Stroma is committed to safeguarding the personal data of our clients, members, staff and stakeholders in line with the requirements of the Data Protection Act. This page is currently under development to demonstrate our compliance with the General Data Protection Regulation (GDPR).
If you have any questions about how we process personal data please contact our Data Protection Officer on:
Email: firstname.lastname@example.org
Telephone: 0845 621 1111
Post: Stroma, 4 Pioneer Way, Castleford, WF10 5QU
This section sets out the General Data Protection Regulation (GDPR) rights for individuals and applies to the following divisions of the Stroma Group:
* These companies are part of the Stroma Group and therefore the privacy requirements outlined in this policy document apply to them as well.
Stroma have reviewed the lawful basis for processing personal data under the General Data Protection Regulation. Stroma have determined that the following lawful bases are applicable for the processing of personal data:
Each of the 8 individual rights under the GDPR (see below) is detailed in the following sections of this page, along with the ‘at a glance’ statement from the Information Commissioner’s Office and an explanation of how Stroma will apply them to our business activities:
Stroma will ensure that everyone is informed about how we will use the data that they are providing us with. The key requirements of this are:
Individuals have the right to be informed about the collection and use of their personal data
Stroma will only collate personal data for specific business purposes, for example for training and certification purposes, and for no other reason. The information collected will be for the specific agreed purpose and will not be used for any other reason. Only under specific requirements will information be passed on to an external third party, for example if this is part of the business relationship or requested by the individual.
Stroma must provide individuals with information including: our purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
Stroma will retain your personal details for as long as there is a relationship in place, for example: when a signed agreement is in place between Stroma and yourself. Where this agreement is no longer in place – i.e. if it has been terminated or withdrawn – Stroma will retain this information in accordance with the specific requirements, typically for a minimum of 7 years. After this time, Stroma will delete all personal data.
We must provide privacy information to individuals at the time we collect their personal data from them
If we obtain personal data from other sources, we must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. Stroma generally obtains personal data from submissions made directly by the person whose data it applies to. In circumstances where we obtain data from third party sources (e.g. a construction database) we will process this data in conjunction with one of the GDPR’s legal bases for processing.
There are a few circumstances when we do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
Stroma will provide personal information based on a request being received; however, the request will be reviewed to determine its validity. Stroma may not provide this information; in these instances, the person requesting the data will be informed of the reason which will be in accordance with the GDPR requirements.
The information we provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
Stroma will ensure that all information concerning privacy and personal data is easy to understand and follow. Stroma will also ensure that where required, the information will be made available in a format that can be understood by all, e.g. increased font size, font type or format.
Stroma wants to ensure that everyone needing to be informed of GDPR has access to the content in a format that is easy for them to understand. Please refer to Section 3.0 for how you can contact Stroma to request any alternatives or to raise any questions.
It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
Stroma will ensure that all communications concerning GDPR are issued internally and externally by issuing these communications through posts on applicable dashboards, websites, email or post.
User testing is a good way to get feedback on how effective the delivery of your privacy information is.
Where appropriate, Stroma will seek feedback on the effectiveness of our privacy information from clients and members.
We must regularly review and, where necessary, update our privacy information. We must bring any new uses of an individual’s personal data to their attention before we start the processing.
Stroma will conduct reviews concerning privacy and data protection as part of our internal Management Review Meetings. Where data is to be used for different purposes than previously agreed, Stroma will communicate this to the affected person(s) and explain the change in use. In these instances, and where not restricted by certification scheme requirements for example, the person(s) will be given the opportunity to be removed from our records and therefore their personal data will not be used.
Due to the nature of Stroma business activities, changes in use of personal data will only happen under instruction from the appropriate body, for example the body through which the applicable training or certification is being undertaken.
Stroma will ensure that all individuals have the right to access their personal data and supplementary information. The right to access allows individuals to be aware of and verify the lawfulness of the processing.
What information are you entitled to under the GDPR?
Under the GDPR, individuals will have the right to obtain the following from Stroma:
What is the purpose of the right of access under GDPR?
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
Can we charge a fee for dealing with a subject access request?
Stroma will provide a copy of the information free of charge; however, Stroma may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Stroma may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that Stroma can charge for all subsequent access requests.
The fee must be based on the administrative cost of providing the information. Each application for information will be treated on an individual basis, and Stroma will communicate any fees payable to the person requesting the information.
How long do we have to comply?
Stroma will ensure that all information is provided without delay, and will be issued within one month of receipt.
Stroma can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, Stroma will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
What if the request is manifestly unfounded or excessive?
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, Stroma can:
Where Stroma refuses to respond to a request, we will explain why this is the case to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
How should the information be provided?
Stroma must verify the identity of the person making the request using reasonable means to do this. If the request is made electronically, Stroma will provide the information in a commonly used electronic format.
Stroma will submit the personal information direct to the person submitting the request using the means of communication they have specified in the request. Stroma is not able to provide a secure self-service system to provide the information to the individual. Not having access to such a secure remote system will not adversely affect the rights and freedoms of others, as Stroma will ensure that personal data is provided as agreed with the individual to meet their requirements.
What about requests for large amounts of personal data?
Where Stroma processes a large quantity of information about an individual, the GDPR permits us to ask individuals to specify the information the request relates to.
