Third party privacy policy
This policy describes how and why we collect store and use the personal data of third parties including our customers, suppliers, subcontractors, business partners, other stakeholders or members of the public during the course of running our business.
Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR).
Key terms
It would be helpful to start by explaining some key terms used in this policy:
| We, us, our | VolkerWessels UK and our group companies | |
| Personal data | Any information relating to an identified or identifiable individual | |
| Special category personal data | Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership Genetic data Biometric data (where used for identification purposes) Data concerning health, sex life or sexual orientation | |
| Data subject | The individual who the personal data relates to |
Personal data we collect about you
The personal data we collect about you depends on the particular services and/or work we are carrying out and our relationship with you. We may collect and use the following personal data about you which will include but is not limited to:
- your name and contact information, including email address and telephone number, job title and company details;
- the name of your organisation;
- information to check and verify your identity, eg your date of birth;
- location data, if you choose to give this to us;
- personal information contained within whistleblowing reports, a complaint or report of a concern;
- personal data necessary for subcontractor or supplier prequalification, tendering or subcontractor/supplier onboarding;
- personal data necessary to manage and administer orders, contracts, invoices or other general administration which is necessary to manage our business relationship with your organisation or a third party.
- information to enable us to comply with professional, legal or regulatory obligations to which we are subject.
- your contact history;
- information processed via our CCTV systems (where applicable);
- information from our IT systems;
- photographs;
- information obtained via our corporate communication system.
How your personal data is collected
We collect most of this personal data directly from you—in person, by telephone, text or email and/or via our website and apps. However, we may also collect information:
- from publicly accessible sources, eg Companies House or HM Land Registry or social media;
- directly from a third party;
- from cookies on our website—for more information on our use of cookies, please see our cookie policy which is available on our website
- via our IT systems, eg:
- from door entry systems and reception logs;
- CCTV and access control systems, communications systems, email and instant messaging systems;
How and why we use your personal data
Under data protection law, we can only use your personal data if we have a proper reason, eg:
- where you have given consent;
- to comply with our legal and regulatory obligations;
- for the performance of a contract with you or to take steps at your request before entering into a contract; or
- for our legitimate interests or those of a third party.
The table below explains what we may use your personal data for and why.
| What we use your personal data for | Our reasons | |
|---|---|---|
| Providing services to you | To perform our contract with you or to take steps at your request before entering into a contract | |
| Preventing and detecting fraud against you or us | For our legitimate interest, ie to minimise fraud that could be damaging for you and/or us | |
Conducting checks to identify our customers and verify their identity Screening for financial and other sanctions or embargoes Other activities necessary to comply with professional, legal and regulatory obligations that apply to our business, eg under health and safety law | Depending on the circumstances: —to comply with our legal and regulatory obligations —for our legitimate interests | |
| To enforce legal rights or defend or undertake legal proceedings | Depending on the circumstances: —to comply with our legal and regulatory obligations; —in other cases, for our legitimate interests, ie to protect our business, interests and rights | |
| Gathering and providing information required by or relating to audits, enquiries or investigations | Depending on the circumstances: —to comply with our legal and regulatory obligations; —in other cases, for our legitimate interests, ie to protect our business, interests and rights | |
| To investigate whistleblowing reports or reported concerns | For our legitimate interests | |
| Ensuring business policies are adhered to, eg policies covering security and internet use | For our legitimate interests, ie to make sure we are following our own internal procedures | |
| Operational reasons, such as improving efficiency, training and quality control | For our legitimate interests, ie to be as efficient as we can so we can deliver the best service to you. | |
| Ensuring the confidentiality of commercially sensitive information | Depending on the circumstances: —for our legitimate interests, ie to protect trade secrets and other commercially valuable information; —to comply with our legal and regulatory obligations | |
| Preventing unauthorised access and modifications to systems | Depending on the circumstances: —for our legitimate interests, ie to prevent and detect criminal activity that could be damaging for you and/or us; —to comply with our legal and regulatory obligations | |
| Protecting the security of systems and data used to provide the services | To comply with our legal and regulatory obligations We may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests, ie to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us | |
| Updating and enhancing customer records | Depending on the circumstances: —to perform our contract with you or to take steps at your request before entering into a contract; —to comply with our legal and regulatory obligations; —for our legitimate interests, eg making sure that we can keep in touch with our customers about existing orders and new orders | |
| Statutory returns | To comply with our legal and regulatory obligations | |
| Ensuring safe working practices, staff administration and assessments | Depending on the circumstances: —to comply with our legal and regulatory obligations; —for our legitimate interests, eg to make sure we are following our own internal procedures and working efficiently so we can deliver the best service | |
| Credit reference checks via external credit reference agencies | For our legitimate interests | |
| External audits and quality checks, eg for ISO accreditation and the audit of our accounts | Depending on the circumstances: —for our legitimate interests, ie to maintain our accreditations so we can demonstrate we operate at the highest standards; —to comply with our legal and regulatory obligations |
Who we share your personal data with
We may share your personal data with companies within the VolkerWessels UK group to the extent necessary to fulfil the relevant purpose. We may also share your personal data with third parties we use to help us to deliver our services and our customers or other suppliers and stakeholders where it is in our legitimate interests to do so.
We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data.
We or the third parties mentioned above occasionally also share personal data with:
- our and their external auditors, eg in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;
- our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
- law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations.
How long your personal data will be kept
We will not keep your personal data for longer than we need it for the purpose for which it is used.
Transferring your personal data out of the UK and EEA
It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA.
We will only transfer your personal data to a country outside the UK/EEA where:
- the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR.
- there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or
- a specific exception applies under relevant data protection law.
Your rights
You have the following rights, which you can exercise free of charge:
| Access | The right to be provided with a copy of your personal data |
| Rectification | The right to require us to correct any mistakes in your personal data |
| Erasure (also known as the right to be forgotten) | The right to require us to delete your personal data—in certain situations |
| Restriction of processing | The right to require us to restrict processing of your personal data in certain circumstances, eg if you contest the accuracy of the data |
| Data portability | The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations |
| To object | The right to object: —at any time to your personal data being processed for direct marketing (including profiling); —in certain other situations to our continued processing of your personal data, eg processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims |
If you would like to exercise any of those rights, please email us at gdpr@volkerwessels.co.uk and let us know what right you want to exercise and the information to which your request relates.
Keeping your personal data secure
We have appropriate security measures to prevent personal data from being lost accidentally or used or accessed unlawfully.
We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
How to complain
Please contact us if you have any queries or concerns about our use of your personal data on gdpr@volkerwessels.co.uk. We hope we will be able to resolve any issues you may have.
You may also have the right to lodge a complaint with the Information Commissioner (the UK data protection regulator).
Updating your personal data
We take reasonable steps to ensure your personal data remains accurate and up to date. To help us with this, please let us know if any of the personal data you have provided to us has changed.