Your privacy matters to us
We are Coeo Ltd. We help businesses to improve their decision-making and resilience through the effective use of data. Coeo is a private limited company registered in England & Wales (05901228). Our registered address is Now Building, Thames Valley Park Drive, Reading, Berkshire, England, RG6 1RB. Our Data Protection Act registration number is Z1975617.
We are the data controller for the personal data we process about our enquirers, client representatives, subscribers, client leads, job applicants, employees, contractors and website users.
We sometimes process personal data as a ‘data processor’. This is when handle personal data on behalf of our clients. In these cases, we process this information upon our clients’ written instructions under a contract (Data Processing Agreement). Any collection or use of that information is limited to the purpose of providing the service to our clients.
This privacy notice tells you what to expect when we handle personal data as a data controller.
Our privacy promise to you
Transparency
We are committed to protecting and respecting your privacy. We will always tell you what data we’re collecting about you and how we use it and will never ask for more information than we need to. We will not share your data with any third parties, unless you have consented to this; they are a trusted partner working on our behalf; or the law requires us to, and we will never sell your data.
Security
We are committed to following industry best practices to ensure your data is stored safely and securely. We are certified as ISO 27001 compliant, which means we have demonstrated to external auditors that we have appropriate technical and organisational measures in place to keep data secure.
Control
We will always give you control over the communications you receive from us and you can stop or tell us you no longer wish to receive these at any time by emailing GDPR@coeo.com
How we get your information
Most of the personal data we process is provided to us directly by you, for example when you:
- make an enquiry by email, phone or through our website
- sign up to our newsletters, blogs and promotions
- work with us as an employee or contractor
- use our website
We may also collect personal information about you indirectly, for example through:
- our clients
- public sources (e.g. websites and professional networking sites)
- recruitment agencies
- referees to support your job application (at your request)
Personal data we collect and how we handle it
Enquirers
When someone contacts us asking about our services through our website, by email or over the telephone, we collect their name, contact details and the nature of their enquiry. We collect this information for our ‘legitimate interests’ as a company to be able to respond to their enquiry and keep a record of our communications with them.
Client representatives
We collect the name and contact details of our clients and information about the service they have purchased. We need this information so we can ‘fulfil our contract’ with the client, or take steps at the request of the client, prior to entering into a contract with them. We also collect this information for our ‘legitimate interests’ in maintaining records for accounting, legal and insurance purposes. We keep this information for as long as we need to, to satisfy any contractual, legal, accounting, or reporting obligations.
Subscribers
We collect the name and contact details of people who want to subscribe to our newsletters, resources, blogs and promotions. We collect this information with the ‘consent’ of the individual when they opt-in to receive these communications. If a person unsubscribes, we remove them from our mailing list but retain their contact details in a separate database. We need to retain this information for our ‘legitimate interests’ to ensure we do not contact them again in the future. We keep subscriber data until they unsubscribe, if the email address becomes invalid or if we believe they no longer want to receive communications from us.
Visitors to our offices
When someone visits our offices, we record the visitor’s name, company they work for and the date of their visit. We collect this information for our ‘legitimate interests’ to maintain a register of who is or has been on our premises for security purposes, and for use in case of a fire or other incident.
Training delegates
We collect the name and contact details of individuals who enquire about or book onto our training sessions. We process this information to pursue our ‘legitimate interests’, ie to register the individual on the training and/or to let them know about future training events which we believe they may be interested in attending. Delegates can opt-out from receiving communications about future training events at any time by emailing GDPR@coeo.com We keep delegate contact details for as long as we believe they may be interested in receiving communications about our training events, or until they unsubscribe.
Client leads
We sometimes collect the name, job role and work contact details of employees working for potential clients, who we think would be interested in receiving information about our company’s services; this is known as ‘B2B’ or ‘business to business’ marketing. This information is only collected from public sources, such as company websites or where the employee has published their name, work profile and contact details on a networking site for professionals, (such as LinkedIn) and therefore would have a reasonable expectation that companies like us, may contact them to make introductions and market their services.
We collect this information to pursue our ‘legitimate interests’, to be able to promote and market our services to potential new clients. Contact leads can opt-out from receiving communications from us at any time, by emailing GDPR@coeo.com
Job applicants
We receive Curriculum Vitae (CVs) and application forms from people who apply for jobs with us. This will often include the individual’s name, contact details, experience, education and a personal statement to support their application. We collect this information with the person’s ‘consent’, and ongoing processing for our ‘legitimate interests’ to be able to assess the suitability of the individual and where relevant, invite them to interview.
Employees
We collect information about our employees, such as their name, date of birth, contact details, recruitment information, evidence of their right to work, outcome of their criminal record check (DBS) (where required), references, contract, bank details and other employment information. We collect this information to enable us to ‘fulfil our contract’ with the employee or to ‘take steps at the request of the employee prior to entering into a contract’ with them. For example, to ensure they are paid; make pension and tax contributions on their behalf and provide employee services and benefits to them. We also collect this information to pursue our ‘legitimate interests’, for example to recruit employees, maintain a register of our employees (past and present) for insurance, legal, tax and pension purposes and to assist in the prevention or detection of crime (including fraud).
