Information Risk Management Limited (IRM) is committed to protecting and respecting your privacy.
This Privacy Notice sets out the basis on which any personal information we collect from you, or that you provide to us, will be handled and treated by us, and explains your rights regarding the use(s) of this information.
Our Commitments to you
Your personal information is controlled by IRM, who for the purposes of data protection legislation are the data controller. This is because we (whether acting alone, or jointly with others) determine how and why your personal information is processed in the context of our legitimate business needs.
We collect personal information on the grounds of:
If we are unable to rely on either the fulfilment of a contract or our legitimate interests as set out within Data Protection Legislation to process your personal information, we will first seek to obtain your consent before processing it.
Where you have provided your consent, it can be withdrawn at any time without detriment to any current activities between our organisations. We will provide a link through which you can inform us of your intentions. Alternatively, you can notify us by emailing firstname.lastname@example.org or calling our Head Office on 01242 225 200.
We may obtain personal information from third parties, particularly from seminars and sector conferences where we are presenting or have a business stand, if this is permitted by law, as part of a legal business activity, or where you have provided your consent to this information being provided to us.
We do not buy lists, and where lists are provided to us we make every effort to verify that the provider can evidence that they have the legal authority to provide the information to us before we use it.
We may also use legal public sources to obtain or verify information about you where we have a business need and justification to do so.
In the course of our normal business operations we will collect some element of personal information every time there is interaction and communication between us.
This includes personal details such as: your name, email address, business postal address, position/title and contact details such as email address, mobile and/or telephone numbers.
Where you enter into a contract for the provision of our products and/or services we will collect payment and delivery details.
You may provide us with personal information when you complete forms on our website (www.irmsecurity.com) or when corresponding with us by phone, email or otherwise. This includes information provided to us when you:
If you download publications, white papers and other documentation made available through our website we may ask for some information to identify you and in some instances your organisation and role within it. We may ask for details pertaining to the size of the company and the industry sector in which you operate. This information enables us to understand our audience, the uses of the materials we produce, and who has expressed an interest in the products and services that we have to offer. We will also ask if we may send you further similar communications about our software and services.
When you visit our website we may also collect personal information, whether you have actively provided it or are merely browsing. The information collected may include:
Where we provide technical and consultancy services to your business we will retain the personal information associated with this for the duration of the services and for six years thereafter, unless contractually agreed otherwise.
Where we undertake forensic investigations and analysis the evidence captured will be retained for seven years after our final report has been delivered to you.
Reports of Compliance (RoC) relating to assessments conducted against the Payment Card Industry Data Security Standards (PCI DSS), along with relevant evidence to support the assessments, will be retained for three years in accordance with our contractual obligations.
We also retain the following material that contains personal information:
Unless otherwise set out in this privacy notice, any other information we process about you will be retained by us for no longer than necessary for the purpose(s) for which it was collected. We will base that decision on a number of criteria, including whether:
We will review and delete or destroy personal information on a regular basis. If we are unable, using reasonable endeavors, to delete or destroy personal information we will ensure that it is anonymised or appropriate measures are taken to put the personal information beyond use.
In addition to using your information to fulfil a contract to provide you with requested products or services, we may also use your information in the following ways (provided that, where we are required to obtain your consent to use your information, you have provided such consent):
We may share your personal information linked to the products and services we provide you with Altran Group, our holding company, and in specific circumstances with its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may disclose your personal information to third parties:
The personal information we collect from you will not normally be transferred to or stored outside the European Economic Area (“EEA”). If there are circumstances where your personal data does need to be processed outside the EEA we will make provision to notify you first and we will use reasonable endeavours to ensure that your data is transferred securely and handled in accordance with this privacy notice, our information security policy and standards.
We capture personal information (names, contact details, addresses, roles and functions) in our Synergi software platform. Our customers are responsible for all information entered into Synergi and also for administering who has access to their instance of the software. Our terms and conditions make it clear that this platform is not a suitable data store for significant quantities of business-related personal information. IRM is responsible for the hardware this platform sits on, which is hosted with Rackspace in the UK. The data is encrypted at rest and in transit.
For business continuity purposes we back up our data, including the personal information therein, through Acronis (https://www.acronis.com/en-us/cloud/backup/).
We also use Societe Generale for our payroll services: https://www.sgebs.com/privacy-policy
We ensure that any destinations to which your personal information is transferred employ appropriate levels of protection as determined by the Data Protection Legislation. These are subject to periodic review.
Where we store and maintain your personal data we have put in place appropriate and proportionate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We will also ensure adequate safeguards are in place when transferring personal information to any other party, especially to countries outside the EEA where additional measures are required by national law. If you would like to know details about this please contact DP@irmsecurity.com.
We are subject to various third party, independent security assessments to ensure our governance, processes and controls applicable to our business systems and data stored therein are at the levels expected and required. If any anomalies or discrepancies were to be identified we have processes to address and rectify them in a timely way.
IRM is the data controller for the information you provide during the job application process, and where successful during your term of employment thereafter, unless stated otherwise.
Final decisions regarding recruitment are made by hiring managers, senior management and members of our Human Resources and recruitment team appropriate to the role. All of the information gathered during the application process is taken into account. You have the right to ask about decisions made about your application by speaking to your contact within the Human Resources or recruitment team. You can submit your request in writing by emailing it to: email@example.com
Your personal information is protected by various Data Protection Legislation and there are a number of rights (briefly explained below) which you can seek to exercise.
We will respond to legitimate and requests as quickly as possible and in any event within one month. If we require more information or need to seek clarification we will contact you directly and without undue delay.
Depending on the nature of your request we may need to verify your identity before sharing any related personal information, or taking further action on the request itself.
There are circumstances where we may still be required to retain your information in order for us to fulfil our own legal, regulatory or business obligations. If this is the case we will explain this to you when we respond to you following a question or complaint.
If your request is manifestly unfounded, excessive or repetitive we may refuse to deal with it or we may in certain circumstances charge a reasonable fee for dealing with it. We will notify you should this be the case before we proceed to resolve your request.
We do not perform automated decision-making, i.e. processing that is carried out without human intervention, on your personal information.
Our website may contain links to third party websites. IRM is not liable or responsible for your use of such other websites and you are advised to check their policies and privacy statements before you submit any personal information through them.
If you have questions, comments or concerns, or wish to make a complaint regarding how we collect or use your personal information please raise them directly with us in order that we can address them promptly. In the first instance notify your account manager (if you have one), contact our or alternatively via our Data Protection Lead through the contact information given above.
If we are unable to resolve your concerns or complaint to your satisfaction you are entitled to raise a complaint with the relevant supervisory authority in your jurisdiction. Within the UK you can contact the Information Commissioner’s Office on 0303 123 1113 or via other means as set out on their website – https://ico.org.uk/concerns/.
We will review and where necessary update this privacy notice at least annually and we will clearly indicate the date it was last updated for your reference and convenience.
If we do make material changes to the content of this Privacy Notice we will post the details of them below. We may also notify you of any material changes by e-mail where deemed necessary.
This Privacy Notice was last revised May 2018.