
PRIVACY POLICY GOVERNING THE USE OF PERSONAL DATA

Last updated: May 2018

 

A: Purpose

This Privacy Policy explains how CVA uses personal data it is provided with by you (the ‘data subject’), or collects from other sources, and explains your rights regarding our use of this data, in accordance with the requirements of the EU’s General Data Protection Regulation (GDPR).

GDPR lays down several general principles for the use of personal data.  Such data must be collected for specified, explicit, and legitimate purposes.  It must be adequate, relevant and limited to what is necessary in relation to the purposes for which the information is processed.  It must be kept no longer than necessary, and it must be processed in a manner that ensures appropriate security.

CVA is a ‘data controller’ as defined by GDPR.  This means that CVA determines how the personal data it holds is to be used (‘processed’), and is therefore responsible for ensuring this data is processed in accordance with GDPR requirements.  In some cases, CVA undertakes this ‘processing’ of the data.  In other cases, trusted third party suppliers undertake processing on our behalf.  The term ‘processing’ as defined by GDPR essentially covers anything that might be done to or with the data, including simply accessing it to read from a screen.

CVA’s data controller can be contacted by emailing data.controller@corporate-value.com, for instance if you wish to assert any of the data rights outlined in Section D, below.

B: Purposes, categories of personal data, and legal basis of processing

CVA processes personal data for the following purposes:

 

B1: Business development

The legal basis of processing is that it is necessary for the purposes of CVA’s legitimate interests.  CVA’s legitimate interests are:

B1.1: Maintaining relationships with existing clients, ensuring that we remain informed about their businesses and so can continue developing solutions to help improve their business performance and solve business challenges, including proactively suggesting relevant solutions based on our understanding of our clients’ needs.

B1.2:  Marketing relevant solutions to appropriate individuals at prospective clients, based on our understanding of prospective clients’ needs, which they would otherwise remain unaware of.

B1.3: Responding to direct requests or enquiries about possible solutions to business problems by existing or prospective clients.

The categories of personal data processed for this purpose are:

Provision of personal data for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so.

We may also collect personal data for this purpose from other sources, including: a data subject’s own business contacts with whom we have a prior relationship; news and other media publications; content published on social media; company reports; investor relations presentations; publicly available industry analyses; industry conferences; and other networking events.

Potential recipients of personal data collected for this purpose are all CVA staff involved in business development activities.

Personal data processed for this purpose will be retained for a period not exceeding 4 years from the date of the last contact with an individual for this purpose.

 

B2:  The performance of contracts with clients

The legal basis of processing is that it is necessary for the performance of a contract to which the data subject is party.  The categories of personal data processed for this purpose are:

Provision of personal data for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so.  Failure to provide the requested personal data may substantially impact the quality of the work we are contracted to perform.

Potential recipients of personal data collected for this purpose are all CVA staff involved in delivery of the relevant contract, and all CVA staff involved in managing the client relationship with the data subject’s employer.

Personal data processed for this purpose will be retained for a period not exceeding 6 years from the termination of the contract in question.

 

B3:  Business and operations management

This includes: paying salaries and tax / national insurance, making pension contributions, reimbursement of work-related expenses, performance assessment, employee coaching and training, undertaking recruitment activities, internal and external communications, resource planning, and profitability management.

The legal bases of processing are: that it is necessary for the performance of a contract to which the data subject is party; for compliance with a legal obligation to which CVA is subject; and / or for the purposes of the legitimate interests pursued by CVA.

CVA’s legitimate interests are:

B3.1:  Ensuring employees are of the requisite standard in terms of skills, capabilities, experience and business ethics / behaviour.

B3.2: Ensuring underperforming employees can be identified quickly, and appropriate action taken, while high performing employees can be appropriately rewarded.

B3.3:  Ensuring effective management of available human resources and the timely availability of appropriate management information about resource utilisation and profitability.

B3.4:  Ensuring effective communication between employees.

B3.5:  Ensuring the company is able to effectively communicate the benefits of the services it offers to clients, and its value proposition to employees, to an external audience.

The categories of personal information processed for this purpose are:

Provision of personal data for this purpose by a data subject is a contractual requirement: failure to provide the personal data will mean we are unable to meet our contractual obligations to the data subject, for instance paying his or her salary, or reimbursing expenses.

We will also collect personal data for this purpose from other sources, including: colleagues in a management or other supervisory role, and the output of the firm’s HR processes.

Potential recipients of personal data collected for this purpose are staff involved in the firm’s administration and management.

Personal data processed for this purpose will be retained for a period not exceeding 6 years after the data subject leaves CVA’s employ, with the exception of: bank account details, which will be deleted as soon as practically possible following the termination of employment; and any personal data where retention of data could be beneficial to a data subject beyond this date (e.g. to enable CVA to provide references or confirmation of employment).

 

B4:  Recruitment of employees and contractors

This includes solicitation and assessment of job applications, reimbursement of travel expenses, and on-boarding of new hires.

The legal basis for processing is that it is for the purposes of CVA’s legitimate interest; and for compliance with a legal obligation to which CVA is subject.

CVA’s legitimate interest is:

B4.1:  Ensuring its new recruits are of the requisite standard in terms of skills, capabilities, experience and trustworthiness.

As a minimum, the categories of personal data processed for this purpose are:

Provision of the above personal data collected for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so.  However, failure to provide the requested information will usually mean that the data subject’s job application cannot be progressed.

For applications received through our recruiting website, some of the information a data subject provides is used in an automatic scoring process that prioritises candidates in terms of academic excellence, evidence of mathematical ability, and language skills.  However, in every case, a final decision on whether or not to invite a candidate for interview is made by an assessment panel consisting of at least two experienced staff members.

Potential recipients of the above personal data collected for this purpose are staff involved in administration and management of the business, and staff involved in conducting candidate interviews.

Personal data on unsuccessful candidates will be retained for a period not exceeding 6 months from the date their application is rejected, with the exception of bank details, which will be deleted immediately following payment of any travel expenses.

In the case of successful candidates, additional categories of personal data are processed:

Provision of personal data in these additional categories is either a statutory or contractual requirement.  Failure to provide this additional personal data may result in an offer of employment being rescinded.

Potential recipients of this additional personal data are staff involved in the firm’s administration and management.

Personal data relating to successful candidates will be retained for a period not exceeding 6 years after the data subject leaves CVA’s employ.

 

B5:  Research and development

The legal basis of processing is the purpose of pursuing CVA’s legitimate interests.

CVA’s legitimate interests are:

B5.1:  Ensuring the firm remains up to date with the latest developments in industry sectors it works in, or aspires to work in.

B5.2:  Enabling the development of new solutions that provide CVA with a competitive advantage.

The categories of personal data processed for this purpose are:

Provision of personal data for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so.

We may also collect personal data for this purpose from other sources, including: a data subject’s own business contacts with whom we have a prior relationship; news and other media publications; content published on social media; company reports; investor relations presentations; publicly available industry analyses; industry conferences; and other networking events.

Potential recipients of personal data collected for this purpose are all CVA staff involved in research and development activities.

Personal data processed for this purpose will be retained for a period not exceeding 4 years from the date of last contact with the data subject.

 

B6:  Supplier management

The legal basis of processing is that processing is necessary for the performance of a contract to which the data subject is party.

The categories of personal information processed for this purpose are:

Provision of personal data for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so.  However, failure to do so may hinder CVA’s ability to do business with the data subject’s employer.

Potential recipients of personal data processed for this purpose are staff involved in business administration and management.

Personal data processed for this purpose will be retained for a period not exceeding 7 years from the date of termination of the supplier contract.

 

C:  Transfers to third countries (outside the EEA)

All our IT providers store data at rest on servers physically located within the EEA.  In the case of our cloud file server provider (Egnyte), there is a specific contractual clause stating that data will only be stored and processed within the EEA.

Some of our other IT suppliers (e.g. Microsoft) indicate in their privacy policies and terms of service that, in order to provide their services (e.g. email server), they may in some circumstances transfer data to subsidiaries or their own IT suppliers outside the EEA, under either EU Model Clauses or the EU-US Privacy Shield Framework.

In very limited cases, CVA may transfer personal data outside of the European Economic Area (EEA).  We will only do so where a) we have your explicit consent in advance; or b) in a limited number of circumstances detailed below where we are satisfied an adequate level of protection exists for the rights of the individuals whose personal data is being transferred, given the nature of the personal information and the risk posed to the rights of the individual.  The scenarios where such data transfer may occur without explicit consent being sought, and the protections that are in place, are detailed below.

 

D:  Your rights as a data subject

GDPR creates a number of data rights that you can exercise in relation to any personal data relating to you that we process.  You can read about these rights in full at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.

An overview of the main elements of these rights is as follows:

  1. You have the right to ask whether we process your personal data, and if so, you may request (free of charge in most circumstances) a copy of all personal data we hold on you, as well as details of how we use it.
  2. You have the right to ask that any incorrect information we hold about you is corrected without undue delay.
  3. You have the right to have all personal data we hold on you erased without undue delay, unless there is an overriding ground not to do so, for instance if erasing data would undermine the firm’s ability to mount a legal defence in case of future litigation, or prevent us from performing a legal obligation.
  4. You have the right to ask us to stop processing your personal data until you say otherwise, without deleting it.
  5. You have the right to receive any personal data you have provided to us in a structured, commonly used and machine-readable format, which you are then free to do with as you please.
  6. You have the right to object to any processing of personal data for purposes where the only legal grounds are the pursuit of CVA’s legitimate interest – in which case we must immediately cease processing of the data for the purposes you object to.
  7. You have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you, unless we obtain your prior consent to such automated processing in advance.
  8. If you are unhappy with how the firm has responded to requests to exercise any of the above rights, you have the further right to lodge a complaint with a supervisory authority.  In the UK, this is the Information Commissioner’s Office, which can be contacted at http://www.ico.org.uk/concerns.