GCM Consulting Ltd, GCM Advisory Ireland Ltd, GCM Advisory Pty Ltd, GCM Consulting Ltd (UK) and SimonHaigh.com are committed to the privacy of our clients and the users of the simonhaigh.com and gcmadvisory.com websites (hereinafter the “Sites”). We take our responsibilities under, e.g. the Irish Data Protection Acts, 1988 and 2003, international equivalents and the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “GDPR”) seriously and we are committed to protecting your privacy when you are visiting the Sites or utilizing our services.
1. Types of Personal Data Processed. The types of personal data processed will vary depending on the data you require us to process in order to deliver to you with the requested service(s) and in accordance with our engagement terms with you. We may process ‘personal data’ as defined in Article 4(1) GDPR (we do not expect there to be a consulting situation where we would process ‘Special category Personal Data’ as defined in Article 9(1) GDPR)).
2. Categories of Data Subjects. Personal data we process for our own purposes and on your behalf may include but may not be limited to your client and prospect data, your staff data, your contractor data, your supplier data and similar data related to your business and its operations.
Categories of data subjects will, for so far as we act as a data processor, be determined by you and as contemplated by our engagement terms with you. Normally, we will only require limited aspects of your staff data for our own purposes and will advise you should it become necessary for us to process any other categories for our own purposes.
3. Legal Basis for Data Processing. Generally, it is your responsibility as the Data Controller to ensure you provide us with data for processing activities for which you have identified a legal basis for such processing. We will not accept responsibility for your providing us data without a legal basis for doing so.
Where we require personal data from you for our own purposes we normally do so on the following legal bases as defined under GDPR:
Contract entry and performance: In order to commence working with you as a client we are legally required to take certain steps, such as assuring ourselves of your identity. In order to do so we require some personal data from you. During the course of our engagement with you we require to continue processing personal data about you to enable us to deliver the service(s) to you.
4. Our legitimate interests. We may also use your personal data based on our own legitimate interests in promoting our services and developing our services and assessing our performance. Activities promoting our services may include business-to-business marketing, which you may opt-out of at any time. Opt-out may be achieved by using the unsubscribe options contained within the information you have received or by emailing our Data Protection Officer at firstname.lastname@example.org or email@example.com.
5. Legal obligations. In some instances, we may be required to provide it to third parties such as law enforcement. Where such obligations arise we will, insofar as is possible without breaching any other duty we owe to those services, advise you of our intention to process your data for their purposes. Should we ever require Special Category Personal Data from you, we will ask for your permission to process that data. If you are not willing to provide us with certain data we may be unable to deliver some or all of our services, and we will inform you of this.
6. Duration of Data Processing and Retention. We will process personal data on your behalf for so long as you instruct us to do so. At the cessation of our processing activities on your behalf it is your decision what happens to the personal data you have provided to us. We will work with you to carry out your reasonable instructions.
We only retain the Personal Data collected from a User for as long as required by the purpose for which they have been collected, unless otherwise required by law. We will retain and use information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Once any required retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
7. Use of Third-Party Service Providers (Sub-processors). As part of our service delivery it is necessary for us to use sub-processors. Our computer, communications and IT support are largely provided by parties external to GCM Consulting Ltd, GCM Advisory Ireland Ltd, GCM Advisory Pty Ltd, GCM Consulting Ltd (UK) and SimonHaigh.com. Some solutions we use are cloud based, such as Google’s GSuite for file storage and email. All sub-processors have contracted terms of service, which provide at least the same level of protection for your data as we do. Most sub-processors do not engage directly with your data and simply provide secure storage and/or communications solutions for the data we process. Unless we have otherwise expressly agreed, sub-processors are prohibited from using your personal data for their own purposes.
8. Data Transfers. GCM Consulting Ltd, GCM Advisory Ireland Ltd, GCM Advisory Pty Ltd, GCM Consulting Ltd (UK) and SimonHaigh.com utilize a number of suppliers to provide IT and other associated services for the operation of our business and delivery of services to you. In many cases, the suppliers we use will be granted access to the data we are processing to provide us with technical assistance. Such processing activities are not directly related to our principal services to you and are considered ancillary to our own internal activities.
Data may be stored on encrypted devices and transported by individuals as necessary for the delivery of our services in accordance with the terms and conditions we have agreed with you. We have put in place appropriate technical measures to ensure data remain secure irrespective of where our people deliver our services.
As part of our service delivery we process limited personal data for the purposes of, but not limited to, data storage, back up, destruction, billing, client management, conflict checking and know-how under standard contractual clauses agreement via third-party suppliers worldwide. In the event this is necessary we will ensure appropriate controls that meet GDPR standards are in place via EU standard contractual clauses or the Privacy Shield Framework to protect your data and data subject rights and freedoms.
