Updated 17/08/2019 Version 1.0-Website
Reason for collecting information
Dewi Development Ltd collects data in order to be able to deliver its services to its customers.
Dewi Development Ltd treats its data as a key asset of the business and recognises its importance and value to the business, as well as to the customers who own it.
In order to ensure its security, Dewi Development Ltd develops its IT policies and procedures to the ISO 27000 standards.
Information we collect
To deliver all of our services we will collect any of the following information:
- Contact name
- Contact job title
- Contact address
- Invoice name
- Invoice job title
- Invoice address
- Delivery address
- Contact phone numbers
- Contact e-mail addresses
- Service booked
- Payment details
- Service costs
- Customer feedback
By submitting an enquiry, we will collect the following additional information:
- Reason for enquiry
- Enquiry details
We will use invoice details to generate invoices which we will send to you electronically or post to you.
Where you request to pay by credit card, we will add invoice details into the invoice system of our partner organisation, iZettle, to generate an invoice. This will provide you with the option to pay the invoice through a link. Our partner will take your credit card details and process payment to ourselves. They will not hold your card details, but will maintain your contact information so we can easily invoice you again.
As part of providing training at your premises, we will collect any of the following additional information:
- Candidate full name
- Candidate address
- Candidate e-mail address
- Candidate phone numbers
- Candidate event details
- Candidate event results
- Candidate evaluation of event
- Booker’s feedback and impact of event
As part of providing application or website development, we will collect the following additional information:
- Service requirements
- Application requirements
- Test data
- User data, if hosting the system
As part of providing facilitated sessions or acting as consultant, we will collect the following information:
- Information gathered during consultation or facilitation
- Names of people taking part
- Contact details of people taking part
As part of providing you on-line access to the details of the services we have provided to you, we will collect the following information to manage your account.
- Password in an encrypted format
- Language preference
- E-mail address
- User action logs
- Information provided by your browser
Using our website
Like many sites, we collect ‘Log Data’ provided by your browser. The ‘Log Data’ can include:
- Browser and version
- IP address
- Pages of the site visited
- Date and time of visit
- Country visited from
- Time spent on a webpage
- Terms used to search to find the site
We use Google Analytics to help us understand how our site is used. This may provide additional anonymous analytic information not listed above. Please review Google Analytics if you require further information.
How we process data
We collect data solely to be able to deliver services to our customers.
We do not sell any data to any other business.
We use contact details to:
- Communicate about an estimate, quote, order, feedback
- Communicate about the contract
- Update you on our services
- Maintain a relationship with you
We use your invoice details to be able to:
- Invoice you for services or products
- Provide reminders of non-payments
- Provide receipts of payments
We use delivery address to:
- Deliver any products
- Log where a service is to be undertaken
We use order and service costs to:
- Provide you with history of products and services provided to you
- Provide financial accounting to HMRC and Companies House
We use customer feedback to promote our services:
- On the website
- In marketing materials
We process your enquiry to be able to respond to your individual questions.
We log the type of enquiry to:
- Handle your enquiry through the right team and in the appropriate time frame
- Understand the trends in enquiries we receive.
We collect your candidate details to manage the event. This includes:
- Pre-event information
- Pre-event evaluation
- Post event information
- Post event evaluation
- Notification of changes to the event
We collect your candidate results and contact details to:
- Request the certificates from the awarding body
- Send you your certificates of completion
- Notify you of relevant CPD development opportunities
- Notify you of qualifications that you need to renew
We collect your evaluation information to:
- Improve the events in the future.
- Develop future courses/events.
We collect booker’s feedback and impact assessments to:
- Review how our courses supported your development in the workplace.
- Develop future courses/events
We will enter your candidate name and results information in the NucoPlus system, administered by Nuco Training, in order to request your certificates. We may add your delivery address information into the NucoPlus system in order for your course certificates to be delivered direct to your company.
We work in partnership with Viking Training Ltd, who may deliver some courses on our behalf. We will share event and candidate information with Viking Training Ltd in order for them to deliver the event on our behalf.
