Policy Statement                                                                                                                                      Last updated: 22 March 2023

This Privacy Policy sets out how CMC Partnership Global Ltd and its wholly owned subsidiaries ("CMC Global", "we", "us") collects, uses, stores, shares and protects personal data that users ("you") provide, or that we collect from you in the course of our business activities. We are committed to being fair and transparent with you about how we handle your personal data ensuring that your privacy is protected and appropriately managed in line with applicable data protection legislation. This Privacy Policy also describes your rights and choices regarding CMC Global's use of your personal information.

Please read this Privacy Policy carefully as it contains important information about who we are, how and why we collect, store, use and share your personal data, your rights in relation to your personal data and how to contact us.

This Privacy Policy may be updated from time to time. Please check this page to ensure you are happy with any changes we make.

Contact Details - if you have any questions or queries regarding your personal data and/or our processes, please contact our Data Protection Officer either by:

• Email: dpo@cmcpartnership.com
• Phone: +44(0)1600 740215; or
• Post: address to Data Protection Officer, CMC Partnership Global Ltd, Grace Dieu Court, Dingestow, Monmouthshire, NP25 4EB United Kingdom

1. Who we are

CMC Partnership Global Ltd is a company registered in England and Wales. Our registered office is Grace Dieu Court, Dingestow, Monmouthshire, NP25 4EB United Kingdom. Our wholly owned subsidiaries are: CMC Partnership (Asia) Pte Ltd, CMC Partnership (Schweiz) GmbH, CMC Partnership Global SA (Pty) Limited and CMC Italy S.R.L.

We collect, process, store, disclose and protect personal information (information by which an individual can be identified) to perform our business activities and to primarily provide change management consultancy, training and coaching services, together with the recruitment and selection of staff, suppliers and products required to deliver those services to you (the "Services"). Automated decision making or profiling is not carried out by CMC Global.

By providing your personal information to us you agree that this Privacy Policy will apply to how we handle your personal information, and you consent to us collecting, processing, storing and disclosing your personal information as detailed in this Privacy Policy (please see section 2 of this Privacy Policy for our lawful grounds to do so which includes consent to us using and disclosing your personal information for the purpose for which it was collected, unless you withdraw your consent).

If you do not agree with any part of this Privacy Policy you must not provide your personal information, or the personal information of third parties to us. Please note if you do not provide us with your personal information, or if you withdraw the original consent you provided under this Privacy Policy, then this may affect our ability to provide Services to you, or negatively impact the Services we provide to you.

2. Personal data and the law

Personal information has the meaning given under your local data protection law. There may be instances where your local data protection laws impose more restrictive information handling practices than the practices set out in this Privacy Policy. Where this occurs we will adjust our information handling practices in your jurisdiction to comply with these local data protection laws.

This Privacy Policy outlines our information handling practices and managing your privacy in reference to the Data Protection Act 2018 and the UK General Data Protection Regulations (UK GDPR) including any amendment, update, modification or re-enactment of such laws. We also adhere to the following data protection laws for our subsidiaries:

• CMC Italy S.R.L - General Data Protection Regulation (Regulation (EU) 2016/679)
• CMC Partnership (Asia) Pte Ltd - the Personal Data Protection Act
• CMC Partnership Global SA (Pty) Limited - the Protection of Personal Information Act 4 of 2013
• CMC Partnership (Schweiz) GmbH - the Federal Act of Data Protection

If you are based outside the UK, when we transfer your personal data to our sub-processors, we make use of the approved Standard Contractual Clauses ("SCCs") where applicable. In line with current legislative updates, we are in the process of updating from SCCs to International Data Transfer Agreements within the 2-year transition period permitted by the UK Government.

UK data protection law requires us to rely on one or more lawful grounds to process your personal information. We will only process your personal information on one of more of the following lawful grounds:

• Specific consent - you have given your consent to such processing by voluntarily providing us with your personal information. You can withdraw your consent at any time but that may preclude you from using our Services thereafter
• Performance of a contract - the processing is necessary to provide our Services to you
• Legal obligation - the processing is necessary for compliance with our legal obligations
• Legitimate interest - where it is reasonably necessary to achieve our or third parties' legitimate interests

3. CMC Global's ICO registration

CMC Global Ltd is registered as a data controller with the ICO (Registration number ZB372171).

4. Personal data we collect from you

We typically collect, process and store the following types of personal information you provide to us:

• Full name
• Email
• Postal address (if applicable)
• Phone number
• Job title

In addition to the above, we also collect, process and store the following types of personal information depending on your relationship with us:

• For in-person training - dietary requirements, special requests, health/mobility issues (if any) and/or customer service interaction notes
• For virtual training - any special requests, health issues (if any) and/or customer service interaction notes
• For job applications - CV's and applications
• For successful job applications - third party pre-employment due diligence checks, employment verification information including criminal record checks, third party references, professional or educational certifications/licenses etc. 
• For employees - date of birth, gender, any personal details, or health information that you choose to share with us, learning and development records (including certifications), identification documents, right to work verification documents, any additional information to support your employment with us, provision of benefits and third-party emergency contact details. 

