WASTE FACILITIES AUDIT ASSOCIATION

Privacy Notice

1.1 At WFAA, we respect your privacy and commit to protecting your personal
data. This notice explains what we do with your personal data, why we want to
use it, how we protect it, and what rights you have to control our use of it.
1.2 It applies to use of our website and personal data that we process via other
interactions in the course of running our organisation, with individuals such as the
staff of our member group companies.
1.3 Our website and services are not intended for children and we do not knowingly
collect data relating to children.
1.4 WFAA is a membership organisation for businesses which generate waste.
1.5 We collect, use and are responsible for certain personal data about you and those
activities are regulated under the EC Regulation 2016/679 (General Data Protection
Regulation (“GDPR”), which applies across the European Union and UK GDPR and the
Data Protection Act 2018 which applies in the United Kingdom. We are responsible as
“data controller” of that personal information under the Data Protection 2018.
1.6 Our contact address is c/o Tempcon Instrumentation Limited, Unit 19, Ford Lane
Business Park, Ford Lane, Ford, nr Arundel, West Sussex BN18 0UZ.
1.7 Our mission is to assist members in obtaining authoritative information on UK, Irish
and European waste management facilities through commissioning and sharing
independent audits and providing information exchange between members through
provision of a discussion forum on our website, regular seminars, meetings and the
WFAA web site’s document management system.
1.8 If you want to contact us about this privacy notice, or generally about how we
protect your privacy, please email us at secretariat@wfaa.org.uk

2 The purpose and lawful basis for processing your personal data, how we
collect it and how long we hold it for:
2.1 Personal data, or personal information, means any information about an individual
from which that person can be identified. It does not include data where the identity
has been removed (anonymised data).
2.2 We use personal data from different categories of individual for several different
purposes and these each have a different lawful basis. This section describes these
in detail and, although it’s technical, we’re required by law to explain this to you.
2.3 (a) If you fill in a “contact us” form we will hold your name, contact details and any
other text you enter for the purpose of corresponding with you. We do this on the
basis that it is necessary for our legitimate interests in running our business.
(b) If you are an employee or contractor of a WFAA Member or if you are an
industry contact including, for example, a member of a professional body (such as
the Chartered Institute of Waste Management) or a consultant and materials
management expert or working in a field relevant to our mission, we may hold your
name, company, job title and contact details. We may have been provided with this
data by you or your employer or in some cases we may have sourced it from publicly
available sources, such as LinkedIn and internet searches. We need this data in
order to interact with you (or your employer) for the following purposes:
(i) Running and developing our business;
(ii) Communicating with an industry contact regarding industry events, news and
updates.
We do this on the basis that it is necessary for our legitimate interests in running and
growing our business. We will hold your details only for as long as we need to
interact with you for these purposes. In all cases if you would like us to update or
delete your information, just send us an email (see “How to contact us” below).
(c) If you are a supplier ,of goods or services to WFAA, or an employee, or
contractor of a supplier, we may hold your name and contact details because we
have a legitimate interest in doing business with your company. Our purpose for
processing your personal data is to interact with you or your employer to procure and
pay for goods and services. We will aim to hold this information only for as long as
we need to interact with you.
2.4 In some cases where we are required to collect personal data by law or under a
contract with you or your employer, if you fail to provide the personal data requested we
will not be able to perform the contract we have or are trying to enter into with you or
your employer.
2.5 Who we share your personal data with:
(a) We may share personal data with our suppliers of professional services. In all such
cases WFAA has entered into Data Privacy Agreements to protect your personal data in
accordance with GDPR.
(b) If you work for a customer, partner or supplier or are an industry contact we may hold
your name and contact details in email and contacts applications provided and hosted
by Microsoft (as our ‘data processor’). Microsoft will process any such personal data in
accordance with its privacy policy https://privacy.microsoft.com/en-GB/
(c) We may also have access, indirectly, to your contact details stored on our
accounting system, managed, on our behalf by our Sub-Processor, Tempcon
Instrumentation Limited which in turn uses Sage Group accounting software. Sage will
process any personal data in accordance with its Privacy Policy Privacy and Cookies |
Sage UK
2.6 We may also share your personal data with third parties in the following
circumstances:
(a) We will share personal information with law enforcement or other authorities (such as
tax authorities) if required by applicable law.
(b) We may share personal information with professional advisors such as lawyers,
accountants or auditors in order to provide legal, accounting or auditing services.
2.7 We will not sell or rent your information to third parties and we will never share your
information with third parties for marketing purposes