By asking us to act as a Data Processor on your behalf you permit us to use EU standard contractual clause agreements and/or the Privacy Shield Framework with our chosen sub-processors on your behalf. All such agreements will be in our name and you may enforce rights against the sub-processor(s) directly through us.
9. Your Data Subject Rights. Where we act as a Data Controller for your data, you may exercise several rights. You may:
○ Request access to the personal data we hold about you
○ Ask us to correct any data which are inaccurate
○ Request to have your personal data deleted
○ Put in place restrictions on our processing of your data
○ Ask us to transfer your data to another controller (data portability)
We will handle all exercise of your data subject rights in accordance with the requirements of GDPR and any national laws at the time of your request. Requests should be submitted in writing to our Data Protection Officer at firstname.lastname@example.org or email@example.com.
If you are dissatisfied with the way we have handled your personal data and we are unable to resolve the matter for you, you may take your complaint to the Information Commissioner’s Office. Further details can be found via their website at www.dataprotection.ie/docs/Home/4.htm.
Should we receive a request from you or one of your staff, clients, customer, contractors, or prospects to exercise data subject rights but we are only acting as a Data Processor, we will forward your request to you as Data Controller to process. Unless you explicitly instruct us not to, we will advise the data subject that we have passed their request to you.
10. Data Security. We have put in place reasonable controls, including policies and procedures, to protect your personally identifiable information from loss, misuse, alteration or unintentional destruction, as have our contractors, sub processors and suppliers.
Data transferred over the internet by us and through our website are protected using encryption technologies to ensure they remain secure. However, please note that no communications over the internet can be guaranteed as secure. While we take appropriate steps to protect your data we cannot guarantee that it will remain secure in transit. Once data reaches your network it is your responsibility to ensure it remains secure.
GCM-SimonHaigh Website Privacy Statement
The SimonHaigh.com and gcmadvisory.com website (hereinafter the “Sites”) are published by GCM Consulting Ltd, GCM Advisory Ireland Ltd, GCM Advisory Pty Ltd, GCM Consulting Ltd (UK) and SimonHaigh.com. By using the Sites, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our Sites.
1. Personal Information That We Collect. Unless you provide us with your email address to subscribe to our newsletter or to contact us via the Contact Us form on the Sites, the Sites do not collect any personally identifiable information. If you have provided such personal information, we will process it in accordance with the terms set forth above.
The cookies provided by third parties whom we currently use include:
Google Analytics: Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google utilizes the Data collected to track and examine the use of this Site, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
○ Personal Data collected: Cookies and usage data.
MailChimp: MailChimp is an email address management and message sending service provided by The Rocket Science Group, LLC which we use to support our newsletter subscription services.
○ Personal Data collected: email address, first name, last name, cookies, and usage data.
These third parties serve as and shall be considered as a “Processor” and not as the “Controller” (as both such capitalized terms are defined in the European Union General Data Protection Regulation) of such User information, and we are the “Controllers” of such User Information, and are responsible for complying with all laws and regulations that may apply to the collection and control of such User Information, including all privacy and data protection laws of all relevant jurisdictions.
More Information on Cookies. You can also deactivate specific 3rd party cookies through the following page managed by the EDAA (European Interactive Digital Advertising Alliance): http://www.youronlinechoices.com.
Most Internet browsers automatically accept cookies. You can instruct your browser, by changing its settings, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. However, some Services may not function properly if you disable cookies. You can visit http://www.aboutcookies.org for more information on how to manage and remove cookies across a number of different internet browsers.
3. Log Files. Like most websites, the Site uses log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, platform type, date/time stamp, and number of clicks to analyze trends, administer the site, track user's movement in the aggregate, and gather broad demographic information for aggregate use. However, none of the information stored in our log files, including but not limited to IP addresses, is linked to personally identifiable information.
5. Hosting of information outside the European Economic Area (EEA). The Sites is hosted in the Republic of Ireland- SimonHaigh.com and Australia- GCMAdvisory.com. Users’ Personal Information may be maintained, processed and stored by our authorized affiliates and service providers in the United States of America, Australia and in Europe. If an authorized service provider holds such data outside the EEA, it does so pursuant to applicable EU law and the EU-U.S. Privacy Shield Framework.
7. Children. The Site is not intentionally designed for or directed at children 13 years of age or younger. It is our policy never to knowingly collect or maintain information about anyone under the age of 13 through our websites. If you are under 16 years of age you must obtain the consent of a parent or guardian to submit information via our site. Please ask them to review this information before you communicate with us.