GDPR Privacy Notice
1. INTRODUCTION
1.1 Spirent Communications plc and its affiliates (we or us) are committed to protecting your personal information and respecting your privacy.
1.2 This Privacy Notice, together with any other documents referred to in it, sets out the basis on which any personal data that we collect from or about you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we treat it.
1.3 For the purpose of the General Data Protection Regulation, the data controller is Spirent Communications plc (company number 470893), whose registered office is at Spirent Communications plc, Origin One, 108 High Street, Crawley, West Sussex RH10 1BD, United Kingdom.
1.4 We may update this Privacy Notice from time to time. Any changes we make in the future will be posted on our website here. Please check back regularly to see any updates or changes to this Policy.
2. DATA PROTECTION LEAD
2.1 The contact details for our Data Protection Lead are:
2.1.1 Email: DataProtection@Spirent.com
2.1.2 Telephone: +44 (0) 1293 767676
2.1.3 Letter: Data Protection Lead, Spirent Communications plc, Origin One, 108 High Street, Crawley, West Sussex RH10 1BD, United Kingdom
2.2 It is the responsibility of the Data Protection Lead to keep our organisation and our staff informed and advised about their obligations to comply with data protection laws, to monitor compliance with those laws, to advise on data protection impact assessments, to train staff and conduct internal audits, and to be the first point of contact for supervisory authorities and for individuals whose personal data we are processing.
2.3 You can contact the Data Protection Lead if you have any questions or concerns about personal data and privacy matters, or about this Privacy Notice. Please include the words DATA PRIVACY REQUEST in the subject line of your email, or at the top of your letter.
3. PARTICULARS OF PROCESSING
3.1 We process personal data about Spirent’s stakeholders (by which we mean current and former employees and contractors, customers and potential customers, shareholders, and any other person who has contact with Spirent) in a range of ways, and for a range of purposes.
3.2 The other categories of person about whom we process personal data are described in more detail in the Particulars of Processing that are set out in the Schedules to this Privacy Notice. The specific Schedules are as follows:
3.2.1 Customer contacts and sales prospects;
3.2.2 Shareholders;
3.2.3 Suppliers; and
3.2.4 People whose data we receive from third parties.
3.3 It may be the case that you have contact with us in more than one capacity, so please look at all the Schedules that may apply to you if you wish to know more about how we process your personal data.
4. YOUR RIGHTS AS A DATA SUBJECT
4.1 This Section 4 sets out the rights that you have as a data subject, by reason of the General Data Protection Regulation.
4.2 You have the following rights:
4.2.1 The right to request access to the personal data that we hold about you;
4.2.2 The right to request rectification of the personal data that we hold about you;
4.2.3 The right to request erasure of the personal data that we hold about you;
4.2.4 The right to request restriction of processing about you;
4.2.5 The right to object to processing; and
4.2.6 The right to data portability.
You can find more details about the above rights by going to the ICO website which is at https://ico.org.uk/. If you wish to invoke any of the above rights, please notify our Data Protection Lead, using the contact details set out in Section 2 above. Please include the words DATA PRIVACY REQUEST in the subject line of your email, or at the top of your letter.
4.3 Where our processing of personal data is based on your having given consent, you have the right as a data subject to withdraw that consent at any time. If you wish to invoke this right, please notify our Data Protection Lead using the contact details set out in Section 2 above. Please include the words DATA PRIVACY REQUEST in the subject line of your email, or at the top of your letter.
4.4 You have the right to lodge a complaint with a supervisory authority. In the United Kingdom, the supervisory authority is the Office of the Information Commissioner, full contact details for which can be found at https://ico.org.uk/global/contact-us/
SCHEDULES
Schedule 1
Data subject category: personal data relating to customer contacts and sales prospects
Category of data subject | Customer contacts and sales prospects |
Categories of personal data that we process | Name, Company name, Job function, Email address, Phone number, Country |
Source of information | The personal data is collected either (a) directly from the data subject via an online form or (b) provided through a third party such as a trade show organiser or online media owner who has the consent of the data subject or other authority to share the relevant personal data with us. |
Purposes of the processing | The personal data is collected for marketing purposes, and for communicating with actual or prospective customers for Spirent solutions, products and services. |
Lawful basis of processing | The lawful basis of processing is that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for the purposes of receiving marketing communications from Spirent; (b) the processing is necessary for the purposes of the legitimate interests pursued by Spirent, including the conduct of direct marketing activities; and/or (c) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. |
Recipients of the personal data | We do not share personal data with other data controllers outside the Spirent group. However, we do engage third parties such as Marketo and Salesforce to process personal data for Spirent in connection with our marketing activities, under written contracts that comply with the controller-processor requirements mandated by applicable data protection law. |
Overseas transfers | Personal data that is processed by Marketo and Salesforce may be stored in Cloud services where the data centres are located outside the EEA. This will only be done where we are satisfied that our contractual arrangements include sufficient safeguards for the rights and freedoms of data subjects. |
Duration of processing | We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. The appropriate retention period for any given type of personal data depends on a range of factors, including the nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which it was collected, and the applicable legal requirements. |
Is the provision of this personal data a statutory or contractual requirement, or a requirement necessary to enter into a contract? If so, is the data subject obliged to provide the personal data in question? What are the possible consequences of failure to provide such data? | No. The personal data relating to customer staff will be needed for the purposes of the effective management of relationships with the customer as a business: it is not a pre-requisite of forming a contract with the data subject. |
Is there any automated decision-making done using the personal data (including profiling)? If so, (a) what logic is involved, and what are the significance and envisaged consequences of the processing for the data subject? | Spirent undertakes a limited amount of automated decision-making, in order to target our mailing activities according to the data subject’s answers to technology and solution questions, job role, company and regional information. None of this automated decision-making will result in decision-making that has legal or similarly significant effects on the data subject. |
Plans for further processing | None other than for the reason the data was collected. |
Schedule 2
Data subject category: shareholders
Category of data subject | Shareholders |
Categories of personal data that we process | Name, Address, Email address, Phone number, Country. Bank details are also required in order that dividend payments can be made directly to the shareholder’s account. |
Source of information | The personal data is collected directly from the data subject or via their broker or share dealing service when they purchase shares in Spirent. |
Purposes of the processing | The personal data is collected in order that Spirent can include the data subject on its share register, and send them information about their shareholdings, dividends, shareholder meetings and voting. |
Lawful basis of processing | The lawful basis of processing is that at least one of the following applies: (d) the data subject has given consent to the processing of his or her personal data for the purposes of receiving shareholder communications from Spirent; (e) the processing is necessary for the purposes of the legitimate interests pursued by Spirent; and/or (f) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. |
Recipients of the personal data | We do not share personal data with other data controllers outside the Spirent group. However, we do engage share registrars to process personal data for Spirent in connection with its shareholders, under written contracts that comply with the controller-processor requirements mandated by applicable data protection law. |
Overseas transfers | Personal data may be processed outside the EEA, subject to appropriate safeguards for the rights and freedoms of data subjects. |
Duration of processing | We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. The appropriate retention period for any given type of personal data depends on a range of factors, including the nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which it was collected, and the applicable legal requirements. |
Is the provision of this personal data a statutory or contractual requirement, or a requirement necessary to enter into a contract? If so, is the data subject obliged to provide the personal data in question? What are the possible consequences of failure to provide such data? | Yes. If we do not receive the required shareholder data, we will be unable to record the individual as a shareholder and consequently unable to perform our other obligations as a company to the relevant shareholder. |
Is there any automated decision-making done using the personal data (including profiling)? If so, (a) what logic is involved, and what are the significance and envisaged consequences of the processing for the data subject? | No. |
Plans for further processing | None other than for the reason the data was collected. |
Schedule 3
Data subject category: personal data relating to Suppliers
