CiC’s Privacy Policies

CiC appreciates the trust you place in us when sharing your personal data.

The security of that data is very important to us. This privacy policy explains how we collect, use and look after your personal data.

We will explain what rights you have with regard to your personal data and how you can exercise those rights.

WHO WE ARE

CNLR Horizons is a limited company and trades under the name of CiC.

Corporate address: 5th Floor, 18 Mansell St, London E1 8AA

We provide a range of services to employers that support their employees in the United Kingdom and globally. These include:

  • Wellbeing services
  • Specialist mental health support
  • Critical incident and trauma support
  • Stress and resilience support
  • Training and mediation services

COLLECTION OF PERSONAL DATA

Definitions:

For the purposes of this policy CiC is the Data Controller and:

  • A customer is the legal entity we contract with;
  • A client includes the employee, partner of an employee or family member of an employee belonging to the customer we contract with;
  • An affiliate is a contractor who delivers our counselling and support services on our behalf;
  • Third party professional services are third parties that we share your data with in order to deliver critical services to you, e.g. GPs and other medical professionals or legal advisors;
  • Third party processors are third party service providers who undertake data processing activities on our behalf, e.g. IT support services.

We collect personal data from you for one or more of the following purposes:

  • To deliver services to you;
  • To provide you with information that you have requested or which we think may be relevant to a subject in which you have demonstrated an interest;
  • To initiate and complete commercial transactions with you (or your employer) for the purchase of products and/or services;
  • To fulfil a contract that we have entered into with you (or your employer);
  • To manage any communication between you and us.

Table 1 below provides more detail about the data that we collect for each of these purposes and the lawful basis for doing so.

LAWFUL BASIS FOR PROCESSING OF PERSONAL DATA

The table below describes the various forms of personal data we collect and the lawful basis for processing this data. We have processes in place to ensure that only those people in our organisation who need to access your data can do so. A number of data elements are collected for multiple purposes, as the table below shows. Some data may be shared with third parties and, where this happens, this is also identified below.

When we process on the lawful basis of legitimate interest, we apply the following test to determine whether it is appropriate:

  • The purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden, or not, by the individual’s interests, rights or freedoms?

Table 1

Customers and potential customers:

  • Data processed: Company name; Address; Contact first name; Contact last name; Contact emails; Telephone numbers
  • Purpose for processing: To provide and manage the services the customer has requested or to enable us to communicate with them regarding the services they are interested in. We store this data in our CRM database. We also store this data in our accounts system for accounting purposes.
  • Lawful basis: Legitimate interest: where it is in our legitimate interests to manage our customer relationship and provide a high level of service, to protect our business interests and the interests of our customers. To carry out our contractual agreement or take steps to enter into a contract with the customer. Where the law requires it.
  • Data is shared with: Internally and may be shared with affiliate counsellors.

Customers:

  • Data processed: Contact first name; Contact last name; Contact email
  • Purpose for processing: To send the customer monthly help sheets and promotion of Well-online. We store this data in spreadsheets, our database and Mailchimp.
  • Lawful basis: Legitimate interest: where it is in our legitimate interests to manage our customer relationship and provide a high level of service. To carry out our contractual obligation to send the customer help sheets.
  • Data is shared with: Internally and Mailchimp.

Customers, potential customers:

  • Data processed: Company name; Address; Contact first name; Contact last name; Contact email; Telephone numbers
  • Purpose for processing: To handle enquiries and complaints. We may store this data in our CRM, or email system.
  • Lawful basis: Legitimate interest: where it is in our legitimate interests to manage our customer relationship and provide a high level of service, to respond to enquiries and to ensure complaints are investigated promptly and satisfactorily.
  • Data is shared with: Internally and may be shared with affiliate counsellors if necessary.

Customer, potential customer:

  • Data processed: Company name; Address; Contact first name; Contact last name; Contact email; Telephone numbers
  • Purpose for processing: To communicate with the customer/potential customer by email, phone, post or other digital methods. For example: to manage customer and supplier relationships; for the purpose of meeting contractual or regulatory requirements; to keep the customer informed of changes or updates to their services; to respond to an enquiry through our contact us form on our website. We keep records of communication in our CRM, or email system.
  • Lawful basis: Legitimate interest: where it is in our legitimate interests to do so, to manage our customer relationship and provide a high level of service, to protect our business interests and the interests of our clients. Where the law requires it.
  • Data is shared with: Internally and may be shared with affiliate counsellors or other third-party service.

Customers:

  • Data processed: Company name; Address; Contact first name; Contact last name; Position; Contact email; Telephone numbers
  • Purpose for processing: To contact the customer with marketing information and offers relating to the products and services offered by us that we think may be of interest. We store this data in our CRM, and email system. This data may also be processed through Mailchimp.
  • Lawful basis: Legitimate interest: where the customer has purchased our services or requested information about our goods and services. Where the customer has opted-in to receiving marketing information. In relation to direct digital marketing – under the Privacy and Electronic Communications Regulations, if the organisation is a limited company, we may send marketing communications without their consent. However, they can still opt out of receiving marketing emails from us at any time by clicking on the unsubscribe link.
  • Data is shared with: Internally and with third party service providers e.g., Mailchimp.

