Client Privacy Notice
1.1 In the course of our providing consulting services to you, we may receive information relating to you, your directors, shareholders, beneficial owners, employees, agents, and associates. In this Notice, we refer to this information as “personal information”.
1.2 As a professional consulting business, Eden McCallum acts as a data controller in relation to the processing of personal information when providing consulting services for its clients. However, in some circumstances we may process personal data on your behalf as a data processor for the purposes of data protection laws. Where we process any personal information on your behalf as your data processor, the terms set out in the project contract shall apply.
1.3 This Notice sets out the basis on which we will process this personal information. Please read the Notice carefully to understand our practices regarding personal information and how we will use it.
1.4 ABOUT US
1.5 We are Eden McCallum LLP, a limited liability partnership registered in England and Wales under number OC375785 with its registered office at 5 Upper St Martin’s Lane, London WC2H 9EA (“Eden McCallum”, “we”, “our”, and “us”).
1.6 We are registered with the Information Commissioner’s Office (“ICO”) under registration number Z3279079.
1.7 Questions about your personal information:
If you have any questions about this privacy notice or your information, or to exercise any of your rights as described in this policy or under applicable data protection laws, you can contact us at:
Eden McCallum LLP
5 Upper St Martin’s Lane
London WC2H 9EA
By email: firstname.lastname@example.org
By telephone: +44 (0) 20 7361 7000
2. DATA PROTECTION PRINCIPLES
2.1 Anyone processing personal data must comply with the principles of processing personal data, as follows:
2.1.1 Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner.
2.1.2 Purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
2.1.3 Data minimisation – data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
2.1.4 Accuracy – data must be accurate and, where necessary, kept up to date.
2.1.5 Storage limitation – data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
2.1.6 Integrity and confidentiality – data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.
2.2 This policy describes the personal data that we collect, and explains how we comply with these principles.
3. INFORMATION WE COLLECT
3.1 We collect the personal information as necessary to enable us to perform our services for you and to manage and operate our business, and to comply with our legal and regulatory obligations.
3.2 The personal information that we collect includes, but is not limited to, the following:
3.2.1 the name, title and contact details (such as telephone numbers and email address) of your employees, directors, shareholders and other stakeholders;
3.2.2 information relating to the matters in which you are seeking our services;
3.2.3 other personal information contained in correspondence and documents which you may provide to us or which we receive in the course of our providing services to you.
3.3 You confirm that you are authorised to provide to us the personal information which we process in the course of our providing services to you.
3.4 Where the personal information relates to your directors, shareholders, beneficial owners, employees, agents, or associates it is not reasonably practicable for us to provide to them the information set out in this Notice. Accordingly, where appropriate you are responsible for providing this information to any such person.
4. HOW YOUR INFORMATION IS COLLECTED
4.1 We collect most of this information from you directly. However, we may also collect information:
4.1.1 from publicly accessible sources (for example, Companies House);
4.1.2 directly from a third party (for example, client due diligence providers);
4.1.3 from a third party with your consent (for example, another professional you or we may engage in relation to your matter).
5. LEGAL BASIS FOR PROCESSING
5.1 We process personal information on the basis of one or more of the following:
5.1.1 Processing is necessary for the performance of our contractual engagement with you: this relates to all personal data we reasonably need to process to perform our services for you.
5.1.2 Processing is necessary for compliance with a legal obligation to which we are subject: this relates to our legal obligations in relation to, for example, anti-money laundering.
5.1.3 Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data: this relates to our processing for our legitimate marketing purposes, for our management, accounting and administration purposes and for data security.
6. SPECIAL CATEGORIES OF (“SENSITIVE”) PERSONAL DATA
6.1 You may also supply us with, or we may receive, special categories of (or “sensitive”) personal data. This is defined by data protection laws to include personal data revealing a person’s racial or ethnic origin, religious or philosophical beliefs, or data concerning health.
6.2 We process these special categories of personal data on the basis of one or more of the following:
6.2.1 where the data subject has given explicit consent to the processing of the personal data for one or more specified purposes;
6.2.2 where the processing relates to personal data which are manifestly made public by the data subject;
6.2.3 where the processing is necessary for the establishment, exercise or defence of legal claims;
6.2.4 for the provision of confidential advice.
7. HOW WE USE YOUR INFORMATION
7.1 Eden McCallum shall use personal information and any other information which we may collect for the purpose of:
7.1.1 our provision of professional consulting services to you as reasonably necessary in order to carry out the consulting contract between us, including associated administration and accounting;
7.1.2 marketing our services (for our legitimate interest of promoting our services to clients);
7.1.3 compliance with our legal and regulatory obligations; and
7.1.4 any dealings with any governmental, regulatory authority or professional body, in order to comply with our legal and regulatory obligations.
8.1 We may use personal information to notify you about important developments and services which we think you may find valuable, for sending you newsletters, invitations to events and similar marketing.
8.2 In this connection we may disclose personal data to our affiliated international offices or to third parties providing marketing services to us, or with whom we are conducting joint marketing exercises.
8.3 We may contact you by post, email, telephone or SMS.
8.4 You can tell us if you do not wish to receive direct marketing by contacting us using the details set out above.
8.5 If you would like to unsubscribe from any email newsletter or other email marketing, you can also click on the ‘unsubscribe’ button at the bottom of the email. It may take a few days for this to take effect.
9. THIRD PARTY PROCESSORS
9.1 Our information technology systems are operated by us but some data processing is carried out on our behalf by third parties. Details regarding these third-party data processors can be obtained by contacting us using the details given above.
9.2 Where processing of personal data is carried out by a third-party data processor on our behalf we endeavour to ensure that appropriate security measures are in place to prevent unauthorised access to or use of your data.
10. DISCLOSURE OF PERSONAL INFORMATION
10.1 Personal information will be retained by us and will not be shared, transferred or otherwise disclosed to any third party, except as set out in this Notice.
10.2 If we are working with other professional advisers on your behalf we shall assume that we may disclose your information to them, unless you instruct us otherwise.
10.3 We may disclose and share personal information:
10.3.1 with Eden McCallum partners, staff and independent consultants;
10.3.2 to other professional advisers and third parties in accordance with your instructions;
10.3.3 to our professional indemnity insurers, brokers or advisers, and auditors, lawyers or risk managers who we or they may appoint;
10.3.4 if we, acting in good faith, consider disclosure to be required by law or the rules of any applicable governmental, regulatory or professional body.
10.4 Should we be requested by certain authorities to provide them with access to your information in connection with the work we have done, or are doing, for you, we will comply with that request only to the extent that we are bound by law to do so and, in so far as it is allowed, we will notify you of that request or provision of information.
11. YOUR RIGHTS
11.1 You have the following rights:
11.1.1 to obtain access to, and copies of, the personal data that we hold about you (“subject access request”);
11.1.2 to require us not to process your personal data for direct marketing purposes;
11.1.3 to require us to erase your personal data (the “right to be forgotten”);
11.1.4 to require us to restrict our data processing activities;
11.1.5 to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller (“data portability”); and
11.1.6 to require us to correct the personal data we hold about you if it is incorrect, or to complete any data which is incomplete including by means of providing a supplementary statement (the “right to rectification”).
11.2 You also have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on our legitimate interests. In such event we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests or for the establishment, exercise or defence of legal claims.
11.3 Please note that some of the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply.
12. EXERCISING YOUR RIGHTS
12.1 You can exercise any of your rights as described in this policy and under data protection laws by contacting us using the details set out above.
12.2 Except as described in this policy or provided for under applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.
12.3 Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm their identity.
13. DATA SECURITY
13.1 We store your personal data in hard copy and electronic format. We use appropriate technical and organisational safeguards to protect personal data both online and offline from unauthorised use, loss or destruction. We use industry standard physical and procedural security measures to protect information from the point of collection to the point of destruction.
13.2 Only authorised personnel and third party service providers are permitted access to personal data, and that access is limited by need. We will only transfer personal data to a third party if it puts in place adequate measures itself.
13.3 Despite these precautions, however, Eden McCallum cannot guarantee the security of information transmitted over the Internet or that unauthorised persons will not obtain access to personal data. In the event of a data breach, Eden McCallum have put in place procedures to deal with any suspected breach and will notify you and any applicable regulator of a breach where required to do so.
14. INTERNATIONAL TRANSFERS
14.1 The personal data we receive may be transferred to, and stored at, a location outside of the European Economic Area (“EEA”) for the purposes of processing by third party service providers that work for Eden McCallum.
14.2 We will normally only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
14.3 Where personal data is transferred to and stored in a country not determined by the European Commission as providing adequate levels of protection for personal data, we take steps to provide appropriate safeguards to protect your personal data, including:
14.3.1 entering into standard contractual clauses approved by the European Commission, obliging recipients to protect your personal data;
14.3.2 under the EU-U.S. Privacy Shield Framework (where we transfer personal data to the U.S.), which enables U.S. businesses to self-certify as a means of complying with EU data protection laws.
15. HOW LONG WE KEEP YOUR INFORMATION
15.1 We will retain the information we collect for seven years following the end of the year in which we completed work on the project for which we were engaged. The information is retained:
15.1.1 where necessary for the performance of the client contract in which we were engaged;
15.1.2 where necessary for compliance with any legal obligation to which we are subject;
15.1.3 in case needed for the establishment, exercise or defence of legal claims;
15.1.4 otherwise for the purposes of our legitimate interests, so long as such interests are not overridden by your interests or fundamental rights and freedoms.
15.2 After this retention period, your personal data will be destroyed unless we have engaged with you further on other business opportunities or projects. We may retain de-personalised statistical information, but no individuals are identifiable from that data.
16. EMAIL MONITORING
16.1 Whilst every member of the Eden McCallum team has a personal email address, email which you send to us or which we send to you may be captured in our database and visible to authorised partners and staff. All emails may also be monitored from time to time by Eden McCallum to ensure compliance with professional standards and our internal compliance policies.
17.1 If you have concerns about our use of your personal data, please send an email with the details of your complaint to email@example.com.
17.2 You also have the right to complain to the Information Commissioner’s Office (https://ico.org.uk/).
18.1 This policy will be reviewed and, if appropriate, updated from time to time. We will communicate any policy updates by email or any other appropriate method.
18.2 This privacy notice was last updated on 15 May 2018.