Privacy Statement

Opening Statement

The Firm Organisation Limited (“TFO Group”) fully respects your right to privacy and we are committed to ensuring that your privacy is protected. You are entitled to the protection of your personal information. This data may relate to your name, telephone number, email address or any other information relating to you.

Please read the following privacy statement to learn more about how we collect, store, use and disclose information about you when you interact with TFO Group. This Policy applies to all your Personal Data collected by (or on behalf of) TFO Group (which includes its group companies), together referred to in this Policy as “TFO Group”, “we”, “us” and “our”.

What does this Privacy Policy cover?

This Privacy Policy covers our treatment of your personal information that marketing companies and brand ambassadors gather on our behalf when we are providing customer acquisition services on behalf of our clients (the “Services”). In the course of the provision of the Services to our clients, we (or marketing companies and brand ambassadors acting on our behalf) gather various types of information about customers, including information that identifies you as an individual (“Personal Data”) as explained in more detail below.

This website is not intended for children and we do not knowingly collect data relating to children.

Who is responsible for the processing of your Personal Data?

The entity which is responsible for the processing of your Personal Data is TFO Group whose registered office is 32 Merrion Street Dublin 2, Ireland. In most cases, the client that engages us to provide customer acquisition services will be the data controller and we will be the data processor acting on their behalf. The identity of the relevant data controller will be disclosed to our customers at the time we receive their personal data. In certain limited circumstances, we may act as a joint data controller with the client. Customers will also be informed of this if applicable at the time we receive their personal data.

Who can you contact if you have Questions or Requests?

Our Data Protection Officer will handle your questions or requests relating to this Policy or your Personal Data. For any questions or requests or complaints concerning the application of this Policy or to exercise your rights, as described in this Policy, you may contact us at the below:

Name: Olivier HAYAT

Position: Data Protection Officer (Group)

Email: DPO@tfo.group

Key Principles

We value your Personal Data entrusted to us and we are committed to processing your Personal Data in a fair, transparent and secure way. The key principles that TFO Group applies are as follows:

Lawfulness: we will only collect your Personal Data in a fair, lawful and transparent manner.
Data minimisation: we will limit the collection of your Personal Data to what is directly relevant and necessary for the purposes for which they have been collected.
Purpose limitation: we will only collect your Personal Data for specified, explicit and legitimate purposes and not process your Personal Data further in a way incompatible with those purposes.
Accuracy: we will keep your Personal Data accurate and up to date.
Data security and protection: we will implement technical and organisational measures to ensure an appropriate level of data security and protection considering, among others, the nature of your Personal Data to be protected. Such measures provide for the prevention of any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and any other unlawful form of Processing.
Access and rectification: we will process your Personal Data in line with your legal rights.
Retention limitation: we will retain your Personal Data in a manner consistent with the applicable data protection laws and regulations and for no longer than is necessary for the purposes for which it has been collected.
Protection for international transfers: we will ensure that any of your Personal Data transferred outside the EEA is adequately protected.
Safeguards re third parties: we will ensure that Personal Data access by (and transfers to) third parties are carried out in accordance with applicable law and with suitable contractual safeguards.
Lawfulness of direct marketing and cookies: if we send you promotional materials or place cookies on your computer, we will ensure that we do so in accordance with applicable law.

What information do we collect?

We receive and store information that you provide to us, via our network of independently contracted Marketing Companies and their independently contracted Brand Ambassadors, that is necessary for the provision of our Services to our clients. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data including first name, maiden name, last name, username or similar identifier, marital status, title, PPS number date of birth and gender;
Contact Data including residential address, email address and telephone numbers;
Financial Data including bank account details and credit card details;
Transaction Data including details about payments to and from you and other details of products and services you have purchased from us;
Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website;
Usage Data including information about how you use our website, products and services; and
Marketing and Communications Data including your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

Generally, we do not process any Special Categories of Personal Data about you, this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). In some instances, you may sign contracts or documents using electronic signature tools (eIDAS) and these tools can use biometric data in the form of how you write your signature as this is unique to you. This biometric information is secured and encrypted, to the extent that we do not use it or process it and it can only be accessed if there is a dispute as to your identity.

