US Privacy Statement

CFGI is strongly committed to protecting your privacy. Personal Information collected by us is used for marketing purposes and to improve your browsing experience. This policy sets out the different ways we collect Personal Information and how we use it. It also explains your rights in relation to this Personal Information and how to contact us.

UPDATED: NOVEMBER 2019

Information We Collect

Information voluntarily provided to us: for example, when you sign up to our services, subscribe to our communications, provide information to us and / or access certain resources on our website.

Information we collect automatically: when you use our services or browse our website we may collect information such as:

IP addresses: We use IP addresses to collect statistical information about the areas of the site that users are visiting, and general “traffic” data and to identify a particular user in relation to items being viewed. This information allows us to determine what is most beneficial for users, and facilitates us in continually improving the overall site for our users.

Cookies: A “cookie” is a small amount of data that is sent to a user’s browser from a web server and stored on a user’s computer, used to store and track information about the user. When you visit our site, we may use cookies containing information (such as a unique user ID) to track your usage of our site. CFGI also utilises basic cookies to enable caching of our content in your browser to help accelerate page loading performance.

Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of our site.

Web beacons: We use web beacons (or clear gifs) on our website and in our emails. When we send emails, we may track behaviour such as who opened the emails and who clicked the links. This allows us to measure the performance of our email campaigns and to improve our services. Web beacons allow us to collect information about when you open the email, your IP address, your browser or email client type, and other similar details.  We tie the information gathered by clear gifs in emails to our subscribers’ Personal Information. If you would like to opt out of these emails, please see the section on “Opting Out and Unsubscribing” below.

In addition, we partner with third party ad networks to manage our advertising on other sites. Our ad network partners use cookies and web beacons to collect anonymised information about your activities on this and other websites to provide you with targeted advertising based upon your interests.  If you wish to not have this information used for the purpose of serving you targeted ads, you may opt-out by clicking here. Please note this does not opt you out of being served advertising.  You will continue to see generic ads.

Use of Personal Information

In general, we will only use the Personal Information you provide to us for the purpose for which it was provided. You may opt-out of receiving communications from us by following the instructions set forth in the “Opting Out and Unsubscribing” section below. We reserve the right to access and to disclose Personal Information to comply with applicable laws and lawful government requests, to operate our systems properly or to protect either ourselves or our users.

We may use your Personal Information to:

  • Provide our website or our services to you
  • Improve our website, your browsing experience and / or the services we provide to you
  • Send you information or marketing communications which we think may be of interest to you
  • Deliver tailored advertising
  • Respond to any communications you may send us

Retention of Personal Information

We retain Personal Information that you provide us as long as we consider it potentially useful in contacting you about the services we provide, or as needed to comply with our legal obligations, resolve disputes and enforce our agreements. We will delete this information from the servers at an earlier date if you so request, as described in “Opting Out and Unsubscribing” below.

Security

Our website has industry standard security measures in place to protect the loss, misuse, and alteration of the information under our control. While there is no such thing as “perfect security” on the Internet, we will take reasonable steps to ensure the safety of your Personal Information.

Opting Out and Unsubscribing: Reviewing, Correcting and Removing Your Personal Information

Upon request we will provide you with information about whether we hold any of your Personal Information. If you provide us with your Personal Information, you have the following rights with respect to that information:

The right to access – You have the right to request copies of your Personal Information. We may charge you a small fee for this service.

The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request we complete the information you believe is incomplete.

The right to erasure – You have the right to request that we erase your Personal Information, under certain conditions.

The right to object to or restrict processing – You have the right to object to or request that we restrict the processing of your Personal Information, under certain conditions.

The right to data portability – You have the right to request that we transfer the Personal Information that we have collected to another organisation, or directly to you, under certain conditions.

To exercise any of these rights, please contact us at info@cfgi.com.  You can also opt out of promotional emails we send by clicking the unsubscribe link included at the bottom of the email.

Third party sites

Our website contains links to third party sites. This privacy policy applies only to our website.


UK Privacy Statement

CFGI (UK) Limited (“CFGI UK”, “we”, “our” or “us”) collects your personal data for various purposes, as detailed in this Privacy Statement. When we collect or use your data, CFGI UK is the “controller”, which means we decide how and why your personal data is processed. This Privacy Statement sets out the different ways we collect personal data and how we use it. It also explains your rights in relation to your personal data and how to contact us.

UPDATED: JUNE 2023

We publish the current version of this Privacy Statement on our website, and we may update this from time to time.

