This notice gives you information about who Citation are, our approach to data protection and provides you with information about how we manage your personal data and the importance data protection plays in how we operate as a company.

Our data protection approach is supported from the top of the business and is a core competence of how we operate, it is a fundamental which we continually strive to improve on. You can read more about our approach here.

For the purposes of this notice Citation is the data controller unless it has been specifically noted otherwise.

This notice relates to the collection and processing of personal data for Citation, it does not cover processing we do in relation to the service we provide to our clients, in that regard Citation are the data processor acting on the instruction of our clients. To that end, as a data processor we offer broadly the following services: (1) a SaaS platform to enable the management of HR and Health and Safety for clients, (2) On-site HR and Health and Safety support, (3) Fire and Electrical risk assessments and follow up services. There are also elements of these services where we also operate as a data controller.

This notice applies to the processing of personal data collected by us when you:

• Visit our websites (Citation, Citation Safety)
• Visit our social media pages
• Visit our offices
• Receive communications such as emails and phone calls
• Register for and/or attend events where we participate or host
• Are an applicant to join Citation
• Are a client where our services are of a data controller (employment law, responsible person for Health and Safety purposes)
• For sales and marketing
• For the understanding, development, growth, and administration of our business

Where we use social media or where you click a social media icon on our website, be aware that these companies are independent to Citation, they manage their own affairs and they will be a data controller in their own right. If you have any questions pertaining to how they process your personal data, you should review their privacy notices which will be available on their websites.

Finally, our websites may contain links to other websites for your ease and convenience, we are not responsible for them, how they operate or their security provision.

We collect personal data directly from you when:

• You express an interest in our products and services either over the phone, via email, social media, webforms, webinar attendance, contact us provision, when signing up to newsletters and other communications, when downloading certain content from our websites, at events we attend or host or through the live chat on our websites. The information we may require is contact information, name, phone number, email address, job title, company name, company address.
• If you contact our helpline you may be asked for you name, company name and confirmation of security credentials.
• When you make a purchase either through our SaaS products or with a Citation Colleague we will require financial information for invoicing and collection purposes, this may include bank details, credit card information, invoice name, address and point of contact.
• If you attend an event where we are participating, you may have given additional consents to be contacted by us following the event. This information may include name, phone number, email address, company name and job title.
• If you connect with us through a social media channel, we will know your social media handle and any other information including photos you make available through our interactions and your profile.
• If you use our websites or email’s we will have details about your usage of our sites through cookies, beacons, and similar technologies. This information may include IP address and information about your visit. This is also the case when you use our SaaS products, we may collect information about your usage.
• If you complete surveys or enter competitions they may require contact information such as name, phone number, email address, company name and job title.
• If you complete a registration form on our website when downloading content, we will ask for details such as name, email, company name and phone number
• When you interact with live chat we will need name and email address for the functionality to work.
• If you are an applicant for a role at Citation we will require information relating to your career history which could include name, address, phone number and email address along with the positions you held and the date range you held those positions in different companies along with any qualifications.
• If you visit one of our offices, we have CCTV in certain locations which may capture your image. You will be asked to provide your name, signature, company name and possible car registration.
• When you use of SaaS products data relating to your job role and how this influences your interaction with the platform and the client journey may be combined with other information relating to your organisation. For clarity, is generic and does not relate to you as specifically.
• If you participate in our referral program, we strongly advise you to give our details to the individual you want to refer to use and facilitate the process that way. If you decide to provide us with their details you represent that you have their authority to do so, act in accordance with data protection legislation and in accordance with this privacy notice.
• If we are delivering a Health and Safety service where our qualifications or role for your company requires an authorised person or in dealing with an accident, we may require information such as name, health information, working patterns, contact information such as address, phone number. The information we may require will be specific for that scenario and will be advised in full. We will only ask for the information that is necessary to fulfil our purpose and in many cases is a legal requirement. This may also be information we gather from your employer if you are involved in an accident or incident.

We will also gain personal information from other sources, this includes third parties we purchase data from to help us identify and grow our business which could include a greater degree of personalisation. Additionally, we may combine these records with other publicly available information to ensure that our records are accurate and up to date.