The Company is implementing restart plans based on the relaxing of the recent COVID-19 lock down measures as implemented by Government. The company is operating temperature checks for persons coming into the office as a mechanism to identify persons who have a fever (which is one of the symptoms of COVID-19). If you are coming to the office you will be asked to provide your explicit consent for this processing to happen.

Any information which you provide to us is not made available to any third parties without your permission and is used by TFO Group only in line with the purpose for which you provided it and in accordance with the GDPR.

How do we use the information?

We will only process your Personal Data for specified, explicit and legitimate purposes and we will not process your Personal Data further in a way that is incompatible with those purposes.

Such purposes include the operation and administration of our customer acquisition business, the improvement of our products and services, the improvement of your visit on one of our websites or portals, processing invoices for customer acquisition services, paying commissions to the sales force and the production of client KPI reports.

We may also use the information you send to us to communicate with you via email and, possibly, other means, regarding events or services we think may be of interest to you or to send you a newsletter, if you have consented to such contact. However, you will always be able to opt-out of such communications at any time (see the “How can I Exercise my Data Subject Rights” section below).

What is the legal basis for processing Personal Data?

The principal legal basis for this processing is our legitimate interest in the operation and administration of customer acquisition business as well as our legitimate interest in marketing and promoting our business. In addition, please note that in accordance with applicable data protection law, your Personal Data can be processed if:

you have given us your consent for the purposes of the Processing. For the avoidance of doubt, you will always have the right to withdraw your consent at any time;
it is necessary for the performance of a contract to which you are a party; or
it is required by law.

How do we share your Personal Data?

We may have to share your Personal Data with our clients who have commissioned the marketing or direct sales campaign in order to provide the Services. We do not share your personal information with anyone except where consent has been provided or is necessary for the execution of a contract or is required by law.

Is my Personal Data secure?

We implement security safeguards designed to protect your data. We regularly monitor our systems for possible vulnerabilities and attacks. However, we cannot guarantee the security of any information that we receive. There is no guarantee that data may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards despite our best efforts to prevent this.

We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorized access, disclosure, alteration and destruction.

These measures have been designed taking into account our IT infrastructure, the potential impact on your privacy and the costs involved and in accordance with current industry standards and practice.

Your Personal Data will only be processed by a third-party data processor if that data processor agrees to comply with those technical and organisational data security measures.

Maintaining data security means protecting the confidentiality, integrity and availability of your Personal Data:

Confidentiality: we will protect your Personal Data from unwanted disclosure to third parties.
Integrity: we will protect your Personal Data from being modified by unauthorised third parties.
Availability: we will ensure that authorized parties are able to access your Personal Data when needed.

Our data security procedures include: access security, backup systems, monitoring, review and maintenance, management of security incidents and continuity, etc.

How long will we use your Personal Data for?

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

The retention period is determined by, whether we are acting as a data controller or as a data processor. When we act as a processor on behalf of our clients we only retain the data for as long as it is needed to execute the contract with our client. Once this client confirmed retention period has expired, the data is anonymised. To determine the appropriate retention period for Personal Data when TFO Group acts as a controller, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. This retention period is decided upon after we conduct a Data Protection Impact Assessment (DPIA) to assess the data protection risks involved.

In some circumstances you can ask us to delete your data: see Right to erasure below for further information.

In some circumstances we may anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Information We Automatically Collect:

When you visit our Website, we collect certain information related to your device, such as your device’s IP address, referring website, what pages your device visited, and the time that your device visited our Website.

(“IP”) address. Information collected by cookies and other similar technologies – we use various technologies to collect information which may include saving cookies to users’ computers. For further information, please see the section below headed “Cookies and other Tracking Technologies”.

Cookies and other tracking technologies.

