1. Introduction
Symprex Limited respects your privacy and is committed to protecting your personal data. This privacy policy will explain how your personal data is processed by us. It applies to anyone visiting our websites (the “Sites”) (regardless of where you visit them from), using our products and services, working with any of our teams, meeting us at events, applying for a role with us or when you otherwise interact with our business.
For the purposes of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018, Symprex Limited is the controller and responsible for your personal data (“we”, “us” or “our” in this privacy policy). If you have any questions about this privacy notice, please contact us at [email protected]. Alternatively, you can write to us at Symprex Limited, 2 Guildford Business Park, Guildford, GU2 8XG, United Kingdom.
In the event that you are not satisfied with our response, and wish to make a complaint about how your personal data is being processed by us, or how your request has been handled, you have the right to lodge a complaint directly with the Information Commissioner's Office.
2. What information do we collect?
We collect personal data which you provide to us directly and information related to your use of the Sites. Other types of information may be collected automatically from your device such as device data and service data.
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity, contact and company information including: first and last names, email address, phone number, company name and your role in the company.
- Financial information including: bank account, payment card information, billing and mailing address.
- Device data including: IP address, browser type, operating system and platform and other technology on the devices you use to access the Sites.
- Usage data including: information about how you use our Sites i.e. how long you spent on a page or screen, date and time, web pages viewed and content that you access.
- Visitation data including: time and date of arrival, photograph ID, signature.
Recruitment information
We may collect, use, store and transfer the following recruitment information including: passport or visa information, CV or cover letter.
Certain categories of personal data such as that about race, ethnicity, religion, health or criminal convictions are considered ‘sensitive personal information’ under data protection law. Generally, we try to limit the circumstances where we process sensitive personal information and to ensure we do not collect this information unless it is necessary. There will, however, be circumstances where we collect and process sensitive personal information as part of the recruitment process. For example, we may collect information about your race, ethnicity or health for the purposes of conducting equal opportunities monitoring. We may also ask you for details of medical conditions in order to make arrangements for you to attend an interview or assessment centre or because we need to be aware of certain medical conditions in order to assess your suitability for a particular role.
3. How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email. You have the right to withdraw consent to marketing at any time by contacting us.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To create, administer and manage your user account. | Identity, contact and company information. | a) Performance of a contract with you; b) Necessary for our legitimate interests (to operate and administer the Symprex services and Sites). |
| To manage our relationship with you which will include: a) Customer support; b) To send you service, technical and other administrative messages; c) To respond to your comments and questions. |
Identity, contact and company information. | Necessary for our legitimate interests (to operate and administer the Symprex services and Sites). |
| To display personalised adverts to you including by serving and managing adverts on our Sites and on third-party websites. | (a) Identity, contact and company information; (b) Device data; (c) Usage data. |
Necessary for our legitimate interests (to support our marketing activities and advertise our products and services). |
| To send you marketing communications via email about our products, services and upcoming events that might interest you. | (a) Identity, contact and company information; (b) Usage data. |
a) Necessary for our legitimate interests; b) Consent (see ‘Marketing’ below to learn how you can control your marketing preferences). |
| To use data analytics to improve our Sites, products/services, marketing, customer relationships and experiences. | (a) Usage data; (b) Device data. |
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Sites updated and relevant, to develop our business and to inform our marketing strategy). |
| To register office visitors. | (a) Identity, contact and company information; (b) Visitation information. |
Necessary for our legitimate interests (to protect our premises and confidential information against unauthorised access and the safety of our staff and office visitors). |
| To comply with legal obligations in accordance with our obligations under applicable laws. | Identity, contact and company information. | Necessary to comply with legal obligation. |
| To carry out other legitimate business purposes, including invoicing, audits, fraud monitoring and prevention. | (a) Identity, contact and company information; (b) Financial information; (c) Device data. |
Necessary for legitimate interests (in order to carry out legitimate business purposes). |
| To control unauthorised use or abuse of the Symprex services and Sites, or otherwise detect, investigate or prevent activities that may violate Symprex policies or applicable laws. | (a) Usage data; (b) Device data. |
Necessary for our legitimate interests (to maintain and promote the safety and security of the Symprex Sites and services). |
| To consider your application for a job role that you may have applied for. | (a) Identity, contact and company information; (b) Visitation information; (c) Recruitment information. |
To decide whether or not to enter into a contract of employment with you. |
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
In certain circumstances, we may collect your personal data on a different legal basis. If we do, or if we use your personal data for purposes that are not compatible with, or are materially different than, the purposes described in this notice, we will explain how and why we use your personal data in a supplementary notice at or before the point of collection.
