Directory Privacy Notice
The aim of this data protection notice (Privacy Notice) is to inform the users of our directory www.uksupplychaindirectory.com ("the Directory") on the collection, use, disclosure, transfer, and other processing of their individually identifiable information (Personal Data). Please read this Privacy Notice carefully as it explains how we use any Personal Data that you provide to us in connection with the Directory. We may change this Privacy Notice and, when we do, we will post any changes on this page, so please check back frequently.
- Who we are
High Value Manufacturing Catapult (a company incorporated in England and Wales under company number 07708659) ("HVMC") ("we", "us" or "our") is the data controller for Personal Data processed on this Directory - and we work with Data City Innovations Ltd. (a company incorporated in England and Wales under company number 10958787) ("The Data City"), who help to co-ordinate and manage the Directory.
- Personal Data: collection, purposes and lawful basis
Categories of data subject: this Privacy Notice applies to the collection and processing of your Personal Data by us for the provision of the Directory. We collect Personal Data from you directly through your registration and use of our Directory, and through any additional Personal Data you provide during manual verification of your employment at a particular company. We also receive Personal Data indirectly from open source, public domain information gathered from reputable sources, which we utilise to verify company employment of data subjects who have claimed to work for a particular company and may use such information/sources/platforms to contact you as part of the verification process.
The table below provides this information including how we will use the Personal Data and the context for which we use your Personal Data:
Types of Personal Data Purpose Legal Basis Retention Source: Directly from you First name, surname, email address, company employer, job description, any Personal Data uploaded by the Data Subject for the purpose of registration and/or claiming a company on the Directory, and communications/complaints. To process and administer accounts and registration in relation to access to our Directory and services, including to verify employment at a particular company. The processing is necessary for performance of a contract. 6 years following the Data Subject's deregistration from the Directory To resolve any complaints Our legitimate interest to respond to any correspondence or queries you send us, and to send service information about products and/or services you've bought or requested. Your first name, surname, email address. To send you marketing material, email newsletters and other related information. Where required by privacy laws, your consent or where information is solicited. Otherwise, our legitimate interest to send you communications related to similar products or services to which you have previously purchased or entered into negotiations to purchase, where permitted by privacy laws.
Please see section 8 of this Privacy Notice for more information.
Until consent is withdrawn, or an objection / opt-out is received, as appropriate. Technical and usage data in relation to your use of the Directory (including information on which users are active on the Directory, the time they last logged in and the duration of their activity on the Directory). To analyse use of the Directory for product improvement purposes. Our legitimate interest to pursue opportunities to improve our Directory product. 6 years following the Data Subject's deregistration from the Directory All data mentioned. In connection with any merger, sale, reorganisation, transfer of our assets, investment, acquisition, bankruptcy, or similar event or corporate transaction. Necessary for our legitimate interests to ensure we can protect and grow our businesses and this joint venture. See above mentioned retention periods. All data mentioned. To help us improve and optimise our products and services. Necessary for our legitimate interests to maintain a high performing directory. See above mentioned retention periods. All data mentioned. To fully download directory data for disaster recovery and backup purposes. Necessary for our legitimate interests to ensure the continual function of the directory. See above mentioned retention periods. Source: Indirect Personal Data found in at least one of (i) a Claimant's LinkedIn profile or (ii) the relevant company's website To verify a user's employment with a company to ensure that they work for the company and can represent it properly on the Directory. Necessary for our legitimate interests to ensure that users of the Directory, that answer questions and act as the company's representative, actually work at the company. For until a decision has been made as to whether the user is verified and can access the Directory as a company representative or not. Personal Data provided by a company representative of other data subjects, to be specified as company contacts and to have their names and email addresses listed.* To specify a relevant company's contact(s) and contact details. Necessary for our legitimate interests to ensure that the Directory includes the appropriate company contacts. For until a contact objects to their Personal Data being processed
By acknowledging this Privacy Notice, you agree that you may only provide Personal Data of other individuals for registration to the Directory or to be put down as company contacts, if you have the individuals' express authorisation to do so. You also agree to make such individuals aware of this Privacy Notice when you provide us with their Personal Data.
In limited circumstances we may process any of the Personal Data we hold to the extent necessary to defend, establish and exercise legal claims or to comply with legal or regulatory obligations.
