Version 1.0. Effective Date: March 19th 2019
1. Who We Are and What this Policy is
Hereafter commonly referred to as “Ataya & Partners,” “A&P,” “we,” “us” and “our” etc.
We are a management consulting company in the domains of IT and digital management and governance, cybersecurity and data protection.
We provide a variety of management consulting, education, certification, forensic and other value-added services in these domains to our clients and other parties (collectively, our “Services”). For additional information on our Services please visit https://www.atayapartners.com.
We may collect personal information in the course of our business, including through your use of our Site, when you contact us or request information from us, when you engage our Services or as a result of your relationship with one or more of our staff and clients. When we require personal information from you in order to fulfill a statutory or contractual requirement, or where such information is necessary to enter into a contract or is otherwise an obligation, we will inform you and indicate the consequences of failing to do so.
Our Data Protection Office can be contacted at firstname.lastname@example.org or via mail at Ataya and Partners SPRL/BVBA, f.a.o. Data Protection Office, Avenue Louise 479/58, 1050 Brussels, Belgium.
2. Personal data we collect and/or process
Registrations, subscriptions and forms
If you register with us via the Site, sign up to receive news and information from us, or communicate with us through or related to the Site (e.g. when you fill out a ‘Contact Us’ form, sign up for our mailing lists), register for events we host or sponsor, submit information as part of certain online services, post comments on our blogs, or otherwise provide us information through the Sites, we may collect the following personal information:
- Your name, job title and company.
- Contact information for you, including the company you work for, email address and phone number.
- Demographic information, such as your address, preferences and interests.
- Other information relevant to the provision of Services or to your request or inquiry (such as contact preferences and interests, business affiliations).
- For events, it may include dietary restrictions, requested accommodations and other event-related preferences.
From individuals who are clients and prospective clients, or are representatives of clients and prospective clients, we may collect the following personal information:
- Your name, the named A&P client, the name of the company you work for (if different) and your job title.
- Contact information for you, the named A&P client, and the company you work for (if different), including address, phone number and email address.
- Payment information (including bank account and wire details), billing instructions and preferences (including to whom to direct invoices). Relevant information so that we can perform conflicts of interest checks.
- Relevant information as required by regulatory Know Your Client and/or Anti Money Laundering regulations and as part of our client intake procedures. This may possibly include evidence of source of funds, at the outset of and possibly from time to time throughout our relationship with clients, which we may request and/or obtain from third party sources. The sources for such verification may include documentation, which we request from the client or prospective client or through the use of online or public sources or both.
- Information you provide to us for the purposes of attending meetings and events, including dietary requirements, which may reveal information about your health or religious beliefs.
- Information that you provide to us as part of the provision of Services to you, which depends on the nature of your engagement with A&P.
- Other information relevant to the provision of Services.
Related parties and client representatives
A&P is primarily engaged by corporate entities and clients (ie, legal entities), and those legal entities are not data subjects (ie, natural persons to whom personal information relates).
However, as part of our engagement with these clients, we may receive personal information about individuals. For example, we may receive names, contact details and other information relating to:
- Officers, representatives and/or personnel of our corporate clients or prospective clients, as well as their affiliated and related entities.
- Adverse parties in a matter or potential matter, such as claimants, plaintiffs, defendants, public representatives, public servants, experts and other entities.
- Vendors and suppliers of our clients or prospective clients.
- Current and former consultants and other professional advisors or suppliers of our clients or prospective clients.
- Government and/or law enforcement entities and their representatives.
- If you are an individual whose personal information is processed by us as a result of providing the Services to others (including individual clients and corporate clients or supplier, contractor or representative of this supplier or contractor), we will process a variety of different personal information depending on the Services provided.
We might also need to process personal information in relation to other third parties instructed either by our own clients or other persons or companies involved in providing the Services to our client (eg, other contractors, experts etc.).
These examples are non-exhaustive, which is reflective of the varied nature of the personal information we process as part of a professional management consulting company providing Services in our domains.
For clients and prospects, we also collect information to enable us to market our Services and to organize events, which may be of interest to you. For this purpose, we collect:
- Name and contact details.
