Last updated: 26th November 2021
The key things this policy covers are:
You have important rights under laws aimed at protecting your personal data. This policy sets out your rights and how you can exercise them.
1 ABOUT DARWIN
This section explains who we are. It provides some useful information about us, including our company number, registered address and data controller registration number (provided by the Information Commissioner’s Office).
3 WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?
This section informs you of exactly what personal data we collect about you and why. This includes information that is provided to us directly by you as well as information that we gather from your visits to our website and information that we receive from other sources.
4 HOW IS YOUR PERSONAL DATA COLLECTED?
This section explains to you the different ways in which we will collect the personal data that you provide to us.
5 PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
This section explains the purposes for which we will use your personal data that we hold. We also set out what we consider to be the legal basis for processing your personal data for each purpose. This is to ensure that you have all the information that we are required to provide you by law.
This section explains how we will ensure that you only receive communications that you wish to receive. We will ensure that you have total control over the information that you receive.
7 WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?
This section explains which of our employees will have access to your personal data. It also explains the reason for our employees accessing your personal data.
8 WHO ELSE MIGHT WE SHARE YOUR PERSONAL DATA WITH?
This section informs you of who we share your personal data with. It also explains the reason for sharing; this is largely so that we can provide our services to you.
9 HOW DO WE PROTECT YOUR PERSONAL DATA?
This section explains how we keep your personal data safe and where it will be held. It also explains how we may process your personal data outside the United Kingdom, but that we will only do so using recognised mechanisms which offer an adequate level of protection.
10 HOW LONG DO WE KEEP YOUR PERSONAL DATA?
This section explains the length of time that we will retain your personal data. It also explains why we would hold your personal data for such time periods.
11 WHAT ARE YOUR RIGHTS?
This section explains that you have rights in relation to your personal data. It also explains what these rights are and how you can go about exercising them.
13 WHO CAN YOU ASK FOR MORE INFORMATION?
This section provides you with contact information should you have any questions or concerns about the way we handle your personal data. It also explains how you can contact the data protection regulator should you be unsatisfied with our response to your data protection issues.
This policy is issued by Darwin Innovation Group Limited (company number 07854187), registered in England and Wales, whose registered offices are at 21 William Lucy Way, Oxford, OX2 6EQ.
We are registered as a data controller with the Information Commissioner’s Office (ICO) under registration number ZB126302.
This section informs you of what information we collect about you and why. Personal data means any information about an individual from which that individual can be identified.
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
Special Category Data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health and genetic and biometric data. We do not seek to collect or otherwise process your Special Category Data, except where one or more of the following applies:
We use different methods to collect data from and about you, including through:
We collect personal data about you if you fill in forms on our website or correspond with us by telephone, email, social media or otherwise. This includes information you provide when you:
We may also ask you to share your personal data with us if it is necessary for us to provide our services to you – for example, we may ask if you require mobility assistance when travelling.
We may process personal data that you manifestly choose to make public, including via social media (e.g. we may collect information from your social media profile(s), to the extent that you choose to make your profile visible).
Automated technologies or interactions
If you use our website, we automatically collect the following information:
Where we collect information about you in the ways described above, we do so on the basis that it is in our legitimate interests to collect and process this data. In most situations this will be anonymised, but we collect and process this data to ensure that our site is functioning properly and that our customer experience is to the standard that you and we expect.
Our website may, from time to time, contain links to and from the websites of advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Information we receive from other sources
We may receive information about you if you use any other website we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them, in particular where you purchase any of our products or services through such third parties. In addition, we may receive information about you from third parties who provide it to us (e.g. your employer, our customers and law enforcement authorities).
When we receive information from other sources, we rely on them having the appropriate provisions in place telling you how they collect data and who they may share it with. We carefully check our sources to ensure that we only receive your information when it is lawful for us to do so.
We employ CCTV and audio recording to capture, record and monitor what takes place at our offices, at our car parks and on our vehicles in order to help provide a safe environment for our employees and customers, and to prevent, deter and detect crime.
For further information on CCTV and retention periods, please contact us using the details provided in section 13 below.
If you upload images to our website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
This section explains how we will use personal data you provide to us in order to carry out the activities relevant to the provision of our services to you.
We must have a legal basis for processing your personal data. We consider that we have a legal basis where:
Where we process your personal data on the basis of our legitimate interests, these are our (or our third party’s) interests in providing our services to you in an efficient and secure manner.
We have set out below a list of all the ways we may use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.
