Legal
Notice
The site is property of Corporate Value Associates (CVA). All rights reserved. Reproduction and use of the contents of this site, in part or in full, are prohibited. Trademarks and logos are registered trademarks of CVA and its licensors.
All text, images, charts, and their arrangement on the CVA website, are protected by copyright and other protective laws. The content of this website must not be copied, distributed, altered, or made available to third parties for commercial purposes. Some website pages also contain images copyrighted by third parties. We may provide links to third-party websites. CVA has no responsibility for these third-party websites, which are governed by the terms of use and privacy policies, if any, of the respective third-party content providers.
The information contained on this site is general in nature and does not claim or indicate contractual agreement or value. Moreover, and in spite of regular updates of the contents of the site, CVA cannot be held responsible for the administrative or legal provisions occurring after modifications. In no circumstances can CVA be held responsible for any direct and/or indirect damages which may result from the use of information and analysis contained within this site.
Corporate Value Associates is a trademark of CORVAL BV (Registered in Amsterdam No. 33195120) Companies House Registration No: FC14314
Privacy Policy governing the use of personal data
Last updated: September 2019
A: Purpose
This Privacy Policy explains how CVA uses personal data it is provided with by you (the ‘data subject’), or collects from other sources, and explains your rights regarding our use of this data, in accordance with the requirements of the EU’s General Data Protection Regulation (GDPR).
GDPR lays down several general principles for the use of personal data. Such data must be collected for specified, explicit, and legitimate purposes. It must be adequate, relevant and limited to what is necessary in relation to the purposes for which the information is processed. It must be kept no longer than necessary, and it must be processed in a manner than ensures appropriate security.
CVA is a ‘data controller’ as defined by GDPR. This means that CVA determines how the personal data it holds is to be used (‘processed’), and is therefore responsible for ensuring this data is processed in accordance with GDPR requirements. In some cases, CVA undertakes this ‘processing’ of the data. In other cases, trusted third party suppliers undertake processing on our behalf. The term ‘processing’ as defined by GDPR essentially covers anything that might be done to or with the data, including simply accessing it to read from a screen.
CVA’s data controller can be contacted by emailing data.controller@corporate-value.com, for instance if you wish to assert any of the data rights outlined in Section D, below.
B: Purposes, categories of personal data, and legal basis of processing
CVA processes personal data for the following purposes:
B1: Business development (direct marketing, and client relationship management)
B2: The performance of contracts with clients
B3: Business and operations management
B4: Recruitment of employees and contractors
B5: Research and development
B6: Supplier management
B1: Business development
The legal basis of processing is that it is necessary for the purposes of CVA’s legitimate interests. CVA’s legitimate interests are:
B1.1: Maintaining relationships with existing clients, ensuring that we remain informed about their businesses and so can continue developing solutions to help improve their business performance and solve business challenges, including proactively suggesting relevant solutions based on our understanding of our clients’ needs.
B1.2: Marketing relevant solutions to appropriate individuals at prospective clients, based on our understanding of prospective clients’ needs, which they would otherwise remain unware of.
B1.3: Responding to direct requests or enquiries about possible solutions to business problems by existing or prospective clients.
The categories of personal data processed for this purpose are:
Contact information
The content of emails
Opinions expressed by individuals relating to their business or industry
Provision of personal data for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so.
We may also collect personal data for this purpose from other sources, including: a data subject’s own business contacts with whom we have a prior relationship; news and other media publications; content published on social media; company reports; investor relations presentations; publicly available industry analyses; industry conferences; and other networking events.
Potential recipients of personal data collected for this purpose are all CVA staff involved in business development activities.
Personal data processed for this purpose will be retained for a period not exceeding 4 years from the date of the last contact with an individual for this purpose.
B2: The performance of contracts with clients
The legal basis of processing is that it is necessary for the performance of a contract to which the data subject is party. The categories of personal data processed for this purpose are:
Contact information
The content of emails
Opinions expressed in relation to the performance of the contract
Opinions expressed in relation to an industry or individual competitors within an industry
Personal data relating to the client’s own customers, provided to us by the client, or obtained via market research
Provision of personal data for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so. Failure to provide the requested personal data may substantially impact the quality of the work we are contracted to perform.
Potential recipients of personal data collected for this purpose are all CVA staff involved in delivery of the relevant contract, and all CVA staff involved in managing the client relationship with the data subject’s employer.
Personal data processed for this purpose will be retained for a period not exceeding 6 years from the termination of the contract in question.
B3: Business and operations management
This includes: paying salaries and tax / national insurance, making pension contributions, reimbursement of work-related expenses, performance assessment, employee coaching and training, undertaking recruitment activities, internal and external communications, resource planning, and profitability management.
The legal bases of processing are: consent; that it is necessary for the performance of a contract to which the data subject is party; for compliance with a legal obligation to which CVA is subject; and / or for the purposes of the legitimate interests pursued by CVA.
CVA’s legitimate interests are:
B3.1: Ensuring employees are of the requisite standard in terms of skills, capabilities, experience and business ethics / behaviour.
B3.2: Ensuring underperforming employees can be identified quickly, and appropriate action taken, while high performing employees can be appropriately rewarded.
B3.3: Ensuring effective management of available human resources and the timely availability of appropriate management information about resource utilisation and profitability.
B3.4: Ensuring effective communication between employees.
B3.5: Ensuring the company is able to effectively communicate the benefits of the services it offers to clients, and its value proposition to employees, to an external audience.
The categories of personal information processed for this purpose are:
Contact information
Details of employment including contractual terms and remuneration
National Insurance details
Bank account details and pension details
Performance assessments
Records of complaints, warnings, and / or disciplinary actions
Dates of planned vacations and sick days
Timesheets
Work-related expenses incurred
Staff photographs
Emergency contact details
Attributable quotes made to support external communication
Provision of personal data for this purpose by a data subject is a contractual requirement: failure to provide the personal data will mean we are unable to meet our contractual obligations to the data subject, for instance paying his or her salary, or reimbursing expenses.
We will also collect personal data for this purpose from other sources, including: colleagues in a management or other supervisory role, and the output of the firm’s HR processes.
Potential recipients of personal data collected for this purpose are staff involved in the firm’s administration and management.
Personal data processed for this purpose will be retained for a period not exceeding 6 years after the data subject leaves CVA’s employ, with the exception of: bank account details, which will be deleted as soon as practically possible following the termination of employment; and any personal data where retention of data could be beneficial to a data subject beyond this date (e.g. to enable CVA to provide references or confirmation of employment).
B4: Recruitment of employees and contractors
This includes solicitation and assessment of job applications, reimbursement of travel expenses, and on-boarding of new hires.
The legal basis for processing is that it is for the purposes of CVA’s legitimate interest; and for compliance with a legal obligation to which CVA is subject.
CVA’s legitimate interest is:
B4.1: Ensuring its new recruits are of the requisite standard in terms of skills, capabilities, experience and trustworthiness.
As a minimum, the categories of personal data processed for this purpose are:
Contact information
Details of employment including contractual terms and remuneration
National Insurance details
Bank account details and pension details
Performance assessments
Records of complaints, warnings, and / or disciplinary actions
Dates of planned vacations and sick days
Timesheets
Work-related expenses incurred
Staff photographs
Emergency contact details
Attributable quotes made to support external communication
Information relating to employee mental or physical health
Information on the commission or alleged commission of a criminal offence
Provision of the above personal data collected for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so. However, failure to provide the requested information will usually mean that the data subject’s job application cannot be progressed.
For applications received through our recruiting website, some of the information a data subject provides is used in an automatic scoring process that prioritises candidates in terms of academic excellence, evidence of mathematical ability, and language skills. However, in every case, a final decision on whether or not to invite a candidate for interview is made by an assessment panel consisting of at least two experienced staff members.
Potential recipients of the above personal data collected for this purpose are staff involved in administration and management of the business, and staff involved in conducting candidate interviews.
Personal data on unsuccessful candidates will be retained for a period not exceeding 6 months from the date their application is rejected, with the exception of bank details, which will be deleted immediately following payment of any travel expenses.
In the case of successful candidates, additional categories of personal data are processed:
Proof of identity and work status (copy of passport and, where relevant, work visa)
Proof of qualifications
Personal references
Provision of personal data in these additional categories is either a statutory or contractual requirement. Failure to provide this additional personal data may result in an offer of employment being rescinded.
Potential recipients of this additional personal data are staff involved in the firm’s administration and management.
Personal data relating to successful candidates will be retained for a period not exceeding 6 years after the data subject leaves CVA’s employ.
B5: Research and development
The legal basis of processing is the purpose of pursuing CVA’s legitimate interests.
CVA’s legitimate interests are:
B5.1: Ensuring the firm remains up to date with the latest developments in industry sectors it works in, or aspires to work in.
B5.2: Enabling the development of new solutions that provide CVA with a competitive advantage.
The categories of personal data processed for this purpose are:
Contact details
The content of emails
Opinions expressed by data subjects in relation to their areas of expertise
Provision of personal data for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so.
We may also collect personal data for this purpose from other sources, including: a data subject’s own business contacts with whom we have a prior relationship; news and other media publications; content published on social media; company reports; investor relations presentations; publicly available industry analyses; industry conferences; and other networking events.
Potential recipients of personal data collected for this purpose are all CVA staff involved in research and development activities.
Personal data processed for this purpose will be retained for a period not exceeding 4 years from the date of last contact with the data subject.
B6: Supplier management
The legal basis of processing is that processing is necessary for the performance of a contract to which the data subject is party.
The categories of personal information processed for this purpose are:
Contact details
The contents of emails
Provision of personal data for this purpose by a data subject is entirely at his or her discretion, with no statutory or contractual obligation to do so. However, failure to do so may hinder CVA’s ability to do business with the data subject’s employer.
Potential recipients of personal data processed for this purpose are staff involved in business administration and management.
Personal data processed for this purpose will be retained for a period not exceeding 7 years from the date of termination of the supplier contract.
C: Transfers to third countries (outside the EEA)
All our IT providers store data at rest on servers physically located within the EEA. In the case of our cloud file server provider (Egnyte), there is a specific contractual clause stating that data will only be stored and processed within the EEA.
In the case of other suppliers (e.g. Microsoft), in order to provide their services (e.g. email server), some of our IT suppliers indicate in their privacy policies and terms of service that they may, in some circumstances, transfer data to subsidiaries or their own IT suppliers outside the EEA, either under EU Model Clauses, or the EU-US Privacy Shield Framework.
In very limited cases, CVA may transfer personal data outside of the European Economic Area (EEA). We will only do so where a) we have your explicit consent in advance; or b) in a limited number of circumstances detailed below where we are satisfied an adequate level of protection exists for the rights of the individuals whose personal data is being transferred, given the nature of the personal information and the risk posed to the rights of the individual. The scenarios where such data transfer may occur without explicit consent being sought, and the protections that are in place, are detailed below.
When CVA employees travel outside of the EEA for work purposes, and access files stored either locally on their laptop hard drive or on our cloud file server, or emails on our email server. In all cases, the data is protected by strong encryption both in transit and at rest, and we are able to remote wipe data stored on the local hard drive in the event a laptop is lost or stolen. In no case will any personal information be downloaded to a system other than the employee’s device(s).
When CVA employees collaborate on projects with colleagues from offices outside the EEA, they may transfer basic personal information about themselves and other employees such as contact information. This information is not intended to be disseminated outside the firm, is subject to the security measures in place in the office in question, and the potential for harm to the individuals concerned from inadvertent exposure of the information is extremely small.
To make it easy for potential clients to contact us, personal information of some employees appears on various corporate websites which may be accessed from outside the EEA. The information is limited to employee photographs, email addresses and phone numbers. As such, the potential for harm to the individual is small, and it is easy for any employee to request their information be removed, without prejudice.
D: Your rights as a data subject
GDPR creates a number of data rights that you can exercise in relation to any personal data relating to you that we process.
An overview of the main elements of these rights is as follows:
You have the right to ask whether we process your personal data, and if so, you may request (free of charge in most circumstances) a copy of all personal data we hold on you, as well as details of how we use it.
You have the right to ask that any incorrect information we hold about you is corrected without undue delay.
You have the right to have all personal data we hold on you erased without undue delay, unless there is an overriding ground not to do so, for instance if erasing data would undermine the firm’s ability to mount a legal defence in case of future litigation, or prevent us from performing a legal obligation.
You have the right to ask us to stop processing your personal data until you say otherwise, without deleting it.
You have the right to receive any personal data you have provided to us in a structured, commonly used and machine-readable format, which you are then free to do with as you please.
You have the right to object to any processing of personal data for purposes where the only legal grounds are the pursuit of CVA’s legitimate interest – in which case we must immediately cease processing of the data for the purposes you object to.
You have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you, unless we obtain your prior consent to such automated processing in advance.