Security & Privacy Policy

Contents:

  1. The information we collect and how we use it
  2. How we protect your information
  3. Updating your details
  4. Your consent
  5. Sale of business
  6. Google Analytics
  7. Security Standards
  8. Access
  9. How to contact us
  10. Accountability
  11. Privacy Impact Assessments
  12. The Rights of Data Subjects
  13. Keeping Data Subjects Informed

Youatwork Limited (registered in England with number 4234654) and Youatwork Financial Services Limited (registered in England with number 6503351) (each a “Company”), both of 6th Floor, Corinthian House, 17 Lansdowne Road, Croydon CR0 2BX, are committed to ensuring that your privacy is protected.

This Security & Privacy Policy explains how we use the information we collect about you, how you can instruct us if you would prefer to limit our use of that information and the procedures we have in place to safeguard your privacy.

Introduction

This Policy sets out the obligations of each Company regarding data protection and your rights as users of our site (or “data subjects”) in respect of your personal data under the General Data Protection Regulation (“the Regulation”).

The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out the procedures that are to be followed when dealing with personal data. The procedures and principles set out herein must be followed at all times by us, our employees, agents, contractors, or other parties working on our behalf.

We are committed not only to the letter of the law but also to its spirit, and we place high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with whom we deal.

The Data Protection Principles

This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. All personal data must be:

a) processed lawfully, fairly, and in a transparent manner in relation to the data subject;

b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

1. The information we collect and how we use it

Processed for Specified, Explicit and Legitimate Purposes

We only process personal data for the specific purposes set out in this Policy (or for other purposes expressly permitted by the Regulation). We will only collect and process personal data for and to the extent necessary for the specific purpose(s) informed to you.

Registration

When you register to use our site we will request information from you including your name and e-mail address. We may also request other limited information about you or your business. We, our agents and subcontractors may check some of the information that you provide to us against third party databases to confirm that it is accurate.

We gather and use this information to allow us to process your registration and provide you with our services. We, our agents and sub-contractors, partners and third parties that provide services to you may also use this information to communicate with you on any matter generally relating to the provision of our services. Any calls that you make to our customer team may be recorded and the information obtained used for the purposes of our business management, training and security. You will always be able to see and amend the registration information we hold about you by contacting us at Youatwork Limited, 6th Floor, Corinthian House, 17 Lansdowne Road, Croydon CR0 2BX.

Suppliers

When you order goods or services from any supplier via our site, the supplier may need to know your credit card or other payment details and delivery details, and may collect other information from you. The supplier will be responsible for maintaining the security of the information (including credit card details) you provide to it, and its use of that information will be governed by the supplier's privacy policy.

When you place an order with a supplier via our site that supplier may send back to us information about you and your order. We may also be provided with data, including personal data, relating to fulfilment of your order and any complaint you may make. We may use that data in accordance with this policy, including to monitor site usage, supplier performance and customer satisfaction. On occasions we carry out surveys or other promotional activities, which may be for our own benefit or for more general interest, and may collect further information about you in connection with them. Participation in any survey is entirely optional.

Certain of the tools and functionality provided on our site may permit you to enter and/or store data on our site. We may access and use that data in accordance with this Privacy Policy, including to improve and tailor our services to you.

Our use of information gathering technologies

A cookie is a small piece of information that a web site stores in your browser (on disk, or only in memory for the current session) so that it can recognise you again later. A cookie records your preferences when using a particular site, so that you are not shown the same information repeatedly and are only shown information you have indicated you are interested in. To use our site you must allow cookies to be stored by your browser, because they are an essential part of site navigation.

Our site uses session ("in-memory") cookies: cookies with no expiry date which, during a single visit, tell us who a user is between page clicks so that we can deliver personalised information and navigation by shaping the information you receive. Because each user has individual access rights to areas of the site, we must be able to identify users at all times while they are logged in. When you close your browser or log out of our site, the cookies set by our site expire, and each time you enter our site you are given a new session cookie. We reserve the right to use other tracking technologies in the future.
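The session-cookie behaviour described above can be checked from the Set-Cookie headers a site returns, and a practitioner would also want to see the Secure, HttpOnly and SameSite attributes on any cookie that identifies a logged-in user. The following Python is an added example, not code from the Youatwork site or its operator: it parses constructed Set-Cookie headers (the cookie name YAWSESSION and the sample values are assumptions made for illustration), classifies each cookie as session-only or persistent, and records the findings a reviewer would raise.

```python
"""Added example: audit Set-Cookie headers for session-only behaviour and
hardening attributes. Not code from the Youatwork site."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence


@dataclass
class CookieAudit:
    name: str
    session_only: bool        # no Expires / positive Max-Age: gone when the browser closes
    secure: bool              # only sent over HTTPS
    http_only: bool           # invisible to page JavaScript
    same_site: Optional[str]  # Strict, Lax, None, or absent
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header value into its name and attribute map."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name = pieces[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        attrs[key.strip().lower()] = value.strip()

    max_age = attrs.get("max-age", "")
    # RFC 6265: Max-Age takes precedence over Expires; zero or negative means delete.
    if max_age.lstrip("-").isdigit():
        persistent = int(max_age) > 0
    else:
        persistent = "expires" in attrs

    return CookieAudit(
        name=name,
        session_only=not persistent,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite") or None,
    )


def audit_cookie(header: str,
                 session_cookie_names: Sequence[str] = ("YAWSESSION",)) -> CookieAudit:
    """Parse a header and record the findings a reviewer would raise.

    `session_cookie_names` is an assumed list of cookies that carry the
    logged-in user's identity and so must be session-only."""
    cookie = parse_set_cookie(header)
    f = cookie.findings
    if not cookie.secure:
        f.append("missing Secure: cookie may be sent over plain HTTP")
    if not cookie.http_only:
        f.append("missing HttpOnly: cookie readable by injected script (XSS)")
    if cookie.same_site is None:
        f.append("missing SameSite: cookie sent on cross-site requests (CSRF)")
    elif cookie.same_site.lower() == "none" and not cookie.secure:
        f.append("SameSite=None requires Secure; browsers reject it otherwise")
    if cookie.name in session_cookie_names and not cookie.session_only:
        f.append("session identifier persists after browser close; expected a session cookie")
    return cookie


def audit_response_cookies(headers: Sequence[str], **kw) -> List[CookieAudit]:
    """Audit every Set-Cookie header of one response."""
    return [audit_cookie(h, **kw) for h in headers]


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "YAWSESSION=1f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "YAWSESSION=1f3a9c; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "_ga=GA1.2.1234.5678; Max-Age=63072000; Path=/",
]

if __name__ == "__main__":
    for c in audit_response_cookies(SAMPLE_HEADERS):
        kind = "session" if c.session_only else "persistent"
        print(f"{c.name}: {kind}; findings: {c.findings or 'none'}")
```

The first sample header is what the policy describes: no expiry, so the cookie dies with the browser, and it carries the three attributes that stop it leaking over HTTP, to script, or on cross-site requests. The second is the same identifier made persistent, which the audit flags on every count; the third is a typical analytics cookie, persistent by design.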

We, or our third party advertisers, may also use cookies to monitor the effectiveness of advertising on our site and we may provide those advertisers with the information we have gained from using cookies to allow them to do this. Our suppliers may use cookies on their sites and should inform you as to how and when they are doing this. You can accept or decline cookies by modifying the setting in your browser. Please note that if you disable cookies you may not be able to use all the features of our site.

We (or our customer service agencies) may use the information we collect about you using cookies to monitor site usage, supplier performance and customer satisfaction or for other research and analytical purposes, in order to improve and better tailor the services we provide and to decide which customers to include in any promotional campaigns we may run. We or our agents and sub-contractors may occasionally contact you including by post, email or telephone to ask you for your feedback and comments on our services.

We may also use aggregate information and statistics for the purposes of monitoring web site usage in order to help us develop and improve our site and our services and we may provide such aggregate information to third parties. These statistics will not include information that can be used to identify any individual.

We and our group companies may also wish to provide you with information about special features of our web site or any special service or products which we think may be of interest to you. We may also want to provide you with related information from third parties which we think may interest you. If you would rather not receive such information from us, please log on to the website and update your personal information in the "My Account" section of the site to inform us of this. We will check in with you from time to time to see if you wish to amend your preferences.

All personal information supplied by you will be treated in confidence by us and our Group companies and will not be disclosed to any third parties except where your consent has been received or where required by law. In order to provide you with products and services this information will be held in the data systems of our Group companies or our agents or sub-contractors.

2. How we protect your information

The Internet is not a secure medium. However we take security issues very seriously and abide by strict internal standards. Some of the relevant security procedures are described in this Privacy Policy.

We capture the information we collect through our site over a secure link, using recognised industry-standard encryption (TLS, often still referred to as SSL) to protect data while it travels over the Internet. When you access pages of our site that involve the transmission of confidential information, our server presents your browser with a digital certificate so that the browser can verify it is connected to our site, and communications between you and us are encrypted. We recommend that you use your browser's own indicators (the padlock icon and an address beginning https://) to confirm which pages are secured in this way.

Firewalls are used to attempt to block unauthorised traffic to the servers that host our site and the actual servers are located in a secure location, which can only be accessed by authorised personnel.

We keep the information we have about you confidential. Our internal procedures cover the storage, access and disclosure of that information.

You should ensure you keep your password confidential and remember to sign out when not using the site to prevent unauthorised access.

3. Updating your details

You can update your details

To update any of your details, please log on to the site and update your personal information in the "My Account" section. Alternatively, you may let us know the correct details by sending a letter to Youatwork Limited, 6th Floor, Corinthian House, 17 Lansdowne Road, Croydon CR0 2BX.

Accuracy of Data and Keeping Data Up To Date

We shall ensure that all personal data collected and processed is kept accurate and up-to-date. The accuracy of data shall be checked when it is collected and at regular intervals thereafter. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

Timely Processing

We shall not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed. When the data is no longer required, all reasonable steps will be taken to erase it without delay.

Your Rights as Data Subjects

The Regulation sets out the following rights applicable to data subjects:

a) The right to be informed;

b) The right of access;

c) The right to rectification;

d) The right to erasure (also known as the ‘right to be forgotten’);

e) The right to restrict processing;

f) The right to data portability;

g) The right to object;

h) Rights with respect to automated decision-making and profiling.

Keeping Data Subjects Informed

We shall ensure that the following information is provided to every data subject when personal data is collected:

a) Details of our company including, but not limited to, the identity of our Data Protection Officer;

b) The purpose(s) for which the personal data is being collected and will be processed (as detailed above in this Policy) and the legal basis justifying that collection and processing;

c) Where applicable, the legitimate interests upon which we are justifying our collection and processing of the personal data;

d) Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;

e) Where the personal data is to be transferred to one or more third parties, details of those parties;

f) Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place;

g) Details of the length of time the personal data will be held by us (or, where there is no predetermined period, details of how that length of time will be determined);

h) Details of data subject’s rights under the Regulation;

i) Details of data subject’s right to withdraw their consent to our processing of their personal data at any time;

The information set out above shall be provided to the data subject at the following applicable time:

a) Where the personal data is obtained from the data subject directly, at the time of collection;

b) Where the personal data is not obtained from the data subject directly (i.e. from another party):

  1. If the personal data is used to communicate with the data subject, at the time of the first communication; or
  2. If the personal data is to be disclosed to another party, before the personal data is disclosed; or
  3. In any event, not more than one month after the time at which the Company obtains the personal data.

Data Subject Access

A data subject may make a subject access request (“SAR”) at any time to find out more about the personal data which the Company holds about them. We are normally required to respond to SARs within one month of receipt (this can be extended by up to two months in the case of complex and/or numerous requests, and in such cases the data subject shall be informed of the need for the extension).

All subject access requests received must be forwarded to our data protection officer.

The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

Rectification of Personal Data

If a data subject informs us that personal data held by us is inaccurate or incomplete, requesting that it be rectified, the personal data in question shall be rectified, and the data subject informed of that rectification, within one month of receipt of the data subject’s notice (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension).

In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification of that personal data.

Erasure of Personal Data

Data subjects may request that we erase the personal data we hold about them in the following circumstances:

a) It is no longer necessary for us to hold that personal data with respect to the purpose for which it was originally collected or processed;

b) The data subject wishes to withdraw their consent to us holding and processing their personal data;

c) The data subject objects to us holding and processing their personal data (and there is no overriding legitimate interest to allow us to continue doing so);

d) The personal data has been processed unlawfully;

e) The personal data needs to be erased in order for us to comply with a particular legal obligation.

Unless we have reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension).

In the event that any personal data that is to be erased in response to a data subject request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

Restriction of Personal Data Processing

Data subjects may request that we cease processing the personal data we hold about them. If a data subject makes such a request, we shall retain only the amount of personal data pertaining to that data subject that is necessary to ensure that no further processing of their personal data takes place.

In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

Data Portability

The Company processes personal data using automated means.

Where data subjects have given their consent to us to process their personal data in such a manner or the processing is otherwise required for the performance of a contract between us and the data subject, data subjects have the legal right under the Regulation to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers, e.g. other organisations).

All requests for copies of personal data shall be complied with within one month of the data subject’s request (this can be extended by up to two months in the case of complex or numerous requests, and in such cases the data subject shall be informed of the need for the extension).

Objections to Personal Data Processing

Data subjects have the right to object to us processing their personal data based on legitimate interests (including profiling), direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.

Where a data subject objects to us processing their personal data based on our legitimate interests, we shall cease such processing forthwith, unless it can be demonstrated that our legitimate grounds for such processing override the data subject’s interests, rights and freedoms, or that the processing is necessary for the conduct of legal claims.

Where a data subject objects to us processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the Regulation, ‘demonstrate grounds relating to his or her particular situation’. We are not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.

4. Your consent

By submitting information on our site you consent to the use of that information as set out in this Privacy Policy. In particular, you agree that by providing any health or other sensitive data as part of your use of our site (or any services provided via our site) you explicitly consent to the use of that information as set out in this Privacy Policy. You also agree, by entering our site, to the acquiring and use of other information we gain about you (including through using cookies), as set out in this Privacy Policy. These consents are additional to, and do not affect, any consents you may have given, or may give, to us, our suppliers, agents or subcontractors, sending you marketing information by email, fax or telephone.

If we change this Privacy Policy we will post the changes on this page, and may place notices on other pages of our site to alert you to them. Continued use of our services will signify that you agree to any such changes.

Because the Internet infrastructure is global, the information you provide may, in the course of the processing described in this Privacy Policy, be transferred outside the European Economic Area ("EEA") to countries that do not have data protection legislation comparable to that within the EEA. However, we have taken steps to ensure that such information is kept securely and used only for the purposes for which you provided it. Details of the countries and recipients involved will be provided to you on request.

5. Sale of business

In the event that our business is sold or integrated with another business (such as in a joint venture arrangement) the details we have about you may be disclosed to our advisers and any prospective purchasers' advisers, and will be passed on to the new owners of the business.

6. Google Analytics

This website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

7. Security Standards

Hundreds of companies trust us to manage their benefits & rewards programmes, so our top priority is to ensure that all transaction and sensitive data is kept secure at all times.

We maintain high standards of data security and have implemented key international standards of best practice in online and data security at our Data Centre and where data held by our systems can be accessed.

  • PCI Data Security Standard (Data Centre provider and Youatwork Ltd)
  • ISO27001 (Data Centre provider)
  • SSAE 16 Reporting Standards (Data Centre provider)

We take an active role in the overall reduction of identity theft and fraud on the Internet by ensuring the security of our IT systems, personnel and infrastructure.

Our employees are trained in all aspects of web application security, including infrastructure vulnerabilities, cross-site scripting, secure data storage, and using the software development lifecycle to maintain and improve security.

Transaction security

All transaction and credit card information entering Youatwork Ltd systems is encrypted in transit using TLS (SSL) with 128-bit or stronger encryption, with certificates issued by VeriSign. No sensitive information is ever sent unencrypted from a web browser to Youatwork systems. This protects the data you enter as part of a secure Youatwork transaction from being read or modified in transit by third parties attempting to gain access to sensitive information.

Encryption and data storage

At our Data Centre, rigorous physical, electronic and personnel security measures protect your data. Those measures are regularly assessed by Youatwork Ltd IT Management, and our externally facing systems are scanned quarterly for vulnerabilities by Security Metrics, a PCI DSS Qualified Security Assessor and Approved Scanning Vendor.

Once on our systems, payment card and password data is encrypted and securely stored in our dedicated hosting facilities at our Data Centre. Our servers and network infrastructure are owned and used by Youatwork Ltd and are not shared with any other company or industry.

All sensitive information and authentication data sent to the Youatwork web site from a web browser is encrypted and protected during transmission using TLS (SSL), with certificates issued by Symantec and Thawte.

Links to banks

Youatwork Ltd authorises credit card transactions in partnership with Barclaycard Merchant Services (BMS). Cardholder information sent to the banks and the authorisation messages returned travel over encrypted, authenticated connections that protect them from being read or tampered with in transit.

If you have questions about security or privacy on our site, please contact our Customer Care Team.

8. Access

We will give you access to the web-site provided always that your employer has paid our licence fee, upgrades fees, administration fees, and any other fees (as applicable). We reserve the right to change our licence fees, upgrade fees, administration fees, and any other fees from time to time and will notify your employer accordingly.

9. How to contact us

We welcome your views about our web site and this Privacy Policy. If you would like to contact us with any queries or comments, please contact our Customer Care Team.

10. Accountability

10.1 The Company’s data protection registration is available to view on the ICO Data Protection Register.

10.2 The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

  1. The name and details of the Company, its data protection officer, and any applicable third party data controllers;
  2. The purposes for which the Company processes personal data;
  3. Details of the categories of personal data collected, held, and processed by the Company; and the categories of data subject to which that personal data relates;
  4. Details (and categories) of any third parties that will receive personal data from the Company;
  5. Details of any transfers of personal data to non-EEA countries including all mechanisms and security safeguards;
  6. Details of how long personal data will be retained by the Company; and
  7. Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.

11. Privacy Impact Assessments

The Company shall carry out Privacy Impact Assessments when and as required under the Regulation. Privacy Impact Assessments shall be overseen by the Company’s data protection officer and shall address the following areas of importance:

11.1 The purpose(s) for which personal data is being processed and the processing operations to be carried out on that data;

11.2 Details of the legitimate interests being pursued by the Company;

11.3 An assessment of the necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;

11.4 An assessment of the risks posed to individual data subjects; and

11.5 Details of the measures in place to minimise and handle risks including safeguards, data security, and other measures and mechanisms to ensure the protection of personal data, sufficient to demonstrate compliance with the Regulation.

12. The Rights of Data Subjects

The Regulation sets out the following rights applicable to data subjects:

a) The right to be informed;

b) The right of access;

c) The right to rectification;

d) The right to erasure (also known as the ‘right to be forgotten’);

e) The right to restrict processing;

f) The right to data portability;

g) The right to object;

h) Rights with respect to automated decision-making and profiling.

13. Keeping Data Subjects Informed

13.1 The Company shall ensure that the following information is provided to every data subject when personal data is collected:

  1. Details of the Company including the contact details of the customer care team, contactable at customercareteam@youatwork.co.uk;
  2. The purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 1 of this Policy) and the legal basis justifying that collection and processing;
  3. Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;
  4. Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
  5. Where the personal data is to be transferred to one or more third parties, details of those parties;
  6. Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place (see Part 4 of this Policy for further details concerning such third country data transfers);
  7. Details of the length of time the personal data will be held by the Company (or, where there is no predetermined period, details of how that length of time will be determined);
  8. Details of the data subject’s rights under the Regulation;
  9. Details of the data subject’s right to withdraw their consent to the Company’s processing of their personal data at any time;
  10. Details of the data subject’s right to complain to the Information Commissioner’s Office (the ‘supervisory authority’ under the Regulation);
  11. Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it;
  12. Details of any automated decision-making that will take place using the personal data (including but not limited to profiling), including information on how decisions will be made, the significance of those decisions and any consequences.

13.2 The information set out above in Part 13.1 shall be provided to the data subject at the following applicable time:

13.2.1 Where the personal data is obtained from the data subject directly, at the time of collection;

13.2.2 Where the personal data is not obtained from the data subject directly (i.e. from another party):

  1. If the personal data is used to communicate with the data subject, at the time of the first communication; or
  2. If the personal data is to be disclosed to another party, before the personal data is disclosed; or
  3. In any event, not more than one month after the time at which the Company obtains the personal data.