Stroma Certification is committed to safeguarding the personal data of our clients, members, staff and stakeholders in line with the requirements of the Data Protection Act. This page is currently under development to demonstrate our compliance with the General Data Protection Regulation (GDPR).
If you have any questions about how we process personal data, please contact our Data Protection Officer on:
Email: dataprotection@stromacert.com
Telephone: 0330 124 9660
Post: Stroma Certification, 1 Silkwood Park, Fryers Way, Wakefield, WF5 9TJ
This section sets out the General Data Protection Regulation (GDPR) rights for individuals and how Stroma Certification will ensure compliance.
Legal Basis
Stroma Certification has reviewed the lawful basis for processing personal data under the General Data Protection Regulation. Stroma Certification have determined that the following lawful bases are applicable for the processing of personal data:
These have been selected based on the purpose and relationship with the individual in accordance with the Stroma Certification business activities. Stroma Certification have also documented our lawful basis for processing as well as the purposes of the processing within our Privacy Policy.
Each of the 8 GDPR individual rights (see below) is detailed in the following sections of this page, along with the ‘at a glance’ statement from the Information Commissioner’s Office and an explanation of how Stroma Certification will apply them to our business activities:
Stroma Certification will ensure that everyone is informed about how we will use the data that they are providing us with. The key requirements of this are:
Individuals have the right to be informed about the collection and use of their personal data
Stroma Certification will only collate personal data for specific business purposes, for example: for the use of training and certification purposes, and for no other reason. The information collected will be for the specific agreed purpose and will not be used for any other reason. Only under the specific requirements will information be passed onto an external third party, for example: if part of the business relationship or requested by the individual.
Stroma Certification must provide individuals with information, including our purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
The information collected will be for the specific agreed purpose and will not be used for any other reason. Only under the specific requirements will information be passed onto an external third party, for example: if part of the business relationship or requested by the individual.
Stroma Certification will retain your personal details for as long as there is a relationship in place, for example: when a signed agreement is in place between Stroma Certification and yourself. Where this agreement is no longer in place – i.e. if it has been terminated or withdrawn – Stroma Certification will retain this information in accordance with the specific requirements, typically for a minimum of 7 years. After this time, Stroma Certification will delete all personal data.
We must provide privacy information to individuals at the time we collect their personal data from them
Stroma Certification operates our ‘Privacy Policy’, which is available on the Stroma Certification website. Where applicable, it is referenced in our customer-facing documentation. For example, a statement concerning privacy is also included within each training and certification application form.
If we obtain personal data from other sources, we must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. Stroma Certification generally obtains personal data from submissions made directly by the person to whom the data applies. In circumstances where we obtain data from third-party sources (e.g. a construction database) we will process this data in conjunction with one of the GDPR’s legal bases for processing.
There are a few circumstances when we do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
Stroma Certification will provide personal information based on a request being received; however, the request will be reviewed to determine its validity. Stroma Certification may not provide this information; in these instances, the person requesting the data will be informed of the reason, which will be in accordance with the GDPR requirements.
The information we provide to people must be concise, transparent, intelligible, and easily accessible, and it must use clear and plain language.
Stroma Certification will ensure that all information concerning privacy and personal data is easy to understand and follow. Stroma Certification will also ensure that where required, the information will be made available in a format that can be understood by all, e.g. increased font size, font type or format.
Stroma Certification wants to ensure that everyone needing to be informed of GDPR has access to the content in a format that is easy for them to understand. Please refer to Section 3.0 for how you can contact Stroma Certification to request any alternatives or to raise any questions.
It is often most effective to provide privacy information to people using a combination of different techniques, including layering, dashboards, and just-in-time notices.
Stroma Certification operates our ‘Privacy Policy’ which is available on the Stroma Certification website, and, where applicable, it is referenced in our customer-facing documentation, for example: a statement concerning privacy is also included within each training and certification application form.
Stroma Certification will ensure that all communications concerning GDPR are issued internally and externally through posts on applicable dashboards, websites, email or post.
User testing is a good way to get feedback on how effective the delivery of your privacy information is.
