- be transparent about the information we are collecting and what we will do with it
- only pass your details onto third parties who have contracted A&A Training to provide you with training on their behalf or to allow course certification to be issued. These organisations could include your employer, your education establishment or the Resuscitation Council (UK)
- not send you any marketing messages
- have measures in place to protect your information and keep it secure
- respect your data protection rights and aim to give you control over your own information.
If you have further questions, please get in touch with us by:
Post: Data Privacy Manager, A&A Training Ltd, Unit B Future Court, George Summers Close, Rochester, Kent, ME2 4EL.
Telephone: 01634 733841
DATA WE COLLECT ABOUT YOU
Personal data, or personal information, means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you:
- Identity Data: includes first name, last name, job title, employer or university details, place of work or study, username or similar identifier.
- Contact Data: includes billing address, delivery address, contact telephone numbers and e-mail address.
- Financial Data: includes bank account data and payment card details.
- Course Data: includes dates and times of courses that you have attended or completed online, the location of and course attended, whether you passed or failed a course and in some instances a score.
- Profile Data: includes your username and password and purchases made by you.
Where we need to collect personal data by law, or under the terms of a contract we have with you or an organisation who is providing you with training on their behalf, and we do not have that information, we may not be able to deliver the services to you.
We process personal data for several purposes and the means of its collection, the lawful basis of processing, storage, disclosure and retention periods for each purpose may differ.
Personal data will only be collected if you or another organisation that you are contracted to submits it, such as when signing up to our website, attending an event, purchasing a product or where needed to provide access to our services. Our policy is to only collect the personal data necessary for the agreed purposes and to only share where it is strictly needed for those purposes.
WHY YOUR DATA IS COLLECTED?
The law requires us to determine under which of the defined bases we process different categories of your personal information, and to notify you of the basis for each category.
If a basis on which we process your personal information is no longer relevant then we shall immediately stop processing your data. If the basis changes then, where required by law, we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.
Information we process for the purposes of Legitimate Interests
“Legitimate Interest” means the interest of our business in conducting and managing our business to enable us to give you the best service and secure experience. To run our business and pursue our legitimate interests, we need to use your information.
Our legitimate interests include keeping our records accurate and up to date, fulfilling our legal, compliance and contractual duties to our customers that may include you, your employer, your educational establishment or any other organisation that has provided training to you through us on their behalf.
In addition, our legitimate business interests include providing the best shopping and browsing experiences to our customers and visitors, to enable the use of our website and functionality and to protect their operation, to identify and resolve possible technical issues, and to continuously improve and protect our company, property and customers.
We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.
We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Information we process because we have a contractual obligation with you
Contractual obligation means processing your data where it is necessary for the performance of a contract to which you are a party. When you purchase a product or service from us, or otherwise agree to our terms and conditions, a contract is formed between you and us.
If you fail to provide personal data that we require for the performance of a contract with you, we cannot enter into a contract with you for the provision of our products or services.
Information we process because we have a legal obligation
Legal obligation means processing your data where it is necessary to comply with the law or other statutory obligation.
For example, we may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order. Information that we give them may include your personal data.
METHODS USED TO COLLECT PERSONAL DATA
We use different methods to collect information from you and about you.
We collect information when you purchase a product or service or use our services that have been provided by your employer, educational establishment or other organisation. This includes completing e-learning courses, face to face training, website store visits and corresponding with us.
We use CCTV in our office building and company vehicles for the prevention and detection of crime and for safety and security reasons of our staff, contractors and customers.
Our website may place and access certain cookies on your computer or device that are used to improve your access to it including, but not limited to, any login and personal settings. Cookies are small text files that are placed on your computer by websites you visit. Cookies help make our websites work and provide information to us about how users interact with our sites.
You can choose to enable or disable cookies in your internet browser and you can choose to delete cookies at any time.
