Access Alba, Disability Access Consultants, is a controller of personal information for the purposes of the General Data Protection Regulation (GDPR). Our contract details for data protection purposes are as follows:
Purpose of Privacy Notice
This privacy notice tells you what to expect when Access Alba process personal information. It applies to personal information about our customers, partners and clients. It tells you the purposes for which we may process information and the legal basis for the processing of personal data (‘processing’ includes us just keeping your personal information).
Why do we collect and store personal information?
We will need to collect, process and store personal information about you to provide our training, research, consultancy and advice services.
We will use your information to provide advice, products and services in line with the agreed contract or agreement in place. This includes responding to your enquiries and providing services to you via correspondence, such as email and phone. We may also use the information to ensure that our services have met your needs or to improve our services.
Our legal basis for processing
Access Alba has a lawful basis for obtaining personal data from customers and clients in accordance with the GDPR to fulfil our business obligations for our training, research, consultancy and advice services.
Some personal information that we collect about our customers or clients may be classified as “Special Category” personal data, for example, information provided relating to health and disability. The reason for gathering this sensitive information may be for the purposes of delivering effective research, training, and/or consultancy services. Customers and clients can choose whether to provide this personal information.
When we need to process personal information for purposes, other than defined in this privacy
policy, we will ask you to complete a consent form to grant us authorisation.
We may collect the following information about our customers under a lawful basis:
• To arrange and deliver training to our customers which may include understanding your access needs to provide reasonable adjustments
• To provide advice and support
• To provide access consultancy services
• To carry out research
• To deliver products purchased by our customers
Sharing your personal information
In delivering our services to customers and clients we may have occasion where we need to share your information to ensure a full and effective service. The sharing of information will be minimised and our service suppliers, as data processors, are required to treat the information confidentially and in in line with the GDPR.
There may be times when we will share your information with third parties to provide Access Alba services, or where we are legally required to do so. When sharing personal information, we will comply with all aspects of the GDPR. Sensitive information about health, sexual life, race, and religion for example, is subject to particularly stringent security and confidentiality measures.
When necessary, or as required, we may share information for the following:
- • To ensure premises are suitable for use for the purposes of training
- • Where there is a clear health or safety risk to an individual or members of the public, evidence of fraud against Access Alba, other irregular behavior or a matter Access Alba is investigating
- • To protect the vital interests of an individual in an emergency
How we manage your personal information
We will process your personal information in accordance with the principles of the GDPR.
We will treat your personal information fairly and lawfully.
We will ensure that your personal information is:
- • Processed for limited purposes
- • Kept up-to-date, accurate, relevant and not excessive
- • Not kept longer than necessary
- • Kept secure
Access to personal information will be restricted to authorised individuals on a strictly need to know basis. We are committed to keeping your personal details accurate, and we encourage you to inform us about any changes to ensure your details are correct.
Periods for which we will store your personal information
We will hold your records during the period of our contract or agreement, for a set period afterwards to allow us to meet our legal obligations, or where it is appropriate to retain for a longer period to enable ongoing business matters.
You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information. We can refuse to stop processing your personal information if we can relay a legitimate interest such as legal reasons.
Your Rights under the GDPR?
You have a number of rights under the GDPR.
Access to personal information
Under the GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information. This is known as a ‘subject access request’ (SAR). SARs need to be made in writing to the company Director and we ask that your written request is accompanied by a proof of your identity. We have one calendar month within which to provide you with the information you have asked for (although we will try to provide you with this as promptly as possible).
Information will be provided free of charge. However, a charge will apply for excessive or unreasonable requests for the costs of providing the information.
If you need us to correct any mistakes contained in the information we hold about you, you can let us know by contacting the company Director.
Erasure (‘right to be forgotten’)
You have the right to ask us to delete personal information we hold about you.
You can do this where:
- • The information is no longer necessary in relation to the purpose for which we originally collected or processed it
- • You withdraw your consent
- • You object to the processing and there is no overriding legitimate interest for us continuing the processing
- • We unlawfully processed the information
- • The personal information has to be erased in order to comply with a legal obligation
We can refuse to erase your personal information where the information is processed for the following reasons:
- • To exercise the right of freedom of expression and information
- • To enable the functions designed to protect the public to be achieved i.e. government or regulatory functions
- • To comply with a legal obligation or for the performance of a public interest task or exercise of official authority
- • For public health purposes in the public interest
- • Archiving purposes in the public interest, scientific research, historical research and statistical purposes
- • The exercise or defence of legal claims
- • Where we have an overriding legitimate interest for continuing with the processing
Restriction on processing
You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it.
You can do this where:
- • You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
- • You challenge whether we have a legitimate interest in using the information
- • If the processing is a breach of the GDPR or otherwise unlawful
- • If we no longer need the personal data but you need the information to establish, exercise or defend a legal claim
If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.
We must inform you when we decide to remove the restriction giving the reasons why.
Objection to processing
You have the right to object to processing where we say it is in our legitimate business interests. We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which override your interests and rights of the processing is necessary for us or someone else to bring or defend legal claims.
Withdrawal of consent
You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information. We can refuse if we can rely on another reason to process the information such as our legitimate interests.
Who can you complain to if you feel we are not handling your data correctly?
Access Alba, 23 Kellie Place, Dunbar, East Lothian, EH42 1GF
If you believe we are not handling your data correctly you have a right to make a complaint, this should be sent to us using the above contact details. If you are not satisfied with our response you should then contact the Independent Commissioner’s Office (ICO)