3 International transfers of personal data, and the measures in place to safeguard
personal data.
3.1 WFAA has entered into a Data Privacy Addendum (DPA) with its member
companies to ensure that personal data is processed and transferred in accordance with
GDPR ,UK GDPR and the Data Protection Act 2018. The DPA obliges member
companies to execute Standard Contractual Clauses (SCCs) which are mandated by the
European Commission. The UK Information Commissioner’s Office (ICO) has also
issued an “Approved Addendum” setting out amendments to the SCCs which apply in
the UK. The SCCs also include a Restricted Transfer Addendum (RTA) to cover
transfers of personal data to “Restricted” Countries which essentially means all countries
outside the European Economic Area (EEA) and a small number of countries which the
European Commission has determined on the basis of Article 45 of GDPR have
adequate data protection.
3.2 We do not directly transfer any of your personal data outside the European
Economic Area (EEA). However, an individual member company of WFAA may transfer
personal data to its parent company, subsidiary or affiliate outside the EEA if the
relevant member has put in place a RTA. The WFAA will also need an RTA to be in
force if an WFAA member is itself outside the EEA.

4 Your personal data rights
4.1 The personal data we hold about you is your data, so you have certain rights over
the data under the GDPR. This section summarises your rights and how you can
exercise them, generally free of charge.
4.2 You have the right to request a copy of all personal data we hold relating to you. You
also have the right to require us to correct any mistakes in the personal data we hold
relating to you.
4.3 Where we are processing your data based on your consent you can withdraw that
consent at any time and we must immediately stop processing your data. Please note
that up to that point, we’re acting lawfully with your consent, withdrawal of consent
cannot be backdated.
4.4 Where we process your data based on a “legitimate interest” (set out in the section
on “purpose and lawful basis”, above) you still have the right to object to our processing
of that data if you feel it impacts on your fundamental rights and freedoms. From the
point that you make your objection known to us, we must stop processing your data until
we have determined whether your rights override our interests.
4.5 In certain situations, you have the right to require us to erase personal data where
there is no good reason for us continuing to process it. However, note that we may not
always be able to comply with your request of erasure for specific legal reasons which
will be notified to you, if applicable, at the time of your request.
4.6 You have the right to request us to restrict our processing of your personal data.
This enables you to ask us to suspend the processing of your personal data in the
following scenarios:
(a) if you want us to establish the data’s accuracy;
(b) where our use of the data is unlawful, but you do not want us to erase it;
(c) where you need us to hold the data even if we no longer require it as you need it to
establish, exercise or defend legal claims; or
(d) where you have objected to our use of your data but we need to verify whether we
have overriding legitimate grounds to use it.
4.8 For further information on each of these rights, including the circumstances in which
they apply, see the Guidance from the ICO on individuals’ rights under the General Data
Protection Regulation.
4.9 If you would like to exercise any of these rights, the easiest way is by dropping us
an email (see “How to contact us” below). Please note:
(a) We may need to request specific information from you to help us confirm your identity
and ensure your right to access your personal data (or to exercise any of your other
rights). This is a security measure to ensure that personal data is not disclosed to any
person who has no right to receive it.
(b) We try to respond to all legitimate requests as soon as we can but note that it may
take us more time if your request is particularly complex or you have made a number of
requests. In this case, we will notify you and keep you updated.

5 Your rights to lodge a complaint with the Regulator
5.1 At all times, you have the right to report a concern or lodge a complaint with the ICO
at https://ico.org.uk/concerns/ or by calling them on 0303 123 1113. Of course, we hope
that we can resolve your issue quickly and fairly.

6 Automated processing of your personal data
6.1 We do not undertake any automated processing of personal data, or profiling.
6.2 Note that you have a right to object to any decisions being taken through the
processing of your personal data by automated means if they produce legal effects
concerning you or similarly significant effects on you. We do not use your personal data
in a way that makes such decisions.

7 Keeping your personal information secure
7.1 We have appropriate security measures in place to prevent personal information
from being accidentally lost or used or accessed in an unauthorised way. In addition, we
limit access to your personal data to those employees, contractors and other third
parties who have a business need to know. They will only process your personal data on
our instructions, and they are subject to a duty of confidentiality.
7.2 We also have procedures in place to deal with any suspected data security breach.
We will notify you and any applicable regulator of a suspected data security breach
where we are legally required to do so.

8 Other purposes for processing personal data
8.1 We don’t process your personal data for any other purpose than we’ve described
here. We won’t sell your personal data to other companies.

9 Changes to this privacy notice
9.1 This privacy notice was last updated on 1 April 2022 and before that on 10 July
2019 .
9 .2 We may change this privacy notice from time to time by amending this page.

How to contact us:
If you have any questions, concerns or just want some more information about our
privacy management, drop us a line at secretariat@wfaa.org.uk
WFAA GDPR Privacy Notice 1.4.2022