Privacy Policy

This policy sets out how Compound Semiconductor Applications (CSA) Catapult Limited (“the Catapult” or “we”) collects personal data, how we process it, and how we keep it secure. “Personal data” means information that relates to individuals (“data subjects” or “you”) and from which you are, or could be, personally identifiable. “Processing” of personal data means actions taken in relation to that personal data, including collection, storage, use, sharing and destruction/deletion.

This policy also explains your rights in relation to any personal data that we hold about you (see section 14).

Unless we state otherwise in this policy, the Catapult is the data controller responsible for the processing and protection of personal data under this policy. The Catapult is registered with the Information Commissioner’s Office (“ICO”) under registration number ZA499638.

This policy applies across all channels used to communicate with the Catapult (e.g., via our website, post, email, social media, etc). It applies to all external individuals that we interact with, including users of our website, job applicants, business partners, customers, collaborators and service providers. Such individuals are referred to as ‘data subjects’ under applicable data protection laws. This policy does not apply to Catapult staff – if you are a member of Catapult staff, including employees and non-executive directors, please refer instead to the internal Staff Privacy Notice.

We may amend this policy from time to time. Any significant changes to this policy or to the way we treat personal data will be communicated via our website. This policy was last updated on 05.06.24

You can contact us for further information as follows:

Address :           CSA Catapult, Imperial Park, Innovation Centre, Celtic Way, Newport NP10 8BE.

Email:               legal@csa.catapult.org.uk

Phone:             01633 373121

You can find more general information about the Catapult and what we do on our website: https://csa.catapult.org.uk.

This policy sets out the various types of personal data that we may process under this policy. This will generally include the following:

• Identity Data including name and title.
• Contact Data including email address and telephone number (we do not generally collect addresses for individuals since most of our dealings are with organisations rather than individuals).
• Employment data including job title and the organisation that an individual is employed by or otherwise associated with.

The headings listed above represent the main types of personal data that the Catapult may process about third party data subjects, but we may also process other types of personal data. If so, details of such additional processing are set out in the relevant sections below.

Special categories of personal data – certain categories of personal data are subject to additional legal protections because of their nature and potential sensitivity. These include details of a person’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health information, genetic and biometric data, and information about criminal convictions and offences. If we do need to process special categories of personal data we will make this clear in the relevant sections below.

We may also collect, use and share aggregated data, for example statistical or demographic data. This is not personal data as you are not directly or indirectly identifiable from such aggregate data. For example, we may use aggregate data about attendees at events to help us analyse and understand trends in event attendance, which will help us improve our events going forward.

Further details about specific types of data processing that we undertake are set out in sections 5 to 9 below.

We will only retain personal data for as long as reasonably necessary to fulfil the purposes we collected it for, and we will not retain personal data for any longer than is necessary. How long we retain personal data therefore depends upon the purpose(s) for which we originally collected that personal data.

When determining the appropriate retention period(s) for personal data we consider the following factors:

• the amount, nature and sensitivity of the personal data,
• how long we need to keep the data to fulfil the original purposes for which it was collected, and whether we can achieve those purposes through other means,
• the potential risk of harm from unauthorised use or disclosure of personal data,
• the applicable legal, regulatory, tax, accounting or other requirements, and
• guidance from official bodies such as the ICO and Government funding departments.

Retention periods for some types of personal data are specifically noted in sections 5 to 9 below.

Once the applicable retention period has passed the personal data will be disposed of securely. However, we may retain personal data for longer in the event of a complaint, or if we reasonably believe there is a prospect of litigation in connection with our relationship with the data subject.

In some circumstances we will anonymise personal data (so that it can no longer be associated with the particular data subject), for example for research or statistical purposes, in which case we may continue to use such anonymised information indefinitely without further notice to the data subject.

If you require further information regarding our retention of personal data please contact us at legal@csa.catapult.org.uk.

Whenever and however we use your personal data, we make sure we have a lawful basis for processing that personal data. We may rely on one or more lawful basis when we process your personal data. The types of lawful basis include where:

• we need to process your personal data in order to perform our contractual obligations to you, or to enter into a contract with you (including pre-contractual discussions);
• we have obtained your consent – please note that if we are relying on your consent as a lawful basis for a particular purpose of processing, and you do not give us consent (or if you give it but then withdraw it), then we will not be able to process (or continue to process) your personal data for that purpose;
• we need to process your personal data in order to discharge our legal and regulatory obligations, for example under applicable health and safety legislation;
• we need to process your personal data to protect your vital interests – this applies in circumstances where you cannot give consent (for example as a result of an injury which has made you unconscious) and we reasonably need to process your personal data to protect your life (for example to call an ambulance and give the paramedics your details);
• we process your personal data where such processing is necessary for us to be able to conduct our business in accordance with our legitimate interests, for example to help us manage and administer our business effectively and efficiently, to maintain compliance with our internal policies and procedures, and to detect and prevent fraud. If we are relying on our legitimate interests as a lawful basis for processing your personal data, we will make sure we have considered and balanced any potential impact on you and your rights (both positive and negative) before we begin to process your personal data for such purposes. Please note that you have a right to object to us processing your personal data on the basis of our legitimate interest, see ‘Right to object to processing or to request restriction of processing’ under section 14 below;

For the special categories of personal data mentioned in section 2 above, we can also process such special category data if (a) one of the lawful bases above applies and (b) that processing is necessary for us to establish, maintain or defend legal proceedings, or that processing is necessary for employment, social security and/or social protection reasons in accordance with applicable laws.

The following sections 5 to 9 set out information about specific types of data subject and the specific activities for which the Catapult may process their personal data, plus relevant details about that processing.

The personal data we collect

If you apply for a position at the Catapult we will collect the following personal data about you:

• Full name and title.
• Contact details including email address, contact telephone number and postal address. This may include details necessary to create and/or join virtual meetings or conference calls.
• Date of birth.
• Education, employment history and qualification details, including details disclosed within CVs and job applications.
• Previous employer references.
• Notes made by interviewers during the interview.
• Applicant personality profiles.
• Identity checks (i.e. Passport / Driving Licence) and right to work status.

Special category data: we actively collect some special categories of personal data for job applicants, including health information (in the event of an accident), ethnicity, and disability information.

If you are offered a position following a successful job application we would also collect the following additional personal data as part of the job on-boarding process:

• Financial information including bank details and identifiers (e.g., National Insurance Numbers).
• Criminal record background checks.
• Next of kin details.

How we collect this personal data

We collect personal data relating to job applicants from several sources, including from applicant themselves via their CV and any associated job application forms they have completed and provided to us. We may also receive information via recruitment agencies we work with, and via other third parties who carry out background checks on the Catapult’s behalf.

As part of the recruitment process we also review personality profile analysis information procured through third-party suppliers that specialise in applicant personality profiling.

What we do with this personal data

We process the personal data noted above for the following purposes:

• Human Resources administration purposes, for example arranging interviews, preparing relevant information for interviewers, taking and storing interview notes, and evaluating candidates post-interview.
• Statutory compliance purposes, for example assessing eligibility to work in the UK and making reasonable adjustments for applicants where necessary to facilitate the recruitment process.
• Health and safety purposes, for example if you experience an accident or incident whilst attending our offices for interviews we will record the accident or incident, including any relevant health information, for health and safety purposes.
• For successful applicants, we process personal data as part of our screening and on-boarding processes.

Lawful basis for processing

We may rely on the following lawful bases for processing personal data of job applicants (see section 4 above for further information about lawful bases for processing personal data):

• Contractual obligations.
• Legal and regulatory obligations.
• Legal proceedings, if relevant (for special category data).
• Legitimate interests – this relates specifically to the collection and review of applicant personality profiles, which we do for the purposes of effective management of applicants and the application process.

How long we retain this personal data

If you apply for a position at the Catapult and your application is unsuccessful we will retain your personal data for six months after the job application process has ended, following which we will delete it. If your application is successful we will retain your personal data in accordance with our internal Staff Privacy Notice

The personal data we collect

We collect the following personal data about current and prospective business partners, customers and collaborators of the Catapult.

• Full name and title.
• Business contact details including email address, contact telephone number and postal address. This may include details necessary to create and/or join virtual meetings or conference calls.
• Job title / position, and the name of your organisation.

Special category data: we do not actively collect special categories of personal data for business partners, customers or collaborators and would usually only do so in specific, limited circumstances (for example we would collect health information in the event of an accident or incident).

How we collect this personal data

We generally collect this personal data directly from the individuals themselves, usually through their direct engagement with us and the services we offer. This may be collected via enquiry forms on our website, email and/or telephone enquiries, via social media platforms, or through networking conversations at conferences and events.

We may also receive personal data about individuals from other people within their organisations (for example we may have spoken to their colleague who has provided their name and contact details for us to follow up), through third parties (for example our other business partners, customers and/or collaborators) who have made an introduction and/or referral, or from publicly available sources (for example contact information listed on an organisation’s website).

What we do with this personal data

We process the personal data noted above for the following purposes:

• General administration and management purposes, for example contract and project management for ongoing activities, bid and/or quotation management for prospective activities, and for monitoring and management of general communications (for example enquiries via social media). This may include matching and storing personal data (alongside other information) within our Customer Relationship Management (CRM) systems.
• Providing access to the Catapult’s IT systems, including Microsoft Teams, where necessary for collaboration purposes. If so, we may request relevant information through our IT Service Desk including technical information about IT equipment and systems plus associated personal data (including geographic location). Such information will only be processed in connection with the provision of IT Service Desk support and will be subject to the terms set out in this privacy policy.
• Identifying, considering and responding to enquiries we have received from third parties, including prospective collaborators, customers and business partners.
• Meeting and event management purposes, for example collating information (including personal data) about third party organisers and/or attendees to facilitate the smooth running of meetings and events. From time to time we may also issue specific privacy notices in connection with specific events.
• Impact and reporting purposes. Specifically, we conduct an annual impact survey to enable us to assess and report on the impact the Catapult has had on the UK compound semiconductor industry. We may contact current or past business partners, customers and/or collaborators to ask them to complete an impact survey for these purposes. We manage impact surveys through SnapSurveys, a third party provider of survey tools (see https://www.snapsurveys.com/). Survey responses would be anonymised by SnapSurveys unless we advise otherwise at the time of sending out survey participation requests.
• Health and safety purposes, for example if somebody experiences an accident or incident whilst attending our offices for a meeting or event we will record the accident or incident, including any relevant health information, for health and safety purposes.
• Publicity and promotional purposes, for example we may request quotations or other relevant information from external business partners, customers, collaborators and/or other stakeholders for inclusion in our publicity materials (including press releases and website/social media announcements). This information may include the name and job title of relevant individuals, details of their employer and/or other relevant organisation, and relevant details of our engagement with them. Where we request such information we will also seek approval from such third parties for our proposed uses thereof.

Lawful basis for processing

We rely on legitimate interests as our lawful basis for processing the personal data noted above. Our specific legitimate interests for this processing are:

• Effective management of projects, collaborations, partnerships and other business relationships.
• Effective handling of enquiries and communications.
• Effective management of meetings and events.
• Assessing and reporting our impact for the benefit of the compound semiconductor industry as a whole.
• Publicity and promotional purposes.

In relation to health data specifically, we may also rely on Legal and Regulatory Obligations and/or Legal Proceedings as our lawful bases for processing such data.

How long we retain this personal data

Where we are retaining personal data for the legitimate interest processing activities noted above we will generally retain this data until it is no longer relevant, or until we have received a specific objection, restriction or deletion request in relation to such personal data, whichever is earlier. Any personal data that we process for health and safety purposes will be retained in accordance with applicable statutory and other regulatory retention periods.

The personal data we collect

We collect the following personal data about current and prospective service providers, being any third party that supports the Catapult in achieving our business aims and objectives:

• Full name and title.
• Business contact details including email address, contact telephone number and postal address. This may include details necessary to create and/or join virtual meetings or conference calls.
• Skills, experience, and any previous contact and/or relationship with the Catapult.
• Job title / position, and the name of your organisation.

