Our General Data and Privacy Policy
Privacy Policy 2023
Access 2 Comfort Limited
Access 2 Comfort Ltd (A2C) provides a team of Assessors competent in the delivery of Workplace and Display Screen Equipment (DSE) assessments. In addition, we can advise on equipment provision, setup and follow up as required. Our team comprises health professionals with a wealth of expertise and experience, including Ergonomists, Physiotherapists, Occupational Therapists and Health and Safety consultants.
Based in Spixworth since 2004, the team provides not only an efficient local service but also a reliable nationwide service throughout Great Britain, including IoM, Jersey and Guernsey.
A2C may collect and use certain personal data in relation to our customers, their employees, our suppliers, website visitors and others. We take the protection of personal data very seriously. We endeavour to follow best practice guidelines and safeguard the personal data we hold at all times.
This Privacy Policy tells you what data we collect, how we will use it, what your rights are and what we would do in the event of any security breach. It is intended to be a transparent and helpful guide to our procedures. If you have any questions or concerns at any time, please contact us at info@access2comfort.com
In this Policy we have set out:
- The types of data that we will process.
- The purposes for which we will process it.
- The legal basis on which we process data.
- Your data rights.
- How to exercise your data rights.
- Data security information.
- What happens if a data breach occurs.
TYPES OF DATA AND PURPOSES OF PROCESSING
Customer sales details and transaction data and correspondence: We may process personal data provided by our customers (and prospective customers) in the course of our business. This may include names, addresses and other contact details, customer relationship information etc. We use a Word-based system to manage this information. For us to use this system, we use an authentication process to access the data. We use this information for internal reference, sales fulfilment and processes and providing our services.
Product orders: To ensure that any requested equipment can be delivered and installed, we may share delivery information such as the customer’s name and address with the relevant manufacturer or installation partner. At the customer’s request, we may refer the customer to a trusted partner service for a speciality we are unable to conduct internally e.g. an interior architect or construction company.
Accounts information: For accounting purposes, we are required to keep delivery and contact details on our accounting system Sage. This data is kept for 6 years so that we can review the purchase history for warranty claims. We do not save any payment details on our accounting systems but use a separate secure gateway via an online banking system. Our accounting software is password protected.
Direct contact: If you should choose to contact us directly, we will respond to the email address or phone number we have been provided at the time of contact. This will be inputted onto our Word system for future reference. If an address has been provided, we may send you an introductory welcome brochure to the company address given to introduce you to our services.
Display Screen Equipment Assessments: A core service we provide is conducting Display Screen Equipment assessments for employees (and other personnel) working for our customers. These require us to work directly with the employees and provide a written assessment for our customers. This will consist of a Word document containing a blank assessment form for us to conduct on-site with the employee.
Once completed, the assessment form will not be shared with their employer (our customer) unless and to the extent that we are given written consent to do so by the employee. This consent will be sought when the assessment takes place. As we consult on behalf of the customer, we are required to keep a copy of this report on our secure UK-based server should we need it for professional liability cases. These records are safely disposed of after a 5-year period. The customer may wish to keep their copy of the assessment on file for the duration of the individual’s employment and for a period afterwards, subject to the customer’s own file retention policy.
Sensitive Personal Data: These Display Screen Equipment assessments and other consultant reports may consist of questions of a sensitive personal nature, which may include height, weight, pre-existing medical conditions, evidence (i.e. photographs of the employee working (see below)) and details on how we can correspond with the employee at work. We use this information to make ‘reasonable adjustments’ in accordance with The Health and Safety (Display Screen Equipment) Regulations 1992 and the Equality Act of 2010. We will only request information that we need to make an adequate suggestion to ensure that the employee can work safely and in accordance with these HSE acts. In accordance with the Display Screen Equipment act 1992, the customer will be required to keep a copy of this Display Screen Equipment assessment we have conducted for their records. We are occasionally asked by the customer to justify the specialist equipment that we have recommended.
As we are contracted to work on behalf of our customer to conduct DSE assessments, our customer will need to acquire consent from the individual receiving the assessment for us to record this information. We may discuss the pre-existing medical condition or musculoskeletal issue on the pre-assessment questionnaire to justify the recommendations for workplace adjustments. If we have received a written warning from the employer that the individual has requested that specific conditions not be mentioned on the report, we will not specify issues on our written report.
