This Privacy Statement explains what we do with your personal data, whether we are in the process of assisting you verify your identity, continuing our relationship with you once have, providing you with a service, receiving a service from you, using your data to ask for your assistance in relation to a user of our services, or you are visiting our website.
It describes how we collect, use and process personal data, and how, in doing so, we comply with our legal obligations.
This Privacy Statement applies to the personal data of our website users, clients, suppliers and other people and organisations whom we may contact digitally to find out more about users of our services or whom they indicate is an emergency contact. It also applies to the emergency contacts of W2 Global Data Solutions Ltd staff.
For the applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679)) (the “GDPR”), the company responsible for your personal data is W2 Global Data Solutions Ltd or “us”.
This Privacy Statement applies in relevant countries throughout our international network. Different countries may approach data privacy in slightly diverse ways. W2 Global Data Solutions Ltd wishes to ensure that it is compliant with all applicable data privacy protections, no matter where you are.
It is very important you read the statement carefully to understand our views and practices regarding the processing of personal information and how W2 Global Data will treat it.
By visiting the W2 Global Data website and/or providing your information to us via use of any of our services, you are accepting and consenting to the practices described in this statement.
When using W2 Global Data services, our clients will require you to provide explicit consent to the collection and use of any personal information you may provide to us, and to transfer of your personal information, for the purposes of validation and verification, to W2 Global Data and its partners located in the UK or elsewhere as outlined in this statement. Please note that this includes your explicit consent to the processing of any sensitive personal information you may provide, as described herein.
If you do not agree with any of the content of this statement: please do not use W2 Global Data services or this site.
Your privacy is important to us, and W2 Global Data is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all its legal obligations and it values your right to control what personal information is collected about you and how this information is used.
While information is the foundation for providing you with superior service, protecting the privacy of your personal information is of highest importance to us. W2 Global Data believes that responsible stewardship of the information entrusted to us is crucial in developing and maintaining the public trust essential for our continued success.
We are sensitive to your privacy concerns and are committed to letting you know how the information collected is being used and what choices you have regarding the collection and use of the information you have provided. In seeking to protect personal data and ensure that our staff understand the rules governing their use of the personal data to which they have access during their work; staff must ensure that the Data Protection Officer (DPO) is consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
All information supplied by you to the W2 Global Data service will be used and protected by us in accordance with current applicable data protection law and this Privacy Statement.
W2 Global Data seeks to comply with the principles of data protection (the Principles) enumerated in the EU General Data Protection Regulation and makes every effort possible in all that we do to do so. The Principles are:
- Lawful, fair and transparent; data collection must be fair, for a legal purpose and we must be open and transparent as to how the data will be used.
- Limited for its purpose; data will only be collected for a specific purpose.
- Data minimisation; any data collected must be necessary and not excessive for its purpose.
- Accurate; the data we hold must be accurate and kept up to date.
- Retention; we will not store data longer than necessary.
- Integrity and confidentiality; the data we hold will be kept safe and secure.
Who We Are
W2 Global Data is responsible for the processing of any personal information you provide to it while using its services to engage with you. W2 Global Data Solutions Limited is registered in the United Kingdom with the UK Information Commissioner’s Office under Registration No: Z2736945.
In the event you provide W2 Global Data with personal data, W2 Global will in that instance be what’s known as the ‘Controller’ of any personal data you provide to us. In the event you provide W2 Global Data with personal data through one of our clients, W2 Global will in that instance be what’s known as the ‘Processor’ of any personal data you provide to us.
What We Do
W2 Global Data provide a wide range of online screening tools and services to help organisations make time critical and informed decisions about the people and businesses they are interacting with.
What Kind of Personal Data Do We Collect?
W2 Global Data collects data from users of its services and this website; its suppliers and others and it does so to operate effectively and provide the best possible service.
SERVICE USERS (the end-user of a W2 Client) – PERSONAL DATA: You have choices about the data we collect at W2 Global Data. When you are asked to provide personal data, you may decline or, the end users may decline. The data we collect depends always on the context of the interactions between end-user and W2 Client and in turn, with W2 Global Data. The personal data shared will depend upon the choices made, and the services and features chosen.
