CAG is a limited liability company registered in England and Wales (Company number 12333026). The registered office is 4 Cunningham Drive, Locks Heath, Southampton, England, UK.
CAG is committed to protecting the privacy and security of personal information. In particular, we are fully committed to meeting all of our legal obligations regarding how we collect and use personal data, in a manner consistent with the UK General Data Protection Regulation (UK GDPR), which governs the general processing of personal data, and the Data Protection Act 2018, which supplements it. The UK GDPR came into effect on 1 January 2021, replacing in UK law the EU General Data Protection Regulation (Regulation (EU) 2016/679, EU GDPR) as part of the UK’s withdrawal from the EU under the European Union (Withdrawal) Act 2018.
We are registered with the Information Commissioner’s Office (ICO), the UK data-protection regulator. CAG will be the ‘data controller’ for the purposes of data-protection laws in relation to any personal information we hold about living data subjects.
This privacy notice explains how we collect and use information about you.
2. Purpose of this Privacy Notice
The purpose of this privacy notice is to inform our business partners (such as existing or prospective clients, partner/associate organisations, institutions, vendors or suppliers, and recruiters), website visitors and other relevant stakeholders how we process personal data, i.e. data about natural (living) persons. When processing personal data, CAG adheres to the overarching principles that data should be processed in a manner which is responsible, secure, proportionate, lawful, fair and transparent.
3. Data Protection Principles
This privacy notice reflects the following data protection principles set out in Article 5 UK GDPR, namely that personal data should be:
Used lawfully, fairly and in a transparent way.
Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
Adequate, relevant and limited to what is necessary for the purposes we have told you about.
Accurate and, where necessary, kept up to date.
Kept only as long as necessary for the purposes we have told you about.
Kept secure, with appropriate protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
We are also responsible for, and must be able to demonstrate, our compliance with these principles (the accountability principle).
4. Types of personal data collected
There are two types of personal data which we may collect: general and special category data.
General personal data
Typically, we collect the following types of personal data in the course of our business activities:
Personal details, including name and contact information.
Professional details, including areas of expertise, educational and employment history, copy of contract with us.
Financial details, including bank details, pensions, payroll, credit card payment details.
IT and security details, such as device details, user activity and preferences, and browser history details.
Location details, including your geographical location, which may be relevant to the provision of services to you or to your participation in projects undertaken in partnership with us.
Contractual details, including the goods and services provided.
Special categories of personal data
Normally we do not collect special categories of personal data (formerly known as ‘sensitive data’). Special category data is information about an individual’s: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where used to identify someone); health; or sex life or sexual orientation. Personal data relating to criminal convictions and offences (including unspent convictions) is not a special category but is subject to comparable safeguards under Article 10 UK GDPR and the Data Protection Act 2018.
When we do need to process this kind of personal data, it will be done with the explicit consent of the individual or on the basis of the strict conditions set out in Article 9 UK GDPR (or, for criminal offence data, Article 10 UK GDPR and the Data Protection Act 2018).
Examples of such personal data that we may obtain include:
Personal identification documents that may reveal race or ethnic origin, and possibly biometric data of private individuals, beneficial owners of corporate entities, or applicants.
Adverse information about potential or existing clients and applicants that may reveal criminal convictions or offences. We may need to hold details of any unspent criminal convictions (governed by the rules of the jurisdiction in which they were imposed) for so long as they remain unspent.
Other data provided to us by our clients in the course of a professional engagement.
Normally we do not intentionally process information regarding minors, but we may access such data in the course of our business activities (for example, in research projects we undertake).
5. How personal data is collected
Personal data may be collected directly or indirectly.
There are a number of ways in which we may directly obtain personal data from individuals in the course of our business dealings. These include establishing a business relationship (which may involve entering into a contract for the performance of professional services), completing our online forms, subscribing to our newsletters and any other website-based subscription services we may set up from time to time, registering for and attending meetings or events that we organise, and applying for vacancies or other opportunities.
There are also a number of ways in which we may obtain personal data about individuals indirectly. Such data may come from a variety of sources: it may arise in the course of recruitment or other business activities, be publicly available, or be provided to us by others, including our clients.
Public open sources – Personal data may be obtained from public registers (such as Companies House), news articles, open data sources, Internet searches and social media platforms (e.g. professional networking sites).
Recruitment services – We may obtain personal data about candidates from employment agencies and other parties, including former employers and credit reference agencies, and from immigration status checks and criminal record (DBS) background checks.
Internal management/administrative systems – We may attach personal data to our customer relationship management records to better understand and serve our business clients, subscribers and individuals, to satisfy a legal obligation, or to pursue our legitimate interests.
6. Legal bases for processing personal data
The GDPR is not intended to prevent the processing of personal data, but to ensure that it is done lawfully, fairly and transparently, without adversely affecting the rights of the data subject. Its provisions are more extensive than those of the Data Protection Act 1998, with the GDPR placing more emphasis on accountability for and transparency about the lawful basis relied upon for data processing.
For personal data to be processed lawfully, it must be processed on the basis of one or more of the legal grounds set out in the UK GDPR. These legal bases are as follows:
Consent: you have given clear consent for us to process your personal data for a specific purpose.
Contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary (i.e. conducted in a targeted and proportionate way) for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests. In other words, a balancing test has been undertaken between our legitimate interests and your interests, rights and freedoms to assess whether yours override ours. When this legal basis is relied upon, we are under an obligation to keep it under review.
7. Why we need to process personal data
There are a number of reasons why we may need to process personal data in the course of our business dealings as previously outlined. Typically, though not exhaustively, this will be for one or more of the following reasons:
Maintaining and enhancing CAG’s products and services.
Providing products and services, such as our professional technical advice, research, analysis, capacity development and quality assurance, and managing our customer relationships.
Obtaining products and services.
Vendor administration, order management and accounts payable.
Evaluating potential suppliers.
Direct marketing of our professional services, products and capabilities to existing and prospective business clients.
Making contact or sending invitations in relation to events (physical or virtual) that we organise, either on our own account or on behalf of clients.
Communication, such as processing online requests and responding to business proposals.
Recruitment and selection of employees (applicants are also covered by our ‘job applicant’ privacy notice).
Personalising online landing pages to reflect your previous interactions with us.
External outreach activities aimed at promoting the business, such as sending out company press releases and organising networking events.
Supporting network and system security, including the security of our information systems, applications and websites, and authenticating registered users to certain areas of our sites.
Detecting and preventing fraud.
Complying with legal and regulatory obligations, such as those relating to money laundering, terrorist financing, fraud and other forms of crime, child safety, tax and immigration requirements.
Conducting web analytics.
8. How we hold your data
In order to adequately protect your personal data from loss, misuse, alteration or destruction, we have put various organisational and technical policies and procedures in place. Your data is held and accessed in accordance with the overarching data protection principles outlined earlier in this privacy notice (section 3 above). Furthermore, we respect the principle of confidentiality, whereby your information should only be accessed by those persons authorised to do so.
Key organisational and technical measures in place include:
Encryption of some personal data.
Segregation of personal data from other networks.
Access control and user authentication.
Employee training on information security.
Written information security policies and procedures.
So far as it is reasonable for us to do so, we aim not to transmit personal data over insecure channels (for example, unencrypted email or an unencrypted web form). Please be advised that whilst we do our best to protect the security of your personal data, we cannot ensure or guarantee its security while in transit if you send it to us over an insecure channel.
9. How long we retain personal data for
As a basic principle, we only retain personal data for as long as is necessary. We retain personal data to provide our services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to.
Unless a different time period is specified, e.g. under specific legislative, regulatory or contractual obligations, we will normally hold personal data for the following lengths of time:
Personal details including name and contact information: While actively engaged commercially and up to six years after commercial activities cease.
Areas of expertise: While actively engaged commercially and up to six years after commercial activities cease.
Contractual details including the goods and services provided: Six years following the termination of the contract date (or each individual contract date if more than one).
Financial details: While actively engaged commercially and up to six years after commercial activities cease.
Credit card information and payment details: While actively engaged commercially and up to six years after commercial activities cease.
Location details: While actively engaged commercially and up to six years after commercial activities cease.
Device details: While actively engaged commercially and up to six years after commercial activities cease.
User activity details and user preferences: While actively engaged commercially and up to six years after commercial activities cease.
Browser history details: While actively engaged commercially and up to six years after commercial activities cease.
Electronic identification data including IP address and information collected through cookies: While actively engaged commercially and up to six years after commercial activities cease.
Recruitment details: If the applicant is unsuccessful, up to six months following the end of the related recruitment round; thereafter up to six years for reduced information comprising name, email address, a brief description of areas of expertise, and why the applicant was unsuccessful (in accordance with our ‘job applicant’ privacy notice; successful applicants are covered by our separate ‘employee’ privacy notice).
When the applicable time period has expired, if there are no other legitimate grounds for retaining personal data, it will be disposed of in an appropriate and secure way.
10. Sharing personal data with third parties
CAG may disclose personal data to the following categories of recipients, some of which may be located outside the UK, whether within the European Economic Area (EEA) or in other third countries, or may be international organisations as defined in Article 4(26) UK GDPR:
Auditors and professional advisors, such as lawyers and consultants.
Local and national law enforcement or immigration officials.
Other governmental or regulatory agencies (such as HMRC) or other third parties as required by applicable law or regulation.
Third-party service providers, such as providers of:
IT system management;
Marketing services;
Recruitment services;
Human resources management;
Payroll administration; or
Retirement plan administration.
In circumstances where it is necessary or appropriate to share personal data with third parties, we will ensure that they comply with the same data protection principles that we are obliged to meet, including under the UK GDPR.
11. Transferring personal data outside of the UK
Sometimes it will be necessary for us to store personal data on servers located in the EEA or in other third countries. Furthermore, on occasion, such as in the performance of our services, it may be necessary for us to transfer a limited amount of personal data in reliance on the derogations in Article 49(1) UK GDPR, where the transfer is necessary for CAG’s compelling legitimate (business) interests. This will only be to reputable third-party organisations, each of which is required to safeguard personal data in accordance with our contractual obligations and data protection legislation.
Any such transfers will be in accordance with governing legislation and regulations at the time. The position regarding the transfer of personal data to countries outside of the UK has changed since 1 January 2021. Currently, the regulations are in a period of ongoing review and transition. At the time of writing, the position is as follows.
Restricted transfers from the UK to other countries, including to the EEA, are now subject to transfer rules under the UK regime. These UK transfer rules broadly mirror the EU GDPR rules, but the UK has the independence to keep the framework under review.
There are transitional arrangements which aim to smooth the transition to the new UK regime.
First, there are provisions which permit the transfer of personal data from UK to the EEA and to any countries which, as at 31 December 2020, were covered by a European Commission ‘adequacy decision’. This is to be kept under review by the UK Government. The UK government has the power to make its own ‘adequacy decisions’ in relation to third countries and international organisations. In the UK regime these are now known as ‘adequacy regulations’.
Second, for transfers from the EEA into the UK, the EU GDPR rules on restricted transfers apply. The UK Government is seeking a European Commission ‘adequacy decision’ which would allow the free flow of data under those rules. To allow time for the EU to consider whether to grant such an ‘adequacy decision’, the EU agreed as part of the new trade deal to delay transfer restrictions for at least four months (known as the bridge), which may be extended to six months. In the absence of an EU ‘adequacy decision’ at the end of the bridge, these transfers will need to comply with the EU GDPR transfer rules.
To ensure that your data (whether or not it is personal information) receives an adequate level of protection, we have put in place appropriate measures to ensure that your information is treated by those third parties in a way that is consistent with, and respects, UK data protection law. We will ensure that these measures are reflected in our commercial contracts.
12. Rights of data subjects in relation to personal data we process
Whenever we process your personal data, you have a number of rights under data protection law in relation to that data which you may exercise at any time, subject to any overriding interests that e.g. we or the public may have in retaining such information. The rights are briefly explained here:
Right of access – You may make a ‘subject access request’ at any time to find out more about the personal data which we hold on you, what we are doing with that personal data, and why.
Right to rectification – You can ask us to correct our records if you believe they contain incorrect or incomplete information about you. Personal data is deemed to be inaccurate if it is incorrect or misleading as to any matter of fact.
Right to erasure (so-called ‘right to be forgotten’) – You can ask us to erase (delete) your personal data after you withdraw your consent to processing or when we no longer need it for the purpose it was originally collected. Other grounds include that the personal data has been processed unlawfully, or that the personal data needs to be erased in order for us to comply with a particular legal obligation.
Right to restriction of processing – You can ask us to restrict or suppress the processing of your personal data in certain circumstances, as an alternative to erasing it. This includes where you contest the accuracy of your personal data, or the data has been unlawfully processed but you prefer to restrict its use by us rather than our erasing it.
Right to data portability – In certain circumstances, such as where it is technically feasible, this right allows you to obtain and reuse your personal data for your own purposes across different services. For instance, it allows you to move, copy or transfer personal data easily from one IT environment (such as our company’s IT systems) to another in a safe and secure way, without affecting its usability.
Right to object– You have the right to object to our processing of your personal data in certain circumstances, such as if we use it for direct marketing purposes. We may need to keep some minimal information to comply with your request to cease marketing to you.
Right to withdraw consent – If the legal ground for our processing of particular personal data of yours is consent, you may withdraw it at any time. Withdrawal of consent will not, however, affect the lawfulness of any processing carried out before you exercised this right.
You may exercise these rights in writing or orally (see contact details below). Where there is any uncertainty regarding your identity, we may ask you to verify it, for example by confirming three pieces of personal information, before we release any data to you.
Normally we have one calendar month in which to respond (and where appropriate also resolve) your request, acting without undue delay. In certain limited circumstances, such as where a request is complex or multiple requests are received from the same person, it may be possible to extend the time period by a further two months.
No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
13. Website analytics and cookies
The cookies that we use retain user preferences and provide anonymised tracking data to third-party applications such as Google Analytics (see Google’s privacy site to understand how these cookies work and are used). They help us to better understand how visitors navigate around and interact with our website (e.g. they record how many times particular pages are visited). Such information can assist us in better focusing our website content and experience to suit the preferences of our site’s users.
On occasion, postings on our website may include links to other vetted and reputable sites which are governed by their own privacy policies, cookies, website analytics and so forth, over which we have no control and for which we accept no responsibility. You follow such links at your own risk.
If you wish to contact us in relation to how your personal data is processed, this may be done in writing (e.g. by email or a letter) or orally. The relevant contact details are:
CAG Data Protection Officer: Gordon Pendleton, Director