This Privacy Notice informs you of our privacy practices and of the choices you can make and rights you can exercise in relation to your personal data, including information that may be collected from your online activity and interactions you have with us offline. This Privacy Statement applies to Goodwin PLC and its subsidiary companies (collectively “Goodwin Group”). Goodwin PLC is the Data Controller, a company registered in England with number 305907 with its registered office address at Ivy House Foundry, Ivy House Road, Stoke-on-Trent, Staffordshire, ST1 3NR, United Kingdom. Questions, comments and requests regarding this privacy statement are welcomed and should be addressed to our appointed Data Protection Officer (DPO):

    Data Protection Officer
    privacy@goodwingroup.com – 01782 220000
    Goodwin PLC, Ivy House Road, Hanley, Stoke-on-Trent, ST1 3NR, United Kingdom

All communications will be treated confidentially. Upon receipt of your communication, our representative will contact you within a reasonable time to respond to your questions or concerns. We aim to ensure that your concerns are resolved in a timely and appropriate manner.

This Privacy Notice may be published in a number of languages. In case of inconsistencies between any translations and the English version of the Privacy Statement, the English version will prevail.

 

Retaining Your Data

In most circumstances your data will not be retained for more than 6 years from the last point at which we provided any services or otherwise engaged with you and it is our policy to only store your personal data for as long as is reasonably necessary for us to comply with our legal obligations and for our legitimate business interests. However, we may retain data for longer than a 6 year period where we have a legal or contractual obligation to do so, or we form the view that there is otherwise a continued basis to do so, we have a compelling reason to do so, or we are subject to a legal obligation which applies for a longer period.

 

Disclosure of Your Information

We may disclose your personal information to any member of our group when appropriate, which includes our subsidiaries as defined in section 1159 of the UK Companies Act 2006, only when appropriate and required for legitimate business purposes.

In the event of a sale, merger, liquidation, receivership or the transfer of all or part of our assets to a third party, we may need to transfer your information to a third party. Any such transfer will be subject to the agreement of the third party to this Privacy Notice and any processing being only in accordance with this Privacy Notice.

 

Data Security and Confidentiality

To prevent loss, unauthorised access, use or disclosure and to ensure the appropriate use of your information, we utilise reasonable and appropriate physical, technical, and administrative procedures to safeguard the information we collect and process. We retain data as required and permitted by law and while the data continues to have a legitimate business purpose. When collecting, transferring or storing sensitive information such as financial information we use a variety of additional security technologies and procedures to help protect your personal data from unauthorised access, use, or disclosure. When we transmit highly-confidential information over the internet, we protect it through the use of encryption. As part of real-time payment processing, we also subscribe to fraud management services. These services provide us with an extra level of security to guard against credit card fraud and to protect your financial data in accordance with industry standards.

 

Your Rights

You have the right to ask us for a copy of any personal data that you have provided to us or that we maintain about you and to request an explanation about the processing; and to obtain the personal data you provide with your consent or in connection with a contract in a structured, machine readable format and to ask us to transfer this data to another data controller. In addition, you have the right to withdraw any consent previously granted or to request rectification or erasure of your personal data, or to request a restriction on the processing of your personal data.

In certain cases, these rights may be limited, for example if fulfilling your request would reveal personal data about another person or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests to keep this information. You also have the right to object to the processing of your personal data in some circumstances, in particular when we are using your data for direct marketing. To exercise your rights, or if you have any questions or concerns about our Privacy Statement, our collection and use of your data or a possible breach of local privacy laws, you can contact or write to our Data Protection Officer (see contact details above).

 

Complaints and Queries

Goodwin Group tries to meet the highest standards when collecting and using personal information. For this reason we take any complaints we receive about this very seriously. We encourage people to bring it our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. This privacy notice was drafted with brevity and clarity in mind and does not provide exhaustive detail of all aspects of our collection and use of personal information.

If you are unhappy about the way we use your personal data or the way in which we respond to your request to exercise your data protection rights, you can contact the Data Protection Officer at Goodwin PLC but you also have the right to lodge a complaint with a supervisory authority, the Information Commissioner at the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

 

Access to Personal Information

Goodwin Group tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘Data Subject Access Request’ under the EU General Data Protection Regulation 2018. If we do hold information about you, subject to verifying your identity, we will: (a) give you a description of it; (b) tell you why we are holding it; (c) tell you who it could be disclosed to; and (d) let you have a copy of the information in an intelligible form. To make a request to Goodwin PLC for any personal information we may hold you need to put the request in writing addressing it to our Data Protection Officer. If we do hold information about you, you can ask us to correct any mistakes by contacting our Data Protection Officer.

