Privacy Policy
About us
We, Aromatherapy Trade Council (also referred to as ‘ATC’, ‘us’, ‘we’ or ‘our’), are a company registered in England No. 4118726 and our registered address is Connexions, 159 Princes Street, Ipswich IP1 1QJ
The purpose of this notice
This Notice is designed to help you understand what kind of information we collect in connection with providing membership benefits and technical and regulatory advice to both the representatives and employees of member organisations and non-member organisations and the general public and how we will process and use this information. In the course of providing the benefits of membership and/or technical and regulatory advice, we will collect and process information about you commonly known as ‘personal data’.
This Notice describes how we collect, use, share, retain and safeguard personal data.
This Notice sets out your individual rights; we explain these later in the Notice but in summary these rights include your right to know what data is held about you, how this data is processed and how you can place restrictions on the use of your data.
What is personal data?
Personal data is information relating to an identified or identifiable natural person. Examples include an individual’s name, age, address, date of birth, gender and contact details both business and private.
Personal data may contain information which is known as special categories of personal data. This may be information relating to and not limited to: an individual’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, or data relating to sexual orientation.
Personal data may also contain data relating to criminal convictions and offences.
For the purposes of safeguarding and processing criminal conviction and offence data responsibly, this data is treated in the same manner as special categories of personal data, where there are legal obligations to comply with specific data processing requirements.
PERSONAL DATA WE COLLECT
In order for us to provide and administer membership benefits and consultancy services for you and/or provide you with technical and regulatory advice, we will collect and process personal data about you. We will also collect your personal data where you request information about our consultancy services and categories and conditions of membership.
We may also need to collect personal data relating to others in order to provide and administer these services. In most circumstances, you will provide us with this information. Where you disclose the personal data of others, you must ensure you are entitled to do so.
You may provide us with personal data when completing online contact forms, when you contact us via the telephone, when writing to us directly or where we provide you with paper-based forms for completion or we complete a form in conjunction with you.
We will share your personal data with members of the management team, administrator and directors in order to provide you with membership and consultancy services and specialist advice.
We may also share personal data with authorised third parties, including our accountants and insurers and when booking venues for events like the Annual General Meeting and as required by law.
We will collect your personal data when you visit our website (contact us) and communicate with us, when we will collect your unique online electronic identifier; known as an IP address and any other personal data that you provide to us.
We may make a written record of your communications with us when contacting our administrator using our telephone contact point, but we do not record telephone calls electronically.
Where we collect data directly from you, we are considered to be the controller of that data i.e. we are the data controller. Where we use third parties to process your data, these parties are known as processors of your personal data.
A data ‘controller’ means the individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A data ‘processor’ means the individual or organisation which processes personal data on behalf of the controller.
In the process of providing the benefits of membership, consultancy and technical and regulatory information to you we will process the following categories of data:
Personal data such as an individual’s name, address, date of birth, gender, business and private contact details.
We do not intend to process special categories of personal data such as that related to health or data relating to criminal convictions and offences for example, relating to Company law, but if it is provided or we discover it as a result of performing due diligence, we will process it according to the provisions laid down in the UK GDPR.
If you object to the collection, sharing and use of your personal data we may be unable to provide you with the benefits of membership and/or consultancy and other services.
For the purposes of meeting the UK GDPR territorial scope requirements, the United Kingdom is identified as the named territory where the processing of personal data takes place.
Further information can be obtained from The Administrator
WHY DO WE NEED YOUR PERSONAL DATA?
For the representatives and employees of member organisations we will use your personal data to provide the benefits of membership in accordance with our contractual obligations described in our terms and conditions and codes of practice and to administer ATC in accordance with our Articles and Memorandum of Association, to provide consultancy, technical and regulatory advice and other services related to membership, to respond to requests for help and advice we receive from you and to process complaints.
The lawful basis for processing personal data in this way is:
Regulation (EU) 2016/679 Article 6, 1(b) where ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
For the representatives and employees of non-member organisations and the general public we will use your personal data to provide you with information and advice relating to membership and to provide you with technical, regulatory and business advice in response to requests for help and advice received from you.
The lawful basis for processing personal data in this way is in part (see section underlined):
Regulation (EU) 2016/679 Article 6, 1(b) where ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
And in part Regulation (EU) 2016/679 Article 6, 1(f) where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
In particular ATC considers it has a legitimate interest in processing personal data where technical, regulatory and/or business advice has been provided to an individual and is retained in order to protect both the interests of the individual and ATC as described below under data retention.
