Data protection policy
Last updated April 2022.
Veremark Ltd (“us”, “our”, “we”, “Veremark”) acts as the processor of your personal data collected on behalf of third party organisations using the Veremark service.
This privacy policy (the “Policy”) sets out the types of personal data we collect when you use the Service, or when organisations use it to verify details which you have provided to them.
1. Introduction
This Privacy Policy explains who we are, why and how we process personal data collected through your use of the Website and, if you are the subject of any of the personal data concerned, what rights you have and how to get in touch with us if you need to.
When you supply any personal data to us we have legal obligations towards you in the way we use that data. For ease of reading, we have divided this Policy into several sections:
- Introduction
- What information can we collect?
- How is your personal information collected?
- How and why do we use and share your personal information?
- For how long do we keep your personal information?
- Security
- International Data Transfers
- Your Rights
- Contact Details
It is important that you read this Policy together with any other privacy notice or fair processing notices that we may provide on the Service at or around the time that we collect or process personal data about you (for example, fair processing notices that we may display to you at the time that you consent to us collecting or processing specific types of data).
This Policy supplements other notices on the Service and our website and is not intended to override or replace them.
We reserve the right to revise or amend this Policy at any time to reflect changes to our business or changes in the law. Where these changes are significant we will endeavour to let users of the Service know (most likely by e-mailing you if you have registered an individual account).
Please note that the Service is not directed at children under the age of 13 (each "Child" or "Children") and we do not knowingly collect personal data about Children. If you believe we have collected personal data about your Child, you may contact us using the contact details set out below.
2. What information do we collect?
What is personal data?
Where this Policy refers to ‘personal data’ it is referring to data about you from which you could be identified – such as your name, your date of birth, your contact details and even your IP address.
What types of data we collect from you when you use the Website
The personal data we collect from you may include:
- Identity Data, which includes your name, date of birth and gender.
- Contact Data, which includes your e-mail address, billing address and delivery address.
- Historical Data, which includes details of your previous employment, residence, and academic achievements.
- Document Data, which includes copies of any documents that you provide to us, or which an organisation provides to us for verification (such as ID Documents or Immigration Documents).
- Verification Data, which includes the outcomes of verification checks performed in relation to you (such as outcomes of criminal background checks, or of visa status checks).
3. How is your personal information collected?
From Third Parties
Where an organisation wishes to use the Service to verify your identity, or other details about you, it will supply us with your Identity Data and various Contact Data. We will use that data to contact you (usually by e-mail) and to ask you to engage with the verification process that has been requested. Once you have indicated that you are willing to engage with the process that organisation may provide us with further Historical Data, Document Data and Identity Data for us to verify.
Where you do choose to engage with a verification process, you may also provide us with your consent to make contact with other third parties (such as previous academic institutions or employers) and to seek additional Personal Data from them. Where you do so, we are likely to obtain data from them and to share it with the organisation which originally initiated the relevant verification process.
From You
Where you choose to engage with a verification process you may provide us with a range of Identity Data, Historical Data and Document Data. We will use that Personal Data as described above, taking steps to verify its accuracy and authenticity, and calling upon various third parties to assist us in that process (for example, if you respond to a request for a check of your criminal history, we will make contact with relevant criminal record checking authorities to obtain verification of your history of previous convictions).
4. How and why do we use/share your personal data?
Lawful basis for processing your information
We will only use your Personal Data for the purpose of conducting verification and authenticity checks in respect of it. We carry out that activity on the basis that we have a lawful basis for making initial contact with you to communicate the commencement of a request for verification, and thereafter on the basis that you have consented to the relevant verification process being carried out.
In certain circumstances, you may also use our Service to enter into a contract with us in which we undertake to store historic results of verification processes performed in relation to you. Where that is the case we will store the Personal Data which you direct us to hold for the duration of that contract.
We do not share your Personal Data with third parties other than the organisation which originally requested verification of it, and the third parties required to obtain verification of it.
5. For how long do we keep your personal data?
We will hold your personal information on our systems only for as long as required to perform verification on it in response to requests made by our customers, and for those customers to access and review the results.
Unless you enter into a contract with us in which you ask us to store results of verifications for a longer period, you can expect that your Personal Data will be erased from our systems within a year of the initial collection of it, however the length of data retention is defined by the organisation using the Veremark service as data controller.
The only exception to the above position is where the law compels us to hold any particular Personal Data for a period of time defined by statute.
6. International Data Transfers
Please note that some of our service providers may be based outside of the European Economic Area (the “EEA”). These service providers may work for us or for one of our suppliers and may be engaged in, among other things, the fulfillment of your request for information and the provision of services or support services.
On most occasions where an international transfer of your data is made, you will be aware of the transfer and will be asked to give specific authorisation for it (such as where you authorise us to approach an overseas academic institution for verification of your academic history).
Where we transfer your data to a service provider that is outside of the EEA in circumstances where we have not received your specific approval in advance, we seek to ensure that appropriate safeguards are in place to make sure that your personal data is held securely and that your rights as a data subject are upheld. Transfers of personal data are made:
- to a country recognised by the European Commission as providing an adequate level of protection; or
- to a country which does not offer adequate protection but whose transfer has been governed by the standard contractual clauses of the European Commission or by implementing other appropriate cross-border transfer solutions to provide adequate protection.
7. Third Party Processors
Our carefully selected partners and service providers may process personal information about you on our behalf as described below:
Digital Marketing Service Providers:
We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information. Our appointed data processors include:
(i)Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: http://sopro.io. Sopro are registered with the ICO Reg: ZA346877 their Data Protection Officer can be emailed at: [email protected].”
8. Your Rights
As a data subject you have a number of rights in relation to your personal data. You can read more about your rights by visiting the website of your local data protection regulator. In the UK, the appropriate regulator is the Information Commissioner’s Office. Please note the following things about your rights in relation to our Service:
Unless you have contracted with us for the storage of your Personal Data, we act as a processor of your data for the organisation on whose behalf we have performed verification of it. Accordingly, if you make a subject access to us, we will forward that request to the relevant controller of that data for consideration and action.
Please note that making a subject access request will not entitle you to receive copies of confidential references supplied by previous employers (or other organisations) to a prospective employer. Such references are exempt from the scope of subject access requests and will not be provided to you if you request them.
Please also note that we do not hold or process full details of background checks performed by third party agencies, we only receive the outcomes of those checks. Accordingly, making a subject access request to Veremark is unlikely to result in you receiving any insight into the performance or methodology of those tests.
9. Contact Details
If you have any queries regarding this Privacy Policy, if you wish to exercise any of your rights set out above or if you think that the Privacy Policy has not been followed, please contact us by emailing at [email protected].
You may also lodge a complaint to the supervisory authority about the way we process your personal data. We would, however, appreciate the chance to address your concerns before you approach the supervisory authority, so please contact us in the first instance.