
Woodsure Privacy Notice
Woodsure Ltd is a not-for-profit organisation, striving to raise the quality of Woodfuel across the industry. The Woodsure certification scheme, including associated schemes administered by Woodsure, and its logos show Woodfuel users, the suppliers and products they can trust.
We understand that your privacy is important to you. This privacy notice explains how Woodsure will use your data, how we keep it secure, and when we may need to share it with others. We are listed with the Information Commissioner’s Office (ICO) as a “controller” of the personal information that you provide to us. We follow the requirements of the Data Protection Act 2018 (DPA 2018) (GDPR) which is mandatory in the UK from 23rd May 2018.
We update our Privacy Policy from time to time, so please do check for updates of this Notice.
Personal Data we collect
When you are a customer of a Woodsure registered business
If you as a consumer raise a complaint about a Woodsure-registered business that you have used, we will ask you for your contact details. If we decide we need to investigate further, we will request further information on the product/service from the relevant registrant.
Woodsure also manages a whistleblower process so that we can capture concerns about potential breaches of regulations and unsafe practices. Some of the cases alerted to us turn out to involve consumers who have not used Woodsure-registered businesses. We record:
- Name and contact details of the whistleblower
- Names and contact details of consumers affected
- Names and details of suppliers/installers including (where applicable) businesses and individuals not registered with us
- Further background on incidents or concerns.
When you make enquiries with us
You may make an enquiry with Woodsure, by phone, email, webform or post, giving your contact details and explaining your enquiry.
If you visit the Woodsure website to find information, in running and maintaining our websites we may collect and process data about you. Please refer to our website privacy and cookie policy here: www.woodsure.co.uk/cookies-policy
When you apply for Woodsure registration
When you apply to join one of the Woodsure schemes (including listings run by us on behalf of regulatory authorities), renew your registration, or give us your details for an event or another industry activity, we collect the following personal information:
- Name, address, email address and phone number
- Company details and your role within the company
- Details of insurance policies held
- Site information i.e. quality manuals and site maps
- Payment details (i.e. bank account number, sort code, card details)
If a registrant does not provide us with all of the personal information that we need to enable us to deliver a specific scheme, that may prevent us from accepting an application and it may affect the services and benefits we can deliver.
Information from other sources
As well as information about you supplied by you, for the purposes of assessing scheme applicants or registrants, we may receive supporting information on finances, individuals’ competence and business conduct. These sources may include:
- Public information on your website(s), webpages, social media or internet listings
- Woodsure auditors
- Businesses registered/registering with us, who wish to include you on their registration
- Professional bodies
- Other certification or assessment bodies who operate or support registration schemes
- Companies House, for limited companies and directorships
- Credit rating agencies and court judgements
- Local Authorities, or other enforcement bodies
- Customers of your work
- Whistleblowers who raise concerns about your suitability to be registered on our schemes
- Current or prior employers in the industry.
Copies or notes of information received may be retained by us with your application or registration records.
Necessary for contract
As a certification body, it is our purpose to assess against criteria to allow for a certification decision regarding sustainability and fuel quality. To be able to do this, certain information must be collected. We collect personal information so that we can manage your registration, administer Woodsure registration certificates and deliver goods and services. Woodsure uses this information to:
- For registrants, assess your eligibility to meet the requirements of our schemes
- Provide certificates and supporting documentation
- Provide scheme services and registration documentation.
- List registrant business details and categories of registration, for potential customers, on our public websites and (where applicable) in printed directories
- Process payments of scheme fees
- Manage registration account(s) including annual renewal communications and reminders of scheme requirements
- Set up your online account(s), enabling you to access services and manage your preferences
- Organise audits and events.
Reasons why we need your personal information
Legal obligations
Woodsure must comply with many regulations. Some of these are generic to companies trading in the UK and some others are specific to our specialist areas of operation in buildings, heat and combustion. The following are legal obligations which may require us to process personal information relating to consumers:
- The Companies Act 2006 requires us to maintain accounts for our businesses, and related documents including income and payment records
- Trading Standards may require witness statements from us, in criminal proceedings such as unauthorised use of logos/marks and enforcement of consumer protection legislation.