By using our websites, you agree that we can place these types of cookies on your device. Automatically collected information may include:
- IP address
- Web browser type and version
- Operating system
- Your start page, pages visited and the page from where you exited our sites
Some data we collect automatically. We measure visitors to our website using Google Analytics. This records what pages you view on our website, how you arrived at our website and some basic information about your computer. All of that information is anonymous. We don’t know who you are – just that somebody visited our website and where they visited from.
The information we collect from analytics helps us understand what parts of our website are doing well, which pages are viewed, and so on. We use this information to make our website better. You can learn more about Google Analytics here:
And to opt out go to:
HOW WE USE YOUR PERSONAL DATA
The registration information you provide when you create an online account on our website, or complete a course booking / application form, allows us to give you access to the services and to supply them to you under our terms and conditions. Your registration information also helps us contact you if necessary, for example to send your course certificate or any manuals or pre-course information.
Your transaction information, that is the items or services you are purchasing, allows us to process your order and send you an accurate bill. We may contact you by email, phone or text message to give you updates, resolve problems or provide other information in relation to your transaction.
Where you pay for your transaction with an online or mobile payment we will send you transaction information via confirmation e-mails to the email address you gave us.
We send the registration sheets from our courses to our offices in hard copy (paper) format, and electronic formats including through a bespoke IT application, e-mail and encrypted messages.
Where a training course has been requested by an employer, educational establishment or other organisation, and they have sent their staff to attend, we will forward copies of the sign in sheets to validate attendance of their staff by e-mail. We will also provide summarised anonymous information from evaluation forms completed by candidates but may have to send original evaluation forms to allow the investigation of complaints or compliance issues.
E-mails from Us
We will send you e-mail notifications relating to contracted services or events only.
Direct Marketing by A&A Training
We will never send you any direct marketing information about any of our additional products or services.
Third Party Marketing
We will never pass, sell, trade or rent your personal data to any company outside of A&A Training or, where appropriate, the organisation who arranged training on your behalf.
CCTV and Telephone Calls
We may review CCTV at our office and in our company vehicles and may also record telephone calls into and out of our office. The purposes of any review would be for the prevention, detection and investigation of crime, to ensure compliance and contractual obligations with our customers are adhered to and to protect our business and staff.
DISCLOSURE OF YOUR PERSONAL DATA (DATA SHARING)
In providing you with the product or service you request, we may occasionally use third party companies to manage collation, processing and storage of your personal information on our behalf. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Third parties that we use include those that provide the following services:
- Course accreditation, such as the Resuscitation Council (UK), to ensure the course you are completing is at an agreed standard
- Payment gateways, such as RBS WorldPay and PayPal, to enable you to pay by credit or debit card
- IT development, support, maintenance and hosting, including the provision of applications and website hosting.
Internally, we limit access to personal information about you to employees who we believe reasonably need to come into contact with that particular information to provide products or services to you or in order to do their job.
Personal data may be shared with government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim.
We use RBS WorldPay to process the payments you make to us. A&A Training does not have access to your payment details with the exception of minimum data, so we may identify the sender of the money transaction. This data is just your name, address, e-mail address, amount paid and transaction number.
None of our external third parties are outside of the European Union, so your data will always be processed in accordance with the GDPR.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available by contacting our Data Privacy Manager.
In some circumstances you can ask us to delete your data.
SECURITY OF YOUR PERSONAL DATA
We take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. We have put in place procedures and technologies to maintain the security of personal data from the point of collection to the point of destruction.
We maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who are authorised to use the data can access it.
- Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users should be able to access the data if they need it for authorised purposes.
We follow strict procedures in the storage and disclosure of your personal data, and to protect it against accidental loss, destruction or damage.
YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
You have the right to:
- Request access to your personal data (sometimes known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
LINKS TO OTHER WEBSITES
REVIEW OF THIS POLICY
We may update this privacy notice from time to time as necessary. The terms that apply to you are those posted here on our website on the day you use our website. We advise you to keep a copy for your records.