1 Who are we?
Agenda Consulting is a research consultancy, helping not-for-profit organisations develop and sustain the highest levels of employee and volunteer engagement.
For the purposes of the General Data Protection Regulation (GDPR) (EU) 2016/679, the data controller is Agenda Consulting Ltd, registered in England, registration number 4509427.
Registered office: Belsyre Court, 57 Woodstock Road, Oxford, OX2 6HJ, UK
Our contact points are as follows
+44 (0)1865 263720
Registration Number with Information Commissioner’s Office (ICO): ZA232518
Data Protection Administrator: Catherine Wearden (contact details as above)
2 How do we obtain information about you?
We obtain information about you directly when you:
- Browse our website, place an order or register for an event online
- Contact us by email, telephone, or face to face to request information and/or communications on products and services of interest to you
- Use the Agenda Benchmarking Database (ABD), to complete an online benchmarking study
- Attend one of our events
- Give us your business card or details at an event or meeting
- Are named as the person to contact when a colleague is absent, has left your organisation or has suggested you as the most appropriate person to contact
- Enter into a contract for one of our services, such as an employee or volunteer survey, or other survey/consultancy service provided by Agenda.
3 What personal information do we collect?
If you register for an event, or place an order for our products and/or services, we may collect personally identifiable information about you such as your full name, job title, organisation name and address, email address, and telephone number. If you choose to purchase a product/service from us, we or our third-party payment processors will collect your payment information.
3.1 Third Parties
We may also receive information about you indirectly as part of a contractual arrangement with a third party e.g., Charity Finance Group. In this instance, the personal data will be sent to us by email, by CFG, from their database, and will be accessible by the Agenda team, for the purpose of setting up access for you to the Agenda Benchmarking Database (ABD) to complete the Finance Count questionnaire and for communications relating to the study. The personal data we will process for this purpose is: name, job title, organisation name and address, email address, telephone number/s. CFG send us details for the decision-maker and lead user.
4 What is the lawful basis for collecting the information and how do we use it?
We may use your information to process orders, carry out contractual obligations, send communications you have requested, or that may be of interest, seek your views on the services we provide, and notify you of changes to our services.
We will hold your data for the duration of any contract you have entered into with us for a specific service, or in accordance with your preferences, whichever is the longer, and it will only be collected, retained, processed and/or disseminated for the minimum period necessary for each specific purpose.
The purposes of our processes are listed below, along with the lawful basis for each activity:
| Purpose | Lawful basis |
|---|---|
| To process an order for a survey, benchmarking study, event, publication | Legitimate Interest / Contractual Obligation |
| To process a booking onto, or record interest in, a webinar, free event, conference committee, steering group | Legitimate Interest / Contractual Obligation |
| To provide clients with direct marketing about our research findings, client case studies, and our news and products/services | Legitimate Interest |
| To provide mailing list subscribers with direct marketing about our research findings, client case studies, and our news and products/services | Consent |
| To provide access to Reflections, Agenda’s online survey platform | Legitimate Interest / Contractual Obligation |
| To provide access to Reflections for survey response analysis, and reporting for client survey projects | Legitimate Interest / Contractual Obligation |
| To provide access to the Agenda Benchmarking Database (ABD) | Legitimate Interest / Contractual Obligation |
No personal data are collected, retained, processed and/or disseminated beyond the minimum necessary for each specific purpose of the processing.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where we are obliged to do so by relevant authorities.
None of the personal data we collect from you is used in automated decision-making or profiling.
5 Your Rights
We respect your privacy rights and provide you with reasonable access to the personal data that you may have provided through your use of the services. You have the right to request from us confirmation of whether we are processing your personal data, and if so have access to that information.
We are very keen to ensure the data we hold is accurate and up to date. If any of the personal data we hold is inaccurate, you can ask us to rectify it or delete it. Should you change organisation, we would like to keep you informed of our products and services. In considering our response we undertake to ensure your interests, fundamental rights and freedoms are properly balanced against our legitimate interests. We will also look at whether it is still necessary to process your data for the purpose it was collected.
Before we are able to provide you with any information or correct any inaccuracies we may ask you to verify your identity.
If you wish to access or amend any personal data we hold about you, or to request that we delete any information about you that we have obtained from an integrated service, you may contact us by email or phone as set out under the heading at the start of this policy document.
5.2 Accuracy of your information
You have a choice about whether or not you receive information from us and the accuracy of your information is important to us.
You may update, correct, or delete your mailing list preferences at any time by accessing your profile via any MailChimp email from us or by emailing us.
Please note that while any changes you make will be reflected in active user databases instantly or within a reasonable period of time, we may retain all information you submit for back-ups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so.
You may decline to share certain personal data with us, in which case we may not be able to provide you with some of the features or the functionality of the service.