Legitimate interests
We also process the personal information of consumers in pursuit of our organisation’s legitimate interests, as defined under GDPR. The following are business activities of Woodsure, in our role as certification and standards organisations, which use personal information about consumers:
- Assess applicants/registrants – check whether the work and/or products of applicants/registrants comply with regulations and with scheme rules. This may involve getting feedback from consumers. We may request inspections/audits on-site at those businesses. We may ask you to comment on whether concerns have been addressed.
- Complaints – investigate complaints received over the service or the products supplied by scheme applicants, current registrants or ex-registrants
- Whistleblowing – investigate allegations over the service or the products supplied by businesses or individuals in the industry
- Assurance – where there are serious concerns relating to service or products supplied by a business or individual, we may endeavour to contact relevant consumers from our records, in order to:
  - Seek evidence on the service/product of the business/individual being investigated
  - Request permission for an audit or quality check
  - Alert consumers to possible risks, and suggest next steps.
- Unauthorised use of brands and marks – investigate whether businesses or individuals are falsely claiming to have certification from Woodsure
- Public awareness – share information publicly on safety campaigns and technical developments in the industry
- Industry statistics – collate reports and analyse industry trends, and share with government departments, Local Authorities or other trade bodies
- Respond to your questions, suggestions and feedback
Opt-in consent
We may ask you if we can process your personal information for other purposes, such as for direct marketing. Where we do so, we will seek your opt-in consent, in accordance with GDPR.
Personal data we publish
Woodsure publish details online of registered businesses, so that consumers and prospective customers can search for a supplier or validate the credentials of a business. We may issue printed listings with some of the same information, and we also answer similar requests by phone or email. Note that Registered Businesses not wishing to be listed publicly must make that request in writing giving their justification for their details not being available to consumers.
How we protect your data
Woodsure do not publish listings of consumers. If we want the opportunity to publish details of your case, or photographs (or other material) supplied by you, to support Woodsure campaigns, we will ask your permission in advance.
Sharing your data with other businesses
To facilitate Woodsure schemes, it is often necessary to share your information with third party service providers. These suppliers may process personal information on our behalf for purposes requested by us and are subject to written contractual conditions. This includes, but is not limited to:
- Woodsure Auditors
- Database maintenance
- Woodsure website provider
- Accountancy processing
- Secure third party payment processing i.e. PayPal
- Marketing and SMS third party tools
- Providers of postal fulfilment
- Legal advice
Where your personal information is stored
Woodsure store your personal information on servers, email accounts and scheme databases which are protected in secure environments hosted in the UK. Your data is accessed by our staff and contractors only for the purposes set out above. Where printed files are required, these are stored at secure business premises.
How long we keep your personal information
As a safety and standards organisation, our policy on retention of consumer data is summarised here:
Subject | Personal Data | Period retained |
Financial – sales of certificates, payment of insurance claims | Payments and orders from consumers or sole traders | Seventh financial year after the transaction |
Audits | Property address | The latter of: |
Businesses or individuals accredited with Woodsure or seeking accreditation | Contact information | The latter of: |
Complaints or whistleblowing | Contact information | The latter of: |
Where personal data is processed and retained by Woodsure solely for the purposes of providing listing or other services to a regulatory authority, that data will be deleted (or returned to that authority) if instructed by the authority.
Summary of Your Rights under GDPR
Under the GDPR, as a data subject you have the right to:
- Request access to, deletion of, or correction of, your personal data held by us
- Complain to a supervisory authority
- Be informed of what data processing is taking place
- Restrict processing and/or object to processing of your personal data
- Data portability.
To enforce any of the foregoing rights or if you have any other questions about our use of your data or this Privacy Policy, please contact us using the details set out below.
Special GDPR restrictions would apply if we wished to automate decision-making about individuals or to “profile” them based on personal data. Currently decisions at Woodsure are made by staff and are not automated. We do not profile individuals.