In some situations, we may request your consent to collect additional data from you.
Where we require consent, your rights and what you are consenting to will be clearly communicated to you. Where you provide consent, you can withdraw this at any time by contacting The Administrator.
DATA RETENTION
For the representatives and employees of member organisations we will retain your personal data whilst the organisation is a member and at the end of any contractual agreement, i.e. when membership ends for a period of 15 years. This data will be retained for both your protection and the protection of ATC, its administrator, management team and its directors should a late discovered incident give rise to a claim under the terms of our Directors and Officer’s Indemnity insurance when we will be able to provide full disclosure to both yourself and our insurers concerning correspondence and contractual arrangements in place at the time of the incident.
Where you make a complaint, we will retain the data for 15 years from the date of the complaint or termination of membership whichever is the later. Where we are made aware that an individual is no longer associated with a member organisation or the organisation is no longer a member of ATC we will delete their contact details from our address book within three months.
For representatives and employees of non-member organisations and the general public we will retain your personal data for a period of 15 years from the date of last contact. This data will be retained for both your protection and the protection of ATC it’s administrator, management team and its directors should a late discovered incident give rise to a claim under the terms of our Directors and Officer’s Indemnity insurance when we will be able to provide full disclosure to both yourself and our insurers concerning correspondence and contractual arrangements, if any, in place at the time of the incident.
Where you make a complaint, we will retain the data for 15 years from the date of the complaint or date of last contact whichever is the later.
Where you or law enforcement agencies inform us about any active investigation or potential criminal prosecution, we will comply with legal requirements when retaining this data.
The retaining of data is necessary where required for contractual, legal or regulatory purposes or for our legitimate business interests for statistical analysis and product development purposes.
Sometimes we may need to retain your data for longer, for example if we are representing you or defending ourselves in a legal dispute or as required by law or where evidence exists that a future claim may occur. For further information contact The Administrator.
You should be aware that before membership of ATC is granted to a company or organisation where you are a director or sole trader, we may seek and/or collect additional sources of information about you and your business activities including but not limited to a search at Companies House, and with financial and credit agencies. This information is required to complete our process of due diligence and to judge suitability for membership.
Please contact The Administrator if you object to the use of, or you have any questions relating to the use of, your data, the retention of your personal data or the way we intend to collect data.
YOUR RIGHTS
The UK GDPR provides individuals with legal rights governing the use of their personal data, including the right to understand what personal data relating to them is held, for what purpose, how it is collected and used, with whom it is shared, where it is located, to object to its processing, to have the data corrected if inaccurate, to take copies of the data and to place restrictions on its processing. Individuals can also request the deletion of their personal data.
These rights are known as Individual Rights under the UK GDPR. The following list details these rights:
- The right to be informed about the personal data being processed
- The right of access to your personal data
- The right to object to the processing of your personal data
- The right to restrict the processing of your personal data
- The right to rectification of your personal data
- The right to erasure of your personal data
- The right to data portability (to receive an electronic copy of your personal data)
- Rights relating to automated decision-making including profiling
Individuals can exercise their Individual Rights at any time. As required by law we will not charge a fee to process these requests, however if your request is considered to be repetitive, wholly unfounded and/or excessive, we are entitled to charge a reasonable administration fee.
In exercising your Individual Rights, you should understand that in some situations we may not be able to fully meet your request, for example if you make a request for us to delete all your personal data, we may be required to retain some data for taxation, prevention of crime and for regulatory and other statutory purposes and in pursuit of our legitimate interests as described above.
You should understand that when exercising your rights, a substantial public or vital interest may take precedence over any request you make. In addition, where these interests apply, we are required by law to grant access to this data for law enforcement, legal and/or health related matters.
If you require further information on your Individual Rights or you wish to exercise your Individual Rights, please contact The Administrator, or write to The ATC Administrator at our registered office – Connexions, 159 Princes Street, Ipswich IP1 1QJ.
PROTECTING YOUR DATA
We will take all appropriate technical and organisational steps to protect the confidentiality, integrity, availability and authenticity of your data, including when sharing your data within the management of ATC and authorised third parties.
COMPLAINTS
If you are dissatisfied with any aspect of the way in which we process your personal data, please contact The Administrator. You also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO). The ICO may be contacted via its website, by live chat or by calling their helpline on 0303 123 1113.
HOW TO CONTACT US
If you have any questions regarding this Notice, the use of your data and your Individual Rights please contact The Administrator.
Aromatherapy Trade Council is not and is not required to be registered with the UK Information Commissioner.