Privacy Policy

Your Privacy Matters to Us.

Definitions

“The Company” or “The Organisation” shall mean Aldeburgh Holdings Limited and/or any of its subsidiaries. “Individual” and/or “employee” shall mean an employee of Aldeburgh Holdings Limited or any of its subsidiaries

Scope: This policy applies to all employees of Aldeburgh Holdings and any subsidiary companies.  

Personal Data

Under the UK’s General Data Protection Regulation (GDPR) personal data is defined as:“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an online identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

By transferring data to us you acknowledge the content of this privacy policy including (where applicable) our use of sub-processors, restricted or otherwise, for data storage, service delivery, reporting or any other means.

How we use your personal information

Chiumento will collect personal information from two sources, customers (client organisations), delegates (service users).

  • If you are a customer, this privacy notice tells you how we, Chiumento Limited, will collect and use personal data supplied by you relating to data subjects you have nominated to be provided with our services (delegate).
  • If you are a delegate, this privacy notice tells you how we, Chiumento Limited, will collect and use personal data you supply relating to yourself in order to engage with our services.

What personal information do we collect from customers?

Provision of our services typically requires our customer organisations to provide personal information relating to current or departed staff, to enable a first contact to be made. This is called “referral data”, and the first contact is typically called a “conversion” (relating to the conversion of the data subject from a “referral” to a “delegate”.

Typically, we will only require the following referral data items to be transferred to us for processing;

  • Name
  • Email Address
  • Mobile Number

Any personal information transferred to Chiumento must be done legally with consent being granted by the data subject before transfer takes place.

Pre-Conversion Roles (Data Controller and Data Processor)

Chiumento Limited acknowledges the distinction between the data controller and data processor roles in accordance with the UK’s General Data Protection Regulation (GDPR).

  • Data Controller: The “Data Controller” refers to the customer or the company, including their sponsoring organization, which provides us with certain personal information for the purpose of initiating contact with individuals (“data subjects”). This personal information, known as “referral data,” is described above
  • Data Processor: Chiumento acts as the “Data Processor” with respect to the referral data. We process this data upon receiving it from you, primarily to contact the data subject and initiate the process of converting them into users of our outplacement service.

Conversion

Upon receiving referral data, we use it to contact the data subject and facilitate their conversion from a referral to a user of our outplacement service (delegate). During this conversion process, we will request the data subject to reconfirm and update all referral data, effectively creating a new set of personal information (Service Data). Chiumento becomes the Data Controller of any and all new personal information.

If, for any reason, the conversion process is not completed successfully, the original data controller retains its status as the Data Controller, and we will keep the data on record for an unspecified period during which we may retry the conversion.

Post-Conversion Roles (Data Controllers and Data Processor)

Chiumento Limited acknowledges the distinction between the data controller and data processor roles in accordance with the UK’s General Data Protection Regulation (GDPR).

  • Data Controller (Referral Data): The customer retains control of the original referral data ONLY
  • Data Controller (Service Data): Chiumento acts as the “Data Controller” as the provider of the service, and entity who collects certain personal information (delivery data) for the purpose of delivering a tailored service
  • Data Processor: Chiumento acts as the “Data Processor” with respect to the delivery data. We process this data upon receiving it from new users of the service, primarily to instruct sub-processors like CV writers or career coaches to deliver a service.

Why does Chiumento Limited need to collect and store additional personal data post conversion?

In order for us to provide data subjects with a Chiumento service on behalf of their sponsoring organisation, we need to collect personal data for correspondence purposes and detailed service provision.

In any event, we are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.

Any personal information collected directly from data subjects remains their data, and will only be transferred back to the sponsor organisation on the authorisation of the data subject.

In terms of being contacted for marketing purposes Chiumento Limited would contact you for additional consent.

Will Chiumento Limited share my personal data with anyone else?

In accordance with UK GDPR, Chiumento may (acting as a data controller and only where necessary) transfer personal information on to third-party service providers for additional data processing activity.

When any data transfer takes place, it will be done so once consent of the data subject has been granted.

For example, Associate Career Coaches and CV Writers, may be contracted to Chiumento Limited while dealing with you, where they will act as sub processors of your personal information.

Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they provide you on our behalf. When they no longer need your data to fulfil this service, they will dispose of the details in line with Chiumento Limited’s procedures.

If we wish to pass your sensitive personal data onto a third party, we will only do so once we have obtained your consent unless we are legally required to do otherwise.

Will Chiumento Limited transfer my data outside the UK?

Where possible, data will not be transferred to other jurisdictions. However, to provide best possible service and experience, we may (when authorised by the data subject) transfer personal information outside the UK in full compliance with UK GDPR law.

We categorise this data transfer in two ways

  1. To third countries covered by an adequacy decision (unrestricted)

Adequacy decisions provided by the UK government identify third countries where the data processing laws reflect similar levels of protection to the UK GDPR. Transfer to sub processors in these jurisdictions does not require Chiumento to carry out additional safeguards.

  1. To third countries not covered by an adequacy decision (restricted)

Where adequacy decisions have not been granted, Chiumento will carry out the necessary additional safeguarding (Transfer Risk Assessment) to ensure that data subjects are protected during the restricted transfer.

What restricted sub-processors do you currently use?

  1. Adalo, Inc. – Adalo is a platform used to power enhanced end user experiences. The platform is currently used for the JetStream Outplacement Service, and the Exit Processing Service only. Adalo are in the USA, which is not covered by an adequacy agreement from the UK government. A transfer risk assessment has been carried out on Adalo by The Chiumento GDPR Officer, and deemed to be safe due to the clarity provided in the Adalo terms, specifically related to Standard Contractual Clauses. https://app.adalo.com/signup/terms
  2. Bubble.io – Bubble is a software development platform used for some services including JetStream. Bubble are fully GDPR compliant and adhere to strict security standards. A transfer risk assessment has been carried out on Bubble by the Chiumento GDPR Officer, and deemed to be safe due to the data processing agreements, standard contractual clauses, and security compliance evidence available. Security | Bubble

How will Chiumento Limited use the personal data it collects about me?

Chiumento Limited will process (collect, store and use) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR). We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. Chiumento Limited is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.

Under what circumstances will Chiumento Limited contact me?

Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.

Can I find out the personal data that Chiumento holds about me as a delegate?

Chiumento Limited at your request, can confirm what information we hold about you and how it is processed. If Chiumento Limited does hold personal data about you, you can request the following information:

  • Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this will be a representative in the EU.
  • Contact details of the data protection officer, where applicable.
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of Chiumento Limited or a third party, information about those interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the data is/will be disclosed to.
  • If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The UK has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
  • How long the data will be stored.
  • Details of your rights to correct, erase, restrict or object to such processing.
  • Information about your right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority.
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it wasn’t collected directly from you.
  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

What forms of ID will I need to provide in order to access this?

Chiumento Limited accepts the following forms of ID when information on your personal data is requested: Passport, driving licence, birth certificate, utility bill (from last 3 months)

Contact the Data Protection Officer / GDPR Owner:

Duncan Hamilton
P/O Box
Carterton
OX189DU

gdpr@chiumento.co.uk
020 7224 3307

 

Last Reviewed: 07/10/2024

Phone

020 7224 3307

Email

info@chiumento.co.uk

Chat

Live chat with us now

InMail

Send a message