We also obtain information from other companies within the Citation Group in order to provide a greater level of service and service offering or to better understand clients and industries we operate in or where synergies apply to our business and to yours. We also obtain information from services to help us comply with data protection laws.

Typically, the personal information we get from third parties includes name, phone number, email address, company name, job title, contact preferences.

Data from your device, usage of our website and applications

When you access our website or use our SaaS products we use tools such as cookies, beacons and similar technologies to automatically collect information which may contain personal data from your device and usage of our site and services. The nature of what these tools collect differ between website and SaaS product but still fall into similar categories.

This information may include IP address, application or system identification number, browser you are using, pages you have searched, files you have looked at and actions you have taken. There is also the time and date that these actions were taken or association with your browsing. We use this information to help us improve our service or your experience, to improve how you and others view the site or locations within our applications, to improve functionality, engagement and performance, to help us identify opportunities to develop our services further, our compliance with applicable usage terms and for overall security of Citation products, services and applications. The collection of this type if data may either on its own, or when combined with other data we have become personal data. It will be used primarily to identify the uniqueness of each user for security and identification of user purposes.

Cookies, beacons and similar technologies on our website and in email communications

Our use of cookies, beacons and similar technologies is to better understand how you interact with our website and email communications.

We use cookies on our websites for a variety of reasons including remembering your settings, load balancing, marketing and analytics. These will be either our cookies or third-party cookies, all of which can be configured by you using the cookie preference centre to configure the settings you are most comfortable with.

We use session cookies which expire after the session is closed, we also use persistent cookies which remain on your computer when you close the browser or turn your computer off. We also use beacons and pixels in our email communications and on our website, this enables us to understand if our communications are useful to you or not and how you then interact with the website or our service as a result of those email communications.

Where we use 3rd party cookies such as Google Analytics or third parties we use for advertising purposes we are joint controllers with them, if you do not wish for Google to have your IP address and understand your browsing actions please do decline cookies

The cookies we use fall into four basic categories, they are:

Type of Cookie	Description
Strictly necessary cookies	These cookies are necessary for the website to function and cannot be switched off. They are usually only set in response to actions made by you which amount to a request in service, such as setting privacy preferences, logging, or completing a form. You can set your browser to block or alert you about these cookies, but some parts of the site may not work.
Functional cookies	These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose service we may have added to these pages. If you do not allow these cookies, then some or all of these services may be function properly.
Performance cookies	These cookies allow us to count visits and traffic sources so we can measure and improve our site. This helps us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know you have visited our site, and will not be able to monitor its performance.
Targeting cookies	Targeting cookies may be set through our site by advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on unique identifiers in your browser and device. If you do not allow these cookies, you will experience less targeted advertising.

In our Atlas application we also use cookies to identify users against their profiles, to attribute a users’ actions and for session authentication purposes. We also use analytics to understand how many users we have in Atlas at any given time and to see how long they interact with Atlas. We may also use a website recording service which may record mouse clicks, mouse movements and page scrolling. This is used to improve our website usability and to discover what works for users and what doesn’t. The information collected isn’t attributed to an individual user but is aggregated and used for statistical reporting. There is no personal data recorded or retained in this process, However, if you prefer, you can switch this off by following this link https://sessioncam.com/choose-not-to-be-recorded/

Social Media

Our website uses social media icons such as Facebook and Twitter logos and other social sharing widgets. By using these features you will be connecting to and sharing information from your browsing session with these organisations. If you are logged into your social media account it is also possible that they will connect your activity on our site to your social media account.

This is also the case if you access our social media pages on a social media platform. The respective social media company may add your interaction to any information they may already have about you or your interests.

In all cases, in that transfer of data the social media provider is a data controller in their own right and responsible for what they do with your personal data. If you want to find out more it is worth accessing their privacy notices.

