Privacy notice
Last updated: November 2023
Version 1.3
Overview
tmc3 is a business located in the United Kingdom (UK). As such, we have a legal responsibility to comply with the UK version of the General Data Protection Regulation (UK GDPR) and Data Protection Act 18 (DPA 18). One of the requirements of the UK GDPR is to provide individuals with information on how tmc3 uses personal data. This privacy notice aims to meet that legal requirement.
Terminology
This privacy notice uses terminology that is defined in the UK GDPR. Examples include ‘personal data’, ‘processing’, ‘data subject’, etc.
‘We’ or ‘us’ refers to tmc3 limited. ‘You’ or ‘your’ refers to the reader, the intended audience of this privacy notice (external data subjects of tmc3 such as Potential Clients, Clients, Suppliers, etc.).
Scope
This Privacy Notice provides information on tmc3’s external data subjects, e.g., Potential Clients, Clients, Suppliers, Potential Employees, Employee Emergency Contacts, and Website Visitors. It does not cover tmc3’s internal data subjects: Employees and Associates. For Employees and Associates wishing to see the Internal Privacy Notice, please contact your line manager.
Data Processing Details
Purpose of Processing and Lawful Basis
tmc3 may use your personal data for a variety of purposes. Below is a list of the processing activities that occur on a regular or frequent basis. The brackets indicate the most applicable UK-GDPR Article 6 lawful basis that tmc3 relies on for this processing activity.
- Recruitment (Contract) - Recruitment of new employees, including the collection of CVs, interviews, and job offers.
- Emergency Contacts (Vital Interests) - The storage of emergency contacts for employees.
- Invoicing (Contract) - The issuing of invoices, in particular invoicing independent consultants.
- Incident Logs (Legal Obligation) - Records of security incidents, following the incident management standard, collection of evidence, and related investigations.
- Sales Prospect Management (Legitimate Interests) - Storage of contact information for sales prospects alongside records of meetings, conversations and calls.
- Hosting of Events (Legitimate Interests) - Records of events that tmc3 have hosted.
- Email Marketing (Consent) - Management of email marketing campaigns.
- Website Cookies (Consent) - The use of website cookies and related data on the tmc3 website.
Transfers of Personal Data
As part of tmc3’s standard business operations, we may transfer your personal data to third parties. Depending on the third party that data is transferred to, your information may be sent outside of the UK. In these instances, tmc3 will ensure that the appropriate safeguards have been applied to this transfer of data, including ensuring that any relevant contracts are UK-GDPR compliant.
Depending on your specific circumstances, your personal data may be sent to the following third parties or categories of third party:
- tmc3 clients.
- Microsoft 365.
- Financial & accounting management platforms.
- Government organisations (e.g., HMRC).
- Third parties that are related to information security management.
- Sales management platforms & bid management software.
- Third parties that control cookies on tmc3’s website.
If you need more specific information on these transfers, please contact us.
Retention Periods
tmc3 has set retention schedules which state how long we will keep personal data for. The majority of our data processing activities fall within the below categories; however, for some less frequent data processing activities we may have different retention schedules set. For more information on these other retention schedules, please contact us.
- Default Retention Schedule – For data which does not fit into another category, data is kept for 7 years after the data entry was created, at which point it is reviewed for further retention, deletion, or archiving.
- Emergency Contact Data – For data relating to the emergency contacts of employees, data is kept for 1 year after the end of employment, at which point, data is deleted.
- Financial Data – For any financial related data such as payroll data, pension data, tax records, invoices, etc., data is kept for 6 years after the end of the financial year, at which point, data is deleted.
- Incident Logs – For any data relating to an information security incident, data is held for 6 years after the date of last action, at which point, the data is reviewed for further retention or is deleted.
- Sales Prospect Data – For any data relating to a potential sales prospect or unsuccessful sales prospect, data is held for 4 years after the point of last contact, at which point, data is deleted.
- Contract Register – For any basic contact data relating to a current or previous client (data that includes contract negotiation, statements of work, meeting notes, etc.), data is held for 6 years after the end of the contract, at which point, data is deleted.
