www.mdrtraininguk.com – Website
This privacy notice was last updated on 24th May 2018.
1. What is the purpose of this Privacy Notice?
Your ‘personal data’ or ‘personal information’ is any piece of information that would allow us to identify you as an individual. The processing of personal data is governed by the EU General Data Protection Regulation (the “GDPR”) and national laws that implement the GDPR in each European Economic Area (“EEA”) country.
We take your privacy very seriously, and this document sets out what personal information we collect from you in relation to this service, how we intend to use it and what your rights in respect of that information are. By visiting our websites, you are accepting and consenting to the practices described in this Privacy Notice.
It is important that you read this Privacy Notice (together with any other privacy notice or fair processing notice we may provide you with on specific occasions when we are collecting or processing personal data about you) and we encourage you to keep copies of all such notices for your records.
2. Who controls your personal information, and how do you get in touch?
The controller of your personal information is MDR Training (UK) Limited, (“we”, “us”, “our”).
Should you have any query in respect of this Privacy Notice or your personal information, you can contact us at the following:
Data controller MDR Training (UK) Limited
Address Unit 3 Warren Park Way, Enderby, Leicester, LE19 4SA
Telephone 0116 200 1866
3. What information do we collect about you, and for what purpose?
We may collect, use, store and/or transfer technical data and usage information about you if you interact with our websites, including:
• IP Address and approximate location information;
• Browser connection string;
• Browser type;
• Platform or system type;
o Usage information (pages visited, length of time spent, referral location).
We may also collect, use, store and/or transfer information about your identity, contact details and profile if you use our “contact us” forms, for example:
• Email address;
• Telephone Number;
o Any other information that you share in the message body.
If you make a purchase from our websites or create an account with us we may collect, use, store and/or transfer information about your identity, contact details, transaction data, profile data and marketing & communications preferences, such as your:
• Email address;
• Telephone Number;
• Address (billing and shipping);
o Password (which is stored securely if you create an account);
o Transaction information such as details about payments from you (although your financial data, such as payment card details, will be captured by our payment service providers and not by us directly);
o Preferences in receiving marketing from us and our third parties and your communication preferences.
We may also collect, use and share aggregated data such as statistical or demographic data for any purpose if you cannot be identified in any way. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Please be aware that our websites may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.
4. How do we collect and use your personal information?
We collect your personal information through different methods, including:
• Information you give us. You may give us your identity, contact and financial data when you fill in our contact forms, make a purchase from any of our websites or create an account with us.
• Information we receive from other sources . We may receive personal data about you from various third parties and public sources. For example, we may receive:
o technical data from analytics providers;
o contact, financial and transaction data from providers of technical, payment and delivery services; and
o identity and contact data from selected business partners, data brokers or aggregators.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
· where we need to perform a contract we are about to enter into, or have entered into with you;
· where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
· where we need to comply with a legal or regulatory obligation.
Generally, we do not rely on consent as a legal basis for processing your personal information other than in relation to sending direct marketing communications to you by electronic means or permitting our selected third parties to do so. You have the right to withdraw consent to marketing at any time by contacting us.
5. What is our legal basis for collecting and using your personal information?
We will use your personal information in the following ways and for the purposes set out below. We have identified our legitimate interests where appropriate.
Your data collected as part of access to our site and the platform it resides upon (e.g. technical data). Detection and prevention of crime, improvement of the site based on access methods, availability and capacity planning of our website, to deliver relevant website content and advertisements and to make suggestions about goods and/or services that may interest you. We need this information for our legitimate interests as the controller of this data (for running our business, provision of IT and administration services, network security, growing our business and informing our marketing strategy).
Your personal information is shared with regulatory bodies (Driver and Vehicle Standards Authority for Driver CPC and Oxford & Cambridge RSA Examinations for Transport Manager Certificate of Professional Competence qualifications) This information is shared to these 3rd parties to confirm your identity and to issue certificates and confirm your identity For the regulatory bodies for both the Driver CPC and Transport manager CPC need to confirm your personal information to allow them to record qualifications gained against you.
The data you share with us as part of the contact us form (e.g. information about your identity, profile and your contact details). To be able to answer queries and respond to your requests that you make to us. Necessary for our legitimate interests (to run our business, manage our relationship with you and keep our records updated).
You have also agreed for us to process your data in this manner to answer the query that you have, in the first instance.
Our basis for processing your data might also include performance of a contract with you, if we are bound by contract and your query relates to a purchase you have made.
It is also necessary for our legitimate interests (e.g. to recover debts due to us, manage our relationship with you and keep our records updated).
6. What if you do not want to provide your personal information?
You do not have to provide your personal information to us. However, should you choose not to provide it, you may be unable to use our website and will not be able to request our assistance or make a purchase. Where we need to collect personal data by law or under the terms of a contract we have with you (e.g. if you try to buy anything from us) and you fail to provide it when requested, we may not be able to perform the contract we have or are trying to enter into with you and may have to cancel the product and/or service you have with us (but we will notify you at the time if this is the case).
7. How is your personal information protected?
We maintain strong physical, electronic and procedural safeguards to protect the confidentiality, integrity and availability of your personal information. We have taken appropriate security measures against illegal and/or unauthorised access to your personal information, and against the accidental loss of, or damage to, it.
8. Do we share your personal information with anyone?
Data is shared as part of the usage of the website with several parties outside of MDR that allow us to process your data. These parties, and the purposes for sharing the data, are set out below:
Microsoft Microsoft provide our email service and when you use our contact us forms these will be
Hosting providers These provide the physical devices that we use to host the website and provide the connectivity so that you can access it.
