1. COMPANY REGISTRATION DETAILS
Montrose Management Group Limited, a company registered in Jersey under number 112829.
Registered office: Trojan House, 20 Sand Street 1st Floor, St Helier, Jersey, JE2 3QF (“we”, “us”, “our”, “Montrose”).
We, and our affiliated Group companies worldwide, are committed to respecting your privacy and recognises your need for appropriate protection and management of any personally identifiable information (“personal data”) you share with us.
Montrose has established this Policy so that you can understand the care with which we intend to treat your personal data.
Montrose strives to comply with all applicable laws around the globe that are designed to protect your privacy. Although legal requirements may vary from country to country, Montrose intends to adhere to the principles set out in this Policy even if, in connection with the above, we transfer your personal data from your country to countries outside of the EEA that may not require a high level of protection for your personal data.
This Policy describes how we collect and process personal data by persons who provide us with their personal data, whether through our website (http://www.montroseint.com) or otherwise interacting with us, as set out below.
This Policy applies to individuals who use any of our websites, as well as to those individuals that use any database, software, questionnaire, form, service or other document that hyperlinks to this Policy.
2. HOW TO CONTACT US
If you have any questions regarding your personal data and how we may use it, including any queries relating to this Policy, please contact us at firstname.lastname@example.org.
3. TERMINOLOGY USED
From 25 May 2018, our data processing activities will be governed by the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). For the purpose of the GDPR, we are the ‘Data Controller’ of all personal data obtained by us as set out in this Policy, because we ultimately determine how your personal data will be handled by us or our sub-contractors, who would be our ‘Data Processors’.
If we handle your personal data then you are a ’Data Subject‘. This means you have certain rights under the GDPR in relation to how your personal data is processed, which are set out in this Policy.
‘Personal data’ is any information that can be used to identify you, including your name, e-mail address, IP address, or any other data that could reveal your physical, physiological, generic, mental, economic, cultural or social identity.
‘Special category data‘ means information about you that is sensitive and includes your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
4. PERSONAL DATA THAT WE COLLECT IN RELATION TO YOU
Personal data that we collect in relation to you (but is not limited to):
- Your name.
- Your e-mail address and contact information
- Your internet protocol address or other online identifiers.
- Location data.
- Pseudonymous data.
- Event attendance and dietary requirements.
5. HOW WE COLLECT YOUR PERSONAL DATA
If you contact us (by telephone, e-mail, instant messenger or Skype) we will collect your personal data and process it in accordance with the processes outlined in this Policy, including our Privacy Principles and the basis for processing your personal data. This may include discussing matters with you in relation to an enquiry about our services or a contract that we may enter into with you, or because you have subscribed to a newsletter or request a publication from us.
We may also collect personal data about you from use of CCTV which may be in operation at our offices, or those offices where we provide our services. Any personal data collected from use of CCTV will be used by us for the purposes of ensuring the safety and security of our staff or those people coming onto our premises, or the premises where we provide our services. Such CCTV will be retained for as long as is necessary to ensure there are no issues relating to safety and security that need to be addressed and then only for so long as needed to deal with such issues. If there are no issues to address, then such footage shall be kept for no longer than we believe is reasonably necessary.
6. HOW WE USE YOUR INFORMATION
This Policy tells you what to expect when we collect your personal data.
We will only process your personal data if we have a legal basis for doing so, as outlined in this Policy or otherwise notified to you in advance, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you prior to commencing that processing and we will explain the legal basis which allows us to do this. Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.
Your personal data may be shared in accordance with our principles on transfers to third parties as set out later in this Policy, including (but not limited to) the following:
- any member of our Group, including our subsidiaries or branches;
- third parties where we are under a duty to disclose your personal data to comply with any legal obligation, or to appropriate regulators or other law enforcement organisations;
- third parties to whom we choose to sell, transfer, or merge parts of our business or our assets
- third party suppliers to us, including (for example) insurance providers, brokers, auditors and our IT providers.
If your personal data is to be shared with any other third parties, we will take steps to protect your personal data.
Where you provide us with special category data, we may use such data on an anonymised basis for the purposes of monitoring and producing anonymised reports, including for the purposes of our reporting on equality, diversity and inclusion. However, we shall obtain your consent for such processing.
7. ON WHAT BASIS WE COLLECT YOUR PERSONAL INFORMATION
We are not allowed to process your personal data unless we have a legal basis for doing so.
There are four main legal bases that we rely on when it comes to processing someone’s personal data.
- ‘Legitimate interest’ – this is where we need to process your personal data, for example, if we need to contact you because you have raised a general query with us or where we are in contact with you about this or similar issues, or, in terms of your IP address and any information gathered via “Cookies”, to aid your use and navigation of our website (http://www.montroseint.com). We may also have a legitimate interest to contact you about services that may be of interest to you as part of our marketing campaigns, in accordance with this Policy. As mentioned above, we may market to you on the basis that we have legitimate interests to market our business and we may have identified the organisation that you work for as a business that we would like to market to. We will therefore rely on legitimate interests as our legal basis for processing your personal data that may be connected to your organisation’s contact records for this purpose, however we will balance this against your rights as a data subject and will no longer market to you if you wish to unsubscribe from receiving such marketing communications directly to your contact details. Alternatively, where we do not have a legitimate interest to market to you, then we will seek your consent to do so, which will then be our legal basis for contacting you in that way.
- ‘Necessary for performing a contract’ – this is where if we are in a contract with you (or about to enter into a contract with you and you have requested certain pre-contract details) and we need to use your personal details to complete this contract – for example, we might need to use your e-mail address or phone number to communicate with you, which would count as processing your personal data.
- ‘Consent’ – this is where we set out specific circumstances where we want to process your personal data and request your consent for this. We will make sure that your consent is explicit. We will usually ask you to tick a box (or similar) to confirm that you have provided your consent. For example, unless we have a legitimate interest to contact you about our services that we would like to market to you, then we would obtain your consent to market to you in this way. If you have any questions about the specific circumstances, please contact our Data Protection Manager at email@example.com. Please note that you can withdraw your consent at any point by contacting our Data Protection Manager for further information.
- ‘Compliance with a legal obligation’ – this is where we might need to process your personal data in order to comply with a common law or statutory obligation, such as disclosures for compliance with HMRC requirements, requirements relating to money laundering or other such disclosures. We will only process your personal data for this reason if it is necessary and we would not otherwise be able to comply with that legal obligation without such processing.
8. OUR PRIVACY PRINCIPLES
Notice about what we do with your data
We will only process your personal data in accordance with notices set out in this Policy, or as provided to you at the time we collect your personal data (if necessary for the intended processing).
Choice on providing us your personal data
If you choose not to provide the personal data we request, you can still visit Montrose’s website, but you may be unable to access certain services that involve our interaction with you.
If you chose to have a relationship with Montrose, such as a contractual or other business relationship or partnership, we will naturally continue to contact you in connection with that business relationship, in accordance with this Policy and any additional contractual terms agreed with you.
Access and accuracy of your data
To the extent that you do provide us with personal data, we wish to maintain accurate personal data. Where we collect personal data from you, we want to provide a means for you to contact us should you need to update or correct that information. If for any reason those means are unavailable or inaccessible, you may send updates and corrections about your personal data to firstname.lastname@example.org and we will incorporate the changes to your personal data that we hold and try to do so as soon as practicable.
Third party services/processing
Third parties provide certain services available on our behalf. We may provide personal data that we have collected on the website to third party service providers to help us deliver programmes, products, information, and services. Service providers are also an important means by which Montrose maintains its website and mailing lists.
Where we provide your personal data to third parties who are acting on our behalf (known as “Data Processors”) we will have in place an agreement with each third party confirming on what basis the third party will handle your personal data and will ensure that there are sufficient safeguards and processes in place to protect your personal data.
The third parties that we may send your personal data to are either within the European Economic Area (“EEA”) or to Group companies under the protection of our Binding Corporate Rules or other suitable protection mechanism as laid out in the GDPRs (see section below).
We are part of a global group of companies with offices in locations in the UK, Channel Islands, Africa and Asia-Pacific.
From time to time we may transfer your personal data from within the EEA to our offices outside of the EEA, such as those listed above. To ensure that your personal data will be adequately handled in such circumstances, we have put in place ‘binding corporate rules’ for our group companies to comply with. Binding corporate rules set out rules by which all of our group companies have to abide and these rules set out that your personal data will be handled in a way that matches the GDPR so that where your personal data is being transferred to one of our global companies it will be processed in line with our EEA-based companies, regardless of which country they are in (even if they are outside of the EEA).
Separate to the above, we may also transfer your personal data to countries outside of the EEA to other people or companies for one of the legal bases for processing your personal data as indicated above. Where we do so, we will take all steps to ensure that for any country to which the personal data has been transferred has suitable protection mechanisms in place to protect personal data, including (if applicable) use of EU Model Clauses in any contract with that third party for steps to be taken to keep personal data secure.
9. HOW LONG WE RETAIN YOUR PERSONAL DATA
We cannot definitively set out how long we will retain all personal data in this Policy – this is a general notice that deals with different personal data collected for a variety of reasons. However, we decide how long we will retain your personal data based on the following factors:
If we are performing a contract for you – for the length of that contract and for approximately 10 years afterward to deal with any post-contract issues.
If you are in contact with us – we will retain your personal data as long as it is necessary for us to conclude the relevant correspondence with you.
Whether we think there is a likelihood of you contacting us again in the near future or if we think we need to contact you again, provided that the legal basis (see above) for doing so still exists, for no longer than is necessary in respect of that legal basis.
10. AUTOMATED DECISION MAKING
We may introduce various technologies that may make an automated decision which uses your personal data to reach a specific decision. If we intend to use such automated decision-making technologies, you will be told at the time we wish to introduce such technologies and we will obtain your consent to such use and processing of your personal data.
11. YOUR RIGHTS AS A DATA SUBJECT
You have the following rights in relation to your personal data:
- The right to be informed – this is information on for what purpose we are processing it and what personal data we are processing.
- The right of access – you have the right to be provided with copies of the personal data of you that we are processing as well as confirmation of the processing we are doing. You can do this by sending a “subject access request” to the contact details noted above for our consideration.
- The right to rectification – if you think the personal data that we hold on you is inaccurate or incomplete you can tell us and we will fix it.
- The right to erasure (also known as the right to be forgotten) – if you want us to permanently delete the personal data we hold for you then you can ask us to do so.
- The right to restrict processing – if you do not like how we are using your personal data then you can let us know and we will stop processing it in that way.
- The right to data portability – if you want us to pass on your personal data to someone else then please let us know. This transfer should not affect the integrity or otherwise damage your personal data.
- The right to withdraw your consent – you can withdraw your consent for us to process your personal data (if we have relied on your consent to process your personal data) at any time by contacting us. If we have relied only on your consent as the basis to process your personal data then we will stop processing your personal data at the point you withdraw your consent. Please note that if we can also rely on other bases to process your personal data aside from consent then we may do so even if you have withdrawn your consent for different purposes under that different legal basis.
- Rights in relation to automated decision making and profiling – if we use either automated decision making or profiling then you have a right to know. Also, we will seek your consent if either of these are used to make a decision that affects you. As with all consent, you can withdraw it at any time.
To exercise any of your rights, please contact our Data Protection Manager at email@example.com. In addition to the above, as a data subject you can file a complaint with your local data protection authority within the EEA if you are not happy with how we are processing your personal data. Please note that you can use whichever local data protection authority within the EEA that is most convenient for you.
Where you exercise your right to request access to the personal data we process about you, you will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We will try to respond to all legitimate access requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
12. CHILDREN’S PRIVACY
Our website is not structured to necessarily attract children. Accordingly, we do not intend to collect personal data from anyone we know to be under 13 years of age.
Although our services are not targeted at children, there may be some incidental collection of personal data relating to children that takes place as part of our service offering, or in respect of our staff arrangements. If we know or suspect we are going to handle personal data in relation to children and are relying on consent to do so, then we will obtain consent from a parent or guardian of the relevant child before handling that child’s personal data.
13. VISITORS TO OUR WEBSITE
When someone visits www.montroseint.com, our main corporate website, we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from these sites with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will make it clear when we collect it and explain what we intend to do with it.
Montrose’s website may contain links to external websites. Please note that we are not responsible for the privacy practices of any websites other than our own.
Remember the risks whenever you use the internet. While we do our best to protect your personal data, we cannot guarantee the security of any information that you transmit to us and you are solely responsible for maintaining the secrecy.
We would like to place cookies on your computer to help us improve your use of our website. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The main cookies on our site are from Google Analytics tracking and there is also a session cookie generated by our website that is essential to the running of the website but holds no personal data. However, disabling your Cookies will not interfere with the functionality of this site and you have the right to choose to do this.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
Other tracking technologies: Some of our website pages utilise other tracking technologies. Tracking technologies may record information such as internet domain and host names, internet protocol addresses, browser software and operating system types, clickstream patterns and dates and times that our website is accessed.
We may also analyse information that does not contain personal data for trends and statistics.
Where personal data is sent from our website about visitors to our website, this is secured by encryption using the latest protocols and working methods to keep such data secure.
15. CHANGES TO THIS POLICY
As and when necessary, changes to this Policy will be posted on our website. Where changes are significant, we may also email you and where required by law, we will obtain your consent to these changes.