(created March 2018, last review May 2020)
This notice applies across all of our linked websites that we own and operate and all services we provide, including all online products, and any other apps or services we may offer (for example, events or training
The Governance Forum Ltd is known as the ‘Controller’ of the personal data you provide to us. Stewardship of your personal data is important to us and a responsibility that we take very seriously. Data is processed in accordance with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) governed by the Information Commissioners Office updated in May 2018.
To enable us to provide you with the service you have contracted us to provide, we collect basic personal data about you. We collect and associate with your account information like your name, email address, phone number, payment info, physical address and account activity.
We may need to collect additional data however we will seek your consent to collect this data only for the purpose of which it is intended. Here we describe how we collect, use and handle your information when you use our services.
Why we need your data
We may need to collect your basic personal data for the administration of the services you have requested. This may also include the data pertaining to other employees and officers of your organisation who may be involved in the process of the work we have been contracted to deliver. We will not collect any personal data from you that we do not need. Before you disclose to us the personal information of another person, you must obtain that person’s explicit consent to both the disclosure and the processing of that personal information in accordance with this policy.
What Data Do We Collect
Name and address of your organisation
Names and emails of key contact personnel
Telephone contact details
Data we collect in the process of our scope of work with you
Records of your contact and communications with us where key information is given or decisions made.
Access to your Data
All the personal data we process is processed by our staff in the UK and we have a member of staff who oversees the management of such data. Third parties who have access to your personal data do so with our express permission, your consent, and the law allows them to do so.
We have a Data Protection process in place to oversee the effective and secure processing of your personal data. More information on this framework can be found in our data protection/GDPR policy. Unfortunately, the transmission and storage of information on the internet is not completely secure. We will do our best to protect your personal data, however we cannot guarantee it’s security. Once we have received your information, we will use best-practice procedures and security features to try to prevent unauthorised access. If we do become aware of any breach of our security that may have compromised your personal data, we will use best efforts to notify you without delay.
Your data may be processed in countries other than the country you live in – such as to the United States, where our data hosting provider’s servers are located. These countries may have laws different to what you’re used to. Where we disclose personal data to a third party in another country, we ensure your personal data remains protected.
We’ll retain information for as long as we have an ongoing business need to retain it to provide you with the Service/s you contracted us to provide in accordance with our data retention policies and retention schedule. We often need to retain information to comply with our legal obligations, resolve disputes, or enforce our agreements.
There will be times when we need to share your personal data with third parties. We will only disclose your personal data to trusted third parties, for example
- third party service providers and partners who assist and enable us to deliver our products and services to you (i.e. CG First™). Their use of your information will be governed by their privacy policies and
- regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable European laws or regulations, or to exercise, establish or defend our legal rights. Where possible and appropriate, we will notify you of this type of disclosure
- an actual or potential buyer (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business
- other people where we have your express
When you leave your details on our websites, you will receive the monthly governors blog, you can unsubscribe from this at any time. We may occasionally advise you of services which are relevant to your organisation based on our understanding of your needs, our relationship with you and the services we have previously provided to you. We will seek consent to keep in contact with you.
Email Marketing – We may email you from time to time to advise you of services which are relevant to your organisation based on our understanding of your needs and previous services. If you have registered for the governor’s blog on our mailing list you can unsubscribe at any time.
Telephone Marketing – We may call you from time to time to advise you of services which are relevant to your organisation based on our understanding of your needs and previous services.
Postal Marketing – We do not send marketing information by post in line with our environmental policy.
What are your rights under GDPR
Subject Access Request
You have the right to see the information we have on our files which relate to you personally, this is called a subject access request (SAR). To request access of the data we hold about you, please write to the Data Controller to request access. We will acknowledge your request within 7 days and usually respond with the data within 30days from receipt of your request. We can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
The Right to Rectification
If at any point you believe the information we process on you is incorrect or incomplete you can request to have it rectified under article 16 of GDPR. This is called a notice of correction (NOC). To request rectification of data we hold about you, please write to the Data Controller detailing the information which requires rectification. We will acknowledge your request within 7 days and rectify the information within 30 days from receipt of your notification. If it will take longer than 30 days we will inform you and provide an estimated timescale which is usually a maximum of 3 months. In certain circumstances we can refuse to rectify information if the request is manifestly unfounded or excess and we will always write to you and inform you of the reasons for refusal. Please note we have the right to request your ID before rectifying information to protect the individual.
The Right To Erasure
If at any point you decide you no longer want your details retained by us you may have the right to request your details to be erased under article 17 of GDPR (certain data may be exempt from this). This is called notice of erasure (NOE). It is also commonly known as your “right to be forgotten’. The right is not absolute and only applies in certain circumstances. To request erasure of data we hold about you, please write to the Data Controller detailing the information which you would like erased. We will acknowledge your request within 7 days and erase the information within 30 days from receipt of your notification if we are able to do so and your request is valid. If it will take longer than 30 days we will inform you and provide an estimated timescale which is usually a maximum of 3 months
Right to restrict our use of your information: the right to restrict us from using your personal information or limit the way in which we can use it;
Right to data portability: the right to request that we move, copy or transfer your personal information;
Right to object: the right to object to our use of your personal information including where we use it for our legitimate interests.
We will use reasonable efforts consistent with our legal duty to provide you with your rights in accordance with data protection legislation. If you would like to raise a concern about how we are using your data please contact firstname.lastname@example.org
We do not charge an administrative fee for any of the above unless your request is excessive or manifestly unfounded. Where a fee is chargeable it will be reasonable based on the administrative resources required to carry out your request
If you are not satisfied by our actions, you can seek recourse through our internal complaints procedure. You can contact us to have the matter investigated by contacting us as follows
The Data Controller
The Governance Forum Ltd
1 Victoria Square
Telephone: 0845 505 1875
If you remain dissatisfied, you have the right to refer the matter to the Information Commissioner. The InformationCommissioner can be contacted at:
Information Commissioner’s Office
Tel: 01625 545745
Fax: 01625 524510