Unless we are requested to do so in a court of law, we do not share this sensitive personal data with persons outside our organisation, except our sub-contractors performing services on our behalf provided they are under equivalent restrictions and obligations.
Use of photographs: Our DSE consultancy services require us to evidence the working conditions of the user. The most efficient way for us to do this is to take photographs. Photographs must be taken on an assessor’s personal device and will be permanently deleted from the device once they have been attached to the report.
We will always request written consent via email from the employee to include their photograph in our report. In addition to this, we request that no recognisable sensitive company information is visible in the photograph such as identifiable documents on the screen. We do not share imagery with third parties, but photos may be used internally for training purposes.
We will not imply consent to share personal data between the employee and our employer point of contact.
Suppliers’ data: We may process personal data relating to our suppliers, including personal data provided by our suppliers in the course of our business. This may include names, addresses and other contact details, supplier relationship information etc. We will use this data for the purposes of our day-to-day dealings with our suppliers.
Staff data: We may process personal data relating to our employees as necessary, in which case the terms of this Privacy Policy shall apply.
Marketing data: We do not buy lists or share information with third parties about our customers or prospective customers for marketing purposes. We do not sell any marketing lists to third parties. We only market our own services based on the following legitimate interests/consent:
• When we have obtained a person’s details during a sale or negotiations for a sale of a product or service.
• When a person has asked or consented to be contacted.
• For marketing similar products or services.
• Where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt-out at this point, are given a simple way to do so in future messages.
Cookies and Google Analytics: Our website, like many others, uses Google Analytics to help analyse how visitors use our websites and to assist your user experience e.g. remembering what is in your basket or pre-populating web form fields. Google Analytics collects anonymous information using “cookies”.
Cookies are small pieces of data which are stored on your web browser while using a website. These cookies are used to store and retrieve browsing information when you load a webpage.
All cookie information we collect is completely anonymous and is only used to improve our website performance and usability.
Events: We often host events for educational, sales, partnership and marketing purposes. We only invite our pre-existing customers after seeking their permission to do so.
Sharing data: We may disclose your Information to others, subject to equivalent restrictions as contained in this Privacy Policy in these circumstances:
Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 736 of the UK Companies Act 1985.
When we subcontract the running of our services, business or any part of it to a third party.
Where our website interacts with a third-party service provider.
In the event that we sell or buy any business or assets, in which case we may disclose your Information in confidence to the prospective seller or buyer of such business or assets.
If we or substantially all our assets are transferred to or acquired by a third party, in which case all of your information will be one of the transferred assets on the equivalent terms and conditions as herein.
If we are under a duty to disclose or share your Information in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions and other agreements; or to protect the rights, property, or safety of us, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Retention of your information: We will endeavour not to keep your Information for longer than necessary in order to facilitate your use of our services and websites. You can request deletion of your data, as explained below, except that some prior content may remain in backup or cached copies for a reasonable time (but we will not make it available again to third parties) except that we may retain certain information to prevent identity theft, legal disputes and misconduct, even if deletion has been requested.
LEGAL BASIS OF PROCESSING
We shall only be entitled to process your Information as above to the extent that at least one of the following applies:
You have given consent to the processing of your information for one or more specific purposes.
Processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract.
Processing is necessary for compliance with a legal obligation to which we are subject.
Processing is necessary in order to protect your vital interests or those of another natural person.
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests of your fundamental rights and freedoms, which require protection of personal data.
Our legitimate interests may include:
The proper administration of our business, our services and our website.
The performance of our contractual obligations.
Monitoring and improving our services.
Taking steps at your request.
Communicating with users of our business and website.
The protection and assertion of legal rights.
The protection of our business against risks.
YOUR DATA RIGHTS
You have several rights as a data subject as summarised below:
Access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to access your information and details of how we process it, as long as this does not adversely affect the rights and freedoms of others. You may request a copy of information undergoing processing, subject to evidence of your identity (normally a certified copy of your passport plus an original copy of a utility bill showing your current address). The first copy shall be provided without charge, but reasonable administration fees shall be charged for additional or subsequent copies.
Rectification: We will rectify any errors in the information we hold on request.