 

Changes to our Privacy Policy

If we modify our Privacy Statement, we will post the revised statement on our website, with an updated revision date. This Privacy Notice was last updated on 25th May 2018.

 

Website Visitors

Website Contact Forms

Information entered voluntarily into Goodwin Group website contact forms (typically enquiries about products, services or employment opportunities), will be directed to the appropriate company representatives in order for them to respond. If you contact us, we may send you an automatic acknowledgement of your request and we may keep a record of this correspondence. If you report a problem with one of our websites we may contact you for further information about the reported problem. This information is not processed by or shared with any third parties.

 

Website Analytics

Goodwin Group websites use both internally deployed software and third party services, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow these service providers to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it. Our website analytics data is retained for 50 months.

 

Website Live Chat

Some of the Goodwin Group websites and internal systems may from time to time provide a ‘live chat’ feature enabling a real-time dialogue with a company representative and for this some third party services are used. Information processed by these services includes name, email address, IP address, approximate geographic location (city and country), real-time browsing activity on the same website the conversation was initiated, and a full conversation transcript including dates and times.

 

I.T. Network Security and Reliability

We process the IP addresses of all inbound and outbound connections to and from our corporate I.T. infrastructure for the purpose of ensuring network security and reliability (this will include visitors to our websites). Suspicious network activity will be investigated and malicious activity may be reported to the Police for further investigation at our discretion, to security product vendors when appropriate to improve the capability of their products in the detection and prevention of attacks, and may be published to information security forums as Indicators of Compromise (IoCs) to the benefit of all participants.

 

Mailing List Subscribers

Email Marketing

Some of our subsidiary companies use third party service providers to deliver electronic newsletters. The information we process for mailing lists includes individual names and the companies they work for along with associate email and postal addresses and telephone numbers, on the legal basis of written or verbal consent. You may withdraw your consent to our processing of your personal data by unsubscribing to the mailing list. We gather statistics around email opening and clicks using industry standard technologies including image tracking to help us monitor and improve our e-newsletters.

 

Customers

Order Details and Payment Information

When customers (businesses and individuals) place orders with Goodwin Group companies, this information is processed in the UK, and know-your-customer compliance takes place, for which a data processing agreement is held, such data being kept proportionate to the business continuity.

 

Visitors and Employees at our Business Premises

Visitor Identification

Visitors to Goodwin Group business premises may be required to sign-in upon arrival and sign-out upon departure, so that in the event of a fire evacuation we have a record of visitors on-site in accordance with our Health and Safety at Work Act 1974 Section 3 statutory duty to ensure so far as reasonably practicable, the health, safety and welfare at work of all who are not in our employment but who may be affected by the activities of our undertaking, including visitors. The information we process includes the name and company of the visitor, the employee name or department whom they are visiting, their vehicle registration number (if applicable) and the date and time they sign-in and out.

 

Vehicle Identification

Vehicle registration information is requested for the legitimate interest of ensuring we are able to contact the owner/driver in the event of an issue relating to their vehicle or where it is parked while on Goodwin Group business premises, for example if it is obstructing the turning space required for a long vehicle, double-parked where available parking is limited, or to inform the driver in the event of discovering they have left their headlights on or the vehicle left unsecured.

When an electronic system is used to capture visitor and vehicle information, the information may be stored electronically at the premises concerned and/or stored on private servers located within the UK, for a time proportionate to business need.

 

Recorded CCTV Video Footage

CCTV recording cameras and equipment are installed at Goodwin Group business premises, internally for the legitimate business interest of ensuring a safe working environment, and externally for the legitimate business interest of preventing (as a deterrence) and detecting crime (including identifying individuals engaged in criminal activity such as theft), a risk reduction control required by our insurers. The CCTV data is used and kept only to fulfil this original purpose, stored securely. Individuals have the right to request a copy of any CCTV footage in which they are in focus and/or clearly identifiable, they will need to provide details of which camera, location, date and times in order for the CCTV operator to locate the recording requested. CCTV data is retained for 3 months, except in the event of a security or health and safety incident when relevant records are then retained indefinitely as evidence.