If an accident or safeguarding concern takes place during the event, we may use data to pass to the appropriate authority to help protect your interests and life. This may include, but is not limited to, the Police, Ambulance Service or Social Services.
We use information to set up services to meet your needs. This may be with our systems or with third parties as discussed with you.
We use application requirement information to build the websites or specialised applications to meet your needs.
We use username information to set up users in the systems, to allow your users to access the websites or applications.
We utilise provided data to test that the application or website works as specified. We will generate data as part of this testing.
We will use application requirements and may use test data to support the development of user manuals for your systems.
We will store the data generated by the websites or applications we have developed for you, where you have requested we host your systems.
We will only access this data:
- When requested by yourselves for support
- To diagnose a problem reported by yourselves
- To test the system when implementing an upgrade
We will use the data collected during a facilitated session or consultation to:
- Progress the facilitation or consultation
- Produce a post session report
- Carry out research into the area of consultation, as requested by yourselves
We will use names and contact details of people taking part in the facilitation or consultation for:
- Distribution of pre event information, where required
- Information within post event reports, written for your attention
- Distribution of post facilitation or consultation information or reports
- Distribution of post event evaluation, where applicable
If you register for the on-line portal, we will store your account details and site preferences.
We will use your account details to manage your access to your own account, so you can view the services you have booked or received with us and manage your personal details.
We will use user log details to:
- Report your login history and identify breaches of access
- Investigate concerns raised about inappropriate use of the system
- Investigate reports of incorrect data in the system
We will use account settings to lock accounts where there is concern of attempted breaches of access.
We will use account settings to block access where we have reasonable information of misuse of the system.
Information provided by the browser
We collect browser information to:
- Identify attempted breaches to the system
- Help us to improve our website experience by understanding the devices, browsers and countries accessing our systems
- Understand the pages that:
  - receive a lot of visits
  - people spend a long time reading
  - people do not stay on
  - fail to load and provide errors
- Understand what search words bring people to the website
Legal basis for processing data
By ordering with us, you begin a contract with us to deliver a service or product to you. We process your data for the duration of the contract in order to deliver your service or product.
We have a legal obligation to maintain financial records and to report to HMRC and Companies House on a yearly basis.
We will utilise your order, invoice and payment details to support us in producing these reports.
We will share data with the police where we identify an illegal act has occurred or there is deemed to be a risk to life.
We will share data with the police where an appropriate warrant is produced, identifying that an illegal act has occurred and the data is required as evidence.
By raising a request with us, we process your information to respond to your request and provide you with your required information.
By ordering a service or product with us, we will use your contact details to:
- maintain a relationship with you
- keep you up to date with relevant services or products
- Keep you up to date with changes to the business
By undertaking training with us, we use your results to remind you of your options for Continual Professional Development (CPD) or renewal of qualifications, up to a year after the expiry of your qualification. This allows you to keep skills up to date and book renewal or CPD sessions with a relevant organisation.
You have the option to opt out of these services and to define which is your preferred communication method.
If during an event a Safeguarding concern arises with an adult and the decision is made to refer to the appropriate support agency, which could include, but is not limited to, the Police, Ambulance Service or Social Services, the consent of the adult will be sought verbally.
If a Safeguarding concern arises with an adult or child, where life is in danger, a referral will be made to the Police or Ambulance Service.
If an accident occurs during an event and the individual’s life is in danger, a referral will be made to the Ambulance Service, which may include the Police.
The appropriate data held by Dewi Development Ltd will be shared, where it is deemed appropriate in protecting the individual’s life.
Keeping your data secure
We work to the ISO 27000 standard for securing our IT infrastructure.
We use dual factor authentication for accessing information, where provided by the supplier.
We build our websites to use dual factor authentication.
We expect all administrators of your sites to use dual factor authentication.
We build all our websites with SSL encryption as standard.
We apply the latest updates released by vendors.
We back up all data with our hosts or on our internal backup drives.