We collect and process personal data for the following purposes and with the following legal bases engaged:

• Where our website is concerned, we are processing your personal data with your consent if it is required and for other elements of our website we are processing based on the legitimate interest to operate and administer the site. Where site security is concerned and the activities through our cookies that enable a secure site, this is administered as a legitimate interest.
• To download some content from our site you are required to complete a form, this is done with your consent. We may also get in touch with you either by email and/or phone as a result of the download.
• The recording of phone calls by default on all calls is done as a legitimate interest in protecting both your interests and citations. Call recording are used for security, monitoring and training purposes.
• We may ask you for personal data when dealing with enquires, this data would be processed as a legitimate interest in being able to effectively follow up on your enquiry. This is also the case where it relates to a service enquiry or complaint, unless of course it is linked to a contractual obligation, this could include service updated and client communications, in which case it is processed as part of the fulfilment of our contract.
• Setting up and managing your journey as a client is again done as part and parcel of the performance of the contract. This is also the case when it comes to good administration of matters relating to your contract with Citation.
• Where you use the chatbot in our SaaS products you are freely inputting your questions and so consenting to processing. Where we then used pseudonymised data to either train the AI or use to improve our services we are doing as a legitimate interest. Your reference ID from the chat is also used to provide information specific to your question and may also be a reference point back to your organisation, which could in turn enable us to better tailor services and promotional messages accordingly.
• Managing event registration and administration of the event is done as a legitimate interest in ensuring the efficient administration and follow up of the event. We also rely on legitimate interests to for processing client contact data for service surveys. If you choose to complete the survey with our partner this is done on the basis of consent.
• Managing your payments and payments relating to the service we provide. This also includes the entirety of the payment process in line with the terms and conditions of our service. We may also from time to time have to escalate this process to a third-party debt collection service. This disclosure of such data would be as a legitimate interest and further processed as part of the contractual terms.
• The identification of opportunities both with prospects and opportunities within our existing client base is done in the furthering the legitimate interests of the business. Any sharing of data internally within Citation Group companies is also a legitimate interest when it is done for similar purposes. This data may also be used to improve user experience and our understanding of both the client journey and appropriateness of products and services at different points of client lifecycle either within Citation or across the group.
• Personal advertising on our website is done with the consent of you when you select cookie settings on the cookie consent management tool. Where advertising of our products and service offline is done in the pursuit of our legitimate interest and done so with prior consent that you have provided.
• Registering your information as a visitor to one of our offices will be done as a legitimate interest to protect our building, business and colleagues. It may also be used to administer non-disclosure and confidentiality agreements.
• If you provided a testimonial of our service, you will be doing so of your own free will and will be retained until you ask us to remove it.
• If we provide employment law and tribunal services, we will do so under the performance of a contract. This is also the case for some of our health and safety services where we are investigating and accident, liaising with the HSE and acting as a competent individual.
• Where you have applied as a candidate for a role at our company we will process your information in order to progress you application, contact you with updates, asses your qualities and capabilities against the requirements of the role and against other candidates. You will also be asked for proof of qualifications, references and other right to work information such as identification documents. This processing is done in part as a legitimate interest, in part with your consent and in part as a legal obligation. We may also use recruitment companies from time to time, where data is shared with these organisations we will both be data controllers and you will have been referred to us from them. Further data protection information regarding their activities can be gained from them.
• We may use personal data relating to usage of our SaaS products for reporting and analytical purposes, this is a legitimate interest in trying to improve or offering and further the growth of the business.
• We will send sales and marketing communications such as emails or phone calls related to our services and those services of other companies in the Citation Group only if we can do so in accordance with data protection legislation.
• There are legal obligations that we must comply with, these could be tax-related or generally dealing with local or national government, authorities, agencies or courts and professional advisors. It may be in our legitimate interest to protect our rights and if necessary, to disclose information for the protection of these rights or complying with court orders.
• Running, managing and administration of our business are critical to its success and the successful delivery of our service. It includes but is not limited to aspects such as account management (sales, service and financial), IT (support to clients, use of or migration to platforms, running and improving the business and its security) Development of our applications, reporting and improvement. The legal bases for these activities will differ from performance of contract to legitimate interests and if there is information required by the government (such as tax information) this would be a statutory obligation.