If you submit personal details or documents on request from an enterprise using a W2 Global Data service or do so direct to W2 Global Data, depending on the relevant circumstances and applicable local laws and requirements, we may collect some or all of the information listed below to enable us to offer you services which are tailored to your circumstances and the W2 Global Data client you may be engaged with, including:
- Name and contact data. We collect your first and last name, email address, postal address, phone number and other similar contact data if you provide such data.
- Age/Date of birth information.
- Sex/Gender information.
- We collect passwords, password hints and similar security information used for authentication and account access.
- Demographic data. We collect data about you such as your age, gender, address, country of origin and residence, ethnicity, religious affiliation if you provide such data.
- Status data. We collect data about your current circumstances including nationality, citizenship, residency, employment, household, dependants, financial, criminal, immigration, academic, medical, well-being, dependencies and more.
- Achievement data. We collect data about you such as your personal attainments including educational history and results achieved, and professional and/or vocational qualifications and memberships if you provide such data.
- Employment data. We collect data about you such as your employment status and employment history if you provide such data including details about your current remuneration, pensions and/or benefits arrangements where it applies.
- Diversity information including racial or ethnic origin, religious or other similar beliefs, and physical or mental health, including disability-related and well-being information.
- Social information including but not limited to information on your interests and needs, both collected directly and inferred.
- Payment data. We collect data necessary to process your payment if you make purchases.
- Financial information (where we need to carry out financial background checks).
- National Insurance or Social security information (or equivalent in your country) and other tax-related information.
- Photographs and documents. We may collect data about your driving licence and/or passport/identity card and/or other documents containing personal information and we may collect facial images of you which you provide for facial recognition purposes.
- Criminal Conviction information (where/if it applies).
- Device and Usage data. We collect data about your device and how you and your device interact with W2 Global Data and our services.
- Interests and favourites. We collect data about your interests and favourites if you provide such data.
- Contacts and relationships. We collect data about your emergency and referee contacts and your relationships to those contacts if you provide such data.
- Extra information you choose to tell us.
- Extra information referees choose to tell us about you.
- Extra information that W2 Global Data clients may tell us about you or that we receive from other sources including but not limited to credit reference agencies and other data providers.
- Location data. For products with location-enhanced features, we collect data about your location, which can be either precise or imprecise. Precise location data can be Global Navigation Satellite System (GNSS) data (e.g. GPS), as well as data identifying nearby cell towers and Wi-Fi hotspots, we collect when you enable location-based products or features. Imprecise location data includes, for example, a location derived from your IP address or data that indicates where you are located with less precision, such as at a city or postcode level.
- We collect the content of any files you upload directly to our systems.
- IP address
- The dates, times and frequency with which you access our services; and
- Geo-location information relating to you.
(Please note: that the above list of categories of personal data we may collect is not exhaustive and to the extent that you access our website we will also collect certain data from you).
W2 Global Data – CLIENT DATA: The data we collect about our clients is actually very limited. We generally only need to collect company contact details and/or the details of individual contacts at a client organisation (such as their names, telephone numbers and email addresses) to enable us to ensure that our relationship runs smoothly. We also hold information relating to a client’s engagement with user’s profiles through their use of our services. We may also hold extra information that someone in a client organisation has chosen to tell us and to the extent that they access our website we will also collect certain data from them.
W2 Global Data – SUPPLIER DATA: We don’t collect much data about our suppliers – we simply need to make sure that our relationships run smoothly. We’ll collect the details for our contacts within supplier organisations, such as names, telephone numbers and email addresses. We’ll also collect bank details, so that we can pay them. We may also hold extra information that someone in a supplier organisation has chosen to tell us and to the extent that they access our services, we will also collect certain data from them.
PEOPLE WHOSE DATA WE RECEIVE FROM SERVICE USERS SUCH AS REFEREES AND EMERGENCY CONTACTS: All we need from referees is confirmation of what they already know about our service user. Emergency contact details give our clients somebody to call on in an emergency. To secure references, we’ll obviously need referee contact details (such as name, email address and telephone number). We’ll also need these details if our service user has put provided anyone as their emergency contact so that clients can contact you in the event of an accident or an emergency.
WEBSITE USERS: We collect a limited amount of data from our website users which we use to help us to improve your experience when using our website and to help us manage the services we provide. This includes information such as how you use our website, the frequency with which you access our website, your browser type, the location you view our website from, the language you choose to view it in and the times that our website is most popular. If you contact us via the website, for example by using the contact form function, we will collect any information that you provide to us, for example your name and contact details.
