1. Purpose of this Privacy Notice
The Risk Advisory Group Ltd (Risk Advisory) is committed to protecting the privacy and security of your Personal Data. We want you to be confident that your Personal Data is kept safe and secure, and never misused.
This Privacy Notice (Notice) applies as between you, the User of this Web Site and Risk Advisory, the owner and provider of this Web Site, and the controller of your Personal Data under Data Protection Laws. This Notice applies to our use of any and all Personal Data collected by us in relation to your use of the Web Site and any Services or Systems therein. It also covers situations where we collect your Personal Data outside of your interactions with the Web Site.
2. Who we are
Risk Advisory is a leading global risk management company operating through a number of separately constituted legal entities which provide risk management and other client consultancy services in accordance with the relevant laws of the jurisdictions in which they respectively operate.
Details of the different Risk Advisory group entities that provide the Services to clients can be found here. Depending on the Risk Advisory entity with which you contract to provide Services, the other listed entities may also be controllers responsible for processing your Personal Data in relation to the Services. Data protection laws vary among countries, with some providing more protection than others. Regardless of where your Personal Data is processed, we apply the same protections described in this Notice.
Risk Advisory is the controller responsible for the operation of this Web Site. This Notice explains what we will do with your Personal Data when Risk Advisory is a controller; how we collect and process your Personal Data, who we share it with and also sets out your rights in respect of our processing of your Personal Data.
For some of the processing activities we carry out Risk Advisory is a processor such as Personal Data processed via the LUMA application. This means that we process Personal Data on behalf of and in accordance with the instructions of our clients. This privacy notice does not address processing we carry out as processors. If you contact us in respect of processing activities where we act as processors, we will direct you to the client who has the responsibility for your Personal Data as controller.
3. Definitions and Interpretation
In this Notice the following terms shall have the following meanings:
|“Account”||means collectively the Personal Data, payment information and credentials used by Users to access material and/or any communications System on the Web Site;|
|“Cookie”||means a small text file placed on your computer by Risk Advisory when you visit certain parts of this Web Site. This allows us to identify recurring visitors and to analyse their browsing habits within the Web Site. Where e-commerce facilities are provided, Cookies may be used to store your shopping basket. Further details are contained in Schedules 1 and 2 of our Cookie Notice;|
|“Data”||means collectively all information that you submit to the Web Site or which we collect about you through, or as a result of your visit to, the Web Site or when you contact us by some other means such as phone or email. This includes, but is not limited to, Account details and information submitted using any of our Services or Systems;|
|“Data Protection Laws”||means the UK General Data Protection Regulation ("UK GDPR") and any applicable implementation of the UK GDPR, the Data Protection Act 2018, Privacy and Electronic Communications Regulations and any other applicable local privacy laws in jurisdictions we operate in, as any of the same may be amended, superseded or replaced from time to time;|
|means any Data relating to an identified or identifiable natural person;|
|“Service”||means collectively any facilities, tools, services, products or information, including those made available online, that Risk Advisory provides either now or in the future;|
|“System”||means any online communications infrastructure that Risk Advisory makes available through the Web Site either now or in the future. This includes, but is not limited to, web-based email, message boards, live chat facilities and email links;|
|“User” / “Users”||means any third party that accesses the Web Site and is not employed by Risk Advisory and acting in the course of their employment or subjects of any analysis; and|
|“Web Site”||means the website that you are currently using (www.riskadvisory.com) and any sub-domains of this site (e.g. subdomain.www.riskadvisory.com) unless expressly excluded by their own terms and conditions.|
4. Data Collected
We may collect Personal Data from you or third parties in the course of our business, including through your use of our Web Site, when you contact or request information from us, when you engage our services or as a result of your relationship with one or more of our staff or clients.
We will collect and process Data about you in the following ways:
Information you provide to us such as when you create an account on the Web Site, sign up to a mailing list, apply for a job vacancy, sign up for an event, use the Services and Systems, get in touch with us by phone, email or otherwise or give us feedback.
Information we collect about you and how you use the Web Site and any Systems and Services using tracking tools like Cookies and other similar technologies stored on your computer, mobile or other device. For more information on this, please see our Cookie Notice.
Information we receive from other sources. We may receive information about you from event partners if you sign up to an event we are involved in and the registration is through the partner's site. We may also receive information about you from our clients or from information publicly available via web searches. We also work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers and credit reference agencies) and may receive information about you from them.
We may hold the following Personal Data for the purposes set out in this Notice:
- date of birth;
- job title;
- contact information such as email addresses and telephone numbers;
- residential address;
- demographic information such as post code, preferences and interests;
- financial information such as credit / debit card numbers;
- public record information from databases such as nationality, education, corporate interests, professional history, litigation (civil and criminal), bankruptcy/credit information, watchlists;
- IP address (automatically collected);
- web browser type and version (automatically collected);
- operating system (automatically collected);
- a list of URLs starting with a referring site, your activity on this Web Site, and the site you exit to (automatically collected); and
5. Our Use and Storage of Data
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Any Personal Data you submit or which is collected via the Web Site, web searches or from third parties will be retained by Risk Advisory for as long as you use the Services and Systems provided on the Web Site and then for a period in accordance with our retention policy. For example, contact details and collected data such as IP address, web browser type and operating system collected when you visit our Web Site will generally be deleted after two years if there is no further engagement with Risk Advisory.
Unless we are obliged or permitted by law to do so, and subject to Clause 6, your Personal Data will not be disclosed to third parties. We may however share your Data within our group of companies and, where you sign up for events we run in collaboration with third party partners, it may be shared with those partners as well. Where we process Personal Data to deliver Services to our clients we will share your Personal Data with the relevant client.
All Personal Data is stored securely in accordance with the principles of the Data Protection Laws. For more details on security, see Clause 12 below.
Any or all of the above Personal Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Web Site and to deliver the Services to our clients.
Specifically, Personal Data may be used by us for the following reasons:
- internal record keeping;
- provision of the Service;
- improvement of the Service;
- transmission by email of promotional materials that may be of interest to you (provided we have your consent to do so or, where applicable, you have not opted out of receiving such materials);
- contact you for market research purposes which may be done using email, telephone or mail. Such information may be used to customise or update the Web Site;
- comply with any applicable law, court order, other judicial process;
- respond to enquiries made by you on the Web Site or in relation to our Services;
- manage and investigate complaints received from you;
- business administration (in connection with a business transaction such as a merger, demerger, restructuring or sale).
6. Third Party Web Sites and Services
Risk Advisory may, from time to time, employ the services of other parties for dealing with matters that may include, but are not limited to, providers of web hosting services, customer relationship management (CRM) systems, marketing automation services, data analytics, events management, recruitment software (see Job Candidate Privacy Notice on the Careers page for more information), payment handling, search engine facilities, advertising and marketing (such as B2B lead generation and outbound automation). We may share your Personal Data with the third-party providers of such services to process the Personal Data on our behalf.
Any Personal Data used by such parties is used only to the extent required by them to perform the services that Risk Advisory requests. Any use for other purposes is strictly prohibited. Furthermore, any Personal Data that is processed by third parties must be processed within the terms of this Notice and in accordance with the Data Protection Laws.
We may also share Personal Data with a variety of the following categories of third parties as necessary:
- Our professional advisers such as lawyers and accountants.
- Government or regulatory authorities.
- Professional indemnity or other relevant insurers.
7. Changes of Business Ownership and Control
Risk Advisory may, from time to time, expand or reduce its business and this may involve the sale of certain divisions or the transfer of control of certain divisions to other parties. Personal Data provided by Users will, where it is relevant to any division so transferred, be transferred along with that division and the new owner or new controlling party will, under the terms of this Notice, be permitted to use the Personal Data for the purposes for which it was supplied by you.
8. Lawful grounds for processing your Data
Under Data Protection Laws, there are a limited number of lawful grounds for processing Personal Data, and we are required to inform you of which lawful grounds we are relying upon to process your Personal Data.
Necessary for performance of a contract: where we are using your Personal Data to provide you with access to Services, we will be processing your Personal Data on the basis that it is necessary for us to do so in order to perform a contract between us. We will not be able to provide you with requested Services if we are not provided with certain basic information about you, which will be indicated by the mandatory fields in online forms.
Legitimate Interests: for most other processing purposes, we will be relying on the "legitimate interests" ground under Data Protection Laws. This means that the processing of your Personal Data is necessary for the purpose of pursuing our legitimate interests or the legitimate interests of a third party in such a way to ensure that we provide the Service in the best way that we can. Whenever we rely on this lawful ground, we carry out an impact assessment to ensure that we balance our legitimate interests and the necessity of processing the Personal Data against your interests, rights and freedoms taking into account the particular circumstances.. The legitimate interests that we pursue are summarised in Clause 5 above.
