CIL MANAGEMENT CONSULTANTS LIMITED – PRIVACY NOTICE

INTRODUCTION
CIL Management Consultants Limited (“we”, “our” and “us”) is committed to protecting and respecting your privacy and personal information. This policy sets out the basis on which any personal information, which we collect from you, that you provide to us or that we have received from a third party source, will be processed by us.

This policy also sets out your relevant legal rights and you should refer to section 11 for this information.

1 DEFINITIONS
References in this notice to “data protection law” mean (as applicable) the Data Protection Act 1998, the General Data Protection Regulation (Regulation (EU) 2016/679) and all related data protection legislation having effect in the United Kingdom from time to time.
References in this notice to “personal information” shall have the same meaning as “personal data” under data protection law. Where applicable, both “data” and “information” shall include “sensitive personal data” and “special categories of data” (as defined under data protection law).

2 OUR DETAILS
The data controller with conduct of your personal information is CIL Management Consultants Limited (company number 05138157) of 12 Kingsway, Frome, Somerset, England, BA11 1BT.
Our data protection officer can be contacted at CIL Management Consultants Limited, 12 Kingsway, Frome, BA11 1BT, or on DPO@cilconsultants.com

3 THIRD PARTY SITES
Our site may, from time to time, contain links to and from partners’, affiliates’ and social network sites. If you follow a link to any of these websites, please note that these sites have their own privacy notices and that we do not accept any responsibility or liability for those notices. Please check their privacy notices before you submit any personal data to those websites as they may not be on the same terms as ours.

4 SOURCES AND USE OF PERSONAL INFORMATION
Depending on your relationship to us, we obtain, process, store and share your information in different ways. We have separated these relationships into three categories:
(1) Individual clients and suppliers (section 5 below);
(2) Workers or representatives of clients and suppliers (section 6 below); and
(3) Other third parties (section 7 below).
Please read the above sections which apply to you and then continue reading this notice from section 8 onwards.

5 INDIVIDUAL CLIENTS AND SUPPLIERS
5.1 Sources and types of information we hold about you
Where you are a client or supplier of ours and you are also an individual, we:(a) Collect information about you directly. This includes where you contact us directly (such as by telephone, post or email) or give your details (such as your business card) to one of our employees or representatives in person.
(b) Collect information about you from third parties. For clients, we may receive information about you from third parties where you have consented to them sharing your information with us. We may also source information about you from information you make publicly available online, such as on your social media and website profiles. For clients and suppliers, this includes where you operate as a sole trader or within a partnership and we receive information about you from an employee or business partner of yours. For suppliers, this will typically be where we have been referred to you by a third party intermediary.
(c) Collect information about you through the use of our website. Through our website, we collect non-personally identifying information which web browsers and servers typically make available. This includes technical information, such as your IP address, your login information and information about your visit, such as records of how you navigate the pages on our site and how you interact with the pages. For details on how we use cookies, please see section 12 below.

The types of information we hold about you will typically include your name, contact address, email address, telephone number, job title and details of the organisation you work for. In the case of our clients, we may also process limited information about your interests (for example, that you enjoy watching cricket) for marketing purposes. If you are a sole trader or operate in a partnership then your bank details may also contain personal information about you.

If you are a client of ours then we may, in certain circumstances, process sensitive personal information about your dietary requirements, allergies, or other health information.

5.2 Reasons and grounds for processing your information
We process your information:
(a) If you are a client or potential client, to supply you with details of our services where you have requested these from us. This includes taking pre-contractual steps such as providing you with a price quote.
(b) If you are a client or potential client, to store your information on our client database for marketing purposes and, where you have opted into receiving the same, and/or where we have a legitimate interest in doing so, to send you marketing communications concerning our service offerings and events which we think may be of interest to you.
(c) If you are a client, to provide you with the services you have requested from us and to discharge our contractual obligations to you, including taking appropriate steps to administer your account with us.
(d) If you are a client and you have provided us with dietary, allergy or other health information, to ensure we accommodate your relevant requirements.
(e) If you are a client or a supplier, to comply with our record keeping, regulatory and other legal compliance responsibilities.
(f) If you are a client or a supplier, to administer any dispute or potential for dispute between us.
(g) If you are a supplier, to administer the contractual relationship between us, including taking pre-contractual steps such as obtaining a price quote from you.
Under data protection law we carry out this processing on the following grounds:
(i) For clients and suppliers, the processing is necessary for us to perform our contractual obligations to you, including us carrying out any pre-contractual steps we have been instructed to take.
(ii) In the case of sending marketing materials:
a. where we are relying on the soft opt-in under the Privacy and Electronic Communications Regulations, because we have a legitimate business interest in sending you news and information about our business and that interest is not overridden by your interests and fundamental rights and freedoms (for example because you can opt-out of such materials at any time); or
b. we otherwise have obtained your consent to us sending you marketing communications.
(iii) In certain cases, the processing is necessary for us to comply with our legal obligations.
(iv) Where you have provided us with sensitive personal information about your diet, allergies or health, because you have previously expressly consented to us processing such information for that purpose. Additionally and in very limited circumstances, we may be entitled to process such information on the basis that it is necessary to protect your vital interests should you become incapable (e.g. for adverse health reasons) of giving consent.
(v) In the event of a dispute arising between us we have a legitimate interest in processing your personal information to resolve that dispute and we are satisfied that your interests and fundamental rights and freedoms do not override our interest in doing so.

6 WORKERS OR REPRESENTATIVES OF CLIENTS AND SUPPLIERS
6.1 Sources and types of information we hold about you
Where you are a worker or representative of a client or supplier of ours then we:
(a) Collect information about you directly. This includes where you contact us directly (such as by telephone, post or email) or give your details (such as your business card) to one of our employees or representatives in person.
(b) Collect information about you from third parties. This is typically where another person from your organisation provides us with your details.
(c) Collect about you through the use of our website. Through our website, we collect non-personally identifying information which web browsers and servers typically make available. This includes technical information, such as your IP address, your login information and information about your visit, such as records of how you navigate the pages on our site and how you interact with the pages. For details on how we use cookies, please see our ‘Cookies’ section below.
The types of information we hold about you will typically include your name, contact address, email address, telephone number, job title and details of the organisation you work for. In the case of workers and representatives of our clients, we may also process limited information about your interests (for example, that you enjoy watching cricket) for marketing purposes.
If you work for or represent a client of ours then we may, in certain circumstances, process sensitive personal information about your dietary requirements, allergies, or other health information.

6.2 Reasons and grounds for processing your information
We process your information:
(a) If you work for or represent a client or potential client, to supply our client with details of our products and services where these have been requested from us. This includes taking pre-contractual steps such as providing a price quote.
(b) If you work for or represent a client or potential client, to store your information on our client database for marketing purposes and, where you have opted into receiving the same, and/or where we have a legitimate interest in doing so based on the soft opt-in under the Privacy and Electronic Communications Regulations, send you marketing communications concerning our service offerings and events which we think may be of interest to you.
(c) If you work for or represent a client, to provide that client with the services requested from us and to discharge our contractual obligations to the client, including taking appropriate steps to administer the client’s account with us.
(d) If you work for or represent a client and you have provided us with dietary, allergy or other health information, to ensure we accommodate your relevant requirements.
(e) If you work for or represent a client or a supplier, to comply with our record keeping, regulatory and other legal compliance responsibilities.
(f) If you work for or represent a client or a supplier, to administer any dispute or potential for dispute between the client/supplier and us.
(g) If you work for or represent a supplier, to administer the contractual relationship between the supplier and us, including taking pre-contractual steps such as maintaining a record of price quotes the supplier has provided to us and making payment to the supplier.
Under data protection law we carry out this processing on the following grounds:
(i) Where you work for or represent a client or supplier, we have a legitimate interest in processing your information in order to carry out our contractual obligations (including requested pre-contractual steps) with the client or supplier and we are satisfied that your interests and fundamental rights and freedoms do not override our interest in doing so.
(ii) In the case of sending marketing materials:
a. where we are relying on the soft opt-in under the Privacy and Electronic Communications Regulations, because we have a legitimate business interest in sending you news and information about our business and that interest is not overridden by your interests and fundamental rights and freedoms (for example because you can opt-out of such materials at any time); or
b. we have otherwise obtained your consent to us sending you marketing communications.
(iii) In certain cases, the processing is necessary for us to comply with our legal obligations, for example where regulations oblige us to keep records of our clients’ details and account information.
(iv) Where you have provided us with sensitive personal information about your diet, allergies or health, because you have previously expressly consented to us processing such information for that purpose.
(v) In the event of a dispute arising between the client/supplier and us, we have a legitimate interest in processing your personal information to resolve that dispute and we are satisfied that your interests and fundamental rights and freedoms do not override our interest in doing so.

7 OTHER THIRD PARTIES
7.1 Sources and types of information we hold about you
In certain circumstances we may process your personal information where you are not a client or supplier of ours (or a worker or representative of the same). This includes where we conduct market research as part of the services we provide to our clients.
We will usually process information about you which we have obtained from you directly (such as from your business card) or which is publicly available online (such as from your social media or website profiles). Sometimes your information will be provided to us by our client.
The information we hold about you will usually comprise your name, job title, details of the organisation you work for or represent and your business contact information (principally your email address).
7.2 Reasons and grounds for processing your information
We process your information for the following reasons, depending on the circumstances, to:
(a) Advise our client;
(b) Store your information on our database for marketing purposes and to send you marketing communications; and/or
(c) Keep an internal record of our interaction with you;
Under data protection law we carry out this processing because we have a legitimate interest in:
(i) processing your information for the purpose of advising our client;
(ii) sending you news and information about our business; and
(iii) keeping internal business records of communications with key contacts,
and those interests are not overridden by your interests and fundamental rights and freedoms.

8 HOW LONG WE KEEP YOUR INFORMATION FOR
We only keep your information for so long as is reasonably necessary.
When setting our data retention periods, we consider the amount, nature, and sensitivity of the information we hold, the potential risk of harm from unauthorised use or disclosure of the information and the purposes for which we process the information (including whether we can achieve those purposes by other means). We also take into account our other legal obligations to keep or securely dispose of personal information.
Generally speaking, we keep your information for the following periods of time:
(a) If you or your organisation make an enquiry with us but ultimately do not become a client of ours 10 years from the date of our discussions ending (or if we did not reply, from the date of your enquiry).
(b) If you or your organisation are a potential supplier of ours but a contract is not entered into between us 10 years from the date of our discussions ending (or if we did not reply to your enquiry, from the date of your enquiry).
(c) If you are or have been a client of ours, 10 years from the date your engagement with us ends.
(d) If you work for or represent a client of ours, 10 years from the date of the client’s last contact with us (or, if sooner, from the date we are notified that you are no longer a contact for that client).
(e) If you are or have been a supplier of ours, 7 years from the date your contract with us ends.
(f) If you work for or represent a supplier of ours, 7 years from the date the supplier’s contract with us ended (or, if sooner, from the date we are notified that you are no longer a contact for that supplier).
(g) In all other cases 10 years.
If we need to keep your information for a longer period then we will notify you of the reason and grounds for doing so.

9 WHO IS YOUR INFORMATION SHARED WITH?
Your personal information is not shared with anyone except where we are required to do so to comply with the law, to protect our rights, to perform our contractual obligations to you or to keep you updated of developments to our business and services.
In order to achieve these purposes, we share your data with the following people or group of people:
(a) If you are an employee of a client or supplier of ours then we may share your information with your employer. Similarly, if you are a sole trader or partner in a business partnership then we may share your information with your employees (and if applicable, other partners). This is only done to the extent necessary for us to properly provide our services.
(b) Our IT providers will sometimes be given access to our databases in order to monitor and improve our IT systems. Our IT providers have a strict contractual obligation to handle your information in accordance with data protection law and to keep it confidential at all times.
(c) Where you provide us with dietary or allergy information, or information about your health-related requirements, we may share that information with facility providers such as caterers (for dietary requirements) or venue organisers (e.g. hotels and transportation companies). You will have been notified of this fact at the point you shared that information with us (e.g. when signing our consent form).
(d) Our outsourced financial administrator receives personal information for the purpose of, amongst other things, raising client invoices on our behalf. The provider is based in Israel. As Israel is the subject of a European Commission adequacy decision, and because the provider is subject to strict contractual duties to ensure the confidentiality and security of your information, we are satisfied that your information is shared in full accordance with data protection law.
(e) Our professional advisers (including accountants, book keepers and lawyers). All such people are subject to strict duties of confidentiality.
(f) Potential purchasers of our business would have access to redacted information about our clients, suppliers and their workers/representatives. Before we shared such information the potential purchaser would need to sign a non-disclosure agreement which fully complies with data protection law.
Except as set out above, to the best of our knowledge, understanding and belief, your information will not be transferred outside of the European Economic Area or to any country which is not approved by the European Commission. If this changes then we will let you know.

10 AUTOMATED DECISION MAKING
We do not make automated decisions about you based on your information. If this changes in the future then we will let you know.

11 YOUR RIGHTS
Under data protection law you have the following rights:
(a) If we are processing your data on the basis of your consent then you have the right to withdraw that consent at any time. Consent can be withdrawn by and notifying us using the details set out in section 16 below. Consent to marketing communications can be withdrawn by following the steps outlined in that communication, such as clicking the ‘unsubscribe’ link in the marketing emails we send. The lawfulness of our historic processing based on your consent will not be retrospectively affected by your withdrawal of consent.
(b) The right to access a copy of your information which we hold. This is called a ‘subject access request’. Additional details on how to exercise this right are set out in section 13, below.
(c) The right to prevent us processing your information for direct marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data or by contacting us using the details set out in section 16, below.
(d) The right to object to decisions being made about you by automated means. We will inform you if your information is subject to automated processing.
(e) The right to object to us processing your personal information in certain other situations.
(f) The right, in certain circumstances, to have your information rectified, blocked, erased or destroyed if it is inaccurate.
(g) The right, in certain circumstances, to claim compensation for damages caused by us breaching data protection law.
From 25 May 2018 you will have the following additional rights under data protection law:
(h) Enhanced rights to request that we erase, rectify, cease processing and/or delete your information.
(i) In certain circumstances, the right to request the information we hold on you in a machine readable format so that you can transfer it to other services. This right is called ‘data portability’. Additional details on how to exercise this right are set out in section 13, below.
You also have the general right to complain to us (in the first instance) and to the Information Commissioner’s Office (if you are not satisfied by our response) if you have any concerns about how we hold and process your information. Our contact details are set out in section 16, below. The Information Commissioner’s Office website is www.ico.org.uk.
For further information on your rights under data protection law and how to exercise them, you can contact Citizens Advice Bureau (www.citizensadvice.org.uk) or the Information Commissioner’s Office (www.ico.org.uk).

12 COOKIES
Our site uses cookies to distinguish you from other users of our website. This helps us to provide you with a good browsing experience and also allows us to improve our website.
Visitors to our site who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using our website. This may mean that some features of our website may not function properly without the aid of cookies.

13 ACCESS TO INFORMATION
Under data protection law you can exercise your right of access by making a written request to receive copies of some of the information we hold on you. If you make your request before 25 May 2018, you will need to pay a £10 fee. You must send us proof of your identity, or proof of authority if making the request on behalf of someone else, before we can supply the information to you. Requests should be sent to us using the contact details in section 16 below.
From 25 May 2018 you will:
(a) no longer have to pay a £10 fee unless you are requesting copies of documents you already possess, in which case we may charge our reasonable administrative costs. We will also be allowed to charge you for our reasonable administrative costs in collating and providing you with details of the requested information which we hold about you if your request is clearly unfounded or excessive. In very limited circumstances, we are also entitled to refuse to comply with your request if it is particularly onerous; and
(b) in certain circumstances, be entitled to receive the information in a structured, commonly used and machine readable form.

14 DATA SECURITY
We will always store your digital information on secure servers. Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your information, we cannot guarantee the security of your information transmitted to our site or otherwise to our servers (such as by email). Any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

15 CHANGES TO OUR PRIVACY NOTICE
This notice was last updated on 8 May 2018. Any material changes we may make to our privacy notice in the future will be uploaded to our website and if the change is significant we will send you the updated notice by email. Please check back frequently to see any updates or changes to our privacy notice.

16 CONTACT
Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to our DPO, Tom Fletcher, using the following details:
(a) by post to: Data Protection Officer, CIL Management Consultants Limited, 12 Kingsway, Frome BA11 1BT; or
(b) by email to DPO@cilconsultants.com.