Fleet Operator Recognition Scheme (FORS) – Privacy Policy

Privacy Policy Quick links

Overview
Scope – The what and who that this policy covers
Who are FORS
- What does FORS do?
- Who are TfL?
Data protection principles
The personal data we collect
Data Accuracy
How your personal data is used
Sharing your personal data with others
Your controls, rights and choices
- No fee usually required
- What we may need from you
Our data security and retention policies and practices
- Security
- Keeping your data
Cookie Policy
Contacting us, complaints, and updates to this policy

Overview

When you use FORS, you trust us with your personal data. We’re dedicated to keeping that trust. This commitment starts with helping you to understand what we need your data for, what we will do with it and what rights you have over your data. This privacy policy governs our use of the personal data we collect for FORS, and we designed it to provide clarity for our practices and principles in a format that those using our service can easily navigate, read, and understand.

Scope – The what and who that this policy covers

We will use this privacy policy to describe the processing of personal data for those who visit our website and interact with us, i.e. through social media, as well as our affiliate partners and training delegates who use the FORS services we provide. It covers any personal data that is provided or collected on our website, social media, and any applications where this privacy policy is posted. We also collect personal data through the classroom training sessions carried out for FORS by third parties and through our call centres. Processing in this context includes collecting, categorising, storing, using, and deleting data.

We follow this privacy policy and process your personal data in accordance with UK data protection legislation including the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR), and the Privacy in Electronic Communications Regulations 2003 (PECR) (together the Data Protection Laws}. In some cases, we may provide additional data privacy notices specific to certain products or practices. The terms of those notices should be read in conjunction with this policy.

Please keep in mind that when you provide information to us through a third party, such as a trainer, the information you provide may be separately collected by the third-party. The information we collect is covered by this privacy policy, and the information the third-party collects is subject to their privacy practices or those of their site or platform. Privacy choices you have made for the third-party will not apply to our use of the information we have collected directly through our website or applications.

Please also keep in mind that our sites and applications may contain links to other sites not owned or controlled by us and we are not responsible for the privacy practices of those sites. We encourage you to be aware when you leave our sites or applications and to read the privacy policies of other sites that may collect your personal data.

Who are FORS

FORS stands for the ‘Fleet Operator Recognition Scheme’ which is operated by Sopra Steria (‘us, we’) on behalf of Transport for London (TfL). For our and TfL’s contact details and registration details with the ICO please see our individual privacy policies below. For the purposes of this processing activity, TfL are the ‘Controller’ which means they hold the ultimate responsibility for the security and lawful processing of your personal data. Sopra Steria as the day-to-day managers of the FORS website and system are the ‘Processor’, which means we carry out the instructions given to us by TfL when processing your personal data.

Sopra Steria – Privacy Policy

Transport for London – Privacy Policy

What does FORS do?

Under contract to TfL, Sopra Steria provide a service called FORS (Fleet Operator Recognition Scheme) which is a voluntary, industry recognised accreditation for transport and haulage businesses, which demonstrates their dedication to running their operations efficiently, safely, and in a manner as environmentally considerate as possible. Although this is a voluntary scheme, a vast number of some of the most relied upon transport businesses across the UK have a level of FORS accreditation (levels of Bronze, Silver & Gold are accredited dependant on various standards) which often gives them the edge when customers choose their dedicated transport partner.

Who are TfL?

TfL are the Controllers for the FORS scheme who carry the ultimate legal responsibility for the protection and use of your personal data. They have passed this responsibility on to Sopra Steria with a contract in place to ensure the continued protection of your personal data.

Data protection principles

We actively comply with the data protection principles set out in Data Protection Laws. Together, these say that personal data we hold about you must be:

used lawfully, fairly and in a transparent way;
collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
relevant to the purposes we have told you about and limited only to those purposes;
accurate and kept up to date;
kept only as long as necessary for the purposes we have told you about;
kept securely and where we share this data with third parties, we will inform you, particularly if this is outside of the UK.

