Last updated: 24/05/2018
In order to work with you, Wordbank Marketing Ltd (“the Company”) collects and processes your personal data.
When it comes to capturing and using data relating to individuals, there are some key legal requirements with which the Company needs to comply. The purpose of this statement is to set out how the Company meets these requirements and to ensure that every individual who provides data to the Company understands the legal basis on which that data is held, what it is used for, how it is stored and who has access to it.
This policy should be viewed alongside the:
The legislation that details the legal requirements the Company must follow in relation to data is the General Data Protection Regulation 2016 (“GDPR”).
2. KEY TERMS
GDPR is an extensive piece of legislation that seeks to protect individuals’ right to privacy. There are some key terms with which you need to be familiar in order to understand the Company’s approach in relation to GDPR. These are:
o Data Subject: the individual to whom the data relates
o Personal data: any information relating to an identified or identifiable natural person
o Processing: any action performed with the personal data (collection, recording, sharing, storing, etc.)
o Controller: the person or entity who determines what data to collect and the use of that data
o Processor: the person or entity that processes the data on behalf of, and as instructed by, the Controller
3. KEY ROLES WITHIN THE COMPANY
Within the Company, the following roles fulfil duties under this Privacy Statement:
o Controller: COO and HR
o Processors: COO, HR, Finance, Global Senior Management, Resource Network Management, employees of Wordbank Marketing Ltd
4. THE SIX PRIVACY PRINCIPLES
GDPR sets out six privacy principles with which the Company must comply. These principles are:
4.1 PURPOSE LIMITATION
The Company must clearly state the reason that data is being held and can then only process data for that reason. If the Company wants to use the data for a different reason than that for which the data was collected, the Company must inform the data subject.
4.2 DATA MINIMIZATION
The Company must only collect the data that is needed.
4.3 ACCURACY
The Company must take all reasonable steps to ensure that the data held is accurate.
4.4 STORAGE LIMITATION
The Company must only keep the data for as long as it is necessary.
4.5 INTEGRITY AND CONFIDENTIALITY
The Company must take all reasonable steps to ensure that the data held is kept securely and is only shared with people who have a legitimate need to have access to it.
4.6 LAWFULNESS, FAIRNESS AND TRANSPARENCY
The Company must have a legal basis for processing data and must be transparent about the data held, why and how it is held, who has access to it and for how long it is retained.
5. OUR LEGAL BASES FOR PROCESSING DATA
GDPR states that data can only be processed for one of six reasons – consent, contract, legal obligation, vital interests, public task and legitimate interests. Of these, four are applicable to the Company. These are:
5.1 CONTRACT
Contract is a lawful basis for processing data if a company is required to hold the data to fulfil its contractual obligations to the data subject. Much of the data that the Company holds on you falls under this basis.
5.2 LEGAL OBLIGATION
Legal obligation, as the name implies, relates to data that is needed for a company to fulfil a legal obligation. Some of the data that the Company holds on you falls under this basis.
5.3 VITAL INTERESTS
Vital Interests means there is a need to process data to protect someone’s life. It is extremely unlikely that this will ever apply to the Company. It is possible, however, that the Company may need to share information with the emergency services should something happen to you, and it is on this basis that the Company would rely.
5.4 LEGITIMATE INTERESTS
Legitimate Interests refer to situations where data is used in a way that an individual would reasonably expect.
6. THE RIGHTS OF DATA SUBJECTS
You, as a data subject, have particular rights under GDPR. These are:
6.1 THE RIGHT TO BE INFORMED
You have the right to know what data the Company holds about you, how it is held, what it is used for, who has access to it, how long it is held for, how you can see the data and the legal basis on which the data is held. The Company will meet the obligations under this right through this Privacy Statement and the additional policies named in the introduction.
6.2 THE RIGHT OF ACCESS
You have the right to see the data that the Company holds about you. The Company will meet the obligations under this right through the Subject Access Request Procedure.
6.3 THE RIGHT TO RECTIFICATION
You have the right to have any errors corrected in the personal data held about you.
6.4 THE RIGHT TO ERASURE
You have a right to request that personal data is deleted or destroyed where there is no compelling reason for the Company to continue to hold this data. It is important to note that if the Company is required to keep the data to fulfil a legal obligation, then the right to erasure does not apply.
6.5 THE RIGHT TO RESTRICT PROCESSING
You have a right to “block” the processing of personal data. This means that the Company can continue to store it but can no longer process it. This applies in very specific circumstances and cannot be applied if the restriction would prevent the Company from meeting any obligations under your contract of employment or from meeting a legal obligation.
6.6 THE RIGHT TO DATA PORTABILITY
You have a right to receive the personal data you have provided in a structured, commonly used and machine-readable format, and to move, copy or transfer it from one IT environment to another. This is unlikely to be relevant to the data held by the Company.
6.7 THE RIGHT TO OBJECT
You have the right to object to data being processed where the legal basis for that processing is either one of legitimate interest or the performance of a task in the public interest. You can also object if the processing of that data is for direct marketing.
