Privacy Policy

Last Updated 1 December 2018


  1. Who we are

Trilateral Research Ltd (“we” or “us”) is a UK limited liability Company. We are registered in England and Wales under company number 8698690 and have our registered office at One Knightsbridge Green, London, SW1X 7QA.

In 2017, Trilateral Research opened an office in the Republic of Ireland as a wholly-owned Limited Company, registered under company number 616396, with its registered office at FDW House, Blackthorn Business Park, Coes Road, Dundalk, Co. Louth, A91 RW26, Ireland, trading at Marine Point, 2nd Floor, Belview Port, Waterford, X91 W0XW, Ireland.

This Privacy Notice applies to both our UK and Irish entities as the data controllers of your personal data. Inquiries regarding this Privacy Notice and data subject rights can be made via DPO@trilateralresearch.com.

  2. Scope of this Privacy Notice

This Privacy Notice aims at informing website visitors, our business and research partners, and other stakeholders about how we process personal data. We are committed to processing personal data responsibly, securely, and proportionally throughout our business.

  3. How we collect your personal data

We collect personal data both directly and indirectly from individuals including:

  • Directly. We obtain personal data directly from individuals in a variety of ways, including but not limited to when:
    • you subscribe to our newsletter(s)
    • you register to attend meetings and events we host, and during your attendance at such events
    • you visit our offices
    • you apply for open employment vacancies
    • we are establishing a business relationship with you
    • we are performing professional services pursuant to a contract
    • you participate in a form or survey for the purpose of proposal and/or tender writing that we perform either independently or in collaboration with you

  • Indirectly. We obtain personal data indirectly about individuals from a variety of sources, including:
    • recruitment services and agencies who provide us with candidate data
    • our business partners
    • our research partners
    • our clients
    • public and open data sources such as public registers (e.g., Companies House), news articles and internet searches
    • social and professional networking sites (e.g., LinkedIn)
    • clients who engage us to perform professional GDPR compliance and DPO services, where the transfer of personal data is necessary for us to fulfil those service contracts

  4. The personal data types we collect

We collect the following types of personal data about individuals, including:

General personal data types, including:

  • Contact details (e.g., name, company name, job title, work and mobile telephone numbers, work and personal email and postal address)
  • Professional information (e.g., job and career history, educational background and professional memberships, published articles, areas of professional interest)


Special categories of personal data, which we collect with explicit consent, including:

  • Dietary restrictions and identification documents when registering for in-person events that may reveal religious beliefs or health preferences
  • Expense forms submitted for internal reimbursement from attendance at events that include bank account information

  5. The lawful bases for processing your personal data

We process personal data on the following bases:

  • Consent – when you provide us with your personal data directly, for example when you subscribe to our newsletter or apply for an open vacancy with us
  • Contract – when processing is necessary for the performance of a contract with you
  • Legal obligations – we may process personal data in order to meet any legal obligation requiring us to do so
  • Legitimate interests – we process personal data when it is necessary for us to achieve the following legitimate interests:
      • Enhancing our research and consulting service delivery for clients; and
      • Undertaking direct marketing and providing insights and speciality knowledge we believe is welcomed by our clients, research partners, subscribers and individuals who have interacted with us.

  6. What we do with your personal data

We process your personal data with the purpose of:

  • Providing consulting services (GDPR compliance services and DPO as a service)
  • Promoting our professional services (including research, consulting and product development) to existing and prospective clients
  • Sending invitations and providing access to guests attending our events and webinars
  • Administering, maintaining and ensuring the security of our information systems, applications and websites
  • Seeking qualified candidates, and forwarding candidate career inquiries to our Human Resource team
  • Processing online requests or queries, including responding to communications from individuals, or requests for proposals and quotations
  • Complying with legal and regulatory obligations

  7. How we secure your personal data when we process it

We have put appropriate technical and organisational security policies and procedures in place to protect personal data (including sensitive personal data) from loss, misuse, alteration or destruction. We aim to ensure that access to your personal data is password protected. We encrypt all data stored at our central location, and access to the data is restricted to those who need it. Those individuals who have access to the data are required to maintain the confidentiality of such information. We install and regularly update all security and anti-virus software in use on all of our systems. Please be aware that the transmission of data via the Internet is not completely secure. Whilst we do our best to protect the security of your personal data, we cannot ensure or guarantee the security of your data transmitted to our site.

  8. Do we share personal data with third parties?

We may occasionally share personal data with trusted third parties to help us deliver efficient and quality services. When we do so, we ensure that recipients are contractually bound to safeguard the data we entrust to them before we actually share the data. We may engage with several or all of the following categories of recipients:

  • Parties that support us as we provide our services (e.g., cloud-based software services such as Dropbox and Microsoft SharePoint)
  • QuickBooks for HR and financial accounting services
  • Our professional advisers, including lawyers, auditors and insurers
  • Payment services providers
  • Marketing services providers
  • Law enforcement or other government and regulatory agencies (e.g., HMRC) or to other third parties as required by, and in accordance with applicable law or regulation
  • Recruitment service providers
  • The European Commission when we are required by them to do so in relation to our work with them on EC funded FP7 and H2020 projects

  9. Do we transfer your personal data outside the European Economic Area?

We store personal data on servers located in the European Economic Area (EEA) and outside of the EEA, namely in the US. We transfer personal data to reputable third-party service providers, namely QuickBooks and Dropbox, situated both inside and outside the EEA. Please refer to their websites for further information about their personal data handling. Each organisation is required to safeguard personal data in accordance with our contractual obligations and data protection legislation.

