Last updated 19 September 2018
This Policy explains:
What personal information we may collect about you
How we obtain personal information
How we use personal information
The lawful basis for using personal information
How long we keep personal information
Who we share personal information with
Transfer of personal information outside of the EEA
How we protect personal information
The legal rights of individuals whose personal information we process
1.3 By providing your personal information to us, and/or by visiting www.sproutconsulting.co.uk (“Website”), you understand, accept and consent to the practices described in this Policy.
1.4 Please take the time to read this Policy, which contains important information about the way in which we process personal information.
1.5 For the purposes of this Policy, “European Data Protection Legislation” is defined as, for the periods in which they are in force, the General Data Protection Regulation (Regulation (EU) 2016/670) (“GDPR”), Data Protection Act 2018, any equivalent legislation amending, supplementing or replacing the GDPR and any other law applicable to us and otherwise relating to data protection.
1.6 This Policy may change from time to time and, if it does, the up-to-date version will always be available on our website and becomes effective immediately. Unless your consent is specifically required, any changes will be binding on you when you continue to use the Website or work with us after the date of the relevant change.
2. Information we may collect about you
2.1 Personal information (or personal data) means any information relating to an identified or identifiable natural person. Due to the wide ranging nature of our work, and the different reasons why we need to use personal information, what we collect is very varied and includes:
Identity and contact data – including name, date of birth, email address, postal address, telephone numbers, passport details and information provided or collected as part of our business processes including client acceptance and employee recruitment
Financial, accounting and tax related information, as well as payment-related information
Technical and usage data – how people use our website including web usage, location, device and demographic information (Google Analytics provides age range and gender information. You can find out more about how Google collects demographic data here).
Marketing data – including individuals’ preferences in receiving marketing from us and information provided to us for the purpose of attending events such as dietary information and accessibility requirements
Information used to provide our services – including information provided to us by or on behalf of our clients or otherwise provided to us or generated by us in the course of providing services to our clients
3. How we obtain personal information
3.1 We obtain personal information in different ways, including through:
direct contact – individuals may give us their personal information by corresponding with us by post, email, via our website, telephone or otherwise.
clients – our clients may give us personal information of individuals (for example a client’s employees) to enable us to provide our services
third parties or publicly available sources – we may receive personal information of individuals from third parties in connection with the provision of services by us to our clients. We may also receive information from publicly available sources such as Companies House
4. How we use personal information
4.1 We use personal information in a variety of ways including:
to provide our services to our clients
to recruit employees
to manage and supervise our employees and partners
to promote our services
to meet our legal and regulatory obligations
to meet our audit and insurance obligations
5. Lawful basis for processing your information
5.1 We will only process personal information within the guidelines of European Data Protection Legislation. Most commonly, we will use personal data in the following circumstances where it is necessary:
to perform, or enter into a contract
for our legitimate interests (or those of a third party such as one of our clients) and the interests and fundamental rights of the individual whose personal information we are using do not override those interests
to comply with a legal or regulatory obligation
5.2 When we use special category data and data relating to criminal convictions and offences it will normally be when we need to do so as an employer.
5.3 Generally we do not rely on consent as a legal basis for processing personal information other than in relation to sending direct marketing communications. Consent to receiving direct marketing communications can be withdrawn at any time.
6. How long we keep personal information
6.1 We will keep personal information in accordance with our data retention practices, which apply appropriate retention periods for each category of personal information. In setting retention periods we take account of the purposes for which the personal information was collected and the legal and regulatory obligations on us to retain such information.
7. Who we share personal information with
7.1 We may share your details with carefully selected third parties. These may include service providers, support services and organisations that help us to market our services and third parties instructed to enable us to fulfil our contractual obligations to you and/or our clients in the course of business.
7.2 We may also disclose your information to third parties when:
you specifically request this or it is necessary to provide our services to you (e.g. when we need to instruct other professionals to provide advice which you have requested)
in the event that we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets
if we are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation or to protect the rights, property or safety of our website, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
7.3 If we share your information with third parties they will process your information as either a data controller or as our data processor and this will depend on the purposes of our sharing your personal information. We will only share your personal information in compliance with the European Data Protection Legislation.
7.4 While it is unlikely, we may be required to disclose your information to comply with legal or regulatory requirements. We will use reasonable endeavours to notify you before we do this, unless we are legally restricted from doing so.
7.5 Third parties may include:
our professional advisers, auditors, insurers and our accredited body - ICAS
other professional advisors or third parties engaged in the course of the services we provide to clients
technology service providers such as data room services; cloud services; data analysis; security
email marketing and website platform providers
analytics and search engine providers that assist us in the improvement and optimisation of our website
suppliers to whom we outsource certain support services such as IT, admin, marketing, online job sites
third parties involved in hosting or organising events or seminars
organisations providing facilities for anti-money laundering checks
any third party you ask us to share your data with.