6.8 RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING
You have a right to request that a human be involved in automated decision making. This is unlikely to be applicable in relation to the Company as no automated decision making processes are used.
7. THE DATA WE TYPICALLY HOLD
The table below sets out full information relating to our data processing. This helps us to ensure that you are fully informed. However, you also have shared responsibility for this. If you feel that there is anything missing from the list, please contact email@example.com.
1. CONTRACT
For clients who are currently engaged, or have previously engaged, with us for service delivery, we hold the following data to communicate with you, fulfil client-specific contractual obligations and keep a full history of Wordbank’s project execution for strategy, reporting and analysis. This data is accessible by the Project Management teams in our global Wordbank offices, as well as the Business Development and Finance teams. It is owned by Client Services.
In rare cases, personally identifiable information (PII) may be contained in content we are required to localize, such as a quote from a company CEO, internal communication content, etc. We hold that data to be able to fulfil our client-specific contractual obligations. This data is accessible by the Project Management teams in our global Wordbank offices. It is owned by Client Services.
|Data item|Purpose|
|Name and company address|To communicate with you and fulfil our client-specific contractual obligations|
|Individual company email address|To communicate with you and fulfil our client-specific contractual obligations|
|PII content contained in text for localization|To fulfil client-specific contractual obligations (provision of localization services)|
2. LEGITIMATE INTEREST
We hold the below data for customers who are currently engaged with us for service delivery or who have previously engaged with us. Based on that current or past activity with Wordbank, we believe that we have an ongoing legitimate interest in sending you information about related services or relevant content. If your interests have changed or our offering is not relevant to you, you can unsubscribe from those communications at any time.
Additionally, we may from time to time approach individuals within corporate bodies publicizing their business interests on LinkedIn, to send information about relevant services or content we believe to fit requirements. In this case, we believe the information we are imparting in our communications is pertinent to your company and corporate position and therefore is of commercial interest. However, we have a clear responsibility to protect the interests of those we are contacting and send messages via LinkedIn or email during a time-limited communication period to any one individual. At the end of that period, we delete the below data items. It’s easy for you to opt out of these communications at any time.
|Data item|Purpose|
|Name|We have a legitimate interest in marketing our services to existing, past and future customers to increase sales.|
|Individual company email address|We have a legitimate interest in marketing our services to existing, past and future customers to increase sales.|
8. TRANSFER OF PERSONAL DATA
Transfers of personal data outside the European Union must be reviewed carefully, prior to the transfer taking place, to ensure that the transfer falls within the limits imposed by the GDPR. This depends partly on the European Commission’s judgement as to the adequacy of the applicable safeguards for personal data in the receiving country and this may change over time.
As part of an international company, there are times when we will need to transfer personal data relating to you to Wordbank LLC, Denver, USA. Wordbank Marketing Ltd has a legally binding agreement referred to as Binding Corporate Rules (BCR) in place with Wordbank LLC, which ensures that data is handled in a way that is aligned to the UK Privacy Statement.
9. PRIVACY BY DESIGN
The Company has adopted the principle of privacy by design and will ensure that the definition and implementation of all new or significantly changed systems (that collect or process personal data) will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.
The data protection impact assessment will include:
o Consideration of how personal data will be processed and for what purposes
o Assessment of whether the proposed processing of personal data is both necessary and proportionate to those purpose(s)
o Assessment of the risks to individuals in processing the personal data
o Which controls are necessary to address the identified risks and demonstrate compliance with legislation
10. DATA PROTECTION OFFICER
A defined role of Data Protection Officer (DPO) is required under the GDPR if an organization is a public authority, if its core activities involve large-scale, regular and systematic monitoring of individuals, or if it processes special categories of data (such as health data) on a large scale. The DPO is required to have an appropriate level of knowledge and can either be an in-house resource or outsourced to an appropriate service provider.
Based on these criteria, the Company does not require a Data Protection Officer to be appointed.
11. BREACH NOTIFICATION
It is the Company’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority (DPA) will be informed within 72 hours of the Company becoming aware of it. This will be managed in accordance with the Data Breach Notification Procedure, which sets out the overall process for handling information security incidents.
12. ADDRESSING COMPLIANCE TO THE GDPR
The following actions are undertaken to ensure that the Company complies at all times with the accountability principle of the GDPR:
o The legal basis for processing personal data is clear and unambiguous
o The Company communicates with all individuals regarding the data held and the rights that individuals have in relation to that data
o All staff involved in handling personal data understand their responsibilities for following good data protection practice
o Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively
o Regular reviews of procedures involving personal data are carried out
o Privacy by design is adopted for all new or changed systems and processes
13. CONCERNS AND QUESTIONS
GDPR is new legislation and its interpretation will evolve over time. The Company will continue to adopt best endeavours to ensure ongoing compliance. However, if you have concerns about any of the actions that are being taken, or are unclear as to how the Company is complying with specific elements of the legislation, please contact the COO via firstname.lastname@example.org. We will then investigate the matter and respond to you within 28 days.