At any time you may object to the processing of your personal data, on legitimate grounds, except if otherwise permitted by applicable law. If you have any complaints or comments about our approach to data protection, we would like to hear from you. If you believe our approach to processing personal data infringes the GDPR and ePrivacy Directive, you have the right to lodge a complaint with a supervisory authority. The authority for the UK is the Information Commissioner’s Office (ICO). You can contact them by telephone on +44 (0) 303 123 1113.
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the site or a third-party to recognize you and make your next visit easier and the site more useful to you.
There are different types of cookies:
- Session cookies
- Permanent cookies
- First-party cookies
- Third-party cookies
Visit https://www.aboutcookies.org/ to find out more.
- Monitor which areas of the site you use during your visit so that we can assess which areas of the site are of most interest and plan future development accordingly.
- Provide online services which require information to be passed from page to page during the course of their execution.
- Enable certain functions of the site, provide analytics, and store your preferences. In addition to our own cookies, we may also use various third-party cookies to report usage statistics of the site.
You have the opportunity to set your computer to accept all cookies, to notify you when a cookie is issued, or not to receive cookies at any time. The last of these, of course, means that we may be unable to provide to you certain personalised services.
7 Security of Data
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Data Protection Administrator.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We take data security very seriously and we are certified to Cyber Essentials – the UK Government’s cyber security standard for business.
Where we hold your data / Third party processors
7.1 Customer Relationship Management System – Salesforce
Salesforce is a cloud-based platform on which we hold personal information about our clients, including name, job title, organisation name and address, email address, telephone number/s, data protection preferences, order history, the products and services you are interested in.
Salesforce has updated its policies and procedures in accordance with GDPR requirements and information relating to its infrastructure, processing of customer data and data security can be found here.
We enter your details into Salesforce according to the lawful basis under which they have been provided (i.e., that it is in our legitimate interests as a business to hold details of those who have expressed an interest in our service, or on the basis of our contractual relationship).
Any changes which have been communicated to us are reviewed and Salesforce is updated weekly or more frequently.
7.2 Email Marketing Platform – MailChimp
MailChimp is a marketing automation platform, which we use to send you information about our products and services. The contact lists used to send messages via MailChimp are derived from Salesforce or MailChimp, and include personal data, such as your name and email address.
Each MailChimp message provides you with options: a) to unsubscribe, b) to update your contact details and preferences. Visit MailChimp to find out more about how it works, and how it treats your data.
We receive regular automated reports from MailChimp comprising:
1) List of email addresses where the message has been delivered successfully;
2) List of email addresses which have unsubscribed;
3) List of email addresses which bounced back: hard bounces (the email cannot be delivered to its destination, due to invalidity of address or an unexpected error) are automatically ‘cleaned’ from the MailChimp list, so that no more emails are sent to that address; soft bounces are recognised by the email server, but are returned to the sender because the mailbox is either full or temporarily unavailable.
We also run a separate report which contains updated preferences data.
We review updates weekly and records are amended on MailChimp and Salesforce accordingly.
7.3 On our File Server
Our files are kept in Microsoft SharePoint, accessed through the OneDrive app by authorised Agenda employees using multifactor authentication, only on devices compliant with our cyber security policy.
The data is backed up using the 365 backup service. The backups are held in Datto’s private cloud located in EMEA, with built-in redundancy, and are geo-replicated within the geographical region. The host uses ZFS file storage, holds a SOC 2 Type II audited certification, and uses built-in encryption.
Our Reflections software was developed by and is supported by Alberon Limited, a UK company. In the course of providing us with maintenance and support services Alberon do have access to all personal data stored in Reflections, though in practice access is minimal and limited by our Information Security Policy to support issues only. The Reflections platform is hosted by Memset in the UK (https://www.memset.com/support/my-memset/privacy-policy/), with backups held by Jungle Disk in Ireland (https://www.jungledisk.com/privacy/). Jungle Disk have no access to the backup, as this is encrypted to the AES-256 standard and Jungle Disk do not have the encryption key.
The Reflections platform has multifactor authentication for client users logging in to the client area to review questionnaires, response tracking and results reports and dashboards.
We also use an Email Service Provider, Sendinblue, to send emails to invite people to respond to surveys using email address lists provided by organisations we work for. Sendinblue’s privacy notice can be seen here: How does Sendinblue comply with the GDPR? – Sendinblue
All personal data is stored in the UK or EEA.
Microsoft Outlook is a cloud-based application from Microsoft, on which we hold emails to and from Agenda. Personal information held here may include name, job title, organisation name and address, email address, and telephone number/s, as well as your data protection preferences, order history, and the products and services you are interested in. Microsoft Outlook has updated its policies and procedures in accordance with GDPR requirements and information relating to its infrastructure, processing of data and data security can be found here.