(Updated 29th September 2022)
At Civica we take data privacy seriously and we are committed to protecting and respecting the rights of all individuals. We are dedicated to ensuring the confidentiality and privacy of information entrusted to us and aspire to be transparent when we collect and use personal data.
This policy relates to Civica, if you are a customer of Civica Election Services, please click here.
This privacy notice covers the following:-
- Our contact details
- How Civica collects personal information
- Civica’s purposes and lawful bases of personal data processing
- How we store your information
- Sharing information
- International transfers
- Your rights
- Rights related requests
- How to complain
- Changes to this Privacy Notice
Our contact details
Dr Paula James
Civica’s headquarters is located at
Southbank Central (8th Floor)
30 Stamford Street
Tel: 020 7760 2800
Civica is registered with the Information Commissioner’s Office, with registration number Z5268164.
If you have questions or comments about this Privacy Notice or how we handle personal data, please direct your correspondence either to the above postal address (marking the envelope FAO – Data Protection Officer), or to DPO@Civica.co.uk.
How Civica collects personal information
At Civica we may obtain personal data directly from individuals in a number or ways including:
- When you fill in a form on our website
- When you give us your business card
- When you become a client
- When you submit a job application
- When you use our support and service portals
- When you email or call us
- When you visit our offices or attend events, conferences and meetings
- When you subscribe to our newsletters and user groups
- When you participate in a white paper research project.
Civica may also obtain personal information indirectly from a variety of sources including:
- Third parties, such as joint marketing partners and data brokers that share business contact information with us
- Recruitment services will provide us with CV’s
- Existing clients may share their employees contact details with us
- Publicly available sources such as LinkedIn, Companies House or freely available news articles
- Companies providing security background checks
- CCTV located at Civica offices
- Reports that are raised through our whistleblowing process.
We will always ensure you know we are processing your personal information except where it is disproportionately difficult to do so.
Civica’s purposes and lawful bases of personal data processing
Civica processes personal data for the following reasons:
To fill job vacancies
If you submit a job application either directly or through a recruiter, we will use your information in connection with the specific job that you have applied for and will store your information for 12 months in case any legal claim for discrimination is made.
To consider you for other vacancies for which you may be suitable, which may arise during this 12-month period, we will add your information to our talent pool. If you’d rather not be added to the talent pool, or wish to be removed at any time, please let us know.
Sometimes we use publicly available sources of data such as LinkedIn to source candidate information. However, you will always be contacted before we add your information to our recruitment system and provide you with the opportunity to opt-out.
For certain roles, such as those concerning applicants from Northern Ireland, we are legally required to collect community background information. This is information which may reveal religious beliefs and we will retain this for a period of three years from your application.
For all roles we also request equality and diversity data for monitoring purposes. This information is not mandatory, although we encourage you to provide it. We make every attempt to anonymise this information and ensure it cannot be linked back to an individual.
If you would like to remove the data that you've submitted to us during the recruitment process, please contact our Recruitment Team at PeopleTeam@civica.co.uk. There may be occasions where we are unable to immediately fulfil this request, including for reasons set out above.
The legal basis for processing your data for recruitment purposes is our legitimate interest in operating our business and fulfilling vacancies.
The legal basis for processing community background information for applicants from Northern Ireland is legal obligation.
To provide customer support and access to self-service portals and to provide service delivery
When you become a partner / customer of ours, we collect your data from our portal login pages. We do this in order to provide online and telephone support services to help deliver contracted services to you via web portals, email or over the telephone. We use this information to process online requests, solve problems, answer questions and respond to communications from individuals and organisations.
If you have access to parts of our websites or use our on-line services, you remain responsible for keeping your user ID and password confidential.
Our legal basis for processing these data is our legitimate interest in providing our services.
For purposes of product development
There may be occasions where we use personal data for the purposes of training and developing machine-learning algorithms. We only use pseudonymised data for this processing and have appropriate controls in place to ensure it is processed securely.