Special category data: we do not actively collect special categories of personal data for service providers and would usually only do so in specific, limited circumstances (for example we would collect health information in the event of an accident or incident).

How we collect this personal data

We collect personal data about service providers and their personnel directly from the providers themselves, usually through their direct engagement with us (for example in response to a supplier tender or through our ongoing supplier relationship management). We may also receive personal data about service providers from third parties (for example our other business partners, customers and/or collaborators) who have made an introduction and/or referral, or from publicly available sources (for example contact information listed on an organisation’s website).

What we do with this personal data

We process the personal data noted above for the following purposes:

• General service provider management and administration purposes, for example contract and project management for ongoing activities.
• Providing access to the Catapult’s IT systems, including Microsoft Teams, where necessary for collaboration purposes. If so, we may request relevant information through our IT Service Desk including technical information about IT equipment and systems plus associated personal data (including geographic location). Such information will only be processed in connection with the provision of IT Service Desk support and will be subject to the terms set out in this privacy policy.
• Health and safety purposes, for example if somebody experiences an accident or incident whilst attending our offices for a meeting we will record the accident or incident, including any relevant health information, for health and safety purposes.

Lawful basis for processing

We may rely on the following lawful bases for processing personal data of service providers (see section 4 above for further information about lawful bases for processing personal data):

• Contractual obligations (whether the service provider is the data subject under the applicable contract).
• Legal and regulatory obligations.
• Legal Proceedings, if relevant (in relation to health data).
• Legitimate interests, including for the purposes of effective management of service providers and any associated projects or activities they are involved in, and generally growing and managing our business.

How long we retain this personal data

Where we are retaining personal data for contractual obligations, or for the legitimate interest processing activities noted above, we will generally retain this data until it is no longer relevant, or until we have received a specific objection, restriction or deletion request in relation to such personal data, whichever is earlier. Any personal data that we process for legal and regulatory obligations, or for legal proceedings, will be retained in accordance with applicable statutory and other regulatory retention periods.

The personal data we collect

We collect the following personal data about visitors to our offices:

• Full name and title.
• Business contact details including email address, contact telephone number and postal address. This may include details necessary to create and/or join virtual meetings or conference calls.
• Job title / position, and the name of your organisation.
• Car registration, if applicable.
• Details of the person(s) at the Catapult that the visitor is coming to see.
• Still images and video (but not audio), captured via CCTV (for which see section 9 below).

Special category data: we do not actively collect special categories of personal data for visitors to our offices and would usually only do so in specific, limited circumstances (for example we would collect health information in the event of an accident or incident).

How we collect this personal data

We collect personal data about visitors to our offices directly from the visitors themselves, usually when they sign in at our reception. We may also request information in advance, either from visitors themselves or from the person(s) at the Catapult that they are visiting. This information may be collected via email, telephone, or completion of an online form. Images and video (but not audio) may also be captured through CCTV, for which see section 9 below.

What we do with this personal data

We process the personal data noted above for the following purposes:

• Effective management of visitors at our offices, including facilitating visitor attendance at meetings and/or events.
• Health and safety purposes, for example if somebody experiences an accident or incident whilst visiting our offices we will record the accident or incident, including any relevant health information, for health and safety purposes.
• Security purposes, including to ensure the safety and security of people and equipment at our offices.

Lawful basis for processing

We may rely on the following lawful bases for processing personal data of service providers (see section 4 above for further information about lawful bases for processing personal data):

• Contractual obligations (whether the visitor is the data subject under the applicable contract).
• Legal and regulatory obligations.
• Vital interests where relevant in the event of a health and safety incident.
• Legal Proceedings, if relevant (in relation to health data).
• Legitimate interests, including for the purposes of effective management of visitors to our offices, and for the safety and security of our offices and the people and equipment located there.

How long we retain this personal data

Personal data relating to visitors is generally retained for six months after a visit, following which it is deleted unless there is a legitimate reason to retain it for longer. Personal data relating to health and safety incidents is retained for three years from the date of the incident. Any personal data that we otherwise process for legal and regulatory obligations, or for legal proceedings, will be retained in accordance with applicable statutory and other regulatory retention periods.

