Data Protection




Stroma is committed to safeguarding the personal data of our clients, members, staff and stakeholders in line with the requirements of the Data Protection Act. This page is currently under development to demonstrate our compliance with the General Data Protection Regulation (GDPR).

If you have any questions about how we process personal data please contact our Data Protection Officer on:


Email: dataprotection@stroma.com
Telephone: 0845 621 1111
Post: Stroma, 4 Pioneer Way, Castleford, WF10 5QU


1. General Data Protection Regulation

This section sets out the General Data Protection Regulation (GDPR) rights for individuals and applies to the following divisions of the Stroma Group:

  • Stroma Certification
  • Stroma Software
  • Stroma Technology
  • Greendoor Building Control*
  • Approved Design Consultancy*
  • BBS Building Control*
  • BBS Environmental*
  • HRS Services*

* These companies are part of the Stroma Group and therefore the privacy requirements outlined in this policy document apply to them as well.

Legal Basis

Stroma have reviewed the lawful basis for processing personal data under the General Data Protection Regulation. Stroma have determined that the following lawful bases are applicable for the processing of personal data:

  • Consent.
  • Contract.
  • Legal Obligation.
  • Legitimate Interests.

These have been selected based on the purpose and relationship with the individual in accordance with the Stroma Group business activities. It has been agreed that these 4 are the most suitable, and the justifications for selecting these are detailed below. Stroma have also documented our lawful basis for processing as well as the purposes of the processing within our Privacy Policy.

Each of the 8 GDPR rights for individuals (see below) is detailed in the following sections of this page, along with the ‘at a glance’ statements from the Information Commissioner’s Office and an explanation of how Stroma will apply them to our business activities:

1.1 The Right to be Informed

Stroma will ensure that everyone is informed about how we will use the data that they are providing us with. The key requirements of this are:

Individuals have the right to be informed about the collection and use of their personal data

Stroma will only collate personal data for specific business purposes, for example: for the use of training and certification purposes, and for no other reason. The information collected will be for the specific agreed purpose and will not be used for any other reason. Only under the specific requirements will information be passed onto an external third party, for example: if part of the business relationship or requested by the individual.

Stroma must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’

The information collected will be for the specific agreed purpose and will not be used for any other reason. Only under the specific requirements will information be passed onto an external third party, for example: if part of the business relationship or requested by the individual.

Stroma will retain your personal details for as long as there is a relationship in place, for example: when a signed agreement is in place between Stroma and yourself. Where this agreement is no longer in place – i.e. if it has been terminated or withdrawn – Stroma will retain this information in accordance with the specific requirements, typically for a minimum of 7 years. After this time, Stroma will delete all personal data.

We must provide privacy information to individuals at the time we collect their personal data from them

Stroma operates our ‘Privacy Policy’ which is available on the Stroma website. Where applicable, it is referenced in our customer facing documentation, for example: a statement concerning privacy is also included within each training and certification application form.

If we obtain personal data from other sources, we must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. Stroma generally obtains personal data from submissions made directly by the person whose data it applies to. In circumstances where we obtain data from third party sources (e.g. a construction database) we will process this data in conjunction with one of the GDPR’s legal bases for processing.

There are a few circumstances when we do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

Stroma will provide personal information based on a request being received; however, the request will be reviewed to determine its validity. Stroma may not provide this information; in these instances, the person requesting the data will be informed of the reason which will be in accordance with the GDPR requirements.

The information we provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

Stroma will ensure that all information concerning privacy and personal data is easy to understand and follow. Stroma will also ensure that where required, the information will be made available in a format that can be understood by all, e.g. increased font size, font type or format.

Stroma wants to ensure that everyone needing to be informed of GDPR has access to the content in a format that is easy for them to understand. Please refer to Section 3.0 for how you can contact Stroma to request any alternatives or to raise any questions.

It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.

Stroma operates our ‘Privacy Policy’ which is available on the Stroma website and, where applicable, it is referenced in our customer facing documentation, for example: a statement concerning privacy is also included within each training and certification application form.

Stroma will ensure that all communications concerning GDPR are issued internally and externally by issuing these communications through posts on applicable dashboards, websites, email or post.

User testing is a good way to get feedback on how effective the delivery of your privacy information is.

Where appropriate, Stroma will seek feedback on the effectiveness of our privacy information from clients and members.

We must regularly review, and where necessary, update your privacy information. We must bring any new uses of an individual’s personal data to their attention before we start the processing.

Stroma will conduct reviews concerning privacy and data protection as part of our internal Management Review Meetings. Where data is to be used for different purposes than previously agreed, Stroma will communicate this to the affected person(s) and explain the change in use. In these instances, and where not restricted by certification scheme requirements for example, the person(s) will be given the opportunity to be removed from our records and therefore their personal data will not be used.

Due to the nature of Stroma business activities, changes in use of personal data will only happen under instruction from the appropriate body, for example: the applicable training or certification this is being undertaken through.

