Revision date: 12 December 2023
1. About this Privacy Notice
We are CloudRock Group Holdings Ltd, trading as CloudRock.
We are a global digital transformation consultancy with offices in London, Lisbon, Mumbai, Sydney & New York.
Our head office location is: 73 Cornhill, London, EC3V 3QQ.
Throughout this document, “we”, “us”, “our” and “ours” refers to CloudRock, which includes all of our legal entities:
CloudRock Group Holdings Ltd (UK)
CloudRock Partners Ltd (UK)
CloudRock Asia Pacific Pty Ltd (Australia)
CloudRock Partners Unipessoal Lda (Portugal)
CloudRock Partners India Pvt Limited (India)
CloudRock Partners LLC (USA)
In this notice, “Data Protection Legislation” means the EU General Data Protection Regulation 2016/679; together with all other applicable legislation relating to privacy or data protection (including the UK Data Protection Act 2018).
“Website” means the CloudRock website (www.wearecloudrock.com).
2. Our Approach to Data Protection
We value and respect your privacy. We take all reasonable steps to comply with our legal duties and ethical responsibilities to manage, protect and account for your personal information, and to inform and deliver upon your data protection rights.
This Privacy Notice explains how we will collect, handle, store and protect information about you when:
- providing services to you or our clients;
- you use our Website; or
- performing any other activities that form part of the operation of our business.
We are both a data controller & data processor, and this Privacy Notice applies to our processing of personal data, in both our roles under Data Protection Legislation.
3. What personal data do we collect?
We may collect, record and use your personal data in physical and electronic form, and will hold, use and otherwise process that data in line with Data Protection Legislation and as set out in this statement.
When we provide services to you or our clients and perform due diligence checks in connection with our services (or discuss possible services we might provide), we will process personal data about you. We may also collect personal data from you when you visit our website.
We may process your data because:
- you give it to us (for example, in a form on our Website);
- other people give it to us (for example, your employer); or
- it is publicly available.
When we process your data in the course of delivering services to your employer, we act as the Data Processor, and handle your personal data strictly under the explicit guidance of our client, who functions as the Controller. Our clients are responsible for complying with all relevant regulations and laws, including providing notice, disclosure, and obtaining consent before sharing personal data to use our services.
We may also collect personal information if you register for our Website using a third party social network account (e.g., LinkedIn, Facebook, and Twitter). For example, our Website may allow you to login using your social network account credentials. We may collect the user name associated with that social media account and any information or content you have permitted the social media network to share with us, such as your profile picture, email address, and birthday. The information we collect may depend on the privacy settings you have with the social network site, so please review the privacy statement or policy of the applicable social network site. When you access our Website through your social network account, you are authorising us to collect and use your information in accordance with this privacy statement.
We may process personal data from you because we observe or infer that data about you from the way you interact with us or others. We do this, for example, to improve your experience of our Website and to make sure that it is working effectively. For instance, we (or our service providers) may use cookies (small text files stored in a user’s browser) or Web beacons to collect personal data. More information on how we use these and other tracking technologies, and how you can control them, can be found in our cookie policy.
The personal data we process may include your:
- name, gender, age and date of birth;
- contact information, such as address, email, and mobile phone number;
- country of residence;
- lifestyle and social circumstances (for example, your hobbies);
- family circumstances (for example, your marital status and dependents);
- employment and education details (for example, the organisation you work for, your job title and your education details);
- financial and tax-related information (for example your income, investments and tax residency);
- IP address, browser type and language, your access times;
- information in any complaints you make;
- details of how you use our products and services;
- CCTV footage and other information we collect when you access our premises; and
- details of how you like to interact with us, and other similar information relevant to our relationship.
The personal data we collect may also include so-called ‘sensitive’ or ‘special categories’ of personal data, such as details about your:
- dietary requirements (for example, when CloudRock would like to provide you with lunch during a meeting);
- health (for example, medical certificates may be stored in your HR records that your employer gives us access to); and
- sexual orientation (for example, if we process details of your spouse or partner).
