We are The Observatory International Ltd (“we/our/us”). We are a company incorporated in England and Wales with registered company number 05960327. Our registered office address is 12 Helmet Row, London, EC1V 3QJ. Our registered VAT number is 751 7047 36.
For the purpose of the Data Protection Act 1998, the General Data Protection Regulation (Regulation (EU) 2016/679) and any amended, updated or subsequently implemented legislation in the UK and/or EU relating to the controlling and processing personal data (“Data Protection Legislation”) we are a data controller of personal data provided by you to us through use of our Services and/or Websites (as defined below). Where we consider it appropriate (and as further described in this policy) we may also provide third party data processors with such personal data for the purposes set out in this policy.
We are registered as a data controller with the UK Information Commissioner’s Office with registration number ZA001190.
This policy sets out how, when and why we may collect, control, store, process and transfer personal data that you provide to us, or that we collect from you, when you use our services, correspond with us directly (“Services”) and/or use the www.observatoryinternational.com, and/or www.agencyperformancetracker.com Websites (“Websites”).
This policy also sets out your rights and our obligations in relation to collecting, controlling and processing such personal data.
Our main objective is for you to have absolute trust and confidence in us when we collect, control and process your personal data. The Data Protection Legislation is not intended to prevent processing of personal data, however, but to ensure that such processing is done fairly and without adverse impact on your fundamental rights and freedoms.
Any third party data processors are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy by that third party may result in disciplinary action being taken against them.
This policy is drafted in English. If there is a conflict between a translated version and the English version of these terms then, to the extent permitted under applicable law, the English version shall prevail.
Personal data is information relating to an “identified” or “identifiable” living individual. An “identifiable” individual is one who can be identified, directly or indirectly, in particular reference to an identifier such as a name, an email address, a postal address, date of birth, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Sensitive personal data includes, but is not limited to, personal data which reveals racial or ethnic origin, and data concerning health or sex life and sexual orientation.
Further detail as to the specific types of personal data and sensitive personal data we may control and process is set out at paragraph 6, below.
For personal data to be processed lawfully by us, they must be processed on the basis of one or more of the lawful processing bases set out in the Data Protection Legislation. The lawful bases include, among other things:
As such, we do not always require consent from you in order to lawfully process your personal data. If we collect sensitive personal data, however, we will generally ask for explicit consent from you in order to process such sensitive personal data.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, we must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, which are designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Data Protection Legislation and to protect your rights as a data subject.
In order to ensure data protection by design and by default, we will:
(a) take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
(b) put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
(c) maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
(i) Confidentiality means that only people who are authorised to use the data can access it.
(ii) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
(iii) Availability means that authorised users should be able to access the data if they need it for authorised purposes.
We may collect and process various types of personal data and other information from you when you correspondence with us, when you use our Services and when you access our Websites, and when you correspond with us by phone, email, social media platforms (including, but not limited to, via LinkedIn and Twitter) or otherwise. The type of data collected, and the manner in which such data is collected, will vary depending on how you correspond with us, which Services you use and how you use our Websites, and whether or not we have a lawful basis for processing data in that way. Further details of the type of data we collect and the manner in which such data may be processed is set out below in paragraph 6 under the heading “How we collect and use Personal Data”.
Personal data will only be collected to the extent that it is required for the specific purposes set out in this privacy policy.
Personal data may be collected by us actively and passively. The specific types of personal data we may collect from you, and the manner in which such personal data may be collected, includes:
Observatory International Data and Observatory International Agency Data
Observatory International Data is data that we collect from you when you use our www.observatoryinternational.com website. As part of this, we will collect your name, email address, and any other personal data you provide to us voluntarily in messages sent to us via email (including via email to [email protected]) and via any data entry form completed by you via the website.
Observatory International Agency Data is data that we collect from you when you use our agency.observatoryinternational.com page of our website. As part of this we may collect your name, username, email address, telephone number, location and other personal data you provided to us (including passwords) when you complete and submit the relevant data capture form on the website.
We will use such personal data for the purpose of identifying you from other users of this website and/or our Services. Use of such personal data is necessary in order for us to provide Services to you in accordance with good professional standards. Such Services may include corresponding with you in respect of the Services we provide, Services we are undertaking on your or your employer’s behalf, queries and questions raised with us and sending invoices to you relating to work we are undertaking on your behalf.
We may also use such data for the purpose of sending direct marketing emails to you. Such direct marketing emails will contain information relating to products and Services offered by us which we consider to be of interest to you. You may unsubscribe from receiving such direct marketing emails at any time by following the “unsubscribe” link.
We may lawfully process such personal data for the purpose of providing the Services to you on the lawful basis that such use is necessary in order for us to provide those Services to you adequately, particularly given that we could not achieve the same purpose without using Observatory International Data in this way.