1.2 The Right of Access

Stroma will ensure that all individuals have the right to access their personal data and supplementary information. The right to access allows individuals to be aware of and verify the lawfulness of the processing.

What information are you entitled to under the GDPR?

Under the GDPR, individuals will have the right to obtain the following from Stroma:

  • Confirmation that their data is being processed.
  • Access to their personal data.
  • Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.

What is the purpose of the right of access under GDPR?

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.

Can we charge a fee for dealing with a subject access request?

Stroma will provide a copy of the information free of charge; however, Stroma may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

Stroma may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that Stroma can charge for all subsequent access requests.

The fee must be based on the administrative cost of providing the information. Each application for information will be treated on an individual basis, and Stroma will communicate any fees payable to the person requesting the information.

How long do we have to comply?

Stroma will ensure that all information is provided without delay, and will be issued within one month of receipt.

Stroma can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, Stroma will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

What if the request is manifestly unfounded or excessive?

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, Stroma can:

  • Charge a reasonable fee taking into account the administrative costs for providing the information.
  • Refuse to respond.

Where Stroma refuses to respond to a request, we will explain why this is the case to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

How should the information be provided?

Stroma must verify the identity of the person making the request using reasonable means to do this. If the request is made electronically, Stroma will provide the information in a commonly used electronic format.

Stroma will submit the personal information direct to the person submitting the request using the means of communication they have specified in the request. Stroma is not able to provide a secure self-service system to provide the information to the individual. Not having access to this remotely secure system will not adversely affect the rights and freedoms of others, as Stroma will ensure that personal data is provided as agreed with the individual to meet their requirements.

What about requests for large amounts of personal data?

Where Stroma processes a large quantity of information about an individual, the GDPR permits us to ask individuals to specify the information the request relates to.

The GDPR does not include an exemption for requests that relate to large amounts of data, but Stroma may be able to consider whether the request is manifestly unfounded or excessive. In these instances, Stroma will communicate this to the individual concerned to ensure that they are kept informed.

How does an Individual make a Subject Access Request?

Stroma will accept a Subject Access Request from an individual using one of the following methods:

Stroma will confirm receipt of the submitted request within 72 hours of receipt and we will process the request in accordance with the above requirements.

If you have any questions concerning the subject access request process please contact us by calling 0845 621 1111 or email dataprotection@stroma.com.


1.3 The Right to Rectification

The GDPR gives individuals the right to have personal data held by Stroma to be rectified. Personal data can be rectified if it is inaccurate or incomplete.

When should personal data be rectified?

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

If Stroma has disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If asked to, Stroma will also inform the individuals about these recipients.

How long do we have to comply with a request for rectification?

Stroma will respond within one month to a request for rectification. This can be extended by two months where the request for rectification is complex.

Where Stroma is not taking action in response to a request for rectification, we will explain why to the individual and inform them of their right to complain to the supervisory authority and to a judicial remedy.

How does an Individual submit a Rectification request?

Stroma will accept a Rectification Request from an individual using one of the following methods:

Stroma will confirm receipt of the submitted request within 72 hours of receipt and we will process the request in accordance with the above requirements.

If you have any questions concerning the rectification request process please contact us by calling 0845 621 1111 or email dataprotection@stroma.com.

1.4 The Right to Erasure

Stroma will comply with the requirement of the right to erasure, also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

When does the right to erasure apply?

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/ processed
  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
  • The personal data has to be erased in order to comply with a legal obligation
  • The personal data is processed in relation to the offer of information society services to a child

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress; however, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

Stroma is aware that there are some specific circumstances where the right to erasure does not apply and that we can refuse to deal with a request.

When can we refuse to comply with a request for erasure?

Stroma can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • To exercise the right of freedom of expression and information
  • To comply with a legal obligation for the performance of a public interest task or exercise of official authority
  • For public health purposes in the public interest
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes
  • The exercise or defence of legal claims

Do Stroma have to tell other organisations about the erasure of personal data?

If Stroma have disclosed the personal data in question to others, we will contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, Stroma will also inform the individuals about these recipients.

Stroma undertakes activities in the online environment and makes personal data public, and we are aware that we will need to inform other Organisations who process the personal data to erase links to, copies or replication of the personal data in question.

While this might be challenging where Stroma processes personal information online (for example, on social networks, forums or websites), we will endeavour to comply with these requirements. There may be instances where Organisations that process the personal data may not be required to comply with this provision because an exemption applies.

How does an Individual submit a Right to Erasure request?

Stroma will accept a Right to Erasure Request from an individual using one of the following methods:

Stroma will confirm receipt of the submitted request within 72 hours of receipt and we will process the request in accordance with the above requirements.

If you have any questions concerning the right to erasure request process please contact us by calling 0845 621 1111 or email dataprotection@stroma.com.

1.5 The Right to Restrict Processing

Stroma will comply where the individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, Stroma are permitted to store the personal data, but not further process it. Stroma can retain just enough information about the individual to ensure that the restriction is respected in future.

