Request medical assistance now
Contact us to speak to one of our support staff in the UK.
Speak to one of our representatives
Get In Touch1. Introduction, Aims and Scope
1.1. This policy applies to all Charles Taylor Group companies who operate as part of the CEGA Group. The companies making up the CEGA Group are:
1.1.1. CEGA Group Services Limited;
1.1.2. CEGA Holdings Limited;
1.1.3. CEGA Solutions Limited;
1.1.4. [CEGA GSL SPAIN S.L] ("Cega Palma")1.2. The CEGA Group companies are a group of undertakings in the definition of Article 4(19) GDPR, each of which is incorporated in England & Wales and registered with Companies House at the following address: the Minster Building, 21 Mincing Lane, London, EC3R 7AG. As a matter of UK law, each is domiciled in the United Kingdom (save for CEGA Palma, which is domiciled in Spain and established in the European Union). The CEGA Group is part of the Charles Taylor Group of companies.
1.3. As part of the Charles Taylor Group of companies, the companies in the CEGA Group are committed to conducting their businesses in a manner that protects and values each individual’s personal data, and processes said personal data fairly, lawfully, and ethically. The lawful and proper processing of personal data by Charles Taylor Group is integral to the success of its businesses, is required by law under the UK GDPR and the General Data Protection Regulation (“GDPR”) in respect of CEGA Palma. Our customers, clients, partners & employees expect the Charles Taylor Group to process personal data fairly, lawfully and ethically.1.4. Further to the various policies and processes operated by Charles Taylor Group, the CEGA Group has developed and customised its own policies around data protection to account for the specific challenges of its business, including their global scope (including territories outside of the UK and European Economic Area), the scale of their operations and the sensitive nature of the personal data they often process.
1.5. This document is the CEGA Privacy Policy. It governs the way in which the various data controllers in the CEGA Group (for which, see the CEGA Group Governance & Registration Policy), including CEGA Group itself in relation to employment, finance, human resourcing and pension matters, will comply with data protection law in the UK, and gives summary information as to the way in which CEGA Group processes personal data and how data subjects can exercise their rights in respect of personal data held by CEGA.
1.6. This Privacy Policy is one of six core CEGA Group policies, which provide the framework for the processing of personal data by CEGA Group. They should be read together, and any apparent inconsistencies will be resolved upon request by the CEGA Group Data Protection Officer. The other policies are:
1.6.1. Group Data Governance Policy;
1.6.2. CEGA Group Data Subject Rights Policy;
1.6.3. Global Document Retention Policy;
1.6.4. CEGA Group Data Incident Policy;
1.6.5. Group Data Transfer Policy; as well as
1.6.6. The CEGA Information Security Policy; and
1.6.7. all Charles Taylor Group data protection policies insofar as applicable to CEGA.1.7. The aim of these policies is to support the management of data protection across CEGA Group by providing this agreed set of standards. All CEGA Group employees and contractors in all relevant territories and businesses must familiarise themselves with the processes and procedures set out herein and comply with them at all times.
1.8. This Policy applies to all CEGA Group entities which process (whether electronically or otherwise) Personal Data (including Special Category Personal Data). Subject to the CEGA Group Data Transfer Policy (which shall take precedence in all matters of territoriality), CEGA Group shall treat data concerning any living natural person as being personal data, irrespective of their nationality, citizenship, or residence.
1.9. For operational purposes, there may be occasions where deviations to this Policy or any linked Policies are required. Where this is necessary and justified, the deviations shall be recorded by the CEGA Group Data Protection Officer in the CEGA Information Security and Data Privacy Policy and the CEGA Data Privacy Policy and, where appropriate, notified to the Information Commissioner’s Office (“ICO”).
2. Definitions
2.1. The Policy, unless indicated otherwise below, adopts the definitions contained in Article 4 of the UK GDPR (and GDPR). Specifically, this Policy relies on the below definitions. (Where this Policy refers to an Article of the GDPR, that reference shall be interpreted as a reference to the UK GDPR also).
