This Privacy Notice sets out:
- who we are;
- why we need to collect your personal data;
- the general categories of personal data that we may process;
- the purposes for which we may process your personal data;
- the legal bases of the processing;
- who has access to your data and who the data may be shared with;
- how we will protect your data;
- how long we will retain your data;
- your rights as a data subject.
Who we are
ACM Limited (company number 04437689) is the data controller. ACM is a subsidiary of EMB-Group Limited (company number 07087597) and is part of the EMB Group of companies: www.emb-group.co.uk. More information about ACM can be found at: www.acmcert.com
ACM is committed to being transparent about how it collects and uses personal data and to meeting its data protection obligations.
ACM’s Data Privacy Manager can be contacted at: firstname.lastname@example.org
Why we need to collect your personal data
We need to collect personal data in order to maintain records and in order to communicate with you or your organisation about the services that we provide to you or your organisation.
The categories of personal data that we may process
The personal data that we normally collect includes your name, job title, address and contact details, including email address and telephone number. For certain projects or contracts that we deliver, we may be required to collect other data, including sensitive personal data. Where this is the case, we will explain the purpose and lawful basis for processing your sensitive personal data before requesting the data.
Purposes of the processing
The purposes for which we may process your personal data are:
- to maintain records of our customers for legal or contractual purposes;
- to communicate with you or your organisation in order to make appointments, to send invoices or similar (service communication);
- to send you marketing information about similar services that we offer.
Lawful basis for the processing
Personal data may be processed by ACM under a number of lawful bases:
- Contract: Processing of your personal data may be necessary for the performance of a business or employment contract to which you are party or in order to take steps at your request prior to entering into a contract.
- Legal Obligation: Processing of your personal data may also be necessary to enable ACM to comply with legal obligations to which ACM is subject; for example, we may be required to collect personal data of interviewees in the course of an audit.
- Legitimate Interest: Personal data may be collected to respond to enquiries and to supply relevant marketing information about our services. Personal data will also be collected in response to job advertisements or recruitment enquiries.
Who has access to your data?
Your information may be shared internally, including with ACM and EMB Group staff and managers and IT staff if access to the data is necessary for performance of their roles.
Your data may be shared with UK Accreditation Service (UKAS), the national accreditation body for the United Kingdom that oversees organisations that provide certification, testing, inspection and calibration services. Your data may also be shared with the Chartered Quality Institute for the International Register of Certificated Auditors (IRCA) and Safety Schemes in Procurement Limited (SSIP) for compliance and registration purposes.
ACM, as data controller, also shares your data with third parties that process data on its behalf and which provide services to ACM and its clients, including agents and auditors employed by ACM to undertake audits. ACM does not permit third parties to use the data for any other purpose.
How does ACM protect your data?
ACM takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by authorised employees in the performance of their duties. The EMB Group of companies holds ISO27001:2013 information security certification as well as Cyber Essentials Plus certification.
Where ACM engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
ACM will not transfer your data to countries outside the European Economic Area.
ACM normally holds data for seven years after performance. Data held by ACM is securely destroyed at the end of the retention period.
Consequences of failure to provide personal data
Failure to provide the required personal data may mean that ACM is unable to provide you with services.
Automated decision making
ACM does not use automated decision-making.
Your rights as a data subject
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the organisation to change incorrect or incomplete data;
- request the organisation to delete or stop processing your data, when the data is no longer necessary for the purposes of processing.
If you would like to exercise any of these rights, please contact ACM’s Data Privacy Manager by e-mail at: email@example.com
If you believe that ACM has not complied with your data protection rights, you can complain to the Information Commissioner’s Office: https://ico.org.uk/concerns/handling/