- Third Party Website Cookies – Please see the tmc3 cookie management system for details on the retention schedule of specific cookies.
tmc3 employs a retention schedule +1 system for management of data. We will keep data for the stated duration and then review data for deletion during an annual review of all data at some point during the following year.
Source of the Data
For the majority of cases, tmc3 will collect your personal data directly from you. In some instances, we may obtain your personal data from third parties:
- In the area of recruitment, if you applied for a job at tmc3, we may have obtained your personal data from recruitment agencies or from job listing websites. We may have obtained your data from your public information listed on social media websites (such as LinkedIn).
- For emergency contact data, we have been provided your data by the relevant employee.
tmc3 is often given access to Client systems. In this instance, we act as a data processor and do not control the data that we see or have access to.
Statutory and Contractual Obligations
For some data processing activities that tmc3 undertakes, you may have a statutory or contractual requirement to provide tmc3 with your personal data. In these instances, if you decide not to provide tmc3 with your personal data, this may have consequences. For example, it may void a contract which you have with tmc3.
General Information
Your UK GDPR Rights
Under the UK GDPR, you have rights that you may exercise at any time. Whilst you may exercise these rights at any time, tmc3 is not always obliged to comply with your requests. Each right has requirements and exemptions associated with it. For further information on these requirements and exemptions, please visit the Information Commissioner's Office (ICO) website:
- The Right to be Informed – You have the right to be informed about how tmc3 uses your personal data. We are required to provide you with details of our data processing activities (where they involve your personal data). Typically, tmc3 will provide this information to you in privacy notices such as this one.
- The Right of Access – You have the right to request a copy of the personal data that tmc3 holds about you.
- The Right to Rectification – If tmc3 holds personal data about you that is inaccurate or outdated, you have the right to request that this information is changed.
- The Right to Erasure – You have the right to request that tmc3 deletes personal data that relates to you.
- The Right to Restrict Processing – You have the right to request that tmc3 restricts or suppresses the further processing of your personal data.
- The Right to Data Portability – You have the right to request that tmc3 provide a copy of your personal data to you in a commonly used digital format.
- The Right to Object – You have the right to object to specific processing activities that tmc3 undertakes. Specifically, you may object if tmc3 is using your data for marketing purposes, for a task carried out in the public interest, for an exercise of official authority, or where we have relied on legitimate interests as a lawful basis.
- Rights in Relation to Automated Decision-Making Including Profiling – Where tmc3 uses IT systems to make decisions about you (with no human involvement or oversight), you have UK GDPR rights in relation to this. These rights include the ability to request human intervention to challenge a computer-made decision, or to request a check that an automated system is working as intended. Currently, tmc3 does not carry out any automated decision making or profiling.
The Right to Withdraw Consent
Where tmc3 has relied on consent as a UK GDPR Article 6 lawful basis or an Article 9 exemption, you have the right to withdraw this consent at any time. When you withdraw your consent for data processing, tmc3 will make reasonable efforts to stop the associated processing activity as soon as possible.
Right to lodge a complaint
You have the right to complain to the Information Commissioner's Office (ICO) if you are concerned about the way we have processed your personal information. They can be contacted via:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
tmc3’s Data Protection Officer
tmc3 has appointed a Data Protection Officer. They can be contacted here:
Name: Nathan Tittensor
Email: dataprotectionservices@tmc3.co.uk
Contact tmc3
If you have any questions or comments regarding the content of this Privacy Notice, please contact:
info@tmc3.co.uk
Or alternatively:
The Data Protection Officer
tmc3 Limited
Leeming Building
Ludgate Hill
Leeds
LS2 7HZ
Changes to our Privacy Notice
This Privacy Notice may be updated from time to time so you may wish to check it each time you submit personal information to us. The date of the most recent revisions will appear on this page. If material changes are made to our Privacy Notice(s), for instance affecting how we would like to use your personal information, we will provide a more prominent notice (including email notification of the changes to the notice).