When does the right to restrict processing apply?

Stroma will be required to restrict the processing of personal data in the following circumstances:

  • Where an individual contests the accuracy of the personal data, Stroma will restrict the processing until we have verified the accuracy of the personal data
  • Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our Organisation’s legitimate grounds override those of the individual
  • When processing is unlawful and the individual opposes erasure and requests restriction instead
  • If we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim

If Stroma has disclosed the personal data in question to others, we must contact each recipient and inform them of the restriction on the processing of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, Stroma must also inform the individuals about these recipients.

Stroma must inform individuals when we decide to lift a restriction on processing.

1.6 The Right to Data Portability

Stroma will comply with the right to data portability which allows individuals to obtain and reuse their personal data for their own purposes across different services.

It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without hindrance to usability.

When does the right to data portability apply?

The right to data portability only applies:

  • To personal data an individual has provided to a controller
  • Where the processing is based on the individual’s consent or for the performance of a contract
  • When processing is carried out by automated means

How do we comply?

Stroma will provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other Organisations to use the data.

The information will be provided by Stroma free of charge.

If the individual requests it, Stroma may be required to transmit the data directly to another Organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other Organisations.

If the personal data concerns more than one individual, Stroma must consider whether providing the information would prejudice the rights of any other individual.

How long do we have to comply?

Stroma will respond without undue delay and within one month.

This can be extended by two months where the request is complex or Stroma receives a number of requests. Stroma will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where Stroma are not taking action in response to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

1.7 The Right to Object

Stroma will comply with the requirements of the right to object to processing based on legitimate interests or the performance of a task in the public interest/ exercise of official authority (including profiling), and direct marketing (including profiling).

How do we comply with the right to object if we process personal data for the performance of a legal task or my Organisation’s legitimate interests?

Individuals must have an objection on “grounds relating to his or her particular situation”.

Stroma will stop processing the personal data unless:

  • We can demonstrate compelling legitimate grounds for the processing of personal data which override the interests, rights and freedoms of the individual
  • The processing of personal data is for the establishment, exercise or defence of legal claims.

Stroma informs all individuals of their right to object “at the point of first communication”. For example, this is included on the Stroma website, in all application forms and in our Privacy Policy document.

Stroma ensures that this is explicitly brought to the attention of the data subject and is to be presented clearly and separately from any other information.

How do we comply with the right to object if we process personal data for direct marketing purposes?

Stroma will stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.

Stroma will deal with an objection to processing for direct marketing at any time and free of charge.

Stroma informs all individuals of their right to object “at the point of first communication”. For example, this is included on the Stroma website, in all application forms and in our Privacy Policy document.

Stroma ensures that this is explicitly brought to the attention of the data subject and is to be presented clearly and separately from any other information.

How do we comply with the right to object if we process personal data for research purposes?

Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.

If Stroma are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

How do we comply with the right to object if my Organisation’s processing activities fall into any of the above categories and are carried out online?

Stroma offer a way for individuals to object online.

Change your permission settings

Current Data Protection law gives you, as a Data Subject, the right to update and change your permissions at any time to specify how Stroma Group companies may contact you. To change your preferences, please complete this form or email our Data Protection Officer at dataprotection@stroma.com.

1.8 Rights in Relation to Automated Decision Making and Profiling

Stroma will comply with the Rights in relation to automated decision making and profiling, where the GDPR has provisions on:

  • Automated individual decision-making (making a decision solely by automated means without any human involvement)
  • Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process
  • The GDPR applies to all automated individual decision-making and profiling
  • Article 22 of the GDPR has additional rules to protect individuals if Stroma are carrying out solely automated decision-making that has legal or similarly significant effects on them
  • Stroma can only carry out this type of decision-making where the decision is:
    • Necessary for the entry into or performance of a contract
    • Authorised by Union or Member state law applicable to the controller
    • Based on the individual’s explicit consent
  • Stroma must identify whether any of our processing falls under Article 22 and, if so, make sure that we:
    • Give individuals information about the processing.
    • Introduce simple ways for them to request human intervention or challenge a decision.
    • Carry out regular checks to make sure that our systems are working as intended.

Does Stroma carry out Profiling activities?

Stroma only carries out profiling activity in terms of Google Analytics. This records data (i.e. Cookies) regarding use of our website (including the time spent on the website and in some circumstances the individual’s IP address). This information is solely collected for internal analysis to improve the performance of our website and its relevance to the customer.

Full information about how Stroma uses cookies, and how to control what cookies are set on your device through the Stroma website, can be found on our website.

2.0 Additional Information

The Stroma Privacy Policy is available to view on our website.

If you require any further details on GDPR and how this affects your rights, please contact the following for further information:


4 Pioneer Way, Castleford, West Yorkshire, WF10 5QU | info@stroma.com | 0845 621 11 11*

*Calls cost 7p per minute plus your phone company's network access charge or call 01977 665420.

©Stroma 2018