The legal basis for processing your data for purposes of product development is our legitimate interest in developing our software and services
For purposes of financial management
We gather and retain business contact details for financial management purposes. Personal information such as names and contact information will be needed to ensure purchase orders, requisitions, invoices and debts are handled appropriately.
Our legal basis for processing financial information is the performance of a contract. Retention period for this type of information is up to 7 years in line with legal and tax regulations.
For some services, and in order to process transactions, Civica collects payment card data on behalf of customers as part of the service provision.
To send you marketing materials by email
We use your contact to send you marketing and product information. You can opt out of marketing messages at any time. We will remove your details from our marketing list if there is no activity (such as opening an email) for a 3 year period.
We only send marketing information to corporate subscribers (business emails). From time to time, we may supply some of our marketing lists to our trusted third-party brokers (prior to purchasing a list). This is to allow them to cross-reference both lists, ensuring that we receive accurate and up to date information.
We may also contact you to conduct customer satisfaction and market research surveys.
Our legal basis for this processing is our legitimate interest in promoting and improving our business.
To tell you about our products and services
If you complete an enquiry form on our website or give us your details in person, for example at a conference, we will contact you by email or phone so that we can discuss the products or services in which you have indicated an interest.
As a Civica customer you may wish to join our special interest and user group forums. These are groups of people that share a common interest in Civica products and services. In such cases Civica will store personal contact information such as name & email address to facilitate the organisation of group events and meetings. Civica may share this personal information amongst other group members to aid in discussions, knowledge sharing and distribute information relating to new products that the group may be interested in. Our lawful basis for processing is our legitimate interest in selling our products and services.
To invite you to conferences or exhibitions
We use your data to invite you to conferences and events. Sometimes Civica uses this information to provide assistance with travel and/or hotel arrangements at the request of the individual.
Our lawful basis for processing data for these purposes our legitimate interest in promoting our business.
To host meetings with you at Civica Offices, conferences or exhibitions
We need to process your data in order to manage access and physical security at our offices. At some Civica sites visitors may be required to provide photo proof of id, but this information will not be stored. Our lawful basis is our legitimate interest in ensuring the security of our business premises and authorised attendance at our events.
Additionally, during the COVID-19 pandemic, we will record the dates and times you visit a Civica facility. We will also collect a contact number from you (or the nominated lead, if you are part of a group) in the event that this may be needed to support the contact tracing scheme. This data is only retained for a period of 21 days.
Our lawful basis for processing data for this purpose is our legitimate interest in supporting the NHS Test & Trace programme.
We may also ask for dietary restrictions or access requirements that reveal religious beliefs or physical health conditions. Our legal basis for processing these data is your consent which you can withdraw at any time.
Once your access has been arranged, we do not retain this information.
To manage the security of our facilities
Some of our offices have CCTV systems that monitor the perimeter of the buildings. These collect location and time based images of you and, sometimes, of your vehicle in order to protect our buildings and assets from damage, vandalism or another crime.
Our lawful basis for the processing this data is legitimate interest to ensure the security of our business premises and help to prevent and detect crime.
Our policy is to automatically overwrite CCTV footage within 60 days.
To allow members of the public to participate in white paper research projects
If you agree to take part in either an Engagement Solutions research project or a research project on behalf of one of our customers, your data may be used to produce an industry white paper, thought leadership report, or set of research findings which may published either by us or our customer and as such in the public domain.
Our legal basis for this processing is our legitimate interest in promoting our business.
To comply with auditing requirements
In order to maintain our certifications and to comply with our legal obligations, Civica is required to assist and cooperate with external third-party auditors. We may need to share your information as part of these audits.
Our legal basis for this processing is our legitimate interest in maintaining our business .certifications and standards.
To train and develop our staff
We record calls that are made to our customer service centre to assist in our review of call quality standards. We use this information to help train and develop our staff.
Call recordings are retained for a period of 90 days before they are automatically deleted.
