Privacy Notice

This privacy notice aims to give you information on how Base 3 Systems Ltd (“We”/“Us”) collects and processes your personal data through your use of this website, including any data you may provide through this website when you sign up to our newsletter, purchase a product or service or take part in a competition.

This website is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

About Base 3 Systems

We are committed to respecting your privacy and protecting your personal data. Base 3 Systems Ltd is a company registered in England and Wales (number 03268508) at Stuart House, 15/17 North Park Road, Harrogate, North Yorkshire, HG1 5PD and is registered with the Information Commissioners Office (number Z6344793) in respect of its activities as a Data Controller.

Should you have any questions relating to how we process your personal data you can contact our Data Protection Officer (DPO) at the email address Helen_Skillicorn@base3.com or by post at The Low Barn, Beamsley, Skipton, North Yorkshire, BD23 6HJ.

How you can complain

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Updates to our privacy notice

We regularly review data privacy. Any updates to our privacy notice will be reflected on this page.

This privacy notice is effective from the 25th May 2018.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

How we use your data

We lawfully process your data in order to: enter into or execute a contract with you; comply with a legal obligation; or, pursue legitimate interests. We may also, on an infrequent basis, process your data for specific purposes that you have given us explicit consent for. You have the right to withdraw consent to marketing at any time by contacting us.

Further information relating to how we use your data can be obtained here.

What data we collect about you

We have set out below the different types of personal data that we will generally capture about you depending on who you are and how you interact with us.

How we collect your data

We obtain personal data:

  • when you browse our websites;
  • directly from you when you provide it to us, e.g. when you apply for a job with us;
  • from other organisations and individuals, e.g. during employment or deployment screening;
  • from publicly available sources of information, e.g. professional networks; from referrals, e.g. when someone who knows you believes you may be interested in developing a relationship with us;
  • from e-service usage such as e-learning and our other training programmes; and,
  • during the course of setting up and managing a relationship with you.

How long we store your data for

We only store your data for as long as it is required for the original or compatible purposes for which it was originally gathered. This will vary depending on the specific nature of the processing. When data is no longer required it is securely destroyed.

How we protect your data

If your data is in electronic form it is stored on our secure servers or within secure systems. Where your data is physical (e.g. a paper-based format) it is secured in locked storage cupboards.

We implement appropriate organisational and technical measures to ensure that your data is kept secure and its integrity is maintained. We:

  • have implemented and configured multiple layers of firewalls;
  • have anti-virus and anti-spyware software installed on all computers which is automatically updated with the latest definitions;
  • utilise encryption for data storage and transmission;
  • control all physical access to our sites;
  • employ logical and system access controls to ensure that only our employees who need access to personal data, to perform their duties, have access;
  • automatically patch our systems with the latest security updates;
  • have a robust data backup procedure to maintain onsite and offsite backups;
  • physically destroy all paper-based confidential waste;
  • securely remove data when it is no longer required and from all computers prior to secure physical disposal; and,
  • provide training and guidance to our employees who handle personal data in order to comply with our IT, Data Protection and related policies.

A copy of our IT security policy can be provided to you on request by contacting us.

Who we share your data with

We do not generally share your data with third parties for the purposes of direct marketing, except where you have given us your clear unambiguous consent for that marketing. Depending on the relationship we have with you and the type of processing being conducted, we do share your data with third parties who provide outsourced services for our business.

Our outsourced suppliers and the type of processing they perform are summarised below.

Cloud Heroes Ltd

Hosting our CRM system that holds contact details associated with our relationships.

TSOHOST
(Paragon Internet Group Ltd)

Hosting our primary e-learning web service.

Google LLC

Providing e-mail services and limited online collaboration applications.

Holeys Ltd

Payroll processing and accountancy services.

Royal London Mutual Insurance Society Ltd

Pension administration.

Experian Ltd

Providing employment and deployment screening services, including credit, sanctions and criminal checks.

(BackupVault) Blueraq Networks Ltd

Providing secure cloud backup services.

Lloyds Bank plc

Providing payment services via a secure platform.

Statutory and Legal Bodies

As required by law.

Our legal bases for using your data

We process your data lawfully on the following bases:

  • Contract
    Where we require the information to enter into or perform a contract with you.
  • Legal obligation
    Where we must meet a statutory obligation such as providing details of an employee’s salary payment to HMRC.
  • Legitimate interests
    Where we have a legitimate interest and the information is necessary to pursue that interest and is not outweighed by risks to your rights and freedoms. We will describe our legitimate interests in this policy and if you cannot find the description you are looking for then please contact us.
  • Consent
    Where we have sought your consent and you have explicitly given this for a specific purpose. You are free to withdraw your consent by contacting us at any time and we can let you know how this will affect our services to you.