SERVICE USER DATA (the end user of a W2 Client): We collect service user personal data in three primary ways:
- Personal data that you give to us; such as when you create a W2 Global Data account, administer your organisation’s account, are invited by a W2 Global Data client to complete a process step for a reason you will be aware, upload a document, purchase a service, or contact us for support.
- Personal data that we receive from other sources; including from service providers that help us determine the validity of any data element you have provided for example, to verify a document or confirm your address on an electoral roll; and publicly-available sources such as open government databases or other data in the public domain. We protect data obtained from third parties according to the practices described in this statement, plus any additional restrictions imposed by the source of the data.
- Personal data that we collect automatically; by recording for example how you interact with our site or services using technologies like cookies.
W2 CLIENT DATA: We collect client personal data in three ways:
- Personal data that we receive directly from you; We both share the same goal – to enable better, faster trust decisions. We will receive data directly from you principally in two ways: 1. where you contact us proactively, usually by phone or email; and/or 2. where we contact you, either by phone or email, or through our consultation activities more generally.
- Personal data that we receive from other sources; Where appropriate and in accordance with any local laws and requirements, we may seek more information about a client organisation and its employees from other sources generally by way of due diligence or other market intelligence activity including from third party market research and by analysing online and offline media (which we may do ourselves, or employ other organisations to do for us) and from other limited sources and third parties.
- Personal data that we collect automatically; To the extent that you access our website or read or click on an email from us, where appropriate and in accordance with any local laws and requirements, we may also collect your data automatically or through you providing it to us.
WEBSITE USERS: When you visit our website, there is certain information that we may automatically collect, whether you decide to use our services. This includes your IP address, the date and the times and frequency with which you access the website and the way you browse its content. We will also collect data from you when you contact us via the website, for example by using the contact form function. We collect your data automatically via cookies, in line with cookie settings in your browser.
SERVICE USER DATA (in other words, the end user of a W2 Client): In general terms, when W2 Global Data collects personal data, it uses the data it collects for four basic purposes:
- to operate its business and provide (including improving and personalising) the services it offers,
- to provide you with the services you have chosen to engage with in line with the requirements of the enterprise that has invited you to provide W2 Global Data with personal details
- to send communications, including promotional communications, and
- to validate and/or verify the data you have provided with third parties including for the purposes of establishing or proving identity as described in the “How Do We Use Personal Data” section of this statement.
In carrying out these purposes, W2 Global Data combines data that it collects to provide a more seamless, consistent and complete experience. W2 Global Data will not collect any personal data from you it does not need to provide and oversee a service to you.
Where we collect information, which may be classified as ‘sensitive’ personal information and where slightly stricter data protection rules apply to it; we will in all cases need to obtain your explicit consent before we can use it. We’ll ask for your consent by offering you an opt-in. This means that you must explicitly and clearly tell us that you agree to us collecting and using this information.
Where we may need to collect other sensitive personal data about you, such as health-related information, religious affiliation, or details of any criminal convictions if this is appropriate in accordance with local laws and is required for the service you are using; we will never do this without your explicit consent.
Whatever else, service users can be certain that W2 Global Data has a Data Protection regime in place to oversee the effective and secure processing of all personal data provided, always, which includes the following key principles, namely:
- The personal data you provide to us and which we process with your consent is processed by our staff in the UK.
- For the purposes of IT hosting and maintenance your data is located on servers within the European Union.
- No 3rd parties have access to your personal data unless the law allows them to do so.
- W2 Global Data may disclose any of the information it collects about you to other W2 Global Data companies and information may be hosted outside of the European Economic Area by such W2 Global Data companies.
- W2 Global Data may provide aggregated data about the use of its services to select third parties for such purposes as we deem, in our sole discretion, to be appropriate.
- W2 Global Data may equally segment its users by age, geographic location, gender, etc. If you would like to be excluded from aggregated research at any time you should contact the enterprise that has invited, you to use this service for assistance.
- Aggregated or segmented data will not ever contain personal information about you and will not enable you to be identified or located.
- W2 Global Data engages third parties to assist in the provision of specific verification and validation related services and the uses of the information as described in this statement. It does so with your explicit consent, always.
- Third party service providers who have access to your personal information for these purposes are authorised to use this information only in a manner consistent with this statement and for no other unrelated purpose.
