Consilio Data Protection Notice
Data Protection Notice
(GDPR Act 13)
Consilio Global SPRL (“Consilio”, “we”, “us”, or “our”) understands that privacy is important and that you consider carefully how your Personal Data is used and shared. We respect and value the privacy of everyone who interacts with us and will only collect and use Personal Data in ways that are described in this statement, and in a manner that is consistent with our obligations and your rights under the law.
Please read this Privacy Notice carefully as it sets out the basis on which we process any Personal Data we collect from you or that you provide directly to us. If you do not agree and/or accept the way that we process your Personal Data, then please let us know by emailing GDPR@consilio.com.
Definitions and Interpretation
‘Personal Data’ means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data. This definition shall, where applicable, incorporate the definitions provided in the EU Regulation 2016/679 – the General Data Protection Regulation (“GDPR”).
‘Data Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘European Economic Area’ (“the EEA”) consists of all EU member states, plus Norway, Iceland, and Liechtenstein.
‘Consilio Group’/ ’Group Company(ies)’ means one or more of the Consilio group of companies, being companies sharing the same ultimate parent/controlling shareholder as Consilio Global SPRL.
Information About us
Consilio Global SPRL is a Belgian company, with a registered address at Tour Bastion – Etage 20, Place du Champ de Mars 5, Ixelles (1050 Bruxelles), and enterprise number 0883.063.353.
Consilio Global SPRL has a United Kingdom branch office which has its registered office at 3rd Floor, 10 Aldersgate Street, London EC1A 4HJ and registration with Companies House as company number FC027259.
What Does This Notice Cover?
This Privacy Notice applies only to Personal Data that we hold as a Data Controller. This includes Personal Data that is collected through our websites (www.consilio.com, uk.consilio.com, de.consilio.com), by telephone, by email, in person, through job-boards and any related event or social media applications.
How and Why we Process your Personal Data
All Personal Data is processed and stored securely. We will always comply with our obligations and safeguard your rights under the GDPR. For more details on security, please see the corresponding section, below.
We may process your Personal Data for purposes including:
- To fulfil our obligations arising from any contracts we have entered, or plan to enter into, between you and us.
- To respond to queries you have raised with us.
- To comply with applicable legal requirements and industry standards.
- To provide you with the information, products and services that you request from us.
- To provide you with the information, products and services we believe will be of interest to you or to your organisation.
If you are a Job applicant, we may process your Personal Data for purposes including:
- To notify you of potential roles or opportunities.
- To assess and review your suitability for roles including, at times, in conjunction with our Clients, including reviewing your CV and contacting referees.
Legal Basis for Processing your Personal Data
As laid out under Article 6(1) of the GDPR, our legal bases for processing your Personal Data may include the following:
- Processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary for the purposes of our legitimate interests; and/or
We may rely on “Contract” (number 1 above) as the legal basis if, for example, it necessary to process your Personal Data in order for us to fulfil the obligation arising from the contract we entered with you.
We may rely on “Legal Obligation” (number 2 above) in certain circumstances where we are legally required to process your Personal Data pursuant to regulatory and/or statutory obligations. We must comply with several statutory and regulatory obligations relating to the services we provide and as a business generally, for example complying with fraud/crime prevention, tax, bribery and data protection legislation. We must also co-operate with regulatory authorities such as HMRC or the Information Commissioners’ Office.
If in any circumstances you are required under contract, or by law, to provide your Personal Data to us, failure to do so may render you unsuitable to work with or for us.
We may rely on legitimate interests (number 3 above) to offer you services which we reasonably believe you will have an interest in obtaining from us. Our legitimate interests include (without limitation):
- To provide you with information, news and updates on our products and services.
- To maintain records of your business function and expertise in order for us to provide you with the right service offerings.
If you are a job applicant, we may rely on legitimate interest to contact you regarding open positions within Consilio, including Document Review and Consulting.
Your Right to Object to our use of your Personal Data
You have the right to object to us using your Personal Data at any time. If you wish to exercise this right, please contact us by emailing GDPR@consilio.com. You also have the ability to opt-out of receiving emails from us, which you may do by unsubscribing using the links provided in our emails to you and at the point of providing your details.
Other Rights Under GDPR
As a Data Subject, you have the following additional rights under the GDPR, which this Notice and our use of Personal Data have been designed to uphold:
- The right to be informed about our collection and use of Personal Data;
- The right of access to the Personal Data we hold about you;
- The right to rectification if any Personal Data we hold about you is inaccurate or incomplete;
- The right to erasure – i.e. the right to ask us to delete any Personal Data we hold about you;
- The right to restrict (i.e. prevent) the processing of your Personal Data;
- The right to data portability (i.e. obtaining a copy of your Personal Data to re-use with another service or organisation); and
- The right not to be subject to automated decision making and profiling.
