Twelve Winds is strongly committed to protecting personal data.  This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights.  It applies to personal data provided to us, both by individuals themselves or by others. We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

Corporate clients

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients to only share personal data with us where it is strictly needed for those purposes. Where we need to process personal data to provide professional services, we ask our clients to provide the necessary information to the data subjects regarding its use.  Our clients may use relevant sections of this privacy statement or refer data subjects to this privacy statement if they consider it appropriate to do so. The categories of personal data processed by us in relation to the services we provide are generally: personal details (e.g. name, email address, contact number, postal address); and job details (e.g. title, role).

We use personal data for the following purposes:

  • Providing professional services

We provide a diverse range of professional services. Some of our services require us to process personal data in order to provide advice and deliverables.  For example, we will review payroll data as part of an organisational structure review.

This processing of personal data by us is necessary for the purposes of the legitimate interests pursued by us in providing professional services and our client in receiving professional services as part of running their organisation and, in some cases, we have a legal obligation to provide the services in a certain way (e.g. statutory audit).  Where we process special categories of personal data, we rely on a relevant public interest condition or consent.

  • Administering, managing and developing our businesses and services

We may process personal data in order to run our business, including:

  • managing our relationship with clients and prospective clients;
  • developing our businesses and services (such as identifying client needs and improvements in service delivery);
  • analysing and evaluating the strength of interactions between us and a contact;
  • performing analytics, including producing metrics for TWC leadership, such as on trends, relationship maps, sales intelligence and progress against account business goals;
  • maintaining and using IT systems;
  • hosting or facilitating the hosting of events; and
  • administering and managing our website and systems and applications.

This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.

  • Security, quality and risk management activities

We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats.  Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We monitor the services provided to clients for quality purposes, which may involve processing personal data stored on the relevant client file.  We have policies and procedures in place to monitor the quality of our services and manage risks in relation to client engagements. We collect and hold personal data as part of our client engagement and acceptance procedures. As part of those procedures we carry out searches using publicly available sources (such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk individuals and organisations and check that there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues).

This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of our services.

  • Providing our clients and prospective clients with information about us and our range of services

Unless we are asked not to, we use client and prospective client  business contact details to provide information that we think will be of interest about us and our services.  For example, industry updates and insights, other services that may be relevant and invites to events.

This processing is necessary for the purposes of the legitimate interests pursued by us to promote our business and services.

  • Complying with any requirement of law, regulation or a professional body of which we are a member

As with any provider of professional services, we are subject to legal, regulatory and professional obligations.  We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.

This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations and, where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory or professional obligations.

  • Developing and improving our services

We are continually looking for ways to help our clients and improve our business and services.  Where agreed with our clients, we may use information that we receive in the course of providing professional services for other lawful purposes, including analysis to better understand a particular issue, industry or sector, provide insights back to our clients, to improve our business, service delivery and offerings and to develop new technologies and offerings.  To the extent that the information we receive in the course of providing professional services contains personal data, we will de-identify the data prior to using the information for these purposes.

We have a legitimate interest in de-identifying data to help our clients, to improve our business, service delivery and offerings and to develop new PwC technologies and offerings, including by performing benchmarking and analysis.

Business contacts

We process personal data about contacts (existing and potential clients and/or individuals associated with them) using a customer relationship management system (the “CRM”).

The collection of personal data about contacts and the addition of that personal data to the CRM is initiated by a TWC user and will include name, employer name, contact title, phone, email and other business contact details. In addition, the CRM may collect data from email (sender name, recipient name, date and time) and calendar (organiser name, participant name, date and time of event) systems concerning interactions between TWC users and contacts or third parties.

Personal data relating to business contacts may be used for our legitimate interests for the following purposes:

  • Administering, managing and developing our businesses and services

We may process personal data in order to run our business, including:

  • managing our relationship with clients and prospective clients;
  • developing our businesses and services (such as identifying client needs and improvements in service delivery);
  • analysing and evaluating the strength of interactions between us and a contact;
  • performing analytics, including producing metrics for TWC leadership, such as on trends, relationship maps, sales intelligence and progress against account business goals;
  • maintaining and using IT systems;
  • hosting or facilitating the hosting of events; and
  • administering and managing our website and systems and applications.

This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.

  • Providing information about us and our range of services

Unless we are asked not to, we use client business contact details to provide information that we think will be of interest about us and our services.  For example, industry updates and insights, other services that may be relevant and invites to events.

This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.

We do not sell or otherwise release personal data contained in the CRM to third parties for the purpose of allowing them to market their products and services without consent from individuals to do so.

Employees and contractors

When you apply to work for us or you are hired as an employee or contractor, we will request data as part of the administration, management and promotion of our business activities. The data that we need depends on the nature of your relationship with us.

Most of the personal data we collect as part of our recruitment process is provided by you such as: contact details, CV, experience, education, qualifications, diversity and equal opportunities data, interview and assessment results and feedback; and offer details and bank account details if your application is successful.

We may also obtain personal data from third party sources such as: references from your named referees, results of Disclosure and Barring Service checks (depending on the role applied for), verification of information provided during the recruitment process by contacting relevant third parties (for example, previous employers, education and qualification providers) or using publicly available sources (for example, to verify your experience, education and qualifications), and information from social media sites that you are a member of about your engagement with our recruitment campaigns.