Transfers of data outside of the EEA

Some of our IT service providers are based in the US and host specific IT platforms outside of the EEA. If it is necessary to transfer your data outside of the EEA this will only be on the basis that you are afforded equivalent rights as under EU data privacy legislation. Our contracts with these suppliers contain model contract clauses that have been approved by the EU and our providers are also certified to comply with EU data protection requirements. Further information regarding EU model contract clauses can be obtained from:

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en

Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Your rights relating to your data

Data Privacy legislation provides for the following rights:

  • To withdraw consent at any time where we are relying on consent to process your personal data.
    However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • To be informed.
    You have the right to be notified about how we collect and use your data. Base 3 Systems seeks to be transparent in its use of your data and should you have any concerns or questions regarding this you are encouraged to contact our DPO.
  • Of access.
    You have a right to see and have a copy of your personal data that we hold and to verify the lawfulness of the processing we carry out with that data.
  • To rectification.
    You have the right to have inaccurate information we hold about you corrected and incomplete information completed, though we may need to verify the accuracy of the new data you provide to us.
  • To erasure.
    You have the right to request that data we hold about you is deleted if:

    • you are entitled to object to our processing of your personal data;
    • it is no longer necessary for the purpose it was originally gathered;
    • the lawful basis for processing was consent and this has been withdrawn;
    • the lawful basis is legitimate interest and the risks to your rights and freedoms outweigh our legitimate interest;
    • we are processing your data to directly market to you and you have objected to such processing;
    • we have processed your data unlawfully; or,
    • the data is no longer required to be processed on the lawful bases of contract or legal obligation.
  • To restrict processing.
    This enables you to ask us to suspend the processing of your personal data in the following scenarios:

    • if you want us to establish the data’s accuracy;
    • where our use of the data is unlawful but you do not want us to erase it;
    • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or,
    • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

    To explicitly request that the processing of your data is restricted please see How to Exercise Your Rights.

  • To data portability.
    If you have provided data about yourself to us, and we process this data on the basis of contract or consent, and the nature of processing is automated, then you have the right to request that data is made available, to you or a third party you have chosen, in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • To object.
    You can object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • With respect to automated decision making and profiling.
    You have the right to not be subject to decisions and profiling based solely on automated processing. Base 3 Systems does not carry out automated decisioning or profiling with the data it holds about individuals.

Individuals’ data

We collect only that data which is necessary and process your data to develop and maintain our relationship with you; we do not and will not pass your information to third parties for the purpose of marketing. The relationships we have are with our employees, prospective employees, customers, prospective customers, suppliers, prospective suppliers, visitors to our website and visitors to our premises.

Prospective employees

When you apply for employment with us you provide us with the data contained in your CV. This information is processed in order to select you for interview. Should you be unsuccessful in your application this information is stored for six months following the end of the recruitment campaign and in any event no longer than twelve months in total.

If you are selected for interview you will complete an application form and provide us with additional information relating to your contact details (including postal address), evidence of your right to work (including Change of Name Deed if appropriate), educational qualifications and details of any adverse financial indicators or criminal convictions. You will also complete several aptitude tests that contribute to our decision whether to continue progressing a contract of employment with you. Where you provide us with medical details for health and safety reasons this data will be processed on the basis of legitimate interests in order for us to meet our obligations as your employer, to comply with health and safety legislation or for occupational health reasons.

If you are not made an offer of employment or reject such an offer then your data will be stored for six months following the end of the recruitment campaign.

If you are made and accept a conditional offer of employment, in order to put in place a contract of employment, we will undertake pre-employment screening. Our screening provider conducts this processing on our behalf and its purpose is to verify the information you have provided and conduct credit and basic criminal records checks. In order to complete this, further information is required: proof of current address, address history, full details of occupational history, educational history and explanation of any activity gaps. At this point we also approach your referees (previous employers and educational contacts).

Except for evidence of your right to work in the UK, the legal basis for processing relating to recruitment is to establish a contract of employment with you and Base 3 Systems in pursuit of our aligned legitimate interests. For right to work verification the lawful basis is legal obligation.

Employees (including contractors and other workers)

When you enter into a contract of employment with us we will ask you for additional information so that we can execute our contract with you and meet our legal obligations. We will ask you for your bank account details so that we can pay you, emergency contact details so we can notify your nominee if you have an emergency at work, any medical information you feel we should be aware of that is relevant to your health and safety, and your National Insurance number.

Where you provide us with medical details for health and safety reasons this data will be processed on the basis of legitimate interests in order for us to meet our obligations as your employer, to comply with health and safety legislation or for occupational health reasons.

We have a legal obligation to provide your name, address, gender, National Insurance number, employment start date, date of birth, salary and student loan details to HMRC. With the exception of student loan details, we also have a legal obligation to provide this information to our workplace pensions provider for auto-enrollment.

Further information relating to how we process employee data is available at the Company’s internal policy portal. A written copy may be obtained by contacting the DPO.

