Privacy Notice (Updated 28th July 2022)
Civica Election Services (CES) is the UK’s leading independent provider of end-to-end ballot, election and voting services. At CES we take data privacy very seriously and we are committed to protecting and respecting the data rights of all individuals. We are dedicated to ensuring the confidentiality and privacy of information entrusted to us and aspire to be transparent when we collect and use personal data.
This privacy notice relates to the data for which CES are the data controller. If you submit information on a website, platform or service that we supply on behalf of a client, (to whom you are associated e.g. a member, a candidate or elector etc.), then, our clients, who are clearly identified on those sites, are the data controllers on behalf of their members, candidates or electors. We refer you to their privacy notice and DPO if you wish to review anything with them or contact them.
This privacy notice covers the following: -
- Our contact details
- How CES collects personal information
- CES’ purposes and lawful bases of personal data processing
- How we store your information
- Sharing information
- International transfers
- Your rights
- Rights related requests
- How to complain
- Changes to this privacy notice
Our contact details
Civica Election Services (formerly trading as Electoral Reform Services) is the trading name of registered company no. 02263092, a Civica Group company.
Our headquarters is located at:
Southbank Central (8th Floor)
30 Stamford Street
Tel: 020 7760 2800
Civica Election Services (CES) is registered with the Information Commissioner’s Office, with registration number Z857675X. CES is a company within the Civica Group, and data may be collected on our behalf, or shared with, Civica UK Limited whose privacy notice can be found at https://www.civica.com/en-gb/policies-and-statements/privacy-notice/
If you have questions or comments about the CES privacy notice or how we handle personal data, please direct your correspondence either to the above postal address (marking the envelope FAO – Data Protection Officer) or to email@example.com.
How CES collects personal information
At CES we may obtain personal data directly from individuals in a number or ways including:
- When you fill in a form on our website
- When you give us your business card
- When you become a client
- When you submit a job application
- When you use our support and service portals
- When you email or call us
- When you visit our offices or attend events, conferences and meetings
CES may also obtain personal information indirectly from a variety of sources including:
- Third parties, such as joint marketing partners and data brokers, that share business contact information with us
- Recruitment services that provide us with CV’s
- Existing clients that share their employees’ contact details with us
- Publicly available sources such as LinkedIn, Companies House or freely available news articles
- CCTV located at Civica offices
- Reports that are raised through our whistleblowing process
We will always ensure you know we are processing your personal information except where it is disproportionately difficult to do so.
CES’ purposes and lawful bases of personal data processing
CES processes personal data for the following reasons:
To fill job vacancies
If you submit a job application either directly or through a recruiter, we will use your information in connection with the specific job that you have applied for and will store your information for 12 months in case any legal claim for discrimination is made.
To consider you for other vacancies for which you may be suitable, which may arise during this 12-month period, we will add your information to our talent pool. If you’d rather not be added to the talent pool, or wish to be removed at any time, please let us know.
Sometimes we use publicly available sources of data such as LinkedIn to source candidate information. However, you will always be contacted before we add your information to our recruitment system and provide you with the opportunity to opt-out.
For certain roles, such as those concerning applicants from Northern Ireland, we are legally required to collect community background information. This is information which may reveal religious beliefs and we will retain this for a period of three years from your application.
For all roles we also request equality and diversity data for monitoring purposes. This information is not mandatory, although we encourage you to provide it. We make every attempt to anonymise this information and ensure it cannot be linked back to an individual.
If you would like to remove the data that you've submitted to us during the recruitment process, please contact our Recruitment Team at PeopleTeam@civica.co.uk. There may be occasions where we are unable to immediately fulfil this request, including for reasons set out above.
The legal basis for processing your data for recruitment purposes is our legitimate interest in operating our business and fulfilling vacancies.
The legal basis for processing community background information for applicants from Northern Ireland is legal obligation.
To provide customer support and access to self-service portals and to provide service delivery
When you become a partner/customer of ours, we collect your data from our portal login pages, for example, our MyElection and Sharepoint portals. We do this in order to provide online and telephone support services to help deliver contracted services to you via web portals, email or over the telephone. We use this information to process online requests, solve problems, answer questions and respond to communications from individuals and organisations.
If you have access to parts of our websites or use our on-line services, you remain responsible for keeping your user ID and password confidential.
Our legal basis for processing these data is our Legitimate Interest in providing our services.
For purposes of product development
There may be occasions where we use personal data for the purposes of training and developing machine-learning algorithms. We only use pseudonymised data for this processing and have appropriate controls in place to ensure it is processed securely.
The legal basis for processing your data for purposes of product development is our legitimate interest in developing our software and services
For purposes of financial management
We gather and retain business contact details for financial management purposes. Personal information such as names and contact information will be needed to ensure purchase orders, requisitions, invoices and debts are handled appropriately.
Our legal basis for processing financial information is the performance of a contract. Retention period for this type of information is up to seven years in line with legal and tax regulations.
For some services, and in order to process transactions, Civica collects payment card data on behalf of customers as part of the service provision.
To send you marketing materials by email
We use your contact to send you marketing and product information. You can opt out of marketing messages at any time. We will remove your details from our marketing list if there is no activity (such as opening an email) for a 3 year period.
We only send marketing information to corporate subscribers (business emails). From time to time, we may supply some of our marketing lists to our trusted third-party brokers (prior to purchasing a list). This is to allow them to cross-reference both lists, ensuring that we receive accurate and up to date information.
We may also contact you to conduct customer satisfaction and market research surveys.
Our legal basis for this processing is our legitimate interest in promoting and improving our business.
To tell you about our products and services
If you complete an enquiry form on our website or give us your details in person, for example at a conference, we will contact you by email or phone so that we can discuss the products or services in which you have indicated an interest.
