WDM International (the “Firm”, “we”, “us”) is committed to protecting and respecting your privacy. This Privacy Policy sets out the basis on which any personal data that is provided to us by you or by others, will be processed by us. We will only use personal data for the purposes described in this privacy statement or as stated at the point of collection.
We are a data controller under the applicable data protection law, which includes the Data Protection Act CAP. 586 and the General Data Protection Regulation (Regulation (EU) 2016/679) as appropriate.
1. Our lawful basis for processing
We rely on several lawful bases of processing when we collect and use personal data to operate our business and provide services to our clients. These include:
- Legal obligations – in order to comply with the legal and regulatory obligations we are subject to as a provider of regulated services and as a commercial business.
- Contract – in order to perform contractual obligations we have with our clients or to take steps to enter into a contract with our clients.
- Consent – where an individual has freely given consent at the time their personal data was provided to us.
- Legitimate interests – the legitimate interests can be ours, our clients or other third parties (eg to provide our services, to develop or protect our business, or to keep people informed about relevant products and services) and we always balance the rights of individuals with ours’ and others’ legitimate interests.
2. Business contacts
Information we collect about you and how we use such information
Business contacts are existing and prospective clients and/or individuals associated with them.
Typically, we will collect the personal data from interactions between WDM employees and business contacts. This personal data will usually include name of contact, employer name, contact job title, phone, email and other business contact details.
Personal data relating to business contacts will be accessible to our people and may be used for the purpose of administering, managing and developing our businesses and services, including providing information about us and the services we provide.
Unless we have the consent of the individual, we do not release any personal data to third parties for the purpose of allowing them to market their products and services.
How long we keep your information for
Personal data will be retained on our internal database for as long as it is necessary for the purposes set out above (i.e. for as long as we have, or need to keep a record of, a relationship with a business contact).
3. Clients (and individuals associated with them)
Information we collect about you and how we use such information
We only ask our clients to share personal data with us where it is necessary in order to provide our services or other agreed purposes. We rely on our clients providing any necessary information to the individuals whose data is shared with us regarding its use.
In providing a range of services to our clients, we may need to process many categories of personal data about them (in case of clients who are private individuals) or individuals associated with them (in case of corporate clients these would typically entail employees, directors, senior management, trustees, members and their beneficiaries, professional advisors, suppliers). The categories of personal data may include personal identification and contact details, employment related information or financial data.
Generally for our services we do not expect our clients to share special categories of personal data (defined as race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, sex life or sexual orientation) and criminal records. Where this is the case we rely on our clients having gained the explicit consent of the individuals concerned, it being a legal obligation or other lawful basis.
Typically, we will collect personal data directly from our clients or from a third party acting on the instructions of the relevant client (e.g. professional advisors or former service providers).
We use personal data for the following purposes:
- Providing professional services: We provide a diverse range of professional services and many of these services require us to process personal data in order to provide advice and deliverables. For example, we will review payroll data as part of an audit.
- Administering, managing and developing our businesses and services: We process personal data in order to run our business effectively, including managing our client relationships, developing our businesses and services, hosting events, and to manage and administer our website, IT systems and applications.
- Security, quality and risk management activities: We have security measures in place to safeguard our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake. We monitor the services provided to clients for quality purposes, which may involve processing personal data stored on the relevant client file.
As part of our client onboarding procedures, we process personal data obtained from publicly available sources (eg sanctions lists, criminal convictions and internet searches) to identify any risks relating to organisations and associated individuals that may prevent us from working with a client or providing a particular service.
- Providing our clients with information about us and our range of services: With consent or otherwise in accordance with applicable law, we use client contact details to provide information about us, our services and activities, including events that may be of interest.
- Complying with legal, regulatory or professional obligations: As a regulated business, we are subject to various legal, regulatory and professional obligations that may require us to keep records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
How long we keep your information for
We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 10 years.
Personal data may be held for longer periods in order to establish, exercise or defend our legal rights.
4. Visitors to our website
Information we collect about you and how we use such information
Visitors to our websites are generally in control of the personal data shared with us. Visitors are able to send an email to us through the website. Their messages will contain the user’s name and email address, as well as any additional information the user may wish to include in the message. When a visitor provides personal data to us, we will only use it for the stated purpose at collection or any purpose obvious in the circumstances of the collection, such as making an enquiry.
We may capture limited personal data automatically via the use of cookies on our website and you can choose if you want to opt-out of cookies or not. Site analytics cookies allow us to measure and analyse how our customers use the site, to improve both its functionality and your browsing experience. By using our site, you agree to us placing these sorts of cookies on your device and accessing them when you visit the site in the future. If you want to delete any cookies that are already on your computer, the “help” section in your browser should provide instructions on how to locate the file or directory that stores cookies. Please note that by deleting or disabling future cookies, your user experience may be affected and you might not be able to take advantage of certain functions of our site.
How long we keep your information for
Personal data collected via our website will be retained by us for as long as it is necessary, which would typically be for as long as we have a relationship with the relevant individual.
5. Applicants for Vacancies
Information we collect about you and how we use such information
During the recruitment process, we ask for information about you to be able to assess your suitability for employment. We do not collect more information than we need to fulfil this purpose and will not retain it for longer than is necessary.
