This Policy sets out how the WPM Group (“WPM”) comprising of the following companies:
- WPM Group Limited (CRN: 05237838)
- WPM Education Limited (CRN: 05811211)
- WPM Payment Security Limited (CRN: 11676164)
- WPM Group Services Limited (CRN: 12794679)
- WPM Payments Limited (CRN: 05811259)
all of which have their registered office at 26 Victoria Way, Burgess Hill, West Sussex, RH15 9NF (each a “WPM Company”) use and protect any personal data it is provided with.
We will let you know which WPM Company you have a relationship with when you contact us or purchase a service from us.
WPM is firmly committed to respecting and protecting the privacy of all personal data received or collected by it, in strict adherence to applicable data protection legislation and best business practice. WPM has established this Policy so that you can understand the care with which WPM intend to treat personal data, as a standard.
How To Contact Us
If you have any questions regarding your personal data and how we may use it, including any queries relating to this Policy, please contact us via our Website or by writing to the “Group Data Protection Manager” at the office address noted above.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes.
For the purpose of applicable data protection legislation:
- where personal data is provided directly to WPM through use of the Websites, registration for WPM-run events or training, participation in WPM surveys, email, or other means where WPM is determining the way in which that personal data is processed for its own use, then the applicable WPM Company will be a data controller of such information.
Personal Data and Basis for Collection
Personal data means any data or information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). WPM may collect, use, store and transfer different kinds of personal data about you which WPM has grouped together as follows:
- Identity Data includes first name, last name, username or similar identifier, title, job title and date.
- Contact Data includes postal address, email address and telephone numbers.
- Usage Data includes information about how you use WPM’s Websites, events you have registered for or attended, or where you submit an enquiry or query through the Website.
- Marketing Data includes your preferences in receiving marketing from us.
- Preference Data, relating to the manner that you would like to be contacted by us.
Subject to where WPM needs to verify your identity or where WPM require your information about your access or dietary requirements for events and you provide your express consent for WPM to process such information, WPM does not process any Special Category personal data (as defined by applicable data protection legislation) about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data), nor does WPM collect any information about criminal convictions and offences (unless otherwise notified to you).
If You Fail to Provide Personal Data
Where WPM needs to collect personal data by law, or under the terms of a contract WPM has with you and you fail to provide that data when requested, WPM may not be able to perform the contract it has or is trying to enter.
How is Your Personal Data Collected?
WPM uses different methods to collect personal data from and about you including through:
- Direct interactions. You may give a WPM Company your contact information by filling in forms, registering for events WPM run, or by corresponding with us by post, phone, email, through the Website or otherwise. This includes personal data you provide when WPM provides its Services;
- Events. We may meet you at events and you may provide us with your contact details or share your details with our event partners or event service providers in order for us to contact you about our Services; or
How WPM Uses Your Personal Data
Where we act as the data controller, we have set out below in the table a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact WPM if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Type of Data
Lawful Basis for Processing, Including Basis of Legitimate Interest
To register you or the company that you are connected to as a new client and verify your identity (where required)
Performance of a contract
To perform credit checks
Legitimate interests to ensure creditworthiness
To process and deliver the Services including:
(a) Manage accounts, payments, fees and charges
(b) contacting you and corresponding about the Services
Necessary for our legitimate interests to fulfil our obligations and to ensure you benefit from the Services
To undertake marketing to you
Necessary for our legitimate interests to market our services
To respond to questions and to investigate and resolve actual and potential claims and complaints against us.
Necessary for our legitimate interests (to ensure complaints and questions are fairly addressed)
To conduct analytics/trouble shooting and security analysis
Necessary for our legitimate interests to improve and secure of services
Where we act as a data processor of personal data on behalf of our clients, we will process personal data in accordance with our clients’ instructions, or in order to comply with a legal or regulatory obligation.