We process personal data for our legitimate interests to attract and secure the best talent to work with us including: to attract talent and market opportunities at TWC, to identify and source talent, to process and manage applications for roles at TWC, to hire and onboard talent, and to comply with our legal obligation to ensure an individual is eligible to work in the UK.

We collect and use information about race and ethnicity, religious and philosophical beliefs and health data for the following purposes: for our legitimate interest and reasons of substantial public interest, to comply with our legal obligation to make reasonable adjustments (for example, as a result of the outcome of a pre-employment medical assessment), and if your application is successful and where you provide consent, to provide information on relevant support and networks.

Visitors to our websites

Visitors to our websites are generally in control of the personal data shared with us.  We may capture limited personal data automatically via the use of cookies and analytics tools on our website.  Please see the section on Cookies below for more information.

We receive personal data, such as name, title, company address, email address, and telephone and fax numbers from website visitors; for example when you use our website forms to submit a general enquiry, join our mailing list, or sign up to attend an event.

We ask that you do not provide special categories of personal data (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us when using our website.

When you provide personal data to us, we may use it for any of the purposes described in this privacy statement or as stated at the point of collection (or as obvious from the context of collection), including: to contact you with information about TWC’s business, services and events, and other information which may be of interest to you; to administer and manage our website, including to confirm and authenticate your identity and prevent unauthorised access to restricted areas of the site or premium content; to communicate with you in order to distribute requested materials or ask for further information; to personalise and enrich your browsing experience by displaying content that is more likely to be relevant and of interest to you; to sort and analyse user data (such as determining how many users from the same organisation have subscribed to or are using our websites); to determine the company, organisation, institution, or agency that you work for or with which you are otherwise associated; to develop our businesses and services, including aggregating data for website analytics and improvements; aggregating data to conduct benchmarking and data analysis including, for example, regarding usage of our websites; to conduct quality and risk management reviews; to understand how people use the features and functions of our websites in order to improve the user experience; and to monitor and enforce compliance with our terms, including acceptable use policies.

Cookies

We believe that our use of cookies is necessary for the smooth functioning of the website. We do not believe that they pose any threat to your personal privacy or online security and we recommend that you “allow” cookies.

  • We use cookies to make our website easier for you to use
  • We use cookies to help stop our online-forms from being used to send spam-email
  • We use cookies to monitor usage so we can spot trends and make improvements
  • We DO NOT use cookies to identify individuals (and never will)
  • We DO NOT store personal information in cookies

Google analytics

We use Google Analytics to monitor how our website is being used so we can make improvements. Our use of Google Analytics requires us to pass to Google your IP address (but no other data) – Google uses this data to prepare site usage reports for us, but Google may also share this data with other Google services. In particular, Google may use the data collected to contextualise and personalise the ads of its own advertising network. Related data:

Who has access to your data?

Your personal data will not be passed to any third parties for marketing purposes.

Generally, we will only use your personal and sensitive personal data within Twelve Winds Consulting. However, there may be circumstances, where we may need to disclose some data to third parties, for example:

  • Contracted suppliers
  • External auditors or our Regulators, for example, the ICO
  • Bank or Building Society or other financial institutions
  • Insurance Companies
  • Any disclosure required by law or regulation, for example, the prevention of financial crime and terrorism

In the event that any of your personal data is shared with third parties, we will use all reasonable endeavours to ensure that they comply with the data protection legislation and they do not use your personal data for their own purposes unless you have explicitly consented to them doing so.

Protection of your data

We have taken steps to minimise the risk of loss, misuse and unauthorised processing of your Data.

Where we transfer data to third parties to enable them to process it on our behalf, we will use all reasonable endeavours to ensure that the providers meet or exceed the relevant legal or regulatory requirements for transferring data to them and keeping it secure.

We will use all reasonable endeavours to ensure that where data is transferred to a country or international organisation outside of the UK / EEA, we will comply with the relevant legal rules governing such transfers.

Data retention

Personal data will be retained on the for as long as we have, or need to keep a record of, a relationship with a contact or their organisation.

Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

Your rights

You have certain rights in relation to your personal data, although those rights will not apply in all cases or to all data that we hold about you. For example, we may need to continue to hold and process data to establish, exercise or defend our legal rights. Your rights are as follows:

  1. The right to be informed about our processing of your personal data.
  2. The right to request access about your personal data and data about how we process it.
  3. The right to rectification of any inaccurate or incomplete data that we store and use be rectified and to have incomplete personal data completed.
  4. The right to erasure (also known as ‘the right to be forgotten’) is the right to request the deletion or removal of personal data where there is no compelling reason for us to continue processing the same.
  5. The right to restrict processing allowing you to ‘block’ or suppress processing of your personal data.  In this instance we are still permitted to store your personal data, but not further process it.
  6. The right to data portability allowing you to obtain and reuse your personal data for your own purposes across different services.
  7. The right to object to processing of your personal data.
  8. Rights in relation to automated decision making and profiling we do not use profiling or any automated decision making.

Changes to this policy

This policy is subject to change in line with our internal practices and/or applicable changes in the law. Your personal data will continue to be used and processed in a way that is consistent with the original purpose. We will notify you wherever possible and if applicable to you at the time if changes are made.

Complaints about the use of your personal data

If you wish to raise a complaint about on how we have handled your personal data, you can contact our Data Protection Officer on data.protection@twelvewinds.org.uk

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO here.