2.1.1. Personal Data means:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”2.1.2. Special Category Personal Data means:
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”2.1.3. Processing means:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
2.1.4. Data Controller means:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”2.1.5. Data Processor means:
“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”2.1.6. Data Subject means:
“an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”2.1.7. Third Party means:
“a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.”2.1.8. Consent means:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”2.1.9. Data Breach means:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”2.2 The policy also relies on the following defined terms
2.2.1 Applicable Data Protection Law means:
2.2.1.1. the Data Protection Act 2018 (“DPA2018”), and subsidiary legislation and orders made pursuant to the DPA2018;
2.2.1.2 the UK GDPR ( the GDPR as retained in the domestic law of the UK);
2.2.1.3 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“the PEC Directive”), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), and any subsequent EU instrument (“the ePrivacy Regulation”) which either amends or replaces these legal instruments (for as long as it continues to apply in the UK)); and
2.2.1.4 any other domestic data protection laws as shall be in force in the UK from time to time, to give effect to the rights of citizens concerning data protection (including replacements for PECR, whether or not implementing or retaining the EU ePrivacy Regulation).
2.2.2. Applicable Guidance means guidance and/or codes of practice and/or outcomes of any enforcement action issued and/or published by the ICO, and, where relevant, the European Data Protection Board, or any successor bodies to these organisations, in relation to any Applicable Data Protection Law.2.2.3. Archiving means the removal of Data from active systems (including, but not limited to, IT systems) and placing the Data into secure storage (whether hard copy or electronic) where the Data is still capable of being accessed by arrangement.
2.2.4. Chief Information Security Officer (CISO) means the individual appointed by Charles Taylor Insuretech to supervise information security within the Group.
2.2.5. Data Champion means an individual within the individual Separate Undertaking within the Group who is responsible for managing compliance with the Applicable Data Protection Law and Applicable Guidance in that particular business unit, and assisting the Group DPO.
2.2.6. General Data Protection Regulation or GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2.2.7. Group Data Protection Officer or Group DPO means the individual appointed by Charles Taylor Group under Article 37(2) GDPR, and designated by the Group to inform and advise the Group on the Applicable Data Protection Law and Applicable Guidance, and monitor the Group’s compliance with the Applicable Data Protection Law and Applicable Guidance.
2.2.8. Privacy Office means the Office consisting of the Group DPO, the Data Champions, and the CISO.
3. The Principles underpinning this policy
3.1. CEGA Group will at all times comply with Applicable Data Protection Law and Applicable Guidance. Insofar as they are able within the law and within the terms of contracts with external parties, CEGA Group companies will seek to make all decisions through the prism of acting in the best interests of the Data Subject.
3.2. Article 5 GDPR provides for the core principles of Applicable Data Protection Law:
3.2.1. We shall process personal data fairly, lawfully and transparently;
3.2.2. We shall only be processing for specified, explicit purposes, or collateral purposes that are not incompatible with the processing for which the data was obtained;
3.2.3. We will limit processing of personal data to what is adequate, relevant & necessary
3.2.4. We will keep personal data accurate and up-to-date;
3.2.5. When we no longer need to keep personal data in a way that identifies the data subject, we will either delete it, or render data subjects non-identifiable;
3.2.6. We will take appropriate technological and organisational measures to keep personal data secure, and protect it against accidental or malicious unlawful or unauthorised processing.3.3. In readiness for its compliance with the Applicable Data Protection Law, CEGA Group prepared a full Data Inventory which it has maintained and shall maintain on an ongoing basis. CEGA Group also conducted a Data Mapping Exercise and, separately, the Group DPO prepared a Gap Analysis which showed the extent to which CEGA Group’s current data protection policies and processes met GDPR compliance requirements. These are carried out periodically in order to achieve and maintain compliance with the GDPR.
3.4. CEGA Group (including all data co-controllers with CEGA Group) shall, pursuant to Article 24(2) GDPR, endeavour to adhere to all ICO-approved codes of conduct (pursuant to Article 40 GDPR), and shall, in the future, aim to achieve certification of compliance (pursuant to Article 42 GDPR) from a certification body approved by the ICO or other supervisory authority, when such a certification scheme is implemented.