The personal data we collect

To be able to carry out our activities managing and maintaining FORS, we collect a range of personal data and as a user of our website, someone who interacts with us on social media, a supplier, a client, or a prospect of FORS, we may collect, use, store and transfer various kinds of personal data about you which we have listed together as follows:

Type of Data	Description	Users Data Collected
Identity Data	Including first name, last name, company name, Job Title/ Position.	Supplier, Client, prospect of FORS
Photographic, Video or Audio Data	With your explicit consent we may collect photos, videos or audio from you for purpose of promoting and marketing FORS and its service.	Client
Contact Data	Including physical address, email address, social media handle and telephone numbers, location/country.	Supplier, Client, prospect of FORS
Technical Data	Including internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.	Site User
Profile Data	Including your interests, preferences, feedback, and survey responses, what accreditations are held by your business and learning/skills/qualifications record if applicable.	Site User
Usage Data	Including information about how you use our website and your interactions with marketing content	Site User
Marketing and Communications Data	Includes your preferences in receiving marketing materials from us and our third parties and your communication preferences.	Client, prospect of FORS
Contains Session ID, making it empty on logout	FORS	Session
Client Data	Where we perform a service for you.	Client

We may also use your personal data to generate Aggregated Data. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. Aggregated Data is not personal data in law as it is anonymised.

There are “Special Categories” of more sensitive personal data which require a higher level of protection, such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, and financial information. In rare cases, data relating to children and criminal offence information may be processed as part of the services we offer.

The data we hold about different categories of data subjects is as follows:

Audience	What data do we hold
FORS Operators	· Contact data for key contacts i.e. name, email, company name, company postal address etc. · Company registration number · Company payment details including financial/bank and/or credit card details (this data is not stored with FORS, but with a 3^rd party Paypal service), · Credit reports from credit reference agencies.
Delegates	· Names · Personal contact details, such as email or phone number · Drivers Licence Number · Training record, qualifications, skills, including courses and grades.
Partners – Organisations which sign up to promote FORS	Partner contact details including name, email, phone number.
Website users	We collect personal data via cookies on the website to obtain information about how you use our website and your interactions with content and also your data collection preferences linked to your IP address. See Cookie Policy for details
Those who contact us directly (including through social media).	Whatever contact details you provide via the method you use to contact us, could be social media handle, email, sms text etc.

How we collect your personal data

We will collect your personal data about you in the following ways:

Information you give us. This is personal data (including Contact Data and Identity Data) you provide to us by: visiting our website, calling our call centre, agreeing to photography or video and other interactions with our staff when required. Please note that your payment details are not held by us, this information is collected by third‐party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions. We will also get some of this information by you corresponding with us (for example, by email, text or using social media messaging services).

Information we observe. We will gather personal data about you through the monitoring of our systems including use of telephones, social media and the internet and through our interactions with you if you undertake training with us.

Information we create. If you attend a training course, we will create personal data relating to your attendance at that course.

Information given to us by third parties. We may receive personal data about you from various third parties and public sources as set out below:

Identity and Technical Data from the following parties: analytics providers such as Eloqua and social media channels such as Facebook, LinkedIn, Twitter, Instagram, YouTube; etc.
Identity and Contact Data from data brokers or aggregators where you have given consent.
Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register.

Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns which might be used with other identifying data to establish other personal information about you. We collect this data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our Cookie Policy for further details.

Data Accuracy

It is important to us that the information we hold about you is accurate and up to date. Please keep us informed of any changes to your personal data at [email protected]. Your personal data may also be amended where you are a driver employed by a FORS operator. The operator might ask us to update the organisation that you are affiliated with in order to maintain the accuracy of their employee data.

How your personal data is used

We will use your data to deliver and administer the services you sign up to receive. We will also use your personal data in the following ways.

Audience	What we do with it	Lawful basis for processing
FORS Operators	Communicate with you about your FORS account including any queries, feedback or complaints you have and making sure any data we hold about you is accurate. We will also provide you with account updates, notify you of changes to our terms and will keep data about any transactions you have with us. Provide you with information about the FORS accreditation service, and industry sector news. Provide you with information, offers and promotions about other goods and services we offer that are similar to those you have already purchased or enquired about. We will also record any marketing preferences you have.	Contract – where you are a sole trader or limited liability partnership we hold information about you to administer your FORS account. This is necessary as part of our contract with you. Legitimate interests – it is a legitimate interest of ours to contact you where you are a corporate customer in respect of your account. We will do this where it is necessary as part of our account management and in the provision of our services to you in accordance with our contractual obligations. Legitimate interest – it is a legitimate interest of ours to send you marketing materials and information about other goods and services we offer that are similar to those you have already purchased or enquired about. Consent – in addition to legitimate interests sometimes we use consent as our basis for marketing of offers and promotions. Where we use consent you will be asked to opt-in to our marketing. If we ask for your consent but you don’t give it, we will not send you marketing messages. Even if you consent you can change your mind at any time by withdrawing your consent
Delegates	We will use your information for course administration. We will communicate with you about your account or transactions with us and send you information about the FORS service for training certifications. Provide your employer with independent evidence that they are FORS accredited.	Contract – where you are a sole trader or limited liability partnership we hold information about you to administer any training you are receiving from us and to manage information about that training. This is necessary as part of our contract with you. Legitimate interests – it is a legitimate interest of ours to process information about you where you are a corporate customer in respect of any training you have received or will receive. We will do this where it is necessary as part of our management of training services pursuant to any contract you have with us.
Website and social media users	We will process your data where you engage with us through our website or on social media. We will do this to administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) and to deliver relevant content to you. For details about our use of cookies, please go to our cookie policy. To use data analytics to improve our website, products/services, marketing, customer relationships and experiences. We may collect your data via marketing forms in Social Media or our Marketing Platform.	Consent – we use consent as a basis for processing data we hold about you about cookies. Legitimate interests – it is a legitimate interest of ours to make sure our business and systems are safe and secure. We will use data about you when we do this. Legitimate Interest – It is a legitimate interests of ours to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy). Consent – as part of these forms we will ask for your agreement to process your data for the activity and wider marketing activities.
Those who contact us directly (including through social media).	We will use your data to respond to your question or query.	Legitimate interests – where you have contacted us directly either by using an email address you’ve found online or you message us through a social media platform, it is a legitimate interest of ours to respond to you.
Photographic, Video or Audio Data	We may use photos, videos or audio from you for purpose of promoting and marketing FORS and its service.	Consent – before recording your image, voice or both we will get your agreement to do so and will ensure that you understand how it will be used.

Marketing

Where we do not currently have your consent to send you marketing communications:

and you are an existing customer (or have negotiated to buy a product or service from us), we use soft opt-in under PECR rules to deliver content to you. This means we do not ask for you to ‘opt-in’ via a checkbox, and instead provide you with the ability to ‘opt out’ at any time, for example at the footer of each email we send to you;
and you are not an existing customer or prospective candidate, we use either your explicit consent (via an opt-in checkbox), or another positive action, such as completing a registration form.

If you would like to know about your marketing preferences, please contact Enquiries.

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think may be of interest to your organisation.

While the operators who are members of FORS may notify us of their own customers who might be interested in our services, we do not send out marketing directly to those FORS operator customers..

Legal Basis for processing

Data protection laws require us to have a processing condition (such as consent, or processing required by law) for processing data. The above table sets out the lawful basis for processing for various activities.

The lawful bases we use are:

Consent: your consent to one or more specific purposes. We will set out the basis for consent in a consent notice or in some other form of notice where it is clear we are asking for your consent. Where we do not get your consent, we will not use your data for that purpose;

Contract – in order to enter into any contract we may have with you and to meet our obligations under that contract;

Legitimate interests: we’ve identified this type of processing is a legitimate interest of ours or a third party; we consider that use of your personal data is necessary to achieve that legitimate interest; and we’ve balanced all that against your interests, rights and freedoms.

We may in some circumstances have to share your personal data with third parties, including third-party service providers. We require third parties to respect the security of your personal data and to treat it in accordance with the law.