Where we need to collect Personal Data due to a legal or regulatory obligation, or for performance of a contract, and you do not provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our Directory). We will notify you of this at the time.
- Disclosure of your Personal Data
Depending on your dealings with us, we may share some or all of the Personal Data we collect from and obtain about you to the following:
Affiliates. Personal Data is shared between the High Value Manufacturing Catapult and its Affiliates (the centres listed at https://hvm.catapult.org.uk/ and specifically https://hvm.catapult.org.uk/who-we-are/our-centres/), as required for internal administrative purposes, management purposes, accessing the Personal Data to fulfil the purposes listed in this Privacy Notice, and other business-related purposes as described in this Privacy Notice.
Personnel. Personal Data is shared on a need-to-know basis to staff and personnel including Directory administrators, directors, shareholders, employees, contractors and other temporary workers, across HVMC and HVMC’s Affiliates.
Service Providers and Processors. We have appointed The Data City as our processor to assist with the coordination and management of the Directory.
We also engage third party vendors, from time to time, including:
- IT & website service providers
- Professional advisors such as tax or legal advisors (for example, as necessary for the establishment, exercise or defence of legal claims or to protect the rights or safety of the Directory and HVMC, its Affiliates)
- Agents, suppliers or sub-contractors and other associated organisations where they are engaged by us to help deliver a service that we have instructed them on.
We may provide information to analytics and search engine providers to help us improve and optimise our products and services (and anonymise this in line with industry standards where possible). We will only share this information in a form that does not directly identify you.
Third parties in case of a legal requirement. We also disclose your Personal Data if disclosure is required by law or in the context of an investigation, regulatory requirement, judicial proceeding, court order or legal process (including to law enforcement or competent authorities like the police / public tax authorities, including Her Majesty's Revenue & Customs in the UK).
Third parties in case of a corporate transaction. In addition, information about our customers, including Personal Data, may be disclosed as part of any merger, sale, transfer of our assets, investment, acquisition, bankruptcy, or similar event, including while engaging with our actual or potential investors.
Third parties who are verified as working at the same company as you who have registered with the Directory. We also disclose your name and email address to individuals verified as working at the company you claim to work at who have registered with the Directory. We do this for verification purposes to ensure details on the Directory are accurate and up to date.
- International transfers of your Personal Data
Some of the recipients listed in section 3 above may be based outside the European Economic Area and/or the United Kingdom. Whenever we make transfers of your Personal Data, we implement appropriate safeguards in accordance with applicable data protection laws, e.g., by sending to countries that have an adequacy decision by the European Commission and/or the UK Information Commissioner's Office or implementing appropriate safeguards such as the UK Addendum to the EU's Standard Contractual Clauses. If you would like to find out more about any such transfers or obtain a copy of safeguards, please contact us using the details set out in section 1.
- Retention of your Personal Data
We will not retain your Personal Data longer than it is necessary to carry out the purposes listed in this Privacy Notice or than is required by law.
We will generally store Personal Data in line with local statute of limitation laws to defend and manage claims (e.g. in the UK six years) from the end of the calendar year in which the engagement between the data subject and us has ended; but more specific retention periods are outlined above. These storage periods may however be exceeded if it is necessary to comply with legal retention periods.
- Your rights and how to exercise them
You have several rights in relation to your Personal Data set out in this section. In certain circumstances these rights might not be absolute, as they depend on our reason for processing your Personal Data. You are not required to pay any charge for exercising your rights, although we may charge a reasonable fee if your request is unfounded, repetitive or excessive. We have one month to respond to you (unless you have made a number of requests or your request is complex, in which case we may take up to an extra two months to respond).
Please note that, where we ask you for proof of identification, the one-month time limit does not begin until we have received this. If we require any clarification and/or further information on the scope of the request, the one-month deadline is paused until we receive that information.
If you would like to exercise any of your rights set out in this Privacy Notice, you can do so by contacting us at:
By post: 3rd Floor, Munro House, Duke Street, Leeds, Yorkshire, LS9 8AG
By phone: 0333 335 5665
By email: at [email protected].
Right to information
You have the right to request confirmation if your Personal Data is processed. When we process your Personal Data, you have a right to information about this Personal Data and for a copy of this information. For more information on your right to information, see Art. 15 of the GDPR/ UK GDPR.