Erasure: You may erase your information from our systems in the following situations:
The information is no longer necessary in relation to the purpose for which it was collected.
You withdraw your consent on which the processing is based and where there is no other legal ground for the processing.
You object to the processing and there are no overriding legitimate grounds for the processing.
The information has been unlawfully processed.
The information has to be erased for compliance with a legal obligation to which we are subject.
Right to restriction of processing: You have the right to restrict our processing on specified grounds.
Notification: Where you have asked us to rectify, erase or restrict processing of your information, we shall communicate the same to each recipient to whom your information has been disclosed, unless this proves impossible or involves disproportionate effort, in which case we shall let you know.
Data portability: You have the right in specific circumstances where processing is based on consent to receive your information in a structured, commonly used and machine-readable format and have the right to transmit the information to another controller without hindrance, provided that our processing is carried out by automated means.
Right to object: In certain circumstances, you have the right to object to our processing of your information, including in relation to profiling, direct marketing or scientific or historical research purposes.
EXERCISING YOUR DATA RIGHTS
You can exercise these rights by contacting us at tim@access2comfort.com or by post to:
Data Requests
Access 2 Comfort Ltd.
103 Buxton Road
Spixworth
Norwich
NR10 3PW
We shall respond to your requests without undue delay and in any event within one month unless we need to extend such period by up to two further months in specific circumstances. Please note that if you delete or restrict your account or required Information, this may prevent you from making full use of our services.
DATA SECURITY
Customer passwords: Where we have given you (or where you have chosen) a password, which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone, including people who work for us.
The transmission of your information via the Internet is not completely secure. Although we will do our best to protect your information, we cannot guarantee the security of your information transmitted to or from our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
LOCATIONS
Just Host is based in the USA, and although not directly approved by the EU-US Privacy Shield agreement, we, Access2Comfort Ltd, have assessed their data and privacy practices and policies as being sufficiently satisfactory and secure. Just Host has been GDPR compliant since 25 May 2018. This included work “behind the scenes,” such as reviewing and updating our agreements, policies, internal processes, features and templates to assure our compliance.
Internal security protocols: We take many precautions to safeguard our data including using the services of external IT providers who regularly update our devices with anti-virus software and ensure that every internal work device is password protected.
Within our organisation, it is a contractual obligation to only use password-protected devices that have been issued by A2C. To ensure that the data is protected, no information is to be recorded directly on to the device, but to assigned folders on our company cloud-based server. This cloud-based server is based in a UK data centre and has a full audit trail. Dependent on the role within our organisation, these folders will be restricted within assigned permission sets.
Physical data: We are required to keep physical copies of accounting information for our references such as receipts, Purchase Orders and Invoices. These are kept in secure locked storage facilities. We do not keep physical copies of sensitive personal data.
Personnel: We regularly spot check assessors’ devices to ensure that no data is stored on their devices and passwords are regularly changed. If our internal procedures are not adhered to, an investigation will be conducted and may result in disciplinary actions.
Devices and hard drives: If we are required for any reason to replace company devices i.e. computers or phones we will delete and destroy all information from the hard drive before reusing the device within the company, or recycling. We would seek the expertise of our contracted IT company to ensure that any data is destroyed absolutely.
WHAT HAPPENS IF A DATA BREACH OCCURS
Whilst we maintain that we do everything in our power to keep our data safe, we have an internal investigation procedure in case of data protection security breaches.
In the event of data theft, we are able to suspend access to our cloud-based servers, emails and online CRM systems to prevent further third party access to our data.
If we believe that our data has been compromised, we will report the issue to the Information Commissioner’s Office (ICO).
We will notify you without delay of any personal data breach that is likely to result in a high risk to your rights and freedoms. Any notification will describe in clear and plain language the nature of the personal data breach and contain all required information.
GENERAL
Amendments: We may amend this Privacy Policy from time to time by publishing a new version on our websites and/or by notifying you of changes by email. You should check this page regularly to ensure you are happy with any changes to this policy.
OUR DETAILS
Access 2 Comfort Ltd. is a company registered in England & Wales: No. 8786755.
Registered Address: The Union Building, 51-59 Rose Lane, Norwich, Norfolk, NR1 1BY