Category of data subject | Supplier staff, meaning the permanent, temporary or contract staff of organisations that provide goods or services to Spirent (including companies, partnerships, sole traders, independent contractors and freelance workers) (each a “Supplier”) |
Categories of personal data that we process | Contact details for Supplier staff including: Name, Company name, Job function, Email address, Phone number, Country. Bank details may also be required in order that Spirent can pay Suppliers for any goods and services they provide. However, this is not generally regarded as personal data (except in the case of sole traders using personal bank accounts). |
Source of information | The personal data is collected either (a) directly from the data subject during the course of our business dealings with the relevant Supplier or (b) from another contact within the relevant Supplier. If the relevant individual has accessed the Spirent website or clicked on a link in an email from Spirent, their personal data may also be collected automatically by means of website cookies. For more information about our use of cookies, please refer to our Cookie Policy which can be found on the Spirent.com website. |
Purposes of the processing | The personal data about Supplier staff is collected and used for the purposes of doing business with the relevant Supplier, to enable Spirent to communicate with them. |
Lawful basis of processing | The lawful basis of processing is that at least one of the following applies: (g) the data subject has given consent to the processing of his or her personal data for the purposes of communicating with Spirent on behalf of the Supplier; (h) the processing is necessary for the purposes of the legitimate interests pursued by Spirent, including the procurement of and payment for goods and services from Suppliers; and/or (i) in the case of sole traders and partnerships, the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. |
Recipients of the personal data | We do not share personal data with other data controllers outside the Spirent group. However, we may engage third parties to process personal data for Spirent in connection with our procurement activities, under written contracts that comply with the controller-processor requirements mandated by applicable data protection law. |
Overseas transfers | Personal data may be processed outside the EEA, subject to appropriate safeguards for the rights and freedoms of data subjects. |
Duration of processing | We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. The appropriate retention period for any given type of personal data depends on a range of factors, including the nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which it was collected, and the applicable legal requirements. |
Is the provision of this personal data a statutory or contractual requirement, or a requirement necessary to enter into a contract? If so, is the data subject obliged to provide the personal data in question? What are the possible consequences of failure to provide such data? | No. |
Is there any automated decision-making done using the personal data (including profiling)? If so, (a) what logic is involved, and what are the significance and envisaged consequences of the processing for the data subject? | No. |
Plans for further processing | None other than for the reason the data was collected. |
Schedule 4
Data subject category: people whose data we receive from third parties
Category of data subject | Individuals who are not themselves stakeholders in Spirent (such as current and former staff, customers, suppliers or shareholders of Spirent), but whose details we have been given for specific purposes such as being an emergency contact or providing employment references. |
Categories of personal data that we process | Basic contact details including: Name and address, Company name (if relevant), Job function (if relevant), Email address, Phone number, Country |
Source of information | The personal data is collected only where a member of Spirent staff or a job applicant has provided the relevant details. |
Purposes of the processing | Where personal data relates to emergency contacts, it will be used only for the purpose of contacting the data subject in the event of an accident or emergency affecting the individual concerned. Where personal data relates to referees, it will be used only to verify the employment history and experience, and the referee’s impressions of the individual concerned. |
Lawful basis of processing | The lawful basis of processing is that at least one of the following applies: (j) the processing is necessary for the purposes of the legitimate interests pursued by Spirent; (k) the processing is necessary for the performance of a contract with the data subject, or in order to take steps at the request of the data subject prior to entering into a contract; and/or (l) to help us to comply with legal obligations such as (in the case of emergency contacts) ensuring the safety of our staff. |
Recipients of the personal data | We do not share personal data with other data controllers outside the Spirent group. However, we may engage third parties to process personal data for Spirent in connection with our business activities, under written contracts that comply with the controller-processor requirements mandated by applicable data protection law. |
Overseas transfers | Personal data may be processed outside the EEA, subject to appropriate safeguards for the rights and freedoms of data subjects. |
Duration of processing | In the case of emergency contacts, the personal data will remain on file until it is updated by the relevant Spirent staff member. (Spirent staff are asked periodically to validate their emergency contact details.) In all other cases, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. The appropriate retention period for any given type of personal data depends on a range of factors, including the nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which it was collected, and the applicable legal requirements. |
Is the provision of this personal data a statutory or contractual requirement, or a requirement necessary to enter into a contract? If so, is the data subject obliged to provide the personal data in question? What are the possible consequences of failure to provide such data? | No. |
Is there any automated decision-making done using the personal data (including profiling)? If so, (a) what logic is involved, and what are the significance and envisaged consequences of the processing for the data subject? | No. |
Plans for further processing | None other than for the reason the data was collected. |