Eversholt Rail Limited (Eversholt Rail, we, us, our) respects the privacy of those who provide personal information to us.
This policy describes the information we collect which identifies you, how we use this information, the legal basis upon which we process it, with whom it is shared and how it is stored. This policy also describes other important topics relating to information privacy in respect of contractors and employees of businesses that offer services to us.
Please read this policy carefully to understand how we handle your personal information.
By accessing or browsing www.eversholtrail.co.uk (our Website), by your offering services to us (whether as an individual job applicant applying for a position with us or as an employee or other representative of a company or a contractor tendering to provide consultancy, maintenance, procurement or other services to us), and/or by your using any of the services that we provide to you, you confirm that: (a) you have read and understood the entirety of this policy; and (b) where we require your consent in order to use your personal information, you are providing your consent as specifically set out in this policy.
1. Information collection
We may collect and use any of the following information about you and we refer to this as personal information throughout this policy:
1.1 Personal information you (or your employer) give us. You may provide us with personal information by contacting us by phone, email or other means. This includes, for example, when you or your employer provide your personal information to us in order to receive our services. You or your employer may also give us your personal information in the course of offering or providing services to us.
Whether you are a job applicant, customer, supplier or Website visitor, the personal information given to us may include:
(a) your name;
(b) your job title;
(c) your work and/or personal email address;
(d) your work and/or personal telephone number;
(e) your work and/or personal address;
(f) bank account information;
(g) information provided when you correspond with us;
(h) any updates to information provided to us;
(i) CCTV footage;
(j) pre-employment check information;
(k) details pertaining to your job or position;
(l) demographic information; and
(m) system and application access data and information required to access Eversholt Rail systems and applications.
Please note that we need certain types of personal information so that we can either provide services to you or so that you, or your employer, can provide services to us. If you do not provide us with such personal information, or ask us to delete it, you may no longer be able to access our services or provide services to us.
1.2 Personal information we collect about you if you visit the Website. Each time you visit the Website we may automatically collect any of the following information:
(a) technical information, including the internet protocol (IP) address used to connect your computer to the internet, domain name and country which requests information, the files requested, browser type and version, browser plug-in types and versions, operating system and platform;
(b) information about your visit, including the full URL clickstream to, through and from our site (including date and time), time and length of visits to certain pages, page interaction information (such as scrolling, clicks and mouseovers), methods used to browse away from the page, traffic data, location data, weblogs and other communication data and information provided when requesting further service or downloads.
2. Use of information
We, or third party data processors acting on our behalf, may collect, use and/or store the personal information listed above for the following reasons.
2.1 Visiting our Website
(a) to allow you to access and use the Website;
(b) to assist with the technical support of the Website and supporting services;
(c) to provide you with the information and services that you request from us;
(d) to ensure the security of our services and the Website;
(e) to store information about your preferences;
(f) to recognise when you return to our Website;
(g) to improve and maintain our Website, prepare reports or compile statistics in order to improve our services. Such details will be anonymised or pseudo-anonymised as far as is reasonably possible, so you will not be identifiable from the information collected.
2.2 Receiving services from you
(a) to enable us to receive and manage services from you (including payment and expense reporting);
(b) for health and safety records and management;
(c) to assess your working capacity (for example, to assess whether you are under the influence of drugs or alcohol and thereby pose a danger to yourself or to others);
(d) to verify your identity in order to prevent and detect money laundering and fraud;
(e) for security vetting and criminal records checks (where applicable and allowed by law);
(f) to confirm information on CVs and to assess your or your employer’s suitability to work for us;
(g) for equal opportunities monitoring;
(h) for CCTV monitoring and other security of company facilities;
(i) to ensure adequate insurance coverage for our business.
2.3 Providing services to you
(a) to provide services to you or your employer;
(b) to verify your identity in order to prevent and detect money laundering and fraud;
(c) to pursue debt from our customers;
(d) to notify you about changes to our services and to keep you informed about relevant aspects of our business; and
(e) to contact you for business development and marketing purposes (including by email or post) with information which either you request or we feel will be of interest to you.
2.4 To comply with any procedures, laws and regulations which apply to us or to comply with our legal obligations.
2.5 To establish, exercise or defend our legal rights where it is necessary for our legitimate interests or the legitimate interests of others.
3. Legal basis for use of your personal information
3.1 We consider that the legal basis for using your personal information, for the reasons set out in this policy, is either because our use is:
(b) necessary for our legitimate interests or the legitimate interests of others (for example, to ensure the security of our Website). Our legitimate interests are to:
• run, grow and develop our business and our Website;
• select appropriately skilled and qualified personnel;
• ensure a safe working environment for our staff and visitors;
• ensure the safe operation of our assets;
• maintain and/or modify our assets;
• make and receive payment; and
• know and support the customers we provide services to and the suppliers who provide services to us.
If we rely upon one of the above legitimate interests to process your personal information, you have the right to object to the processing based on such interest.
3.2 Certain types of personal information are given additional legal protection by data protection legislation. These are called special categories of personal data or sensitive personal data. We do not collect such special categories of information, except where you have given your express consent for this or for routine or pre-employment drug and alcohol tests which are necessary for Eversholt Rail to process in the field of employment, including, without limitation, its rights and obligations under health and safety law and/or for the assessment of the working capacity of Eversholt Rail personnel.
