phone numbers/ e-mail addresses of members/ candidates/ volunteers. They may be told or overhear sensitive information while working for NEW HSE. The Data Protection Act (2018) gives specific guidance on how this information should be dealt with. In short, to comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff, paid or unpaid, must abide by this policy. To help staff meet the terms of the Data Protection Act, the attached Data Protection/Confidentiality statement has been produced. Staff and volunteers are asked to read and sign this statement to say that they have understood their responsibilities as part of the induction program.
Compliance with the Act is the responsibility of all staff, paid or unpaid. NEW HSE will regard any unlawful breach of any provision of the Act by any staff, paid or unpaid, as a serious matter which will result in disciplinary action. Any employee who breaches this policy statement will be dealt with under the disciplinary procedure which may result in dismissal for gross misconduct. Any such breach could also lead to legal action taken against NEW HSE. Any questions or concerns about the interpretation or operation of this policy statement should in the first instance be referred to the Managing Director.
If you have any concerns regarding your privacy in relation to NEW, please contact us using: