Privacy Policy

Simbec-Orion Group Limited (the ‘Company’) and its affiliates are aware of its obligations under the EU General Data Protection Regulation (EU GDPR), UK General Data Protection Regulation (UK GDPR) and domestic data protection legislation and are committed to processing your data securely and transparently. In this privacy notice whenever you see the words ‘We’, ‘Us’ or ‘Our’, it refers to the Company. This privacy notice sets out, in line with current data protection obligations, the types of data that we hold on when you visit our corporate website https://www.simbecorion.com/. It also sets out how we use that information, how long we keep it for and other relevant information about your data.

Data controller details

We are the data controller of your personal data, meaning that we determine the purpose and the way your personal data is used and processed. We are located at:

Simbec House,
Merthyr Tydfil Industrial Park,
Pentrebach, Merthyr Tydfil,
CF48 4DR,
United Kingdom

We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice, how we handle your personal data, or you want to exercise any GDPR rights, please contact the DPO. DPO contact details are as follows:

TechGDPR DPC GmbH
Prenzlauer Allee 53, 10405
Berlin, Germany

Email: dpo@simbecorion.com

If you have any questions regarding our privacy practices, please contact us at privacy@simbecorion.com

Data protection principles

In relation to your personal data, we will:

  • Process it fairly, lawfully and in a clear, transparent way
  • Collect your data only for reasons that we find proper for the course of your employment and/or the fulfilment of contractual obligations in ways that have been explained to you
  • Only process personal data that is relevant to the purposes we have told you about and limited only to those purposes
  • Ensure it is correct and up to date
  • Keep your data for only as long as we need it for the purposes we have told you about
  • Keep it secure

Types of data we process

Contact form/RFI/RFP

The following data points are collected from you when you submit a contact form: Full name, email, phone (optional), company (optional).

  • We will use this information to send you information or proposals regarding your requested service.
  • We won’t share this information with third-parties.
  • We will store this data for a period of 3 years from submission.

The applied legal basis under the GDPR for this processing is the performance of a contract, particularly
to take steps at the request prior to entering into a contract (GDPR Art. 6.1(b).

Enquiries via email

The following data points are collected from you when you leave your inquiry on information@simbecorion.com: name (optional), email address and content of the message.

  • We will use this information to reach out to you and help you with your inquiry. We can also use
    the content of your request to improve our products and services or analyse our marketing
    efficiency if it contains valuable information.
  • The applied legal basis for these activities is our legitimate interests (GDPR Art. 6.1.f)
  • We will store this information for a period of 3 years from the date it was received.

Newsletter Distribution

When you subscribe to our newsletter through the website, we collect your full name and email address.

  • We use this information to prepare, personalise (by including your name and your preferred
    services) and send our newsletter to you. Those newsletters contain information about new
    events, webinars, projects, initiatives, among others.
  • This processing takes place under the legal basis of consent (GDPR Art. 6.1.a).
  • We will store this information for as long as you don’t unsubscribe.

Cookies and similar technologies

A cookie is a small text file that is downloaded onto your device (e.g., a computer or smartphone) when
you access our website. It allows us to recognize your device and store some information about your
preferences or past actions.

View our cookie policy for more details

Social network pages

To promote our products and services, we maintain public pages on social networks, such as Facebook, Twitter, LinkedIn. We track the efficiency of those social network pages based on the user traffic data provided by the social network providers. The applied legal basis for these activities is our legitimate interests (GDPR Art. 6.1.f), for which we are joint-controllers with the social network providers.

If you would like to learn more about how to exercise your rights on social networks pages, do not hesitate to contact us or the social network provider directly.

Job applications

Our website offers a page for anyone to apply for an open job position at the Company. For us to consider your application, we collect your First, Last Name and Email, Ethnic group, salary expectation, CV and covering letter.

We assess this information against the job requirements for our recruitment purposes only. The applied legal basis for this activity is our legitimate interests, GDPR Art. 6.1.f.

We will store CVs and related job data for a period of 1½ years. Notwithstanding the foregoing, if we keep such information for a longer period of time, we will ask for your consent.

Your personal data will be shared with colleagues within the Company where it is necessary for them to undertake their duties and where this is reasonably necessary for the processing purposes set out above. This includes, for example, your line manager for their management of you and the HR department for recruiting purposes.

From time to time we will need to share your information with external people and organisations. We will only do so where we have a legitimate or legal basis for doing so and in compliance with our obligations under data protection laws.

We share your personal data with third parties in order to obtain references and health screening, where permitted.

Sharing your data with third parties

We may involve third parties to provide our services. These include cloud hosting, email notification providers, technical support ticket providers, CRM platforms, analytics services, and logistics partners. These third parties process personal data based on our instructions only, and we ensure these companies apply the appropriate level of protection to your personal data.

Personal data security

Our team is located within the European Union, UK and U.S. Additionally, personal data is stored on servers that are located in the EEA, UK and U.S. We have implemented appropriate technical and organisational measures to ensure the adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. For international transfers of personal data, we implement appropriate safeguards (e.g., EU and UK Standard Contractual Clauses) as required by the EU and UK GDPR. To learn more about transfer mechanisms implemented please contact us by email.

To ensure safety our services are encrypted with SSL technology; operational rules for the collection, storage and processing of personal data, including physical security measures, are updated on an ongoing basis; only our employees, as well as our service providers that need access to personal data to perform their duties, are granted access to personal data. All staff members are subject to confidentiality obligations; most transfers of data outside the Company’s systems are encrypted.

Sharing your data outside of the EEA

If you are employed in an operational role, we may need to share your personal data with bodies outside of the European Economic Area (‘EEA’). This will be because your personal data is included in bid defence documents and trial master files. The type of personal data shared in this situation will be limited to names, photos, professional registration numbers (for medical staff only), educational establishments attended and names of previous employers.

If we do transfer your personal data outside the EEA, we will use one of these safeguards to make sure it is protected:

  • We will only transfer it to a non-EEA country which the European Commission or the UK Secretary of State (as the case may be) has decided has an adequate level of protection for personal data. You can find more about such countries here https://ec.europa.eu/info/law/lawtopic/data-protection_en; or
  • We will put a written contract in place between us and the recipient that incorporates EC model clauses relating to the transfer of personal data outside the EEA issued by the European Commission or the standard contractual clauses for the transfer of personal data to processors in third countries, issued by the UK Information Commissioner’s Office (“ICO”) as varied, supplemented, amended or replaced by the ICO from time to time.
  • If none of the above situations apply, we will not transfer your personal data unless you have given your express consent to the proposed transfer, after having been informed of the possible risks.

Automated decision making

No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

Your rights in relation to your data

The law on data protection gives you certain rights in relation to the personal data we hold on you. These are:

  • The right to be informed. This means that we must tell you how we use your personal data, and this is the purpose of this privacy notice
  • The right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request.
  • The right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it
  • The right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it
  • The right to restrict the processing of the data. When you contest the accuracy of your information, believe we process it unlawfully or want to object against the processing, you have the right to temporarily stop the processing of your information to check if the processing was consistent. In this case, we will stop processing your data (other than storing it) until we are able to provide you with evidence of its lawful processing;
  • The right to portability. In certain circumstances, you may have the right to require that we provide you with an electronic copy of your personal information either for your own use or so that you can share it with another organisation. Where this right applies, you can ask us, where feasible, to transmit your personal data directly to the other party.
  • The right to object to processing of your personal data. You have the right to object to the way we use your
  • The right to regulate any automated decision-making and profiling of personal data. You have aright not to be subject to automated decision making in a way that adversely affects your legal rights.

Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact us at privacy@simbecorion.com or contact our DPO dpo@simbecorion.com

Making a complaint

If you believe that our use of personal information violates your rights, or if you are dissatisfied with a response you received to a request you formulated to us, you have the right to lodge a complaint with the competent data protection authority of your choice.

Available authorities in Europe can be found here:

https://edpb.europa.eu/about-edpb/board/members_en

The supervisory authority in the UK for data protection matters is the Information Commissioner’s Office (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO at:

ICO
icocasework@ico.org.uk
Telephone: 0303 123 1113
Textphone: 01625 545860
Monday to Friday, 9am to 4:30pm

Additionally, we are registered with the French Data Protection Authority (CNIL), which can be contacted at:

Commission Nationale de l’Informatique et des Libertés
3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
France
Telephone +33 (0)1.53.73.22.22
Monday to Friday from 1000h to 1200h and from 1400h to 1600h.

If the personal data for which deletion is requested must be kept due to legal provisions on accounting, we will inform you about the existence of such limitations and clarify the procedure for deletion.