The following information sets out who Citation Ltd are, information about other companies in the Citation Group and tells you about how we use your personal data and why.
Citation Limited is one of a part of the Citation Group. A group of companies operating in aligned industries of compliance and standards; together we provide a wider and more comprehensive range of services to our customers.
Our Group Companies Include:
Citation Limited Food Alert QMS HS Direct EPM Citation Fire & Electrical SMAS Avec Southall Associates
As for Citation Limited, we act as both data controller and data processor depending on which service we are providing. Further information about how we process your data as a processor and controller can be found throughout this notice.
Whilst we don’t share that data outside the group, we do share it internally on occasion to help improve our service offering, which of our services we talk to you about and better support the compliance and standards of your business.
Under data protection laws you have rights; if you think something is not quite right with the way we are handling your data please get in touch, the email address is DPO@Citation.co.uk
Below is what you can expect in the way that we handle your data. Let us know if you think something is missing or you feel it is incorrect, we’d love to put it right.
The cookies we use for analytics, marketing and advertising are Google and Facebook. Where Google and are concerned they collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site, which pages people prefer and which we need to put more effort into. This information can also be helpful in helping us to understand what prospective clients are looking for, how easy our site is to navigate and how effective our site is. This information is only processed in a way which does not identify anyone, its anonymised. For more information about them, follow the links below:
We use Facebook Custom Audiences to deliver advertisements to Website Visitors on Facebook based on email addresses we have collected and through information collected via cookies. You can learn more about Facebook Custom Audiences here
We also use other cookies which help with our advertising and link to advertising networks via Facebook.
Cookies we use on our site and why:
|_qca||Collects anonymous data on the user’s visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded with the purpose of generating reports for optimizing the website content.|
|_biz_flagsA||This cookie is used to by Cloudflare – Cookies are used to remember users’ settings as well as for authentication and analytics.|
|_biz_nA||This cookie is used to by Cloudflare – Cookies are used to remember users’ settings as well as for authentication and analytics.|
|_biz_pendingA||This cookie is used to by Cloudflare – Cookies are used to remember users’ settings as well as for authentication and analytics.|
|_dc_gtm_UA_15304393-3||Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager.|
|_fbp||Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.|
|_ga||This cookie name is associated with Google Universal Analytics – which is a significant update to Google’s more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the site’s analytics reports. By default, it is set to expire after 2 years, although this is customized by website owners.|
|_gcl_au||Used by Google AdSense for experimenting with advertisement efficiency across websites using their services.|
|_gid||This cookie name is associated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited.|
|intercom-id-saz8xa7c||Anonymous visitor identifier cookie. As people visit your site, they get this cookie.|
Cookies used by the Intercom messenger are “first-party” cookies assigned to the domain of your website. We take the privacy of your data seriously and these cookies cannot be read by Intercom on other sites, or by other sites using the Intercom messenger. All cookies are unique to your domain.
|Trustpilot_info||Expiry – temporary in nature and are deleted when you exit your web browser.|
This cookie is used by trust pilot.
|visitor_id169532||This is a cookie pattern that appends a unique identifier for a website visitor, used for tracking purposes.|
|This is a cookie pattern that appends a unique identifier for a website visitor, used for tracking purposes.|
When you fill out a contact us form on our website, we will use your details to answer your questions by the means that you have provided us.
It’s the same if you complete the “Get a free consultation” enquiry form, we’ll be in touch to arrange that consultation and answer any additional questions you have.
In both cases you’re providing consent for us to contact you and we have a legitimate interest in opening a record to ensure that we have made contact and can track our communications, ensuring your questions and requests have been answered, and information that we have discussed can be recorded.
Once your request has been actioned the initial request will be deleted, if your initial request has turned into a record, this will be retained until it is no longer required. It’s a legitimate interest to retain a record of what communications we have had with companies that have expressed an interest in our services.
When you provide your contact details at the point of downloading available content from our website, we’ll keep a record of these for two reasons. The first is to understand the relevance of our content to site visitors and the second is to make contact with you if it’s appropriate.
We use an external third party to manage our website, this company and the hosting is in the UK. The other third party we use provide us with the online chat option. If you use the Live Chat service, we may collect your name, email address, company name, phone number or any other personal details you choose to share with us at the time. For more information, please see Intercom’s privacy notice
If you call our helpline as an existing client, we will make a note in your company record that we and you can refer to later. As a client calling the helpline, we’ll be processing your personal data in order to perform our duties under our contract with you.
