Privacy Policy

Key terms

We take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

When we collect, store, use and share your personal data we are subject to the UK General Data Protection Regulation (UK GDPR). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to services we offer in the European Economic Area (EEA).

Key terms

The following table explains some key terms used in this privacy policy:

“We”, “us”, “our”

IDGateway Limited (Company number 07918726) a company incorporated in England having its principal place of business at 33 Hercules Way, Farnborough GU14 6UU, and in the context of this privacy policy trading as VettingGateway.

We are registered with the Information Commissioner’s Office (registration number ZA009795).

For the purposes of data protection legislation we act as either a data controller or as a data processor, depending on the particular services we are providing to you or on the nature of our relationship with you.

“you” or “your”

This policy applies to the following categories of data subject:

1. Marketing prospects

2. Potential customers

3. Subscribed customers

4. Individuals who make use of or connect with our Services

5. Employees of IDGateway Limited

6. Potential employees of IDGateway Limited (ie job applicants)

7. Supplier contacts

8. Visitors to our website

“Personal data”

Any information relating to an identified or identifiable individual.

“Special category personal data”

Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership; or

Genetic data; or

Biometric data (where used for identification purposes); or

Data concerning health or sexual orientation.

“Data subject”

The identified or identifiable individual who the personal data relates to.

Personal data we collect about you

The personal data we may collect about you depends on the particular services we are providing to you or on the nature of our relationship with you. We may collect, store, use and share some or all of the following personal data about you:

Identity information including forenames, middle names, last names, maiden names, usernames or similar identifiers, gender, nationality, place and date of birth, any previous names and National Insurance number;
Information relating to your right to work in the UK;
Contact details including phone numbers and email addresses;
Job titles;
Current address and address history;
Copies of identification documents in relevant combinations in order to meet background checking or employment criteria, which may include but are not limited to your driving licence, passport, birth certificate, bank statements, council tax statements or other utility bills;
Current employment and/or previous employment details, including names, job titles and contact details of referees;
Current and/or previous educational details including where you studied, the qualifications and grades you achieved, and names, job titles and contact details of educational referees;
Details of personal and/or character referees including their names, job titles and contact details;
Information about how you use our website, IT, communication and other systems;
Details of IP addresses and other identifiers;
Criminal record history;
Bank details, billing information, transaction and payment card information;
Professional online presence, eg LinkedIn profile;

Personal data is collected, stored, used and shared in accordance with one or more legal basis described below under “How and why we use your personal data“. Where the legal basis requires your consent but you do not provide this, or where you do not provide the personal data we ask for, this may delay or prevent us from providing services to you and/or fulfilling our contractual obligations.

How your personal data is collected

How we collect your personal data depends on the particular services we are providing to you or on the nature of our relationship with you. In most cases we collect your personal data directly from you via our interactions with you. For example, we may collect your personal data directly from you through forms on our website, or by telephone, email or other communication methods. However, we may also collect information:

from marketing list providers;

from a third party with your consent, eg referees;
from direct recruitment campaigns;
from employer to employee interactions;
from business to business (B2B) interactions;
directly from a third party, eg customer due diligence providers;

from publicly accessible sources, eg Companies House;
using cookies on our website.

How and where we store your personal data

How and where we store your personal data depends on the particular services we are providing to you or on the nature of our relationship with you. Personal data is stored and accessed by us by using either:

our 3rd party cloud hosting service provider, Amazon Web Services (AWS). The AWS data centres which we use are located in either the United Kingdom or the European Economic Area (EEA);

our client relationship management (CRM) systems;
our third party service providers, whose data centres are located in either the United Kingdom or the European Economic Area (EEA);
our third party human resource (HR) management platforms eg payroll and absence recording solutions, whose data centres are located in either the United Kingdom or the European Economic Area (EEA);
other third party software management tools eg Microsoft Office or Google analytics;
Secure (on site) physical storage at our offices in the United Kingdom.

How and why we use your personal data

Under data protection law, we can only use your personal data if we have a lawful basis to do so, which may be any of the following:

a. Consent: you have given clear consent for us to process your personal data for a specific purpose.

b. Contract: the processing is necessary for a contract we have with the Client

c. Legal/Regulatory obligation: the processing is necessary for us to comply with the law (not including contractual obligations) or regulation.

d. Vital interests: the processing is necessary to protect someone’s life.

e. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

f. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a 3rd party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

Except where we act as a data processor on behalf of our clients, we (as the data controller) determine the lawful basis for use of your personal data under the UK GDPR or the EU GDPR.

