Data Protection and Confidentiality
KO PLANT CONSTRUCTION TRAINING (Southern) observes and complies with all applicable legal obligations including those relating to data protection and confidentiality of information. The same level of legal compliance is encouraged and expected of our contractors, agents, and all individuals and organisations working with us.
This policy sets out terms relating to data protection and confidentiality legal compliance.
The terms ‘controller’, ‘data subject’, ‘processor’, ‘personal data’, ‘personal data breach’ and ‘processing’ shall have the meanings given to them in the EC General Data Protection Regulation (EU) 2016/679 (the “GDPR”).
The parties acknowledge that in complying with their obligations and enjoying their rights contained in these terms and conditions they may (dependent upon the circumstances) act as a controller, processor, or a joint controller and reference to those terms and their application to a party shall be circumstance dependent.
In respect of any personal data held or processed by either party as a result of or pursuant to these terms and conditions:
- Each party warrants to the other that it has made all necessary registrations and notifications of its particulars in accordance with applicable data protection or privacy laws of the EU, including GDPR, or any other country (collectively, “Data Protection Laws”) and any regulations made thereunder and will ensure that such registrations and notifications are kept accurate and up to date and supply on request to the other a copy of such registrations and notifications, together with any amendment particulars that may be filed from time to time; and
- Each party shall always comply with the Data Protection Laws and any regulations made thereunder as are applicable to them and their obligations pursuant to these terms and conditions.
The parties acknowledge that the GDPR is expected to enter into force on 25th May 2018 (“GDPR Date”). The parties agree to co-operate in good faith to ensure that any processing of personal data by them under or in connection with these terms and conditions shall comply with the GDPR [from the date it is effective]. Such co-operation may include, without limitation, the implementation of technical and organisational measures, and the variation of this Agreement.
In respect of processing undertaken by the parties:
- The subject matter is for the provision of training and assessing by the Trainers or Assessors
- The duration is 7 years
- The nature and purpose of the following is:
  - Storage of operator’s personal data
  - Transferring such personal data to awarding or accrediting bodies
  - Updating instructors and assessors on policies and procedures of the KO PLANT CONSTRUCTION TRAINING (Southern) by email and other communication methods
- The type of personal data subject to processing is that set out in the KO PLANT CONSTRUCTION TRAINING (Southern) application paperwork, test paperwork, operator registration documentation and NVQ portfolio collection
- The categories of data subjects whose personal data is subject to processing is operators, instructors and assessors who represent KO PLANT CONSTRUCTION TRAINING (Southern)
In addition to and notwithstanding any other right or obligation arising under these terms and conditions each party shall (and shall ensure that its staff and contractors shall):
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to the rights and freedoms of natural persons, implement all appropriate technical and organisational measures necessary or desirable to ensure that personal data is protected against loss, destruction and damage, and against unauthorised access, use, modification, disclosure or other misuse and to ensure protection of the rights of data subjects in accordance with Data Protection Laws;
- Take all reasonable steps to ensure the reliability and trustworthiness of staff who will have access to any personal data.
- Assist the other in ensuring compliance with its obligations pursuant to Articles 32 to 36 of GDPR, taking into account the nature of processing and the information available to the relevant party and any other processors.
- Comply with Article 26 of the GDPR
- Process the personal data obtained from the strictly only for the purposes of fulfilling its obligations under these terms and conditions.