3.5. Under Article 29 GDPR, any processor engaged on behalf of a CEGA Group company as a controller, or a sub-processor on behalf of a CEGA Group company as a processor, shall process personal data only on the CEGA Group company’s instructions. Where the CEGA Group is a controller, and it is reasonably practicable or necessary to do so , CEGA Group will seek to ensure that the relationship between a processor and the CEGA Group company engaging them is a contractual one, compliant with Article 28 GDPR.
4. Processing personal data Fairly, Lawfully and Transparently
4.1. CEGA Group will keep and maintain a Data Inventory, listing the categories of all the Personal Data that it processes, including specifying the Special Category Personal Data.
4.2. CEGA Group will keep and maintain Fair Processing Notices (set out at Appendix A and B to this Privacy Policy) which shall be displayed publicly on all CEGA Group websites & made available to data subjects according to Applicable Data Protection Law.
4.3. CEGA Group will conduct a general Privacy Impact Assessment when developing new procedures or processes, or entering into new forms of business which involve the processing of personal data. The CEGA Group DPO shall be responsible for any prior consultation with the ICO within the meaning of Article 36 GDPR. In particular, any new reliance on automated decision-making (including profiling) under Article 22 GDPR shall be referred to the ICO for prior consultation.
4.4. CEGA Group will act in accordance with all its legal and ethical obligations in respect of personal data, including (but not limited to) Applicable Data Protection Law.
4.5. CEGA Group will give effect to Articles 12-14 GDPR and the Right to Information, in the form of the Fair Processing Notices set out above.
4.6. Any contracts in which both CEGA Group and another entity are both Data Controllers shall where possible specify the division of responsibilities in a manner that maximises the transparency of approach to data subjects, especially with respect to their Data Subject Rights. The CEGA Data Subject Rights Policy details the process by which allocation of responsibility for decision-making in relation to data subject Requests shall be made.
5. Processing personal data for Specified Purposes only
5.1. The CEGA Group DPO will maintain the Data Inventory, which shall include:
5.1.1. as against every type and category of Personal Data the lawful basis (or bases) for its processing, according to Article 6 GDPR;
5.1.2. as against every type and category of Special Category Personal Data, the exemption (or exemptions) relied upon under Article 9(2) GDPR from the prohibition in Article 9(1) GDPR;
5.1.3. as against every type and category of personal data relating to criminal convictions and the like (Article 10 GDPR), the provision of Applicable Data Protection Law which permits such processing (this type of personal data will normally only be processed if CEGA Group are advised of, or discover, fraudulent conduct);
5.1.4. a full record of any circumstances in which CEGA Group as a data controller relies on its own legitimate interests, and consideration of the extent (if at all) to which this infringes upon the principles of the Applicable Data Protection Law.
5.1.5. Where the processing of personal data is for different purposes than the original purposes for which the personal data was obtained, the CEGA Group DPO shall ensure that the new, different, purposes are recorded and rendered distinctive in the Data Inventory, and that a PIA is conducted to ensure compliance with Article 6(4) GDPR as to the compatibility of the new purposes with the original purposes.
6. Data Minimisation
6.1. CEGA Group will only process Personal Data insofar as is reasonably necessary to do so.
6.2. CEGA Group will review its Data Inventory on a periodical basis, no less than once per annum, and the CEGA Group DPO shall certify (no less than annually) that no types or categories of personal data are excessive, or inadequate, or not relevant to the purposes for which that personal data is processed.
6.3. The Group shall take such steps as are required to comply with Article 25 GDPR, including constant review of processing to ensure data protection by design and by default.
7. Data Integrity
7.1. CEGA Group shall ensure, where reasonably practicable, that all personal data it processes shall be accurate and up-to-date.
7.2. The CEGA Data Subject Rights Policy provides for the Right to Rectification, which shall be effected without undue delay on receipt of a written Request from, or on behalf of, a data subject seeking to rectify (including seeking to amplify) their Personal Data.