SPECIAL CATEGORY DATA

Special category data is defined under GDPR 2016 Article 9 as personal data revealing ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The collection and processing of special category data will be dependent on your individual needs and the service being delivered.

This will mainly concern your health, but data concerning other aspects of your life may be discussed (and hence collected and processed) during the delivery of services.

We do not collect special category data related to the customer organisation.

THIRD PARTY SERVICE PROVIDERS WHO WE MAY SHARE YOUR DATA WITH OR WHO COULD POTENTIALLY HAVE ACCESS (AS DEFINED IN TABLE 1)

1. Government and law enforcement agencies:

We may be required by law to share your data with other organisations, such as government or law enforcement agencies:

  • to satisfy any applicable law, regulation, legal process, or governmental request;
  • to detect, prevent, or otherwise address fraud, security, or technical issues;
  • to protect our rights, property or safety, our users and the public;
  • to prevent a crime or harm to another.

2. Professional advisors including lawyers, bankers, auditors and insurers:

This may include exchanging information with other companies and organisations for fraud protection and spam/malware prevention if required by law.

It may also include third parties to whom we sell, transfer, or merge parts of our business or our assets. (Please note we do not sell personal information to third parties.)

3. Employers and health professionals for the purposes of Safeguarding

During the delivery of services, you may disclose thoughts/feelings that give rise to a safeguarding concern. This may mean that the CiC professionals have assessed that you or others are at risk. In these instances, we would contact employers, line managers, health professionals or others in a similar capacity to escalate our concerns. The purpose of this intervention is to prevent you or others from coming to harm. We would normally discuss this with you before making the report, but on occasion we may need to take action without doing so.

If we do share data with third parties, we always do so securely through encrypted email, and we won’t share more than we need to.

YOUR RIGHTS

UK GDPR aims to give you more control of your data. It provides:

Right to access – You have the right to request a copy of the personal data we hold about you.

We will require you to prove your identity – this is in accordance with ICO guidance to ensure that the request is from you and not someone impersonating you.

Acceptable forms of identification can be: passport, driving licence, birth certificate, utility bill (from last 3 months), current vehicle registration document or a bank statement (from last 3 months).

If you can advise of the specific information that you require, we can process your request more quickly.

We will respond to your request within 30 days of us confirming your identity. This is in line with the requirements of Data Protection Act 2018/UK GDPR.

Right to restrict processing – in certain circumstances, you can ask us to restrict our use of your personal data.

Right to rectification – you can ask us to correct inaccurate personal data we hold about you.

Right to erasure (right to be forgotten) – in certain circumstances, you can ask us to erase your personal data.

Right to data portability – you can ask us to provide you with a copy of your personal data in a commonly used electronic format so that you can transfer it to other businesses.

Right to object to automated decision-making – in certain circumstances, you can ask us not to make automated decisions about you based on your personal data that produce significant legal effects.

Right to lodge a complaint – you can lodge a complaint with the Information Commissioner’s Office – ico.org.uk or contact them on: 0303 123 1113.

All queries about data rights should be made to our Data Protection Officer dpo@cicwellbeing.com.

RETENTION OF YOUR DATA

We will keep your data for as long as we have a relationship with you. Once our relationship has come to an end we will only retain your personal data for a period of time that is calculated depending on the type of personal data and the purposes for which we hold that data. We maintain a Retention of Records Schedule to communicate our record retention requirements to all relevant staff and ensure data is not retained for longer than necessary.

We only retain information that enables us to:

  • maintain business records to comply with our contractual obligations
  • comply with record retention requirements under the law/law enforcement agencies
  • defend or bring any existing or potential legal claims
  • maintain records of anyone who does not want to receive marketing from us
  • deal with any future complaints regarding services we have delivered

HOW WE PROTECT YOUR PERSONAL DATA

We are committed to protecting your information. CiC are certified to the ISO 27001 Information Security Standard and Cyber Essentials Plus. We take appropriate technical and organisational measures to guard against unauthorised or unlawful processing of your personal data and against accidental loss or destruction of, or damage to, your personal data.

The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. However, please bear in mind that IT infrastructure and the internet cannot be guaranteed to be 100% secure.

We have security measures in place and restrict access to databases only to those who need access appropriate to their job role.

All personal information and details provided as part of an enquiry, support or service request, or financial details are stored on a secure server. We do not store credit card numbers or related identifying information on any of our servers.

Digital data and hard copy data are securely disposed of when no longer required. This is conducted in line with our information security Disposal of Data Policy and procedure.

REVIEW OF THIS PRIVACY POLICY

We review this policy at least annually. It was last updated on 12th September 2022.