How Your Personal Data May Be Shared
Where we act as the data controller for client contact information, or where permitted by WPM’s data controller clients, personal data processed by WPM may be shared as follows:
- with other WPM Companies;
- with permitted third party contractors of WPM for the purposes of performing its Services, to help us to deliver our products and information such as security infrastructure and marketing services (“Data Processors” or “Sub-Processors”);
- where WPM is under a duty to disclose your personal data to comply with any legal obligation, or to enforce or apply WPM’s or terms and conditions and other agreements;
- to protect the rights, property, or safety of WPM, WPM’s client, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and for compliance with laws; or
Where we provide your personal data to Data Processors or Sub-Processors we will have in place a written agreement with each third party confirming on what basis the third party will handle your personal data and will ensure that there are sufficient safeguards and processes in place to protect your personal data. We require all third parties to respect the security of your personal data and to treat it in accordance with the law and only process that personal data in accordance with our instructions. The third parties that we may send your personal data to are either within the United Kingdom (“UK”) or European Economic Area (“EEA”) or to third parties under suitable protection mechanisms as laid out in applicable data protection legislation.
How WPM Stores Personal Data
WPM stores personal data it process on its servers located in the UK or EEA.
Separate to the above, we may transfer your personal data to countries outside of the UK or EEA to other people or companies for one of the legal bases for processing your personal data as indicated above, or at the request of our data controller clients. Where we do so, we will take all steps to ensure that any country to which the personal data has been transferred has suitable protection mechanisms in place to protect personal data, including (if applicable) use of appropriate Standard Contractual Clauses in any contract with that third party for steps to be taken to keep personal data secure.
We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed and have various information security policies in place to which we adhere to. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Personal Data Retention
We will only retain personal data in accordance with our internal retention practices.
We will only process personal data as a data controller, for as long as necessary to fulfil the purposes we collected it for or for the period required for the purposes of satisfying any legal, accounting, regulatory or reporting requirements.
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include:
- The right to be informed – this is information on for what purpose we are processing it and what personal data we are processing.
- The right of access – you have the right to be provided with copies of the personal data of you that we are processing as well as confirmation of the processing we are doing. You can do this by sending a “subject access request” to the contact details noted above for our consideration.
- The right to rectification – if you think the personal data that we hold on you is wrong you can tell us and we will fix it.
- The right to erasure (also known as the right to be forgotten) – if you want us to permanently delete the personal data we hold for you then you can ask us to do so.
- The right to restrict processing – if you do not like how we are using your personal data then you can let us know and we will stop processing it in that way.
- The right to data portability – if you want us to pass on your personal data to someone else then please let us know. This transfer should not affect the integrity or otherwise damage your personal data.
- The right to withdraw your consent – you can withdraw your consent for us to process your personal data (if we have relied on your consent to process your personal data) at any time by contacting us. If we have relied only on your consent as the basis to process your personal data then we will stop processing your personal data at the point you withdraw your consent. Please note that if we can also rely on other bases to process your personal data aside from consent then we may do so even if you have withdrawn your consent.
- Rights in relation to automated decision making and profiling – if we use either automated decision making or profiling then you have a right to know. Also, we need your consent if either of these are used to make a decision that affects you. As with all consent, you can withdraw it at any time.
To exercise any of the above rights please contact the Group Data Protection Manager and confirm which WPM Company you request relates to.
Where you exercise your right to erasure (and we do not have another legal basis to hold on to that personal data) or where information is deleted in accordance with WPM’s retention policy, please note that after the deletion of your personal data, it cannot be recovered, so if you require a copy of this personal data, please request this during the period WPM retains the data.
Where you exercise your right to request access to the information WPM processes about you, you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. WPM will try to respond to all legitimate access requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
The Website is not intended for children and WPM will not knowingly collect any personal data from persons under the age of 18 and will immediately delete any such data subsequently so determined.
If you would like to make a complaint in relation to how WPM may have stored, used or processed your personal data, you have the right to make a complaint at any time to the Information Commissioner's Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). WPM would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
We may also analyse information that does not contain personal data for trends and statistics.
Remember the Risks Whenever You Use the Internet
WPM is committed to ensuring that your information is secure and has in place reasonable and proportionate safeguards and procedures to protect your personal data. While WPM does its best to protect your personal data, WPM cannot guarantee the security of any information that you transmit to WPM and you are solely responsible for maintaining the secrecy of any passwords or other account information.
Changes to This Policy and Your Duty to Inform Us of Changes
We reserve the right to make changes to this Policy from time to time. As and when necessary, changes to this Policy will be updated here. Where changes are significant, we may also email all our registered users with the new details, and where required by law, we will obtain your consent to these changes.