8. Data Retention
8.1. The Group Data Retention Policy provides details as to the period for which types and categories of personal data shall be retained, and the lawful basis for that retention.
8.2. In the absence of any justification under the Data Retention Policy, personal data shall be deleted without undue delay, unless paragraph 8.3 applies.
8.3. In limited circumstances, to be recorded in the Data Inventory and the CEGA Retention Policy, and approved in each case in advance by the CEGA Group DPO (who shall report all such approvals to the Board) personal data may be retained beyond the date provided for in the Data Retention Policy, but only if the data subjects are rendered non-identifiable from such data, and in such circumstances Article 11 GDPR shall apply.
9. Appropriate Technical & Organisational Measures
9.1. CEGA Group shall take all appropriate technical and organisational measures to keep Personal Data secure and processed only for the authorised purposes.
9.2. All staff (whether employees, or contractors, or others) must comply with this CEGA Group Privacy Policy and all of the policies mentioned at paragraph 1.6. CEGA Group will incorporate such obligations into all contracts of employment.
9.3. Further provisions as to this principle of Applicable Data Protection Law can be found in the CEGA Group Data Incident Policy and, where relevant, in the Information Security and Data Privacy Policy.
10. Audit and Review
10.1. This Policy shall be reviewed on an annual basis by the CEGA Group DPO.
APPENDIX A – FAIR PROCESSING NOTICE
This Fair Processing Notice tells you about processing of “personal data” by the CEGA Group (trading as Charles Taylor Assistance)1.
We may hold and process your personal data in order to provide services relating to the insurance industry. Our activities (‘the Services) include claims handling, medical screening, risk assessment, and performing contracts of insurance which can include providing medical assistance abroad. We also provide non-insurance related medical assistance including repatriation, and other services related to our core businesses. When providing the services we are usually “data processors” of your personal data, and the “data controller” is the company with whom you (or your employer or family member) has an insurance policy. Sometimes, though, we may be a joint data controller with the insurance company. If you don’t know who is the proper data controller for your personal data, then you can contact us below, and we will check for you.
We are committed to processing all personal data fairly, lawfully, and transparently. To make things simpler, Charles Taylor Assistance has nominated one data controller, CEGA Group Services Limited, to handle all requests or queries you might have about our processing of your personal data. We have, alongside a number of Charles Taylor Group entities, jointly appointed a CEGA Group Data Protection Officer (“DPO”) to oversee compliance with data protection law. Their contact details are: Emma Hancock; The Minster Building, 21 Mincing Lane, London, EC3R 7AG; +44 20 7680 5665, dpo@charlestaylor.com
You have various legal rights in your personal data including the right of: information and access to your data, including a “portable” copy of your data; erasure and rectification of your data; and rights to restrict or object to processing of your personal data. Where we rely on your consent to process your personal data you can withdraw that consent at any time. To exercise these data subject rights please contact the following email address: data.protection@cegagroup.com .
The data we generally hold and process includes names, contact details, dates of birth, insurance policies or claims in which you may have been involved. This may include special category personal data including, potentially, information about your medical history, race, ethnicity, sexual orientation, religious beliefs, trade union membership, genetic and biometric data, political opinions, and any other physical or mental health details. This personal data is held only for the purposes of performing the Services.
CEGA Group will almost always obtain your data from its clients who are insurance companies or their clients, who in turn will have obtained it from you or your employer or family member in relation to an insurance policy or employee policy. Alternatively this may have been provided to us by a company in connection with the provision of medical assistance to you.
Our lawful bases for processing personal data include:
• where you have given us your consent, we rely on that consent, including your explicit consent to process special category personal data;
• where you are party to a contract, and that contract requires your personal data to be processed;
• where we may have legal obligations that mean we have to process personal data, including anti-money laundering obligations, checking criminal convictions, checking international sanctions registers and fraud investigation and recovery.
• some aspects of processing personal data in insurance may fall within the “public interest” lawful basis.