We may lawfully send direct marketing emails to you (containing information about the services we offer) on the basis that you have opted in to receive such communications from us, or on the basis that we have a legitimate business interest in sending such communications to you in order to make you aware of the services we offer and grow our business. You may opt-out of receiving such communications at any time by clicking the “unsubscribe” link contained in the direct marketing emails you receive.
How such personal data is stored:
Such personal data will be stored on secure servers located at our trading address. Such servers are located in a locked room and data stored on such servers are encrypted. Data will be stored on such servers from time of collection and throughout the duration of its storage.
Agency Performance Tracker Data
This is data that we will collect from you when you use our www.agencyperformancetracker.com website.
We will collect your name, email address, telephone number, location, job title and any other personal data you provide to us at the time of completing a survey through the www.agencyperformancetracker.com website and submitting that survey to us through that website.
We will use such personal data for the purpose of sending surveys and results to the email address provided to us.
We will also use such personal data for the purpose of identifying you from other users of the www.agencyperformancetracker.com website, and for the purpose of sending marketing emails to the email address provided which relate to the Services you have shown interest in.
We may lawfully process Agency Performance Tracker Data for the purpose of providing the Services to you on the lawful basis that such use is necessary in order for us to provide those Services to you adequately, if you have requested us to perform such Services personally. If you have not personally requested for us to perform such Services, we may lawfully process Agency Performance Tracker Data for these purposes on the basis that we have a legitimate interest in doing so.
We may also use such personal data for the purpose of us sending direct marketing emails to you (containing information about the Services we offer) on the basis that you have opted in to receive such communications from us, or on the basis that we have a legitimate business interest in sending such communications to you in order to make you aware of the services we offer and grow our business. You may opt-out of receiving such communications at any time by clicking the “unsubscribe” link contained in the direct marketing emails you receive.
How Agency Performance Tracker Data is stored:
Agency Performance Tracker Data will be stored on secure servers located in Singapore.
Alignment Comparator Data
This is data that we will collect from you when you use our Alignment Comparator™ online criteria ranking tool.
We will collect your name, email address, job title and location when you use, and/or sign up to use the Alignment Comparator™. We will use such personal data for the purpose of identifying you from other users of our Services. Such Services may include corresponding with you in respect of the Services we provide, Services we are undertaking on your behalf, queries and questions you have raised with us and sending invoices to you relating to work we are undertaking on your behalf.
We may also use Alignment Comparator Data for the purpose of sending direct marketing emails to you. Such direct marketing emails will contain information relating to products and Services offered by us which we consider to be of interest to you.
We may lawfully process Alignment Comparator Data for the purpose of providing the Services to you on the lawful basis that such use is necessary in order for us to provide those Services to you adequately, particularly given that we could not achieve the same purpose without using Alignment Comparator Data in this way.
We may also use such personal data for the purpose of us sending direct marketing emails to you (containing information about the Services we offer) on the basis that you have opted in to receive such communications from us, or on the basis that we have a legitimate business interest in sending such communications to you in order to make you aware of the services we offer and grow our business. You may opt-out of receiving such communications at any time by clicking the “unsubscribe” link contained in the direct marketing emails you receive.
How Alignment Comparator Data is stored:
Agency Performance Tracker Data will be stored on secure servers located at our trading address in the UK. Such servers are located in a locked room and in encrypted, and will be stored on such servers from time of collection and throughout the duration of its storage.
Training and Events Data:
This is personal data we collect when we provide training courses and events to you.
We will collect your name, email address, job title and the organisation for which you currently work via a written form when you attend training courses and other events we provide. We will use such personal data for the purpose of identifying you from other attendees, and is necessary in order for us to obtain and analyse feedback from you in respect of the quality and delivery of our training courses and/or events.
Why we may lawfully process Training and Events Data for these purposes
We will lawfully process Training and Events Data for such purposes on the basis that we consider ourselves to have a legitimate interest in doing so as we have lawful business interest in reviewing, analysing and improving the way in which our training courses are delivered for the benefit of our users;
How Training and Events Data is stored:
Training and Events Data will be stored on secure servers located outside of the EEA (in Singapore). There has been no adequacy decision (to date) by the European Commission relating to transfers from the EEA to Singapore. As such, we have implemented appropriate safeguards in connection with such transfers by implementing standard data protection clauses adopted by a supervisory authority and approved by the European Commission. A copy of such standard data protection clauses can be obtained from us by request to [email protected].
Website Data
This is data we may collect passively when you use our Websites.
Website Data includes, but is not limited to, your device’s location at the time of using the Websites, as well as information relating to when, where and how the Websites are used by you, and how many times the Websites are accessed by you.