We sometimes collect ‘special category data’ about our employees, for example information about their disabilities, health and dietary needs or religious beliefs. We process this information to fulfil our contract with the employee (or in order to take steps at the request of the data subject prior to entering into a contract with them) and to carry out our obligations or exercise our or our employees’ rights in relation to employment, social security or social protection.
Contractors
We collect information about our contractors, such as their name, contact details, experience, outcome of their criminal record check (DBS) (where required), service contract and bank details. We collect this information for our ‘legitimate interests’ to be able to assess the suitability of the individual and to enable us to ‘fulfil our contract’ with them or to ‘take steps at their request prior to entering into a contract’ with them.
Website users
When you visit our website, simple Cookies are used to help you navigate around our site and tell us how well our website is performing. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting this website and will not associate any data gathered with any personally identifying information from any source. We collect this information for our ‘legitimate interests’ to help you use our website and keep us informed about our website’s performance. For more information, please see our Cookie Policy.
Who we share information with
We do not share your data outside of the Coeo Group, unless it is necessary for our ‘legitimate interests’, legal, contractual, regulatory or law enforcement purposes. Where we use ‘data processors’ to help us manage and store our data (cloud storage providers); promote our services (advertising/marketing companies) or help us deliver our services (contractors or specialist companies), we have Data Processing Agreements in place, to protect any personal data they may have access to on our behalf.
Our data processors only act on our instructions and are carefully selected to ensure they have robust security measures in place and comply with the UK data protection legislation when processing personal data.
Where we process your personal data as a data ‘processor’ for our clients, your personal data may be accessible to or shared with that client, to enable us to ‘fulfil our contract’ with them.
There may be times when we need to disclose personal data to other data controllers, for example:
- In the event that we sell our company or its assets
- If you provide us with your consent
- If we are under a duty to disclose your personal data, for example in response to a court order, request from law enforcement agencies or to report safeguarding concerns.
- To enforce or apply our terms and conditions and other agreements.
- To protect the rights, property, or safety of our company and its employees, our clients, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
We will never sell your personal data or share it in a way you would not reasonably expect.
Transfers Overseas
Coeo UK also operates Coeo Data India Private Limited (‘Coeo India’), a company located in India. Whilst we store our data in the UK or European Economic Area (‘EEA’), if you receive services from Coeo India, Coeo India will also be able to access your personal data.
Where we transfer data overseas (including to Coeo India) we only do so where we have UK International Data Transfer Agreements with the receiving organisation which ensures they process our data securely and in line with data protection laws.
How we protect your data
We take our security responsibilities very seriously and have put in place robust measures to protect our data and our clients’ personal data from accidental or unlawful access, disclosure, loss, damage or destruction.
Here are some examples of how we achieve this:
- We limit the amount of personal data we collect, and only collect what is needed to fulfil a specific purpose.
- Where it is no longer needed, we ensure personal data is put ‘beyond use’, anonymised or deleted.
- Data is held on encrypted servers in the UK and the EEA. In the event that personal data is stored outside the UK or EEA, contracts (International Data Transfer Agreements) will be in place to ensure the data is secure and protected in line with the UK GDPR.
- Access to our data and systems is on a strict need to know basis and we ensure our employees and contractors are under an obligation of confidentiality.
- Employees receive mandatory data protection training and sign up to our Data Protection Policy.
- We have robust procedures in place to manage and report personal data security breaches, in the unlikely event of a breach occurring.
- Where we use companies who process personal data on our behalf, we carry out due diligence checks on these companies and have written contracts in place (Data Processing Agreements) which require them to handle personal data in line with the UK data protection laws.
- We use up to date virus and malware protection software and we back up data regularly.
Your data protection rights
You have the following rights under the data protection laws:
Right to know
You have the right to be told how your personal data is being processed. This privacy notice tells you how we handle your personal data.
Right of access
You have the right to ask us for a copy of your personal data.
Right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Right to erasure
You have the right to ask us to erase your personal data in certain circumstances.
Right to restriction of processing
You have the right to ask us to restrict the processing of your personal data in certain circumstances.
Right to object to processing
You have the right to object to us processing your personal data where we consider this is necessary for us to perform a task in the public interest. You can also object to us using your personal data for direct marketing purposes.
Right to data portability
You have the right to ask that your personal data is transferred (ported) from us to another organisation or given to you. This applies to information you have given to us where we are processing your information based on your consent or for contractual purposes and the processing is automated.
Right to complain
We work to high standards when it comes to processing your personal data. We hope you will always be happy with the way we handle your information, however if we have not met your expectations, please let us know so we can put things right. If you remain dissatisfied, you have the right to complain to the Information Commissioner’s Office. Further information about your data protection rights, can be found on the Information Commissioner’s Office website at www.ico.org
This Privacy Policy was last updated on 23rd April 2024