We may also process personal data relating to ethnic or racial origin (for example, any multicultural networks you belong to), or about your political opinions (inferred from information you give us about political associations you belong to or have donated to).
4. International Data Transfers
CloudRock is a global business which means that personal data may be transferred to, stored in, or processed at, a destination outside the United Kingdom (‘UK’) and/or the European Economic Area (‘EEA’). Whenever we transfer personal data to countries outside of the UK or EEA, we comply with all applicable legal requirements and ensure all necessary safeguards are in place to protect your personal data, including your rights and the ability to exercise those rights.
For personal data transfers from the UK or EEA to another country without an Adequacy Decision, we ensure that:
i. an appropriate data processing agreement (including the relevant Standard Contractual Clauses) is in place, and
ii. we have implemented appropriate technical and organizational measures.
5. Protecting your personal data
We use a range of measures to ensure we keep your personal data secure, accurate and up to date. These include:
- education and training to relevant staff to ensure they are aware of our privacy obligations when handling personal data;
- administrative and technical controls to restrict access to personal data to a ‘need to know’ basis;
- technological security measures, including firewalls, encryption and anti-virus software; and
- physical security measures, such as security passes to access our premises.
6. Retention
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any regulatory, accounting, or reporting requirements or until the end of the relevant retention period set by our clients.
To determine the appropriate retention period, we act under our clients’ instructions as a Data Processor. Where we are the Data Controller, we consider the potential risk of harm from unauthorised processing or disclosure of the personal data. We also consider the purposes for which it was collected and whether we can achieve the same goal through other means.
If you want to learn more about our specific retention periods for your personal data established in our retention policy, you may contact us at dpo@cloudrock.global.
Upon expiry of the applicable retention period, we will securely return your personal data to our clients if requested; however, we normally destroy it in accordance with applicable laws and regulations.
7. Your Rights
The General Data Protection Regulation and the UK Data Protection Act 2018 give individuals within the UK and EEA various rights with respect to our use of their personal data:
Access: You have the right to request a copy of the personal data that we hold about you. There are exceptions to this right, so that access may be denied if, for example, making the information available to you would reveal personal data about another person, or if we are legally prevented from disclosing such information. You are entitled to see the personal data held about you. If you wish to do this, please contact us using the contact details provided below.
Accuracy: We aim to keep your personal data accurate, current, and complete. We encourage you to contact us by emailing us at the contact details provided below to let us know if any of your personal data is not accurate or changes, so that we can keep your personal data up-to-date.
Objecting: In certain circumstances, you also have the right to object to our processing of your personal data and to ask us to block, erase and restrict your personal data. If you would like us to stop using your personal data, please contact us by emailing us at the contact details provided below.
Porting: You have the right to request that some of your personal data is provided to you, or to another data controller, in a commonly used, machine-readable format.
Erasure: You have the right to have your personal data erased when the personal data is no longer necessary for the purposes for which it was collected, or when, among other things, your personal data has been unlawfully processed.
More information is available from the UK regulator, the ICO (“For the public”).
These rights may vary for those outside of the UK and EEA; please contact us for more information.
7.1 Making a request or raising a concern to us
Please contact us at dpo@cloudrock.global if you have any questions with regard to the protection of your personal data, or if you wish to exercise your legal rights.
If you make a request, we will let you know we have received it and inform you if we need any additional information from you, such as to verify your identity.
We usually provide an outcome within one month; however, if we need any extra time we will let you know and provide you with an explanation.
7.2 Raise a concern to the regulator
If you are unhappy about how we have managed your information or dissatisfied about how we have responded to your information request or complaint, you have the option to raise concerns directly with the information regulator.
Each of our office locations may be subject to one or more data protection authorities; the relevant authority will depend on your location and where the processing takes place.
If you are making a complaint about our UK operations, please complain to the ICO.
7.3 Revision of our privacy notice
We keep our privacy notice under regular review and thus the privacy notice may be subject to changes. The latest version can always be found at www.wearecloudrock.com/privacy-policy, and the revision date is shown at the top of the page.