ARCA GDPR Privacy & Cookies Policy

Updated for UK GDPR and PECR

Last updated: March 2026  |  Previous version: August 2018

1. Introduction

Asbestos Removal Contractors Association Limited ("ARCA", "we", "us", "our") is committed to protecting and respecting your privacy.

This policy applies to ARCA, Asbestos Testing and Consultancy (ATaC), and all associated websites:

•       www.arca.org.uk

•       www.atac.org.uk

•       www.arca.ie

•       asbestoselearning.uk

This Privacy and Cookie Policy explains how we collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

ARCA Ltd Unit 1 Stretton Business Park 2 Brunel Drive Stretton Burton upon Trent Staffordshire DE13 0BY

Email: info@arca.org.uk

ICO Registration Number: Z9332145

We have assessed our processing activities and determined that we are not required to appoint a Data Protection Officer under Article 37 of the UK GDPR. Our processing does not involve large-scale systematic monitoring of individuals, nor do we process special category data on a large scale as a core activity. Responsibility for data protection compliance sits with senior management. If this changes, this policy will be updated accordingly.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

•       Identity data (name, date of birth)

•       Contact data (address, email address, telephone number)

•       Employment and qualification data

•       National Insurance number (where required for certification or regulatory purposes)

•       Photographs (for ID or certification purposes)

•       Transaction data

•       Technical data (IP address, browser type, usage data)

•       Audio and video recordings (for example, training sessions, assessments, and meetings)

We only collect data that is necessary for the purposes set out in this policy.

4. How We Collect Your Data

We collect personal data through:

•       Membership applications

•       Training course and qualification bookings

•       Qualification assessments

•       Meetings (including recorded meetings where applicable)

•       Website forms and account registration

•       Direct communications (email, telephone, post)

•       Publicly available sources where relevant to our services

5. Purposes and Legal Bases for Processing

We process your personal data under the following legal bases:

Contract (Article 6(1)(b))

•       To administer membership

•       To deliver training, qualifications, and certifications

•       To fulfil contractual obligations

Legal Obligation (Article 6(1)(c))

•       To comply with regulatory and legal requirements

•       Fraud prevention and audit requirements

Legitimate Interests (Article 6(1)(f))

•       To manage and improve our services

•       To maintain records of qualifications and membership

•       To ensure security and prevent misuse

We carry out a balancing assessment before relying on legitimate interests to ensure that our interests do not override your fundamental rights and freedoms. In each case, we consider: the nature of our interest, the impact on you, and any safeguards we have in place. Where our legitimate interest is to maintain qualification records, for example, we consider this proportionate given the regulatory environment in which ARCA operates.

Consent (Article 6(1)(a))

•       To send marketing communications

•       For non-essential cookies

Where we rely on consent, you may withdraw it at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal. To withdraw consent, contact info@arca.org.uk or use the unsubscribe link in any marketing email.

6. Special Category Data

We do not routinely process special category data as defined under Article 9 of the UK GDPR. National Insurance numbers, which we collect for certification purposes, are not classified as special category data but are treated with a higher level of care given their sensitivity. Where special category data is processed in future, we will identify an appropriate Article 9 condition, apply additional safeguards, and update this policy accordingly.

7. Data Sharing

We may share your personal data with:

•       Service providers acting as data processors on our behalf

•       Awarding organisations (for certification purposes)

•       Technology providers supporting smartcard systems, including Reference Point Limited and Custom Card Services International Limited

•       Regulators and law enforcement where required by law

All third parties are required to respect the security of your personal data and to process it only in accordance with our instructions and applicable law.

We do not sell your data or share it for third-party marketing purposes without your explicit consent.

AMI Smartcards

•       Reference Point Limited acts as a data processor for our smartcard ecosystem, keeping a log of online card transactions for support and statistical purposes.

•       When your card is read electronically via CSCS Smart Check, a copy of your card data is recorded along with the time and location where available.

•       Custom Card Services International Limited processes your data for the purpose of printing and encoding physical cards.

•       Card data may be shared with other systems where the user complies with applicable data protection rules.

