Convergent Risks Privacy Policy
Effective Date: May 25, 2018
Convergent Risks (“Convergent Risks”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy (together with our terms of use and any other document referred to within it) sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us when you: (i) register or visit our website (the “Site”); or (ii) engage with us to use the products or services that we provide (our “Services”). This Privacy Policy will also inform you as to how we look after your personal information and tell you about your privacy rights and how the law protects you.
Who we are and what we do
Convergent Risks provide services relating to the identification, assessment and mitigation of risk. Our services include but are not limited to infrastructure and utilities security and risk management consultancy, Media & Entertainment security, compliance and consultancy including security assessments via the Trusted Partner Network and privacy compliance consultancy.
Convergent Risks is made up of different legal entities. This Privacy Policy is issued on behalf of the Convergent Risks corporate group of companies, so when we mention “Convergent”, “we”, “us” or “our” in this Privacy Policy, we are referring to the relevant Convergent Risks company responsible for your personal information when you register or visit our Site or when you engage with us to use the products or services that we provide (i.e., the data controller). Where Convergent acts as a processor in respect of certain service offerings, we process the personal information you provide in accordance with the instructions of the relevant data controller organisation.
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
How to contact us
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues or any other appointed supervisory authority in your jurisdiction. We would, however, appreciate the chance to deal with your concerns before you approach any supervisory authority, so please contact us in the first instance.
Data Protection Officer
Convergent Risks
Basepoint Business Centre
377 – 399 London Road
Camberley
GU15 3HL
E: [email protected]
T: +44 (0) 1276 415 725
What personal information do we collect
1.) Information you provide on a voluntary basis
We may collect, store and process personal information about you in the course of our business, including through your use of our Site, when you contact or request information from us, when you engage us to provide our products or services or as a result of your relationship with one or more of our staff or clients. This information may include:
- contact details including name, email, telephone number and address
- login and account information, including screen name, password and unique user ID
- personal details including gender and date of birth
- payment or credit card information
- personal preferences including your marketing and cookie preference
- content you may provide via an assessment, form, questionnaire or on our website.
The provision of such information is voluntary, however, failure to provide certain information may affect your experience of our Site, as well as the goods and/or services we are able to offer. Some of the information may include sensitive information, the processing of which is either based on a legal obligation or on your freely-given consent (which can be withdrawn at any time), as appropriate in each case.
2). Personal data we collect automatically
When you visit our Site, certain information may automatically be collected and stored on our servers for the purpose of system administration, security, backup and technical support and for statistical use. Such information may comprise may include:
- date and time
- originating IP address;
domain name - type of browser and operating system used (if provided by the browser)
- URL of the referring page (if provided by the browser)
- object requested
- completion status of the request
- geographic location
- language preferences
Our Site uses cookies to distinguish you from other users. This helps us to provide you with a good experience when you browse our Site and also allows us to improve our Site. For detailed information on the cookies we use and the purposes for which we use them, see our Cookies Policy.
Purposes for which we will use your personal information
We may use your information for the following purposes:
1). Fulfilment of Services
Where relevant, we collect and maintain personal information that you voluntarily submit to us during your use of the Site and/or our Services to enable us to perform the Services.
What is our legal basis? It is necessary for us to process your information to perform our obligations in accordance with any contract that we may have with you (either directly or via a third-party organisation such as the Trusted Partner Network). It is in our legitimate interest or a third party’s legitimate interest to use your personal information in such a way to ensure that we provide the very best client service we can to you or others.
2). Client services
Our Site uses various user interfaces to allow you to request information about our Services including electronic enquiry forms and a telephone enquiry service. Contact information may be requested in each case, together with details of other personal information that is relevant to your Service enquiry. This information is used in order to enable us to respond to your requests.
What is our legal basis? It is in our legitimate interest or a third party’s legitimate interest to use your personal information in such a way to ensure that we provide the very best client service we can to you or others.
3). Business administration and legal compliance
Where relevant, we use your personal information for the following business administration and legal compliance purposes:
- to comply with our legal obligations (including any Know Your Client or Anti-Money Laundering or Anti-Bribery, conflicts or similar obligations including, but without limitation, maintaining regulatory insurance)
- to enforce our legal rights
- to protect the rights of third parties
- in connection with a business transaction such as a merger, or a restructuring, or sale.
What is our legal basis? Where we use your personal information in connection with a business transition, to enforce our legal rights, or to protect the rights of third parties it is in our or a third party’s legitimate interest to do so. For all other purposes described in this section, it is our legal obligation to use your personal information to comply with any legal obligations imposed upon us.
4). Recruitment
Where relevant, we use your personal information for the following recruitment purposes:
- to assess your suitability for any position for which you may apply at Convergent Risks whether such application has been received by us online, via email or by hard copy or an in-person application
- to review Convergent Risks’ equal opportunity profile in accordance with applicable legislation to ensure that we do not discriminate on the grounds of gender, race, ethnic origin, age, religion, sexual orientation, disability or any other basis covered by local legislation. All employment related decisions are made entirely on merit.
What is our legal basis? Where we use your personal information in connection with recruitment it will be in connection with us taking steps at your request to enter a contract we may have with you or it is in our legitimate interest to use personal information in such a way to ensure that we can make the best recruitment decisions for Convergent Risks. We will not process any special category data except where we are able to do so under applicable legislation or with your explicit consent.
5). Marketing communications
Where relevant, we carry out the following marketing activities using your personal information:
- Postal marketing
- Email marketing
We use information that we observe about you from your interactions with our Site, our email communications to you and/or with Services to send you marketing communications.
What is our legal basis? It is in our legitimate interest to use your personal information for marketing purposes. We will only send you marketing communications where you have consented to receive such marketing communications, or where we have a lawful right to do so.
6). Client insight and analysis
Where relevant, we analyse your contact details with other personal information that we observe about you from your interactions with our Site, our email communications to you and/or with our Services such as the Services you have viewed.
Where you have given your consent (where lawfully required), we use cookies, log files and other technologies to collect personal information from the computer hardware and software you use to access the Site, or from your mobile. This includes the following:
- an IP address to monitor Site traffic and volume
- a session ID to track usage statistics on our Site
- information regarding your personal or professional interests, demographics, experiences with our products and contact preferences.
Our web pages contain “cookies” “web beacons” or “pixel tags” (“Tags”). Tags allow us to track receipt of an email to you, to count users that have visited a web page or opened an email and collect other types of aggregate information. Once you click on an email that contains a Tag, your contact information may subsequently be cross-referenced to the source email and the relevant Tag. In some of our email messages, we use a “click-through URL” linked to certain Site administered by us or on our behalf. Please see our Cookies Policy further information.
By using this information, we are able to measure the effectiveness of our content and how visitors use our Site and our Services. This allows us to learn what pages of our Site are most attractive to our visitors, which parts of our Site are the most interesting and what kind of offers our registered users like to see. We also use this information for marketing purposes (see the marketing section above for further details).
What is our legal basis? Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information in such a way to ensure that we provide the very best products and services to you and our other clients. Any other purposes for which we wish to use your personal information that are not listed above, or any other changes we propose to make to the existing purposes will be notified to you using your contact details, where available.
Legal basis to use or process your personal information
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- where we need to perform the contract, we are about to enter into or have entered into with you
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
- where we need to comply with a legal or regulatory obligation.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who do we share your personal information with?
We share personal information with third parties who perform services on our behalf and where relevant, for whom we perform services for. These third parties are not authorised by us to use or disclose the information, except as necessary for the performance of a relevant contract, to perform services on our behalf or comply with legal requirements. We may share personal information with analytics and search engine providers that assist us in the improvement and optimisation of our Site. Where a condition of us entering into a contract with you, we may share personal information with credit reference agencies for the purpose of assessing your credit score. We may also share the personal information we obtain with our affiliates, subsidiaries and other group companies.
If we share your personal information with such persons, we will ensure that an adequate level of protection is in place to protect your personal information in accordance with applicable law.
We may also disclose information about you in the following circumstances
- if we are required to do so by law, regulation or legal process (such as a court order or subpoena) including lawful requests by public authorities to meet national security or law enforcement requirements
- in response to requests by government agencies, such as law enforcement authorities
- for the purpose of or in connection with legal proceedings, or otherwise for the purpose of establishing, exercising or defending our legal rights
- when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.
We reserve the right to transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganisation, dissolution or liquidation), but only where we have first taken reasonable steps to ensure the security and confidentiality of your information.
International data transfers
In order to provide the Services, we may need to transfer your personal information to locations outside the jurisdiction in which you provide it. If you are based within the European Economic Area (EEA), please note that where necessary to deliver the Services, this may involve the transfer of your personal information to countries outside the EEA, including to the United States. Whenever we transfer your personal information out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring an appropriate safeguard is implemented. Please contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the EEA.
Data security
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long do we keep your personal information for?
For visitors to the Site, we will retain relevant personal information for at least three years from the date of our last interaction with you and in compliance with our obligations under the EU General Data Protection Regulation or similar legislation around the world, or for longer if we are required to do so according to our regulatory obligations or professional indemnity obligations.
For Service provision to any client, we will retain relevant personal information for at least six years from the date of our last interaction with that client and in compliance with our obligations under the EU General Data Protection Regulation or similar legislation around the world, or for longer as we are required to do so according to our regulatory obligations or professional indemnity obligations. We may then destroy such files without further notice or liability.
If personal information is only useful or relevant for a short period e.g. for specific marketing campaigns, we will delete such personal information as soon as it is no longer required for the purpose in which it was collected for.
How to access your information and your other legal rights
You have the following rights in relation to the personal information we hold about you:
1). Your right of access
If you ask us, we’ll confirm whether we’re processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
2). Your right to rectification
If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified. If you are entitled to rectification and if we’ve shared your personal information with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.
3). Your right to erasure
You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we’ve shared your personal information with others, we’ll let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.
4). Your right to restrict processing
You can ask us to ‘block’ or suppress the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we’ve shared your personal information with others, we’ll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.
5). Your right to data portability
You have the right, in certain circumstances, to obtain personal information you’ve provided us with (in a structured, commonly used and machine-readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
6). Your right to object
You can ask us to stop processing your personal information, and we will do so, if we are:
- relying on our own or someone else’s legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing
- processing your personal information for direct marketing purposes.
7). Your right to withdraw consent
If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.
8). Your right to lodge a complaint with the supervisory authority
If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the relevant Supervisory Authority. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the data or where data may be exempt from disclosure due to reasons of legal professional privilege or professional secrecy obligations.
Third-party links
This Site may include links to third-party Sites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party Sites and are not responsible for their privacy statements. When you leave our Site, we encourage you to read the Privacy Policy of every Site you visit
Changes to the Privacy Policy and your duty to inform us of changes
We may make changes to this Privacy Policy from time to time. To ensure that you are always aware of how we use your personal information we will update this Privacy Policy from time to time to reflect any changes to our use of your personal information. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Where it is practicable, we will notify you by email of any significant changes. However, we encourage you to review this Privacy Policy periodically to be informed of how we use your personal information.