 

Job Applicants

Recruitment

Personal information of job applicants processed as part of our recruitment process, a legitimate business purpose, includes name, contact details, date of birth, employment history, education history, details of qualifications and skills, identity information including VISA and right-to-work information, contact details of references, personal information relating to hobbies, interests and pastimes volunteered by the applicant, equal opportunities information. Depending on the specific positions advertised we may at our discretion choose to advertise available roles using third party recruitment companies, for example, those which target specific subject areas of specialism. Before you express interest in an advertised position or submit an application to an advertised position using a third party website, please note that these companies have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Business Administration

Personal information processed as part of a statutory obligation includes names, addresses, and contact details of company directors, secretaries, shareholders, and copies of shareholder agreements. Shareholder information is processed through Data Processors with whom GDPR data privacy agreements are held.

 

Current and Former Employees

Employee Administration

Personal information processed of employees includes individual name, home address, telephone number, birth date, next of kin information including contact details for them, their initial application form, references and medical questionnaire/declaration, identification papers, residence and work permits, employment contracts, terms and conditions of employment, employee agreements and patent assignments, training records, grievances, discipline, leaver information, company administered life insurance and medical insurance policies, security clearances, disclosure and barring service checks, job titles, photographs (for health and safety needs), and details of car insurance cover for business purposes. Information used for the purpose of preparing wage slips, payment of salaries and arranging employment benefits pursuant to the contract of employment includes: bank details, National Insurance identification number (referred to as health insurance number in some countries), tax and employment benefit details, workplace pension arrangements, holiday booking, sickness and attendance records. Personal mobile and home telephone numbers are stored confidentially on the corporate phone system for use upon the invocation of our disaster recovery procedures. This information is kept strictly protected and held securely and may only be accessed by authorised persons.

 

Mobile Device Management

Mobile device information including telephone number (if applicable) for corporately owned and issued mobile devices is processed along with the employee name, and shared with the mobile telephony network operator for the duration the device is assigned to the employee. This is a contractual requirement imposed by the network operator which applies to all employees who are issued with a mobile device. This information is used for the legitimate business purpose of itemised billing.

 

Corporate Travel Information

Goodwin group employees who travel abroad as part of their employed responsibilities are encouraged to voluntarily submit personal information to be held by the company’s Internal Group Travel Agent and/or Company Secretary in case of emergency and for their safety. Information processed includes copies of passport and driving licence, high quality digital photograph, details of identifying marks and identifying possessions, details of credit cards which might need cancelling or replacing, home address, home telephone number, next of kin name and contact details, a list of dependencies and home responsibilities, a list of relevant medical conditions, the name and address of the employee’s General Practitioner (GP), a list of any medication taken regularly, a list of three proof-of-life questions and answers. This information may also be used in assisting employees with VISA applications and making travel arrangements such as booking flights and hotels when required.

 

Product Safety Assurance

Goodwin Group employees involved in the manufacture and/or inspection of integrity long design life products for critical life dependent service which require an assurance of health and safety functionality will be required to attest to the quality of their work with their individual name, relevant industry qualifications and signature. This information is contractually required by our customers but we also have a compelling reason to retain this information indefinitely and also to transfer it to the customers along with copies of qualification certificates because the qualification of the individual doing the work forms part of the product safety assurance.
The rights and freedoms of these employees are considered, and this information is retained on the legal basis of a legitimate interest, with adequate protection afforded when the information is shared with customers, for example, under EU-U.S. Privacy Shield participation when personal data is transferred to the U.S., or contractual equivalent.

 

Occupational Health Monitoring

Goodwin Group employees, depending on the risks involved in their designated workplace and role, may be subject to Occupational Health Surveillance in accordance with our Health and Safety at Work Act 1974 duty to ensure so far as reasonably practicable, the health, safety and welfare at work of all employees. We have a compelling reason to retain employment records, training and qualification records, and occupational health monitoring records for these employees, for at least 40 years following termination of employment, to act in any insurance claims that may arise any time in the future in connection with the employee or their work. We need to be able to process these records as required by insurers to either defend or prosecute claims. We may also be required to share some of these records with the Health and Safety Executive (HSE).