We may in some circumstances transfer your personal data outside the UK.

Where this is required, we will ensure your rights are adequately protected through:

Findings of adequacy (countries deemed by the ICO to have adequate protections for personal data);
Standard Contractual Clauses (UK the International Data Transfer Addendum (the UK Addendum) which is based on the EU Model Clauses; or
Any other protection deemed adequate by the ICO.

We will share your personal data with third parties where required by law. This may, in some circumstances, involve sharing special categories of personal data or, where relevant, data relating to criminal allegations.

We may also share your personal data with:

Suppliers involved in providing services as part of our contract with you or for the purpose of communications or events
Professional advisers including lawyers, bankers, auditors, and insurers who provide us with consultancy, banking, legal, insurance and accounting services
Government Authorities like HM Revenue & Customs, credit reference agencies, Environment Agency, regulators and other authorities who require reporting of processing activities in certain circumstances
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

Which third-party service providers process your personal data?

Some of our systems are hosted by third parties who also process the data for the purposes set out in this privacy policy. These include Oracle, and our website hosting provider. Our website also contains cookies set by third parties, as set out in our Cookie Policy.

How secure is your personal data with third-party service providers?

All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Our group systems are hosted in France. Your personal data may be transmitted to, stored, and processed in France. We may share your personal data with other companies in the UK group or with wider Sopra Steria Group organisations for the purposes set out in ‘Purposes for which we will use your personal data’ above.

Transferring personal data outside of the UK

In addition to our transfers to France [and other countries in the EEA], we may transfer the personal data we collect about you to the following countries outside the UK:

India
United States

There is no adequacy decision by the ICO in respect of India. This means that when we transfer your personal data to India, it is not deemed to provide an adequate level of protection for those data. There is also no adequacy decision by the ICO in respect of the United States but there is a data bridge. This provides adequacy where an organisation in the United States has registered for this with the US Department of Commerce.

To ensure that your personal data does receive an adequate level of protection we have put in place the following measures to ensure that it is treated by those third parties in a way that is consistent with, and which respects UK laws on data protection:

In respect of transfers of your personal data to Sopra Steria India; we use an Inter-Office Data Transfer Agreement to transfer data which, together with the UK Addendum and SCCs incorporated into the agreement, is deemed to provide an adequate level of protection.

In respect of transfers of your personal data to the United States; we transfer your personal data only to third parties who have signed up to Binding Corporate Rules or Standard Contractual Clauses (Model Clauses with the UK International Transfer Agreement Addendum) or have signed up to the UK-US Data Bridge or there are other safeguards deemed adequate by the ICO..

If you require further information about these protective measures, you can request it from Data Protection Officer, Sopra Steria Limited, Three Cherry Trees Lane, Hemel Hempstead HP2 7AH or at [email protected].

Your controls, rights and choices

Please be aware that if you do not allow us to collect personal data from you, we may not be able to deliver certain services to you, and some of our services may not be able to take account of your interests and preferences. If collection of personal data is mandatory, we will make that clear at the point of collection so that you can make an informed decision whether to participate. If you have questions about the specific personal data about you that we process or retain, and your rights regarding that personal data, please contact Enquiries.

We provide you the ability to exercise certain controls and choices regarding our collection, use and sharing of your personal data. In accordance with applicable law, your controls and choices include:

Your rights in connection with personal data. You have the following legal rights in connection with your personal data:

Request access to your personal data. This enables you to receive a copy of the personal data we hold about you as well as information on how your personal data will be processed and the lawful basis for this processing.

Request correction of the personal data that we hold about you. You can request to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request deletion of your personal data. You can ask us to delete or remove personal data where there is no other reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing. Please note, however, that the right to erasure is not absolute. We may not always be able to comply fully with your request of erasure due to specific legal obligations which we will inform you about at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party), or automated decision making, and you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the absolute right to object where we are processing your personal data for direct marketing purposes. In some cases (with the exception of direct marketing), we may demonstrate that we have compelling legitimate grounds to process your personal data which override your rights and freedoms.

Request restriction of processing of your personal data and we will suspend our processing of your personal data unless and until we establish that we are entitled to process the personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

(a) if you want us to establish the data’s accuracy;

(b) where our use of the data is unlawful, but you do not want us to erase it;

(c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims;

(d) you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

Ask not to be subject to automated processing or profiling in relation to your personal data. Typically, this is referring to decision-making made by automated means, such as by Artificial Intelligence, in order to make business decisions. Here, you have the right to ask for a living person to be involved in decision-making, called ‘person-in-loop.’ You also have the right to ask us to review any decision made by automated means.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing conducted before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Please note that exemptions set out in Data Protection Laws may apply to the application of your rights, meaning that we do not have to grant your request in full. However, we will always meet your request as far as we are able.

You may exercise these controls, rights and choices by either emailing Enquiries at FORS or by clicking on the ‘email preferences’ option at the bottom of emails you have been sent by FORS.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we are allowed under the law to charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we can refuse to comply with the request in such circumstances.

What we may need from you

We sometimes need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it. If you do not provide such information in a timely manner, this may delay or deny your request.

Our data security and retention policies and practices

Security

As the processor, we take appropriate technical and organisational security measures to prevent unauthorised access and to ensure that the personal data we hold is kept secure.

We will store all personal data you provide to us on our secure servers, or those of our sub-contractors.

We will encrypt any electronic payment transactions and our third-party payment providers will conduct these in accordance with their terms.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of the FORS website, you are responsible for keeping this password confidential.

The FORS website may, from time to time, contain links to and from the websites of our partner networks, advertisers and Affinity Partners. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Keeping your data

We will not hold your personal data for longer than necessary for:

our reasonable business purposes described in this privacy policy;
to comply with our obligations under applicable law;
to comply with our obligations under the FORS Concession Contract; and
if relevant, to deal with any claim or dispute that might arise between you and us.

Personal data held in member’s user accounts is maintained in line with the status within FORS of the organisation they are part of. If the organisation is made dormant due to lack of activity or you choose to withdraw from the scheme, the data is removed in accordance with the FORS data retention schedule. Dormant means that a company (or other body) is no longer an active member of FORS. For dormant members, membership data will be retained but anonymised after 12 months of becoming dormant. Within 12 months of becoming dormant, FORS retains the right to contact you with company updates, marketing and/or sales messaging.

FORS Professional or FORS Approved training records will be retained for the validity of the course and for 24 months after the validity of the training expires or as long as the training account is active.

Training accounts will be held for as long as any training record is valid and for 24 months after. Where no training records exist training accounts will be removed after 24 months of inactivity.

General enquiries, and complaints received from FORS members or from members of the public will be retained for 12 months.

Marketing Data will be retained for 24 months after your last digital interaction with our organisation, unless you have opted in to marketing, after which your records will be removed from our marketing database. Where you opt out of our communication, we will retain this instruction for an indefinite period until such time as you amend your consent.

Photography, Video or Audio data: Were you have agreed to allow us to use photography, audio or video content of you, we will retain this content for 5 years or until you remove consent.

More detailed information on data retention periods is held in the FORS data retention schedule. For any queries related to data retention periods, please contact us at [email protected]

Please click here for the cookie policy.

Contacting us, complaints, and updates to this policy

How to contact FORS

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to Enquiries.

How to contact TfL

Questions, comments and requests regarding the FORS operations and service can be addressed to TfL at Help & contacts – Transport for London (tfl.gov.uk)

How to contact the Authority

If you have a complaint about the way in which we collect, process and store your personal data which you do not feel can be resolved by contacting us, you have the right to complain to the Information Commissioners Office.

Policy updates

This privacy policy (together with the FORS Terms and Conditions, any additional data protection policy we may issue from time to time and any other related documents we provide to you) are designed to provide you with a full understanding of how we manage the FORS service in regards to your personal data. Any changes we make to this privacy policy in the future will be posted on this page and, where appropriate, notified to you by email or through the FORS eNews. This privacy policy is Version 2, dated June 2024 and will be reviewed and updated annually.