1.1 This is the Privacy Notice of the relevant company in contract or otherwise engaged with you (“we”, “us” or “our”), as listed in the annual report:https://www.rentokil-initial.com/investors/annual-reports.aspx.
The company, which is the data controller, is a subsidiary of Rentokil Initial 1927 plc whose registered office is at Compass House, Manor Royal, Crawley, West Sussex, RH10 9PY. This Notice sets out how we collect and process your personal data and also provides certain information that is legally required and lists your rights in relation to your personal data.
1.2 This Privacy Notice relates to personal information that identifies “you” where you are a customer or potential customer, an individual who browses our website or an individual outside our organisation with whom we interact. This Privacy Notice also relates to the processing of personal data of non-executive directors. If you are a shareholder, an employee, supplier or otherwise engaged in work for us or applying to work for us, a separate privacy notice or data processing agreement applies to you instead.
1.3 We refer to this information throughout this Privacy Notice as “personal data” and section 3 sets out further detail of what this includes.
1.4 Please read this Privacy Notice to understand how we may use your personal data.
1.5 This Privacy Notice may vary from time to time so please check it regularly.
2.1 Data controller and contact details
2.1.1 For the purposes of relevant data protection legislation, we are a controller of your personal data and as a controller we use the personal data we hold about you in accordance with this Privacy Notice. See section 11 for further details about the data protection legislation that may apply to you.
2.1.2 If you need to contact us in connection with our processing of your personal data, you can contact us in the following ways:
(a) via your local customer services centre or account manager, details of which you will find on your contract with us or on our website; or
(b) via your Country Local Privacy officer see the list here; and
(c) you can contact the Data Protection Officer directly using the details at paragraph 2.2 of this notice.
2.2 Data Protection Officer
You can contact our Data Protection Officer:
(a) by email at: dpo@rentokil-initial.com;
(b) by post to: Data Protection Officer, Rentokil Initial 1927 plc, Compass House, Manor Royal, Crawley, West Sussex RH10 9PY.
3.1 Personal data is any data which enables us to identify you, either directly or indirectly, such as your name, address, telephone number, email address or the IP address of your computer.
3.2 The categories and types of personal data about you that we may collect are:
3.2.1 when you make an enquiry with us, visit our premises or visit our website:
(a) personal data, such as your name, address and telephone number, you provide or that is recorded when you write to us, visit us, email or call us;
(b) personal data that you enter via our website or portal such as MyRentokil or MyInitial, including the contact details you supply when establishing a profile on our website;
(c) personal data gathered using cookies; see here for more information on what information we collect and how we use cookies: https://www.rentokil-initial.com/site-services/cookie-and-privacy-policy/cookie-policy.aspx;
(d) details of your visits to our website including but not limited to traffic data, location data, weblogs and other communication data; and
(e) CCTV or other equivalent technology may capture images of you and/or your vehicle when visiting our premises.
3.2.2 in relation to the services we provide:
(a) personal data that you provide in the course of instructing us to carry out the services requested from us, such as your name, address, telephone number and email details;
(b) personal data that, in the case of a business relationship, your employer provides about you in the course of instructing us to carry out the services requested from us, such as your name and contact details as a representative of the business;
(c) personal data, such as your name and financial position, from credit reference agencies;
(d) personal data from tracing agents in the event you fail to pay any invoice by the due date and we are unable to locate you using the contact details you have provided us with;
(e) personal data in the form of images or video footage that is taken at one of our locations or at your location if required for us to effectively carry out or assess and report on the services you have requested from us;
(f) personal data you provide if you complete customer care surveys from us.
3.2.3 in order to develop, personalise or promote our products and services:
(a) personal data obtained directly from you, such as your name and contact details and preferences relating to particular services and / or products;
(b) personal data, such as contact details, your interests and preferences and professional activity obtained from public or social media sources, such as LinkedIn, Facebook and Twitter;
(c) personal data gathered from data brokers who have sought your consent to share your personal data with us for the purposes of direct marketing, such as your name, postal and / or email address and professional activity;
(d) personal data you provide such as your name and email address, if you enter into a competition, promotion or prize draw;
(e) personal data gathered using cookies; see here for more information on what information we collect and how we use cookies: https://www.rentokil-initial.com/site-services/cookie-and-privacy-policy/cookie-policy.aspx;
(f) details of your visits to our websites including but not limited to traffic data, location data, weblogs and other communication data.
3.3 We may also create personal data about you if you, for example, contact us by telephone to make a complaint about our services or goods, then we may record key details of the conversation so that we can take steps to address the complaint. This may include obtaining data concerning health. Data concerning health is considered a “Special Category of Data” and this Privacy Notice specifically sets out how we may process these types of personal data at paragraph 4.1.2.
4.1 Where we are relying on a basis other than consent
4.1.1 We will only process your personal data using one or more of the following lawful bases permitted under applicable data protection legislation. The table below also sets out the linked purposes for which we may use your personal information.
Purposes for which we process your personal data | The basis on which we can do this (this is what the law allows) |
In order to perform our contractual obligations to you. This would include our fulfilling orders you have placed for goods or services. | The processing is necessary in connection with any contract that you may enter into with us. |
In order to comply with our own legal obligations, e.g. health and safety or tax legislation. | The processing is necessary for us to comply with the law. |
In order to use your personal data in life or death situations and there is no time to gain your consent (e.g. in the event of an accident and we have to give your personal details to medical personnel). | The processing is necessary in order to protect the vital interests of an individual. |
In order to operate our business, but otherwise than in performing our contractual obligations to you, for example:
|
We have a legitimate interest in carrying out the processing, which is not overridden by your interests, fundamental rights or freedoms.
This includes our legitimate interest in:
|
4.1.2 In addition, in a limited number of circumstances we may lawfully process Special Categories of Data in certain ways. We set these out below along with the legal bases on which we process these Special Categories of Data:
Purposes for which we process your personal data | The bases on which we can do this (this is what the law allows) | |
In order for us to respond to any claim or potential claim by you involving personal injury or a health issue.
|
We have a legitimate interest in carrying out the processing, which is not overridden by your interests, fundamental rights or freedoms. Our legitimate interest is:
|
The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
|
4.2 Where we rely on consent
4.2.1 We would like to use your personal data for a variety of different purposes. For some of these purposes it may be appropriate for us to obtain your prior consent. These circumstances are as follows:
(a) where, in the handling of a complaint, we collect Special Categories of Data relating to health;
(b) where we may process a child’s personal data, we will ask for evidence of the consent;
(c) where we would like to use photos or images taken of you in promotional materials;
(d) where we or our carefully selected third parties have new products and services which we think you will be interested in.
(e) where we sell your personal data to a third party or derive a ‘financial benefit’.
4.2.2 The legal basis of consent is only used by us in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way.
4.2.3 You may at any time withdraw the specific consent you give to process your personal data where we are relying on your consent. Please contact us using the contact details set out in section 2. Please note even if you withdraw consent for us to use your personal data for a particular purpose we may continue to rely on other bases to process your personal data for other purposes. We will tell you if this is the case.
5.1 We may disclose your personal data to:
5.1.1 our group companies and affiliates who may process data on our behalf to enable us to carry out or improve our usual business practices. Any such disclosure will only be so that we can process your personal data for the purposes set out in this Privacy Notice;
5.1.2 third party data processors to enable us to carry out or improve our usual business practices. You can find out more details about the third party processors we use in section 12. We have contracts in place with our data processors, which means that they cannot do anything with your personal information unless we have instructed them to do it and they must hold your data securely and retain it only for the period we instruct. Occasionally a third party data processor will still need your permission to process your personal data, such as certain types of third party cookies. See our Cookie Policy for more details.
5.1.3 legal and regulatory authorities who request your personal data or to report any potential or actual breach of applicable law or regulation;
5.1.4 external professional advisers such as accountants, auditors and lawyers, provided that they are under duties of confidentiality;
5.1.5 law enforcement agencies, courts or other relevant party, to the extent necessary for the establishment, exercise or defence of legal rights;
5.1.6 third parties where necessary for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
5.1.7 third parties which are considering or have decided to buy some or all of our assets or shares (including in the event of a reorganisation, dissolution or liquidation); and
5.1.8 third party data controllers operating plugins or content (such as Facebook, Twitter, Instagram, Demandbase) on our website or providing services which you choose to interact with (such as learning solutions by Fuse Universal Limited). In relation to these products and services you should familiarise yourself with the Privacy Notice of the relevant data controller for information about the scope of their data processing and implementation of your rights; and
5.1.9 credit reference agencies (for UK only we share your payment data with Credit Reference Agencies who will share your data with other organisations for the purpose of credit risk assessment. For more information see www.experian.co.uk/crain).
6.1 It is possible that personal data we collect from you may be transferred, stored and/or processed outside the country of origin such as those within the European Economic Area.
6.2 In connection with international transfers we ensure we apply the safeguards required by the country of origin such as:
6.2.1 using EU standard data protection contractual clauses between us and them; and/or
6.2.2 ensuring the recipient country has been deemed adequate for transfers by the applicable country of origin such as via a country ‘adequacy decision’ from the European Commission.
6.3 Transfer impact assessments are completed where the requirement is identified.
7.1 We will store your personal data for the time period which is appropriate in accordance with our data retention policy and using appropriate security measures. Please see section 13 to find our data retention periods that apply to you. The length of time set out in our retention policy is determined by one or more of the following criteria:
7.1.1 we are required to retain your personal data in order to comply with any legal requirements, such as under trade law, tax law or competition law;
7.1.2 where retention of your personal data is necessary to facilitate and support the original purpose for processing your personal data;
7.1.3 protection against any potential claims arising from the original purpose of processing; or
7.1.4 where we rely upon your consent to process your personal data and you continue to consent to the processing.
7.2 If you would like details about how long we hold your data, please contact us using the contact details set out in section 2.
7.3 We keep the length of time that we hold your personal data for under review. These reviews take place annually.
7.4 We endeavour to take technical and organisational security measures to protect your personal data against unintentional or unlawful deletion, alteration or loss, and against unauthorised disclosure or unauthorised access. Our employees are accordingly committed to secrecy and privacy.
7.5 Please note that data protection and security safeguards are not always observed by other persons or organisations outside our area of responsibility. We have no technical influence on this. You are advised to always be vigilant and take the necessary measures to safeguard your own personal data where we have no influence.
8.1 In certain circumstances the provision of personal data by you is a requirement:
8.1.1 to comply with the law or a contract; or
8.1.2 necessary to enter into a contract.
8.2 It is your choice as to whether you provide us with your personal data necessary to enter into a contract or as part of a contractual requirement. If however you do not provide your personal data then we may be unable to perform all or some of the services you expect under our contract with you. An example of this would be where we are unable to provide you with certain products or services as we do not have your full details, or where we cannot perform our contract with you because we rely on the personal data you provide in order to do so. Please see our terms and conditions for further details.
9.1 Subject to applicable law including relevant data protection laws, in addition to your ability to withdraw any consent you have given to our processing your personal data (see section 4.2.3), you may have a number of rights in connection with the processing of your personal data, including:
9.1.1 the right to request access to your personal data that we process or control;
9.1.2 the right to request rectification of any inaccuracies in your personal data or, taking into account the purposes of our processing, to request that incomplete data is completed;
9.1.3 the right to request, on legitimate grounds as specified in law:
(a) erasure of your personal data that we process or control; or
(b) restriction of processing of your personal data that we process or control;
9.1.4 the right to object, on legitimate grounds as specified in law, to the processing of your personal data;
9.1.5 the right to receive your personal data in a structured, commonly used, machine-readable format and to have your personal data transferred to another controller, to the extent applicable in law; and
9.1.6 the right to lodge complaints regarding the processing of your personal data with the Information Commissioner’s Office or other relevant supervisory body. Please see https://edpb.europa.eu/about-edpb/board/members_en for how to do this within the European Economic Area; and
9.1.7 – the right to opt out of the sale of your personal information.
