FAB Awards 2024 - Privacy Policy

Privacy Policy

https://awarding.org.uk/privacy-policy/

1. INTRODUCTION

The Federation of Awarding Bodies (“the Federation”,”we”, “us”) takes data protection seriously. The use of the internet pages of the Federation is not possible without the provision of some personal data; however, if a data subject wishes to use certain services via our website, processing of further personal data could become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we will obtain consent from the data subject.

Personal data processing shall always be in line with the General Data Protection Regulation (GDPR) and in accordance with the country-specific legislation applicable to the Federation. By means of this privacy notice, we would like to inform the public why we collect and process personal data and data subjects rights relating to the collection and processing of personal data.

2. DEFINITIONS

This Privacy Policy of the Federation is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR) but for ease of understanding the following definitions apply.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law.

Personal data: any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic mental, economic, cultural or social identity of that natural person.

Data subject: any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.Third Party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation of alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available alignment or combination, restriction, erasure or destruction.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

3. NAME AND ADDRESS OF THE CONTROLLER

The controller is:

52 Grosvenor Gardens
London
SW1W 0AU

Phone: 07719 552157
Email: enquiries@awarding.org.uk
Website: www.awarding.org.uk

A data subject may contact our data protection officer directly with any enquiries relating to data protection.

4. NAME AND ADDRESS OF THE DATA PROTECTION OFFICER

The data protection officer of the controller is:

Karen Daws
Federation of Awarding Bodies
52 Grosvenor Gardens
London
SW1W 0AU

Phone: 07843 370685
Email: karen.daws@awarding.org.uk
Website: www.awarding.org.uk

5. NAME AND ADDRESS OF THE LEAD SUPERVISORY AUTHORITY

The lead supervisory authority overseeing the controller is:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire, SK9 5AF
United Kingdom

Phone: 0303 123 1113
Email: casework@ico.org.uk
Website: ico.org.uk

6. COOKIES AND SITE VISITATION TRACKING

The internet pages of the Federation use cookies. Cookies are text files that are stored in a computer system via an internet browser. They enable visited internet sites and servers to differentiate the individual browser of a data subject from other internet browsers that contain other cookies. Through the use of cookies, the Federation can provide the users of this website with more user-friendly services that would not be possible without the cookie setting. A data subject may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the internet browser used and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an internet browser or other software programs. This is possible in all popular internet browsers. If a data subject deactivates the setting of cookies in the internet browser used, not all functions of our website may be entirely usable.

Like most websites, this site uses Google Analytics to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website. Although Google Analytics records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to us. Google Analytics also records your computer’s IP address which could be used to personally identify you but Google does not grant us access to this. We consider Google to be a third party data processor (see section 16 below). Google Analytics makes use of cookies. Disabling cookies on your internet browser will stop Google Analytics from tracking any part of your visit to pages within this website.

7. REASONS/PURPOSES FOR PROCESSING INFORMATION

The following is a broad description of the way the Federation processes personal information. To understand how your own personal information is processed you may also need to refer to any personal communications you have received.

We process personal information to enable us to provide representative and support services to qualifications and assessment organisations and related stakeholders, to promote our services, to maintain our own accounts and records and to support and manage our employees.

We collect information relating to the above reasons/purpose from the following sources:

The data subject directly (e.g. from information entered into forms)
The data subject indirectly (e.g. information collected when you browse our site such as IP address and operating system)
Research provided by third party providers including search engines

We sometimes need to share the personal information we process with the individuals themselves and also with other organisations such as suppliers and service providers. Where this is necessary, we are required to comply with all aspects of the Data Protection Act (DPA), Privacy and Electronic Communications Regulation (PECR) and the EU General Data Protection Regulation (GDPR) as it applies.

8. RIGHTS OF THE DATA SUBJECT

GDPR affords EU Data Subjects with rights. These rights are summarised below. In order to assert any of these rights the Data Subject may contact the Data Protection Officer designated by FAB or another employee at any time.

The right of Confirmation: Each data subject shall have the right to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed.

The right of Access: Each data subject shall have the right to obtain from the controller, free information about his or her personal data stored at any time and a copy of this information. Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Whether this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

Right to Rectification: Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to Erasure (Right to be forgotten): Each data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have an obligation to erase personal data without delay where one of the statutory grounds applies, as long as the processing is not necessary.

Right of Restriction of Processing: Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where a statutory reason applies.

Right to Data Portability: Each data subject shall have the right granted by the European legislator, to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format.