STRIPE / Payment service provider / Bank If you purchase something from one of our e-liquid brand sites then to process your payment we may need to share information with our partners to process this payment.
Mail and courier companies If you buy something from us we will need to post / deliver this to you so we need to share information with these companies to fulfil your request.
Your personal information is shared with regulatory bodies (Driver and Vehicle Standards Authority for Driver CPC and Oxford & Cambridge RSA Examinations for Transport Manager Certificate of Professional Competence qualifications) This information is shared to these 3rd parties to confirm your identity and to issue certificates and up upload CPC awards onto their systems
We may also need to share your personal information with the following in limited circumstances:
• IT security providers;
o External advisors (for example solicitors or auditors); and
o Public authorities or law enforcement.
If we sell or buy (or plan to sell or buy) any business or assets or seek investment from a third-party investor, we may disclose your personal data to the investor or prospective seller or buyer of such business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Notice.
Any time we provide access to your personal information to someone else, we will ensure that it is adequately secured to protect your privacy and that they comply with the requirements of the applicable data protection legislation.
9. Will your personal information be transferred outside of the EEA?
If you are a resident of a country in the EEA, we may need to transfer your personal information outside of the EEA, for example where our data storage facilities or processing locations are in another country.
Whenever we transfer your personal data outside of the EEA, we ensure a similar degree of protection is afforded to it by putting adequate, legally-approved safeguards in place, including at least one of the following:
• we will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
• where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe; and
• where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
If you would like more information about our safeguards, please contact us using the details inserted in Section 2 above.
10. How long do we keep your personal information?
We will only retain your personal data for as long as necessary to fulfil the purposes we hold it for, including for the purposes of satisfying any legal, accounting or reporting requirements. In general, we will need to keep the information that we collect from you for the following periods of time:
Your information Retention Period
Your data collected as part of access to our site and the platform it resides upon We will retain the analytics data for twenty-six (26) months. At which point the data will be anonymised or removed.
Data will be maintained on our servers including your IP address for 1 year from date of collection.
The data you share with us as part of the contact us form This will be retained for as long as the relationship between us to answer your query.
If your query relates to a purchase you have made then we will keep this for six (6) years in relation to the purchase you made and our business record requirements.
If you create an account or purchase something from us Your account information will be retained for the lifetime of the relationship between us.
Your transactional information will be maintained for six (6) years in line with MDR Training standard business records.
Your payment card information will be maintained for twenty-three (23) months as required by the card schemes under a contract that we hold with them.
We may sometimes need to keep a copy of your personal information for a longer period, for example in the event of an incident, to investigate a data breach or to comply with legal requirements. We will never keep your personal information for longer than we consider necessary.
In all cases, your personal information will be securely destroyed once the retention periods described above expire.
11. Email Newsletter
This website operates an email newsletter program (Mail Chimp), used to inform subscribers about products and services supplied by this website. Users can subscribe through an online automated process should they wish to do so but do so at their own discretion. Some subscriptions may be manually processed through prior written agreement with the user.
Users are clearly asked to select whether or not they wish to receive information from us in the future.
In compliance with GDPR Regulations subscribers are given the opportunity to un-subscribe at any time through an automated system. This process is detailed at the footer of each email campaign. If an automated un-subscription system is unavailable clear instructions on how to un-subscribe will by detailed instead.
12. What are your rights in respect of your personal information?
You have rights in respect of the personal information we hold on you, including the right to ask us to:
• inform you on how we collect and use it (this Privacy Notice is designed to do that);
• rectify it if you believe that it is incorrect;
• delete it (only to the extent you consented to us using it);
• provide you with a copy of any information we hold on you;
• request the transfer of it to you or a third party;
• tell you about automated decision-making solutions that we use; and
• restrict the processing of it e.g. stop processing or using it temporarily.
You can also object to our use of your personal information for our legitimate purposes at any time.
Should you want to exercise any of those rights, please contact us using the details set out in Section 2 above. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
Out partners use automated decision making for the following reasons:
· To decide if you are over 18 and able to purchase our products;
· To process your payment card for your purchase to be approved.
MDR Training (UK) Ltd does not handle these processes directly and they are provided to us. If you would like to know more about these processes and which companies to contact to find out how this data is processed then please contact us using the details set out in Section 2 above.
13. Will we do anything else with your information in the future?
Where we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal data where that reason is compatible with the original purpose.
Should it be necessary to use your personal data for a new, unrelated purpose, we will endeavour to notify you and communicate the legal basis which allows us to do so before starting any new processing.
The exception to this is where use of the personal information is required or permitted by law e.g. to a recall of any of our products, updated allergy advice or for another legal reason that may require us to contact you. In this case, we may process your personal information without your knowledge or consent.
14. You have the right to complain to us or our supervisory authority
You also have the right to lodge a complaint with our supervisory authority, the Information Commissioner’s Office, which can be contacted at the following:
Supervisory Authority UK Information Commissioner’s Office
Address Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Telephone 0303 123 1113
15. Changes to this Privacy Notice and your duty to inform us of changes
We may need to make changes to this Privacy Notice in the future (for example, to comply with new legal requirements).
Where that is the case, we will provide you with a revised Privacy Notice on our website, which you will be able to access. If required by law, we will seek your prior approval before revising this Privacy Notice.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us
Updated May 2018