As a CES customer you may wish to join our special interest and user group forums. These are groups of people that share a common interest in CES products and services. In such cases CES will store personal contact information such as name & email address to facilitate the organisation of group events and meetings. CES may share this personal information amongst other group members to aid in discussions, knowledge sharing and distribute information relating to new products that the group may be interested in.
Our lawful basis for processing is our Legitimate Interest in selling our products and services.
To invite you to conferences or exhibitions
We use your data to invite you to conferences and events. Sometimes CES uses this information to provide assistance with travel and/or hotel arrangements at the request of the individual.
Our lawful basis for processing data for these purposes is Legitimate Interest.
To host meetings with you at CES or Civica Offices, conferences or exhibitions
We need to process your data in order to manage access and physical security at our offices. At some sites, visitors may be required to provide photo proof of id, but this information will not be stored. Our lawful basis is legitimate interest to ensure the security of our business premises and authorised attendance at our events.
We may also ask for dietary restrictions or access requirements that reveal religious beliefs or physical health conditions. Our legal basis for processing these data is your consent which you can withdraw at any time.
To provide our Bring Your Child to Work Event
Civica may process information relating to you and your children in order to ensure safe access to and participation in our Bring Your Child to Work Event at our Southbank facility, led by our Parents & Guardians Affinity Group, if you choose to attend.
Your children’s personal information will only be processed for the purpose of providing the Bring Your Child to Work Event. The information provided in the online form will only be retained until the day of the event, after which time it will be permanently deleted. Any additional information provided via email will be retained as per our retention schedule.
We collect your name and contact information in the online form to confirm attendance and make necessary arrangements. We will also temporarily process information about your children, including their first name and the age bracket they fall into (for example, 3-5 years). We will ask you if your child requires any reasonable adjustments in order to safely access the event and for details of these adjustments.
Our legal basis for processing this information is our legitimate interests in providing an event for our colleagues and their children that meets their needs.
Details of your child’s reasonable adjustments may constitute special category data. Additional rules apply to the processing of special category data and, where we process these data, we need to tell you the additional lawful basis for processing. Our additional legal basis for processing in this case is the 'equality of opportunity or treatment' basis within the Data Protection Act 2018.
We may also process photographs of your children for the purposes of posting on Civica’s Instagram and LinkedIn pages. We will ask for your consent prior to the event if you are happy for images of your child to be taken and published. If your child is aged 13 or older, we will ask for this consent from them directly.
Our legal basis for processing this information is consent, for the purpose of marketing Civica culture.
Whilst your children are in attendance they will be captured on our CCTV system. Our policy is to automatically overwrite CCTV footage within 60 days.
Our lawful basis for the processing this data is legitimate interest to ensure the security of our business premises.
To manage the security of our facilities
Some of our offices have CCTV systems that monitor the perimeter of the buildings. These collect location and time based images of you and, sometimes, of your vehicle in order to our protect buildings and assets from damage, vandalism or other crime.
Our lawful basis for the processing this data is legitimate interest to ensure the security of our business premises and help prevent and detect crime
Our policy is to automatically overwrite CCTV footage within 60 days.
How we store your information
CES is dedicated to keeping your data safe. We are certified under ISO27001 as having put technical and organisational policies and procedures in place to protect personal data from loss, misuse, alteration or destruction. We ensure that access to your personal data is limited only to those who need to access it and those individuals are required to maintain the confidentiality of such information. Where necessary, we apply encryption and anonymisation techniques to further protect personal data.
How long we keep personal data
We retain personal data for no longer than necessary for the purposes for which it is processed, unless we are required to do so by law.
Where appropriate, we may retain personal data for the establishment, exercise or defence of legal claims.
We will never sell your data to third parties.
We may share your data with our parent company Civica UK Ltd and companies with whom we have a direct business arrangement in order to jointly market CES related products.
We may also use third party data processors who provide marketing, marketing automation and lead-generation services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation and they will hold it securely and retain it for the period we instruct.
The legal basis for sharing these data is our legitimate interest in cost effectively marketing our business.
Civica operates and provides services from its locations across the globe. As such we may transfer personal information to Civica group locations outside of the EEA when we have a business reason to do so. We have Intra-Group Transfer Protocols in place based on Standard Contract Clauses which provide legal safeguards for such transfers.
- Your right of access – You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
- Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
- Your right to object to processing – You have the right to object to processing if we are using legitimate interests as our lawful basis for processing.
- Your right to data portability – This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or as part of a contract, or in talks about entering into a contract and the processing is automated.
- Your right to withdraw consent – You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
Rights related requests
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it.
No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
There are circumstances, where we have an obligation, legal or otherwise, or the right to process your personal information, and therefore your request may be challenged or denied where we believe there is good cause to do so.
How to complain
If you disagree with how we are processing your data, please contact our DPO at firstname.lastname@example.org or address your letter to the DPO at the CES headquarters address listed in the ‘Contact Details’ section.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
Civica has appointed an EU representative in accordance with Article 27 of the EU GDPR. Their contact details are as follows:
The DPO Centre Europe Ltd
3 Ballsbridge Park
Dublin, D04C 7H2
+353 1 631 9460
Where applicable, we will share your contact details with our EU representative.
Changes to this privacy notice
CES will occasionally update this privacy notice to reflect changes in legislation, our practices and services. When we post changes to this privacy notice, we will revise the “last updated” date at the top of this privacy notice. If we make any material changes in the way we collect, use, and share personal data, we will notify you by prominently posting notice of the changes on this website. We recommend that you check this page from time to time to inform yourself of any changes in this privacy notice.