This User Privacy Notice applies to individuals who use our services and send us general enquiries and complaints in relation to services provided by us.
This notice explains what data we process, why, how it is legal and your rights.
This User Privacy Notice applies to your use of the Competency Training Marketplace.
We are a “Processor” of your Personal Data for the purposes of Data Protection Legislation. The only processing of such Personal Data that we are authorised to do is set out in this User Privacy Notice. Sopra Steria Limited, a company registered in England and Wales with registered number 4077975, whose registered office is at Three Cherry Trees Lane, Hemel Hempstead, Hertfordshire, HP2 7AH (“Sopra Steria”, “we”, “us” and so forth) is responsible for the collection and processing of your personal data in connection with the provision of our Services.
How to Contact Us
If you need to contact us about this User Privacy Notice, use the details below.
Data Protection officer: Peter Cashmore
Address: Three Cherry Trees Lane, Hemel Hempstead, Hertfordshire, HP2 7AH
Changes to this Privacy Notice
The latest version of this User Privacy Notice can be found on the CTM platform. Sopra Steria may change this User Privacy Notice from time to time by posting the revised User Privacy Notice on the CTM platform and indicating the effective date. We will alert you on the website when changes are made.
What personal data we collect and process
We collect your personal data when you use our Services. We collect the following personal data:
- Contact information: Your name, address, telephone numbers, email addresses
- Data regarding bookings, accreditations or Training Courses that you provide in a transaction (including data that you provide in relation to your staff or other persons on whose behalf you may act).
- Content that you share with other users through the CTM.
- Data of your employees that you choose to put onto CTM, such as their name, role and qualification history
- Financial information (e.g. credit card and account numbers, payment details) in connection with a transaction and account setup
- Communication preferences. Information provided to us by you through a web form or by updating or adding information to your CTM account, enquiries, dispute resolution, customer service calls recorded with your consent, or if you contact us for any other reason regarding our Services.
- Other data that we need for your authentication or identification, or for the verification of the data we collect.
Personal information about other individuals
- By providing us with information about other individuals (e.g. your employees or colleagues), you confirm that you have obtained the agreement of the relevant individuals.
Personal Data we collect automatically when you use our Services or create a CTM account
- Data that is generated as part of one of your transactions (bookings or Training Course information) or that is linked to your CTM account as a result of a transaction in which you are involved, such as transaction amounts, time and location of transactions and payment methods.
- Data that is generated through your other actions when you use our Services and which is linked to your CTM account.
- Data regarding all other interactions with our Services and your communications with us.
- We currently use essential cookies to provide the CTM system, both on the website and when you log in to or register on the portal.
- Cookies are small text files that are placed on your computer by websites that you visit. They serve a number of purposes, from benefiting the user's experience to securing the site. Allowing cookies means some information is stored, for example the number of times you have visited the site, which means your experience can be tailored.
- All of the essential cookies that we currently use are mandatory for the user to accept in order to use the platform. These cookies are closely related to security and function.
- Essential cookies that we use are listed below:
Cookie Name: Cross-site request forgery
Purpose: Prevents a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.
Cookie Name: Correlation ID Patterns
Purpose: A unique identifier value that is attached to requests and messages that allow reference to a particular transaction or event chain.
Cookie Name: Show Tool Tips On Forms
Purpose: A parameter to specify if tool tips are shown on forms. A tool tip is a message that appears when a cursor is positioned over an icon, image, hyperlink, or other element in a graphical user interface.
Cookie Name: Culture
Purpose: Retrieves the language setting from the user’s browser for use in the application.
Cookie Name: Header Collapse Settings
Purpose: A parameter to specify if headers should be displayed collapsed or not in the application.
Cookie Name: Theme
Purpose: A parameter to specify how the platform will be displayed depending on the device being used to view the platform.
Cookie Name: Timezone
Purpose: Receives the time zone from the user’s computer for use on the platform.