When you provide personal information on behalf of a third party e.g., providing emergency or referee contact details you agree that you have obtained the consent of the other person (the third party) for us to collect, use and disclose their personal information in accordance with this Privacy Policy, and that you have made the third party aware of your actions and of this Privacy Policy.

5. How we collect your personal data

You may choose to share your personal data with us by various means which may include but not be limited to making an online enquiry or by purchasing our Services through our website(s), or by attending one of our courses or workshops, visiting our website(s) through cookies, by sending us an email, by completing a survey, through a third party website for job applications, from third parties as your nominated referee, or by providing your details by letter or telephone, or by completing an internal form to support your employment or contractual status with us This may include subscribing to any of our Services; requesting newsletters, obtaining downloads, registering for events and online webinars, contacting us through social media channels, accounting and administration (business to business) or applying for an opportunity in which you may be asked to provide your full name, postal address, email and telephone numbers.

6. How we use your personal data

We use the personal data provided by you to provide our Services, fulfil your requests, improve our Services, engage in research and analysis relating to the Services we provide, personalise your experience, track usage of the Services, provide feedback to third parties that are listed on the Services, display relevant advertising, market our Services, provide customer support, contact you, for recruitment, back up our systems, allow for disaster recovery and to enhance the security of the Services.

We will store your contact data so we can provide you with information in regard to other CMC Global products and Services that you may be legitimately interested in. We may also contact you to ask you to complete surveys that we use for research purposes, although you do not have to respond to them. You have the option to unsubscribe from these communications at any time.

7. Who we share your personal data with

Where we have a legal basis to do so we may disclose some or all of your personal information to:

• Prosci, Inc. - (only applies to delivery of Prosci® training courses and workshops delivered by CMC Global) for processing and activation of your online Prosci portal providing personal access to Prosci® licensed tools and templates for as long as your license and account is active (personal data is limited to full name, email address, organisation and feedback forms). Please read their Privacy Policy.
• Teachable, Inc. - (only applies to delivery of some CMC Global training courses and workshops delivered by CMC Global) for processing and activation of your online Teachable portal providing personal access to CMC Global tools and templates for as long as your license and account is active (personal data is limited to full name, email address and organisation). Please read their Privacy Policy.
• HubSpot Inc. - our customer relationship management platform. Please read their Privacy Policy.
• Any member of our organisation, this includes employees of our global subsidiaries outlined in the above Policy Statement
• Other third-party contractors and suppliers including but not restricted to benefit providers, travel providers, IT service providers and data hosting providers, parties supporting remote working on customer sites, our banks and external business advisors, such as lawyers, accountants and auditors.

Please be assured that these sub-processors have contractual agreements in place which include data protection Standard Contractual Clauses. CMC Global's list of sub-processors is available to view here.

In the event of sale, merger, de-merger or other reorganisation of the businesses, your personal data will be shared and processed in accordance with the legitimate interests of CMC Global and the relevant third parties. In all cases data sharing will only take place when appropriate contracts, including confidentiality and/or data transfer obligations (where required) are completed with the planned recipient(s) of your data.

We will disclose your personal information if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions of use, or to protect the rights, property, or safety of our companies, our customers, or others. This includes exchanging information with other companies and organisations for the purpose of fraud protection and credit risk reduction, or to comply with UK Government regulations.

8. Where your personal data is stored

The personal data that we collect from you is stored in professional datacentres within the UK, EEA and/or the United States of America (USA).

Your personal data may be transferred and stored in the USA, and managed by the following sub-processors who support us in carrying out our Services to you:

• Prosci, Inc (see section 7.  Who we share your personal data with)
• Teachable, Inc. (see section 7.  Who we share your personal data with)
• HubSpot Inc (see section 7.  Who we share your personal data with)

Employee and contractor personal data may be shared with third parties and transferred to their storage and sub-processing destinations to support customer delivery arrangements including business travel, etc. CMC Global's list of sub-processors is available to view here.

9. How long we keep your personal data

If you contact us, we may keep a record of that correspondence and we may retain details of your visits to our website(s) including, but not limited to, traffic data, location data, weblogs and other communication data and a record of the resources you access.

We may keep a record of your website preferences and interests, other information relevant to customer surveys, offers made by us and details of the transactions you complete through the website and the fulfilment of your orders.

Data is retained for a maximum of 7 years with the following exceptions

• Job applications and CV's not pursued are deleted once a position has been filled
• Staff records, identification document and right to work verification documents are maintained for the duration of your employment plus a further 7 years once your employment has ceased
• Training certification records are retained in perpetuity as verification of having completed your training.

10. Accuracy of your personal data

We make every effort to maintain the accuracy and completeness of your personal information. However, you can assist us by contacting us if there are any changes to your personal information, or if you become aware that we have inaccurate personal information relating to you. We will not be responsible for any losses arising from inaccurate, inauthentic, deficient, or incomplete personal information that you, or a person acting on your behalf, provides to us.

If you believe that any information we are holding about you is incorrect or incomplete and require it to be amended, please contact us using the contact details in our Policy Statement above.

11. Your rights

Under UK data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your personal information:

• Your right of access - you always have the right to ask us for copies of your personal information
• Your right to rectification -you have the right to ask us to rectify personal information you think is inaccurate or incomplete
• Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances
• Your right to object to processing - you have a right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interest
• Your right to data portability - this only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. This right only applies if we are processing information based on your consent or under, or in talks about entering into a contract, and the processing is automated.

You can contact us at any time by using the contact details provided in the above Privacy Statement regarding an of your rights detailed above. You can also tell us at any time to not send you marketing communications by email, by using the contact information in the Privacy Statement, or by clicking on the unsubscribe link within the marketing emails you may receive from us.

12. Protecting your personal data

We are committed to ensuring that your information is secure. We have reasonable technologic and organisational security measures in place to protect your personal information from unauthorised access, use, alteration and disclosure.  We are pleased to be Cyber Essentials certified (a UK Government backed scheme that helps to protect an organisation against a whole range of the most common cyber-attacks). Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Any transmission is at your own risk.

Once your personal information is received it is managed in line with recognised industry security good practice to safeguard it as best we can, but we cannot guarantee that the security measures we have in place will never be defeated or fail, or that such measures will always be sufficient or effective.

Please note:

• Your personal information will only be seen by those who have a legitimate reason for seeing it
• Your personal data may be processed by staff operating outside the UK or the EEA who work for us, or for one of our sub-processors
• Our staff may be engaged in, amongst other things, the downloading of your CV, fulfilment of your order and the provision of our Services
• By submitting your personal data, you agree to this transfer, storing and processing
• Third parties who are authorised to access, store and manage our data sets (which include your personal information records) are bound by confidentiality agreements
• Our .com website is assessed as PCI compliant
• We do not collect, access, store or process any payment information on our websites. The processing of payment transactions is carried out in a third-party secure Payment Gateway provided by Stripe.

Our websites and other communications you receive from CMC Global may contain links to other websites of interest. If you use these links, please be aware that we do not have any control over that other website and therefore we cannot be held responsible for the protection and privacy of any information which you provide whilst visiting such sites. Such sites are not governed by this Privacy Policy. Please exercise caution and look at the privacy statement applicable to the website in question.

Your interactions with any of CMC Global's social media platforms and us are governed by the privacy policy of the third-party company providing them. CMC Global uses LinkedIn, YouTube, Vimeo, Twitter and Vidyard. Please refer to their privacy policies before you utilise their services.

14. IP addresses

When you access our website, use any of our mobile applications, or open electronic correspondence or communications from us, our servers may record data regarding your device and the network you are using to connect with us, including your IP address. An IP address is a series of numbers which identify your computer, and which are generally assigned when you access the internet. We may use IP addresses for system administration, investigation of security issues, and compiling data regarding use of our website, including the completion of web-forms and downloads, and/or mobile applications.

15. Cookies - what they are and how we use them

A cookie is a small file which asks permission to be placed on your computer records. Most browsers are initially set up to accept HTTP cookies. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

Cookies on CMC Global’s websites (www.cmcpartnership.com, www.cmcpartnership.sg, www.cmcpartnership.it and www.cmcpartnership.com/en-za) are used for a variety of different purposes, but generally speaking their use breaks down into the following categories:

• Strictly necessary cookies: these are required for the operation of the website. They include, for example, cookies that enable approved users to log into secure areas of the website.
• Analytical/performance cookies: we use Google Analytics to gain insight into how our website is used, analysing information on the most visited pages on our website, the geographical locations of our visitors, time spent on the website and the number of times a link has been clicked, amongst many other useful anonymous statistics. _gat,_gid, and_ga are enabled.
• Functionality cookies: these improve the functional performance of our website and make it easier for you to use. For example, such cookies are used to remember that you have previously visited the website and asked to remain logged in to it if you have a user account. Cookies are also used by www.cmcpartnership.com to protect the security of the site, for example by blocking multiple form submissions. In order to give the best possible browsing experience, we use session cookies to temporarily store data. Session cookies are used to keep track of your activity as you move from page to page through the website. Our session cookies do not collect any personal/traceable data about you and are automatically deleted when you close your browser
• Targeting Cookies: these record your visits to our websites, identifying the webpages you have visited and the links you have followed.

Removing and managing cookies

To ensure that you are in control of your privacy at all times, all web browsers give you the option to disable cookies. Most browsers are initially set up to accept HTTP cookies.  For more information about HTTP cookies and how to disable them the following links may be helpful, or you can use the “Help” option in your browser which should tell you how to stop accepting new cookies.

• Cookie settings in Internet Explorer
• Cookie settings in Firefox
• Cookie settings in Chrome
• Cookie settings in Safari web and iOS

16. Useful links

If you would like to find out more about privacy, cookies and their use on the internet, you may find the following links useful:

• Microsoft cookies guide
• All About Cookies
• The Information Commissioner’s Office