1. Introduction
1.1 This paper sets out the policies operated by the International Dispute Resolution Centre (“IDRC”, “we” or “us”) in respect of Personal Data (as defined below) and privacy (the “Policy”).
1.2 We ensure that all our directors, employees, consultants and agents comply with this Policy.
1.3 Please read this Policy carefully to understand how we will treat your Personal Data.
1.4 If you have any comments on, or questions about this Policy, please email them to compliance@idrc.co.uk or to IDRC’s Data Protection Officer, as shown below.
2. Our obligation
2.1 IDRC is bound to comply with the UK Data Protection Act 2018, as amended from time to time, and the UK General Data Protection Regulation (UK GDPR) and all other data protection laws and regulations to which it is subject in respect of the protection of “Personal Data”, which is defined as any information relating to an identified or “Identifiable Natural Person”1 (“Data Subject”).
2.2 In compliance with UK GDPR, IDRC will, so far as is reasonably possible, ensure that all Personal Data that it obtains will be:
a) processed lawfully, fairly, and in a transparent manner in relation to the Data Subject;
b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes2;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
d) accurate and, where necessary, kept up to date3;
e) kept in a form that permits identification of a Data Subject for no longer than is necessary for the purposes for which the Personal Data is processed4;
f) processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
3. Who we are
3.1 The details that UK GDPR requires us to provide as a Data Controller are as follows:
- our website address is www.idrc.co.uk;
- our company name is International Dispute Resolution Centre Ltd;
- our registered address is 70 Fleet Street, London, EC4Y 1EU, UK;
- our Data Protection Officer is Damian Hickman, cdh@idrc.co.uk.
4. What we may collect
4.1 We may collect and process the following Personal Data:
- information that you put into forms or surveys on our website at any time;
- a record of any correspondence between us;
- details of transactions that you carry out through our website;
- details of your visits to our website and the resources you use there;
- information about your computer (including your IP address, browser, operating system) for system administration purposes and to report aggregated information to our advertisers.
5. How we treat the data we collect
5.1 We use information about you to:
- present website content effectively;
- provide information about services that you request, or (with your consent) which we think may interest you, regarding which, other people may also contact you;
- perform our contracts with you;
- allow you access to our interactive services; and
- tell you about our charges.
5.2 In accordance with UK GDPR, we will ensure that your Personal Data is processed lawfully, fairly and transparently, without adversely affecting your rights.
5.3 We will only process your Personal Data if at least one of the following applies:
a) you have given consent to the processing of your Personal Data for one or more specific purposes;
or processing is necessary:
b) for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
c) for compliance with a legal obligation to which we are subject;
d) to protect your vital interests or those of another natural person;
e) for the performance of a task carried out in the public interest or in the exercise of official authority vested in us as Data Controller;
f) for the purposes of our legitimate interests or those of a third party such as our credit card payment processors, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject, which require the protection of Personal Data.
5.4 In some cases, the collection of Personal Data may be a statutory or contractual requirement, and we will be limited in the services we can provide you if you do not provide your Personal Data in these cases.
5.5 It may be necessary to process and store data outside the United Kingdom to fulfil our contract with you and to deal with payments; in which case, we will take all reasonable steps to keep your data secure, but we cannot guarantee complete security of such data, which is at your risk.
5.6 If we give you a password in connection with any service we provide or any payment to be made, you must keep it confidential and not share it.
5.7 We do not identify individuals to our advertisers, but we do give them aggregated information to help them reach their target audiences, and we may use information we have collected to display advertisements to that audience.
5.8 If you are already a client of IDRC, we will only contact you electronically about services that are the same as, or similar to those which you have previously had from us.
5.9 If you are a new client, you will only be contacted by us if you have agreed that we may contact you.
5.10 If you do not want to be contacted for marketing purposes, please tick the relevant box that you will find on our website.
5.11 We will always take steps to notify you of:
- the purpose or purposes for which we intend to process your Personal Data;
- the details of third parties, if any, with whom we will share or to whom we will disclose your Personal Data;
- how you can limit our use and disclosure of your Personal Data;
- if we receive Personal Data relating to you from another source.
5.12 We will check your Personal Data regularly and keep it accurate and up-to-date to the best of our knowledge. If we identify inaccurate or out-of-date Personal Data, we will take reasonable steps to amend or to erase that data.
6. How we deal with Personal Data internally
6.1 IDRC:
- trains its employees in relation to our responsibilities under UK GDPR and in regard to data collection, retention and privacy, generally;
- ensures that only appropriately-trained, supervised and authorised personnel have access to the Personal Data we hold;
- regularly evaluates and reviews its collection and processing of Personal Data and the performance of employees and third parties working on our behalf, to ensure compliance with UK GDPR.
6.2 We keep internal records of the Personal Data that we collect and process, including (in relation to that Personal Data) details of the categories of data, any transfers of data, our security measures, the purpose of our data collection, and the duration of retention of the data. We also retain details of all third parties that either collect your Personal Data for us or who we use to process your Personal Data.
6.3 We carry out privacy impact assessments as required by law.
7. Security and storage
7.1 All Personal Data are stored securely5 to avoid misuse or loss, and we take all reasonable measures to safeguard against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.