A "cookie" is a bite-sized piece of data that is stored on your computer's hard drive. They are used by nearly all websites and do not harm your system. We use them to track your activity to help ensure you get the smoothest possible experience when visiting our website. We can use the information from cookies to ensure we present you with options tailored to your preferences on your next visit. We can also use cookies to analyse traffic and for advertising purposes.

If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings. Please consult our Cookie Policy for more information about the type of cookies and tracking technologies that we use on this Website and why, and how to accept and reject them.

Disclosure of Personal Data

Depending on the purposes for which we collect your Personal Data, we may disclose it to the following categories of recipients, which will then process your Personal Data only for one of the following purposes:

a) Within our organisations:

Our authorised staff members;
Our affiliates and subsidiary companies;

b) Third party business partners:

The Marketing Companies and the Brand Ambassadors that conduct the customer acquisition business on our behalf.
Our clients who have commissioned us to perform the applicable marketing customer acquisition campaign.
Business partners: for example, trusted companies that may use your Personal Data to provide you with the services and/or the products you requested and/or that may provide you with marketing materials (provided that you have consented to receiving such marketing materials). Such business partners will be subject to strict confidentiality.

c) Other third parties:

when required by law or as lawfully necessary to protect TFO Group:
to comply with the law, requests from authorities, court orders, legal procedures, obligations related to the reporting and filing of information with authorities, etc.;
to verify or enforce compliance with TFO Group’s policies and agreements; and
to protect the rights, property or safety of TFO Group and/or its customers;
in connection with corporate transactions: in the context of a transfer or divestiture of all or a portion of its business, or otherwise in connection with a merger, consolidation, change in control, reorganisation or liquidation of all or part of TFO Group’s business.

Marketing Communications

If you have consented to receiving certain promotional or marketing communications from us, you can opt-out of receiving such promotional or marketing communications from us at any time, by using the unsubscribe link in the emails communications we send, click the “Exercise your Rights” link available at the bottom of our Privacy Statement, or send us a message via our website.

Profiling

Certain personal data may be used on an aggregated basis for the profiling of certain territories for the reason of territory management. The profiling that is conducted is done to assist the sales force in selecting and managing territories in which they operate. This enables us to allocate our resources in the most efficient manner for the purposes of targeting customer acquisition. We do not profile individual data subjects and data subjects are not subject to automated decision making. The envisaged consequences of such processing for the affected data subjects is minimal, only that the marketing companies and brand ambassadors that act on our behalf may be more or less likely to conduct our customer acquisition business in their territory depending on the results of the profiling.

Transfer of Data outside the EEA

All processing is conducted within the EEA.

How can I Exercise my Data Subject Rights?

Under the General Data Protection Regulation, you have the following rights:

Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.

Right to withdraw consent: Where we have obtained your consent to process your Personal Data for certain activities, or consent to market to you, you may withdraw your consent at any time.

Right to Rectification: if your Personal Data that we hold is inaccurate or incomplete, you have the right to request the rectification of your Personal Data.

Data Subject Access Requests: Just so it's clear, you have the right to ask us to confirm what information we hold about you at any time, and to provide you with copies of that information. We will respond to your request within 30 days. At this point we may comply with your request or, additionally do one of the following:

we may ask you to verify your identity, or ask for more information about your request; and
where we are legally permitted to do so, we may decline your request, but we will explain why if we do so.

Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to "erase" your Personal Data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data.

Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this – either by directly transferring your data for you, or by providing you with a copy in a commonly used machine-readable format.

Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with the Office of the Data Protection Commissioner.

If your interests or requirements change, you can unsubscribe from part or all of our marketing content (for example job role emails or TFO Group newsletters) by clicking the unsubscribe link in the email, or by sending us a request via email).

Changing this Policy

We may need to change this Privacy Statement from time to time. We will alert you to material changes by, for example, placing a notice on our websites and/or by sending you an email (if you have registered your e-mail details with us) when we are required to do so by applicable law. You are responsible for periodically reviewing this Privacy Statement.

This Privacy Statement was most recently updated on 05/05/2023