3.3 Other uses for your personal information, which are not currently described in this policy, may require your consent (which can be withdrawn at any time, as described below). Where this is the case, this policy will be updated accordingly.
3.4 If we rely on your consent to use your personal information in a particular way, but you later change your mind, you may withdraw your consent by contacting the Company Secretary at firstname.lastname@example.org. You should note that if you withdraw your consent, this may affect our ability to continue our contractual relationship with you. Alternatively, if we need to continue processing your personal data and have an alternative lawful basis to rely upon in continuing to process your personal data, we will notify you of same before we begin relying on that alternative lawful processing ground.
5. Disclosure of personal information
5.1 We may share your personal information with any company that is a member of our group, where it is in our legitimate interests to do so for internal administrative and governance purposes. This includes companies that are based outside of the EEA, for example, by our Hong Kong based shareholder.
5.2 We will share your personal information with the following third parties:
(a) our service providers and sub-contractors, including but not limited to payment processors, suppliers of technical and support services and cloud service providers;
(b) companies that assist us in our marketing, event management, advertising and promotional activities; and
(c) analytics and search engine providers that assist us in the improvement and optimisation of our Website.
Any third parties with whom we share your personal information are limited (by law and by contract) in their ability to use your personal information for any purpose other than to provide services for us. We will seek to ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this policy and applicable laws.
5.3 We may also disclose your personal information in the following situations:
(a) to a prospective or actual seller, buyer or transferee of any aspect of our business or assets;
(b) if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;
(c) in order to enforce or apply our terms and conditions or any other agreement or to respond to any claims, to protect our rights or the rights of a third party or to protect the safety of any person; or
(d) to protect the rights, property or safety of Eversholt Rail, our customers, suppliers or other persons. This may include exchanging personal information with other organisations for the purposes of fraud protection and credit risk reduction.
5.4 We may also disclose and use anonymised, aggregated reporting and statistics about users of the Website or our services for the purpose of internal reporting to group companies or other third parties. None of these anonymised, aggregated reports or statistics will enable our users to be personally identified.
5.5 Except as explained above, we will not share, sell or rent any of your personal information to any third party without notifying you and, where necessary, obtaining your consent. If you have given your consent for us to use your personal information in a particular way (for example, for direct marketing purposes) but later change your mind, please refer to paragraph 3.4 above.
6. Retention of personal information
We keep your personal information for no longer than necessary, depending on the purposes for which we use it. Our retention periods are determined, and reviewed regularly, in accordance with our internal governance processes. If you would like further information on our retention periods for different categories of personal information, please contact us by email at email@example.com.
7. Your rights
7.1 You have certain rights in relation to your personal information. You have the right to request that we:
(a) provide access to, or copies of, any personal information we hold about you;
(b) do not use your personal information for direct marketing purposes unless you have given your express consent (which you can withdraw at any time);
(c) update any personal information which is out of date or incorrect;
(d) delete any personal information which we are holding about you; or
(e) restrict the way that we process your personal information.
If you would like to exercise any of your rights, please contact us by email at firstname.lastname@example.org. We will consider all such requests and provide our response within the time period required by law. Before we comply with your request, we may require information from you which confirms your identity. We may decline your request if we need to keep processing your personal information to fulfil our contractual obligations to you, for our legitimate interests or to comply with a legal obligation.
8. Transfers of personal information
8.1 Your personal information may be used, stored and/or accessed by our group companies or third party data processors who operate outside the EEA, for example, by our Hong Kong based shareholder. By providing us with your personal information, you acknowledge any such transfer, storage and use. We will take appropriate measures to ensure your personal information is adequately protected. These measures include:
(a) in the case of US based service providers, entering into European Commission approved standard contractual arrangements or ensuring they have signed up to the EU-US Privacy Shield (see further www.privacyshield.gov/welcome); or
(b) in the case of service providers based in other countries outside the EEA, entering into European Commission approved standard contractual arrangements.
8.2 Further details on the steps we take to protect your personal information is available on request by contacting us by email at email@example.com.
9.1 We are committed to protecting personal information from loss, misuse, disclosure, alteration, unauthorised access and destruction. We take all reasonable precautions to safeguard its confidentiality.
9.2 Where you transmit your personal information to us over the internet, you acknowledge and accept that we cannot guarantee the security of that transmission. Any such transmission is at your own risk.
9.3 Once we have received your personal information, our strict procedures and security features are designed to prevent unauthorised access.
10. Third party websites
The Website may from time to time contain links to websites operated by third parties. Please note that this policy only applies to the personal information that we collect through the Website. We cannot be responsible for personal information collected and stored by third parties. We do not endorse or otherwise accept any responsibility or liability for the content of third party websites, third party terms, conditions or policies.
12. Further questions or making a complaint
12.1 If you have any queries or complaints about our collection, use or storage of your personal information, or if you wish to exercise any of your rights in relation to your personal information, please contact the Company Secretary at firstname.lastname@example.org.
12.2 You may also make a complaint to the UK Information Commissioner’s Office (https://ico.org.uk/), the UK’s data protection supervisory authority. If you believe your rights have been breached, you may seek a remedy through local courts.
The practices described in this policy statement are current as of 25 May 2018.