- Other business information, such as job title and the company you work for.
- Areas or topics that interest you.
- Additional information may be collected, such as events you attend and if you provide it to us, dietary preferences which may indicate data about your health or religious beliefs.
3. Purpose and legal bases for our use of your personal data
Our processing of personal information is justified by a “legal basis”, that is, a specific condition. We may use personal information for the following purposes, in each case as justified by a legal basis:
Fulfilment of Services
We use personal information to enable us:
- to perform the Services, respond to your requests and deliver our Services,
- to provide legal advice and related Services for which you have engaged us,
- to verify your identity, and carry out requests made by you on the Site or in relation to our Services.
Legal basis: This processing is necessary for our compliance with our contractual obligations with you as a Party (including our professional standards and ethical duties). Also, it is in our legitimate interest or a third party’s legitimate interest to use your personal information in such a way to ensure that we provide the very best client service we can to you or others and comply with our professional and ethical duties, consistent with applicable law.
We use personal information to provide and operate our Site and the Services,
- to communicate with you about your use of the Site and Services,
- to respond to your inquiries, to provide troubleshooting,
- to provide and operate our Sites,
- to provide technical support,
- to respond to your inquiries,
- to fulfill your orders and requests,
- to communicate with you,
- to bill you for our Services,
- to process and collect payments,
- to respond to complaints and inquiries,
- to provide technical support, and
- to provide other client service and support.
Legal basis: This processing is necessary to establish, exercise or defend our contractual rights and duties. It is in our legitimate interest or a third party’s legitimate interest to use your personal information in such a way to ensure that we provide the very best client service we can to you or others and comply with our professional and ethical duties, consistent with applicable law.
Business administration and legal compliance
We use personal information for the following business administration and legal compliance purposes:
- To perform and maintain information for the purposes of performing conflicts of interest searches.
- To comply with our legal obligations (where needed, based on GDPR, ePrivacy regulation, Know Your Client, Anti-Money Laundering, Anti-Bribery, conflicts or similar obligations including, but without limitation, maintaining regulatory insurance).
- To enforce our legal rights.
- To investigate and/or settle inquiries or disputes.
- To comply with any applicable law, court order, other judicial process, law enforcement requests or the requirements of a regulator.
- To enforce our agreements with you.
- To protect the rights, property or safety of us or third parties, including our other clients and users of the Site or our Services.
- To maintain our records.
- To process business transaction data, such as in connection with a merger, or a restructuring, or sale.
- To use as otherwise required or permitted by law, consistent with these purposes.
- When necessary to enforce, establish or defend our legal rights, or to protect the rights of third parties.
- Anonymous and de-identified information to assess, improve and develop our business, products and services, and for similar research and analytics purposes.
Legal basis: Such processing is either necessary to comply with the legal and contractual obligations imposed upon us or in our legitimate interest or a third party’s legitimate interest to use your personal information for these business administration and legal compliance purposes.
Marketing and promotions
We may use personal data for marketing and promotional purposes, such as to send you news and newsletters, or to otherwise contact you about products or information we think may interest you, by email and direct (postal) mail. We may also use it to develop new Services and determine how to market our Services.
We may also process your personal data to tailor content we may send or display on the Sites, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences.
Legal basis: It is in our legitimate interest to use your personal information for marketing purposes in order to develop and grow our business and Services and promote the reputation of our firm. We will, where required by applicable law, obtain your consent to send such communications.
For example, when we process your personal data for direct marketing purposes, including to send you newsletters, client alerts and information we think may interest you, when this requires an opt-in consent to receive electronic marketing messages, we will only send you such messages if you opt-in to receive them.
We may use personal information in order to respond to Requests for Proposals (“RFPs”), prepare for and present pitches and other proposals, and identify potential business opportunities. Largely, this involves our collection and use of non-personal business information about current, former and prospective corporate clients. However, we may also process limited personal information about individuals (name, current and former company, current and former title, contact information and similar information).
