In this Notice, Nestor refers to Nestor Business Consulting Ltd (“Nestor”, “Us”, “Our” or “We”), registered in England & Wales, no. 05658939, whose registered office is at Alliotts Imperial House, 15 Kingsway, London, WC2B 6UN.
At Nestor, we are committed to protecting the privacy of your personal data in accordance with Data Protection legislation. This Data Protection Notice (‘Notice’) sets out the basis on which we will process your personal data.
This Notice applies whether you are, or you are acting on behalf of, a client or potential client, or you are a job applicant.
The Data Protection Legislation
As from 25th May 2018, personal data processing in the UK is subject to the EU General Data Protection Regulation (‘GDPR’), as supplemented by UK legislation.
Personal data is any information that directly or indirectly identifies a living individual.
For the purposes of the GDPR, we will be the controller of any personal data that we collect from or about you in connection with the provision of our professional services, or related activities such as promoting the Group’s business or, where relevant, dealing with job applications.
Under the GDPR, data controllers are required to process personal data lawfully, fairly and in a transparent manner, and in a manner that ensures appropriate security of the personal data. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, and the data must be adequate, relevant and limited to what is necessary in relation to those purposes, accurate and, where necessary, kept up to date, and kept in a form which permits identification of data subjects for no longer than is necessary for those purposes. Data controllers are responsible for, and must be able to demonstrate, compliance with these principles.
What personal data do we collect from or about you?
If you make an enquiry
If you contact us with an enquiry about our professional services (either through our websites or by phone, email or post), we will ask you to supply essential contact details (your name, e-mail address, phone number and, where applicable, the company or other person you represent and your job title), which we need in order to identify you and deal with your enquiry.
Depending on the nature of your enquiry, we may collect from you further details, such as the circumstances in which you are making the enquiry, the professional services that may be of interest to you or, where you are interested in a possible position with us, your CV and related information.
If you are or become a client
If you are or become a client (or the company you represent is or becomes a client), and in the course of providing our professional services, we may collect further personal data from you, depending on the nature of the services we are providing. In certain cases, the information that we collect from you may be of a sensitive nature (for instance, health related information) or may include criminal records, but we will only ask you to provide the information that is necessary and appropriate.
We may also need to ask you to provide further personal data, and may need to carry out background checks about you with credit reference agencies and fraud prevention agencies. If you do not provide us with the information we need, we will not be able to provide our professional services for you or the company or other person you represent.
If you are a professional or business contact
If you provide us (or one of our employees or other personnel) with your professional or business contact details or other relevant personal data, we will use this in order to keep in touch with you and exchange information that we believe is, or may become, relevant to our and your business or profession.
If you enquire about a job
If you submit a job application or enquire about a potential position with a Group member, or another person does so on your behalf, we will ask you (or them) to provide relevant personal information about you. Further details of the personal data that we collect, and of the basis on which we will process your personal data, will be provided by our HR Department at the time.
Why and on what basis do we process your personal data?
When you make an enquiry, we will process the personal data that you give us, or we collect from you or about you, so that we can supply you with the information that you have requested about our professional services (including information about the services that other Group members provide), on the basis that it is necessary for our legitimate interests in promoting and marketing the Group and our professional services, or in order to provide a quotation for our services.
If you are or become a client (or the company or other person you represent is or becomes a client), we will process the personal data that you give us, or we collect from you or about you, in order to perform the contract that we have with you (or the company or other person you represent).
Where we need to process special categories of data (‘sensitive data’) or criminal records relating to you, we will only do so with your explicit consent or where this is necessary for the establishment, exercise.
We will also process your personal data for internal record keeping, billing and accounting, and to respond to any queries, complaints or requests for further information, and for the purposes of archiving. The basis on which we do so is that it is necessary for our performance of the contract we have with you (or the company or other person you represent), or is necessary for our legitimate interests in managing our business and improving our professional services, and to comply with our regulatory obligations.
Staying in touch
We provide additional services, such as legal updates, for our clients and our professional and business contacts. We would like to use the details on our database in order to inform you of these and the various services that the Group provides, on the basis that it is necessary for our legitimate interests in promoting and marketing our professional services.
Who do we share your personal data with?
We will not use your personal data for any other purpose, or disclose it to any third party, without your consent unless we are required to do so by law, or as mentioned in this section.
Other Group members
In the course of providing our professional services, or subsequently to the provision of such services, we may have to share personal data about our clients (or about individuals representing a client) with other members of the Group for administrative or regulatory purposes, where this is necessary for the performance of our contract with you (or the company or other person you represent), or for the legitimate interests we have in managing our business and improving our professional services, or in order to comply with regulatory requirements. In some cases, this will include the establishment, exercise or defence of legal claims.
