Flagstaff Communications Ltd

Introduction

Flagstaff takes your privacy seriously, and is committed to protecting and respecting it. This privacy notice (“Notice”) contains important information on:

  • who we are
  • the personal data we collect and store about you
  • how and why we collect personal data
  • what we do with personal data
  • the categories of third parties with whom we share your personal data
  • international transfers
  • how long we retain your information, and how we keep it secure
  • your rights and how to exercise them
  • how to contact us
  • details of whom to contact if you have a complaint.

We ask that you read the Notice, and any other privacy or fair-processing notice provided to you on specific occasions, so that you have a clear understanding of how we interact with your personal data. Each relevant notice supplements, and does not override, the others.

Children

Please note that our website and services are not intended for children, and that we do not knowingly collect personal data relating to children.

Third-party links

Please also note that this website contains third-party links that will take you to other websites not owned or operated by us or any of our group companies. By clicking on any link, you will leave this website: you should check the privacy notices on each other website that you visit, since this Notice will no longer apply at that point.

1. Who are we?

Here are some key details about us:

Our name: Flagstaff Communications Limited (we will refer to ourselves using the word “we” and related words such as “us” and “our” in this Notice)
Place of incorporation: England and Wales (this is where we are registered)
Company number: 10514898
Registered address: Global House, 303 Ballards Lane, Finchley, United Kingdom, N12 8NP

Under data protection law, we are considered to be a “controller”. As a controller, we are responsible for, and control the processing of, your personal data. We are registered as a data controller with the Information Commissioner’s Office, which is the UK’s supervisory authority for data protection matters.

We are part of a group of companies, each of which will have its own privacy policy. This Notice is our privacy policy, and we are the ‘main establishment’ among our group of companies for the purposes of data protection law.

2. What information do we collect?

Personal data is information about a living individual from which that individual can be identified (whether by one piece of data alone or through a combination of data).

Anonymous data, from which a person’s identity has been removed, is not personal data.

In the course of our business – namely providing search-and-select services and consultancy services – we may collect the following personal data about you:

  • Identity data, such as
    • name and title
    • gende
    • date of birt
  • contact data, such as
    • e-mail address
    • home address
    • telephone and mobile numbers
  • biographical data, such as
    • institutions attended
    • academic and professional qualifications gained
    • employment history
    • any other personal information you provide
  • financial data, to the extent that they contain personal data, such as
    • bank account
    • card details
  • transactional data, such as
    • details about payments to and from you
    • details of services you have requested from us
  • technical data, such as
    • internet protocol (IP) address
    • your browser type and version
    • time-zone setting and location
    • browser plug-in types and versions
    • operating system and platform and other technology on the devices you use to access our website
  • usage data, such as
    • information about how you use our website and services
  • marketing data, such as
    • your preferences in receiving marketing and communications

Aggregated data

We collect aggregated data for statistical purposes, such as assessing the popularity of certain pages on our website and the number of people on our database. Aggregated data does not reveal your identity (either directly or indirectly), and is not considered to be personal data. To the extent that we use or combine any aggregated data so that you can be identified, we would treat the aggregated data as personal data in that situation, and would therefore use it only in accordance with this Notice.

Special categories

The phrase “special categories of personal data” denotes particularly sensitive data to which more stringent processing conditions apply. It comprises data concerning your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic data and/or biometric data.

We do not ordinarily collect special categories of personal data, save where you volunteer information regarding your nationality.

We also do not collect information about criminal convictions or offences.

In all cases, we do not collect more data than we believe is necessary.

3. How do we collect personal data?

We obtain personal data from the following sources:

  • directly from you, for example when you
    • send us your details
    • commission our services
    • request information
    • attend an event that we hold
    • write to us
    • give us feedback.

Please contact us if the personal data you’ve given to us changes: we always want to make sure we’re using accurate data.

  • from third parties and publicly available sources, for example:
    • if you are copied on an e-mail that is sent to us, and your e-mail address identifies you
    • Google Analytics (based outside the EU)
    • public sources, such as LinkedIn, on which you may have uploaded details
    • search-information providers
    • referees whom we approach in respect of any job application
    • official public sources such as Companies House.

Note: if you are ever providing another person’s details to us, please ensure you have that person’s explicit consent to do so.

  • from automated technologies such as cookies and tags when you use our website, although we do not participate in automated decision-making – for more information on automated technologies, please see our Cookie Policy

4. For what reasons do we use your personal data?

Introduction

We will only use your personal data when the law allows us to, and we will not use it more extensively than we believe is required.

Most commonly, we will use your personal data in the following circumstances:

  • to perform a contract we are about to enter into, or have entered into, with you
  • if it is necessary for our legitimate interests (or those of a third party) and these are not overridden by your own rights and interests
  • where it is necessary to comply with a legal or regulatory obligation.

Lawful bases

To process personal data, we must have a lawful basis. We always ensure that this is the case, and we set out below the lawful bases on which we most frequently rely. Note that more than one basis may apply at any given time: please contact us if you would like more information on this. Our most frequently used legal bases are as follows:

  • It is necessary for our legitimate interests being the legitimate interests pursued by us or by a third party, except where those interests are overridden by your interests or fundamental rights and freedoms.
  • Performance of a contract with you, or taking steps (at your request) prior to the performance of a contract.
  • Compliance with a legal obligation to which we are subject.

A table describing our use of personal data is set out below.

