Privacy Policy

Privacy Notice – Howden AllofUs 2023

We are Howden Group Services ("we", "us", "our"), acting as the Controller, and have created this privacy notice to explain when, why and how we process your personal data, the third parties with which we may share your personal data, what your rights are in the event we hold your personal data, and how you can enforce these rights with us.

1. Definitions

To be clear on what we mean in this privacy notice:

  • “personal data” means any information that can be used to identify a living individual;
  • “controller” means an organisation that decides why and how to collect personal data from or about an individual;
  • “processor” means an organisation that is engaged by a controller to process personal data on its behalf;
  • “Howden Group” means Howden Group Holdings Limited and any company or organisation in which Howden Group Holdings Limited holds significant share capital;
  • “third-party” means someone who isn’t you, us, or a company in the Howden Group.

2. Our contact details

We have a dedicated Data Protection Officer who can be contacted in the following ways should you have a data protection query, wish to enforce one of your rights, or wish to make a data protection complaint:

By e-mail: dpo@howdengrp.com

3. The types of individuals that this privacy notice relates to

This privacy notice relates to the following types of individuals, where we hold your personal data:

  • Individuals who are employees who submit a pledge.

4. The types of personal data that we collect

To administer the Howden AllofUs pledges, we may collect the following types of information about you:

  • Identity and contact data: for example, name, job title, country, and pledge.

5. How and when do we collect personal data

We may collect personal data at different times and through different channels, for example if: 

  • You visit our website;
  • You provide information in online forms or via email;
  • You provide us personal data through other channels such as direct.

6. The lawful reasons we rely upon to process personal data

We will only collect and process your personal data where we can satisfy one of the following lawful reasons:

  • To achieve our legitimate business interests; for example, to arrange and administer the AllOfUs campaign.

  • To comply with our contractual/legal obligations; for example, to comply with the terms of the Howden AllOfUs campaign to track your pledge activity and report on the total number of pledges.

  • With your consent; for example, when information is collected via the online form. Note that you can withdraw your consent by contacting us using the contact details included in this privacy notice.

  • To protect your vital interests: in extreme or unusual circumstances, we may need to use your information to protect your life or the lives of others.

As explained under the data rights section of this privacy notice, you have the right to object to us processing your personal data to achieve our legitimate business interests.

7. Who we share personal data with

Where applicable, we share personal data with the following recipients when we have a valid reason to do so:

  • Other Howden Group companies;
  • Service Providers who help us manage our IT and back office systems, or who provide platforms to us that we then use or make available to you;
  • Marketing fulfilment, webinar and customer satisfaction service providers, acting on our behalf in facilitating online events, providing marketing communications and capturing feedback on the Howden AllOfUs campaign.

8. Sharing personal data within the Howden Group

As stated above, and depending on our relationship with you and the services you may receive from us, we may share your personal data with other companies within the Howden Group. This will generally be for the following purposes:

  • To receive administrative support from those companies, such as the receipt of IT services;
  • For promotional purposes.

We will only share the minimum amount of personal data required to achieve these purposes, ensuring that we have a lawful basis to share personal data and that any processing undertaken on our behalf (even by another Howden Group company) is governed by a suitable data processing agreement.

9. International data transfers

For business purposes, to help prevent/detect crime or where required by law or regulation, we may need to transfer your personal data to parties based outside the UK. Where we do this, we will ensure that your information is protected in accordance with the applicable data protection requirements.

If the data protection laws of the country that the recipient of your data is based in are not recognised as providing sufficient protection by the UK, we will ensure that the recipient enters into a formal and enforceable legal agreement that reflects the standards required.

You can ask us for more information about the safeguards we use when sending your personal data overseas by contacting us on the details shown in the “our contact details” section of this privacy notice.

10. Retaining personal data

We retain personal data to meet a number of legal and regulatory requirements, as well as our own legitimate business interests.

In most cases we will retain your personal data for seven (7) years following the end of the AllOfUs campaign. We maintain a retention schedule that gives further information on the types of information we retain, how long we hold it for and why we hold it. You can request a copy of this by contacting us on the details included in this privacy notice.

11. Your data rights

Data protection law gives you rights relating to your personal data. This section gives you an overview of these rights, how they relate to the information you give us, the circumstances under which a right may not be absolute, and how you can send us a request to enforce one of these rights. We aim to provide a final response within one month of receiving a request, unless the request is particularly complex, in which case we will let you know when we expect to complete it by.

  • Right to access: You have a right to request a copy of the personal data that we hold on you, along with meaningful information on how it is used and who we share it with. This right always applies, but there are some instances where we may not be able to provide you with some or all of the information we hold. Where this is the case we will explain to you why when we respond to your request, unless the relevant laws or regulations prevent us from doing so.
  • Right to rectification: You have a right to ask us to correct inaccurate or incomplete personal data that we hold about you. We will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why.
  • Right to erasure: Also known as the right to be forgotten, you can request that we delete your personal data in certain circumstances, for example if we no longer need the personal data for the purpose(s) for which we collected it. We will either confirm to you that this has been done, or if we are unable to delete it due to a compelling overriding reason we will let you know why and also inform you how long we will hold it for.
  • Right to restrict processing: You can ask us to restrict the processing of your personal data in certain circumstances. If you do so, we will either confirm to you that this has been done, or if we are unable to do so, we will inform you why.
  • Right to data portability: In certain circumstances you have the right to request that your personal data be transferred to yourself or a nominated third party in a common, machine readable format. If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why.
  • Right to object to direct marketing: You can object to receiving direct marketing from us, and this right is absolute. You can do this by simply clicking on the unsubscribe link in any email you receive from us or alternatively getting in touch with us.
  • Right to object to processing based on our legitimate interests: Where we process your personal data to achieve a legitimate business interest of ours, as opposed to where we process your personal data to fulfil a contractual obligation or to satisfy a legal obligation, you have the right to challenge this. If you do so, we will either confirm to you that the processing has stopped, or if we believe there is a valid reason for the processing to continue, we will inform you why.
  • Right to object to automated decision-making: You have the right to object to decisions made about you using your personal data and undertaken by purely automated means. If you do so, we will arrange for someone to assess the automated decision and confirm the outcome of this assessment to you.

You can exercise any of these rights by contacting us using the information in the “our contact details” section of this notice and telling us which right (or rights) you would like to exercise. If you are unhappy with how we have used your personal data or if you believe we have failed to fulfil your data rights, you have the right to complain to us.

If you remain unhappy with our response, you may raise a complaint directly with the supervisory authority as shown in the table below. Although supervisory authorities do not award compensation, they can investigate concerns brought to them and take action if they decide that an organisation has failed to meet its data protection obligations:

United Kingdom: Information Commissioner’s Office

  • By e-mail: casework@ico.org.uk
  • By telephone: 0303 123 1113
  • By post: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF