Privacy Policy

This policy summarises the key points about how Cohaesus collects, uses and discloses personal data and ensures compliance with the laws and regulations throughout jurisdictions where we operate.

What is personal data?

Personal data is information (including opinions) which relates to an individual and from which he or she can be identified either directly or indirectly through other data which the company has or is likely to have in its possession. These individuals are sometimes referred to as data subjects and include clients and employees.


Richard Bundock, our CEO, is the Data Protection Officer of the personal data we process and is therefore ultimately responsible for ensuring our systems, processes, suppliers and employees comply with data protection laws and regulations in relation to the information we handle. Our Data Protection Officer provides guidance and advice to the company as required.

As a company, we believe it is the responsibility of the whole team to ensure that any personal data sent or received is handled in the correct manner as outlined in our Data Security Policy and IT and Communications Policy.

All Cohaesus employees must abide by this policy and the policies mentioned above when handling personal data and must take part in any required security and data protection training. Any breach will be taken seriously and may result in disciplinary action.

Principles of data protection

The company has adopted the following principles to govern our use, collection and disclosure of personal data. These principles have been established to create a uniform standard across our offices in London, Edinburgh and our partnership in Jaipur, India taking account of the laws in the jurisdictions where we operate.

The company’s core principles provide that personal data must:

  1. be processed fairly and lawfully and to the extent required under local law with valid and informed consent;
  2. be obtained for specific and lawful purposes;
  3. be kept accurate and up to date;
  4. be adequate, relevant and not excessive in relation to the purposes for which it is used;
  5. not be kept for longer than is necessary for the purposes for which it is used;
  6. be processed in accordance with the rights of individuals;
  7. be kept secure to prevent unauthorised processing and accidental loss, damage or destruction; and
  8. not be transferred to, or accessed from, another jurisdiction where these core principles cannot be met unless it is adequately protected.

As a company the type of data we collect and process falls into one of the following categories:

  1. personal data relating to our employees and obtained during the recruitment process;
  2. participants in our events and other promotional activities;
  3. personal data obtained and used in relation to providing digital services during the course of an engagement.
Personal data relating to our employees and obtained during the recruitment process
Types of Data
  • Personal data such as name, address, contact details, education and employment history;
  • background checks (financial and criminal), ID and right to work status;
  • information relating to next of kin, and dependants;
  • financial information including bank details and identifiers (for example, National Insurance numbers);
  • we may process information revealing sensitive information such as health details, racial origin, religious beliefs and information about offences/ alleged offences.
  • Personal data will be collected from a number of sources including your application form/CV;
  • providers of background checks (eg Onfido) and referees;
  • providers of occupational health services;
  • notes and records kept throughout your employment including absences, expenses claims, questionnaires, performance reviews and details of any grievances/disciplinary action.
  • Personal data will be used for:
    • human resources administration;
    • assessing suitability, eligibility and/or fitness to work;
    • learning and development;
    • to ensure the firm’s information and offices are secure;
    • management purposes (including where necessary disciplinary purposes).
  • Photographs, education and career information may be used in marketing and promotional material for the firm including our website and marketing material.
  • Your personal data:
    • will not be transferred to our partners, or to service providers who support the operation of our business;
    • may be stored within the Cohaesus information systems and within third party software applications and services which have been procured to support the operation of the HR function (eg Workable);
    • may be transferred to other third parties such as our insurers, legal and other professional advisors, regulators, administrators and government departments, who may be acting as data controller (eg; NEST Pensions).
Data retention
  • Your personal data will be stored for the following time periods:
    • Data gathered prior to employment for recruitment purposes: 2 years from original application.
    • Data gathered from employment commencement date: continuous whilst employed.
    • Data stored once employment has terminated: 2 years from date of termination.
  • If you require data to be deleted from our systems before these time periods have lapsed, then you must request this in writing.
Participants in our events and other promotional activities
Types of Data
  • Information such as name and business information (email address, job title, who you work for).
  • Additional information may be processed where it is provided by you, for example in correspondence, in connection with an event or in letting us know what areas you are interested in and when you wish to be contacted by us. This may include access or dietary requirements which may reveal information about your health or religious beliefs.
  • Our websites may also collect your device’s unique identifier, such as an IP address.
  • Information is collected via EventBrite, via forms on our website or via email/call only.
  • Personal data will be used to:
    • complete any request you may make;
    • contact you with communications event or marketing updates in line with your preferences.
  • Personal data:
    • will not be transferred to our partners, or to service providers who support the operation of our business;
    • which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected;
    • will not be given to other third parties, apart from in limited circumstances such as, where we run a joint event and you book onto it.
Data retention
  • We do retain data collected via our promotion activities for 1 year since the last interaction with you.
  • You may request the removal of your information at anytime.
Personal data obtained and used in relation to providing digital services during the course of an engagement
Types of Data
  • Information processed for relationship management and service opening procedures such as name, business information and identification documentation.
  • We do not encourage the use of personal email addresses and will insist that our clients only provide work alias during the course of an engagement.
  • Additional personal data may be collected for a specific digital delivery but must be encrypted in transit.
  • Relationship management and service opening information is collected from you directly and further information (e.g. to verify your identity) may be collected from third parties, such as publicly available sources.
Third Party Processors
  • Our carefully selected partners and service providers may process personal information about you on our behalf as described below:
  • Digital Marketing Service Providers
    We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information. Our appointed data processors include:
    (i) Prospect Global Ltd (trading as SoPro) Reg. UK Co. 09648733. You can contact SoPro and view their privacy policy here: http://sopro.io. SoPro are registered with the ICO Reg: Z123456 their Data Protection Officer can be emailed at: dpo@sopro.io.
  • Relationship management and service opening data is used for providing digital services administration, commercial purposes (eg creditworthiness) and as required by law (eg anti money laundering).
  • All other personal data will be used for the purposes of providing digital services and to comply with our statutory/ regulatory obligations.
  • In relation to our digital services we will monitor and record information relating to use of the services. This will include how and when the system is accessed and how data is uploaded.
  • Personal data:
    • will not be transferred to our partners, or to service providers who support the operation of our business unless it is required for engagement purposes (eg: data migration). In this case, all data that is transferred between Cohaesus, our clients and third party suppliers will be encrypted and deleted after use.
    • which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected.
Data retention
  • Once an engagement completes we will remove all personal subject data from our systems after one month of completion/termination.

Individuals’ rights

Personal data must be processed in line with individuals’ rights, including the right to:

  1. request a copy of their personal data;
  2. request that their inaccurate personal data is corrected;
  3. request that their personal data is deleted and destroyed when causing damage or distress; and
  4. opt out of receiving electronic communications from the company.

Should you wish to make a request in line with your rights as an individual, please forward it to the Data Protection Officer.

Employees people must notify or inform the Data Protection Officer immediately if they receive a request in relation to personal data which the firm processes.

How to make a complaint

You should direct all complaints relating to how the firm has processed your personal data to the Data Protection Officer.

Employees must inform the Data Protection Officer immediately if they receive a complaint relating to how the company has processed personal data so that the company complaints procedure can be followed.


Information security is a key element of data protection. The company takes appropriate measures to secure personal data and protect it from loss or unauthorised disclosure or damage.

The company is Cyber Essentials certified and it is a requirement that all employees comply with the company’s IT & Communications policy, which is available in our central policy library.

Transfer of data between jurisdictions

As a company operating in both the UK and India, personal data may be transferred between our various offices as part of our contracted duty to deliver software and services. This might take the form of a large data migration as instructed by our client. Data of this nature will not be transferred unless encrypted and is not stored on our systems post delivery. We also use a number of suppliers in connection with the operation of our business and they may have access to the personal data we process. For example, an HR Consultant may see our personal data when providing HR support. When contracting with suppliers and/or transferring personal data between our teams and suppliers, the company takes appropriate steps to ensure that there is adequate protection in place and that the principles are adhered to.

Contact details

Data Protection Officer, Cohaesus, 35 New Broad Street, New Broad Street House, London, EC2M 1NH
Email: accounts@cohaesus.co.uk