Our lawful basis for processing data for these purposes is our legitimate interest in improving our call quality standards.
How we store your information
Civica is dedicated to keeping your data safe. We are certified under ISO27001 as having put technical and organisational policies and procedures in place to protect personal data from loss, misuse, alteration or destruction. We ensure that access to your personal data is limited only to those who need to access it and those individuals are required to maintain the confidentiality of such information. Where necessary, we apply encryption and anonymisation techniques in efforts to further protect personal data.
How long we keep personal data
We retain personal data for no longer than necessary for the purposes for which it is processed, unless we are required to do so by law.
Where appropriate, we may retain personal data for the establishment, exercise or defence of legal claims.
We will never sell your data to third parties. We may, however, share your data with companies with whom we have a direct business arrangement in order to jointly market Civica related products.
We also use third party data processors who provide marketing, marketing automation and lead-generation services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation and they will hold it securely and retain it for the period we instruct.
The legal basis for sharing these data is our legitimate interest in cost effectively marketing our business.
Civica operates and provides services from its locations across the globe. As such we may transfer personal information to Civica group locations outside of the UK when we have a business reason to do so. We have Intra-Group Transfer Protocols in place based on Standard Contract Clauses which provide legal safeguards for such transfers, where applicable.
Additionally, in order to support the provision of our services, we may transfer personal data to our third-party service providers outside the UK. We only transfer this data where it is necessary to do so and where a legal safeguard is in place.
Your right of access –You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing – You have the right to object to processing if we are using legitimate interests as our lawful basis for processing.
Your right to data portability – This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or as part of a contract, or in talks about entering into a contract and the processing is automated.
Your right to withdraw consent – You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
Rights related requests
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it.
No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
There are circumstances, where we have an obligation, legal or otherwise, or the right to process your personal information, and therefore your request may be challenged or denied where we believe there is good cause to do so.
How to complain
If you disagree with how we are processing your data, please contact our DPO at DPO@civica.co.uk or address your letter to the DPO at the Civica Headquarters address listed in the ‘Contact Details’ section.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
Civica has appointed an EU representative in accordance with Article 27 of the EU GDPR. Their contact details are as follows:
The DPO Centre Europe Ltd
3 Ballsbridge Park
Dublin, D04C 7H2
+353 1 631 9460
Where applicable, we will share your contact details with our EU representative.
Changes to this Privacy Notice
Civica will occasionally update this privacy notice to reflect changes in legislation, our practices and services. When we post changes to this privacy notice, we will revise the “last updated” date at the top of this privacy notice. If we make any material changes in the way we collect, use, and share personal data, we will notify you by prominently posting notice of the changes on the website. We recommend that you check this page from time to time to inform yourself of any changes in this privacy notice.
Summary of changes:
|27/05/2020||Amended retention information for job vacancies and marketing processes.|
|28/07/2020||Clarification of marketing for corporate subscribers only. Expanded upon requirement to share data with external auditors.|
|30/07/2020||Highlighted personal data used for contact tracing purposes.|
|15/02/2021||Updated references to legislation to recognise UK GDPR.|
|04/03/2021||Expanded upon our reasons for relying on legitimate interest.|
|08/04/2021||Included details of our EU Representative.|
|12/07/2021||Clarification of when personal data is shared with third-party auditors.|
|01/10/2021||Clarification of retention periods|
|05/11/2021||Extended upon our marketing processes|
|20/01/2022||Included data processed via our whistleblowing process|
|11/04/2022||Clarification on data being used in connection with legal proceedings|
|16/06/2022||Clarification on data used for market research purposes|
|13/07/2022||Inclusion of Northern Ireland ‘community background’ information & payment card processing.|
|15/07/2022||Clarification of CV retention & pseudonymised data for machine learning|
|22/07/2022||Clarification of retention of recruitment data & legal basis for product development|
|28/07/2022||Inclusion of the Bring Your Child to Work event|
|28/09/2022||Removal of the Bring Your Child to Work event|