Legal basis: This processing is done based on our legitimate interest to use your personal information in order to develop and grow our business and Services and promote the reputation of our company. We also may process this information to respond to an RFP or a specific request in anticipation of a contract with you (ie, engagement for Services).
Becoming an A&P Candidate
In the event you, or one or more of the representatives of your company (hereafter “the Candidate”), are interested in working with A&P, either as an employee or to join A&P as a freelancer or in another form of collaboration, you can provide us with information on your personal and professional background (“Candidate Information”) that we will, subject to our sole discretion, take into consideration or not as part of the Services.
A separate consent for this data collection will be required. To do so, please visit www.atayapartners.com and, on the registration page in the “career” section, confirm by hitting “Continue”.
Providing any Candidate Information is purely voluntary on your part. Although it is generally true that, the more information you share with us, the better we are able to assess your potential suitability for an open position, we urge you not to disclose to us any Candidate Information that is likely of little or no relevance or may not even be legally considered as part of common hiring processes. This applies, in particular, to sensitive personal data.
If and to the extent you share Candidate Information with us through the Site, we might follow up with you using the contact details you may have provided in order to clarify any questions we might have or obtain complementary information from you.
In addition, we might conduct assessments of your professional profile and perform searches for information on your personal and professional life publicly available via social media services (e.g. Facebook, Google, LinkedIn, Twitter, etc.), on the Internet (so not directly obtained from you) or within data you have previously disclosed to us, provided that such information might be of importance to your qualification for a particular position. Any resulting information will be considered Candidate Information and be processed as described below together with the Candidate Information you initially provided us with through the Site.
Your Candidate Information will mainly be processed by and on behalf of A&P. However, depending on how and where the Services need to be performed in your individual case, your Candidate Information might, in addition, be processed by one or more A&P Partners Entities and consultants, as listed on our website here.
The Candidate Information Processed by A&P is (a) your contact details (name, address, phone number, email address, etc.), (b) your biographical data, (c) information on your professional education, and (d) your educational credentials, professional diplomas and certificates. In addition, it may contain (e) your employment and compensation history, (f) data on your suitability for client opportunities we compile as part of our assessments of your professional profile, (g) information on your personal and professional life publicly available via social media services (e.g. Facebook, Google, LinkedIn, Twitter, etc.) or otherwise on the Internet that might be of importance to your qualification for a particular position, and (h) sensitive personal data you might choose to disclose to us.
Please provide us with any relevant modifications and changes in your personal data.
As part of the Services, your Candidate Information may be processed for the purposes of (a) searches for potential candidates on behalf of clients that have an opening for the Services provided by A&P, (b) assessing your suitability for client opportunities, (c) informing you of open positions potentially suitable for you, (d) introducing you to clients as a candidate, and of (e) verifying your educational credentials, professional diplomas and certificates. In addition, your Candidate Information may be processed for the purposes of (f) performing searches for information on your personal and professional life publicly available via social media services (e.g. Facebook, Google, LinkedIn, Twitter, etc.), on the Internet or within data you have previously disclosed to us, provided that such information might be of importance to your qualification for a particular management or expert position, (g) approaching you, after you have been placed with a client, as a client contact for the placement of other candidates or as a source of information about potential candidates for third-party clients, (i) ensuring that, after your placement with a client, you will not be recruited on behalf of another client unless you request consideration for other opportunities, and of (j) operating the databases your Candidate Information is stored in.
At no point will your Candidate Information be matched, linked or otherwise connected with Personal Information collected through other components of the Site or Services for purposes other than providing Client Services. Your Candidate Information will be processed until you revoke your consent given when sharing Candidate Data with us through the Site. Upon the revocation of your declaration of consent, we will delete your Candidate Information.
By sharing your Candidate Information with us through this Site, you explicitly consent to the Processing of your Candidate Information, including any sensitive personal data you might choose to disclose to us, as described above. You acknowledge that you are under no obligation to provide your consent and that, if you choose to do so nonetheless, you may revoke your declaration of consent at any time with future effect by contacting us.