Cookie Name: Colour Palette Cookie
Purpose: Saves information regarding the colour palette and branding elements used on the platform
Cookie Name: WordPress Test Cookie
Purpose: Checks if cookies are enabled on the browser so that an appropriate user experience can be provided
Cookie Name: WordPress Time
Purpose: Customises the view of the front end of the website
- We also use Google Analytics on both the website and your CTM portal. You can opt in to, or change your preferences for, Google Analytics at any time on the CTM website. If you opt in, we use Google Analytics to monitor how you use our website by placing cookies on your device. You can see how Google collects and processes data by following the link to the site: “How Google uses data when you use our partners’ sites or apps” (located at www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time).
- The Google Analytics cookies we use are:
Cookie Name: Universal Analytics (Google)
Purpose: These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information in a way that does not directly identify anyone, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited.
Purpose: Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service
Purpose: This is used to check how long you remain on the site, when the visit starts and roughly when it ends. This does not contain any personal information other than the IP Address of your device
Purpose: Is used to throttle request rate
Purpose: This cookie determines new sessions and visits and expires after 30 minutes
Purpose: This cookie is used to identify new users/sessions in conjunction with the cookie above. This is destroyed when you close the browser
Purpose: This cookie tells the site owner where visitors came from. It has a life span of 6 months and is updated every time data is sent to Google Analytics
Purpose: Allows the newest version of Google Universal Analytics Enhanced Tracking to be used. It allows a centralised script tag that can send all of the analytics data at the same time
How is processing your personal data lawful?
We are allowed to process your personal data for the following reasons and on the following legal bases:
Fulfilling our contract with you:
We process your personal data in order to fulfil our contract with you and to provide you with our Services. This includes the following purposes:
- Processing of data relating to you or your company for the purpose of entering into a contract with you and executing it.
- Provision of our Services, including but not limited to enabling and performing transactions with other users (including the transmission of your personal data to other users where necessary to perform the transaction, including in cases of terminated, failed or subsequently voided transactions), providing and enhancing features such as CTM account management, providing other services you may use (as described in connection with such services), and ensuring the functionality of our Services. In connection with the provision of our Services, we will send you notifications relating to the execution of transactions and the use of our Services in accordance with the communication preferences in your CTM account.
- Provision of analytics and reporting for your own use, available on the reporting dashboard on your account.
- Provision of analytics and reporting for our own use
- Solution of problems with your CTM account, guidance on your use of CTM including prompts and feedback requests, providing other services within the scope of customer service as well as enforcement of fee claims. For these purposes, we may contact you by email.
- Enforcement of our Agreement, this User Privacy Notice and other rules and policies.
- Where necessary, we transmit your personal data to processors and the following recipients for one or several of the purposes described above:
- Other CTM users
- Sopra Steria corporate family members
- External service providers
- External operators of websites, applications, services and tools
We process your personal data for the following purposes:
- Participation in proceedings (including judicial proceedings) conducted by courts, law enforcement agencies, government agencies or public authorities,
- Prevention, detection, mitigation and investigation of fraud, security breaches and other prohibited or unlawful activities, including the assessment of corresponding risks (e.g. through the use of captchas or the telephone number stored in your CTM account for two-factor authentication).
- Monitoring and improvement of the information security of our Services
- Evaluation of applications and comparison of information for accuracy and verification purposes.
- Provision of functions for users that make the processing of transactions easier or more convenient (e.g. administration of several delivery addresses).
- Processing your anonymised and generalised data (not personally identifiable) in order to provide reporting for other organisations, such as showing the geographical breakdown of courses booked and enquired about, as well as the geographical data of staff in the rail industry.
- Analysis and improvement of the Services from Sopra Steria corporate family members, e.g. by reviewing information from users about blocked or crashed pages in order to identify and solve problems and to provide you with an improved user experience, including as part of product development.
- Assessment of the service status (e.g. on the basis of Training Course information if training providers provide Training Course booking status information).