Your communication preferences
If you would like to request changes to your contact settings, or if you want to know more about the data we hold on you, or have any queries about our privacy notice, this is how you can get in touch:
- To unsubscribe from Woodsure newsletters, click on “unsubscribe” at the foot of any of the emails
- Email our dedicated mailbox for any GDPR queries, including requests to change or delete your personal data, or confirmation of the data which we hold: [email protected]
- Call us on 01684 278188.
- Contact us in writing at Severn House, Unit 5, Newtown Trading Estate, Green Lane, Tewkesbury GL20 8HD.
If you are dissatisfied with our protection of your personal data, you have the right to raise a complaint with the Information Commissioner’s Office at www.ico.org.uk
Data Processing Annexe
Definitions
Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the Data Protection Act 2018 and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 2018.
1 Data Protection
1.1 In so far as required, both parties agree that they will comply with all applicable requirements of the Data Protection Legislation. This Annexe is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Act.
1.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the business registered with or applying to the scheme (“the Registrant”) is the data controller and Woodsure is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Schedule 1 sets out the scope, nature and purpose of processing by Woodsure, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject.
1.3 Without prejudice to the generality of clause 1.1, the Registrant will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Woodsure for the duration and purposes of this agreement.
1.4 Without prejudice to the generality of clause 1.1, Woodsure warrants and undertakes that it shall, in relation to any Personal Data processed in connection with the performance by Woodsure of its obligations under this agreement:
(a) conform to the Woodsure Consumer Privacy Notice in processing the data detailed in Schedule 1.
(b) if additional processing is required beyond what is stated in 1.4 (a) above, process that Personal Data only on the written instructions of the Registrant unless the Provider is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Provider to process Personal Data (Applicable Laws). Where the Provider is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Provider shall promptly notify the Registrant of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Registrant;
(c) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(d) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
(e) not transfer any Personal Data outside of the European Economic Area;
(f) assist the Registrant, at the Registrant’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(g) notify the Registrant without undue delay on becoming aware of a Personal Data breach;
(h) at the written direction of the Registrant, delete or return Personal Data and copies thereof to the Registrant on termination of the agreement unless required by Applicable Law to store the Personal Data; and maintain complete and accurate records and information to demonstrate its compliance with this Annexe (and allow for audits by the Registrant or the Registrant’s designated auditor).
1.5 The Registrant consents to Woodsure appointing third-party processors of Personal Data under this agreement. A list of the third-party processors is included in Woodsure’s Consumer Privacy Notice. Woodsure confirms that:
(a) it has entered or (as the case may be) will enter with the third-party processors into a written agreement substantially on that third party’s standard terms of business or incorporating terms which are substantially similar to those set out in this Annexe
(b) as between the Registrant and Woodsure, Woodsure shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this Annexe
(c) if Woodsure changes the third-party processors that it uses under this agreement, a notice will be shown in the Woodsure Consumer Privacy Notice at least 30 days before the change. To object to changes in sub-processing, Registrants can write to Woodsure describing their reasons for objection within 14 days of the notice. Woodsure will resolve the objection by correcting our use of the third-party processor, or by deleting any data supplied by you under this Annexe which is not required for legal obligations as set out in the Consumer Privacy Notice
1.6 Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations under this Annexe.
Schedule 1 – Processing, Personal Data and Data Subjects
1 Processing by Woodsure
1.1 Scope
Information with specific reference to fuels and customers is stored and processed for the purposes of administering the Woodsure scheme.
1.2 Duration of the processing
(a) During the period the Registrant is registered with Woodsure
(b) If the Registrant is no longer registered with the Woodsure scheme to which this Annexe applies, Woodsure may retain and use the data in accordance with the Woodsure Retention Policy
(c) For applicants to the scheme, for the period the application to Woodsure is processed and recorded
2 Types of personal data
Recipient or a product or service.
Where applicable – Contact details for the customer – name, phone number and/or email address
Usage/operation of fuels and/or services
Arrangements for inspections/audits, including address, contact details, and available date(s)/ time(s) to visit, and (where applicable)
Customer complaints, or concerns raised about safety and compliance
3 Categories of data subject
Customers of a Woodsure-registered business or applicant
Users of an appliance, fuel or product.
WPrN – Version 1.0