Where appropriate, Stroma Certification will seek feedback on the effectiveness of our privacy information from clients and members.
We must regularly review, and where necessary update, our privacy information. We must bring any new uses of an individual’s personal data to their attention before we start the processing.
Stroma Certification will conduct reviews concerning privacy and data protection as part of our internal Management Review Meetings. Where data is to be used for different purposes than previously agreed, Stroma Certification will communicate this to the affected person(s) and explain the change in use. In these instances, and where not restricted by, for example, certification scheme requirements, the person(s) will be given the opportunity to be removed from our records, and their personal data will therefore not be used.
Due to the nature of Stroma Certification’s business activities, changes in use of personal data will only happen under instruction from the appropriate body, for example, the applicable training or certification through which this is being undertaken.
Stroma Certification will ensure that all individuals have the right to access their personal data and supplementary information. The right to access allows individuals to be aware of and verify the lawfulness of the processing.
What Information are you entitled to under the GDPR?
Under the GDPR, individuals will have the right to obtain the following from Stroma Certification:
Confirmation that their data is being processed.
Access to their personal data.
Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
What is the purpose of the right of access under GDPR?
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
Can we charge a fee for dealing with a subject access request?
Stroma Certification will provide a copy of the information free of charge; however, Stroma Certification may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Stroma Certification may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that Stroma Certification can charge for all subsequent access requests.
The fee must be based on the administrative cost of providing the information. Each application for information will be treated on an individual basis, and Stroma Certification will communicate any fees payable to the person requesting the information.
How long do we have to comply?
Stroma Certification will ensure that all information is provided without delay and will be issued within one month of receipt.
Stroma Certification can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, Stroma Certification will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
What if the request is manifestly unfounded or excessive?
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, Stroma Certification can:
Charge a reasonable fee taking into account the administrative costs for providing the information.
Refuse to respond.
Where Stroma Certification refuses to respond to a request, we will explain why this is the case to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
How should the information be provided?
Stroma Certification must verify the identity of the person making the request using reasonable means to do this. If the request is made electronically, Stroma Certification will provide the information in a commonly used electronic format.
Stroma Certification will submit the personal information directly to the person submitting the request using the means of communication they have specified in the request. Stroma Certification is not able to provide a secure self-service system to provide the information to the individual. Not having remote access to such a secure system will not adversely affect the rights and freedoms of others, as Stroma Certification will ensure that personal data is provided as agreed with the individual to meet their requirements.
What about requests for large amounts of personal data?
Where Stroma Certification processes a large quantity of information about an individual, the GDPR permits us to ask individuals to specify the information the request relates to.
The GDPR does not include an exemption for requests that relate to large amounts of data, but Stroma Certification may be able to consider whether the request is manifestly unfounded or excessive. In these instances, Stroma Certification will communicate this to the individual concerned to ensure that they are kept informed.
How does an Individual make a Subject Access Request?
Stroma Certification will accept a Subject Access Request from an individual using one of the following methods:
Online Form - https://group.stroma-form.com/view.php?id=15322
Post - Using a paper-based form available here and posted to 6 Silkwood Park, Fryers Way, Wakefield, WF5 9TJ
Email - Using a paper-based form available here and emailed to dataprotection@stromacert.com.
Stroma Certification will confirm receipt of the submitted request within 72 hours of receipt, and we will process the request in accordance with the above requirements.
If you have any questions concerning the subject access request process, please contact us by calling 0330 124 9660 or emailing dataprotection@stromacert.com.
The GDPR gives individuals the right to have personal data held by Stroma Certification rectified. Personal data can be rectified if it is inaccurate or incomplete.
When should personal data be rectified?
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If Stroma Certification has disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If asked to, Stroma Certification will also inform the individuals about these recipients.
How long do we have to comply with a request for rectification?
Stroma Certification will respond within one month to a request for rectification. This can be extended by two months, where the request for rectification is complex.
Where Stroma Certification is not taking action in response to a request for rectification, we will explain why to the individual and inform them of their right to complain to the supervisory authority and to a judicial remedy.
