The 100th Monkey Ltd are committed to protecting and respecting your privacy and complying with the data protection laws that apply to our business activities.
This policy relates to how we process the personal data we obtain about our website visitors, our clients’ employees and representatives, our individual customers, and anyone who contacts us as prospective clients.
It also relates to our use of any personal information you provide to us by telephone (including SMS), in written correspondence (including letter and email) and in person.
For the purposes of the data protection laws applicable in the UK, the data controller is The 100th Monkey Ltd, a private limited company registered England & Wales with company number 8033287. Our registered address is 10 Downs Park East, Bristol BS6 7QD.
Types of personal data we obtain
During our business activities, we collect and process personal data pertaining to usage, operations and business development, participant data from our sessions, and marketing and communications data.
Usage Data includes information about how you use our website, products and services. Technical Data about visitors’ devices and browsers such as the internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Operations and business development data includes data relating to our client and client’s personnel and associated representatives that we obtain in connection with entering into and performing contracts for the provision of our sessions and other products and services. This includes names, business email addresses, business location addresses, telephone numbers and job titles of our clients, and other business contacts with whom we communicate to get contracts signed, process invoices and payments and make practical arrangements for the provision of our sessions and other products and services.
When people contact us by email, phone, via social media platforms or any other method of communication we process the data in those communications, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication.
Business development data includes standard business contact data such as name, business email address, job title, company, company location and phone number for individuals who work for organisations that we consider might have an interest in our products and services.
We obtain website visitors’ names, company and email addresses if they choose to sign up for our marketing (newsletter and updates) via our website.
We also process data provided to us by website visitors via any of our website forms such as our ‘contact us’ forms. This includes the visitor’s name, email address, company and any free-text content completed by the visitor. The forms on our website also generate metadata associated with the submission of the form, such as the time and date of submission.
Participant data includes information relating to our delivery of face-to -face or virtual sessions. This includes: participant’s name, business email address, job title and employer name, to the extent provided to us; information arising out of surveys and interviews conducted pre-session, which may include names and job titles, demographic information, user opinions, diversity data and individual views and observations on employer/colleagues; information contained in third-party reports from previous training, which is usually aggregated or anonymised; information arising out of interactions during the session, which may include demographic information, user opinions, diversity data, individual views on employer/colleagues; data about participants’ completion of tasks/sessions; any personal data captured in an audio, photographic or video recording of the session or sections of the session put on camera for training purposes; participants’ ratings and feedback on the session, provided by participants using hard copy or online feedback forms (the participant’s IP address if completed online); participants’ names, email addresses and other information relating to their job, if and to the extent that participants choose to provide this information to us in feedback forms or by other means for the purpose of receiving follow-up and/or other emails from us.
In virtual sessions, the same data as above is collected, where provided, along with participant IP addresses and session history, which are collected automatically by digital products we use, along with session history (time spent, completion data).
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services). In this case, we may have to cancel all or part of a service you have with us but we will notify you if this is the case at the time.
Why and how your data will be used
The table below describes the purposes for which we use personal data in the normal course of our business, all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
||Type of data
|To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
||Website usage and technical data
||You consent when accessing our website to our legitimate interests in operating a website that promotes our business, expertise, products and services in the most engaging and convenient ways possible.
|To make suggestions and recommendations to you about goods or services that may be of interest to you, or to communicate more broadly about our services
||Business development data
||Our legitimate interests (to develop our products/services and grow our business).
|To provide our products and services, such as face to face sessions and virtual ones
||Operations and Participant data
||Our legitimate interests (to provide our products and services to business clients as our core business activity), to respond to enquiries, in order or provide a good quality service, to deal effectively with any complaints and maintain relationships with clients.
|To meet a specific training need
||Specific digital products e.g. Insights Discovery, DiSC, etc
||Performance of a contract with you. Consent is given by the individual users of these products.
|Keeping business records relating to our transactions, contracts, provision of services
||Our legitimate interests (in the effective administration of our business, and where required to comply with legal obligations we are subject to (e.g. tax records)
|Analyzing and understanding our services and feedback
||Aggregated operations and participant data
||Our legitimate interests in improving our services for the benefits of our clients. Note: this is aggregated and non-reversible to that data sets contain no personal data.
|In addition to these core purposes we may also process personal data for the following purposes:
Establishing, exercising or defending legal claims
||Our legitimate interests (in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others)
|Obtaining or maintaining insurance cover, managing risks or obtaining professional advice
||Our legitimate interests in protecting our business against risks
|Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator
||Compliance with a legal obligation
Explanation of legal bases
We only process your data (which may include providing it to a third party) where we have identified a valid lawful basis to do so. These are as follows:
Contractual obligation – necessary to comply with our obligations to perform a contract, for example, where you have bought services from us we will use the personal data you provide to fulfil our contractual obligations.