Sharing of information
We only share data with our partners in order to deliver a service to our clients. We do not share data for any other reason.
We do not sell data to any other source.
We share data with partners when applicable for the following actions:
- Registering candidates on accredited courses with our awarding body and to issue certificates
- Informing our partner training organisation of the course they are delivering and for them to inform us of the candidate results
- To provide you with an invoice that you can pay by credit card
- Providing data to our accountants to complete our legal requirements for year end and tax reporting.
We are partnered with the following organisations:
- Nuco Training Ltd and First Aid Awards for accreditation of our courses
- Viking Training Ltd for partnered training
- iZettle to raise invoices that can be paid by credit card
- WBV Ltd for our yearly accounts
Hosting your website
Websites that we have developed for our clients are externally hosted.
We contract with 1&1 IONOS to provide this service.
1&1 IONOS provide the following services:
- Domain name management
- SSL certificates for domains
- E-mail management
- File storage
- MS Office licencing and hosting
Their services are hosted in the EU and compliant with EU GDPR regulations.
Your contract is held with Dewi Development Ltd and your contract data is not stored with 1&1 IONOS. Only data you store on the services listed in 3.3 is held with 1&1 IONOS.
1&1 IONOS manage the backup of their services.
We will at times create our own backup before implementing any changes to the systems we are managing for you.
Storage of your data
We store active work in the Cloud, allowing us to work remotely.
We store archived work on our own secure servers.
OneBox provides our Cloud storage solution. Their servers are based in Europe and meet the EU GDPR requirements.
Your data is encrypted and cannot be accessed by OneBox support staff without our authorisation.
If we need to transfer files between Dewi Development Ltd and yourselves, that contain personal or sensitive information, we will not do so by e-mail.
We will transfer files through OneBox, where we can control who can access files.
We will remove transfer files from OneBox, once they have been successfully transferred or the collaboration on the files has ended.
Data hosted in the Cloud environment will be backed up by the provider.
Data hosted on our secure servers will be backed up locally on a daily basis and off site on a weekly basis.
We have a Data Retention policy which defines the specifics of how long each type of data is held. This schedule is available on request.
In general, we keep customer data for the following lengths of time:
- Your customer file, order history and candidate results are kept for 6 years after you close your account.
- Your customer correspondence is kept for 6 years.
- Event information is kept for 1 year.
- Event evaluation and event candidates are kept for 4 years.
- Our financial records are kept for 7 years.
If an on-line account is held, the user can review their information through the on-line account and update their personal information.
Data information requests will be responded to within a maximum of 1 month.
There is no fee to request a review of personal data, except that a charge may be incurred to cover the administration cost where:
- Repeated requests are excessive
- The request is manifestly unfounded
Right to object
An individual may request not to have their data processed for particular activities. We can stop data being processed for:
- Updates on the service or product
- Information on similar relevant services or products
- Information on changes to the business
We will aim to change preferences the same working day, but it may take up to 30 working days to filter into already planned activities.
Right to be forgotten
An individual will be required to answer security questions to prove their identity and ownership of the data, before any data will be released.
All deletion requests will be considered and responded to in writing within one month.
All deletion requests will be considered against the General Data Protection Act (GDPR) 2018.
The erasure will not take place where it meets a reasonable need in line with the General Data Protection Act 2018. This may be due to, but is not limited to, data being held:
- As part of legal requirement
- For the establishment, exercise or defence of a legal claim
We will review the policy to ensure it still meets the need in the following situations:
- On a yearly basis
- When our systems which process our data are changed
- When there is an incident
We will investigate any concern of a data breach.
We will inform the Information Commissioner’s Office of any breaches within 72 hours.
We will inform individuals affected by the data breach, once individuals and impact are identified.
We will make changes to our policy and reasonable improvements to our systems to prevent the breach from occurring again.
Changes to the policy
The policy takes effect from the dates covered in the version control.
Privacy policies should be reviewed periodically.
Material changes to the policy will be notified to individuals via e-mail or through a prominent notification on the website.