- Ensure that it has in place all necessary notices and consents to enable lawful transfer of personal data to the other party
- to the extent that the relevant party is acting as a processor comply with the express instructions or directions of the controller in connection with the processing of such personal data and the requirements of any Data Protection Laws and specifically not otherwise modify, amend, combine with other personal data or alter the contents of the personal data or disclose or permit the disclosure of any of the personal data to any third party (including the data subject) unless specifically authorised in writing by the controller or required to do so under Data Protection Laws (in such case the processor from doing so on grounds of public interest);
- promptly comply with any request from the controller requiring the processor to amend, transfer or delete the personal data; and without prejudice to the above, the processor shall, at the controller’s direction, return or delete all personal data immediately upon the suspension or termination of the accreditation, unless Data Protection Laws require ongoing storage of such data;
- consider all suggestions made by the other to ensure that the level of protection provided for personal data is in accordance with these terms and conditions and to make the changes suggested unless they can prove to the other’s reasonable satisfaction that they are not necessary or desirable to ensure ongoing compliance with these terms and conditions;
- not disclose personal data without the controller’s prior written authority;
- not do or omit to do anything which causes the other to breach any Data Protection Laws or contravene the terms of any registration, notification or authorisation under any Data Protection Laws;
- take all reasonable steps to ensure the reliability of any of their personnel who have access to the personal data;
- ensure that only those of their personnel who need to have access to the personal data are granted access to it and only for the purposes of the performance of these terms and conditions and ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
- not transfer personal data which has been obtained by or made available to it to any country outside the European Economic Area without the prior written consent of the other, such consent may be subject to and given on such terms as the other may in its reasonable discretion prescribe. In the event that the other party consents to the transfer of Personal Data outside the European Economic Area, the parties shall enter into a further agreement taking a form substantially in accordance with any applicable model clauses relating to the transfer of personal data outside the EU in order to ensure that the personal data is processed in accordance with the Data Protection Laws;
- not engage another processor without the prior written authorization of the controller. The processor shall notify the controller of any intended changes concerning the addition or replacement of other processors. If, within fifteen (15) days of receipt of such notice, the controller notifies the processor in writing of any objections (on reasonable grounds) to the proposed appointment of another processor, the processor shall not appoint the proposed processor until reasonable steps have been taken to address the objections raised by the controller and the controller has been provided with a reasonable written explanation of the steps taken.
- Where engaging another processor for carrying out processing activities on behalf of the controller, ensure the same data protection obligations as set out in these terms and conditions shall be imposed on that other processor and shall remain fully liable to the controller for the performance of that other processor’s obligations.
- Make available to the other, at the other’s expense, all information reasonably necessary to demonstrate compliance with Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the other or another auditor mandated by the after reasonable notice.
Each party will (and will ensure that its staff will) immediately notify the other if it:
- Becomes aware that a disclosure of personal data may be required by law.
- Receives a request from an individual to access their personal data or to cease or not begin processing, or to rectify, block, erase or destroy personal data. The parties will cooperate in promptly investigating and dealing with such request in order to ensure that the individual’s rights under the Data Protection Laws are satisfied and each party shall assist the other by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the relevant party’s obligation to respond to such request;
- Receives any request, correspondence, notice or other communication whether orally or in writing from the Office of the Information Commissioner, or any other person, relating to the personal data.
- Becomes aware of a breach of Data Protection Laws by or in connection with these terms and conditions and provide the other party with such assistance as reasonably requested to ensure that party to fully investigate and remediate the breach and prevent any reoccurrence; and
- Becomes aware of a breach of Data Protection Laws by or in connection with these terms and conditions and provide the other party with such assistance as reasonably requested to ensure the other party to fully investigate the breach and prevent any reoccurrence.
Each party acknowledges that any unauthorised access, destruction, alteration, addition or impediment to access or use of that personal data when stored in any computer, or the publication or communication of any fact or document by a person which has come to his knowledge or into his possession or custody by virtue of the performance of this Agreement (other than to a person to whom a party is authorised to publish or disclose the fact or document) may be a criminal offence and/or be likely to cause significant loss or damage to the other party.
Each party will indemnify, defend, and hold harmless the other and their respective directors, officers, agents, successors and assigns from any and all direct losses, liabilities, fines, damages, costs, and expenses including reasonable legal fees and disbursements and costs of investigation, litigation, settlement, judgment and penalties arising from or in connection with any breach by that first party, its contractors and/or staff of the obligations set out in clauses 2.8.1 to 2.8.9.
This policy will be reviewed at least every 12 months to ensure currency and appropriateness.