- Initiation, preparation and execution of a company acquisition, e.g. in the event of a merger with another company or takeover by another company. If such an event occurs, we will require the merged entity to comply with this User Privacy Notice with respect to your personal data. Should your personal data be processed for any purpose not specified in this User Privacy Notice, you will be informed in advance of the processing of your data for this new purpose.
- Assertion of or defence against legal claims, including those asserted by one CTM user against another CTM user.
- Where necessary, we transmit your personal data to processors and the following recipients for one or several of the purposes described above:
- Sopra Steria corporate family members;
- External service providers;
- Other CTM users;
- Law enforcement agencies, courts, government agencies or public authorities, intergovernmental or supranational bodies;
- Other companies in the context of a company acquisition.
Data Sharing between Sopra Steria Corporate Family Members: To the extent that other Sopra Steria corporate family members have access to your personal data, they will follow practices that are at least as restrictive as the practices described in this User Privacy Notice.
International Data Transfers
Some recipients of your personal data are located outside your country or have offices in countries where data protection laws may provide a different level of protection than the laws in your country. When transferring personal data to such recipients, we provide appropriate safeguards, e.g. through standard data protection clauses (2010/87/EU, 2001/497/EC or 2004/915/EC) with the recipients, or through other measures provided for by law. A copy of the documentation of the measures taken by us is available on request.
Data transfers to Sopra Steria corporate family members:
The transmission of personal data between different Sopra Steria corporate family members is based on our worldwide data protection principles, which are appropriate safeguards (e.g. standard data protection clauses issued or approved by the European Commission (2010/87/EU, 2001/497/EC or 2004/915/EC)). The Sopra Steria corporate family members undertake to protect your personal data and to comply with data protection obligations.
How we keep your personal data secure:
We strive to implement appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data.
When will we delete your data?
In relation to the processing activities covered in this Privacy Notice, the following categories of personal data and special categories of data will be kept for the following periods:
Personal Categories of Data: CTM User’s Contact Details
Retention Period: Deleted from the portal after 1 year of no activity on the account. A user login is counted as activity, so if a user does not log in in 1 year, then they are removed.
Personal Categories of Data: Staff details, including training records, name, ID, address, and any other data linked to an employee of your organisation
Retention Period: Deleted from the portal after 5 years of no activity on the account. Any of the following are counted as an activity for the staff member:
– The adding / editing / removing of any of their basic information – role, name, id, training records, address
– Being part of a course enquiry process
– Having their qualifications updated / added / removed
– Being added onto a project
Personal Categories of Data: Financial Information
Retention Period: Deleted from our records and the portal after 5 years of no activity on the account
Personal Categories of Data: Details relating to a support request
Retention Period: 3 months after resolution
Personal Categories of Data: Audit Logs
Retention Period: Deleted after 5 years and 1 month. Audit logs that we keep have been assessed so that we only store what we need to support you. They are kept for 5 years and 1 month in order for us to fulfil our need to identify and delete inactive users. If you delete information from the portal, it may still be held in audit logs for 5 years. Access to audit logs is restricted and protected.
Personal Categories of Data: Backup Data
Retention Period: Any backed up personal data is deleted 35 days after the backup was taken.
You have the following rights under Data Protection Laws:
- the right to object to processing of your personal data
- the right of access to personal data relating to you (known as data subject access request)
- the right to correct any mistakes in your information
- the right to prevent your personal data being processed
- the right to withdraw your consent
- the right to erasure
These rights are explained in more detail below. If you want to exercise any of your rights, please contact us (please see ‘How to contact us’).
We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.
Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.
Your rights in detail:
- Right to object to processing of your personal data:
- You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing.
- If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed ‘How is processing your personal data lawful’.