How does an Individual submit a Rectification request?
Stroma Certification will accept a Rectification Request from an individual using one of the following methods:
Online Form – https://group.stroma-form.com/view.php?id=12978
Post - Using a paper-based form available here and posted to 6 Silkwood Park, Fryers Way, Wakefield, WF5 9TJ
Email - Using a paper-based form available here and emailed to dataprotection@stromacert.com.
Stroma Certification will confirm receipt of the submitted request within 72 hours of receipt, and we will process the request in accordance with the above requirements.
If you have any questions concerning the rectification request process, please contact us by calling 0330 124 9660 or emailing dataprotection@stromacert.com.
Stroma Certification will comply with the requirement of the right to erasure, also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
When does the right to erasure apply?
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
When the individual withdraws consent
When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
The personal data has to be erased in order to comply with a legal obligation
The personal data is processed in relation to the offer of information society services to a child
Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress; however, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
Stroma Certification is aware that there are some specific circumstances where the right to erasure does not apply and that we can refuse to deal with a request.
When can we refuse to comply with a request for erasure?
Stroma Certification can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
To exercise the right of freedom of expression and information
To comply with a legal obligation for the performance of a public interest task or exercise of official authority
For public health purposes in the public interest
For archiving purposes in the public interest, scientific research, historical research or statistical purposes
The exercise or defence of legal claims
Does Stroma Certification have to tell other organisations about the erasure of personal data?
If Stroma Certification has disclosed the personal data in question to others, we will contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, Stroma Certification will also inform the individuals about these recipients.
Stroma Certification undertakes activities in the online environment and makes personal data public, and we are aware that we will need to inform other Organisations who process the personal data to erase links to, copies or replication of the personal data in question.
While this might be challenging where Stroma Certification processes personal information online (for example, on social networks, forums or websites), we will endeavour to comply with these requirements. There may be instances where Organisations that process personal data may not be required to comply with this provision because an exemption applies.
How does an Individual submit a Right to Erasure request?
Stroma Certification will accept a Right to Erasure Request from an individual using one of the following methods:
Online Form - https://group.stroma-form.com/view.php?id=14053
Post - Using a paper-based form available here and posted to 6 Silkwood Park, Fryers Way, Wakefield, WF5 9TJ
Email - Using a paper-based form available here and emailed to dataprotection@stromacert.com.
Stroma Certification will confirm receipt of the submitted request within 72 hours of receipt, and we will process the request in accordance with the above requirements.
If you have any questions concerning the right-to-erasure request process, please contact us by calling 0330 124 9660 or emailing dataprotection@stromacert.com.
Stroma Certification will comply where the individuals have a right to ‘block’ or suppress the processing of personal data. When processing is restricted, Stroma Certification are permitted to store the personal data, but not further process it. Stroma Certification can retain just enough information about the individual to ensure that the restriction is respected in future.
When does the right to restrict processing apply?
Stroma Certification will be required to restrict the processing of personal data in the following circumstances:
Where an individual contests the accuracy of the personal data, Stroma Certification will restrict the processing until we have verified the accuracy of the personal data
Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our Organisation’s legitimate grounds override those of the individual
When processing is unlawful and the individual opposes erasure and requests restriction instead
If we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim
If Stroma Certification has disclosed the personal data in question to others, we must contact each recipient and inform them of the restriction on the processing of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, Stroma Certification must also inform the individuals about these recipients.
Stroma Certification must inform individuals when we decide to lift a restriction on processing.
Stroma Certification will comply with the right to data portability which allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without hindrance to usability.
When does the right to data portability apply?
The right to data portability only applies:
To personal data an individual has provided to a controller
Where the processing is based on the individual’s consent or for the performance of a contract
When processing is carried out by automated means
How do we comply?
Stroma Certification will provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other Organisations to use the data.
The information will be provided by Stroma Certification free of charge.
If the individual requests it, Stroma Certification may be required to transmit the data directly to another Organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other Organisations.
If the personal data concerns more than one individual, Stroma Certification must consider whether providing the information would prejudice the rights of any other individual.
