Stroma is committed to safeguarding the privacy of our clients, members, applicants, website visitors and other service users. Your information is very important to us and we handle all of this in line with the current Data Protection laws and regulation. Stroma works to a quality management system recognised by international standards which facilitates our operational activity in working to the required policies and procedures.
Stroma have reviewed the lawful basis for processing personal data under the General Data Protection Regulation. Stroma have determined that the following lawful bases are applicable for the processing of personal data:
These have been selected based on the purpose and relationship with the individual in accordance with the Stroma Group business activities. It has been agreed that these 4 are the most suitable, and the justifications
Stroma use consent as a legal basis as the most appropriate way of dealing with personal data that does not fit under one of the other 3 options. It will be used when we have received a positive ‘opt-in’ action within our marketing and customer facing business documents.
We have made the request for consent prominent and separate from our terms and conditions, adding a Permissions to Contact section for the customer to complete at the point of joining or entering into an agreement with Stroma, i.e. certification scheme application form or online enquiry submission. Members, Clients or Contacts of Stroma are able to update these permissions at any time, and deciding to ‘opt-out’ will not be detrimental to the agreement with Stroma. It is not a precondition of working with Stroma that a customer has to ‘opt-in’ to anything; however, where the agreement in place requires updates to be made relating to that agreement, Stroma will have to contact the customer.
Stroma use contract as a legal basis as the most appropriate way of dealing with personal data that does not fit under one of the other 3 options. This will be used based on an agreement being in place between ourselves and someone enquiring about our services or where a formal agreement has been signed and is active. The requirement to process data will be detailed within the contract.
Stroma use legal obligation as a legal basis as the most appropriate way of dealing with personal data that does not fit under one of the other 3 options. It will be used for the retention and use of personal information; for example, this can include employment records, accident reports for health and safety, DBS checks etc.
Stroma uses legitimate interests as a legal basis as the most appropriate way of dealing with personal data that does not fit under one of the other 3 options. In processing personal data under legitimate interests, Stroma will:
The legitimate interests can be our own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits; however, we will ensure that evidence can be provided as to the necessity of using the personal data. Stroma will balance our interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests will override our legitimate interests in using their personal data, and therefore it will not be used.
Stroma collects data to operate effectively and provide the best services for our clients and members. You provide some of this data directly, such as when you request a quote for a Stroma service, apply for membership of a certification scheme, register for a Stroma event, download a Stroma Software product, upload a document to the Installer Portal, purchase a Stroma Warranty product or contact us for technical support. We also obtain data from third parties. We protect data obtained from third parties according to the practices described in this statement, plus any additional restrictions imposed by the source of the data. These third party sources vary over time, but have included:
You have control over the data we collect and if asked to provide personal data you have the option to decline. However, if certain data is required to provide a specific Stroma service or product, you may not be able to access that service or product. The data we collect depends on the context of your interactions with Stroma and the products and services you use. The data we collect can include the following:
Stroma may process ‘Account Data’ when you apply or request a quote for one of our services. We collect your first and last name, email address, postal address, phone number and other similar contact data via you or your employer. The account data collected will be in accordance with the business relationship between Stroma and the individual or company in order to fulfil contractual requirements.
We collect data about you such as your age, gender, country and preferred language.
We collect data necessary to process your payment if you make purchases, such as your payment instrument number (such as a credit card number), and the security code associated with your payment instrument.
We may process data about your use of our website and services, referred to as ‘usage data’. The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use.
We also collect information you provide to us and the content of messages you send to us, such as feedback and product reviews you write, or questions and information you provide for technical support. When you contact us, such as for technical support, phone conversations with our representatives may be monitored and recorded.
Product-specific sections below describe data collection practices applicable to the use of those products.
Stroma have detailed in this section the following key elements of how we will use personal data:
The purpose for using the data we collect is either to operate our business and provide the services we offer; to send communications (including promotional communications) or to exercise the terms of a specific contract made with a client or member.
Each client or member of the Stroma Group has an account created within our internal CRM system. We use your Account Data to provide the services we offer and perform essential business operations. This includes quoting for our services, providing those services, conducting research and providing technical support:
The legal basis for this processing is our legitimate interests, namely the proper administration of our website and business.
Stroma may process information relating to transactions, including purchases of software products and services, that you enter into with us and/or through our website, and is referred to as ‘transaction data’. The transaction data may include your contact details, your credit/debit card details and the transaction details. The transaction data may be processed for supplying the purchased products and services and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely our interest in the proper administration of our website and business.
We use data we collect to communicate with you. For example, we may contact you by phone or email or other means to offer a quotation for relevant services within the Stroma Group, advertise forthcoming training courses, send industry news and newsletters, inform you of regulatory changes, update you or enquire about a service request, invite you to participate in a survey, or request information relating to the status of an ongoing project. Additionally, you can sign up for email subscriptions and choose whether you wish to receive promotional communications from Stroma by email, post and telephone.
We process your data to analyse the use of our website and for business intelligence. This is done via Google Analytics to monitor and improve our website for all visitors and to report on the performance of our website. Further information can be found in our Cookies section. The legal basis for this processing is our legitimate interests.
Stroma may process any of your personal data identified in the other provisions of this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others. Please do not supply any other person's personal data to us, unless we prompt you to do so.
We share your personal data with your consent or as necessary to provide any service you have requested or authorised. For example, we share your data with third parties when you tell us to do so, such as when you request a quotation for Stroma Insurance or Stroma Warranty. When you provide payment data to make a purchase, we will share payment data with banks and other entities that process payment transactions or provide other financial services and for fraud prevention and credit risk reduction. Please note that some of our websites include links to the websites of third parties whose privacy practices differ from Stroma's. If you provide personal data to any of those products, your data is governed by their privacy statements.
You can request access to your personal data by completing the online form or by downloading and completing the paper based form under Section 1.2 Right of Access on the following webpage: https://www.stroma.com/data-protection.
You can make a request to rectify your personal data by completing the relevant form under Section 1.3 Right to Rectification on the following webpage: https://www.stroma.com/data-protection.
You can make a request to erase your personal data by completing the relevant form under Section 1.4 Right to Erasure on the following webpage: https://www.stroma.com/data-protection.
You can choose whether you wish to receive promotional communications from Stroma by email, postal mail and telephone. If you receive promotional email messages from us and would like to opt out, you can do so by following the directions in those messages. These choices do not apply to mandatory service communications that are part of certain Stroma services, or to surveys or other informational communications that have their own unsubscribe method.
Stroma ensures that data is managed in line with the latest Data Protection legislation and the General Data Protection Regulation (GDPR) to deliver the following rights. Further details on the remaining 8 individual rights are published on the Stroma website.
Upon receipt of a written request, we will provide stakeholders and employees with a report showing what data is held on them. This will be provided within 30 days of the request’s receipt.
Upon receipt of a written request, we will amend any inaccurate information held on stakeholders and employees within 30 days of the request’s receipt.
Upon receipt of a written request, Stroma will delete the information held on stakeholders and employees within 30 days of receipt. Where there is a clear reason for this data to remain on Stroma records this reason will be given to the individual in writing.
This policy statement has been endorsed and approved by:
Mr Martin Holt
Stroma Group Chief Executive Officer
8th May 2019