If you apply with us for a post, we may collect the following information on you:
- name and contact details
- your previous experiences and details of your previous jobs
- education details
- referees’ names and contact details
- answers to questions made to you during the recruitment process relevant to the role you have applied for
You are not obliged to provide this information, but your application may be affected if you don’t.
Where we use recruitment agencies, such information is also obtained from the agencies you would have applied with. We may contact your referees, using the details you provide in your application, directly to obtain references.
We might ask you to attend an interview and we may conduct an assessment on the basis of the information collected from your application and the interview. Information will be generated by you and by us and if so, this information is held by us for the recruitment exercise and perhaps after if you are selected.
If we make an offer of employment, we will ask you for additional information so that we can carry out pre-employment checks. Depending on the job requirements, you may be required to provide the following:
- proof of your identity
- proof of your qualifications
- police conduct certificate
- bank details, to process salary payments
- emergency contact details, so we know who to contact in case you have an emergency at work
- health information, to ensure you are fit to work and to cater for any special conditions
This additional information is necessary to finalise your employment and onboarding process. Further processing of your information would be required if we are to apply for a work permit.
Our recruitment team will have access to all of this information. All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area (EEA). The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
How long we keep your information for
If you are unsuccessful following assessment for the position you have applied for, we normally keep the information about your application for a period of 12 months, in case you raise any questions about the process. We may ask if you would like us to contact you for any other vacancy that may arise during this period. If you say yes, we may contact you should any further suitable vacancies arise within that period. You may ask us to cancel this at any time.
If you are employed, we will keep your personal data in accordance with our Employee Handbook.
6. Your rights
Under data protection law, you have the following rights, in relation to the way we process your personal data, although these are not absolute and in some instances, we may be unable to accept your request, in which case we will respond to you to explain why.
- Right to access personal data held by us about you.
- Right to require us to rectify your data without undue delay, in so far as it is inaccurate or incomplete.
- Right to restrict our processing of your data where you dispute the data’s accuracy; or where you have the right to require us to erase the data but you prefer that we restrict our processing instead; or where you need us to hold the data even if we no longer require it as you need to establish, exercise or defend legal claims; or where you have objected to our use of your data and we need to verify whether we have overriding legitimate grounds to use it.
- Right to require us to erase personal data held by us about you. This right will apply where we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent in line with (e) below; or where you object to the way we process your data in line with (f) below.
- Right to withdraw your consent, where we are relying on it to use your personal data.
- Right to object to our processing of personal data held by us about you where the processing of such data is necessary for the purposes of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process personal data which override your rights or which are for the establishment, exercise or defence of legal claims.
- Right to receive the personal data which you had provided to us in a structured, standard and machine-readable format, and to request us to transmit this data to another organisation.
You may contact us as detailed below to exercise any of these rights. These rights are not absolute and, in some instances, we may be unable to accept a request, in which case we will respond to explain why. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if the request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
A fee is not usually chargeable, but we may charge a reasonable fee if a request is clearly unfounded, repetitive or excessive. Alternatively, we may simply refuse to comply with a request in such circumstances.
7. Security of your personal data
We use reasonable efforts to safeguard the integrity, availability and confidentiality of all personal data that we process relating to you. We have put in place technical, physical and managerial procedures so as to ensure that your personal data is protected from unauthorised access; improper use or disclosure; unauthorised modification; unlawful destruction or accidental loss. We regularly review and, where practicable, improve upon these security measures.
All our employees and data processors, who have access to and are associated with the processing of personal data, are further obliged to respect data confidentiality.
By its very nature however, the Internet is not a secure medium and data sent via this medium can potentially be subject to unauthorised acts by third parties. Although we take appropriate precautionary measures, we cannot guarantee the privacy or confidentiality of any information processed through this medium.
Moreover, data sent via the Internet may be transmitted across international borders even where sender and receiver of information are located in the same country. Consequently, data relating to you may be transmitted via a country having a lower level of data protection. We shall accept no responsibility or liability whatsoever for the security of your data while in transit through the Internet.
8. Who we share data with
We only share personal data with others when absolutely necessary for the purposes for which we hold it and where appropriate contractual arrangements and security mechanisms are in place to protect the data and to comply with our data protection, confidentiality and security standards.
We may pass your personal data to:
- suppliers that support us and help us provide services to our clients, such as providers of cloud-based software, IT systems, recruitment, marketing and payment services
- professional advisors, auditors or insurers, where we are required by law or as reasonably required in the management of our business
- law enforcement or other government and regulatory agencies or to other third parties, where we are required by law, the courts or any legal or regulatory authority we are subject to. We will only provide personal data in these circumstances where we are permitted to do so in accordance with applicable law or regulation.
In the event that we share data with third parties outside the EEA, contractual obligations are imposed on the recipients of any data transferred in order to ensure all personal data is protected to the standard required in the EEA.
9. Third-party websites
Our website may contain links to third party websites operated by providers that are not associated with us. If you follow the link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
10. Changes to our Privacy Policy
We will update this Privacy Policy from time to time in response to changing legal, regulatory or operational requirements. We will provide notice of any such changes in accordance with law.
11. How to contact us
Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to: [email protected]
Furthermore, if you have any concerns regarding our processing of your personal data, you have the right to make a complaint to the Office of the Information & Data Protection Commissioner on [email protected]