Legitimate Interest – processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals to whom the personal data relate
Consent – an individual has given consent to the processing of his or her personal data for one or more specific purposes.
Compliance with legal obligation – We may process your data where we deem it is necessary for us to do so to comply with the law.
Protection of vital interests – processing of personal data is necessary in order to protect the vital interests of any individual
Who we disclose personal data to
We will keep your information within the organisation except where disclosure is required or permitted by law or when we use third party service providers (data processors) to supply and support our services to you. We have contracts in place with our data processors. This means that they cannot do anything with your personal data unless we have instructed them to do so, or the processing is permitted by law. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Please see below the list which sets out the categories of recipients of personal data.
|Insurers & professional advisers – e.g. lawyers, accountants, business consultants
|Individual trainers, facilitators, coaches e.g. the people delivering training and workshops
|Email, website and software providers
|Banks/Online payment providers
|Secure document disposal service
|Feedback aggregators and collectors
| Marketing agencies
We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (“marketing”).
You will receive marketing communications from us if you have requested information from us, or signed up to our newsletter via the website.
We strive to provide you with choices regarding certain personal data uses, namely around marketing and advertising. In particular: opt-in consent is offered and that you can ask us or third parties to stop sending you marketing messages at any time by following the opt-out (unsubscribe) links on any marketing message sent to your or by contacting us at any time.
Your data is stored by us and our processors in the UK or the European Economic Area (EEA). However, several of our external third parties are based outside EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented. We will either:
Adequacy decision: your personal data is only transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or
Standard Contractual Clauses (SCCs): ensure these are in place and we have received assurances that an adequate level of protection of the personal data is achieved (based on a case by case assessment of the circumstances of the transfer), including adequate technical and operational measures in place to protect the personal data.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our sites, you are responsible for keeping this password confidential, and for all use made of your account with such password. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We are Cyber Essentials Plus accredited which is the UK Government standard for managing information security.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
By law we have to keep basic information about our clients for six years after they cease being clients.
In some circumstances you can ask us to delete your data. If you would like to know what personal data about you is held, please contact us by emailing firstname.lastname@example.org.
We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Under data protection laws your rights include:
- To object to us processing your personal data for direct marketing purposes
- To withdraw any consent you may have given for our processing of your personal data (if our processing is based on your consent);
- To know what personal data we hold about you and why
- To ask us to rectify any personal data we hold about you that is inaccurate or incomplete; delete any personal data we hold about you (in certain circumstances); restrict our processing of your personal data (in certain circumstances); object to our processing of your personal data (in certain circumstances);
- require us to give you the personal data we hold about you in a format we deem suitable or as reasonably required by you
- Rights in relation to automated decision making and profiling – we do not use automatic decision making or profiling.
Exercising these rights
The availability of these rights varies depending on the legal basis we rely on for processing the relevant personal data, and some rights are qualified (rather than absolute) under applicable data protection law, which we can discuss with you following your request.
You can exercise any of the rights set out above, free of charge, by using any applicable methods set out in our communications with you, or by contacting us at email@example.com
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
Please note that you may need to provide identification in order to prove who you are if you wish to invoke any of your rights as provided by the data protection laws and as summarised above. Please also note that if you submit unfounded or excessive (for example repetitive) requests to exercise any of these rights, we are permitted under the applicable data protection law to charge a reasonable fee for providing the requested information or taking the requested action, or to decline your request.
We would appreciate the opportunity to deal with your concerns in the first instance, however you also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).
Clicking on links to other websites
Our website may include links to third-party websites, plug-ins and applications and we may use third party apps or services to help deliver our products and services. Clicking on those links, enabling those connections, or using those third-party services may allow third parties to collect or share data about you. We do not control these third-party websites or services and are not responsible for their privacy statements or practices. When you move from our website to a third-party website using such links, or you use any of the third-party services, we encourage you to read the privacy notice of that website or service.
Changes and contact
This policy may be amended or updated from time to time and any revisions will be posted to this page, so please check back regularly.
Any questions please contact us at firstname.lastname@example.org