CM Consulting is committed to protecting your privacy
This privacy notice will inform you as to how we look after your personal data when you interact with us directly, you visit our website (regardless of where you visit it from), or any of our promotional web pages.
The Company is committed to being transparent about how it handles your personal information, to protecting the privacy and security of your personal information and to meeting its data protection obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018. The purpose of this privacy notice is to make you aware of how and why we will collect and use your personal information. We are required under the GDPR to notify you of the information contained in this privacy notice.
This privacy notice applies to all clients or potential clients of the Company.
The Company has appointed a Data Compliance Contact to oversee compliance with this privacy notice. If you have any questions about this privacy notice or about how we handle your personal information, please contact us at
Data Protection Principals
Under the GDPR, there are six data protection principles that the Company must comply with. These provide that the personal information we hold about you must be:
- Processed lawfully, fairly and in a transparent manner.
- Collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to those purposes.
- Accurate and, where necessary, kept up to date.
- Kept in a form which permits your identification for no longer than is necessary for those purposes.
- Processed in a way that ensures appropriate security of the data.
- The Company is responsible for, and must be able to demonstrate compliance with, these principles. This is called accountability.
What types of personal information do we collect about you?
Personal information is any information about an individual from which that person can be directly or indirectly identified.
The Company collects, uses and processes a range of personal information about you. This includes (as applicable):
- Identity Data includes first name, last name.
- Contact Data includes, operating address, email address and telephone numbers.
- Financial Data includes billing address.
- Transaction Data includes details about payments from you and other details of services you may have purchased from us.
- Technical Data includes IP addresses and other analytics information
- Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
- We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
How do we collect your personal information?
We use different methods to collect data from and about you including through:
Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- Use our services
- Subscribe to our marketing or publications
- Request information or marketing to be sent to you
- Provide a reference
- Provide feedback.
- Third parties or public available sources
- Your personal information may be stored in the Company’s IT systems, such as our candidate managements system and e-mail system.
Why and how do we use your personal information?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
- Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by Contacting us or utilising the unsubscribe feature in all our electronic communications.
The purposes for which we are processing, or will process, your personal information is to:
- Register you as a client
- Process and deliver service
- Create and process invoices
- Recover money owed
- Manage the working relationship
- Ask you to leave a review or take a survey
- To make suggestions and recommendations to you in connection with our services
- Receive reference information
- Please note that we may process your personal information without your consent, in compliance with these rules, where this is required or permitted by law.
What if you fail to provide personal information?
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who has access to your personal information?
Your personal information may be shared internally within the Company and its consultants, where access to your personal information is necessary for the performance of their roles and in relation to the purpose for which the data was collected.
The Company will not share your personal information unless required to by law.
How does the Company protect your personal information?
The Company has put in place measures to protect the security of your personal information. It has internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those who have a business need to know in order to perform their job duties and responsibilities.
Where your personal information is shared with third parties, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.
The Company also has in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
For how long does the Company keep your personal information?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being clients for tax purposes.
In some circumstances you can ask us to delete your data: see Request erasure below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Your rights in connection with your personal information
As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to:
- Request access to your personal information - this is usually known as making a data subject access request and it enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it
- Request rectification of your personal information - this enables you to have any inaccurate or incomplete personal information we hold about you corrected
- Request the erasure of your personal information - this enables you to ask us to delete or remove your personal information where there’s no compelling reason for its continued processing, e.g. it’s no longer necessary in relation to the purpose for which it was originally collected
- Restrict the processing of your personal information - this enables you to ask us to suspend the processing of your personal information, e.g. if you contest its accuracy and so want us to verify its accuracy
- Object to the processing of your personal information - this enables you to ask us to stop processing your personal information where we are relying on the legitimate interests of the business as our legal basis for processing and there is something relating to your particular situation which makes you decide to object to processing on this ground
- Data portability - this gives you the right to request the transfer of your personal information to another party so that you can reuse it across different services for your own purposes.
- If you wish to exercise any of these rights, please contact our Data Compliance Contact at
In the circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact our Data Compliance Contact. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.
If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues.
Transferring personal information outside the European Economic Area
The Company will not transfer your personal information to countries outside the European Economic Area.
Changes to this privacy notice
The Company reserves the right to update or amend this privacy notice at any time. We will issue you with a new privacy notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.
If you have any questions about this privacy notice or how we handle your personal information, please contact our Data Compliance Contact at
Carys Mills Consulting Ltd trading as CM Consulting
Registered in England and Wales no.8220935
Registered office: 167-169 Great Portland Street, 5th Floor, London, W1W 5PF