Data Protection Privacy Notice

This notice sets out how the Euro-Tec organisation seeks to protect personal data collected and processed during an investigation.  It covers all aspects relevant to our business as set out in General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This notice informs clients and other affected parties in understanding how we process personal data, along with the rights of individuals to be informed who may wish to query what data is held about them.

Reasons/purposes for processing information

We process personal information to enable us to provide investigatory services to government departments and the legal profession, also to maintain our own accounts and records.

Type/classes/categories of information processed

We process information relating to the above reasons/purposes. This information could include:

• personal details
• the investigation brief, results and related information
• family details 
• financial details
• education and employment details
• goods and services
• lifestyle and social circumstances

We also process sensitive data/special categories of information that could include:

• physical or medical health information

Who the information is processed about

• We process personal information about:
• government and commercial debtors
• witnesses 
• the subjects of investigations   
• clients
• business contacts 
• advisers and other professional experts
• suppliers

Lawful Basis for processing

Euro-Tec processes all personal data lawfully, fairly and in a transparent manner when providing investigatory services under the following lawful basis stated in The General Data Protection Regulation:

Article 6(1)(f)  Necessary for the purposes of Legitimate Interests pursued by the controller or a third party

Where Legitimate Interests is relied upon as a lawful basis we conduct a Legitimate Interest Assessment.

Euro-Tec processes all special categories data lawfully, fairly and in a transparent manner when providing investigatory services under the following Lawful Bases stated in the General Data Protection Regulation:

 Article 9(2)(e)  processing relates to personal data which are manifestly made public by the data subject.

 Article 9(2)(f)   processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

Source of personal data

The data we process originates from legally compliant publicly available and open source information, and personal data manifestly made public by the data subject. In addition it is supplied by Clients under the lawful basis of Legitimate Interests.

Automated decision making and profiling

Euro-Tec does not utilise automated decision making and profiling as stated in GDPR and DPA.

Who the information may be shared with

We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the GDPR and DPA. What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.  Where necessary or required we share information with: 

• police forces 
• government clients 
• legal clients 
• current, past or prospective employers
• professional investigators
• business associates and other professional bodies and advisers
• suppliers
• education and examining bodies
• family, associates or representatives of the person whose personal data we are processing
• regulatory and statutory bodies
• certification bodies for audit purposes

Client Information

Prior to any business relationship we will request from Clients personal information such as name, address, telephone number and email. We also obtain consent to process said information to confirm the accuracy of such details. In the event we do not proceed with an assignment the information will immediately be destroyed.

Transfer of data to third countries

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.  It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the GDPR and DPA.

Handling of personal data - Security, Protection and Retention

Euro-Tec adheres to the requirements and individual's rights contained in GDPR and DPA and ensures that personal data is:

 Fairly and lawfully processed;

 Processed for limited purposes;

 Adequate, relevant and not excessive;

 Accurate and up to date;

 Not kept for longer than is necessary;

 Processed in line with your rights;

 Secure; and

 Not transferred to other countries without adequate protection

Euro-Tec takes all reasonable technical and organisational precautions to prevent the loss, misuse or alteration of personal information. We have put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed including the following by way of example:

• Securely storing hard copy files that are strictly accessible only by the Euro-Tec partners.
• Complying with the data protection principal that data is kept for no longer than is necessary, after which it is securely disposed of.
• Wherever possible CJSM - Criminal Justice Secure eMail - which has end to end encryption is used for e-mail communications. If standard email is used Euro-Tec has the ability to encrypt information being sent.
• Not using mobile devices to send or receive emails.
• Not collecting or storing personal data from or on our web site
• Not storing personal data on computer databases
• Maintaining and reviewing data protection policies, procedures and assessments  
• Having firewalls, malware/anti-virus and recommended cyber security measures in place.
• Euro-Tec are certified to Cyber Essentials which is part of the UK National Cyber Security Programme. Displaying the Cyber Essentials badge demonstrates that Euro-Tec is adhering to Government endorsed standards to protect itself against cyber attacks. This certification is reviewed via an independent specialist third party assessment on an annual basis, and is recommended by ICO as part of its guidance on Information Security.
• Holding British Standards Institution BS102000:2013 for the provision of investigative services, certificated annually via UKAS by means of an annual external audit.

Individual's Rights

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, please submit your request in writing to: The Data Controller, Euro-Tec Investigation Service, The Malthouse, off Hummer Road, Egham, Surrey TW20 9BD. Please note Under the DPA & GDPR Euro-Tec are required to verify the identity of the person submitting an objection, therefore all such requests must include the individual's full name, address and telephone number. The sender may also be requested to supply paper evidence of their identity.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Data Controller

The data controller responsible for your personal data is Euro-Tec Investigation Service. Our data protection registration number is Z5102686. If you have any questions about this privacy notice or how we handle your personal information, please contact The Data Controller, Euro-Tec Investigation Service, The Malthouse, off Hummer Road, Egham, Surrey TW20 9BD.

Right to complain

You have right to lodge a complaint with the Information Commissioner’s Officer (ICO). The ICO can be contacted by telephone on 0303 123 113 - Monday to Friday, between 9am and 5pm - or by email at casework@ico.org.uk. You can also visit the ICO’s website by following this link: https://ico.org.uk/.

Last updated October 2018