This privacy notice was last updated on the 25th of May 2018
We will update this Notice from time to time and you should review it whenever you visit our website or before providing us with any personal data about yourself.
Who We Are
We are Rotacentral Limited, a company registered in England and Wales, referred to here as Rotacentral.
Rotacentral is a company providing rota management services to UK organisations. For the purpose of the General Data Protection Regulation (Regulation (EU) 2016/679) (“the GDPR”), Rotacentral is a data processor in respect of any personal data we collect. The data controller is the organisation whose rota you are a member of.
How We Collect Your Personal Data
We will only collect and use your personal data where we have legitimate business reasons to do so. We obtain personal data from one of our customer organisations.. This includes personal data provided to us in regard to the rota management service that we provide.
The Personal Data We Collect
We collect personal data in order to provide the best possible rota management service that we can. We only collect the data we need and we will ensure we have appropriate physical and technological security measures to protect your personal data.
For members of organisations using our services, we may collect some or all of the following information: name, title, email address, telephone numbers, and identifying membership number, and rota roles. We may also hold extra information regarding diary availability or similar information relevant to rota management that you or someone in your organisation has chosen to tell us and we have a good reason to hold it.
What we use your information for
Rotacentral collects and processes your personal data for legitimate rota management purposes including:
- selecting people for rota shifts based on how long it has been since they were last selected;
- sending you notifications of rota shifts by email
- managing availability and preferences relating to dates and times;
- sharing your rota dates and times to other organisations where that organisation has a legitimate interest in measuring rota attendance, for example to a partner organisation of one of our customer organisations;
- internal record-keeping;
- we may use the information to improve our services to you or;
- to fulfil contractual obligations with our customer organisations.
We may use your personal data for these purposes if we deem this to be necessary for our legitimate interests or for mutually beneficial legitimate interests. Our legitimate interests are explained a little further down this notice.
Sharing your personal data
Where appropriate and in accordance with local laws and requirements, we may share your personal data with:
- third party service providers who perform functions on our behalf (including external consultants, business associates and professional advisers such as lawyers, auditors and accountants, technical support functions and IT consultants carrying out testing and development work on our business technology systems);
- third party outsourced IT and document storage providers where we have an appropriate processing agreement (or similar protections) in place;
- marketing technology platforms and suppliers;
- third party organisations affiliated to one of our customer organisations where the third party organisation has a legitimate interest in measuring rota attendance, and with the agreement of our customer organisation.
If RotaCentral acquires, merges with or is acquired by another business or company in the future, (or is in meaningful discussions about such a possibility) we may share your personal data with the other business or company.
You have individual rights under the GDPR. You can exercise any of these rights by contacting us using our contact details at the end of this notice or by any other means. Your rights are listed and explained below. You have:
The right to be informed – you have the right to be informed of what we do with your data. The detail of what we do is in this privacy notice.
The right of access – you have the right to ask us to confirm what information we hold about you. You can exercise this right by submitting a Data Subject Access Request. We may ask you to verify your identity and for more information about your request. We will respond to any request to access your data within one month.
The right to rectification – you have the right to update your data if you think it’s incorrect. We may ask you to verify your identity and for more information about your request.
The right to erasure – You have the right to have your personal data deleted (right to be forgotten). We will make every reasonable effort to remove your personal data however this may not always be possible if we need to retain your data for purposes of billing or if there are legal requirements for us to keep your data. We may ask you to verify your identity and for more information about your request. We will respond to any request to delete your data within one month and let you know the outcome of your request.
The right to restrict processing – you have the right to ask us to stop processing your data. Where consent has been given to process your data, you can withdraw that consent at any time by contacting us using the details at the bottom of this notice. You can raise any concerns to the processing or use of your personal data by us either to us or to the appropriate data protection authority.
The right to data portability – you have the right to have the personal data you have given us transferred to another company and we will make every reasonable effort to comply with your request.
The right to object – you have the right to object to us processing your personal data where we do so under legitimate interests or to enable us to perform a task in the public interest or exercise official authority or to send you direct marketing materials or for scientific, historical, research or statistical purposes. The “legitimate interests” and “direct marketing” categories above are the ones most likely to apply to our Candidates, Clients and Suppliers. If your objection relates to us processing your personal data because we deem it necessary for your legitimate interests, we must act on your objection by ceasing the activity in question unless we can show that we have compelling legitimate grounds for processing which overrides your interests or we are processing your data for the establishment, exercise or defence of a legal claim.
Rights in relation to automated decision making and profiling – Automated individual decision-making is a decision made by automated means without any human involvement like a recruitment aptitude test which uses pre-programmed algorithms and criteria. Rotacentral does not use any automated decision making tools. Profiling is where we use the information we have on you to classify you into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. Rotacentral does not use any profiling techniques. However, if you think we are doing so you have the right to ask us to explain and to ask us to stop doing so.
Transfer of data outside the EU
Rotacentral makes use of a highly secure data centre owned by Amazon in order to provide hosting and infrastructure facilities for the Rotacentral.com website. This data centre is located in the United States. It has been established that there is an adequate level of protection and appropriate safeguards are in place to protect your data rights and freedoms. Your data will not be transferred to any other country outside the EEA for any purpose.
It is our policy to only keep records of your personal data for as long as required to allow us to effectively manage any rotas that you are a member of and to ensure that previous history of rota attendance can be considered in planning future rotas. Our retention records are currently as follows:
Rota attendance records will be kept for 4 years from the date of the shift.
Name and contact details will be kept for 4 years from the date of the most recent shift.
The GDPR states (in Article 6(1)(f)) that we can process your data where it is necessary for the purposes of the legitimate interests pursued by us except where such interests are overridden by your interests or fundamental rights or freedoms. Our legitimate interests explained – Rotacentral thinks it’s reasonable to expect that if you are a member of a voluntary or staff rota operated by an organisation that you are associated with that you are happy for us to use your personal data to contact you for a relevant reason such as notifying you of a rota shift. If you don’t want any further contact with us you can ask us to stop by contacting us using the details at the end of this Privacy Notice.
When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. We do not collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
You can use your browser settings to accept or reject new Cookies and to delete existing Cookies. You can also set your browser to notify you each time new Cookies are placed on your computer or other device. You can find more detailed information about how you can manage Cookies at the All About Cookies and Your Online Choices websites.
By using this website, you declare that you consent to the processing of data collected about you by Google in the manner described above, and for the purposes described above. You can counteract the saving and collection of data with a plugin for your browser, here.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect. Our services are all hosted from a datacentre within the United States which are ISO27001 certified.
To exercise any relevant rights, queries of complaints please contact us by email as at firstname.lastname@example.org.
Contact Your Local Supervisory Authority
If you wish to make a complaint then you can contact your local supervisory authority. If you are in the UK your local Supervisory Authority is the Information Commissioner’s Office (ICO) who can be contact in the following ways:
By Phone: +44 (0)303 123 1113
Information Commissioner’s Office
Other contact options can be found on the ICO website.
Supervisory Authorities for other countries can be found on the European Commissioners website.