General Data Protection Regulation (GDPR)
Introduction
Samarkand Limited are committed to protecting the data of the individuals and companies that we engage with. We fully support your data privacy and its alignment to the requirements of the Data Protection Act 1998 and, in substitution from 25 May 2018, the General Data Protection Regulation 2018 (“GDPR”) in respect of handling and processing personal data.
Data received from Clients
We will collect and process data that is provided to us from our clients. Personal data may be included in the data they provide about our consultants and trainers. It is important that contractual arrangements with those individuals clearly set out how our clients will use their data and with whom it could potentially be shared. We require all our clients to comply with the GDPR. By adding individuals’ personal data to our systems, or by sending personal data via email or by other methods to Samarkand Limited, the clients give consent to us processing the data and they confirm that they have obtained the appropriate consent from the relevant individuals for the personal data to be processed by Samarkand Limited. Samarkand Limited will retain and use this data to perform the contract between us and our clients whilst they remain in contract and will further use it where it is in Samarkand Limited’s legitimate interest, for example fraud prevention.
External Consultants and Suppliers
Samarkand Limited engage the services of external freelance consultants and suppliers for various purposes within the company.
It is necessary to obtain and retain personal data for the fulfilment of contracts. We collect this personal data in the capacity of a Data Controller. Data including but not limited to: names, addresses, contact details, professional qualifications, identification documents, bank details – will be held on our
Systems. We collect tutor and assessor personal data and use it for the purpose of maintaining centre approval to use them for formal qualifications through the awarding bodies of which we are members. Contracts are reviewed annually, and inactive partnerships deleted from systems. It is necessary to share bank details with our bankers to make payments for services, Samarkand Limited will always make sure that the details are only processed using secure banking systems. Samarkand Limited will never share this information elsewhere, outside of the company unless required to do so by a regulatory or legal authority.
Learners’ Data You may provide us with personal data when you book onto our courses. The personal data is usually limited to the details required for us to undertake the basic functions of an Approved Training Centre and processed as a ‘third party’ to related Awarding Bodies for the applicable certification process. These details will include a learner’s name, date of birth, gender and contact details.
Data sharing
Other than as set out in the next paragraph and even where we collect personal data in the capacity of a Data Controller, we will never distribute or share personal data that is held on our system with any third parties other than Samarkand Limited’s employees, consultants, sub-contractors only if required for operational delivery. We may also share personal data with Awarding Bodies in respect of:
- Security qualifications: learner details, including photo ID and signatures, will be provided to the SIA; and
- All qualifications or endorsed training : including names, dates of birth, addresses, signatures and contact details
- The Learning Record Service (LRS) – where unique learner numbers (ULNs) have been provided, learner and qualification data is shared with the LRS.
- Investigations carried out by Awarding Bodies and/or Regulatory Bodies.
Website use – tracking and monitoring
Our website uses cookies to distinguish you from other users of our website. We may automatically collect the following information when you visit our website: your IP (Internet Protocol) address, your login information, your browser type, time zone settings, browsers and operating systems used; and
information about your visit, such as the pages visited, or documents downloaded.
Where we store data
All data in Samarkand Limited’s systems is stored on an encrypted hard drive, our emails are hosted by our hosting provider(the server resides in Canada). The drive resides in the UK. Data is frequently backed up and stored in the backup/disaster recovery secure external hard drive. The hard drive have the necessary environmental, physical and technical controls in place to ensure unapproved access is prevented.
Data breach incidents
In line with our regulatory requirements, Samarkand Limited has a set of processes for issue and incident management, including data breaches. These processes include the required notifications to be sent to the Information Commissioners Office and to our clients, contractors and learners. This is reviewed annually and may be subject to change.
The General Data Protection Regulation 2018
Samarkand Limited has adapted its policies and procedures to ensure it is compliant with the GDPR. This document has been produced to represent our current status and will be reviewed annually and updated as processes are developed.
Under GDPR, individuals have certain rights when it comes to the control of personal data:
The right to be informed – Each individual has the right to be given information about how their data is being processed and why. Samarkand Limited have provided this policy to show how we handle your data.
The right of access – Samarkand Limited have a duty to comply with the requirements of Subject Access Requests (SAR)
The right to rectification – The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
The right to be forgotten – You have the right to ask Samarkand Limited to remove your data.
The right to restrict processing – You may restrict processing for a legitimate reason, we would still have the right to hold that information.
The right to data portability – You may be able to obtain the information we hold about you and use it for your own purposes. Conditions apply.
Should you wish to exercise any of your rights above, please email enquiries@samarkandgroup.co.uk stating the following information:
* Name
* Contact details
* Relationship to Subject
* Full details of information relating to your request
* Reason for request and the right being exercised.
You will be asked to verify your identity if you are the subject, alternatively you will be asked to provide consent from the subject if you are a representative.
Should we require further information we will contact you.
Your request will be dealt within one month of receipt of your request.