The Catapult’s offices, including our Innovation Centre in Newport, Wales, and our other offices elsewhere in the UK, may be subject to CCTV monitoring for safety and security purposes.

CCTV monitoring of external areas (for example car parks and exterior entrances and walkways) is generally maintained by the applicable landlord(s) of such sites. Such monitoring is outside of the Catapult’s control and will therefore be subject to separate monitoring terms and conditions. These should be available on signage displayed at the relevant site(s) or through making enquiries with the applicable landlord(s). If you need any assistance from the Catapult to make a CCTV-related enquiry to such a landlord please get in touch with the Catapult using the contact details in section 1 above.

CCTV monitoring of internal areas within the Catapult’s offices, where applicable, is maintained by the Catapult. CCTV monitoring is operational at the Innovation Centre and applicable signage is in place in the monitored areas. Details of CCTV monitoring for other Catapult sites can be made available upon request.

CCTV monitoring at the Innovation Centre is operational 24 hours a day. Some laboratory cameras are connected to screens in the laboratory corridor which display live feeds of the laboratory interiors. These live feeds are only visible on the corridor screens and are not available elsewhere. CCTV cameras only record images (video and still), they are not used to record sound as audio recording is disabled by default. Images are stored solely within the specific CCTV camera(s) that captured them and are not saved elsewhere on any internal or external servers. Images recorded by CCTV cameras are retained for a maximum of 90 days. CCTV images stored within cameras would only be accessed by limited, authorised members of Catapult staff, and would only be reviewed in response to a specific health and safety, security or other relevant incident or concern which required the Catapult to review the applicable CCTV images.

Where reasonably necessary, the Catapult appoints external suppliers to assist us with our business activities, including the management of personal data processing within our business. Where personal data is involved, we ensure that any data sharing is limited to only the personal data which reasonably needs to be shared for the recipient to provide their support, and we always ensure there is a contract in place which, amongst other things, requires the recipient to keep your information safe and confidential, and only to use your personal data in accordance with our instructions.

The main categories of recipients we may disclose your personal data to are:

• Banks, HMRC and auditors, to process and report financial transactions, complete and file statutory financial returns, comply with our financial reporting obligations, raise purchase orders and invoices, and pay external suppliers.
• Customer relationship management (CRM) systems, to securely hold and maintain contact information and manage our relationships with business partners, customers and collaborators.
• Visitor management systems, to effectively receive and manage visitors to our offices and to assist us in complying with our health and safety obligations.
• Third party professional advisors and service providers, for example external legal or tax advisors or external providers of software and systems, for those third parties to effectively provide their services to the Catapult.
• Bulk email providers (for example MailChimp) to send newsletters, event invitations and other direct marketing materials.

We are committed to processing personal data in a secure manner which ensures confidentiality, integrity and availably at all times. We have put appropriate technical and organisational security measures in place to protect the security of personal data, to prevent it from being accidentally lost, damaged or destroyed, and to prevent it from being used, accessed, altered or disclosed in unauthorised ways. These measures include encryption, implementation of appropriate policies and procedures, and regular staff training.

In addition, we limit access to personal data only to those members of Catapult staff (including employees, agents and contractors) who have a business need to access it. They will only process personal data on the Catapult’s instructions and subject to a duty of confidentiality.

We have also implemented procedures to deal with any suspected personal data breaches and we will notify affected data subjects and any applicable regulator of a breach where we are legally required to do so.

Where processing of personal data is carried out outside the UK, we ensure that further safeguards are implemented as necessary to protect the transfer of data to such territories as required by applicable laws. We will typically rely on adequacy regulations or prescribed Standard Contractual Clauses to ensure that the recipient in the receiving territory maintains the same standards of protection regarding personal data as we do in the UK. If you have any questions about the Catapult’s international data transfers, please contact us at legal@csa.catapult.org.uk.