In all circumstances, however, we also rely on our legitimate interests, and those of our insurance industry clients or other clients, to ensure that you and the other people who are named under your insurance policy are properly protected by the provision of adequate insurance against the risk of misfortune, or, if the processing is unrelated to an insurance policy, to ensure that medical evidence can be effectively provided to individuals. Where we rely on our legitimate interests, we will always balance them against the rights and freedoms of the people whose personal data we process. Where their rights override our legitimate interests we will cease to process personal data.
From time to time, we may need to disclose personal data to third parties. Sometimes, these will be companies who process on our behalf and only act upon our instructions. Sometimes, these will be individuals and companies who are needed to provide services such as: doctors, clinics and hospitals, air ambulances, taxi services, or other services which may be covered under your insurance policy or company scheme. Your information may be shared with insurance participants, including the policyholder.2
From time to time we will need to transfer your personal data outside the European Union. We will, save for exceptional circumstances, only do so:
• to a county in the European Economic Area or that the European Commission has certified as having adequate data protection law;
• under Binding Corporate Rules within our group of companies;
• with your consent, to protect your vital interests, for important reasons of public interest, to perform a contract in your interests, for the defence of legal claims.
We will always keep records of where your data has been sent outside of the EU and you can have access to these records if you wish. We will generally keep personal data for as long as we have a lawful basis (including the legitimate interest basis), or where that lawful basis comes to an end, we may retain it for six years and one year afterwards, for the purposes of litigation. Any data kept after this time will be pseudonymised so that you are no longer identifiable from such data.
There are some very limited circumstances where we, on behalf of our clients, use computer questionnaires to give you a quick decision on whether or not they can provide you with insurance cover, and in some cases to generate a quote based on your individual circumstances, including things which may involve your Special Category Personal Data (like your health data). This is a form of ‘automated decision-making’, because it compares your answers against our insurance client’s criteria, and makes a ‘decision’ about whether to provide cover and, at times, how much that might cost.
There may be some very limited circumstances where we, on behalf of our clients, use automated decision making to provide decisions in relation to dealing with, progressing and settling insurance claims.
We will not use automatic decision making without
(a) either your explicit consent; or
(b) it being necessary for entering into, or performance of, a contract between yourself and a data controller (such as ourselves or an insurance company who we are supporting) or
(c)) you being told by a data controller that a decision has been taken solely on automated processing.
However, if you are not happy with the result of an automated decision, you can request human intervention, express your own views, and/or contest the automated decision by writing to dpo@charlestaylor.com (but please put ‘Automated Decision-Making’ in the email Subject line).
Further details can be found in our privacy policies. The CEGA Privacy Policy is accessible online via [https://www.charlestaylor.com/en/claims-solutions/assistance/]. CEGA’s other data protection policies are available upon request.
APPENDIX B – EMPLOYEE FAIR PROCESSING NOTICE
CEGA Group Services Ltd Privacy Notice
CEGA Group Services Ltd ('CEGA') is committed to protecting the privacy and security of your personal information. This privacy notice describes how we coll
ect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR). This notice applies to all employees, workers and contractors. It does not form part of your contract of employment or engagement with CEGA.
CEGA is the controller of the personal data which you provide to us. CEGA is responsible for deciding how it holds and uses personal information about you. CEGA's processing of your personal data is overseen by Charles Taylor Limited’s Data Protection Officer who can be contacted at dpo@charlestaylor.com. Alternatively you can contact tara.wright@cegagroup.com
Use of your personal data during employment
During the course of your working relationship with CEGA, we will collect, store and process your personal data.
Sources of personal data
CEGA obtains personal data from you, your manager and, in some cases, it obtains personal data – including special categories of personal data – from third parties. These include benefits providers, regulators and other external service providers. We collect additional personal information in the course of job-related activities throughout the period of your working relationship with us.
