GDPR Policy for the Reality Check Survey

Date: 1 March 2021 © Cogital 2021 1 GDPR Policy V1.0

What is the purpose of this document?

Cogital and Andekan Inc. are committed to protecting the privacy and security of personal information that we collect in the course of conducting the "Reality Check Survey" (the "Survey").

This Policy describes how we collect and use personal information arising from the Survey, in accordance with the General Data Protection Regulation (GDPR).

Within the context of GDPR, Cogital Ltd acts as a data controller. Cogital is registered as such with the ICO Data Protection Register. Cogital has nominated Alain Waha as the Data Protection Officer (DPO).

Accepting the Survey's Terms and Conditions and taking the Survey form the "legal basis" for the processing of personal data carried out by Cogital. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. To facilitate performance of the Survey, Cogital has collected personal data from you (the data subject) and is therefore a "data controller" for the purposes of GDPR. This means that we are legally responsible for deciding how we hold and use personal information. A central objective of GDPR is increase transparency for data subjects and this Policy is designed to explain to you the categories of personal data that we hold, the types of processing activity and any external third parties that we share personal data with.

Data Protection Principles

Cogital is committed to robust data protection standards and has put procedures in place to ensure that the personal information we hold about you is:

The Kind of Information We Hold About You

Personal data, or personal information, means any information about an individual from which that person can be identified.  It does not include data where the identity has been removed (anonymous data).

Under GDPR there are "special categories" of more sensitive personal data which require a higher level of protection. Special categories of data include race or ethnic origin, sexual orientation, religious beliefs, political beliefs, biometric data, health information and criminal offence data.

Cogital may collect, store, and use the following categories of personal information about you:

We will not collect, store and use the following "special categories" of more sensitive personal information:

How is your personal information collected?

Cogital typically collects personal data directly from interaction with employees, directors, service providers, and survey respondents during the course of normal business practice. Additional information may also be collected through third parties such as Survey Engines. Throughout the period of you working for us we will collect further personal information necessary for job-related activities.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  1. Where we need to perform the contract we have entered into with you.
  2. Where we need to comply with a legal obligation.
  3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. In exceptional circumstances we may also need to use your personal information to protect your interests (or someone else's interests).

Situations where we will use (process) your personal information

The primary reason Cogital holds your personal information is to allow us to perform our contract with you and to enable us to discharge our legal obligations. 

Examples of the types of situations in which we will process your personal information are listed below.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Information about criminal convictions
Given the nature of Cogital job roles we do not envisage that we will hold information about criminal convictions. ​

​Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Data sharing
We m​​ay have to share your data with third parties, including third-party service providers and other entities associated with Cogital.  We re​​quire third parties to respect the security of your data and to treat it in accordance with the law. We may transfer your personal information outside the EU. If we do, you can expect a similar degree of prote​​ction in respect of your personal information.

​What is an external Third Party Data Processor?
Why might you share my personal information with third parties?

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. For example, as your e​mployer we are obliged to report salary and tax contributions data to the local tax office and in specific circumstances disclose specific information to other statutory regulators.   ​

Which third-party service providers process my personal information? The following activities are carried out by third-party service providers and designated agents: payroll, pension administration, benefits provision and administration, global travel, immigration and visa services. The personal data we share on your behalf varies according to your office location. 

The following are examples of regional third party service providers that we routinely need to share staff personal data with:

How ​secure is my information with third-party service providers and other branches of Cogital?
All our third-party service providers and Cogital associated entities are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

When might you share my personal information with other entities in the group?

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.

Data sec​urity

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees and other third party service providers on a need to know basis. Third parties will only process your personal information on our instructions and where they have contractually agreed to treat the information confidentially and to keep it secure.

In the event of any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.​

Data r​​etention

How long will you use my information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our Data Protection Policy which is available on request.

Please keep us informed if your personal information changes during your working relationship with us. ​

Your rights in connection with personal information
As a data subject you have the following rights in relation to your personal data:

If you want to review, verify, correct or request erasure of your personal information, please contact HR Operations.

​Data protection officer

Alain Waha is Cogital data protection officer and is responsible for all data protection compliance. If you have any questions about this Policy or how we handle your personal information, please contact Alain Waha. You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.​

Changes to this Policy

​We reserve the right to update this Policy at any time, and we will provide you with a new Policy when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.​​​