Client insight and analytics
We use personal information to better understand how you and others use our Services, so that we can improve our Site and Services, develop new features, tools, offerings, services and the like, and for other research and analytical purposes. We also use the information we collect to measure the effectiveness of our online content and how visitors use our Site and our Services. This allows us to learn what pages of our Site are most attractive to our visitors, which parts of our Site are the most interesting, and what kind of offers our registered users like to see. We may use this information and the insights we have derived for marketing purposes (see the marketing section above for further details), or to make decisions about events, news and information that may be of interest to clients, prospective clients, Site users and others.
Legal basis: It is in our legitimate interest to use your personal information in such a way to ensure that we provide the very best Services to our clients and others in order to develop and grow our business and Services and promote the reputation of our company.
Industry benchmarking and rankings
We may participate in industry surveys and reports, which clients use to assess management consulting firms and the management consulting industry. Largely, this involves our collection and use of non-personal business information about clients and matters.
However, we may also review and share limited personal information about individuals (such as referee name, title and contact).
Legal basis: It is in our legitimate interest to use your personal information in order to develop and grow our business and Services and promote the reputation of our company. Where required, we will obtain your consent.
Prevent misconduct, abuse and misuse
Subject to our professional and ethical duties, we use personal information where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our terms of engagement. We also use personal information to protect and secure the Site and our information systems and networks.
Legal basis: This processing is necessary to comply with legal obligations imposed upon us. It is necessary to enforce, establish or defend our legal rights, or to protect the rights of third parties. It is in our legitimate interest or a third party’s legitimate interest to use your personal information to comply with other legal obligations. In some cases, this processing will be necessary to perform a contract to which you are a party.
4. Sharing your personal data
A&P is a management consulting company that is part of a larger network of partners, contractors and affiliated companies (“A&P Partner Entity”). Any information that we collect or that you provide to us may be shared and processed by any A&P Partner Entity based in the European Union. You can find out more about the A&P partner entities and locations here (affiliation network).
We may also share personal information with a variety of the following categories of third parties as necessary, in their capacity as sub-contractor data processors:
- Our professional advisers, such as lawyers, security consultants, auditors and accountants.
- Government and/or regulatory authorities.
- Professional indemnity insurers.
- Regulators, tax authorities and/or corporate registries.
- Third parties to whom we outsource certain services, such as, without limitation, document processing and translation services, confidential / personal data encryption, anonymization, pseudonymization and disposal, IT systems or software providers, IT Support service providers, and document and information storage providers.
- Third parties engaged in connection with our Services, such as counsels, arbitrators, mediators, clerks, witnesses, court reporters, court, opposing party and their lawyers, document review platforms and experts, such as tax advisors.
- Third party service providers to assist us with client insight analytics, such as Google Analytics.
- Third party postal or courier providers who assist us in delivering our postal marketing campaigns to you, or delivering documents related to a matter.
These data processors will process personal information on our behalf and at our direction. We conduct an appropriate level of due diligence and put in place contractual documentation in relation to any sub-contractor to ensure that they process personal information appropriately and according to our legal and regulatory obligations.
Further, we may appoint external data controllers where necessary to deliver the Services (for example, but without limitation, accountants, attorneys, consultants and other third party experts including, but without limitation, other A&P Partner Entities, as well as other management consulting companies). When doing so, we will comply with our legal and regulatory obligations in relation to the personal information including, but without limitation, putting appropriate safeguards in place.
We will normally not transfer personal information to countries outside the EEA (including to other A&P Partner Entities) unless they provide an adequate level of protection for your personal data (as recognized by the thereto competent official bodies).
If, in exceptional cases, transfer to other countries is required, that will only be done after such entities have signed a data sharing agreement, based on the EU standard contractual clauses, to provide appropriate safeguards and an adequate level of protection for personal data.
Our Site uses certain cookies, pixel tags, log files, local storage objects and other tracking technologies to operate and improve our Site and our Services and to collect information about how our Site is accessed and used and about Site performance and security.
The data is typically collected when users access or use the services or visit our Site, and includes information such as an IP address, general location information, domain name, page views, a date/time stamp, browser type, device type, device ID, Internet service provider (“ISP”), referring/exit URLs, operating system, language, clickstream data, and other information about the links clicked, features used, size of files uploaded, streamed or deleted, and similar device and usage information.