In some cases we may use more than one legal basis for processing your personal data; this will depend on the specific purpose for which we are using your personal data. Please contact us if you have any queries about the specific legal basis that we rely on for processing your personal data.
|What we use your personal data for (purpose)||Type of data||Legal basis for processing (including basis of legitimate interest)|
|To register you as a new customer||(a) Identity
|Performance of a contract with you|
|To carry out our obligations arising from any contracts entered into between you and us, including:
(a) managing payments, paying refunds or compensation, fees and charges;
(b) collecting and recovering money owed to us;
(c) running fraud checks if we have reasonable suspicions;
(d) providing you with necessary information, products and services including, but not limited to, contacting you about a journey you have booked with us
(f) Marketing and Communications
|(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us, to pay refunds or compensation owed to you, and to prevent us from facilitating fraud)
|To respond to your enquiries or to process your requests in relation to your information.||(a) Identity
|Performance of a contract with you|
|To maintain a suppression list should you opt out of receiving communications||(a) Identity||Necessary for our legitimate interests (to ensure that we are not at risk of breaching data protection laws by communicating with you where you have asked us not to)|
|To manage our relationship with you, which will include:
(b) asking you to leave a review, take a survey or participate in market research;
(c) maintaining a record of our interactions with you when you contact us
(d) Marketing and Communications
|(a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to evidence our customer interactions and improve the services we offer to our customers)
|To help provide a safe environment for our employees and customers; to reduce the number of assaults on our employees during revenue enforcement duties; and to improve the quality of evidence available for submission to the authorities||(a) Identity||(a) Necessary for our legitimate interests (to protect employee and customer safety and assist with the verification of claim)|
|To enable you to partake in a prize draw, enter a competition or complete a survey||(a) Identity
(e) Marketing and Communications
|(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
|To administer and protect our business and our website (including training our employees, troubleshooting, data analysis, testing, system maintenance, security audits, support, reporting and hosting of data)||(a) Identity
|(a) Necessary for our legitimate interest (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
(c) Performance of a contract with you
|To conduct health and safety assessments and record keeping, and compliance with related legal obligations||(a) Identity
|(a) Necessary for our legitimate interest (in providing a safe and secure environment at our premises)
(b) Necessary for compliance with a legal obligation
(c) Necessary to protect the vital interests of any individual
|To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you||(a) Identity
(e) Marketing and Communications
|Necessary for our legitimate interest (to study how you use our products/services, to develop them, to grow our business and to inform our marketing strategy)|
|To use data analytics to improve our website, products/services, marketing, customer relationships and experiences||(a) Technical
|Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)|
|To make suggestions and recommendations to you about goods or services that we feel may interest you||(a) Identity
(f) Marketing and Communications
|Necessary for our legitimate interest (to develop our products/services and grow our business)|
|To establish, exercise and defend our legal rights||(a) Identity
(i) Marketing and Communications
|(a) Necessary for compliance with a legal obligation
(b) Necessary for our legitimate interest (for the purpose of establishing, exercising or defending our legal rights)
This section is to explain how we will ensure that you only receive communications that you wish to receive.
We can only use your personal information to send you marketing messages if we have either your consent or a ‘legitimate interest’. A ‘legitimate interest’ is when we have a business or commercial reason to use your information. It must not unfairly go against what is right and best for you.
The personal data we have for you is made up of what you tell us and the data we collect about you when you use our services, or data provided to us from third parties we work with. We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.
If you have provided your consent to receive marketing communications from us and you change your mind, you can change your preferences and unsubscribe at any time by unsubscribing from the relevant communication channel or contacting us using our contact page form. If you choose not to receive this information we will be unable to keep you informed of new products, services and promotions that may interest you.
Whatever you choose, you’ll still receive booking confirmations and other important information, for example service updates.
As detailed in the table in section 5, we may send you communications such as service updates (e.g. information on service disruption) or provide customer satisfaction surveys. We consider that we can lawfully send these communications to you as we have a legitimate interest to do so, namely to effectively provide you with the best service we can and to grow our business.
This section is to explain who, within Darwin, will have access to your data.
We take your privacy seriously and have implemented appropriate physical, technical and organisational security measures designed to secure your personal data against accidental loss, destruction or damage and unauthorised access, use, alteration or disclosure.
We may share your personal data with you, and, where appropriate, your family, your associates and your representatives.
We may share your personal data with any member of our group, which means our subsidiaries, our ultimate holding company (Enterprise IT Consulting Limited) and its subsidiaries as defined in section 1159 of the UK Companies Act 2006.
We may disclose your personal data to the police or any other law enforcement agency or court to the extent necessary for purposes including preventing, investigating, detecting and prosecuting criminal offences; preventing threats to public security in accordance with applicable law; or validating a claim.
