The following information applies to those who receive services from us or seek to do so (“our Clients”) or those who work for our Clients or are otherwise connected to our Clients’ businesses. These conditions apply in addition to those for the use of our website. Where any conflict arises between the Website conditions and these, the conditions contained in this statement shall prevail.
Types of Personal Data Processed
The types of personal data processed will vary depending on the data we are required to process to enter into a contract to deliver or to deliver the requested service(s) to our Clients and by our engagement terms with our Clients. We may be asked to process ‘personal data’ as defined in Section 3(2) of the Data Protection Act 2018 and ‘Special c=Category Personal Data’ as defined in Article 9(1) GDPR.
Categories of Data Subjects
Personal data we process for our own purposes and/or by contracts with our Clients may include but may not be limited to a third-party and prospective clients’ data, our Client’s staff data, our Client’s contractor data, supplier data and data of children.
Data about these individuals may include but not be limited to the following categories:
| Category | Examples (not an exhaustive list) |
|---|---|
| Demographic | Name, address, date of birth, telephone number, email address, marital status |
| Financial | Bank details, salary information, tax liabilities, other pay deductions, payments to others |
| Employment | Employer, job title, employment contact details, employment history |
| Social | Achievements, social media information, education |
| Special category | Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual orientation |
As we act as a data processor, our clients will determine the categories of data subjects as contemplated by our contracts with them. Usually, we will only require limited aspects of our Client’s staff data for our own purposes. We will advise our clients on whether we should process any other categories of personal data for our own purposes.
Legal Basis for Data Processing
Generally, it will be our Client’s responsibility as a Data Controller to ensure we are provided with personal data for processing activities for which they have identified a legal basis for such processing. We will not accept responsibility for our Client providing us with personal data where they have no legal basis for doing so.
Where we require personal data from our Clients for our own purposes, we usually do so on the following legal bases as defined under GDPR:
- Contract entry and performance: To commence working with our Clients, we are legally required to take specific steps, such as assuring ourselves of their identity. To do so, we require personal data from our clients and personal data relating to the individuals they are connected with. During our work with clients, we may need to process personal data about individuals to enable us to deliver service(s) to them.
- Our legitimate interests: We may also use personal data based on our legitimate interests to promote and develop our services and assess our performance. Activities promoting our services include direct marketing, which individuals may opt out of at any time. Opt-out can be achieved by responding using the unsubscribe options contained within the information you have received or by emailing our Data Protection Officer at privacy@chathams.co
- Legal obligations: Certain statutory and/or regulatory professional rights and obligations apply to Chatham International’s work, which requires us to process personal data and, in some circumstances, provide it to third parties such as our regulators and supervisory authorities, law enforcement authorities and agencies, or other competent authorities.
Where we receive Special Category Personal Data as a result of our professional engagements with Clients, we process it on the basis that our clients have given explicit consent to provide such data to us or in accordance with the other legal bases set out through Article 9 GDPR (Section 10 DPA).
Where we process Special Category Personal Data relating to an individual for our own purposes, we seek consent to process such data or otherwise process the same by the other legal bases set out through Article 9 GDPR (Section 10 DPA).
Duration of Processing
We will process personal data for as long as we are required to do so for the purposes of the services we provide to our Clients, to meet our legal and statutory rights and/or obligations, and for our prudent risk management purposes of data retention in accordance with our Data Retention Policy. At the cessation of our processing activities, it is our Client’s choice as to what happens to the personal data we have been provided with. We will work with our clients to follow their reasonable instructions.
Our Data Retention Policy will manage the personal data we collect to reflect current legal and regulatory rights and obligations.
Use of Sub-Processors / Service Providers
As part of our service delivery, we may need to use subprocessors. Where we engage a subprocessor to work directly on the services provided to our Clients, we will notify the Clients of this.
We also use several ancillary service providers to deliver our services.
Our IT support is primarily provided by Chatham International Ltd and utilised by several external parties. Some solutions we utilise are cloud-based, and our need to rely upon those systems varies depending on the services we deliver.
Chatham International bounds all ancillary service providers to provide at least the same level of protection for personal data as we do.
Most ancillary providers do not directly handle an individual’s data but simply provide secure storage solutions for the data we process. Unless we have expressly agreed to conditions with them, subprocessors and ancillary providers are prohibited from using an individual’s personal data for their own purposes.
Data Transfers
As a subsidiary of Chatham Management Consultancies Co, we use several suppliers to provide us with IT and other associated services to deliver our business and services. In some cases, the suppliers we use will be granted access to the data we are processing to provide us with technical assistance. Such processing activities are not directly related to our principal services to Clients and are considered ancillary to our internal activities.
As an International firm, our people must be able to work from anywhere in the world using our IT services. Data may be stored on Chatham encrypted devices and transported with individuals as necessary to deliver our services according to the terms and conditions we have agreed upon with our clients. We have implemented appropriate technical measures to ensure data remains secure irrespective of where our people deliver our services.
As part of our service delivery, we process limited personal data for the purposes of, including but not limited to, data storage, backup, destruction, billing, client management, administration, conflict checking, and know-how.
We may process an individual’s personal data through any of our other Group member firms worldwide. If this is necessary, we will ensure appropriate controls exist and execute EU-standard contractual clauses where necessary to protect personal data and data subject rights and freedoms.
Where we act as a data processor on our Clients’ behalf, we are permitted by our clients to use EU standard contractual clause agreements with our chosen sub-processors. All such contracts will be in our name, and individuals covered by this statement may enforce rights against the sub-processor(s) directly through us.
Your Data Subject Rights
You may exercise several rights where we act as a Data Controller for personal data.
You may:
- Request access to the personal data we hold about you
- Ask us to correct any inaccurate data
- Request to have your personal data deleted
- Put in place restrictions on our processing of your data
- Ask us to transfer your data to another controller (data portability)
We will handle all exercises of your data subject rights according to the requirements of GDPR and any national laws at your request. Requests should be submitted in writing to our Data Protection Officer (privacy@chathams.co).
Suppose you are dissatisfied with how we handled your personal data, and we cannot resolve the matter. You may take your complaint to the Information Commissioner’s Office. Further details can be found on their website at www.ico.org.uk.
Should we receive a request from any individual to exercise data subject rights, but we are only acting as a Data Processor, we will forward your request to our Client as Data Controller to process. Unless explicitly instructed not to, we will advise the individual that we have passed their request on to the Data Controller.
Data Security
Chatham Management Consultancies Co is responsible for our technological and organisational controls, including policies and procedures, to protect personally identifiable information from loss, misuse, alteration, or unintentional destruction. Our personnel with access to the data have been trained to maintain the confidentiality of such information. Conditions to protect data to at least the same standard as ours are cascaded to all our contractors, sub processors and suppliers.
We regularly monitor and test our security defenses to ensure they remain effective against the latest threats.
Data transferred over the Internet by us and through our website are protected using encryption technologies to ensure their security.
Please note that no communications over the Internet can be guaranteed to be secure. While we take appropriate steps to protect personal data, we cannot guarantee that it will remain secure in transit. Once data reaches your network, it is your responsibility to ensure it remains secure.
Controls put in place by Chatham Management Consultancies Co also apply to us as a direct subsidiary.
Marketing emails
Some of our marketing emails may contain web beacons, web bugs, cookies, or similar technologies that enable us to understand whether an individual opens, reads, or deletes the message and any interaction an individual makes with links. When an individual clicks on a link in a marketing email they receive from us, we may also use cookies to log what pages that individual views by our cookies policy.
Targeted emails from us may include additional data privacy information as required by applicable privacy laws.
Changes to this Statement
We recommend you check this statement regularly so you remain in agreement with our activities regarding ng personal data.
Should we make significant changes to the way we process data, we will draw your attention to the relevant part(s) of this statement through email and other appropriate communications as part of our business activities.
Any changes to our ‘Website’ privacy notice shall be managed by the terms stated.