WHO ARE WE?
Creative Spaces is a trading name of G T Marketing Services Limited (GTMS), which is a private limited company that operates within the private industry sector within the UK to provide, instal and maintain fire alarm and security systems.
GTMS has a commitment to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 in the acquisition, processing and disposal of your personal data. This policy notice describes what that data is likely to be and outlines our commitment to process it, store it, access it and dispose of it in such a way that your personal data is protected at every stage of the operation. In certain circumstances, it will outline how we share this information and with whom.
WHO ARE YOU?
You are either a customer, a supplier or a member of staff of GTMS. In this case you will have provided or will provide certain personal data to us.
Alternatively, if you are merely a visitor to our web site or our premises, this policy notice informs you what data is captured and how.
HOW DO WE GET YOUR INFORMATION?
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- You are a customer or client of ours;
- You are a supplier or subcontractor to us;
- You have made a complaint or enquiry to us;
- You have made a complaint about us to a regulatory body;
- You have made an information request to us;
- You wish to attend, or have attended, an event;
- You subscribe to our e-newsletter;
- You have applied for a job or secondment with us; or
- You are representing your organisation, which falls into one of the categories above.
We also receive personal information indirectly, in the following scenarios:
- We have contacted an organisation about a complaint you have made and it gives us your personal information in its response.
- A complainant refers to you in their complaint correspondence.
- Whistleblowers include information about you in their reporting to us.
- From other regulators or law enforcement bodies.
- An employee of ours gives your contact details as an emergency contact or a referee.
If it is not disproportionate or prejudicial, we will contact you to let you know we are processing your personal information.
FOR WHAT DO WE USE YOUR INFORMATION?
This privacy notice tells you what to expect when GTMS collects personal information. It applies to information we collect about:
- visitors to our websites;
- survey on our blog;
- complainants and other individuals in relation to a data protection or
- freedom of information complaint or enquiry;
- people who use our services, e.g. who subscribe to our newsletter or request
- a publication or enquire about our services;
- visitors to our premises;
- people who notify under the Data Protection Act; and
- job applicants and our current and former employees.
VISITORS TO OUR WEBSITES
When you browse this website, you do so anonymously, unless you have previously indicated that you wish GTMS to remember your personal information or login and password. We use a third-party service, Google Analytics, to collect standard Internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
CREDIT CARD PAYMENTS
When you order products and pay via a credit or debit card, we will process transaction-related personal data, such as your first and last name, mailing and shipping address, phone number and email address. We will also process information about your purchases with us.
We will use such personal data to process and deliver your order, to provide notification of order status, and to update your profile periodically to ensure that we have the most accurate personal data available. We will also use said personal data to analyze customer behaviour and to customize our communication with you, if applicable.
If you opt-in (or upon request), we will send you promotional and marketing emails. These may be targeted to you based on your purchase history or online browsing behaviour.
For the protection of GTMS and others we release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements; or protect the rights, property or safety of GTMS, our users or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction. This does not include selling, renting, sharing or otherwise disclosing personally identifiable information from customers for commercial purposes in a way that is contrary to the commitments made in this Privacy Notice.
Other than as set out above, you will receive notice when information about you might go to third parties and you will have an opportunity to choose not to share the information.
All external transmissions of personal data facilitated by us are protected by encryption. Processing of personal data will take place in accordance with applicable legislation and best practices concerning data security.
We use WorldPay, an approved service provider, to collect and process transaction information.
Here is a link to their Security Policy:
SECURITY AND PERFORMANCE
GTMS uses a third-party service, WEBxMedia Limited, to help maintain the security and performance of GTMS website. To deliver this service it processes the IP addresses of visitors to GTMS website.
PEOPLE WHO TELEPHONE US
For customers who call GTMS’s service centre to use the customer support service or service desk, we will collect and handle that information for as long as is necessary to ensure the support has been given effectively. If the caller is a registered customer, the data will be handled in accordance with our policy on handling customer data. If not, the information will be retained for 6 months from the date of the call.
When you call GTMS by telephone we collect Calling Line Identification (CLI) information. We use this information to help improve its efficiency and effectiveness.
PEOPLE WHO EMAIL US
We use Transport Layer Security (TLS) to encrypt and protect email. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
PEOPLE WHO MAKE A COMPLAINT TO US
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant does not want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
When we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not identify any complainants unless the details have already been made public.