Your data is retained for up to six years after the end of the last calendar year of your contract of employment.

Prospective customers

To grow our business and in our legitimate interests we may use contact information (from you, publicly available sources or from referrals) we hold about you to make you aware of goods and services that we feel may be of interest to you. You have the right to suppress this processing by opting out of this at any time.

To opt-out please email privacy@base3.com specifying ‘Opt-out Request’ as the subject of the email and include the text ‘I do not wish to be contacted about goods or services’ in the body of the email. Alternatively a brief online form can be completed, www.base3.com/optout.

Where we send you communications using this legal basis (our legitimate interests) we will provide you with an unsubscribe link in each email we send to you.

Customers

When we enter into a contract with you to provide goods and/or services we will capture your contact details (this may also include job title and department where relevant) to maintain the contract and support our invoicing process.

We may also use your contact details to pursue our aligned legitimate interests by contacting you with information about further goods and services we feel may be of interest to you. You have the right to suppress this processing by opting out of this processing at any time. Where we send you communications using this legal basis (our legitimate interests) we will provide you with an unsubscribe link in each email we send to you.

To opt-out please email privacy@base3.com specifying ‘Opt-out Request’ as the subject of the email and include the text ‘I do not wish to be contacted about goods or services’ in the body of the email. Alternatively a brief online form can be completed, www.base3.com/optout.

Where you are a user of our e-learning services we will use your email address to create a corresponding user-id. Your email address will be used to notify you of service related activities such as planned maintenance and password resets. These types of communications fall outside the scope of the GDPR as they are a necessary part of the contract we have with you and we are carrying out those rights and obligations.

We have a legitimate interest to improve our services to you and your activity will be captured and used to achieve this. To accomplish this we use cookies. These are small text files that are placed on your computer to enhance or facilitate usage of our services. They are predominantly set for the duration of a session and are destroyed when you close your browser. However, some cookies may exist for several weeks to identify that you have already performed some action (e.g. confirmed understanding that our e-learning services use cookies).

Prospective suppliers

When we consider new suppliers for the provision of goods and services we capture and store contact details in order to enter into a contract with you. By providing your details to us in this context, we both have a legitimate interest in potentially establishing a business relationship.

Suppliers

When we have entered into a contract with you for the provision of goods and/or services we will use your contact details and bank account details in order to maintain the contract and manage our obligations under that contract.

Visitors to our website

When you visit our corporate website we record your IP address and record your activity related to our website. We do this on the basis of legitimate interest in order to improve the content therein.

We may use cookies to enhance your experience or deliver specific functionality through our website. These are small text files stored on your computer predominantly for the duration of your browsing session. When you close your browser they are destroyed. However, some cookies may exist for several weeks to identify that you have already performed some action (e.g. confirmed understanding that our website uses cookies).

Visitors to our premises

We log physical entry and exit to our premises for security and health & safety reasons on the lawful basis of legitimate interest. We capture your name and the company you represent. If you are the subject of an accident whilst at our premises we also use this data and details of the accident for reporting purposes to the Health & Safety Executive in order to comply with our legal obligations.

Other relationships with Base 3 Systems

We maintain a list of property contacts in the locale of our offices that we share with our employees. These details are obtained with explicit consent and used by our employees when they require short-term accommodation near our offices.

To withdraw consent please email privacy@base3.com specifying ‘Consent Withdrawal Request’ as the subject of the email and include the text ‘I wish to withdraw my consent to have my contact information processed’ in the body of the email. Please also include any additional information that may be necessary to identify you, such as company name.

Following receipt of a consent withdrawal request your data will be securely removed from our systems if we are satisfied that your request is valid.

Special category data

GDPR defines special category data as more sensitive than other personal data, requiring additional protection as they could represent more significant risk to an individual’s fundamental rights and freedoms. The following are considered as special category data: race; ethnic origin; politics; religion; trade union membership; biometrics (if used for ID purposes); health; sex life; or, sexual orientation.

In the course of its relationship with its employees Base 3 Systems may process special category data in order to meet its legitimate interests in managing your employment and complying with its legal obligation for your health and safety at work. You provide this data if you believe we need it to consider and implement reasonable adjustments to your workplace or work activities, or to manage your health and safety. It may also be necessary to process such information you provide in the context of preventive or occupational medicine or in the context of your employment (or prospective employment) with us.

How we keep your data safe

Your personal data is processed securely via appropriate technical and organisational measures. These security measures are implemented to ensure that:

  • only authorised individuals have access to your data;
  • your personal data continues to be accurate, complete and relevant for the purposes it is processed for; and,
  • we can attempt to recover your personal data in the event of complete, or partial, loss or modification arising from an accident, IT system failure or other unplanned incident.

How to exercise your rights

Generally, if you wish to exercise any of your rights set out above please email privacy@base3.com specifying an appropriate subject and including appropriate detail in the body of the email.

No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need further information
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.