Right to Object: Each data subject shall have the right to object, on grounds relating to his or her particular situation, at any time, to the processing of personal data concerning him or her.

Automated individual decision-making, including profiling: Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling.

Right to withdraw consent: Where consent forms the basis for processing, data subjects shall have the right to withdraw his or her consent to the processing of his or her personal data at any time. Data subjects can withdraw consent by logging into the user portal, clicking the privacy link in the menu and then updating the privacy settings as required. Data subjects can also contact the Data Protection Officer or any other employee to withdraw consent.

Right to Complain to the Supervisory Authority: Where consent forms the basis for processing, data subjects shall have the right to withdraw his or her consent to the processing of his or her personal data at any time. The details of the Supervisory Authority are contained at the top of this Privacy Notice.

9. LEGAL BASIS FOR THE PROCESSING

The legal basis for processing shall be where:

The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into contract;
Processing is necessary for compliance with a legal obligation to which the controller is subject;
Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Processing is necessary for the purposes of the legitimate interests pursed by the controller or by a third party, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

10. THE LEGITIMATE INTERESTS PURSUED BY THE CONTROLLER OR A THIRD PARTY

Where the processing of personal data is based on our legitimate interest, it is to carry out our business in favour of the well-being of all our employees and members

11. SECURITY OF PROCESSING

As the controller, the Federation has implemented technical and organisational measures to ensure personal data processed remains secure. However, absolute security cannot be guaranteed. Should a data subject have a particular concern about a particular method of data transmission, we will take reasonable steps to provide an alternative method.

12. TRANSFERS

It may sometimes be necessary to transfer personal information overseas. When transfers are needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the General Data Protection Regulation and in accordance with the country-specific legislation applicable to the Federation.

13. PERSONAL DATA RETENTION PERIODS

The criteria used to determine the retention period of personal data is the respective statutory retention period within the UK. After the expiration of that period, personal data shall be securely deleted, as long as it is no longer necessary for the fulfilment of the contract, the initiation of a contract, or in relation to other legal proceedings.

14. CONTRACTUAL OBLIGATION OF THE DATA SUBJECT TO PROVIDE THE PERSONAL DATA AND THE POSSIBLE CONSEQUENCES OF FAILURE TO PROVIDE SUCH DATA

Sometimes in order to conclude a contract it may be necessary that the data subject provides us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with him or her. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded.

15. AUTOMATED DECISION-MAKING & PROFILING

We do not process personal data for automatic decision-making profiling.

16. DATA PROTECTION FOR EMPLOYMENT & RECRUITMENT PROCEDURES

The Federation shall collect and process the personal data of applicants as part of the application procedure. The processing may be carried out electronically. This is the case, in particular, if an applicant submits corresponding application documents by e-mail or by means of a web form on the Federation website. If we conclude an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant, the application documents shall be automatically erased two months after notification of the refusal decision, provided that no other legitimate interests of the Federation are opposed to the erasure. Other legitimate interests could be complying with country-specific legislation, e.g. the UK Equality Act 2010.

17. DATA PROTECTION NOTIFICATION CONCERNING THE USE OF THIRD PARTY APPLICATIONS/SERVICES

We use a number of third parties to process personal data on our behalf. These third parties have been carefully chosen and all of them comply with the General Data Protection Regulation (GDPR).

Privacy Policies

SageOne (Privacy Policy)

Nyman Lisbon Paul (Privacy Policy)

Google (Privacy Policy)

MailChimp (Privacy Policy)

SurveyMonkey (Privacy Policy)

SageOne (Terms of Use/Data Protection)

Nyman Libson Paul (Terms of Use/Data Protection)

Google Analytics (Terms of Use/Data Privacy and Security)

MailChimp (Terms of use)

SurveyMonkey (Terms of use/GDPR Terms for Customers in Europe)

The last 2 of these third parties are based in the USA and are EU-U.S Privacy Shield compliant.

18. GENERAL

You may not transfer any of your rights under this privacy notice to any other person. We may transfer our rights under this privacy notice where we reasonably believe your rights will not be affected.

If any court or competent authority finds that any provision of this privacy notice (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy notice will not be affected.

Unless otherwise agreed no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

This notice will be governed by and interpreted according to the law of England and Wales. All disputes arising under the notice will be subject to the exclusive jurisdiction of the English and Welsh courts.

19. CHANGES TO THIS NOTICE

This notice was last updated on 24/01/23. We may change this policy by updating this page to reflect changes in the law or our privacy practices. However, we will not use your Personal Data in any new ways without your consent.