Purpose/ActivityType of dataLawful basis for processing including basis of legitimate interest
To register you as a new client or supplier(a) Identity

(b) Contact

Performance of a contract with you
To process and deliver our services, or to receive your services, including:

(a) providing our services to you, or receiving them from you

(c) managing billings

(d) collecting money owed to us, and making payments

(a) Identity

(b) Contact

(c) Biographical

(d) Financial

(e) Transactional

Performance of a contract with you

Necessary for our legitimate interests (including to recover debts due to us)

To manage our relationship with you, including:

(a) notifying you about changes to our terms or this Notice

(b) communicating with you in the ordinary course of business

(c) asking you to provide feedback or take a survey

(a) Identity

(b) Contact

(c) Marketing

Performance of a contract with you

Necessary to comply with a legal obligation

Necessary for our legitimate interests (to keep our records updated and to study how customers use our services)

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)(a) Identity

(b) Contact

(c) Technical

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you(a) Identity

(b) Contact

(c) Usage

(d) Marketing

(e) Technical

Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, services, marketing, customer relationships and experiences(a) Technical

(b) Usage

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about services that may be of interest to you(a) Identity

(b) Contact

(c) Technical

(d) Usage

(e) Marketing

Necessary for our legitimate interests (to develop our products/services and grow our business)
To comply with taxation laws and other binding obligations(a) Identity

(b) Financial

Necessary to comply with a legal obligation
To manage our business(a) Identity

(b) Contact

(c) Technical

(d) Financial

(e) Marketing

Necessary for our legitimate interests

Consent

Generally we do not rely on consent as a legal basis for processing your personal data, other than in relation to sending third-party direct marketing communications to you electronically where we are not otherwise entitled to do so, and in relation to nationality data should you supply it.

You have the right to withdraw consent to marketing at any time. This will not affect the lawfulness of processing that took place prior to the withdrawal of consent.

We will always be clear whenever we intend to process on the basis of consent, and we will process lawfully and only for the purpose for which consent was given.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we fairly consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to receive an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

5. Do we share your personal data?

We may provide your personal data to the following recipients for the purposes set out in this Notice:

  • Other businesses in our group, a list of which is available on request.
  • our service providers, including:
    • e-mail service providers
    • technical and support partners, such as the companies who host our website and who provide technical support and back-up services
    • suppliers with a need to receive your data
    • professional advisers, including lawyers, accountants and insurers in relation to the services they provide
  • any business or person with whom we may be involved in merger or acquisition discussions
  • HM Revenue & Customs
  • law-enforcement agencies, government or public agencies or officials, regulators, and any other person or entity that has the appropriate legal authority where we are legally required or permitted to do so, to respond to claims, or to protect our rights, interests, privacy, property or safety
  • any other parties, where we have your specific consent to do so.

In all cases, we require third parties to use your data lawfully and only for specified purposes, and to observe strict standards of security.

6. Do you have to provide personal data – and, if so, why?

To form a contract with you, or where the law requires, we will need some or all of the personal data described above so that we can perform that contract (or the steps that lead up to it): this is set out above in this Notice.

If we do not receive the data, it will not be possible for us to perform that contract, but we will inform you of this at the time.

7. For how long will we keep your personal data?

We will only retain your personal data for as long as is reasonably necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

8. Marketing

We may store your contact details, and carry out marketing profiling activities, for direct marketing purposes.

If you have given your consent, or if we are otherwise permitted to do so, we may contact you about our services that may be of interest to you.

You will be given the opportunity to opt out each time you are contacted, and you may also opt out at any other time. This will not affect the lawfulness of processing that took place prior to your opt-out.

We never pass your details to third parties so that they can market to you for their own purposes.

9. Do we transfer personal data outside the European Economic Area (EEA)?

We may transfer your data within our group of companies, which may involve transferring your data out of (and back into) the EEA. We have therefore entered into a group-wide contract in a form approved by the European Commission in order to give such transfers suitable protection.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection that it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield scheme, which requires them to provide similar protection to personal data shared between Europe and the US.

Should the United Kingdom cease to be part of the EEA, we will update this section accordingly.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

10. How do we keep your personal data secure?

We have security measures in place designed to prevent data loss, to preserve data integrity, and to regulate access to the data. Only our authorised employees and third parties processing data on our behalf have access to your personal data.

All our employees who have access to your personal data are required to adhere to our privacy policy and we have in place contractual safeguards with our third-party data processors to ensure that your personal data is processed only as instructed by us.

We take all reasonable steps to keep your data safe and secure and to ensure the data is accessed only by those who have a legitimate interest to do so. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.

Please contact us using the details in section 15 below if you would like more information about this.

11. Your information rights

We would like to draw your attention to the following rights that you have under data protection law:

  • right to be informed, in a clear and transparent manner, about the collection and use of your personal data – this Notice helps us to meet our obligations in that regard
  • right of access to your personal data, and the right to request a copy of the information that we hold about you and supplementary details about that information
  • right to have inaccurate personal data that we process about you rectified: we will always be happy to correct any inaccuracies, and indeed we welcome the opportunity of doing so
  • right of erasure (also known as the “right to be forgotten”): this is a right for you to request that we remove or destroy certain personal data about you where there is no compelling reason for its retention. Please note, however, that there are limitations on this right, and in some instances we may be entitled or required not to implement your request
  • right to object to certain processing, including that related to direct marketing
  • right to restrict processing: in these circumstances, we may still retain your personal data (on a list of those who have requested a restriction of processing) but will not continue to process it
  • right of portability of your data in certain circumstances.

Please note:

  • you will be asked to provide proof of your identity to ensure we are dealing with the correct person, and we may ask you to provide further details to assist us in the provision of such information
  • we do not ordinarily charge a fee to enable you to have access to your personal data or to exercise other rights. However, in some circumstances we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances

In all cases, we will reply within the time limits set by law.

Please contact us using the details in section 15 below if you would like to know more about, or to exercise, these rights.

These rights are subject to certain limitations that exist in law. Further information about your information rights is available on the ICO’s website: https://ico.org.uk/.