We may share your personal data in the following circumstances:

• Where we are using contracted service partners for services such as IT, web conferencing, hosting and system administration, email communications, analytics and research, data enrichment, survey providers and customer support. All these purposes and legal bases for processing are done in accordance with the information provided above
• If you are a client we may share your details internally within the Citation Group in order to improve the service offering and range of services we provide, for the good administration and control of the business, marketing, reporting and account management purposes. Our group companies are data controllers in their own right. A list of Group Companies can be found here
• If you registering for events where we are partnering with another organisation or if a third party is running the event on our behalf, we may be required to share your details for the purpose of registration, security and administration of the event. This will be done in accordance with the legal bases noted above.
• Where you interact with third party social media companies either through our website or directly through your social media profiles your data will be shared by you with them. This is also the case if you do not switch off third party cookies where advertising, targeting and analysis is concerned. These parties are likely to be data controllers in their own right.
• To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
• To a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice;
• To enforce or apply our Terms of Service or other agreements or to protect Citation and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction)
• To any other person with your consent to the disclosure.

We retain your data for as long as necessary to fulfil the purpose for its collection and processing. In some instances, this may be a sort period of time, for instance, as an unsuccessful job applicant we may retain your records for only 6 months once the process has concluded. In other instances, and especially where there is a legal obligation to retain your information for a certain period of time, we will do so in order to comply with the legal requirement; this is typically 6 years.

Once your data is no longer required it shall be deleted or if it is technically not possible to delete, we shall ensure sufficient controls are in place to put it beyond future use.

Our data is typically hosted In the UK and other parts of the EEA, there are however some of our contracted technical service providers that process from the US and India. Where these transfers and any other transfer than may occur in the future are concerned, we ensure that there is a legal bases for the transfer and a lawful transfer mechanism in place prior to any transfers in place.

Any such transfers currently done are done using either a transfer to a country with an adequacy ruling, using European Commission Standard Contractual Terms.

Under data protection legislation, you have rights as an individual which you can exercise in relation to the information, we hold about you.

These rights include:

• The Right of Subject Access – this is the right to access data we hold about you and, where required, an explanation of that data.
• The Right to Rectification – this is the right to have inaccurate or incomplete data rectified.
• The Right to Erasure – this is also known as the ‘right to be forgotten’ and means that in certain circumstances you have the right to ask us to delete data we hold on you.
• The Right to Restrict Processing – this is where you can request that we restrict/block processing of personal data (but still retain it)
• The Right to Data Portability – this allows people to reuse their personal data by requesting it in a useable format.
• The Right to Object – this right allows you to object to us processing your personal data. This is typically related to processing based on legitimate interest, performance of a task in the public interest, direct marketing, and processing for scientific or historical research.

We take every reasonable and commercially viable precaution to protect personal and commercial data. These are organisational, technical, and physical measures to protect against unlawful or accidental access, disclosure, loss or alteration.

Whilst we taken a robust stance to security no method of storage and transmission is 100% secure and, in some instances, out of our control. For that reason, you are entirely responsible for password security, controlling access to your devices, access to your environment in our SaaS products and signing out and closing down web sessions once completed.

When you access our website or use our SaaS products we use tools such as cookies, beacons and similar technologies to automatically collect information which may contain personal data from your device and usage of our site and services. The nature of what these tools collect differ between website and SaaS product but still fall into similar categories.

This information may include IP address, application or system identification number, browser you are using, pages you have searched, files you have looked at and actions you have taken. There is also the time and date that these actions were taken or association with your browsing. We use this information to help us improve our service or your experience, to improve how you and others view the site or locations within our applications, to improve functionality, engagement and performance, to help us identify opportunities to develop our services further, our compliance with applicable usage terms and for overall security of Citaiton products, services and applications. The collection of this type if data may either on its own, or when combined with other data we have become personal data. It will be used primarily to identify the uniqueness of each user for security and identification of user purposes.

Where our SaaS applications are concerned, we have two other types of technologies which are not strictly functional. The first is for feedback if the user is having technical difficulties and need to provide feedback. The second to provide us with an understanding of how the site is used, how people navigate the site, which areas do and don’t get much use. This to help us ensure it is intuitive, user friendly and we deliver appropriate communications and servicers through the platform. In this regard the data is anonymised and you cannot be identified from it.

Citation tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading, or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It may not provide exhaustive detail of all aspects of Citation’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below

Group Data Protection Officer

Kings Court

Water Lane

Wilmslow

SK9 5AR
Or you can email us

If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law – www.ico.org.uk/concerns

We keep our privacy notice under regular review and would encourage you to do also. This privacy notice was last updated on 9th November 2020. Our old privacy policy can be found here.