8. International Transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place. We do not rely on the EU-US Privacy Shield, which was invalidated by the Schrems II ruling. Instead, we use the following mechanisms:

•       UK International Data Transfer Agreement (IDTA)

•       UK Addendum to Standard Contractual Clauses (SCCs)

•       Transfers to countries covered by UK adequacy regulations

Where third-party service providers such as email or messaging platforms process data outside the UK, we ensure they are subject to one of the above safeguards before any transfer takes place.

9. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, taking into account legal obligations, regulatory requirements, and industry standards. Our retention periods are:

•       Membership data: for the duration of membership, plus up to 6 years after membership ends (to meet contractual limitation periods under the Limitation Act 1980)

•       Training and qualification data: 3 years after the training or qualification has been completed

•       AMI Smartcard data: for the duration of card validity, plus 3 years thereafter

•       Marketing data: until consent is withdrawn or an unsubscribe request is received

•       Audio and video recordings: deleted once meeting minutes are accepted as a true record, or once the training or assessment purpose has been fulfilled

Where data is retained beyond the initial purpose, we will ensure appropriate safeguards are applied and records maintained.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:

•       Access controls and user authentication

•       Secure, password-protected storage systems

•       Encryption where appropriate and practicable

•       Regular staff training on data protection obligations

•       Data minimisation practices to limit collection to what is necessary

Whilst we take all reasonable steps to protect your data, the transmission of information over the internet cannot be guaranteed to be completely secure. Any transmission is at your own risk.

11. Automated Decision-Making

Some of our smartcard systems involve automated processing. For example, data on your AMI Smartcard may be used to determine automatically whether you hold the required qualifications to access a particular site. This constitutes automated decision-making under Article 22 of the UK GDPR where it produces a legal or similarly significant effect.

You have the right to:

•       Request human review of an automated decision

•       Contest a decision made by automated means

•       Express your view to us regarding the decision

To exercise these rights, contact info@arca.org.uk.

12. Your Rights

Under the UK GDPR, you have the following rights:

•       The right to access your personal data

•       The right to correct inaccurate or incomplete data

•       The right to request erasure of your data

•       The right to restrict processing in certain circumstances

•       The right to object to processing based on legitimate interests

•       The right to data portability

•       The right to withdraw consent at any time (without affecting the lawfulness of prior processing)

To exercise any of these rights, please contact: info@arca.org.uk

13. Complaints

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been processed unlawfully:

Information Commissioner's Office https://www.ico.org.uk Telephone: 0303 123 1113

14. Consequences of Not Providing Data

Where personal data is required to enter into a contract with us, failure to provide it may mean we are unable to deliver the relevant service. We will make clear at the point of collection whether provision of data is mandatory or optional.

15. Cookies

We use cookies in accordance with the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR.

Types of cookies we use

•       Strictly necessary cookies: required for the website and member login to function. These do not require your consent.

•       Analytics cookies: used to understand how visitors use our sites, helping us improve performance. These are only set with your consent.

•       Functional cookies: used to remember your preferences and settings. These are only set with your consent.

Your cookie choices

We do not rely on implied consent for non-essential cookies. When you first visit our sites, a cookie banner will be displayed offering you the choice to accept, reject, or set your preferences for each category of cookie. Non-essential cookies will only be set after you provide explicit consent via this banner.

You can manage or withdraw your cookie preferences at any time using our cookie settings tool. You can also delete or block cookies through your browser settings, though this may affect your ability to use certain parts of our sites.

16. Changes to This Policy

We may update this policy from time to time to reflect changes in law, technology, or our services. Updates will be posted on our website with a revised "last updated" date. Where changes are material, we will notify you by email where appropriate.

17. Contact

If you have any questions about this policy or how we handle your personal data, please contact:

Email: info@arca.org.uk

Post: ARCA Ltd, Unit 1 Stretton Business Park 2, Brunel Drive, Stretton, Burton upon Trent, Staffordshire, DE13 0BY

Privacy and Cookie Policy  |  Version 2  |  March 2026

Replaces policy effective 10 August 2018