- Right to access personal data relating to you:
You may ask to see what personal data we hold about you and be provided with:
- a copy of the personal data
- details of the purpose for which the personal data is being or is to be processed
- details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are overseas and what protections are used for those overseas transfers
- the period for which the personal data is held (or the criteria we use to determine how long it is held)
- any information available about the source of that data
- whether we carry out any automated decision-making or profiling and, where we do, information about the logic involved and the envisaged outcome or consequences of that decision or profiling
- To help us find the information easily, please provide us with as much information as possible about the type of information you would like to see.
- Right to correct any mistakes in your information
You can require us to correct any mistakes in your information that we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.
- Right to restrict processing of personal data
You may request that we stop processing your personal data temporarily if:
- you do not think that your data is accurate. We will start processing again once we have checked whether or not it is accurate;
- the processing is unlawful but you do not want us to erase your data;
- we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
- you have objected to processing because you believe that your interests should override our legitimate interests
- Right to withdraw consent:
You may withdraw any consent that you have given us to process your personal data at any time. This means that we will not be able to carry out any processing which required use of that personal data.
- Right to erasure:
You can ask us to erase your personal data where:
- you do not believe that we need your data in order to process it for the purposes set out in this Privacy Notice
- if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data
- you object to our processing and we do not have any legitimate interests that mean we can continue to process your data
- your data has been processed unlawfully or has not been erased when it should have been
What will happen if your rights are breached?
You may be entitled to compensation for damage caused by contravention of the Data Protection Laws.
Complaints to the regulator
It is important that you ensure you have read this Privacy Notice – and if you do not think that we have processed your data in accordance with this notice – you should let us know as soon as possible. You may also complain to the ICO. Information about how to do this is available on its website at www.ico.org.uk.
The exercise of the above data subjects’ rights (e.g. right to access or erasure) is generally free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge an appropriate fee (at most our actual costs) in accordance with the applicable statutory regulations or refuse to process the application.
Other important information regarding data protection
This section contains important additional information about the submission and protection of personal data in connection with the use of our Services, including whether you are required to provide personal data.
It remains your responsibility to ensure that the safety of any data subject is not in any way put at risk by you uploading data to the CTM.
What happens when you share your personal data on our sites or applications?
- Other users have access to the information you share on CTM or disclose to other users. For example, other users can see your Training Course information, reviews and associated comments. Other users can also see any information you choose to share in your profile.
- Notices sent to other users about suspicious activity and notice violations on our sites may refer to your public user ID and specific items. Accordingly, if you use a username that allows others to identify you, these others may be able to identify your CTM activities.
- When users are involved in a transaction, they have access to each other’s name and email address.
Your responsibilities over transactional information you receive through CTM:
- When you complete a user transaction with a training provider (or a transaction has been cancelled, failed or subsequently invalidated), we will provide the training provider with the user’s personal data (such as name, email address, contact information). Independent from us, you are the controller of such data and responsible for any processing.
- Unless you act for purely personal purposes, we recommend that you explain your data processing activities in your own privacy notice and protect the privacy of other users. As a training provider, you must in any case comply with the applicable data protection laws and in particular protect the rights of other users as data subjects, e.g. give them the opportunity to access the personal data collected by you and demand that it be erased.
- You may use the personal data that you have access to only for CTM transaction related purposes, or for other Services offered through CTM (such as user to provider communications). Using personal data of other users that you have access to for any other purpose constitutes a violation of our User Agreement.
Personal data relating to third parties
If you provide us with personal data relating to another person, you must obtain the consent of this person or the disclosure of the data to us must be otherwise legally permissible. You must inform the other person of how we process personal data in accordance with our User Privacy Notice.
Are you obliged to provide your personal data to us?
Some of the personal data that you provide to us (e.g. data by which we can identify you) are required to enter into the User Agreement. The provision of any other personal data is voluntary, but may be necessary for the use of our Services, such as purchasing a Training Course and other data required to complete a transaction.
Our services are not intended for use by children. We do not knowingly collect personal data from users who are considered children under applicable national laws. According to our User Agreement, children are not permitted to use our Services.