Categories of personal data |
Purpose of processing |
Legal basis for processing |
Personal details including your name, address, gender, age, date of birth, telephone number and email address |
|
Necessary for the performance of the employment contract |
Details of marital status and dependents |
|
Necessary for the performance of the employment contract |
Next of kin and emergency contact information |
|
Necessary to comply with legal obligations and to protect the vital interests of the employee or another person |
Bank account details, payroll information and tax status information |
Paying you and operating appropriate PAYE arrangements |
Necessary for performance of employment contract |
Details of your immigration status and your right to work in the UK |
|
Compliance with legal obligation |
Current salary and salary history |
|
Necessary for performance of employment contract |
Pensions, insurance enrolment and other benefits information |
|
Necessary for performance of employment contract |
Disciplinary and grievance records |
|
Necessary for performance of employment contract and compliance with legal obligations |
Work performance information and career development planning |
|
Necessary for performance of employment contract |
Records of sickness absence, annual leave and other types of leave from work |
|
Necessary for performance of employment contract |
Recruitment information such as CV, work history and references |
|
Necessary for the legitimate interests of CEGA |
Employment records including start date, work history and working hours |
|
Necessary for the performance of the employment contract |
Training records and updated professional qualifications |
Ascertaining education, training and development requirements |
Necessary for the legitimate interests of CEGA |
Photographs |
Marketing, maintaining workplace security, internal networking |
Necessary for the legitimate interests of CEGA |
Information about your race, ethnicity, religious beliefs, sexual orientation and political opinions |
Equal opportunities monitoring |
Promoting or maintaining equal opportunities |
Information relating to your health including Fit notes, occupational health reports and other information provided by you and medical professionals on your behalf |
Managing sickness absence; ascertaining fitness to work; assessing requirements to make reasonable adjustments, making occupational health referrals |
Necessary to comply with the legal obligations under the Equality Act 2010 and in order protect your vital interests |
What we do with your data
All the personal data we collect is processed by our staff in the UK.
Who we share your data with
We share defined sets of your personal data with a limited number of third parties. Sometimes, these will be companies who process on our behalf and only act upon our instructions. Sometimes, these will be individuals and companies such as: business consultants, doctors, and lawyers and other experts. Some of these third parties include:
We may also share your data with other entities within the Charles Taylor PLC group as necessary for the purposes of the performance of your employment contract and in reliance upon our legitimate interests in ensuring that staff have appropriate levels of education and training, for business development and for ensuring security within the workplace. Where we rely on our legitimate interests, we will always balance them against the rights and freedoms of the people whose personal data we process. Where their rights override our legitimate interests we will cease to process personal data.
Retention period
We will not retain information relating to you longer than is necessary for the purpose for which it was obtained and any legal, accounting or reporting requirements related to that purpose. Details of the retention policy for HR records observed by CEGA is set out in CEGA's Information Security Policy which is available on the intranet.
Once you cease to be an employee, worker or contractor of CEGA, we will retain and securely destroy your personal information in accordance with our Document Retention Policy or applicable laws and regulations.
Employee rights
It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes during your working relationship with us. You can do this via the self-service options in iTrent and by emailing/writing to Human Resources.
If at any point you believe the information CEGA processes on you is incorrect, you can make a request to see the information and have it corrected or deleted if appropriate. If you wish to raise a complaint on how your data has been handled, you can contact the Head of Human Resources at CEGA or Charles Taylor PLC's Data Protection Officer who will investigate the matter.
If you are not satisfied with our response or if you believe we are processing your personal data in a manner which is not in accordance with the law, you can complain to the Information Commissioner’s Office.
Transfer of data overseas
From time to time we may need to transfer your personal data outside the European Union. We will, save for exceptional circumstances, only do so:
• to a county in the European Economic Area or that the European Commission has certified as having adequate data protection law;
• under Binding Corporate Rules within our group of companies;
• to protect your vital interests, to perform a contract in your interests and for the defence of legal claims.
• we will always keep records of where your data has been sent outside of the EU and you can have access to these records if you wish.
Changes to this privacy notice
This Privacy Notice can be found on CEGA's intranet. We reserve the right to update this privacy notice at any time, and any updates will be published on the intranet. We will notify you when any substantial updates are made.
If you have any questions about this privacy notice, please contact the Data Protection Officer at
dpo@charlestaylor.com or tara.wright@cegagroup.com
If you continue on this website, you will be providing your consent to our use of cookies | For more information on this and how we use your information, please view our online privacy policy