- In most all cases where we process sensitive personal data, W2 Global Data will require your explicit consent, as the data subject, to do this unless exceptional circumstances apply, or we are required to do so by law (e.g. to comply with legal obligations to ensure health and safety at work).
- Any such consent given by you to us will always clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed. Your consent can be revoked at any time.
- W2 Global Data uses the basic personal data it collects to communicate with you and personalise it communications with you. For example, we may contact you by phone or email or other means to remind you about your outstanding items or actions, update you or enquire about a request you submitted, or tell you that you need to act to keep your account active.
- W2 Global Data does not use anything data you provide including anything you say in email, or your documents, photos or other personal files to target ads to you directly or indirectly and it will not sell, rent or otherwise make available any personal information relating to you to any persons or companies who could use your personal information for sales purposes or in any manner unintended by you without your consent.
- Information about you collected by W2 Global Data on your behalf to the enterprise that has invited you to use the W2 Global Data service will be displayed to you and be available to you at any time.
- Information collected on your behalf from sources other than freely and publicly available sources will only be displayed to you at the discretion of the enterprise that has invited you to provide your details.
W2 CLIENT DATA: In general terms, when W2 Global Data collects client data it uses the client information it collects for three basic purposes: namely
- Marketing activities: including storing your details (and updating them when necessary) on our database, so that we can contact you in relation to marketing activities, keeping records of our conversations, emails and meetings, so that we can provide targeted services to you; Undertaking customer satisfaction surveys and processing your data for targeting appropriate marketing campaigns. Please note that in certain of the jurisdictions in which we operate, we comply with additional local law requirements regarding marketing activities. Subject to any applicable local laws and requirements, we will not, as a matter of course, seek your consent when sending marketing materials.
- Service provision & maintenance: including use of contact information collected in the ordinary day-to-day activities of supporting a client relationship and service; and
- To help us establish, exercise or defend legal claims: where we may use or be required to use your personal data.
W2 SUPPLIER DATA: To find the right balance, we will only use supplier information:
- To store (and update when necessary) your details on our database, so that we can contact you in relation to our agreements;
- To offer services to you or to obtain support and services from you;
- To perform certain legal obligations;
- To help us to target appropriate marketing campaigns; and
- In more unusual circumstances, to help us to establish, exercise or defend legal claims.
We may use your personal data for these purposes if we deem this to be necessary for our legitimate interests. We will not, as a matter of course, seek your consent when sending marketing messages to a corporate postal or email address. If you are not happy about this, in certain circumstances you have the right to object and can find out more about how to do so in this statement. Please note that in certain of the jurisdictions in which we operate, we comply with additional local law requirements.
PEOPLE WHOSE DATA WE RECEIVE FROM SERVICE USERS SUCH AS REFEREES AND EMERGENCY CONTACTS: We will only use the information that service users give us about you for the following three purposes:
- If our service users provide your information as an emergency contact, we’ll provide access to your information to our client organisation to contact you in the case of an accident or emergency affecting the service user; or
- If you were put down by our service user as a referee, we will contact you to take up a reference. This is an important part of our service user identity assurance process.
- We may use your personal data for these purposes if we deem this to be necessary for our legitimate interests. If you are not happy about this, you have the right to object and can find out more about how to do so in this statement.
Where appropriate and in accordance with local laws and requirements, we may share your personal data with your consent, in many ways and for assorted reasons, with the following categories of people or organisations:
- Any of our group companies;
- A W2 Global Data client organisation for or through which you are completing a W2 Global Data process
- Individuals and organisations who hold information related to a reference including current, past or prospective employers, educators and examining bodies and employment and recruitment agencies;
- Tax, audit, or other authorities, when we believe in good faith that the law or other regulation requires us to share this data (for example, because of a request by a tax authority or in connection with any anticipated litigation);
- Third party service providers who perform functions on our behalf (including external consultants, business associates and professional advisers such as lawyers, auditors and accountants, technical support functions and IT consultants carrying out testing and development work on our business technology systems);
- Third party outsourced IT and document storage providers where we have an appropriate processing agreement (or similar protections) in place;
- Marketing technology platforms and suppliers; and
- Third party reference data sources including credit reference agencies where there is a requirement to validate or verify your identity or any attribute of the information or documents you have provided to us.
- Banks and other entities that process payment transactions or provide other financial services, and for fraud prevention and credit risk reduction when you make a payment to us.