Your rights will differ depending on the lawful basis for processing, however, we will endeavour to act on the subject request without undue delay and at the latest within one month of receipt. We can extend the time to respond by a further two months if the request is complex or if we have received a number of requests from you. If we wish to apply for an extension, we will let the you know within one month of receiving your request and explain why the extension is necessary.
We can refuse to comply with a subject request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we refuse to comply with a subject request, we will let you know the reasons why, your right to make a complaint to the ICO or another supervisory authority and your ability to seek to enforce this right through a judicial remedy.
If we have doubts about the identity of the person making the request, we can ask for more information. If this occurs, we will let you know as soon as possible that we need more information from you to confirm your identity, before responding to your request. The period for responding to the request will then begin when we receive the additional information.
If you would like to exercise any of your rights or have any cause for complaint about our use of your Personal Data, please contact us by emailing GDPR@consilio.com and we will do our best to resolve the problem for you.
If we are unable to help or you are not satisfied with our response, you also have the right to lodge a complaint with the relevant Supervisory Authority respective to your EU Member State. For the UK, this is the ICO (Information Commissioner’s Office). For further information about your rights, please contact the Information Commissioner’s at https://ico.org.uk/concerns/.
Personal Data we Obtain from a Third Party
In certain circumstances we may obtain your personal information from third parties including job-boards, CV libraries, personal recommendations and publicly available sources such as LinkedIn. Where this occurs, we will provide you a Privacy Notice within a reasonable period of obtaining the Personal Data and no later than one month. We will inform you of the fact we hold your Personal Data, the source the Personal Data originates from and whether it came from publicly accessible sources. We will also provide the purpose of processing, legal basis and how long we intend to retain your Personal Data.
How Long we Keep your Data
We will continue to process your Personal Data for as long as is reasonably necessary for us to comply with our contractual or legal obligations, to pursue our legitimate interests. We will retain your Personal Data in accordance with our “Data Retention and Disposal Policy” document. For more information, please email GDPR@consilio.com.
If you are an unsuccessful job applicant, we will continue to process your Personal Data for a period of up to 5 years in the event that new opportunities arise that we think you are suitable for and may wish to contact you about.
Sharing your Personal Data
For marketing or monitoring purposes, we do not share your Personal Data beyond the companies within the Consilio Group and our third-party service providers.
We may share your Personal Data with third parties, for reasons including:
- Business Administration
- HR Administration (including the recruitment process)
- Office Management
In certain circumstances, we may be legally required to share certain data held by us, which may include your Personal Data, for example, where we are involved in legal proceedings, where we are complying with legal requirements, a court order, or a governmental authority.
If we use processing services from any third party, including those that are located outside of the European Economic Area, we will take all reasonable steps to ensure that your Personal Data will be handled safely, securely, and in accordance with your rights, our obligations, and the legal obligations of such third party.
Transferring your Personal Data outside of the EEA
Some of your Personal Data may be transferred outside of the EEA. Where information is to be so transferred, it may be to a country in respect of which there is an adequacy decision from the EU Commission. However, in any event, it is our policy to take steps to identify risks and ensure that your Personal Data is protected by the appropriate safeguards such as Standard Contractual Clauses and/or the EU-US Privacy Shield framework.
Data security is extremely important to us, and we have taken suitable technical and organisational measures to safeguard and secure any Personal Data we collect, including:
- Consilio is certified to the ISOIEC 27001:2013 information security standard. We comply with ITAR regulations, E.U.-U.S. and Swiss-U.S. Privacy Shield frameworks with the U.S. Department of Commerce and have met stringent requirements in order to appropriately handle sensitive Personal Data.
Our ISO/IEC 27001:2013 certification Scope applies to the business units, premises and resources at Chicago, New York, Los Angeles, London and Frankfurt.
The business units in Chicago, New York, Los Angeles, London and Frankfurt that are covered under ISO/IEC 27001:2013 are:
- Information Technology
- Physical Security & Office Administration
- Human Resource
- Application Development and Support
- Information Security
- Business Operations – Document Review Services, Digital Forensics & Expert Services, Data Operations and Project Management
Our colocation data centres in Chicago, New York, London and Frankfurt is covered under ISO 27001 certification process.
- All our staff are committed to confidentiality;
- We ensure the resilience of our processing systems and have processes that allow us to restore Personal Data in a timely fashion in the event of a physical or technical event, and
- We have a process for testing the effectiveness of our organisational and technical measures that is designed to provide data protection.
What Happens If our Business Changes Hands?
We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any Personal Data that you have provided to any Group Company will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that Personal Data only for the same purposes for which it was originally collected by us. In the event that any of your Personal Data is to be transferred in such a manner, you will be contacted in advance and/or informed of the changes.
If you have any questions about this Privacy Notice, please contact us by email at GDPR@consilio.com.
Changes to our Privacy Notice
We may change this Privacy Notice from time to time (for example, if the law changes). Any changes will be immediately posted on our website at http://uk.consilio.com/privacy-policy/ and you may additionally be notified by email.