We will notify you of these updates where:

  • we are making substantial changes; or
  • we are doing something with your personal data, which you might not expect based on what we have told you in this Privacy Statement.

Please read our Privacy Statement to understand our approach to processing your personal data.

Contact information

If you have a question on this Privacy Statement or how we use your personal data, please email dataprotection@CFGI.com or write to us at CFGI (UK) Limited, 1 Park Row, Leeds, LS1 5AB, United Kingdom.

How we collect your personal data

Your personal data is collected by CFGI UK in a few ways:

  • Personal data you give directly;
  • Personal data we collect from third parties;
  • Personal data we collect from the monitoring of system use.

Personal data we collect

We may collect, hold and use the following personal data from or about you. Some of these are optional or depend on CFGI UK’s obligations to its customers, employees and job applicants:

  • Contact details: this may include your email address, phone number, telephone number and home address;
  • Identity details: this may include your first name, maiden name, last name, marital status, title, date of birth and gender;
  • Health data: this may include your medical certificates, self-certification forms, records of sickness absence, medical reports and health assessments;
  • Financial data: this may include your billing address, bank account and payment card details;
  • Criminal offence data: this may include information relating to any criminal convictions or criminal charges secured or brought against you;
  • Trade union membership data: this may include data about your trade union membership;
  • Data about your use of the CFGI UK website: this may include your IP address, cookies, web beacons, browser type and version, time zone and language and notification preferences;
  • Information about how you use our IT, communication, and other systems: this may include your user account, email activity and call details;
  • Personal data provided when you apply for work with us: this may include personal data you provide in your curriculum vitae and covering letter, information provided as part of the interview process; and
  • Other personal data about yourself that you provide voluntarily (for example, when you sign up to our services, subscribe to our communications, provide information to us and/ or access certain resources on our website): this may include your interests, social media profile links, job title, emergency contact details and absence records.

Personal data we do not collect: Children’s data

CFGI UK’s website is intended for use by adults aged 18 years or over and we do not knowingly collect personal data from people under 16 years of age.

Who we share your personal data with

We use third party sub-processors and other third party service providers to provide our service and communicate with you in connection with the purposes set out in section How and why we use your personal data. We have certain safeguards in place to protect your personal data. For example, written agreements that only permit third party sub-processors to process your personal data for specified purposes and subject to certain security measures.

We routinely share personal data with:

  • Cloud-based email and data storage providers;
  • Business application software providers;
  • Payroll agencies;
  • Benefit (including pension) providers;
  • HM Revenue & Customs;
  • Computer maintenance companies;
  • Professional advisers;
  • Other affiliates (CFGI, LLC and other holding and parent companies are all affiliates);
  • Potential purchasers of the business.

We may also share anonymous aggregate usage statistics or anonymous individual data for service evaluation and improvement purposes with consultants or research organisations that we work with from time to time. This anonymous data is not itself personal data, and we take care to ensure that individuals cannot be identified (or indeed re-identified) in the data.

How and why we use your personal data

Under the UK General Data Protection Regulation 2018/679 (the “UK GDPR”) and the Data Protection Act 2018 (the “DPA 2018“) (together the “Data Protection Laws”), CFGI is allowed to use personal data only if we have a proper reason to do so. This is called our ‘lawful basis’ for processing. The four main ways that we are permitted to use your personal data are:

  • When you consent to us using your personal data;
  • When it is in our legitimate interests.

Many of these uses are mandatory – in other words, where we need to use your personal data to meet our contractual obligations to you, or to meet our legal obligations. We have provided more detail below on what personal data we use, why and which of the above categories we are relying on for each purpose.

We have determined, acting reasonably and considering the circumstances, that we are able to rely on legitimate interests as the lawful basis on which to process your personal data in certain circumstances (we have stated this below and set out our legitimate interests). We have reached this decision by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual.

We have provided more detail below on what personal data we process, why we process your personal data and which of the above categories we are relying on for each purpose.

We may use your personal data for more than one purpose, depending on the circumstances. We have listed the primary lawful basis that we will typically rely on in the tables below. There may be situations where we rely on two lawful bases as a matter of course to achieve the same or similar purposes.