SERVICE PROVIDERS REPORTING A BREACH
Public electronic communications service providers are required by law to report any security breaches involving personal data to GTMS. If we are advised of any breach that affects the data that we hold about you, we will inform you as soon as possible, and at least within 48 hours.
JOB APPLICANTS, CURRENT AND FORMER GTMS EMPLOYEES
GTMS is the data controller for the information you provide during the recruitment and employment process, unless otherwise stated. If you have any queries about the process or how we handle your information, please contact us at Hr@gtms.co.uk
WHAT WILL WE DO WITH THE INFORMATION YOU PROVIDE TO US?
All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
WHAT INFORMATION DO WE ASK FOR, AND WHY?
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You do not have to provide what we ask for, but it might affect your application if you do not.
We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.
You will also be asked to provide equal opportunities information. This is not mandatory information – if you do not provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way that can identify you. Any information you do provide, will be used only to produce and monitor equal opportunities statistics.
Our hiring managers shortlist applications for interview. They will not be provided with your name or contact details or with your equal opportunities information if you have provided it.
We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test, or we might take interview notes. This information is held by GTMS.
If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.
If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
- Proof of your identity – you will be asked to attend our office with original documents, we will take copies. For your convenience, this will be done at the interview.
- Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies. For your convenience, this will be done at the interview.
We will contact your referees, using the details you provide in your application, directly to obtain references.
We may ask you to complete a questionnaire about your health. This is to establish your fitness to work. This is done through a data processor (please see below).
If we make a final offer, we will also ask you for the following:
- Bank details – to process salary payments
- Emergency contact details – so we know who to contact in case you have an emergency at work
- Membership of an existing pension scheme – so we can send you a questionnaire to determine whether you are eligible to re-join your previous scheme.
POST START DATE
Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest, or if they are active within a political party. If you complete a declaration, the information will be held on your personnel file.
USE OF DATA PROCESSORS
Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
If you accept a final offer from us, some of your personnel records will be held on Peninsular, which is an internally used HR records system.
If you accept a final offer from us, some of your personnel records may be held by Peninsular. This data will be held by Peninsular but GTMS will have access to it.
Here is a link to their Privacy Notice:
If you are employed by GTMS, relevant details about you will be provided to In2Events who provide payroll services to GTMS. This will include your name, bank details, address, date of birth, National Insurance Number and salary.
Likewise, your details will be provided to Legal & General who are the administrators of the company pension scheme, of which GTMS is a member organisation. You will be auto-enrolled into the pension scheme and details provided to Legal & General will be your name, date of birth, National Insurance number and salary. Your bank details will not be passed to Legal & General at this time.
Simply Health provide our Occupational Health service. If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered or advise us if any adjustments are needed to the work environment or systems so that you may work effectively.
We will send you a link to the questionnaire which will take you to Simply Health’s website. The information you provide will be held by Simply Health, who will provide us with a fit to work certificate or a report with recommendations. You are able to request to see the report before it is sent to us. If you decline for us to see it, then this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by Health Management.
Here is a link to their Privacy Notice:
USE OF A RECRUITMENT AGENCY
For vacancies, we sometimes advertise through Workshop Recruitment. Workshop Recruitment will collect the application information and might ask you to complete a work preference questionnaire which is used to assess your suitability for the role you have applied for, the results of which are assessed by recruiters. Information collected by Workshop Recruitment will be retained for 12 months following the end of our agreement.
Here is a link to their Privacy Notice:
FOR HOW LONG IS THE INFORMATION RETAINED?
If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.
If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.
Information generated throughout the assessment process, for example interview notes, is retained by us along with all other recruitment records.
Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.
Workshop Recruitment will provide us with management information about our recruitment campaigns. This is anonymized information which tells us about the effectiveness of campaigns, for example, from which source did we get the most candidates, equal opportunities information for monitoring purposes. This anonymized information will be retained for 7 years from the end of the campaign.
Under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) (EU) 2016/679, you have rights as an individual which you can exercise in relation to the information we hold about you.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
You can read more about these rights here:
COMPLAINTS OR QUERIES
GTMS tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of GTMS’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body that oversees data protection law – www.ico.org.uk/concerns.
ACCESS TO PERSONAL INFORMATION
GTMS tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Act or the Regulation.
YOUR RIGHT OF ACCESS
You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a ‘subject access request’.
HOW TO ACCESS YOUR DATA
You can make a subject access request to find out what data is held and how it is used. You may make a subject access request before exercising your other information rights.