If you’re not a client, we will ask for basic contact details in the first instance. We take more during the call if it’s appropriate, but you’ll be in complete control of that, and if you don’t want to provide more information you don’t have to. In this regard we’ll be processing your data in a legitimate interest of good business administration.
Our calls are recorded for quality, security and fraud prevention/detection purposes. Recordings are retained for 90 days and access to recording is strictly controlled.
At events where Citation is either a co-host or partner (we act as either the data controller or joint data controller), we will use the contact details you have provided in response to the invitation to provide you with further information about the event in the run up to the event.
Events are very well attended, oftentimes we don’t get an opportunity to talk with everyone and find out if they enjoyed the event, what they’ve got out it. Don’t worry we’ll make sure we follow up after the event.
We have a legitimate interest to contact you before and after an event. This is to ensure you have the information you need in advance, help us understand if we met your expectations and answer any questions you have. We may invite you to future events and discuss how Citation’s services could support your business. If for whatever reason you don’t want us to follow up with you, be sure to let us know.
We may also ask about accessibility and any dietary considerations to help us cater correctly for you, this is a legal obligation under the Equality Act and Health and Safety legislation.
We use social media to provide information, answer questions and to interact with you. If you have liked a post or followed us, the details you make available on the platform will be known to us and will be used on the platform in this regard (For this purpose we are classed as controllers in common). We might also use your contact data and any knowledge we have about your interests in certain areas which relate to Citation to place adverts in front of you. See Facebook and customer audiences.
Any personal data you put into the platform will be used by the platform provider for their own purposes as a data controller.
If as a client you provide us with a testimonial or similar comment to be published on our website, and/or hard copy format we’ll do so only with your consent. These are retained indefinitely or until you ask us to remove them.
As clients we will often ask you which other companies you know that would benefit from our service. This will often be done either by email, in person or the use of a third-party tool (this enables confidentiality of the referral so we can’t see it).
Citation offers various services some are online and other services relating to human resources and health and safety. Additionally, we offer related advice and consultancy.
Where we provide online services through one of our platforms, we are the data processor. The company you work for is the data controller. It is in your employer’s hands which of our online services are used and will use it in accordance with what is appropriate for their business and all concerned.
We maintain and administer the platforms and therefore have access to your personal data at the request of our clients, your employers. This is typically to help with queries or when assistance is needed. Our clients can cancel their subscription to this service at any time and any data stored within shall be archived at 30 days post deletion. Any archived documents shall be held for a further 6 months and then deleted.
Where Citation are providing advice and consultancy, we are the data controller, and processing personal data in accordance with the services we provide under our contracts. Any personal data gained in this regard with only be used for their intended purposes. We are registered with the Information Commissioners Office; our registration number is Z510281S. For service owners, Health and Safety and HR Managers we will send general operational and service updates direct to the platform along with other information about products and services which are subscribed to by other similar clients. Some of these services will be targeted based on the what services you do and don’t access, and others will be generic, to everyone.
To enable us to develop and communicate our services in a more effective way we export data and analyse, enabling greater insights into our clients and how all our services across the group are used and if there are other services which could be used to provide greater benefit. Sometimes we will communicate these services through our platforms, via email or in person or in phone calls.
Personal information we collect from you as a data controller shall be retained for as long as we have on ongoing legitimate business reason (for example to continue to provide a service, legal, accounting or taxation reasons. There are likely to be different legal conditions for this processing).
We use third parties in three areas. The first is for some direct marketing campaigns, these parties are only allowed to use the information to send out the publications. This is who we use:
The second is for the hosting of our platforms, we use Microsoft, a link to their privacy notice
The third are analytic tools to help us understand how you engage with us, the services you use, and how we could further support you in the future. In many instances we will either anonymise or pseudonymise your data. In most cases is contact details and inference. The applications we use are:
In all cases they fulfil their obligations under Article 28 of the GDPR and data is hosted in the EU or transferred using one of the lawful mechanisms set out in GDPR Chapter V.
If any of these parties change, we will update our privacy notice, please keep an eye out on the changes if and when they happen, this will be our way of communicating them to you.
Where promoting our services, we may purchase databases of business contacts within our target sectors. These contacts will only be purchased from credible sources who can provide sufficient assurances that they are meeting their data protection obligations. These providers are:
Additionally, we may combine these records with other publicly available information to ensure that our records are accurate and up to date.