7.6 Our website may, from time to time, contain links to and from the websites of advertisers, partners or useful resources and social media sites such as Facebook, LinkedIn and Twitter (“External Sites”). If you follow a link to any of these websites or use these services, please note that they have their own privacy policies and that we do not accept any responsibility or liability for these policies. You should ensure you read and check these policies before submitting any personal data to these External Sites.
7.7 We do not sell, rent or otherwise make personal information commercially available to any third party, except with your prior permission.
8. Transfer of personal information outside of the EEA
8.1 In order to provide our services we may need to transfer your personal information outside of the European Economic Area (EEA).
8.2 The level of information protection in countries outside the EEA may be less than that offered within the EEA. Where this is the case, to ensure personal information remains protected and secure in accordance with European Data Protection Legislation, we will implement at least one of the following safeguards or ensure that at least one of these conditions applies:
by transferring to a country that the European Commission has decided provides an adequate level of protection for personal information
if transferring personal information to the US, by transferring to organisations that are part of the Privacy Shield
by using adopted or approved (by the European Commission) standard data protection clauses
the transfer is necessary for the establishment, exercise or defence of legal claims
the transfer is necessary for the conclusion or performance of a contract between us and the individual whose personal information is being transferred.
9. How we protect personal information
9.1 We have put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have put in place appropriate measures to inform our staff about how we collect, handle and keep information secure.
9.2 We have put in place measures to deal with any suspected personal information breach and will notify relevant individuals and the Information Commissioner of a breach when we are legally required to do so.
10. Legal rights of individuals
10.1 European Data Protection Legislation gives individuals the following rights with regard to their personal information:
request access to their personal information (commonly known as a "data subject access request"). This enables individuals to receive a copy of the personal data we hold about them and to check that we are lawfully processing it.
request correction of the personal information that we hold about them. This enables individuals to have any incomplete or inaccurate information we hold corrected, though we will need to verify the accuracy of the new information provided to us.
request erasure of their personal information. This enables individuals to ask us to delete or remove personal information where there is no good reason for us continuing to process it. Individuals also have the right to ask us to delete or remove their personal information where they have successfully exercised their right to object to processing (see below), where we may have processed their information unlawfully or where we are required to erase their personal information to comply with local law. Note, however, that we may not always be able to comply with a request of erasure for specific legal reasons which will be notified to the individual, if applicable, at the time of their request.
object to processing of personal information where we are relying on a legitimate interest (or that of a third party) and there is something about the individual’s particular situation which makes her/him want to object to processing on this ground as she/he feels it impacts on her/his fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process the information which overrides those rights and freedoms. Individuals also have the right to object where we are processing their personal information for direct marketing purposes.
request restriction of processing of their personal information. This enables individuals to ask us to suspend the processing of their personal information in the following scenarios:
(a) if the individual wants us to establish the information's accuracy;
(b) where our use of the information is unlawful but an individual does not want us to erase it;
(c) where the individual needs us to hold the information even if we no longer require it as she/he needs it to establish, exercise or defend legal claims; or
(d) the individual has objected to our use of their information but we need to verify whether we have overriding legitimate grounds to use it
withdraw consent at any time where we are relying on consent to process the personal information. However, this will not affect the lawfulness of any processing carried out before consent is withdrawn.
10.2 You can exercise these rights at any time by contacting us using the contact details below. We will require proof of identity before providing any personal data to prevent unauthorised access.
10.3 You will not usually have to pay a fee to access your personal information (or to exercise any of the other rights). However, in the event that an access request is unfounded, excessive or especially repetitive, we may charge a ‘reasonable fee’ for meeting that request. Alternatively, we may refuse to comply with your request in such circumstances. Similarly, we may charge a reasonable fee to comply with requests for further copies of the same information. Such a fee will be based upon the administrative costs of providing the information.
10.4 Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose or purposes you originally agreed to, unless we have another lawful basis for doing so.
11. Contact details
11.1 If you have any comments or questions regarding this Policy, would like to make a request or if you would like to speak to us about the manner in which we process your personal information, please contact us at firstname.lastname@example.org, or write to us at:
Data Controller - Sprout Consulting Ltd, Hamilton House, Wells Road, Chilcompton BA3 4ET
12.1 If you consent to us contacting you, we will always aim to be respectful, relevant and appropriate. If at any time you do not think we have complied with this, please contact us straight away to let us know.
12.2 You also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at any time. For more details please visit the ICO website. We would, however, appreciate the chance to deal with any concerns before you contact the ICO, and would be grateful if you contacted us in the first instance.