7.2 We have in place practice and procedures to maintain the security, confidentiality, integrity and availability6 of all Personal Data from the point of collection to the point of destruction.
7.3 Personal Data will only be transferred to a third-party data processor if there is agreement by them to comply with IDRC practice and procedures.
7.4 Any Personal Data security breach will be managed by IDRC in accordance with UK GDPR. Any Data Subject becoming aware of such a breach must report it immediately to our Data Protection Officer.
7.5 We will notify the Information Commissioner’s Office (ICO) and any Data Subject of any security breach if and as required by UK GDPR. Even if such disclosure is not required by UK GDPR, we will nevertheless investigate the circumstances and seriousness of the breach and consider whether disclosure might, in any event, be appropriate (such as to limit the risk of fraud) and especially if your rights and freedoms as Data Subject are affected.
8. Disclosing your information
8.1 We may disclose your information:
- to a potential buyer of our business;
- if we have a legal obligation to do so, or in order to protect other people’s property, safety or rights; and
- in an exchange of information with others to protect against fraud or credit risks.
8.2 We may contract with third parties to supply services to you on our behalf. These may include payment processing, search engine facilities, advertising and marketing. In some cases, the third parties may require access to some or all of your data. Where any of your data is required for such a purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, our obligations, and the obligations of the third party under UK GDPR and applicable law.
9. Automated decision-making and profiling
9.1 If we use your Personal Data for the purposes of automated decision-making and those decisions have a legal (or similarly significant) effect on you, you have the right to challenge such decision under UK GDPR, and to obtain an explanation of the decision from us, except when
a) the decision is necessary for the entry into, or performance of, a contract between you and us;
b) the decision is authorised by law; or
c) you have given you express
9.2 Where we use your Personal Data for profiling purposes:
a) clear information explaining the profiling will be provided by us to you, including its significance and the likely consequences;
b) appropriate mathematical or statistical procedures will be used;
c) technical and organisational measures necessary to minimise the risk of errors and to enable such errors to be easily corrected will be implemented;
d) all Personal Data processed for profiling purposes will be secured in order to prevent discriminatory effects arising out of profiling.
10. Retention, destruction and disposal
10.1 Subject to paragraph 10.2, below, we only keep your Personal Data for as long as we need to for the purposes set out in this Policy and for as long as we have your permission to keep it.
10.2 Notwithstanding paragraph 10.1, above, it may sometimes be necessary to retain Personal Data or to access historical Personal Data if, for example, we are contractually bound to do so or if we have become involved in litigation or business disaster recovery in respect of which the Personal Data is relevant.
10.3 If you do not want us to use your Personal Data, you can let us know at any time by contacting our Data Protection Officer, and, subject to paragraphs 10.1 and 10.2, we will delete your data from our systems. This may, however, limit our ability to provide the best possible services to you.
10.4 Our Data Protection Officer has overall responsibility for a continuing process of identifying data that are no longer required, or in respect of which we no longer have permission or authority to retain the data, and for supervising their destruction. For these purposes, an annual review of data will be conducted.
10.5 Confidential, financial, and personal records will be permanently deleted, if electronic, or securely shredded, if paper. Non-confidential records may be destroyed by recycling.
11. Your rights
11.1 You can ask us at any time not to use your data for marketing by ticking the relevant boxes on our website, or by contacting us at compliance@idrc.co.uk
11.2 Under UK GDPR, you have the right to:
- request access to, deletion or correction of, your Personal Data held by us at no cost to you;
- request that your Personal Data be transferred to another person (“data portability”);
- be informed of what data processing is taking place;
- restrict processing;
- object to processing of your Personal Data; and
- complain to a supervisory authority.
11.3 Any request made pursuant to paragraph 11.2, above, must be made in writing and addressed to our Data Protection Officer. We will not disclose Personal Data requested by telephone, and we will only disclose Personal Data requested in writing or in person if we are satisfied that the person making the request is the Data Subject.
12. Links to other sites
12.1 This Policy will not apply to other websites that you access via a link from our site. We have no control over how your data is collected, stored or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.
13. Changes
13.1 Any changes to our Policy will be posted on our website.
14. Governing law and Dispute Resolution
14.1 This Policy shall be governed by and interpreted in accordance with English law.
14.2 In the event of a dispute arising out of or in connection with this Policy, the parties to the dispute (the Parties) shall use all reasonable efforts to resolve the dispute amicably.
14.3 If the dispute has not been amicably resolved within thirty (30) days of one Party giving written notice of a dispute to the other, the Courts of England shall have jurisdiction over such dispute.
1 An Identifiable Natural Person is one who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, an identification number, location data, an online identifier), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2 Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered to be incompatible with the initial purposes.
3 Every reasonable step will be taken to ensure that Personal Data that is inaccurate is erased or rectified without delay, having regard to the purposes for which they are processed.
4 Personal Data may be stored for longer periods if the Personal Data is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by UK GDPR in order to safeguard the rights and freedoms of the Data Subject.
5 On-premises storage: Dell PowerEdge server, BitLocker-protected data partition. Off-site storage: Dell PowerEdge server, BitLocker-protected partition. Server physically held in tier 1 data centre (details supplied on request).
6 Confidentiality means that only people who are authorised to use the data can access it; integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed; availability means that only those authorised to do so should be able to access the data and only for authorised purposes.