- Purpose and lawful basis for processing
- What we need
- Why we need it
- What we do with it
- How long we keep it
- What are your rights?
- Do we use any data processors?
Purpose and lawful basis for processing
Our purpose for processing this information is to arrange and undertake an audit with an organisation to assess its compliance with the legislation.
The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
What we need
When we conduct an audit, we’ll take the name and contact details of the organisation’s main point of contact and the staff members who will be interviewed.
We may also receive additional personal data where this is contained within any evidence we gather as part of the audit process.
Why we need it
We use the data collected to arrange the audit, conduct interviews with relevant staff, undertake testing of processes and procedures, and evidence the audit findings.
What we do with it
We may publish a summary of the audit we have completed with your organisation, but this will not contain any personal data.
How long we keep it
For information about how long we hold personal data, see our retention schedule.
What are your rights?
We process personal data in the course of carrying out audits in our capacity as a regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
For more information on your rights, please see ‘Your rights as an individual’.
Do we use any data processors?
Yes – we use Symbiant audit management software to conduct some of our audits.