Website Data may also include your device’s Internet Protocol (IP) address, cookies, device type and version, the areas of the Websites you visit, the amount of time spent within particular areas of our Websites, time zone settings, the time and date of your use of the Websites and the operating system and version you use to access the Websites, information about your use of the Websites including (if applicable) the full Uniform Resource Locators (URL), clickstream to, through and from our Websites (including date and time), any products or Services you have viewed or searched for, the Websites response times, download errors, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
We will use Website Data for the purpose of tracking and analysing the popularity and performance of the Websites, how it is used by users and for other purposes so that we can tailor, develop and improve the Websites and performance of the Websites for the benefit of Website users and our clients.
Why we may lawfully process Website Data for these purposes
We will lawfully process Website Data for such purposes on the basis that we consider ourselves to have a legitimate interest in doing so as we have lawful business interest in developing and improving the Websites for the benefit of our users.
Where is Website Data stored?
Website Data is passively collected and stored on secure servers operated by Farnedi ITC Srl, Italy (as well as its group companies), a third party processor who will collect Website Data as and when it arises through your use of the Websites. This processor may subsequently provide the Website Data to us once they have collated and processed the Website Data.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers for at least six years after they cease being customers for tax purposes.
Details of other retention periods for different aspects of your personal data are contained in our retention policy which you can request from us by contacting us [email protected].
In some circumstances you can ask us to delete your data and in some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical
Consent
In some circumstances we may require explicit consent from you in order to process your personal data for a particular purpose or purposes. We will generally only obtain consent from you if we do not have another lawful basis for doing so, for example if we do not have a legitimate interest in doing so or such processing is not contractually necessary.
We do not require consent in order to obtain and process your personal data for the purposes set out in section 6 above (“How We Collect and Use Personal Data”)
However, if we are controlling and processing your personal data on the sole basis of consent, we will ensure that such consent:
(a) is presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of the Data Protection Legislation will not be binding.
(b) can be easily withdrawn by you at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, you shall be informed accordingly. It shall be as easy to withdraw as to give consent.
(c) is freely given. When assessing whether consent is freely given, we shall take account of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
(d) is lawful where we intend to collect and process personal data children. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child (and we shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology).
You may exercise your right to withdraw consent to processing at any time by contacting us via [email protected]. However, such withdrawal of consent will not retrospectively render processing prior to withdrawal of consent as unlawful.
The Right to Erasure (also known as the “Right to be Forgotten”)
You also benefit from the right to erasure. This means that you have the right to request us to erase personal data we hold about you, and that we should erase such data without undue delay, provided that you are able to demonstrate one of the following to us:
You also benefit from the right to rectify inaccurate personal data we hold which relates to you (also known as the “right to rectification”). This means that, taking into account the subject of the processing, you shall have the right to have incomplete personal data completed. You can exercise your right to rectification by contacting us via [email protected].
Data Portability
You also have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format. You have the right to transmit such data to other data controllers without hindrance from us where we are processing that data on the basis of having your consent to do so, or where it is necessary for the performance of a contract, and the processing is carried out by automated means.
Subject Access Requests
You as a data subject are entitled to make a formal request for information we hold about you. We must provide you with a copy of this information, the reasons it is being processed and whether it will be given to any other organisations or people provided that you make this request in writing.
The Services we provide, and our Websites, are not marketed to (and should not be used by) anybody under the age of 16.
We do not knowingly collect personal data from children under the age of 16. In the event that we discover that a child under the age of 16 has provided us with personal data, we will delete such data from our servers unless consent is given or authorised by the holder of parental responsibility over the child.
We may have to share your personal data with the parties set out below for the purposes set out in paragraph 6.
Internal Third Parties
Other companies in our corporate group who may act as joint controllers or processors, and who may be based inside or outside the EU.
External Third Parties
Service providers who may act as processors based inside or outside the EU and who provide IT, system administration and other services.
Professional advisers who may act as processors including lawyers, bankers, auditors and insurers based inside or outside the EU who provide consultancy, banking, legal, insurance and accounting services.
HM Revenue & Customs, regulators and other authorities who may act as processors based inside or outside the EU who require reporting of processing activities in certain circumstances.
Third Parties
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We reserve the right to change this policy at any time. Where appropriate, we will notify you, as a data subject, of those changes by email.
We recommend that you also regularly review this privacy policy for any changes.
If you have any concerns or complaints relating to this policy, its subject matter, or the manner in which we collect, control and/or process your personal data, please do let us know by sending an email to [email protected].
You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data has infringed the Data Protection Legislation. In the UK, the relevant supervisory authority is the Information Commissioner’s Office.