W2 Global Data shares your personal data with your consent or as necessary to complete any transaction or provide any service outcome you have requested or authorised. We will however access, transfer, disclose and preserve personal data, including your content, when we have a good faith belief that doing so is necessary to:
- comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies. If this happens W2 Global Data will only disclose the information necessary to comply with the request. We may also, if we deem it necessary, disclose information to prevent a violation of the law and by accepting this statement, you consent to our doing so, in our sole discretion;
- protect our customers, for example to prevent spam or attempts to defraud users of our products, or to help prevent the loss of life or severe injury of anyone;
- operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
- protect the rights or property of W2 Global Data, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property belonging to W2 Global Data, we will not inspect a user’s private content ourselves, but we may refer the matter to law enforcement.
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures. These include measures to deal with any suspected data breach.
If you suspect any misuse or loss of or unauthorised access to your personal information, please let us know immediately. Details of how to contact us can be found in this statement.
W2 Global Data retains personal data for as long as necessary to provide the products and fulfil the transactions you have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing our agreements and it retains such information for no longer than is necessary. Because these needs can vary for different data types in the context of various products, actual retention periods can vary significantly.
What is “necessary” will depend on the circumstances of an individual’s case, considering the reasons that the personal data was obtained, but is always determined in a manner consistent with our data retention guidelines; the criteria used to determine these which include:
- How long is the personal data needed to provide the W2 Global Data services and operate our business? This includes such things as maintaining and improving the performance of the services, keeping our systems secure and maintaining appropriate business and financial records. This is the general rule that establishes the baseline for most data retention periods.
- Do users provide, create or maintain the data with the expectation W2 Global Data will retain it until they affirmatively remove it? Examples include a document you may upload e.g. a passport. In such cases, we maintain the data until you actively delete it or request it be deleted.
- Is there an automated control, such as in the W2 Global Data online system, that enables you to access and delete the personal data at any time? If there is not, a shortened data retention time will generally be adopted.
- Is the personal data of a sensitive type? If so, a shortened retention time would generally be appropriate.
- Has the user provided consent for a longer retention period? If so, we will retain data in accordance with your consent.
- Is W2 Global Data subject to a legal, contractual, regulatory or similar obligation to retain the data? Examples can include mandatory data retention laws in an applicable jurisdiction; government orders to preserve data relevant to an investigation or data that must be retained for the purposes of litigation.
In general terms, we will otherwise delete personal data from our systems if we have not had any meaningful contact with you (or, where appropriate, the W2 Global Data client organisation through which you were using our services) for two years unless you have consented otherwise (or for such longer period as we believe in good faith that the law or relevant regulators require us to preserve your data). After this period, it is likely your data will no longer be relevant for the purposes for which it was collected.
When we refer to “meaningful contact”, we mean, for example, communication between us (either verbal or written), or where you have or are actively engaging with our online services. Your receipt, opening or reading of an email or other digital message from us will not count as meaningful contact – this will only occur in cases where you click-through or reply directly.
The GDPR exists to protect and clarify the rights of EU citizens and individuals in the EU with regards to data privacy. This means that you retain various rights in respect of your data, even once you have given it to us. You have rights to your data which we must respect and comply with to the best of our ability. These are described in more detail here. To get in touch about these rights or if you have any concerns whatsoever, please contact us via the contact information options provided in this statement. We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
W2 Global Data adheres to applicable data protection laws in the European Economic Area, and therefore, we must where applicable ensure individuals can exercise their rights in the following ways:
Right to be Informed: by being provided with privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, that are written in clear and plain language, particularly if aimed at children and by keeping a record of how we use personal data to demonstrate compliance with the need for accountability and transparency.
Right of Access: which we satisfy by enabling individuals to access their personal data and supplementary information and by allowing individuals to be aware of and verify the lawfulness of our processing activities.
Right to Object: this right enables you to object to us processing your personal data where we do so for one of the following four reasons:
- our legitimate interests;
- to enable us to perform a task in the public interest or exercise official authority;
- to send you direct marketing materials; and
- for scientific, historical, research, or statistical purposes.
If your objection relates to us processing your personal data because we deem it necessary for your legitimate interests, we must act on your objection by ceasing the activity in question unless:
- we can show that we have compelling legitimate grounds for processing which overrides your interests; or
- we are processing your data for the establishment, exercise or defence of a legal claim.