Consent: for certain processing purposes, we may request your consent to authorise the processing. For example, if you are not a customer of Risk Advisory and have not enquired about our products or services, we may need a clear consent from you in order to send any communications to you about our products or services.
9. Your Rights
You have the right to ask us not to process your Personal Data for marketing purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your Personal Data, by clicking on the "unsubscribe" link in any communications you receive or by contacting us at either of the addresses shown below.
Rights of Rectification, Erasure, Restriction and Portability: Subject to the limitations set out in Data Protection Laws, you have the following additional rights in relation to Personal Data we hold about you:
- the right to have inaccurate Personal Data rectified and to have incomplete Personal Data completed;
- the right to have your Personal Data erased in certain circumstances (e.g. if the Data is no longer necessary in relation to the purposes for which they were collected);
- the right to restrict our processing to limited purposes in certain circumstances (e.g. whilst a challenge to the accuracy of the Personal Data is verified);
- the right to access your Personal Data (see Clause 10 below); and
- the right to receive your Personal Data in a structured, commonly used and machine-readable format
Withdrawal of consent: to the extent that we are relying on your consent to process Personal Data, you have the right to withdraw your consent at any time.
Right to Object: Where we are processing your Personal Data on the basis of our legitimate interests (see Clause 8 above), you have the right to object at any time to our processing, and we will be obliged to stop processing your Personal Data unless there are compelling legitimate grounds for us continuing to do so, and where such grounds override your right to object. In addition, you have the right to object at any time to our use of your Personal Data for direct marketing purposes.
10. Accessing your own Data
Data Protection Laws give you the right, free of charge, to access Personal Data held by us about you, and to be provided with information about matters such as the purposes of the processing, the categories of Personal Data, third party recipients and the Data retention period.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
To exercise any of the rights referred to above, please contact our Data Protection Officer using the contact information provided below in Clause 16.
11. Inform us of changes
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us. You may access your Account at any time to view or amend the Personal Data. You may need to modify or update your Personal Data if your circumstances change. Additional Data as to your marketing preferences may also be stored and you may change this at any time.
Data security is of great importance to Risk Advisory and to protect your Personal Data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure Personal Data collected and processed by us.
13. Transfers outside the UK
Risk Advisory may transfer your Personal Data to third-party service providers based outside the United Kingdom (UK) for the purposes of receiving third party services such as those identified in Clause 6 above (e.g. customer relationship management (CRM) systems, marketing automation services, data analytics) particularly as the servers for such service providers may be located outside the UK. If we transfer any of your Personal Data outside the UK, we shall ensure that lawful transfer mechanisms are in place in accordance with Data Protection Laws, such as standard contractual clauses.
The transmission of Personal Data between different corporate family members within the Risk Advisory Group is based on appropriate safeguards such as standard contractual clauses.
14. Links to third party websites
The Web Site contains links to other sites whose information practices may be different than ours. Visitors should consult the other sites' privacy notices as we have no control over information that is submitted to, or collected by, these third parties.
15. Changes to this Notice
The Risk Advisory Group reserves the right to change this Privacy Notice as we may deem necessary from time to time or as we may be required by law. Any changes will be immediately posted on the Web Site.
16. Our Contact and Data Protection Officer details
We have appointed a data protection officer (DPO) who is responsible for making sure that our business processes and decision making are in line with data protection laws within the UK and other jurisdictions in which we operate. Our DPO is The DPO Centre Limited.
If you have any questions about this Privacy Notice, how we handle your Personal Data or wish to exercise any of your rights, please contact the DPO at firstname.lastname@example.org or via our postal address, 3 More London Riverside, London SE1 2AQ. Please address the envelope to ‘Data Protection Officer’. You can telephone us at +44 20 7578 000.
If you have a concern about any aspect of our data protection practices, including the way we've handled your Personal Data, you can report it to the relevant supervisory authority for data protection matters.
The UK supervisory authority is the Information Commissioner’s Office (ICO). The ICO’s contact details can be found on their website: www.ico.org.uk.
18. Changes to this Notice
Risk Advisory reserves the right to change this Privacy Notice as we may deem necessary from time to time or as we may be required by law. Any changes will be immediately posted on the Web Site.