2. Who Are We?
Commissum Associates Ltd. is a leading provider of information security services, which includes our affiliated companies operating under the Commissum brand.
3. Contacting Us
- By email at email@example.com
- By post at Data Protection Officer, Commissum Associates Ltd, 5 Mitchell Street, Edinburgh, EH6 7BD
It is also important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, using the contact details above.
4. What is Personal Data?
Personal data means any information about an individual from which that person can be identified, whether directly (e.g., personally identifiable information such as your name) or indirectly (e.g., online identifiers such as IP address or cookies). It does not include data where the identifying element has been removed (anonymous data).
5. What Personal Data Do We Collect?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, last name, title
- Contact Data includes organisation name and address, business email, phone numbers, and job title
- Additional Data which you may choose to share with us that you think is relevant, or specific data we may request in order to match your service to our or our client’s requirements, such as professional profile data for associates
The source of the personal data above will be either yourself, your organisation, internal company management, or publicly accessible sources. We collect data from and about you during the negotiation and fulfilment of a contract.
6. How Do We Use Your Personal Data?
The law on data protection sets out a number of different reasons for which a company may collect and process personal data. Our uses of your personal data comply with the law, and include the following lawful bases:
- To allow us to enter into and/or perform our contract with you for products or services, or for the delivery of these products or services to our clients, and enable us to comply with our legal obligations in this regard
- If the law requires us to, we may need to collect and process your data, for example to government entities for tax purposes, or where people are involved in fraud or other criminal activity affecting Commissum, we may be required to share personal data with law enforcement
- In specific situations we may require your personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your interests, rights or freedoms; these legitimate interests include maintenance of certifications and accreditations, IP rights protection and due diligence
7. Special Categories of Personal Data
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions or offences.
8. If You Fail to Provide Personal Data
Where we need to collect personal data by law, or under the terms of a contract that we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have, or are trying to enter into, with you.
9. Sharing Your Personal Data
We sometimes share your personal data with trusted third parties. For example, our professional advisors such as lawyers and accountants for legal or business administration purposes, and with certifying bodies that we use to maintain industry certifications such as ISO certifications and CREST accreditation.
When we do share your data with third parties we only provide the information they need to perform the service. They may only use your data for the exact purpose we specify to them and we work closely with them to ensure your privacy is secure and respected.
10. International Transfers of Your Personal Data
We are a global business and some of our offices and service providers are located in countries outside of the European Union (EU). As a result, personal data that we collect from you may be transferred to, accessed and/or stored outside the EU in order to provide our services.
- Adequate data protection measures are in place for the destination country, as determined by the European Commission
- European Commission-approved model clauses are in place between us and any joint controller or processor
For further details, please get in touch using the information provided in the ‘Contacting Us’ section.
11. How Long Will We Keep Your Personal Data?
For example, we retain your data in relation to the contract we have with you for 10 years after we cease having a commercial relationship with your organisation.
At the end of that period, your data will either be deleted or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have implemented an Information Security Management System (ISMS) that is certified to ISO 27001. In addition, we are certified to Cyber Essentials Plus.
13. Your Rights
13.1 Overview of your Rights
You have the following rights in relation to your personal data:
- Access - you have the right to obtain a copy of the personal data that we hold on you
- Rectification - where data that we hold on you is incorrect or incomplete, you have the right for this to be corrected
- Erasure - in the following circumstances you have the right to the deletion of your data:
  - Where it is no longer necessary for the original purpose
  - Where you have previously given consent for the processing of your data and wish to withdraw it
  - Where you object to the processing of your data, and we have no overriding legitimate interest to continue this processing
  - You no longer wish your personal data to be used for direct marketing
  - To meet a legal obligation
  - Where personal data is unlawfully processed
  - We have processed the personal data in relation to providing services to a child
- Restriction of processing - in the following circumstances you have the right to request us to restrict how we process your data:
  - You dispute the accuracy of the personal data that we hold on you
  - The processing is unlawful and you wish us to restrict processing instead of deleting your data
  - We no longer need to process your data, but the data is required by you in relation to legal claims
  - In relation to you raising an objection to the processing of your data
- Data portability – you have the right for your data to be transferred to another controller if we process your data by automated means as a result of your freely given consent or as part of a contract with you
- Object to processing – you may object to processing of your data where we process your data in relation to direct marketing, on the basis of our legitimate interest, where the processing is by automated means, or for scientific, historical or statistical purposes
- Automated decision-making - you have the right not to be subject to solely automated decisions about you (i.e., performed by a computer without human intervention)
  - We do not conduct any automated decision-making
In all cases, use the contact details provided in the ‘Contacting Us’ section.
13.2 Further Information on Specific Rights
13.2.1 Direct Marketing
You have the right to opt out of marketing at any time and you have a choice about how you wish to receive information from us. If you do not wish to receive direct marketing communications then you can change your marketing preferences at any time by getting in touch using the details in the ‘Contacting Us’ section.
You can also click on the ‘unsubscribe’ link in all marketing emails to opt out of receiving future communications from us by email.
13.2.2 Accessing Your Personal Data
You have the right to obtain a copy of all personal data we hold on you.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is clearly unfounded, excessive, or is a duplicate of a previous request you’ve submitted. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
To request a copy of the personal data we hold on you, please get in touch using the details in the ‘Contacting Us’ section.
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
You can contact them:
- By calling 0303 123 1113
- Online at www.ico.org.uk/concerns
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence. If in doubt, contact the ICO.