Right to rectification
You have the right to request the rectification of incorrect Personal Data concerning you without delay. Taking into account the purposes of processing, you have the right to request the completion of incomplete Personal Data. For more information on your right to rectification, see Art. 16 of the GDPR/ UK GDPR.
We strive to ensure the accuracy of your Personal Data. We therefore ask you to notify us immediately of any changes to your data (such as changes in address), so that we can ensure that your Personal Data is up-to-date.
Right to erasure
If the legal requirements are met, you may request us to erase your Personal Data immediately. This shall be the case, in particular, where:
- your Personal Data will no longer be required for the purposes for which it was collected or otherwise processed;
- the processing of your Personal Data is based on your consent, you revoke this consent and we cannot base the processing on another legal basis;
- you have objected to the processing of your Personal Data on grounds relating to your particular situation and there are no overriding grounds for the processing of your Personal Data.
- if your Personal Data have been passed on to third parties and we are obligated to erase your Personal Data, we will inform these third parties about the erasure, insofar as this is required by law.
We would like to point out that your right to erasure is subject to restrictions. For example, we may not erase any Personal Data that we have to keep further due to legal requirements. Data that we need in order to assert, exercise or defend legal claims are also excluded from your right to erasure. For more information on your right to erasure, see Art. 17 of the GDPR/ UK GDPR.
Right to restriction
If the legal requirements are met, you may request a restriction on the processing of your Personal Data. This is particularly the case where:
- the accuracy of your Personal Data is contested by you, or the processing of your data will be limited for a period that allows us to verify the accuracy of your Personal Data;
- the processing of your Personal Data is not lawfully carried out and you require a restriction on the use of your Personal Data instead of the erasure of your Personal Data;
- we no longer need your Personal Data for the purposes of processing, but you need these data for the establishment, exercise or defence of legal claims;
- you have objected to the processing of your Personal Data on grounds relating to your particular situation, as long as it is not clear whether our legitimate grounds for processing outweigh your grounds.
For more information on your right to restriction of processing, see Art. 18 of the GDPR/ UK GDPR.
Right to data portability
You have the right to receive the Personal Data you have provided us and which we process for the fulfilment of the contract, on the basis of your consent or by automated procedures, in a structured, customary and machine-readable format. You also have the right to ask us to transmit this data directly to a third party, if this is technically feasible. For more information on your right to data portability, see Art. 20 of the GDPR / UK GDPR.
Right to complain
If you consider that the processing of your Personal Data violates applicable data protection laws, you may lodge a complaint with the Information Commissioner's Office in the UK. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance using the details at the start of this Privacy Notice.
Withdrawal of consent
If you have given your consent to the processing of your Personal Data, you can revoke it at any time with effect for the future. The lawfulness of the processing of your data before this remains unaffected.
RIGHT TO OBJECT
Right to object to the processing of your Personal Data during processing based on our legitimate interests.
If we process data on the basis of a legitimate interest, you can object to the processing at any time for reasons that arise from your particular situation. We will no longer process your Personal Data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
For more information on your right of objection, see Art. 21 of the GDPR/ UK GDPR.
We take steps to limit direct marketing to a reasonable and proportionate level and to send you communications which we believe may be of interest or relevance to you, based on the information we have about you. You may change your marketing preferences at any time by contacting us.
In particular, you can always opt-out of email marketing communications by clicking the "unsubscribe" link at the bottom of marketing emails, or by contacting the contact details provided in section 1. With postal and telephone marketing communications, you may opt-out by contacting the contact details in section 1.
When you choose to unsubscribe, your data is automatically moved to a suppression list to prevent your email address being accidentally added to our database again. If you wish your data to be fully deleted from our systems, we will do so at your request but, if your email address is at any point added back in to our newsletter database, by you or on your behalf, there will be no automated process in place to prevent a newsletter being emailed to you again. Please note that where we have another lawful basis for processing, we will continue to process Personal Data for other purposes - for example, we may process information based on contract necessity. You may also receive indirect marketing from us by way of general marketing communications (e.g. post or non-targeted adverts in the media etc).
- Any questions?
We hope this Privacy Notice has been helpful in setting out the way we handle your Personal Data and your rights to control it. If you have any questions that have not been covered, please contact the designated contact who will be pleased to help you via email: [email protected].
This Privacy Notice was last updated in March 2023.