WorksOut Privacy Policy 2019

1.     Who we are

WorksOut (“us”, “we”, “our”) provides ergonomics advice, support, training and research to organisations and employees to help prevent and manage discomfort associated with work activities.

2.     Scope of Privacy Policy

This document informs you of our policies regarding the collection, use, storage, disposal and disclosure of any Personal Information in line with the General Data Protection Regulation (GDPR).

We use your personal information only for providing advice to you and your manager on the ergonomics issues of your work and workstation(s). By participating in an assessment you agree to the collection and use of information in accordance with this policy.

3.     What is GDPR?

“General Data Protection Regulation (GDPR) is, essentially, an upgraded version of the existing Data Protection Act legislation”

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

The GDPR sets out the principles for data management and the rights of the individual. The General Data Protection Regulation covers all companies that deal with data of EU citizens and came into effect across the EU on May 25, 2018.

4.     What personal information we hold

As an organisation, WorksOut holds minimal identifiable personal information. Under GDPR, personal information is defined as “any information relating to an identified or identifiable natural person.”

We hold the following information:

  • Names, company name, business email addresses, business addresses and business telephone numbers of our clients, suppliers and people who work with us.
  • For ergonomics assessment we may hold:
    • Data consisting of individuals’ names, job title, company, self-disclosed health condition and how it affects their ability to work, and body dimensions.
    • Photos or video of individuals at work.
    • On occasion, this data may include contact details such as work email address, work phone number and/or work address for the purposes of arranging a consultation visit.
    • We will only collect what is relevant and necessary for an assessment or the service you require.
  • WorksOut do not sell or broker any data.

5.     How we acquire this information

  • Organisations requiring assessments: Provided to us at the time of an enquiry or during the course of our work with them.
  • Individuals requiring assessment: Supplied to us either directly by the individual or (with their consent) via their manager, or an organisation that subcontracts work to us.
  • Suppliers: directly from our Suppliers.

6.     Legal basis for processing any personal data

We hold personal data as described above, to enable us to:

  • Conduct assessments for individuals who require our advice.
  • Conduct assessments, training or research for organisations who require our advice.

7.     Legitimate interests pursued by WorksOut

To provide ergonomics advice related to work activities.

8.     Consent

We understand that consent for us to hold personal data must be freely given, specific, informed and unambiguous.

We will ask individuals who will be assessed to sign a consent form, which will be kept with their assessment. Through signing a consent form you are consenting to WorksOut processing your personal data for the purposes outlined. You can withdraw consent at any time by using the postal or email address provided at the end of this Privacy Notice.

9.     Individual’s Rights

Under GDPR, we acknowledge the following rights of the individual, in respect of any personal data that we hold:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling.

10.    Data security

The security of your Personal Information is important to us, but no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

Our IT systems are monitored and backed up daily to a safe, confidential, encrypted virtual server, which is compliant with GDPR. All of our laptops have an activated encryption function in the event of theft/misuse.

11.    Data retention

We hold personal data for a minimum of 5 (five) years, and a maximum of 8 (eight) years after the work is undertaken, to meet any legal obligations, after which time it will be securely deleted. After eight years all personal data will be deleted, unless basic information needs to be retained by us to meet our future obligations to you, such as erasure details.

12.    Who we share this information with

In line with our ICO registration statement, we sometimes need to share the personal information we process with the individual, their employer and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). The types of organisations we may need to share some of the personal information we process with for one or more reasons are:

  • managers, associates and representatives of the person whose personal data we are processing
  • suppliers and service providers involved with meeting the need of the client
  • central government, police forces & security services (if applicable lawful request made).

13.    Communication of Privacy Information

We are communicating our privacy policy via this document which will be available at all times on our website.

14.    Subject Access Requests

As outlined in GDPR guidelines, we will respond to and comply with all subject access requests within one month. If we feel that the individual’s request is manifestly unfounded or excessive, we reserve the right refuse or to make a charge. If we refuse any requests on the above grounds, we will tell the individual why and inform them that they have the right to complain to the supervisory authority and to a judicial remedy. We will do this within one month of the request.

15.    Registration with ICO

WorksOut is registered with the Information Commissioner’s Office. You can view our registration by visiting the Information Commissioner’s Website at and entering our reference number: Z3111814.

16.    Changes to this Privacy Policy

This Privacy Policy is effective as of 24th May 2018 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.

We reserve the right to update or change our Privacy Policy at any time and you should check this Privacy Policy periodically. Your continued use of the Service after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.

If we make any material changes to this Privacy Policy, we will notify you either through the email address you have provided us, or by placing a prominent notice on our website.

17.    Complaints

In the event that you wish to make a complaint about how your personal data is being processed by WorksOut you have the right to complain to us. If you do not get a response within 30 days, you can complain to the ICO.

18.    Contact Us

If you have any questions about this Privacy Policy, please contact us:

Subject access requests should be submitted in writing to: Margaret Hanson, WorksOut, The Green House, 41 St Bernard’s Crescent, Edinburgh, EH4 1NR


Last updated: 24th May 2018.

© WorksOut – 2019