Where you have given your specific consent to us doing so, we may use your information to notify you about events, opportunities, goods or services which may be of interest to you. We will only do this where you have given your consent and you have not since withdrawn such consent. See ‘Right to withdraw consent’ in section 14 below for more information.

CSA Catapult will process personal data that it holds about you in line with your rights under data protection law. These rights are set out below. If you wish to exercise any of these rights please contact us on legal@csa.catapult.org.uk.

Further information about your rights is available on the ICO website at https://ico.org.uk/for-the-public/.

Right to withdraw consent

Where we are relying on consent as a lawful basis for the processing of your personal data for a particular purpose, you have the right at any time to withdraw your consent to the processing of your personal data for that purpose.

Right of access

You have the right to obtain information from us regarding the processing of your personal data, including whether or not we are holding and/or processing your personal data, the extent of the personal data we are holding and the purposes and extent of the processing. You also have the right to ask for copies of the personal data that we hold about you, if any. This is commonly known as making a ‘subject access request’. Please note that in order for us to comply with a subject access request it may be necessary for us to request verification of your identity.

Right to rectification

You can ask us to rectify personal data that we hold about you which you think is inaccurate. You also have the right to ask us to complete personal data that we hold about you which you think is incomplete. To enable us to deal with these kinds of requests you will need to state clearly what personal data you believe is inaccurate and/or incomplete (providing evidence of the inaccuracies where available) and how this should be corrected.

Right to erasure

In some circumstances you have the right to ask us to erase personal data that we hold about you. This is commonly as the ‘right to be forgotten’. To enable us to deal with this kind of request you will need to state clearly what personal data you want erased. Please note that this right to erasure is not absolute, and there may be circumstances where you ask us to erase your personal data but we are legally entitled to retain it. If such circumstances apply to personal data that you have requested to be erased we will notify you accordingly.

Right to object to processing or to request restriction of processing

In certain circumstances you can object to the processing of your personal data, and/or you can request that the ways in which we process your personal data are restricted. To enable us to deal with this kind of objection or request you will need to provide as much information as possible about the processing you are objecting to and/or seeking to restrict, for example the type(s) of personal data that are being processes, how you want the processing of that personal data to be restricted, and why. In some cases, we may be able to demonstrate that we have compelling legitimate grounds to process your information which override your right to object (for example we need to continue to process your personal data in order to comply with our applicable legal or regulatory obligations). If such circumstances apply to your personal data we will notify you accordingly in our response to your request.

Right to object to processing – direct marketing

You have the specific and absolute right at any time to object to the processing of your personal data for direct marketing purposes. Where we are processing your data for direct marketing purposes you can exercise this right of objection by contacting us using the email address above, or by following the unsubscribe instructions in correspondence you have received from us.

Right to object to processing – automated decision-making

You have the right to be informed where decisions are being, or may be, made about you where such decisions (a) are based solely on automated processing, including profiling, and (b) produce legal effects or otherwise significantly affect you. For example, where a computer algorithm rather than a person makes decisions that affect your contractual or other rights. If such circumstances do exist then you also have the right to specifically object to such automated decision-making by contacting us as set out above. Please note that the Catapult does not carry out any such automated decision-making in respect of data subjects who are not members of Catapult staff (if you are a member of Catapult staff please refer to the internal Staff Privacy Notice).

Right to data portability

In some circumstances you have the right to request the transfer of your personal data to you or to a third party. This is commonly referred to as the right to ‘data portability’. If you exercise this right we will provide to you, or to a third party nominated by you, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to personal data which (a) you initially provided consent for us to process, or where we processed the personal data to perform a contract with you, and (b) such processing was automated. If you request the right to data portability and it is not available to you we will notify you accordingly in our response to your request.

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share your personal data. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Our website uses cookies and other similar technologies. Please see our cookie policy for information about the cookies we use.

If you have a complaint then please contact us in the first instance using our contact details set out in section 1 above as we would welcome the opportunity to resolve your complaint with you. However, if you believe that we have not been able to assist you to your satisfaction then you can also complain to the ICO, UK’s privacy regulator, using the following details:

The ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Helpline number: 0303 123 1113.

Via their website: https://ico.org.uk/make-a-complaint/