CLIENT AND PROSPECTIVE CLIENT DATA PROTECTION POLICY
We are committed to protecting the privacy and security of your personal data. The privacy notices below set out our privacy practices as to how the IWG group of companies may collect, use, and/or share your personal data in relation to the provision of our services. The controller of your personal data is the IWG group company that you have entered into an agreement with for the provision of our services.
1. The personal data we collect
We process limited amounts of personal data and only to the extent necessary for us to provide the services that we have agreed to provide to you.
Information you give us
If we are together with you exploring the possibility of providing services to you, or when you become our client, you may give us personal data such as email addresses, contact details and personal authentication documentation for certain services in certain jurisdictions. In addition, when we speak to you over the phone you may give us personal data during the call. Such calls may be recorded for training and quality purposes.
Information we collect via technology
We collect technical personal information about you when we correspond with you or interact with you through various means such as our websites and mobile applications. For example, we will automatically collect the following information when you visit our websites and use our mobile applications: technical information, such as the type of browser you use and the Internet protocol (IP) address used to connect your computer or mobile device to the Internet (as applicable); and information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), traffic data and other communication data, the resources that you access and information derived from the cookies we place on your mobile device or computer. (Our cookies policy will be made available to you when you use our websites and mobile application).
Information we receive from third parties
In some cases, we will engage a third party to undertake a credit check on you and provide us with a report on your credit history.
2. What personal data is used for
We may use the personal data we hold about you for the following purposes:
- Service Administration: To administer your contractual relationship with us (including but not limited to the provision of security passes), to facilitate collections and to communicate with you and any of your nominated employees regarding your services.
- Marketing and Communications: To provide or offer you newsletters and promotions, in addition to other marketing communications but such communication will only be done in accordance with relevant legislation.
- To improve on our services, websites and mobile application or create new ones.
- To provide technical support.
- To ensure compliance with applicable legislation.
3. What happens to personal data once it is collected
We may share your personal data with other entities in our group and third party service providers engaged to provide services to us. We will only share your personal data in accordance with data protection legislation. In particular where this includes the transfer of personal data outside of the EEA we will do so only in accordance with data protection legislation and where such transfer is within our group it will be done on the basis of the standard contractual clauses prescribed by the European Commission.
The security and confidentiality of any personal data collected is maintained through its storage in our datacentre, which is both secure and has limited and controlled access through a centralised identity management system. Our Datacentre is ISO27000 certified (the ISO/IEC 27000 family of mutually supporting information security standards (also known as the ISO 27000 series) is developed and published by the International Organization for Standardization and the International Electrotechnical Commission to provide a globally recognised framework for best-practice information security management). Communication of the data between our centres and our data centre is encrypted to ensure that it is protected from capture by any third party in transit.
All data transfer with our desktop estate is protected through a number of security tools including anti-virus, content and spam filtering, website protection and browser security; all of which follow industry best practice. Email communication between us and our clients (and their personnel) is currently based upon the Microsoft 365 platform with a redundant cloud based tenant based in Europe which serves all our centres globally and which is both secure and provides control from unauthorised access.
We regularly perform penetration testing to ensure that controls are constantly improved to prevent unauthorised access to our networks and data.
5. Minimising Risk
Whilst we take necessary precautions and follow industry best practice to protect our data and that of our clients, due to the nature of cyber threats, through for example phishing and other forms of compromise attacks, risks can never be completely eliminated.
6. Retention Policy
Our general rule is that we only hold personal data for as long as necessary for us to provide the services that we have agreed to provide to you.
In some circumstances, we may retain personal data for other periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements, or if required to do so by a legal process, legal authority, or other governmental entity having authority to make the request, for so long as required. In specific circumstances, we may also retain your personal data for longer periods of time corresponding to a statute of limitation, so that we have an accurate record of your dealings with us in the event of any complaints or challenges.
7. Your Rights
You may, subject to applicable law, have some or all of the following rights available to you in respect of your personal data:
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to data portability.
- The right to object to, or restrict, or withdraw your consent for, processing.
For more information on these rights please read the relevant guidance issued by the ICO at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/.
If you would like more information about how we process your personal data, please contact your usual IWG point of contact.