The GDPR does not include an exemption for requests that relate to large amounts of data, but Stroma may be able to consider whether the request is manifestly unfounded or excessive. In these instances, Stroma will communicate this to the individual concerned to ensure that they are kept informed.
How does an Individual make a Subject Access Request?
Stroma will accept a Subject Access Request from an individual using one of the following methods:
Stroma will confirm receipt of the submitted request within 72 hours of receipt and we will process the request in accordance with the above requirements.
If you have any questions concerning the subject access request process please contact us by calling 0845 621 1111 or email email@example.com.
The GDPR gives individuals the right to have personal data held by Stroma rectified. Personal data can be rectified if it is inaccurate or incomplete.
When should personal data be rectified?
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If Stroma has disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If asked to, Stroma will also inform the individuals about these recipients.
How long do we have to comply with a request for rectification?
Stroma will respond within one month to a request for rectification. This can be extended by two months where the request for rectification is complex.
Where Stroma is not taking action in response to a request for rectification, we will explain why to the individual and inform them of their right to complain to the supervisory authority and to a judicial remedy.
How does an Individual submit a Rectification request?
Stroma will accept a Rectification Request from an individual using one of the following methods:
If you have any questions concerning the rectification request process please contact us by calling 0845 621 1111 or email firstname.lastname@example.org.
Stroma will comply with the requirement of the right to erasure, also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
When does the right to erasure apply?
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress; however, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
Stroma is aware that there are some specific circumstances where the right to erasure does not apply and that we can refuse to deal with a request.
When can we refuse to comply with a request for erasure?
Stroma can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
Do Stroma have to tell other organisations about the erasure of personal data?
If Stroma have disclosed the personal data in question to others, we will contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, Stroma will also inform the individuals about these recipients.
Stroma undertakes activities in the online environment and makes personal data public, and we are aware that we will need to inform other Organisations who process the personal data to erase links to, copies or replication of the personal data in question.
While this might be challenging where Stroma processes personal information online (for example, on social networks, forums or websites), we will endeavour to comply with these requirements. There may be instances where Organisations that process the personal data may not be required to comply with this provision because an exemption applies.
How does an Individual submit a Right to Erasure request?
Stroma will accept a Right to Erasure Request from an individual using one of the following methods:
If you have any questions concerning the right to erasure request process please contact us by calling 0845 621 1111 or email email@example.com.
Stroma will comply where the individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, Stroma are permitted to store the personal data, but not further process it. Stroma can retain just enough information about the individual to ensure that the restriction is respected in future.
When does the right to restrict processing apply?
Stroma will be required to restrict the processing of personal data in the following circumstances:
If Stroma has disclosed the personal data in question to others, we must contact each recipient and inform them of the restriction on the processing of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, Stroma must also inform the individuals about these recipients.
Stroma must inform individuals when we decide to lift a restriction on processing.
Stroma will comply with the right to data portability which allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without hindrance to usability.
When does the right to data portability apply?
The right to data portability only applies:
How do we comply?
Stroma will provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other Organisations to use the data.
The information will be provided by Stroma free of charge.
If the individual requests it, Stroma may be required to transmit the data directly to another Organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other Organisations.
If the personal data concerns more than one individual, Stroma must consider whether providing the information would prejudice the rights of any other individual.
Stroma will respond without undue delay and within one month.
This can be extended by two months where the request is complex or Stroma receives a number of requests. Stroma will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Where Stroma are not taking action in response to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
Stroma will comply with the requirements of the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), and direct marketing (including profiling).
How do we comply with the right to object if we process personal data for the performance of a legal task or my Organisation’s legitimate interests?
Individuals must have an objection on “grounds relating to his or her particular situation”.
Stroma will stop processing the personal data unless:
Stroma ensures that this is explicitly brought to the attention of the data subject and is to be presented clearly and separately from any other information.
How do we comply with the right to object if we process personal data for direct marketing purposes?
Stroma will stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.
Stroma will deal with an objection to processing for direct marketing at any time and free of charge.
How do we comply with the right to object if we process personal data for research purposes?
If Stroma are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
How do we comply with the right to object if my Organisation’s processing activities fall into any of the above categories and are carried out online?
Stroma offer a way for individuals to object online.
Current Data Protection law provides Data Subjects with the right to update and change their permissions at any time to specify how Stroma Group companies may contact them. To change your preferences please complete this form, or email our Data Protection Officer at firstname.lastname@example.org.
Stroma will comply with the Rights in relation to automated decision making and profiling, where the GDPR has provisions on:
Does Stroma carry out Profiling activities?
Stroma only carries out profiling activity in terms of Google Analytics. This records data (i.e. Cookies) regarding use of our website (including the time spent on the website and in some circumstances the individual’s IP address). This information is solely collected for internal analysis to improve the performance of our website and its relevance to the customer.
If you have a Google user account and have consented with Google that they may collect visitation information from the sites you visit, then some Stroma websites may use this information for the purpose of performance tracking on our website. This information can include end user location, search history, YouTube history and data from sites that partner with Google. Stroma is able to use this to collect anonymised insights into your cross device behaviours. This feature can only be enabled if you consent with Google and can be deactivated at any time using the My Activity section of your Google account.
If you require any further details on GDPR and how this affects your rights, please contact the following for further information:
Registered Office: 4 Pioneer Way, Castleford, West Yorkshire, WF10 5QU
©Stroma Group Ltd 2020