Please note these legal bases only apply to you if you are resident in the European Economic Area (‘EEA’), the UK or Switzerland, or if the GDPR (or in the UK, the Data Protection Act 2018) otherwise applies.
4. Marketing
We may send marketing communications to our current and prospective customers and so, depending on your marketing preferences, we may use your personal data to send you such messages by email. Some of these messages may be tailored to you, based on the information we hold about you.
If you no longer want to receive marketing communications from us, you can change your preferences at any time by following the opt-out links on any marketing message.
Please note that where you unsubscribe or opt out from a marketing communication, we need to keep a record of your email address to ensure we do not send you marketing emails in the future.
5. Third-party websites
Our Sites may also contain links to third-party websites. This privacy policy applies solely to information processed by us. You should contact the relevant third-party websites for more information about how your personal data is processed by them.
6. Cookies
We may also obtain information about your general internet usage through the use of ‘cookies’ or other internet tracking technologies which enable us to make certain parts of the Sites easier to use, to improve the functionality of the Sites and so we can undertake analysis on the usage of our Sites and on our users. Please see our Cookie Policy for more information.
7. Sharing your personal data
We may share your personal data with the following third parties:
- Service Providers:
- Consultants and vendors engaged by us to support our provision of the Symprex services and Sites and the operation of our business;
- Any such other Service Providers as may be added to the Subprocessor List, from time to time.
- Advertising Partners:
- Third-party advertising companies may use cookies and similar technologies to collect information about your activity on the Sites and other online services over time to provide targeted advertisements, including the companies listed in the third-party cookies section of our Cookie Policy.
- Professional Advisors:
- Professional advisors, such as lawyers, auditors and insurers, in the course of the professional services they provide to us.
- Compliance with Law Enforcement:
- To cooperate or comply with public and government authorities, courts or regulators in accordance with our obligations under applicable laws.
- Business Transfers:
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
8. International transfers
We may also sometimes transfer your personal data and/or store it outside the UK or the EEA in order to operate our business, services or the Sites.
Wherever we transfer personal data outside of the UK or EEA, we will take legally required steps to ensure that appropriate safeguards are in place to protect it. You may contact us for an explanation of the basis on which we have transferred your personal data and, where relevant, to request a copy of the legal safeguards we have put in place.
9. Data retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Details of retention periods for different aspects of your personal data are set out below:
- Where we have collected your personal information during the course of your and our organisations doing business, we will keep your personal information for as long as this business continues, or for as long as we have a commercial interest in holding your personal information, for example, with a view to doing business in the future.
- If you have consented to receiving marketing information, we will keep your personal information for as long as we still have your consent.
- Where you have provided us with your bank account details in connection with paying us for our services to you, we will keep this information for 1 year.
- Where you use our Sites and one of our cookies are activated, that cookie will operate for the duration set out in our Cookie Policy.
And for job applicants:
- Where you are successful in your application for employment with us, we will provide further information at your employment as to how we use your information.
- Where you are unsuccessful, we will keep your personal information for 6 months.
10. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11. How we store and safeguard personal data
Personal information is usually stored on our servers within the UK.
Certain services we provide, such as Signature 365, store personal information on our servers in the location chosen by you. If you choose for any such service to be provided in the European Union, for example, then personal information is stored on our servers within the European Union.
Where we use third-party service providers to assist us, personal information may also be stored in accordance with their practices and procedures. We only use third parties that respect privacy and protect personal information in accordance with the law.
12. Your legal rights
If you are a resident of the EEA or the UK you have the following data protection rights:
- You can request access to your personal data, request correction, or request erasure of your personal data at any time. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- You can object to processing, ask us to restrict processing or request portability of your personal data.
- You have the right to opt-out of marketing communications we send you at any time.
- You have the right to withdraw consent at any time where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing we conducted prior to your withdrawal.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).
You can exercise any of these rights by submitting a request to us at [email protected].
Last updated: 23 February 2021