You can make a subject access request verbally or in writing. If you make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence. It will also provide clear evidence of your actions.
To exercise your right of access, follow these steps:
- Identify where to send your request.
- Think about what personal data you want to access.
- Make your request directly to the organisation.
- State clearly what you want.
- You might not want all the personal data that the organisation holds about you. It may respond more quickly if you explain this and identify the specific data you want.
- When making a subject access request, include the following information:
- Your name and contact details.
- Any information used by the organisation to identify or distinguish you from other people with the same name (account numbers etc).
- Any details or relevant dates that will help it identify what you want.
- For example, you may want to ask for:
- your personnel file
- emails between ‘person A’ and ‘person B’ (say from 1 June 2018 to 1 Sept 2018)
- CCTV camera data situated at ‘location E’ on, say, 23 May 2017 from 11am to 5pm records detailing the transfer of your data to a third party.
- Keep a copy of your request.
- Keep any proof of postage or delivery.
- When to re-submit a request
You can ask an organisation for access more than once. However, it may be able to refuse access if your request is, as the law says, ‘manifestly unfounded or excessive’.
If you are thinking of resubmitting a request, you should think about whether:
- it is likely that your data has changed since your last request
- enough time has passed for it to be reasonable to request an update on
- how your data is being used, or
- the organisation has changed its activities or processes recently.
WHAT TO DO IF YOU DISAGREE WITH THE OUTCOME OR REMAIN DISSATISFIED
If you are unhappy with how the organisation has handled your request, you should first make a complaint to it.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise that you seek independent legal advice first.
WHAT ORGANISATIONS SHOULD DO
If an organisation reasonably needs more information to help it find your data or identify you, it has to ask you for the information it needs. It can then wait until it has all the necessary information before dealing with your request.
When it responds to your request, the organisation should provide you with a copy of your data. It may do this electronically. If you need your data in another format, you must ask if this is possible.
You are also entitled to be told the following things:
- What it is using your data for.
- Who it is sharing your data with.
- How long it will store your data, and how it made this decision.
- Information on your rights to challenge the accuracy of your data, to have it deleted, or to object to its use.
- Your right to complain to the ICO.
- Information on where your data came from.
- Whether your data is used for profiling or automated decision making and how it is doing this.
If it has transferred your data to a third country or an international organisation and, if so, what security measures it took.
WHEN CAN THE ORGANISATION SAY NO?
An organisation may refuse your subject access request if your data includes information about another individual, except where:
- the other individual has agreed to the disclosure, or
- it is reasonable to provide you with this information without the other individual’s consent.
In deciding this, the organisation will have to balance your right to access your data against the other individual’s rights regarding their own information.
The organisation can also refuse your request if it is ‘manifestly unfounded or excessive’.
In any case the organisation will need to tell you and justify its decision. It should also let you know about your right to complain to the ICO, or through the courts.
HOW LONG SHOULD THE ORGANISATION TAKE?
An organisation has one month to respond to your request. In certain circumstances it may need extra time to consider your request and can take up to an extra two months. If it is going to do this, it should let you know within one month that it needs more time and why. For more on this, see our guidance on Time Limits.
CAN THE ORGANISATION CHARGE A FEE FOR THIS?
A copy of your personal data should be provided free. An organisation may charge for additional copies. It can only charge a fee if it thinks the request is ‘manifestly unfounded or excessive’. If so, it may ask for a reasonable fee for administrative costs associated with the request.
DISCLOSURE OF PERSONAL INFORMATION
In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies.
Further information is available in our Information Charter about the factors we shall consider when deciding whether information should be disclosed.
You can also get further information on:
- agreements we have with other organisations for sharing information;
- circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymized statistics;
- our instructions to staff on how to collect, use and delete personal data; and
- how we check that the information we hold is accurate and up to date.
- Links to other websites
CHILDREN’S ONLINE PRIVACY PROTECTION
GTMS does not knowingly collect personal information from persons who are under 16 years of age. By agreeing to use our products or services, you represent that you are 16 years or older.
LINKS FROM OUR WEBSITES
Some pages of our websites contain external links. You are advised to verify the privacy practices of such other websites. We are not responsible for the manner of use or misuse of information made available by you at such other websites. We encourage you not to provide personal information, without assuring yourselves of the privacy practices of other websites.
CHANGES TO THIS PRIVACY NOTICE
We keep our privacy notice under regular review. This privacy notice was last updated on 16th May 2019.