Our primary market is Business to Business therefore Citation will only email, call or direct mail prospects where doing so would be in accordance with all applicable data protection laws. Opting out, unsubscribing or objecting is your right, should you do so, it will be respected, and we will not contact you again.
Citation is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information, please contact us on the details at the bottom of the page.
What will we do with the information you provide to us?
All information you provide during the application process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during Citation’s internal recruitment process with any third parties for marketing purposes. The information you provide will be held securely by us. If you have provided your data in electronic form it shall be held securely in a third-party data centre in the EU.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes. The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for, but it might affect your application if you don’t.
Applications may be received by email, physically by post or through a third-party recruitment agency. We will ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to this information.
We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test, or we might take interview notes. This information is held by the Citation.
If you are unsuccessful following assessment for the position you have applied for, we will retain your details for 12 months.
If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
• Proof of your identity – you will be asked to attend our office with original documents, we will take copies
• Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies>
• You will be asked to complete a criminal records declaration to declare any unspent convictions
• For certain positions we will contact you to complete an application for a Basic Criminal Record check via the Disclosure and Barring Service, which will verify your declaration of unspent convictions
• We will contact your referees, using the details you provide in your application, directly to obtain references
• We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work. This is done through a data processor (please see below)
If we make a final offer, we will also ask you for the following:
• Bank details – to process salary payments
• Emergency contact details – so we know who to contact in case you have an emergency at work
Use of third-party recruitment
Where recruitment is concerned Citation is a data controller, where we use third party recruitment agencies in support of this, they are a joint controller. This is because they will try to place you with other organisations. Where we use other third-parties, job sites that you have registered with they are a data processor. We ensure that appropriate controls and contracts are in place with these third parties.
If you are employed by Citation, relevant details about you will be provided to a number of third-party providers, including our payroll and pensions providers. All colleagues will be given an appropriate privacy notice to explain this in detail.
How long is the information retained for?
If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 7 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.
If you have been unsuccessful at either the shortlisting stage or assessment stage your data will only be retained for 12 months with the exception of your name. This will be kept for 2 years so we have a record of who we have previously interviewed. This is a legitimate reason to ensure a consistent robust selection and recruitment process.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
If you sign up to our newsletters and other communications, you can easily unsubscribe at any time following the link at the bottom. These communications are sent using a third-party tool which enables us to see how useful the content has been to you and if the email has been opened. This is done with the use of beacons and pixels in our emails.
Under data protection legislation, you have rights as an individual which you can exercise in relation to the information, we hold about you.
These rights include:
The Right of Subject Access
This is the right to access data we hold about you and, where required, an explanation of that data.
The Right to Rectification
This is the right to have inaccurate or incomplete data rectified.
The Right to Erasure
This is also known as the ‘right to be forgotten’ and means that in certain circumstances you have the right to ask us to delete data we hold on you.
The Right to Restrict Processing
This is where you can request that we restrict/block processing of personal data (but still retain it).
The Right to Object
This right allows you to object to us processing your personal data. This is typically related to processing based on legitimate interest, performance of a task in the public interest, direct marketing and processing for scientific or historical research.
You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
In some instances, our use of your personal information may result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.
Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without human review. For example, we use automated decisions to assess the current engagement level of customers and potential customers visiting the website or otherwise engaging with Citation. We have implemented measures to safeguard the rights and interests of individuals whose personal information is subject to automated decision-making.
When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contact us using the contact details provided under the “How to contact us” heading below.
Citation tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Citation’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law –
Citation tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’. If we do hold information about you, we will:
• Give you a description of it;
• Tell you why we are holding it;
• Tell you who it could be disclosed to;
• Let you have a copy of the information in an intelligible form
To make a request to the Citation for any personal information we may hold you need to put the request in writing to the address provided below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Group Data Protection Officer.
In many circumstances we will not disclose personal data without consent, unless legally obliged to do or as part of contractual obligations with our customers (where you are a party to the agreement or service).
We may disclose your personal information to the following categories of recipients:
• To our group companies (as identified at the top of this notice), third party services providers and partners who provide data processing services to us (for example, to support the delivery of, provide functionality on, or help to enhance the security of our Website), or who otherwise process personal information for purposes that are described in this Privacy Notice or notified to you when we collect your personal information.
• To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
• To a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice;
• To enforce or apply our Terms of Service or other agreements or to protect Citation and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction)
• To any other person with your consent to the disclosure
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
We keep our privacy notice under regular review. This privacy notice was last updated on 11th February 2020.