This privacy notice (the "Privacy Notice") provides information, for the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") (and, where applicable, the UK Data Protection Act, 2018 ("DPA") or other applicable national data protection laws), about how Permira processes and protects your personal data that we may receive for the purposes of developing a proof of concept suite of data analytics tools and services (the "Project").
The terms "controller", "processor", "data subject", "personal data", "process", "processes", and "processing" used in this Privacy Notice have the meanings given to them in the GDPR.
Permira is an independent 'controller' in respect of its processing of your personal data for the purposes of the Project. We are responsible for ensuring that we hold and use your personal data in compliance with the GDPR and other applicable national data protection rules.
The personal data that we collect about you
We may receive a certain amount of personal data about you from our portfolio companies, which may include account identifiers, transaction records, location information, projections of interests and future purchases as well as clickstream data relating to your use of the Golden Goose website.
To the extent practicable, the personal data received by us is pseudonymised such that we are unable to determine your name without further information, which we do not have access to as part of the scope of the Project.
We do not collect or process any special categories of personal data about you (such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
For more information in relation to how a specific portfolio company may process your personal data (separately from Permira and as an independent controller), please refer to the relevant data privacy notice issued by any such respective portfolio company with which you have a relationship.
Who are the recipients of your personal data?
Save for any third party data processor engaged by us for the purposes of the Project, we will not share the personal data we process about you with any third parties.
The purpose for processing your personal data
We may process your personal data for the purpose of understanding insights into various aspects of the operations of portfolio companies. This will entail planning, building and testing various data analytics tools and services during the Project and conducting experiments and analysis to provide such insights.
These tools or services will be designed to provide our portfolio companies with advice (which may be descriptive, predictive or prescriptive) based on an aggregate analysis relying on basic heuristics, statistical modelling and machine learning analyses of the data assessed through the tools.
What is the legal basis of the processing?
When we process your personal data, we do so by relying on Article 6(1)(f) GDPR, namely the pursuit of our legitimate interest in achieving the purpose set out above. We rely on this interest only where we have concluded that, on balance, our processing does not prejudice your privacy, interests, fundamental rights or freedoms in a way that would override our legitimate interest in pursuing those purposes.
Who will your personal data be shared with?
Save for any third party data processor engaged by us for the purposes of the Project, we shall not share or transfer your personal data with any third parties. Any transfers to third party processors by Permira will be as per our obligations as a controller under the GDPR and DPA, including the requirement for them to process your personal data on Permira's documented instructions and under contract. Furthermore, we do not foresee that your personal data will be transferred to outside of the United Kingdom or European Economic Area.
In exceptional circumstances, we may share your personal data with the following parties, where reasonably necessary and in accordance with applicable data protection law for the purposes described above:
- Permira's legal or other professional advisers (including consultants used by Permira) for the purpose of getting legal or other professional advice; or
- to the extent required by EU law, UK law or the law of an applicable EU Member State, in exceptional circumstances:
- to competent regulatory, prosecuting and other governmental agencies, or litigation counterparties, in any country or territory; and
- other organisations and agencies, where we are required to disclose your personal data.
Some of these persons may process your personal data in accordance with our instructions and others will themselves be responsible for their use of your personal data.
We will never sell your personal data and in all cases, Permira will ensure that your personal data is only disclosed for the purposes set out above and in compliance with applicable data protection laws.
Retention and deletion of your personal data
We intend to keep your personal data accurate and up to date and, as a general principle, we do not retain your personal data for longer than we need it. We will delete or anonymise any information that we hold about you when it is no longer required for the purposes set out above, in particular following the completion of the "concept phase" of the Project, or where longer, such period as is required or permitted by law or regulatory obligations which apply to us. Specific information about our record retention policies is available on request. Please contact us (see below).
Automated decision-making techniques (including profiling)
Although automated decision-making techniques, such as machine learning, may be used as part of the Project, as this is a proof of concept, we do not intend to use them to make decisions and produce legal effects for you, or which may otherwise significantly affect you, based solely on automated processing of your personal data.
Permira will not use such automated decision-making processing systems in the manner stated above unless it has considered the proposed processing system in a particular case and concluded in writing that it meets the requirements of the GDPR and other applicable data protection laws.
Your rights in relation to your personal data
The GDPR and other applicable laws provide you (as the data subject) a number of absolute or qualified legal rights in relation to the processing of your personal data. These rights include:
- a right to know what personal data we process and a right of access to such personal data;
- the right to request any incomplete or inaccurate personal data to be corrected;
- the right to object to our processing of your personal data;
- the right to require us to delete your personal data in some limited circumstances;
- the right to object to our processing of some or all of your personal data on grounds relating to your particular situation which are based on legitimate interests, at any time (and require such personal data to be deleted). If you object, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms or where it is necessary for the establishment, exercise or defence of legal claims; and
- a "data portability" right to require us to transfer your personal data to you or to a new service provider in a structured, commonly used and machine-readable format.
If you wish to exercise any of the rights referred to above, please contact us using the details set out under "Contacting Us" below.
We review and verify data protection rights requests. We apply non-discriminatory principles when we action requests relating to your data, in accordance with applicable data protection laws and principles.
We exercise particular care when receiving a request to exercise these rights on your behalf by a third party. We will ensure that the third party is correctly authorised by you to receive the requested information on your behalf.
If you wish to exercise any of these rights, please contact us (see below). You can also lodge a complaint about our processing of your personal information with the office of the UK Information Commissioner (www.ico.gov.uk) and your local data protection authority.
When exercising any of these rights, we may request specific information from you to prove your identity to our satisfaction so that we can safeguard your personal data from unauthorized access by someone impersonating you. Please note that due to the pseudonymised nature of the personal data we receive about you, it may not be possible for us to identify your personal data in the dataset in order to comply with your request.
If you would like further information on the collection, use, disclosure, transfer or processing of your personal data, or to exercise of any of the rights listed above, please address questions, comments and requests to our Data Compliance Lead at firstname.lastname@example.org.
Publication of this notice on our website
As we receive your personal information from third parties (our portfolio companies), we do not have access to your individual names or contact details. We do not have a direct relationship with you. Obtaining such information would involve a disproportionate effort on our part, particularly given that our access to such information is unlikely to be in the interests of your privacy. As such, we have made this Privacy Notice publicly available on our website as opposed to sharing it directly with you, in compliance with the exemption available to us under Article 14(5)(b) GDPR.
Changes to this policy
Any changes we make to this Privacy Notice in the future will be posted to our website (at [www.permira.com]).
This Privacy Notice was last updated on 04 december 2020.