Version 1.0. Effective Date: November 29th 2023
1. Who We Are and What this Policy is
Hereafter commonly referred to as “Ataya & Partners,” “A&P,” “we,” “us” and “our” etc.
We are a management consulting company in the domains of IT and digital management and governance, cybersecurity and data protection.
We provide a variety of management consulting, education, certification, forensic and other value added services in these domains, to our clients and other parties (collectively, our “Services”). For additional information on our Services please visit https://www.atayapartners.com.
2. Personal data we collect and/or process
Registrations, subscriptions and forms
If you register with us via the Site, sign up to receive news and information from us, or communicate with us through or related to the Site (e.g. when you fill out a ‘Contact Us’ form, sign up for our mailing lists), register for events we host or sponsor, submit information as part of certain online services, post comments on our blogs, or otherwise provide us information through the Sites, we may collect the following personal information:
- Your name, job title and company.
- Contact information for you, including the company you work for, email address and phone number.
- Demographic information, such as your address, preferences and interests.
- Other information relevant to the provision of Services or to your request or inquiry (such as contact preferences and interests, business affiliations).
- For events, it may include dietary restrictions, requested accommodations and other event-related preferences.
From individuals who are clients and prospective clients, or are representatives of clients and prospective clients, we may collect the following personal information:
- Your name, the named A&P client, the name of the company you work for (if different) and your job title.
- Contact information for you, the named A&P client, and the company you work for (if different), including address, phone number and email address.
- Payment information (including bank account and wire details), billing instructions and preferences (including to whom to direct invoices).
- Relevant information so that we can perform conflicts of interest checks.
- Relevant information as required by regulatory Know Your Client and/or Anti Money Laundering regulations and as part of our client intake procedures. This may possibly include evidence of source of funds, at the outset of and possibly from time to time throughout our relationship with clients, which we may request and/or obtain from third party sources. The sources for such verification may include documentation, which we request from the client or prospective client or through the use of online or public sources or both.
- Information you provide to us for the purposes of attending meetings and events, including dietary requirements, which may reveal information about your health or religious beliefs.
- Information that you provide to us as part of the provision of Services to you, which depends on the nature of your engagement with A&P.
- Other information relevant to the provision of Services.
Related parties and client representatives
A&P is primarily engaged by corporate entities and clients (i.e., legal entities), and those legal entities are not data subjects (i.e., natural persons to whom personal information relates).
However, as part of our engagement with these clients, we may receive personal information about individuals. For example, we may receive names, contact details and other information relating to:
- Officers, representatives and/or personnel of our corporate clients or prospective clients, as well as their affiliated and related entities.
- Adverse parties in a matter or potential matter, such as claimants, plaintiffs, defendants, public representatives, public servants, experts and other entities.
- Vendors and suppliers of our clients or prospective clients.
- Current and former consultants and other professional advisors or suppliers of our clients or prospective clients.
- Government and/or law enforcement entities and their representatives.
- If you are an individual whose personal information is processed by us as a result of providing the Services to others (including individual clients and corporate clients or supplier, contractor or representative of this supplier or contractor), we will process a variety of different personal information depending on the Services provided.
These examples are non-exhaustive, which is reflective of the varied nature of the personal information we process as part of a professional management consulting company providing Services in our domains.
For clients and prospects, we also collect information to enable us to market our Services and to organize events, which may be of interest to you. For this purpose, we collect:
- Name and contact details.
- Other business information, such as job title and the company you work for.
- Areas or topics that interest you.
- Additional information may be collected, such as events you attend and, if you provide it to us, dietary preferences, which may indicate data about your health or religious beliefs.
3. Purpose and legal bases for our use of your personal data
Fulfilment of Services
We use personal information to enable us:
- to perform the Services, respond to your requests and deliver our Services,
- to provide legal advice and related Services for which you have engaged us,
- to verify your identity, and carry out requests made by you on the Site or in relation to our Services.
Legal basis: This processing is necessary for our compliance with our contractual obligations with you as a Party.
We use personal information to provide and operate our Site and the Services,
- to communicate with you about your use of the Site and Services,
- to respond to your inquiries, to provide troubleshooting,
- to provide technical support,
- to fulfill your orders and requests,
- to communicate with you,
- to bill you for our Services,
- to process and collect payments,
- to respond to complaints and inquiries, and
- to provide other client service and support.
Legal basis: This processing is necessary for our compliance with our contractual obligations with you as a Party.
Business administration and legal compliance
We use personal information for the following business administration and legal compliance purposes:
- To perform and maintain information for the purposes of performing conflicts of interest searches.
- To enforce our legal rights.
- To investigate and/or settle inquiries or disputes.
- To comply with any applicable law, court order, other judicial process, law enforcement requests or the requirements of a regulator.
- To enforce our agreements with you.
- To protect the rights, property or safety of us or third parties, including our other clients and users of the Site or our Services.
- To process business transaction data, such as in connection with a merger, or a restructuring, or sale.
- To use as otherwise required or permitted by law, consistent with these purposes.
- When necessary to enforce, establish or defend our legal rights, or to protect the rights of third parties.
Legal basis: It is in our legitimate interest to use your personal information for this processing in order to defend our legal interests.
Marketing and promotions
We may use personal data for marketing and promotional purposes, such as to send you news and newsletters, or to otherwise contact you about products or information we think may interest you, by email and direct (postal) mail. We may also use it to develop new Services and determine how to market our Services. Largely, this involves our collection and use of non-personal business information about current, former and prospective corporate clients.
We may also process your personal data to tailor content we may send or display on the Sites, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences.
Legal basis: It is in our legitimate interest to use your personal information for marketing purposes in order to develop and grow our business and Services and promote the reputation of our firm. We will, where required by applicable law, obtain your consent to send such communications.
We may use personal information in order to respond to Requests for Proposals (“RFPs”), prepare for and present pitches and other proposals, and identify potential business opportunities. We may also process limited personal information about individuals (name, current and former company, current and former title, contact information and similar information).
Legal basis: This processing is done based on our pre-contractual obligation to use your personal information in order to offer you adapted services based on your needs.
Becoming an A&P Consultant
In the event that you, or one of the representatives of your company (hereafter “the Consultant”), are interested in working with A&P as an employee, or in joining A&P as a freelancer or in another form of collaboration, you can provide us with information on your personal and professional background (“Consultant Information”) that we will, at our sole discretion, take into consideration or not as part of the Services.
Legal basis: A separate consent for this data collection will be required.
Client insight and analytics
We use personal information to better understand how you and others use our Services, so that we can improve our Site and Services, develop new features, tools, offerings, services and the like, and for other research and analytical purposes. We also use the information we collect to measure the effectiveness of our online content and how visitors use our Site and our Services. This allows us to learn what pages of our Site are most attractive to our visitors, which parts of our Site are the most interesting, and what kind of offers our registered users like to see. We may use this information and the insights we have derived for marketing purposes (see the marketing section above for further details), or to make decisions about events, news and information that may be of interest to clients, prospective clients, Site users and others.
Legal basis: It is in our legitimate interest to use your personal information in such a way to ensure that we provide the very best Services to our clients and others in order to develop and grow our business and Services and promote the reputation of our company.
Industry benchmarking and rankings
We may create industry surveys and reports to assess specific industries. This involves collection and use of non-personal business information about clients and matters. However, we may also review and share limited personal information about individuals (such as referee name, title and contact) to send our reports.
Legal basis: A separate consent for this data collection will be required.
Prevent misconduct, abuse and misuse
Subject to our professional and ethical duties, we use personal information where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our terms of engagement. We also use personal information to protect and secure the Site and our information systems and networks.
Legal basis: It is in our legitimate interest to use your personal information for this processing in order to prevent fraud and illegal activities.
4. Sharing your personal data
A&P is a management consulting company that is part of a larger network of partners, contractors and affiliated companies (“A&P Partner Entity”). Any information that we collect or that you provide to us may be shared and processed by any A&P Partner Entity based in the European Union. You can find out more about the A&P partner entities and locations here (affiliation network).
We may also share personal information with a variety of the following categories of third parties as necessary, in their capacity as sub-contractor data processors:
- Our professional advisers, such as lawyers, security consultants, auditors and accountants.
- Government and/or regulatory authorities.
- Professional indemnity insurers.
- Regulators, tax authorities and/or corporate registries.
- Third parties to whom we outsource certain services, such as, without limitation, document processing and translation services, confidential / personal data encryption, anonymization, pseudonymization and disposal, IT systems or software providers, IT Support service providers, and document and information storage providers.
- Third parties engaged in connection with our Services, such as counsels, arbitrators, mediators, clerks, witnesses, court reporters, court, opposing party and their lawyers, document review platforms and experts, such as tax advisors.
- Third party service providers to assist us with client insight analytics.
- Third party postal or courier providers who assist us in delivering our postal marketing campaigns to you, or delivering documents related to a matter.
These data processors will process personal information on our behalf and at our direction. We conduct an appropriate level of due diligence and put in place contractual documentation in relation to any sub-contractor to ensure that they process personal information appropriately and according to our legal and regulatory obligations.
Further, we may appoint external data controllers where necessary to deliver the Services (for example, but without limitation, accountants, attorneys, consultants and other third party experts including, but without limitation, other A&P Partner Entities, as well as other management consulting companies). When doing so, we will comply with our legal and regulatory obligations in relation to the personal information including, but without limitation, putting appropriate safeguards in place.
We will normally not transfer personal information to countries outside the EEA (including to other A&P Partner Entities) unless they provide an adequate level of protection for your personal data (as recognized by the competent official bodies).
If, in exceptional cases, transfer to other countries is required, it will only be done after such entities have signed a data sharing agreement, based on the EU standard contractual clauses, to provide appropriate safeguards and an adequate level of protection for personal data. We will inform the people concerned if there is any transfer of personal data outside the EU.
Our Site uses certain cookies, pixel tags, log files, local storage objects and other tracking technologies to operate and improve our Site and our Services and to collect information about how our Site is accessed and used and about Site performance and security.
The data is typically collected when users access or use the Services or visit our Site, and includes items such as an IP address, general location information, domain name, page views, a date/time stamp, browser type, device type, device ID, Internet service provider (“ISP”), referring/exit URLs, operating system, language, clickstream data, and other information about the links clicked, features used, size of files uploaded, streamed or deleted, and similar device and usage information.
Legal basis: It is necessary for us to perform our obligations in accordance with any contract or engagement that we may have with you. It is in our legitimate interest or a third party’s legitimate interest to use personal information in such a way to ensure that we provide the Services in the best way that we can.
6. Retention of personal data
In general, we will retain relevant personal information of Site visitors for at least two years from the date of our last interaction with you and in compliance with our obligations under applicable laws, or for longer if we are required to do so according to our regulatory obligations or professional indemnity obligations, or where we believe necessary to establish, defend, or protect our legal rights and interests or those of others.
We generally retain files and information regarding client engagements and matters for which we have been retained for at least seven years from the date of our last interaction with the relevant client, in compliance with our obligations under applicable laws, or for longer where required by our regulatory obligations, professional indemnity obligations, or where we believe necessary to establish, defend, or protect our legal rights and interests or those of others. We may then destroy such files without further notice or liability.
As explained above, the Candidate Information will be processed and maintained in our records as long as your account is active and at the latest 24 months after the last contact, exchange of information or update of data.
Other specific retention times, as imposed by law or based on a detailed privacy assessment done by us, may apply for some of the processing of personal data. If you have any questions in this regard, please do not hesitate to contact us.
7. Confidentiality and security of your personal data
We are committed to keeping personal data secure and we have implemented appropriate information security policies, rules and technical measures to protect the personal information that we have under our control from unauthorized access, improper use or disclosure, unauthorized modification and unlawful destruction or accidental loss. Please note that no transmission over the internet is completely secure or error-free, and that the information security policies, rules and technical measures utilized and maintained by us may be subject to compromise.
All of our partners, employees, consultants, workers and data processors (i.e., those who process your personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal data, are obliged to respect the confidentiality of such personal data.
8. Your rights in relation to the personal data we hold
Your right of access
If you ask us, we will confirm whether we are processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
Your right to correction (rectification)
If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it corrected. If you are entitled to have information corrected and if we have shared your personal information with others, we will let them know about the rectification where possible. If you ask us, we will also tell you, where possible and lawful to do so, with whom we have shared your personal information so that you can contact them directly.
Your right to erasure
You can ask us to delete or remove your personal information in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal information with others, we will let them know about the erasure where possible. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information so that you can contact them directly.
Your right to restrict (block) processing
You can ask us to restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information so that you can contact them directly.
Your right to data portability
You have the right, in certain circumstances, to receive a copy of personal information we’ve obtained from you in a structured, commonly used and machine-readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
Your rights in relation to automated decision-making and profiling
You have the right not to be subject to a decision when it’s based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.
Your right to withdraw consent
If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.
Your right to lodge a complaint with the supervisory authority
If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the relevant supervisory authority.
9. Collection of information by third-party sites and sponsors
Our Site may contain links to other sites whose information practices may be different than ours. Visitors should consult the other sites’ privacy notices as A&P has no control over information that is submitted to or collected by these third parties.
The Site is not for use by children under the age of thirteen (13) years, and we do not knowingly collect, store, share or use the personal information of children under 13 years. If you are under the age of 13 years, please do not provide any personal information, even if prompted by the Site to do so. If you are under the age of 13 years and you believe you have provided personal information to us, please ask your parent(s) or guardian(s) to notify us and we will delete all such personal information.
11. Changes to this Policy
We may make changes to this Policy from time to time, to reflect changes in our practices. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Where we materially change this Policy, we will take steps to notify you (such as by posting a notice on the Site or via email) and, where required by applicable law, to obtain your consent.