If you would like to exercise any of the rights set out above, please click here or contact us using the contact details set out in section 2.
10.1 This Notice only sets out how we will collect and use your personal data. If you link to another website from our website, you should remember to read and understand that website’s Privacy Notice as well. We are not responsible for any use of your personal data that is made by unconnected third party websites.
11.1 This Notice sets out our global approach to data protection. We cannot list all applicable data protection legislation globally as it is changing constantly. The Notice is primarily based on the requirements of the General Data Protection Regulation ‘GDPR’.
11.2 If you believe that we are not addressing your privacy rights, then please contact us using the contact details set out in section 2. Further to contacting us, if you are still not satisfied with how we manage your personal data then you should contact your country data protection supervisory authority. See paragraph 9.1.6 about how to to do this within the European Economic Area and other linked country Authorities.
12.1 Your personal data will be shared with third party processors we use to help us with our business operations. We only use third party processors who comply with data protection standards and who implement appropriate security and privacy controls. Examples of the categories of third party data processors we use include but are not limited to the following:
(a) Credit Reference Agencies (for UK only we share your payment data with Credit Reference Agencies who will share your data with other organisations for the purpose of credit risk assessment. For more information see www.experian.co.uk/crain);
(b) Marketing Systems;
(c) Payment Processing Systems;
(d) Health and Safety Management Systems;
(e) Route Management Systems;
(f) Customer Communication Systems;
(g) Debt Management;
(h) Analytics and APIs (Application Programming Interfaces) tools provided by various companies (such as Google) to help with service delivery technology and functionality of websites.
13.1 Click here to view the retention periods for documents that contain information that applies to customers, suppliers, prospective customers, prospective employees, visitors to our premises and/or websites.
13.2 Rentokil Initial uses reasonable endeavours to ensure business operations do not retain documents for longer than the stated retention period, unless there are justifiable reasons for extending such as legal disputes.
13.3 Note that periods may vary in regions to reflect any country specific data retention requirements.
13.4 Employees can find additional details in the Document Retention Policy available on the Group intranet.
13.5 Further details can be obtained via the Data Privacy team at dpo@rentokil-initial.com.
14.1 We will automatically contact you with regard to your services, products or bill payments. We will contact you for feedback about our products and services; if you do not want to give us feedback then please let us know by opting out via your local customer service representative.
14.2 With your permission we will use your contact details to share with you information about other services, products, offers or other news that may be of interest to you.
14.3 Where we have permission to market to you, then from time to time, we may contact you by mail, telephone, email, and other electronic messaging services (such as text, voice, sound or image messages) with information about our products and services.
14.4 Managing your Marketing Preferences
14.4.1 If you would like to change your marketing preferences at any time you can do this in the following ways:
(a) Locate any email sent from us and click “Update Email Preferences” located at the footer of the email (you may still receive vital service emails that are related to your contract);
(b) Alternatively please contact your local branch and ask for the marketing team who can help you and provide information on what the different subscription types mean.
15.1 We apply Privacy by Design principles throughout our processing lifecycle. Controls are implemented to ensure that personal data processed is necessary for each specific purpose, subject to storage limitations and only made available to those who need it. We operate in accordance with a Privacy by Design and Default Policy based on the following principles:
- Being proactive and not just reactive by identifying and mitigating risks before they become an issue.
- The highest level of data protection should be the default setting.
- Privacy must be considered as early as the design stage and embedded into any associated processes.
- Use of privacy controls should not sacrifice usability, functionality or security.
- Personal information must be kept adequately protected at every stage – from design to deletion/anonymisation.
- The business seeks to be transparent about how personal data is used.
- The business wants users to trust our approach to managing personal data.