Our PurposeLawful basis and applicable UK GDPR reference
To provide our website or our services to youIt is in our legitimate interests to process your personal data in connection with this purpose (UK GDPR Article 6(1)(f)).   Where it is not in our legitimate interests, we will obtain your explicit consent (UK GDPR Article 6(1)(a)).  
To improve our website, your browsing experience and / or the services we provide to you  It is in our legitimate interests to process your personal data in connection with this purpose (UK GDPR Article 6(1)(f)).   Where it is not in our legitimate interests, we will obtain your explicit consent (UK GDPR Article 6(1)(a)).  
To send you marketing communications which we think may be of interest to you   This may include where you sign up to our CFGI UK newsletter or contact us for a Request for Proposal.  It is in our legitimate interests to process your personal data in connection with this purpose (UK GDPR Article 6(1)(f)).   Where it is not in our legitimate interests or consent is required under the direct marketing rules, we will obtain your explicit consent (UK GDPR Article 6(1)(a)).  
To provide you with service communications   This may include where we inform you of changes to our terms or policies, our services or other important notices.It is in our legitimate interests to process your personal data in connection with this purpose (UK GDPR Article 6(1)(f)).   Where it is not in our legitimate interests to do so, we will obtain your explicit consent (UK GDPR Article 6(1)(a)).  
To conduct our businessThe lawful basis for processing your personal data, including your health data, for this purpose is to fulfil our contractual commitments to you (UK GDPR Article 6(1)(b)).   Where the above does not apply, it is in our legitimate interests to process your personal data in connection with this purpose (UK GDPR Article 6(1)(f)).   We will obtain your explicit consent (UK GDPR Article 6(1)(a)) should neither of the above-mentioned lawful bases apply.  
To perform our responsibilities as employer and administer the employment relationship (during the application process and after the employment)The lawful basis for processing your personal data, including your health data and trade union membership data, for this purpose is to meet our legal obligations (UK GDPR Article 6(1)(f)).   Where the above does not apply, the lawful basis for processing your personal data, including your health data and trade union membership data, will be to fulfil our contractual commitments to you (UK GDPR Article 6(1)(b)).   Where the above bases do not apply, it is in our legitimate interests to process your personal data in connection with this purpose (UK GDPR Article 6(1)(f)).   Where the above bases do not apply, the lawful basis for processing your personal data, including your health data and trade union membership data, will be by obtaining your explicit consent (UK GDPR Article 6(1)(a)).   Where we process special category data, the following exemptions apply: Your explicit consent (UK GDPR Article 9(2)(a))It is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment (UK GDPR Article 9(2)(b) and Schedule 1, Part 1, Paragraph 1 of the DPA 2018)For reasons of substantial public interest (UK GDPR Article 9(2)(g)) and Schedule 1, Part 1, Paragraph 8 of the DPA 2018).  
To conduct checks to identify our clients and verify their identity to comply with legal and regulatory obligations  The lawful basis for processing your personal data for this purpose is to meet our legal obligations (UK GDPR Article 6(1)(f)).   Where the above does not apply, the lawful basis for processing your personal data is when it is in our legitimate interests (UK GDPR Article 6(1)(f)).   Where we process special category data, the following exemptions apply: Your explicit consent (UK GDPR Article 9(2)(a))It is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment (UK GDPR Article 9(2)(b) and Schedule 1, Part 1, Paragraph 1 of the DPA 2018)For reasons of substantial public interest (UK GDPR Article 9(2)(g)) and Schedule 1, Part 1, Paragraph 10 of the DPA 2018).  
To ensure compliance with CFGI UK’s policies and detect any unauthorised use of CFGI UK’s IT infrastructure and systems  The lawful basis for processing your personal data for this purpose is when it is to meet our legal obligations (UK GDPR Article 6(1)(f)).   Where the above does not apply, the lawful basis for processing your personal data, including your health data, will be to fulfil our contractual commitments to you (UK GDPR Article 6(1)(b)).   Where neither of the above bases apply, the lawful basis for processing your personal data is when it is in our legitimate interests (UK GDPR Article 6(1)(f)).  

Links to other websites

You should also be aware that where you link to another website from CFGI UK, CFGI UK has no control over that website. Accordingly, CFGI UK cannot guarantee that the controller of that website will respect your privacy in the same manner as CFGI UK.

Data security and storage

In order to prevent unauthorised access or disclosure, we have put in place suitable policies and procedures to safeguard and secure the information we process.

All CFGI UK employees are contractually bound to respect the confidentiality of any personal data held by CFGI UK.

Retention of personal data

We shall retain personal data in accordance with our Information Security Policy. In summary:

  • We use Microsoft 365 for email and file storage.
  • We are not required to retain any client work product given the nature of our services. Our work output is immediately owned by the client upon delivery and payment. Client information is retained in accordance with a non-disclosure agreement (“NDA“) or engagement letter. We will dispose of client information if requested by a client if it is in accordance with the NDA, engagement letter and regulatory requirements.
  • We have policies in place to ensure that documents that we do retain are disposed in accordance with applicable laws.