If your objection relates to direct marketing, we must act on your objection by ceasing this activity.
Right to Withdraw Consent: Where we have obtained your consent to process your personal data for certain activities (for example, for our marketing arrangements or automatic profiling), you may withdraw this consent at any time and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition.
Data Subject Access Requests (DSAR): You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is “manifestly unfounded or excessive”. If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible. Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons for doing so.
Please note that in certain of the jurisdictions in which we operate, we comply with additional local law requirements regarding data subject access requests and may refuse your request in accordance with such laws.
Right to Erasure: You have the right to request that we erase your personal data in certain circumstances. Normally, the information held must meet one of the following criteria:
- the data is no longer necessary for the purpose for which we originally collected and/or processed them;
- where previously given, you have withdrawn your consent to us processing your data and there is no other valid reason for us to continue processing;
- the data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);
- it is necessary for the data to be erased for us to comply with our legal obligations as a data controller; or
- if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
Please note that in certain of the jurisdictions in which we operate, we comply with additional local law requirements regarding data subject right to erasure and may refuse your request in accordance with local laws. We would only be entitled to refuse to comply with your request to erasure for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
- for public health reasons in the public interest;
- for archival, research or statistical purposes; or
- to exercise or defend a legal claim.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
Right to restrict processing: You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either:
- one of the circumstances listed below is resolved;
- you consent; or
- further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.
The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
- where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
- where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
- where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
- where we have no further need to process your personal data but you require the data to establish, exercise, or defend legal claims.
If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data. We are permitted to store personal data if it has been restricted, but not process it further. We must retain enough data to ensure the right to restriction is respected in the future.
Right to Rectification: You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. This must be done without delay, and no later than one month. This can be extended to two months with permission from the DPO. Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
Right of Data Portability: If you wish, you have the right to transfer your personal data between data controllers. In effect, this means that you can transfer your W2 Global Data account details to another online platform. To allow you to do so, we will provide you with your data in a commonly used machine-readable format that is password-protected so that you can transfer the data to another online platform. Alternatively, we may directly transfer the data for you.
This right of data portability applies to:
- personal data that we process automatically (i.e. without any human intervention);
- personal data provided by you; and
- personal data that we process based on your consent or to fulfil a contract.
Rights in relation to Automated Decision Making and Profiling: which require us to respect the rights of individuals in relation to automated decision making and profiling including ensuring that individuals retain their right to object to such automated processing, have the rationale explained to them, and request human intervention.
Right to lodge a Complaint with a Supervisory Authority: You also have the right to lodge a complaint with your local supervisory authority. Details of how to contact them can be found in this statement.
If you would like to exercise any of these rights or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), details of how to contact us can be found in this statement. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Cookies may be used by W2 Global Data to provide you with customised information from our web service. A cookie is an element of data that a web site can send to your browser, which may then store it on your system. Cookies allow us to understand who has seen which pages and advertisements, to determine how frequently particular pages are visited and to determine the most popular areas of our web site.
Cookies may also allow us to make our web site more user friendly by, for example, allowing us to save your password so that you do not have to re-enter it every time to visit our web site. Some website browsers can remember website passwords, to save you having to enter the password each time you visit a website. If you choose to let your browser remember your password for this site, one of our cookies helps this to happen. Your browser should not remember your password unless you have allowed it to. Your browser settings will allow you to erase password data at any time.
W2 Global Data is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use or disclosure. For example, we store the personal data you provide on computer systems that have limited access and are in controlled facilities. When we transmit highly confidential data (such as a credit card number or password) over the Internet, we protect it using encryption. When we transfer personal data from the European Economic Area, we do so using a variety of legal mechanisms.
W2 Global Data takes all reasonable steps to ensure that the data we collect under this privacy statement is processed according to the provisions of this statement and the requirements of applicable law wherever the data is located. Because W2 Global Data operates throughout the world in providing its goods and services, we on occasion transfer personal data from the European Economic Area and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection, including transfers:
- between and within W2 Global Data entities;
- to third parties (such as advisers or other suppliers to the W2 Global Data business);
- to overseas W2 Global Data clients;
- to W2 Global Data clients within your country who may, in turn, transfer your data internationally;
- to cloud-based storage providers; and
- to other third parties, as referred to in this statement.
