
Reward Risk Management Privacy Policy  

Overview

This statement applies to personal information (data) provided to Reward Risk Management Limited (RRM LTD/we/our) by our customers (you) in relation to the services we are contracted to provide. It sets out the data you are likely to provide, an overview of what we do with that data, and how we will look after it.

Personal information/Data

For the purposes of this statement, data is any information that includes the identity of a living individual, or from which a living individual can be identified in conjunction with other information we hold or could readily obtain. The type of information we are likely to hold about an individual includes employer, role, salary, bonus and other variable pay, benefits, work location, protected characteristics, and performance information. We may know the name of the role holder through information you have provided verbally or in writing or because we are able to identify the role holder.

Control of the data

You are the data controller and we are the data processor based on the arrangements set out in the contract we have with you.

    Using the data

    We process the data in order to provide services to you under the contract between us. The exact nature of this processing is dependent on the service(s) we are providing. We do not share the data with any third party except subcontractors we may be using to deliver services to you. Any subcontractors are contractually bound to the same duty of care. 

      Lawful basis

      Our lawful basis for processing the data is the contract we hold with you. We rely on you having a legal basis for processing the data and therefore for providing it to us to process on your behalf. In most cases you are likely to be processing the data because it is necessary for the performance of a contract you hold with the data subject, or to take steps in order to enter into that contract. Our service(s) are designed by us and each service starts life as a specification that focuses on functionality, privacy, and data protection. Your privacy and the security of the information you provide to us in the course of delivery of our services are important to us. Your information will only be used for the lawful purposes of the services we develop using information taken from user credentials, personal data fields required, database security including ‘Data at Rest’, pseudonymisation, aggregation, hosting and storage arrangements, to secure data transport protocols.

      Data Storage

      As a general rule, data will be held for a minimum of one year so you have data for audit purposes. Data provided for benchmarking services will be held for up to six years in order to provide the basis for statistical analysis, for example to map trends in average salaries, and for support in legal cases.

      Subject access rights

      You will be responsible for managing subject access requests. We will not respond directly to requests from the data subject and will refer these to you. Should you have a request that affects the data we hold, we will cooperate with you and use reasonable business efforts to identify the data and to take the actions you request in order that you can fulfil your legal obligations. 

      Maintaining the Data

      You are responsible for ensuring that the data you provide to us is accurate and, to the extent that it is necessary, that it is maintained so it remains accurate. We are responsible for ensuring that we update our records in order that we only process the most up-to-date data, except where we have maintained historical records for statistical analysis purposes.

      Data Security

      The management of user access rights depends on the systems concerned. In-house server access is managed via Windows server authentication protocols. Access to external systems hosting data utilises two token authentication. Your data will be maintained in a secure environment. We use encrypted data transfer processes. Data files will be password protected. Cloud services hosting data are located in third party premises meeting the equivalent of tier 2 standards as a minimum, with relevant GDPR compliant practices. Our policy is that any data removed from company servers is stored on encrypted devices.

      Protecting data

      We run gateway, server, and user-device level software to protect against infections. Our employees are regularly reminded of the vital role they play in protecting our systems, for example in avoiding clicking on malicious links in emails.

      Business continuity

      Data and configuration settings are backed up to a cloud service that would allow us to rebuild a replica virtual server and provide remote access to all employees.

      Updates or amendments to this Privacy Policy

      We reserve the right to periodically amend or revise the Privacy Policy; material changes will be effective immediately upon the display of the revised Privacy Policy. The last revision will be reflected in the "Last modified" section. Your continued use of the Platform, following the notification of such amendments on our website, constitutes your acknowledgment of and consent to such amendments to the Privacy Policy and your agreement to be bound by the terms of such amendments.

      How to contact us

      If you have any general questions about the Site or the information we collect about you and how we use it, you can contact us on 07415 974 004 or email at janebaalam@rewardrisk.co.uk. Reward Risk Management Limited, 28 Tirlebank Way, Newtown, Tewkesbury, Glos, GL20 8ES.

      Reward Risk Management Ltd. Registered in England and Wales. VAT No: 245409802. Company Registration No. 10226923.
      Last Modified March 2020
      Last Reviewed: July 2018
      Next Review: June 2019