  10. Do we use cookies?

Our websites use cookies. Where cookies are used, a statement will be sent to your browser explaining the use of cookies. To learn more, please refer to our cookie policy.

  11. Your data protection rights

You have the following rights in relation to the personal data about you that we process. You can exercise these rights by emailing us at DPO@trilateralresearch.com:

  • Right to withdraw consent – You can withdraw the consent you have previously given for one or more specified purposes of processing your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you, and we will advise you if this is the case.
  • Right of access – You can ask us to verify whether we are processing personal data about you and, if so, to have access to a copy of such data.
  • Right to rectification and erasure – You can ask us to correct our records if you believe they contain incorrect or incomplete information about you, or ask us to erase your personal data after you withdraw your consent to processing or when we no longer need it for the purpose for which it was originally collected.
  • Right to restriction of processing – You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, prefer to restrict its use rather than having us erase it, or need us to preserve it for you to establish, exercise, or defend a legal claim. A temporary restriction may apply while we verify whether we have overriding legitimate grounds to process it. You can ask us to inform you before we lift that temporary processing restriction.
  • Right to data portability – In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another company.
  • Right to object – You can object to our use of your personal data for direct marketing purposes, including profiling, or where processing has taken the form of automated decision making. However, we may need to keep some minimal information (e.g., email address) to comply with your request to cease marketing to you.
  • Right to make a complaint to the UK Information Commissioner’s Office (https://ico.org.uk/concerns/handling/) regarding any concerns you may have about our data handling practices.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make an initial request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

  12. How long do we retain personal data?

We retain personal data to provide our services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to. Unless a different time frame applies as a result of business needs or specific legal, regulatory, or contractual requirements, we retain personal data for a period of 5 years.

Typical examples of different time frames include but are not limited to those relating to our obligation to retain data concerning European Union research projects (H2020, Action Grants, FP7, etc.) for up to 10 years after the end of the project (unless further retention is requested by auditors), and the retention period of HMRC-related data, which is 7 years.

Where the records and documentation containing personal data have been collected within the delivery of an EC project, the Commission/Agency will process them in compliance with Regulation No 45/2001 (archived for at least 5 years after the balance is paid unless there are ongoing procedures such as audits, investigations or litigation, in which case the evidence must be kept until these end, even if this is longer than five years). After the expiry of the retention period, and unless further legitimate grounds for retention arise, we will dispose of personal data in a secure manner.

  13. Do we link to other websites?

Our websites may contain links to other sites, including sites maintained by Trilateral Research that are not governed by this Privacy Notice. Please review the destination websites’ privacy policies before submitting personal data on those sites. Whilst we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other sites.

  14. Do we change this Privacy Notice?

We regularly review this Privacy Notice and will post any updates to it on this webpage. This Privacy Notice was last updated 10 August 2018.

  15. Contact us

If you have any concerns as to how your data is processed, you can contact us by email or by post:

Data Protection Officer, Trilateral Research Ltd, One Knightsbridge Green, London, SW1X 7QA, United Kingdom or at DPO@trilateralresearch.com

We will respond to your queries within 30 days from when we receive them.

‘Risk Assessment Report and Methodology’

You can view the Executive Summary and Table of contents of the Project Solebay Risk Assessment Methodology Report.

Please sign up to the Solebay mailing list to download the Full Solebay project report.

Outsourced DPO

See below a list of standard requirements for this service, however we are always available to tailor our services in relation to our clients' needs.

Contact us to discuss further.

Serve as your DPO

Company name and contact details transmitted to the ICO.
Company name and contact details available to:
  • Management
  • Employees
  • Data subjects
Article reference: 37

Contact point for data subjects

  • Contact data accessible on the websites and privacy notices
  • Function as the main public contact point (email & post)
  • Guide your organisation on the possible sources of data access requests.
Article reference: 38(4)

Contact point for Data Protection Authorities (e.g. ICO)

Liaise with the ICO in case of issues with data subjects and data breaches.
Article reference: 39(1)(d), 39(1)(e), 36

Ad hoc advice on difficult data protection issues

Written opinions on data protection queries, with an analysis of relevant issues or other relevant legislative elements
Article reference: 39(1)(a)

Regular newsletter to inform and advise on relevant developments and possible challenges in data protection

Newsletter containing the latest regulatory news and compliance guidance, and news concerning conferences and training opportunities
Monthly
Article reference: 39(1)(a)

Annual gap analysis

Audit and gap analysis to map new activities and data-processing practices
Virtual
Article reference: 39(1)(b)