If we do so, we use a variety of legal mechanisms, including contracts, to help ensure your rights and equivalent protections travel with your data. Above all else, we want to make sure that data is stored and transferred in a way which is secure. We will therefore only transfer data outside of the European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example:
- by way of data transfer agreement, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by data controllers in the EEA to data controllers and processors in jurisdictions without adequate data protection laws; or
- by signing up to the EU-U.S. Privacy Shield Framework for the transfer of personal data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or
- transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country’s levels of data protection via its legislation; or
- where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer are in your interests for the purposes of that contract (for example, if we need to transfer data outside the EEA to meet our obligations under that contract if you are a client of ours); or
- where you have consented to the data transfer.
For further on information on how some of our suppliers treat your privacy and PII please see the below:
Article 6(1)(f) of the GDPR is the one that is relevant here – it says that we can process your data where it “is necessary for the purposes of the legitimate interests pursued by [us] or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of [you] which require protection of personal data.”
However, you do have the right to object to us processing your personal data on this basis.
We have our own obligations under the law, which it is a legitimate interest of ours to insist on meeting! If we believe in good faith that it is necessary, we may therefore share your data in connection with crime detection, tax collection or actual or anticipated litigation.
In certain circumstances, we are required to obtain your consent to the processing of your personal data in relation to certain activities. Depending on exactly what we are doing with your information, this consent will be opt-in consent or soft opt-in consent.
Article 4(11) of the GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In plain language, this means that:
- you must give us your consent freely, without us putting you under any type of pressure;
- you must know what you are consenting to – so we’ll make sure we give you enough information;
- you should have control over which processing activities you consent to and which you don’t. We provide these finer controls within our privacy preference centre; and
- you need to take positive and affirmative action in giving us your consent – we’re likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
We will keep records of the consents that you have given in this way.
We have already mentioned that, in some cases, we will be able to rely on soft opt-in consent. We can market products or services to you which are related to the recruitment services we provide if you do not actively opt-out from these communications. Please note that in certain of the jurisdictions in which we operate, we comply with additional local law requirements regarding consenting to receive marketing materials. As we have mentioned, you have the right to withdraw your consent to these activities. You can do so at any time by contacting us.
ESTABLISHING, EXERCISING OR DEFENDING LEGAL CLAIMS
Sometimes it may be necessary for us to process personal data and, where appropriate and in accordance with local laws and requirements, sensitive personal data in connection with exercising or defending legal claims. Article 9(2)(f) of the GDPR allows this where the processing “is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”. This may arise for example where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.
W2 Global Data personnel have an obligation to report actual or potential data protection compliance failures. This allows us to:
- Investigate the failure and take remedial steps, if necessary
- Maintain a register of compliance failures
- Notify the relevant supervisory authority of any compliance failures that are material either or, as part of any pattern of failures.
W2 Global Data’s Data Protection Officer has overall responsibility for the day-to-day implementation of this privacy statement if, at any time, you:
- wish to access, amend or take back the personal data that you have given to us;
- suspect any misuse or loss of or unauthorised access to your personal information;
- wish to withdraw your consent to the processing of your personal data (where consent is the legal basis on which we process your personal data);
- want to make a complaint on how W2 Global Data has handled your personal data.
You can contact us at the following address:
W2 Global Data Solutions Ltd, 3 Alexandra Gate, FFordd Pengam, Cardiff, CF24 2SA, UK.
Alternatively, you can send an email to: email@example.com
For EU citizens you can contact our EU representative at the following address:
INSTANT EU GDPR REPRESENTATIVE LTD 69 Esker Woods Drive, Lucan Co. Dublin Ireland
Alternatively, you can send an email to: firstname.lastname@example.org
or use the portal link https://w2globaldata.gdprlocal.com/eu
W2 Global Data takes complaints very seriously and will respond to complaints within 30 days.
Unless otherwise stated, W2 Global Data Solutions Ltd is a processor for the personal data we collect through the services we provide which are subject to this statement.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with UK law and the requirements of GDPR; you can complain to the UK Information Commissioner’s Office: You can contact them in the following ways:
- Phone: 0303 123 1113
- Email: email@example.com
- Web: www.ico.org.uk
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. UK
We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. We must however retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of an individual’s case, considering the reasons that the personal data was obtained, but is always determined in a manner consistent with our data retention guidelines.
*Updated: 23rd June 2021