Legal basis: It is necessary for us to perform our obligations in accordance with any contract or engagement that we may have with you. It is in our legitimate interest or a third party’s legitimate interest to use personal information in such a way to ensure that we provide the Services in the best way that we can.
6. Retention of personal data
In general, we will retain relevant personal information of Site visitors for at least two years from the date of our last interaction with you and in compliance with our obligations under applicable laws, or for longer if we are required to do so according to our regulatory obligations or professional indemnity obligations, or where we believe necessary to establish, defend, or protect our legal rights and interests or those of others.
We generally retain files and information regarding client engagements and matters for which we have been retained for at least seven years from the date of our last interaction with the relevant client, in compliance with our obligations under applicable laws, or for longer where required by our regulatory obligations, professional indemnity obligations, or where we believe necessary to establish, defend, or protect our legal rights and interests or those of others. We may then destroy such files without further notice or liability.
As explained above
The Candidate Information will be processed and maintained in our records as long as your account is active and at the latest 24 months after the last contact, exchange of information or update of data.
Other specific retention times, as imposed by law or based on a detailed privacy assessment done by us, may apply for some of the processing of personal data. If you have any questions in this regard, please do not hesitate to contact us.
7. Confidentiality and security of your personal data
We are committed to keeping personal data secure and we have implemented appropriate information security policies, rules and technical measures to protect the personal information that we have under our control from unauthorized access, improper use or disclosure, unauthorized modification and unlawful destruction or accidental loss. Please note that no transmission over the internet is completely secure or error-free, and that the information security policies, rules and technical measures utilized and maintained by us may be subject to compromise.
All of our partners, employees, consultants, workers and data processors (i.e., those who process your personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal data, are obliged to respect the confidentiality of such personal data.
8. Your rights in relation to the personal data we hold
You have the following rights in relation to the personal data we hold about you:
Your right of access
If you ask us, we will confirm whether we are processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
Your right to correction (rectification)
If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it corrected. If you are entitled to have information corrected and if we have shared your personal information with others, we will let them know about the rectification where possible. If you ask us, we will also tell you, where possible and lawful to do so, with whom we have shared your personal information so that you can contact them directly.
Your right to erasure
You can ask us to delete or remove your personal information in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal information with others, we will let them know about the erasure where possible. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information so that you can contact them directly.
Your right to restrict (block) processing
You can ask us to restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information so that you can contact them directly.
Your right to data portability
You have the right, in certain circumstances, to receive a copy of personal information we’ve obtained from you in a structured, commonly used and machine-readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
Your rights in relation to automated decision-making and profiling
You have the right not to be subject to a decision when it’s based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.
Your right to withdraw consent
If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.
Your right to lodge a complaint with the supervisory authority
If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the relevant supervisory authority.
In Belgium, this is the Autorité de protection des données
Rue de la Presse, 35, 1000 Bruxelles
32 (0)2 274 48 00
Please note that some of these rights may be limited where we have an overriding legitimate interest or legal obligation to continue to process the personal information, or where the personal information may be exempt from disclosure due to applicable law, the applicable rules of professional conduct, other applicable privileges or protections, or professional secrecy obligations.
9. Collection of information by third-party sites and sponsors
Our Site may contain links to other sites whose information practices may be different than ours. Visitors should consult the other sites’ privacy notices as A&P has no control over information that is submitted to or collected by these third parties.
The Site is not for use by children under the age of thirteen (13) years, and we do not knowingly collect, store, share or use the personal information of children under 13 years. If you are under the age of 13 years, please do not provide any personal information, even if prompted by the Site to do so. If you are under the age of 13 years and you believe you have provided personal information to us, please ask your parent(s) or guardian(s) to notify us and we will delete all such personal information.
11. Changes to this Policy
We may make changes to this Policy from time to time, to reflect changes in our practices. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Where we materially change this Policy, we will take steps to notify you (such as by posting a notice on the Site or via email), and where required by applicable law to obtain your consent.