The IAEA is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.
The IAEA may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes.
If you have any questions or need further information about our privacy practices, please contact us at firstname.lastname@example.org or via post at IAEA, Pennyroyal Court, Station Road, Tring, Hertfordshire HP23 5QY.
If you have membership of the IAEA or you have a contract with the IAEA for the purpose of delivering a qualification, this notice is intended to tell you how we use your Personal Information and describes how we collect and use your Personal Information during and after your relationship with us, in accordance with applicable Data Protection Laws.
Who we are
We at Plenham Ltd are a Processor of Data on behalf of the Institute of Automotive Engineer Assessors (IAEA). We can be contacted at +44 (0) 1296 642895 or email@example.com.
Data we process on behalf of the IAEA
Plenham Ltd processes in line with the instructions of the IAEA, the Data Controller. These instructions are laid out in the agreement between the IAEA and Plenham Ltd and includes the following details:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and categories of data subject; and
- The obligations and rights of the controller.
The agreement between the IAEA (the controller) and Plenham Ltd include the following terms:
- Plenham Ltd must only act on the written instructions of the controller (unless required by law to act without such instructions);
- Plenham Ltd must ensure that people processing the data are subject to a duty of confidence;
- Plenham Ltd must take appropriate measures to ensure the security of processing;
- Plenham Ltd must only engage a sub-processor with the prior consent of the IAEA and a written contract;
- Plenham Ltd must assist the IAEA in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- Plenham Ltd must assist the IAEA in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- Plenham Ltd must delete or return all personal data to the IAEA as requested at the end of the contract; and
- Plenham Ltd must submit to audits and inspections, provide the IAEA with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
In some cases, Plenham Ltd may be handling Special Categories of Personal Data such as medical records. This data will be treated in accordance with the IAEA's instructions which includes ensuring that adequate safeguards are in place to protect this data from including but not limited to the following; theft, loss, unauthorised dissemination, accidental erasure and corruption.
How we may use your information
We need your information so that we can, in accordance with the agreement with the IAEA, provide you with our administrative services.
In addition to using your information for such purposes, we may also use your information in the following ways:
- To monitor, improve and protect our content, products and services, work with our business partners to improve the products and services we offer, and develop and test new products and services.
- We may transfer your information to our data processors within and outside the European Economic Area but will do so with appropriate measures and controls in place to protect that information in accordance with applicable data protection laws, regulations and regulatory guidance. In all instances, we will take into account the nature of the information we are transferring, and the level of protection provided by those processors.
- If false or inaccurate information is provided and fraud is identified or if any criminality is suspected, the details may be passed to the relevant agencies. Law enforcement agencies may access and use this information.
- We may use your data for market research within the rules laid down by data protection law.
- We may disclose your information to any successors of our business for them to use for the purposes set out in this privacy notice.
As part of our business processes we use 3rd parties (sub-processors). Some of these 3rd parties are based outside of the European Economic Area. Plenham Ltd makes every effort to ensure that these 3rd parties provide adequate safeguards for your personal data that is shared with them and that your personal data is always processed in accordance with the GDPR. These 3rd parties' services include software development, online payment processing, technical and account support, customer relationship management services and email platform services.
The IAEA will use your personal data for administrative and educational purposes and may share your data, whilst applying appropriate security measures, with third parties such as regional secretaries of the IAEA and employers for the performance of your membership contract with us. Some of these 3rd parties may be outside the EEA and Plenham Ltd and the IAEA works to ensure that adequate safeguards are in place to secure all personal data.
How long will we store/keep your information?
The IAEA will retain your personal data for as long as necessary to fulfil the purpose which the personal information has been collected unless a longer retention period is required by law. When personal data is no longer required for the purpose it was collected, it will be deleted or returned to you, in accordance with the applicable law.
- Personal information will be retained in line with the following timescales, unless we are requested otherwise:
- Personal information relating to membership and/or the delivery of IAEA qualifications will be retained for three years after the date the membership is cancelled or lapses.
- Personal information relating to the application and completion of the IAEA Code of Practice for the Categorisation of Salvage Competency assessment will be retained for a period of six years following the expiry of the AQP Unique Identifier.
- Personal Information relating to an education history will be retained for a period of ten years after the individuals membership of the IAEA ceases. The information contained within this provision is limited to the individual's name and details of examinations taken and qualifications achieved.
Rights that you have and how to exercise them.
Individuals whose personal data is held by the IAEA have a number of rights under the General Data Protection Regulation (the GDPR) that the IAEA fully support. These rights are:
1. The right to request a copy of your personal data which the IAEA holds about you. This right may be exercised by emailing us at firstname.lastname@example.org. We aim to respond to any requests for information promptly, and in any event within the legally required time limits.
2. The right to request that the IAEA corrects any personal data if it is found to be inaccurate or out of date. To update personal data submitted to us, you may email us at email@example.com. Once we are informed that any personal data processed by us is no longer accurate, we will make updates as appropriate based on your updated information as soon as practically possible.
3. The right to request your personal data is erased where it is no longer necessary for the IAEA to retain such data. You have the right to obtain deletion of your personal information in the following cases:
- The personal data is no longer necessary in relation to the purposes for which they were collected and processed;
- Our legal grounds for processing is consent, you withdraw consent and we have no other lawful basis for the processing;
- Our legal grounds for processing is that the processing is necessary for legitimate interests pursued by us or a third party, you object to our processing and we do not have overriding legitimate grounds;
- You object to our processing for direct marketing purposes;
- Your personal data have been unlawfully processed; or
- Your personal data must be erased to comply with a legal obligation to which we are subject.
To request deletion of your personal data, please email us at firstname.lastname@example.org
4. The right to withdraw any consent you have given to the processing of your data, at any time. Where we rely on your consent for our processing of your personal data, to withdraw your consent please email at email@example.com or to stop receiving an email from an IAEA marketing mailing list, please click on the unsubscribe link in the relevant email.
5. The right to request that the IAEA provide your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability) for the performance of a contract with the data subject and in either case the data controller processes the data by automated means. To exercise your right to data portability, please email us at firstname.lastname@example.org
6. The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing. You have the right to restrict our processing of your personal data in the following cases:
- For a period enabling us to verify the accuracy of your personal data where you have contested the accuracy of the personal data;
- Your personal data has been unlawfully processed and you request restriction of processing instead of deletion;
- Your personal data is no longer necessary in relation to the purposes for which it was collected and processed but the personal data is required by you to establish, exercise or defend legal claims; or
- For a period enabling us to verify whether the legitimate grounds relied on by us override your interests where you have objected to processing based on it being necessary for the pursuit of a legitimate interest identified by us.
Where you are not already in communication with us, to exercise this right please email us at email@example.com
7. The right to object to the processing of personal data. You have the right to object to our processing of your personal data in the following cases:
- Our legal grounds for processing is that the processing is necessary for a legitimate interest pursued by us or a third party; or
- Our processing is for direct marketing purposes.
To object to our processing of your personal data, please email firstname.lastname@example.org
8. The right to lodge a complaint with the Information Commissioners Office (the ICO). We hope that you will not need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to email@example.com. We will acknowledge your mail and investigate the circumstances of your complaint as a matter of urgency.
You also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work or the country in which an alleged infringement of data protection law has occurred within the EU. The Information Commissioner's Office ("ICO") is the UK data protection regulator/supervisory authority. For further information on your rights and how to complain to the ICO, please refer to the ICO website.
This Privacy Notice was last updated February 2020.