Sending data outside of the UK or the EEA (by us)

Your personal data may be transferred to third-party organisations, some of whom (where applicable) may be located outside of the UK or the EEA, to facilitate provision of our services. For example, this could happen if any of our servers that store your personal data are located in a country outside of the UK or the EEA, or when one of our service providers is located in a country outside of the UK or the EEA, such as South Africa or Australia. Different countries have different data protection and security laws and some of these do not offer the same level of protection as you enjoy under the Data Protection Laws.

We will have agreements with these third-party organisations which provide that they will not use your personal data for any purposes other than those we have agreed with them. We require that any third-party organisations that use your personal data on our behalf implement adequate safeguards to protect your personal data, in accordance with applicable UK and EU data protection legislation. For example, we may put contracts in place (which are approved by the UK Information Commissioner and, where applicable, the European Commission and are known as “Standard Contractual Clauses“) with those service providers, or alternatively will ensure they have signed up to, and comply with, any other approved mechanisms that may become available to us in the future. We will also carry out an appropriate risk assessment of the laws and practices of the destination country to ensure that your personal data is fully protected when in that country.

We may also share some of your personal data with other CFGI companies within the CFGI group for internal administrative purposes or to provide a service to you. This will include transfers to our affiliate, CFGI, LLC in the United States. In doing so, we will adopt necessary safeguards, such as the Standard Contractual Clauses and conducting the appropriate risk assessment referred to above.

Marketing

We wish to send you marketing communications for products and services that may be relevant to you. We may also need to send you communications that are not direct marketing communications (service communications by post, telephone or email/MMS/SMS) from time to time. Service communications relate to information that is necessary for us to convey when you are receiving products and services.

We will only contact you, or businesses associated with you, with marketing messages by email/MMS/SMS where we are permitted to do so in accordance with Data Protection Laws (i.e. where we have collected the appropriate permissions).

Where we rely on your consent, we may seek, or re-seek, your marketing consent any time that there is a change in our marketing strategy or your relationship with us, including where there is a change in law or where there is a structural change in our organisation.

From time to time, we may send you marketing messages by email/MMS/SMS relating to our own products and services without your consent where you have not opted out of receiving marketing message. Under the Data Protection Laws, we are permitted to do this in relation to existing customers or those prospective customers that have expressed an interest in our products or services, or where we are contacting you at a work email address. We will give you the chance to opt out of receiving direct marketing messages by email/MMS/SMS when we first collect your personal data and, thereafter, in every marketing message that we send (via the “unsubscribe” link at the foot of the marketing message). Where you exercise this option, we will cease to send you marketing message by email/MMS/SMS. Additionally, you have a right to object to all marketing messages whether electronic marketing or by post or telephone. Please see Your rights below. You are free to change your preferences by contacting us – please see Contact information above.

Cookies

A cookie is a file with a small amount of data which is sent to a user’s browser from a web server and stored on a user’s computer, used to store and track information about the user. When you visit our site, we may use cookies containing information (such as unique user ID) to track your usage of our site. We use the following cookies:

Strictly necessary cookies – We use this for the operation of our website.

Analytical or performance cookies – We use this to allow us to recognise and count the number of visitors and see how many visitors move around our website when they are using it.

Targeting cookies – We use this to record your visit to our website, the pages you have visited and the links you have followed.

Your rights

You have rights regarding your personal data. If you wish to exercise any of your rights outlined below, please contact us using one of the contact details mentioned in Contact information.

Right to access your personal data – You have the right to know if your personal data is being held, what categories of data are held, and to receive a copy of all data about you.

Right to change or remove your details – You have the right to correct any inaccurate data or remove data if it is not necessary for us to hold it where there is no compelling reason for its continued processing by us.

Right to restrict or object to processing – You can object to processing if it could affect your rights, freedoms or interests. For example, you have the right to object to direct marketing and automated decision-making (although we do not engage in the latter).

Right to data portability – We will provide your data in a portable format.

Right to lodge a complaint – You also have the right to lodge a complaint with a supervisory authority, although we encourage you to contact us first. Please contact our Data Protection Manager at dataprotection@CFGI.com if you believe that your personal data is not being processed in line with this Privacy Statement. If you are not satisfied with the response, you might wish to lodge a complaint with the Information Commissioner’s Office. Find out on their website how to report a concern at ico.org.uk/concerns/.

Note that if you exercise your right to remove your details, to restrict processing or to object, this may adversely affect your ability to obtain our products and services from us, or to use our website.