Status discussion (via phone/skype) and report

Discussion and report
Every 6 months
Article reference: 39(1)(b)

Review of the privacy notices

Review of the privacy notices to ensure accuracy and advice on how to improve
Article reference: 39(1)(b)

Provide advice to the client organisation on how to carry out data protection impact assessments (DPIA) and monitor their performance

We provide advice on:
  • Whether to carry out a DPIA
  • The best methodology to follow
  • Whether to carry out the DPIA in-house or to outsource it depending on the complexity
  • What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
  • Whether the DPIA has been correctly carried out and whether its conclusions are in compliance with the GDPR
Article reference: 39(1)(c)

Oversee the establishment and maintenance of the Record of Processing Activities

  • Contact point for the designated employee
  • Guidance on the Record, including provision of check-lists, best practices, and methodological advice
Article reference: 39

Provide guidance on data breach handling and reporting

  • Contact point for the responsible person
  • Contact point for the ICO
  • Advice on best practices for handling data breaches, including notification requirements, reporting and identification of measures to limit damage
Article reference: 33(3)(b)

Monitor the data-protection-training activities and advise on their necessity

  • Inclusion of a chapter on training in the status reports
  • Provision of news and updates on relevant conferences and training courses (newsletter)
  • Provision of training materials, where appropriate
Article reference: 39(1)(b)

Email and telephone assistance

-
Article reference: -

Bespoke notifications to management on critical legislative, judicial, or policy developments that may impact your business

Email notification with explanation of the development and a preliminary overview of the impact on the organisation
Article reference: 39(1)(a)

Training seminar on the developments of data protection law and policy

-
Article reference: -

Review of the consistency of the internal documents concerning data processing practices

Cross-check of the consistency of the internal documents
Article reference: 39(1)(b)

Weekend and holidays data breach guidance

Data breach guidance during the weekends and holidays
Article reference: -

DPO Assist

See below a list of standard requirements for this service, however we are always available to tailor our services in relation to our clients' needs.

Contact us to discuss further.

Ad hoc advice on difficult data protection issues

Written opinions on data protection queries, with an analysis of relevant issues or other relevant legislative elements
Article reference: 39(1)(a)

Regular newsletter to inform and advise on relevant developments and possible challenges in data protection

Newsletter containing the latest regulatory news and compliance guidance, and news concerning conferences and training opportunities.
Monthly
Article reference: 39(1)(a)

Annual gap analysis

Audit and gap analysis to map new activities and data-processing practices
Virtual
Article reference: 39(1)(b)

Status discussion (via phone/skype) and report

Discussion and report
Annually
Article reference: 39(1)(b)

Review of the privacy notices

Review of the privacy notices to ensure accuracy and advice on how to improve.
Article reference: 39(1)(b)

Provide advice to the client organisation on how to carry out data protection impact assessments (DPIA) and monitor their performance

We provide advice on:
  • Whether to carry out a DPIA
  • The best methodology to follow
  • Whether to carry out the DPIA in-house or to outsource it depending on the complexity
  • What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
  • Whether the DPIA has been correctly carried out and whether its conclusions are in compliance with the GDPR
Article reference: 39(1)(c)

Provide guidance on data breach handling and reporting

  • Contact point for the responsible person
  • Advice on best practices for handling data breaches, including notification requirements, reporting and identification of measures to limit damage
Article reference: 33(3)(b)

Monitor the data-protection-training activities and advise on their necessity

  • Inclusion of a chapter on training in the status reports
  • Provision of news and updates on relevant conferences and training courses (newsletter)
  • Provision of training materials, where appropriate
Article reference: 39(1)(b)

Email and telephone assistance

-
Article reference: -

Bespoke notifications to the top management on critical legislative, judicial, or policy developments that may impact your business

Email notification with explanation of the development and a preliminary overview of the impact on the organisation
Article reference: 39(1)(a)

Compliance Support

See below a list of standard requirements for this service, however we are always available to tailor our services in relation to our clients' needs.

Contact us to discuss further.

Data Mapping

Map the data flows within your organisation to better understand how personal information flows between departments

Data Protection Impact Assessments

Where required by the GDPR or national law, conduct or review DPIAs using our library of good practices
Article reference: 35

Consent and Privacy Notice Requirements

Revise and improve consent and privacy notices to meet transparency and accountability requirements

Gap Analysis

Identify gaps in your organisation's compliance with the GDPR, national data protection legislation or sectoral legislation

Data Protection Audit

Audit your organisation's activities to assess your compliance with applicable data protection law

Data Protection-by-design and -default

Work with your technical and admin teams to operationalise Data Protection-by-design and -default, using established good practice
Article reference: 25

Training

We offer general, role-based (e.g., HR) and activity-based (e.g., DPIA) training. All our training materials are designed to be accessible to non-experts and easy to use.

General compliance support

Support for creating required documentation, including but not limited to Records of Processing Activities, data retention (and deletion) schedules, personal data breach procedures, subject access request procedures, training materials and legitimate interest assessments.