Issue date: March 3, 2020
NCC Group is committed to protecting and respecting your right to privacy. This Privacy Notice explains who we are, how we collect, share and use your personal data, and how you can exercise your privacy rights.
This Privacy Notice (and the detailed service privacy notices below) apply to all the entities within NCC Group plc (“we”, “us” and “NCC Group”) and the way we handle personal data. It applies to all individuals who access our website at nccgroupplc.com ("Website"), engage our products and services ("Services"), or who participate in our recruitment activities. We recommend that you read this Privacy Notice in full to ensure you are fully informed.
Data Protection Overview
In May 2018, a new Data Protection law called the General Data Protection Regulation (the “GDPR”) came into force in the EU. This, in combination with a variety of global privacy laws, gives people more control of their data and guides the way businesses collect and use personal data.
How we use your data will depend on the nature of our relationship. To make sure you feel confident with how we use your data, we’ve created an Executive Privacy Statement and updated our detailed Privacy Notices to make things clearer.
For further information please contact us by email at DataProtection@nccgroup.com or by post to NCC Group, XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.
We’ll continue to update these notices as we receive feedback on how to make them easier to understand.
Executive Privacy Statement
NCC Group are committed to respecting the data entrusted to us and to making sure that we keep it safe. This Privacy Statement applies to personal information provided to us, both by you, your employer or any other third party through engagement with NCC Group and our services.
Where we are a Data Controller (also known as a Business under US privacy law) we will:
- Only collect information that is needed to provide our services to you.
- Make sure that we use and share your personal data fairly and in a way you’d expect.
- Tell you how we use your data whenever we collect it, so you can make an informed decision.
- Keep your data up to date when you tell us about changes.
- Make it easy for you to exercise your rights.
- Take appropriate measures to protect your data.
NCC Group has a range of subsidiary businesses which we utilise to deliver our range of services, including Security Consulting, Assurance and Escrow. Where we are a Data Processor (also known as a Service Provider under US privacy law) we will:
- Only collect information that is needed to provide our services to you and our clients.
- Make sure that we use and share your personal data fairly and in a way you’d expect and has been agreed by our client (the Data Controller/Business).
- Tell our clients how we will use your data whenever we collect it, so they can make an informed decision and provide you with all the information you need.
- Keep your data up to date whenever we are notified about changes.
- Support our clients to aid you in exercising your rights.
- Take appropriate measures to protect your data.
For more information about NCC Group and the services we provide, please see the “What We Do” section of our Website at https://www.nccgroupplc.com/what-we-do/at-a-glance/
What personal data does NCC Group collect when you visit our Website and why?
The personal information that we may collect about you when you visit our website broadly falls into the following categories:
Information that you provide voluntarily
We collect personal data that you provide voluntarily through our Website, for example when completing online forms to contact us or register for events that we are organising or to enquire about our services. The data we collect about you may include some or all of the following:
- Name and job title;
- Company or organisation;
- Contact information, including email address and telephone number(s);
- Demographic information such as postcode, preferences and interests;
- Other information relevant to client surveys or similar research;
- Information pertinent to fulfilling our Services to you; and
- Any other personal information that you voluntarily choose to provide to us.
If we ask you to provide any other personal data not described above, the personal data that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point that you are asked to provide your personal data.
Information that we collect automatically
When you visit our Website, we may collect certain personal information automatically from your device.
Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification number, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our Website, including the pages accessed and links clicked.
What data does NCC Group collect when you engage in recruitment activities?
If you engage in recruitment activities with NCC Group, such as applying for a role with us, we will have a number of legal and organisational reasons to collect and use your personal data. Please see the below privacy notice for more information:
What data does NCC Group collect when you invest in NCC Group?
If you invest in NCC Group we will have a number of legal and organisational reasons to collect and use your personal data. Please see the below privacy notice for more information:
Shareholder Privacy Notice
What data does NCC Group collect when you visit our offices?
We meet visitors at our corporate offices, including:
- external training providers;
- job applicants;
- suppliers; and
If your visit is planned, we’ll send your name and visit information to reception before your visit. We ask all visitors to sign in and out at reception and show a form of ID. The ID is for verification purposes only, we don’t record this information.
We capture CCTV images of visitors to our offices for the purposes of security, including crime prevention and detection, and the apprehension and prosecution of offenders.
Any CCTV used outside of NCC Group offices, including the exterior of the building and in communal areas of multi-tenanted sites, is not operated by us, so we are not the controller. It will be under the control of the relevant building landlord.
This information is processed for security and safety reasons which is in NCC Group’s legitimate interest.
How do we use your personal information, and what are our legal grounds?
In addition to using your information to fulfil our contract to provide you with requested products or services, we may also use your information in the following ways:
- to monitor and improve our products, services and the Website;
- to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about or that we feel may be of interest to you;
- to notify you about changes to our services;
- to administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to enable us to comply with any legal or regulatory requirements.
The basis on which we collect your information
We collect much of your information on the grounds of: (i) legitimate interests (for example, to send you direct marketing about products and services similar to those you have purchased from us or negotiated or enquired about, or to help us administer the Website); and (ii) fulfilment of a contract with you (for example, to provide you with products or services you have purchased from us).
If we require your personal data for fulfilment of a contract with you (for example, to provide services or products to you or to receive payment from you), we may be unable to fulfil the contract without your personal data.
Where we rely on legitimate interests, our legitimate interests are the promotion of the products and services offered by NCC Group and the provision of information in respect of products and services you have already purchased from us or in which you have expressed an interest in purchasing. This may include analytics on the effectiveness of sales and marketing campaigns in relation to business to business activities.