We may also refer you to another member of the Group with your consent, in which case we will provide the other member of the Group with your contact details and other personal data about you which is relevant to the services they are to provide.
Other professionals and other bodies
In order to provide some of our professional services, we may use the input of third parties such as other lawyers and experts, or we may refer you to such third parties, with your consent or where this is necessary for the performance of our contract with you (or the company or other person you represent). This will require the disclosure to such third parties of your contact details, as well as further personal data about you which is relevant to the services they provide. We may also be required to disclose your personal data to regulators, Government departments and similar bodies in order to comply with legal obligations or to perform our contract with you (or the company or other person you represent).
Data processing services
Some of our data processing services are supplied by third party providers, who will need to have access to your data for that purpose. Such third-party suppliers will be appointed on the basis that they provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing will meet the requirements of the applicable Data Protection legislation and ensure the protection of the rights of the data subjects, and will carry out processing only on our written instructions, or where we have a legitimate interest in doing so, as indicated above.
Transferring our rights and duties
We may transfer your personal data to anyone to whom we may transfer our rights and duties under the terms of our retainer with you (for instance, where we do so for the purposes of Group re-organisation and administration or if our business is merged with or we are acquired by a third party). We will do this in order to perform our contract with you (or the company or other person you represent) or where this is necessary for the legitimate interests we have in improving our business and services.
Compliance with legal obligations
We may disclose your personal data if we are required to do so in order to comply with any legal or regulatory obligation or request, or where we have a legitimate interest in doing so, such as in order to enforce or apply our contract with you, to investigate potential breaches, or to protect our property and rights or those of others. This may include exchanging information with other companies and agencies for the purposes of credit risk reduction and to comply with legislation concerning money laundering, tax evasion, crime prevention and fraud protection.
Transfers outside the EEA
In order to provide some of our professional services, we may share your personal data with one or more third party providers situated in countries outside the European Economic Area (including the USA) that do not have the same standards of Data Protection laws as the EU. We may do so with your consent, or where it is necessary for performance of the contract we have with you or for the establishment, exercise or defence of legal claims. However, we will ensure that contractual or other safeguards are in place to ensure that your personal data is adequately protected, and that enforceable rights and effective legal remedies are available for data subjects, and will inform you of the nature of these safeguards at the relevant time.
How long do we keep personal data for?
If you contact us with an enquiry about our professional services but you do not subsequently become a client (or the company or other person you represent does not do so), it is our policy to delete your personal data after eighteen months.
If you are or become a client (or the company or other person you represent is or becomes a client), we normally retain contract information (including personal data) for a minimum period after the end of the relevant contract or client relationship, or for longer where it is necessary for us to do so for compliance with regulatory or other legal obligations, or for the establishment, exercise or defence of legal claims, or where we agree with you to do so. In some cases it may be necessary for us to retain records indefinitely.
Our full data retention policy is available on request.
Personal data relating to our professional contacts will be retained for so long as is necessary, or until you indicate otherwise to us, but we will aim to update our contacts’ preferences on a periodic basis.
In certain cases, it may not be physically possible to delete certain data (for instance, where it is stored on a secure external server), in which case we will take appropriate steps to ensure that it is not available for re-use or disclosure to third parties.
Your rights as a data subject
As a data subject, you have certain legal rights (subject to certain exceptions under the Data Protection legislation) including the right:
- to access the personal data held about you and request a copy of it;
- to ask us not to process your personal data for marketing purposes;
- to withdraw at any time any consent you have given to receive marketing material from us, or in any other case where we process your personal data on the basis of a consent that you have given (and not on some other legal basis);
- to ask us to rectify inaccurate personal data about you;
- to ask for the restriction of personal data about you that is inaccurate, unlawfully processed, or no longer required;
- to ask for the transfer of your personal data in a structured, commonly used and machine-readable format where appropriate;
- to ask for the erasure of personal data about you where processing is no longer necessary, or the legitimate interests we have in processing your personal data are overridden by your interests, rights and freedoms as the data subject; and
- to make a complaint to the Information Commissioner’s Office which can be contacted by post via: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or by telephone via 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Changes to this Data Protection Notice
We may change this Data Protection Notice from time to time. In the case of any substantial change, we will notify you (where practicable) in writing or by email.
How to contact us
If you have any questions, comments or requests about this Data Protection Notice, or would like to exercise any of the rights you have, as set out above, you can contact us via any of the following methods:
Post: Nestor Business Consulting,
57 – 61 Mortimer St,
Phone: +44 (0)20 3170 6213