The following personal data we may use is treated as a special category, to which certain additional protections apply under data protection law:

personal data revealing racial or ethnic origin,
data concerning health

Where we use such special category personal data, we will also ensure we are permitted to do so under applicable data protection laws, eg where:

we have your explicit consent;
the processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or

the processing is necessary to establish, exercise or defend legal claims.

We may also process criminal record data with your consent. When we process such data we do so in accordance with the Data Protection Act 2018 (Schedule 1, Part 1) because the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Client or the data subject in connection with employment, social security or social protection.

Use of your personal data for marketing

Depends on the particular services we are providing to you or on the nature of our relationship with you, we may use your personal data to send you updates (by email, text message, telephone or post) about our services, including exclusive offers, promotions or new products and/or services (marketing communications).We rely on either legitimate interest or your consent when using your personal data for marketing purposes (see above ‘How and why we use your personal data’). This means we may not always rely on your consent alone to send you marketing communications.

You have the right to opt out of receiving marketing communications at any time by either:

using the ‘unsubscribe’ link in emails;
updating your marketing preferences on the VettingGateway platform; or
contacting us at dataprotection@idgateway.co.uk.

We may ask you to confirm or update your marketing preferences if you ask us to provide further services to you in the future, or if there are changes in the law, regulation, or the structure of our business.

We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.

Who we share your personal data with

We may share your personal data with third parties we use to help us run our business, eg:

a. our 3rd party cloud hosting service provider;

b. our client relationship management (CRM) systems;

c. our third party service providers;

d. our third party human resource (HR) management platforms eg payroll and absence recording solutions;

e. other third party software management tools;

We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. Where appropriate, we also impose contractual obligations on them to ensure that they can only use your personal data to provide services to us.

We or the third parties mentioned above may occasionally also share personal data with:

external auditors, eg in relation to the audit of accounts, in which case the recipient of the information will be bound by confidentiality obligations;

professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
law enforcement agencies, courts, tribunals and regulatory bodies to comply with legal and regulatory obligations;

If you would like more information about who we share our data with and why, please contact us by email (see ‘How to contact us’ below).

How long your personal data will be stored

We will not store your personal data for longer than we need it for the purpose for which it is used.

We follow the UK GDPR principles of purpose limitation, data minimisation and storage limitation to ensure personal data is controlled lawfully and not stored for longer than it is required.

Transferring your personal data out of the UK but inside the EEA

We may need to transfer your personal data to sources out of the UK but inside the EEA depending on the particular services we are providing to you or on the nature of our relationship with you. For example, if you are a referee of an applicant being background-checked using VettingGateway services, we will transfer your personal data to the country where our web and data hosting services are located. . In such cases we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.

We do not transfer your personal data to any sources outside the UK and the EEA.

If you would like further information about data transferred outside of the UK but inside the EEA then please contact our Data Protection Officer (see ‘How to contact us’ below).

Our use of cookies

A cookie is a small text file which is placed onto your device (eg computer, smartphone or other electronic device) when you use our website or access VettingGateway. These cookies help us recognise you and your device and store some information about your preferences or past actions.

Your rights as a data subject

You have the following rights, which you can exercise free of charge:

Access

The right to be provided with a copy of your personal data

Rectification

The right to require us to correct any mistakes in your personal data

Erasure (also known as the right to be forgotten)

The right to require us to delete your personal data—in certain situations

Restriction of processing

The right to require us to restrict processing of your personal data in certain circumstances, eg if you contest the accuracy of the data

Data portability

The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations

To object

The right to object:

—at any time to your personal data being processed for direct marketing (including profiling);

—in certain other situations to our continued processing of your personal data, eg processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims

Not to be subject to automated individual decision making

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

The right to withdraw consents

If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time

Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn

If you exercise any of the above rights, it may (depending on the circumstances) delay or prevent us from providing services to the client, and/or fulfilling our contractual obligations.

If you would like to exercise any of the above rights, please:

Utilise functionality available on the VettingGateway platform; or
Contact us by email—see below: ‘How to contact us’ providing enough information to identify yourself (eg your full name, address and date of birth) and any additional identity information we may reasonably request from you. Please also let us know what right you want to exercise and the information to which your request relates.

For more information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below) or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights.

How we keep your personal data secure

We maintain appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How to complain

Please contact us by email if you have any queries or concerns about our use of your personal data (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with the Information Commissioner in the UK who may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.

Changes to this privacy policy

This privacy notice was last updated on 5th June 2023.We may change this privacy notice from time to time. When we do we will inform you via our website or, where appropriate, other means of contact such as email.

How to contact us

You can contact us by email at dataprotection@idgateway.co.uk by if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.