How long do we have to comply?
Stroma Certification will respond without undue delay and within one month.
This can be extended by two months where the request is complex or Stroma Certification receives a number of requests. Stroma Certification will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Where Stroma Certification are not taking action in response to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
Stroma Certification will comply with the requirements of the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), and to direct marketing (including profiling).
How do we comply with the right to object if we process personal data for the performance of a legal task or our Organisation’s legitimate interests?
Individuals must have an objection on “grounds relating to his or her particular situation”.
Stroma Certification will stop processing personal data unless:
We can demonstrate compelling legitimate grounds for the processing of personal data which override the interests, rights and freedoms of the individual
The processing of personal data is for the establishment, exercise or defence of legal claims.
Stroma Certification informs all individuals of their right to object “at the point of first communication”. For example, this is included on the Stroma Certification website, in all application forms and in our Privacy Policy document.
Stroma Certification ensures that this is explicitly brought to the attention of the data subject and is to be presented clearly and separately from any other information.
How do we comply with the right to object if we process personal data for direct marketing purposes?
Stroma Certification will stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.
Stroma Certification will deal with an objection to processing for direct marketing at any time and free of charge.
Stroma Certification informs all individuals of their right to object “at the point of first communication”. For example, this is included on the Stroma Certification website, in all application forms and in our Privacy Policy document.
Stroma Certification ensures that this is explicitly brought to the attention of the data subject and is to be presented clearly and separately from any other information.
How do we comply with the right to object if we process personal data for research purposes?
Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.
If Stroma Certification is conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
How do we comply with the right to object if our Organisation’s processing activities fall into any of the above categories and are carried out online?
Stroma Certification offers a way for individuals to object online.
Current Data Protection law gives Data Subjects the right to update and change their permissions at any time to specify how Stroma Certification may contact them. To change your preferences, please complete this form, or email our Data Protection Officer at dataprotection@stromacert.com.
Stroma Certification will comply with the Rights in relation to automated decision-making and profiling, where the GDPR has provisions on:
Automated individual decision-making (making a decision solely by automated means without any human involvement)
Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process
The GDPR applies to all automated individual decision-making and profiling
Article 22 of the GDPR has additional rules to protect individuals if Stroma Certification are carrying out solely automated decision-making that has legal or similarly significant effects on them
Stroma Certification can only carry out this type of decision-making where the decision is:
Necessary for the entry into or performance of a contract
Authorised by Union or Member state law applicable to the controller
Based on the individual’s explicit consent
Stroma Certification must identify whether any of our processing falls under Article 22 and if so, make sure that we:
Give individuals information about the processing.
Introduce simple ways for them to request human intervention or challenge a decision.
Carry out regular checks to make sure that our systems are working as intended.
Does Stroma Certification carry out Profiling activities?
Stroma Certification only carries out profiling activity in terms of Google Analytics. This records data (i.e. Cookies) regarding the use of our website (including the time spent on the website and in some circumstances, the individual’s IP address). This information is solely collected for internal analysis to improve the performance of our website and its relevance to the customer.
Full information about how Stroma Certification uses cookies and how to control what cookies are set on your device through the Stroma Certification website can be found on our website.
Google Signals
If you have a Google user account and have consented with Google that they may collect visitation information from the sites you visit, then some Stroma Certification websites may use this information for the purpose of performance tracking on our website. This information can include end-user location, search history, YouTube history and data from sites that partner with Google. Stroma Certification is able to use this to collect anonymised insights into your cross-device behaviours. This feature can only be enabled if you consent with Google and can be deactivated at any time using the My Activity section of your Google account.
The Stroma Certification Privacy Policy and Data Protection Policy are available to view on our website.
If you require any further details on GDPR and how this affects your rights, please contact the following for further information:
Email - dataprotection@stromacert.com
Telephone - 0345 621 1111
Writing - 1 Silkwood Park, Fryers Way, Wakefield, WF5 9TJ
Information Commissioner’s Office
This policy statement has been endorsed and approved by:
Andrew Parkin
Stroma Certification Managing Director
27th January 2023