If we are unable to rely on legitimate interests, fulfilment of a contract or any other ground set out in the GDPR (or other applicable privacy law) to process your personal data, we will obtain consent from you to the processing. This will be the case if, for example, you download documentation from us and we would like to send you marketing communications about our products and services. If you give us your consent, you can withdraw it at any time by clicking on the link in the email we send to you, or by emailing email@example.com. Withdrawal of your consent won’t affect any processing we have carried out in respect of your personal data prior to you withdrawing consent.
How long do we keep personal information for?
We will review and delete or destroy personal data on a regular basis. If we are unable, using reasonable endeavours, to delete or destroy personal data we will ensure that the personal data is encrypted or protected by security measures so that it is not readily available to, or accessible by, us.
When you visit our website
When you visit our offices
Any CCTV records are kept for a period of up to 90 days.
Who do we share your personal information with?
We may share your personal information with any member of the NCC Group, which means our subsidiaries, our ultimate holding company and its subsidiaries.
We may disclose your personal information to third parties:
- if the third party contracts with us to provide certain of the services you have requested and requires your personal information in order to do so;
- if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- if NCC Group or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets; or
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or to protect the rights, property, or safety of NCC Group, our customers, or others.
The organisations we share personal data with are as follows;
- IT Systems providers such as:
- Salesforce (our Customer Relationship Management system)
- Workday (our financial management and human capital software provider)
- IT infrastructure providers such as Microsoft (Azure) or Amazon (AWS)
- Government bodies and Regulators such as UWV, HMRC, the Health & Safety Executive (HSE), Federal Trade Commission, data protection regulators worldwide
- External auditors and professional advisors (such as Financial auditors or our ISO 27001:2013 certification body)
We will always ensure that personal data will only be shared where there is a requirement to do so, and where appropriate technical, organisational, and where necessary, contractual measures are in place in order to ensure its protection.
Do Not Sell My Personal Information
For more information, please see the “Your rights” section below or contact us at firstname.lastname@example.org.
NCC Group operates globally, therefore the information we process may be transferred outside your country of residence. As such, the below is designed to give you a clear understanding of any overseas transfers as it relates to your country of residence.
The data that we process about you may be transferred to, or stored at, a destination outside of your country of residence, for example to the UK, the EU and/or the US. It may also be processed by staff operating outside of your country of residence who work for us or for one of our suppliers/partners.
As NCC Group operate a global data privacy programme, we have assessed our legal grounds to transfer you data and have an appropriate mechanism to facilitate this that ensures the security and confidentiality of any transferred data and compliance with local privacy laws. This includes having Standard Contractual Clauses (SCCs) in place to allow sharing between NCC Group entities globally and ensuring that our supply chain has appropriate transfer mechanisms in place, such as the EU-US Privacy Shield, SCCs or Binding Corporate Rules.
There are a number of rights available to people under the different global privacy laws, including the GDPR and the California Consumer Privacy Act (CCPA). Not all rights apply in all situations, but for clarity we have not included full details here. The easiest way to exercise any of your rights, or enquire if a right is applicable in a specific circumstance, would be to contact our Data Privacy Team using the contact details below. If we need further information to comply with your request we’ll let you know.
If you are not based within the, United Kingdom, the European Union or are located in a location which does not have specific data privacy rights, we will assess your request based on our ability to provide for your rights rather than your location.
These rights include the following:
Access to your data
You have the right to ask for access to and receive copies of your personal data. You can also ask us to provide a range of information relating to our processing of your data.
Rectification of your data
If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to correct that information.
Right to be forgotten
In some circumstances, you have the right to ask us to delete personal data we hold about you.
Right to restrict processing
In some circumstances you are entitled to ask us to restrict processing of your personal data. This means we will stop using your personal data but we don’t have to delete it.
You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data controller.
Right to object
You are entitled to object to us processing your personal data if the processing is based on legitimate interests and/or is for the purposes of scientific or historical research / statistics.
Right to opt-out of the sale of your information
Under the CCPA, Californian residents have the right to direct a business that sells personal information about you to third parties not to sell your personal information.
Right to disclosure of information sold
Under the CCPA, Californian residents have the right to request that a business that sells personal information about you, or who discloses your personal information for a business purpose, provide you with information about the information disclosed and the recipients of that information.
Right to non-discrimination
Under the CCPA, Californian residents have the right to not be discriminated against for exercising their rights. NCC Group shall not discriminate against any person who exercises their rights under the CCPA, the GDPR or any other privacy law.
This includes, but is not limited to:
- denying services;
- charging different rates for services;
- providing different levels or quality of services
NCC Group do not offer financial incentives for the collection or use of personal data. If NCC Group were to offer any financial incentives for the collection or use of personal information, including but not limited to the sale of personal information or the deletion of personal information, it shall notify consumers and provide the option for consumers to opt-in. Such an opt-in may be revoked at any time by the consumer.
The Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Changes to this Privacy Notice
If you would like to exercise any of your rights in respect of your personal data, or would like any more information, our Group Data Protection Officer can be contacted using the following email address: email@example.com, or alternatively by writing to XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.
If you have any concerns about the ways in which we process your personal data, you have a right to complain to the relevant supervisory authority in your jurisdiction. We’d encourage you to contact us first, so we can address with your concerns.
Please see below for details of some of the key regulators;
- T: 33 19 32 00
- Bayerisches Landesamt für Datenschutzaufsicht
- 0981 1800930
- State Data Protection Inspectorate
- T: 271 2804 / 279 1445
- Autoriteit Persoonsgegevens
- T:070 888 8501
- Agencia Española Protección Datos
- T: 901 100 099 / 91 266 35 17
- Information Commissioner’s Office (ICO)
- T: 0303 123 1113
If you are based in the United States, then you should contact the Attorney General within your State – information on who your Attorney General is can be found here.