We may share your personal data with the following third parties who assist us with administering the provision of our services to you:
We may also pass Aggregated Data on the usage of our site to third parties (e.g. we might disclose the median age of visitors to our site, or the numbers of visitors to our site who come from different geographic areas), but this will not include information that can be used to identify you personally.
When visitors to our website, web app, mobile app or social media leave comments, we may collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. These comments may be checked through an automated spam detection service.
If a business transfer or change of business ownership takes place or is envisaged, we may transfer your personal data to the new owner (or a prospective new owner). If this happens, you will be informed of this transfer.
This section explains how we keep your personal data safe and where it will be held.
We take your privacy seriously and are committed to maintaining the privacy and security of the personal data you provide to us, and the choices you have regarding our collection and use of your personal data.
Once we have received your personal data, we follow strict security procedures as to how your personal data is stored and used, and who sees it, to help stop any unauthorised access.
Any payment transactions will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. You should not share this information with anyone.
We use a wide range of Cloud Service Providers (CSPs) as part of our processing environment. Unless we specifically state otherwise, we are, in respect of all these CSPs, the data controller.
The information that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom. When we transfer and store your personal data outside the UK, we will ensure that it is adequately protected by using appropriate safeguards as further detailed below.
Staff operating outside the UK who work for us, or one of our suppliers, may process the information. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services.
Where your personal data is transferred from the UK to a recipient outside the UK in a country not recognised by the UK as providing an adequate level of protection for personal data, such transfer shall be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for personal data including but not limited to Standard Contractual Clauses (the agreement in the form annexed to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries, which can be found here).
Unfortunately, the transmission of your personal data via the internet is not completely secure and, although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us over the internet. You acknowledge that any transmission is at your own risk.
This section explains the length of time that we will retain your personal data.
We will keep your personal data for no longer than is necessary for the purposes for which it was obtained. The criteria for determining the duration for which we will retain your personal data are as follows:
During the periods in paragraphs (2)a and (2)b above, we will restrict our processing of your personal data to the storage of, and maintaining the security of, those data, except to the extent that those data need to be reviewed in connection with any legal claim or obligation under applicable law.
After this period your personal data will be anonymised so that you are no longer identified or identifiable from such information, or securely deleted/destroyed.
Any third parties that we engage will keep your data stored on their systems for as long as is necessary to provide the relevant services to you or us. If we end our relationship with any third-party providers, we will make sure that they securely delete your personal data or return your personal data to us.
The retention periods for CCTV vary depending on the location and system in use. Such periods tend not to exceed 30 days and will always be reasonable or as long as is required by law. For more information, please contact us.
We may retain personal data about you for statistical purposes (for example, to help us better advertise our services). Where data is retained for statistical purposes it will always be anonymised, meaning that you will not be identifiable from that data.
On our website, web apps, mobile apps and social media, if you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
This section explains that you have a number of rights in relation to your personal data. There are circumstances in which your rights may not apply.
As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please contact us. Your rights are as follows:
The right to be informed
The right of access
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requester, we will provide access to the personal data we hold about you as well as the following information:
If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasion unreasonable expense (which you may have to meet), we will inform you.
The right to rectification
When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing (below) to make sure that incorrect/incomplete information is not processed until it is corrected.
The right to erasure (the ‘right to be forgotten’)
Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.
The right to restrict processing
You may ask us to stop processing your personal data. We will still hold the data, but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies, you may exercise the right to restrict processing:
The right to data portability
You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, if the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
The right to object
You have the right to object to our processing of your data where any of the following apply:
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal or security purposes.
You also have the right to make a complaint to the Information Commissioner’s Office if you are unhappy with how we have handled your personal data.
In summary, you have the right to request that we:
For more information on your rights and how to use them, or if you would like to make any of the requests set out above, please contact us.
We will respond to all such requests within the time period required by law. Occasionally it may take us longer, if your request is particularly complex, you have made a number of requests or you have not supplied the information we need to respond to you. In this case, we will notify you and keep you updated.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
As explained in the section on Communications above (section 6), even if you consented to the processing of your personal data for marketing purposes (by ticking the relevant box or by requesting information about services), you have the right to ask us to stop processing your personal data for such purposes. You can exercise this right at any time by unsubscribing from the relevant communication channel or by contacting us using our contact page form.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select ‘Remember Me’, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after one day.
If you have any questions or concerns about how we handle your personal data, you can contact us using the following methods:
Post: Data Protection Enquiries, Darwin Innovation Group, Harwell Science Campus, R70, Fermi Avenue, OX11 0QX
Email: Use our website contact page form
If you are unsatisfied with our response to any data protection issues you raise with us, you have the right to make a complaint to the Information Commissioner’s Office (ICO). The ICO is the authority in the UK regulating the protection of personal data and privacy.