This privacy notice will inform you how we use your personal information. This notice covers personal information relating to you that we may collect through any medium, including specifically in relation to the professional services we provide to you, via our partners and service providers, or through our website. This notice describes how you can access and make certain choices about how we use your personal information. This is a requirement of new privacy laws under the UK General Data Protection Regulation (GDPR). This privacy notice is separate, and in addition to, any contractual confidentiality obligations we may owe you – please refer to our mutual Terms of Business for further details.
What personal information are we processing and how do we collect it?
The types of personal information which we collect and hold about you may differ depending on our relationship with you.
Data about individuals in order to provide our professional services:
We may collect and process your: personal details including your name, address, email and telephone/fax numbers, date of birth, nationality; employment details, including your employers name, your position or title and your corporate contact details; information on your financial circumstances, including your profession, income, assets and liabilities, as well as sensitive and/or criminal data where relevant; details for invoicing and billing; and KYC documentation, if and where required under relevant Anti-Money Laundering or Counter Terrorism Financing (“AML/CTF”) legislation.
We may also need to collect and process information about persons related to a client, but we will only do so when it is required in order for us to provide you with our contracted services. In such circumstances, it is your responsibility to ensure that you have permission from that third-party for us to collect their information and you remain responsible for ensuring that the third-party understands how their information is being used. You may refer to this privacy notice in explaining to third parties how their information is being used.
Data about individuals gathered through our website and for marketing purposes
Data about individuals who are our partners and service providers
We may collect and process your: contact information, including your name, address, position, email and telephone/fax numbers; financial details, including relevant details for invoicing and billing; and KYC documentation, if and where required under relevant Anti-Money Laundering or Counter Terrorism Financing (“AML/CTF”) legislation. This information will be collected from you directly.
Legal basis for processing personal data
Unless specifically stated otherwise, we use personal information in the following ways and based upon the following lawful bases:
a) In order to achieve our legitimate interests. In doing so, we ensure that: your rights and interests are considered and protected, and it has a minimal privacy impact upon you; we are able to demonstrate that we use your data in a proportionate manner and you would not likely be surprised or likely to object to our usage; we may lawfully disclose personal data to a third-parties where we can demonstrate that this disclosure is justified;
b) In order to fulfil our contractual obligations. This includes where you have asked us to do something before entering into a contract, for example to provide a quote;
c) With your explicit consent to do so. For example, to provide you with updates about our services or forthcoming events; and
d) To comply with our legal or regulatory obligations. For instance, where we are required to notify the FCA of something.
Where we contact you in order to market our services or events to you, you may at any time withdraw your consent for us to contact you. If you wish to withdraw your consent for us to send you marketing materials, please notify us at email@example.com.
How and where we store personal information
We take appropriate technical and organisational measures in order to keep your personal information safe and secure. These measures are set out in our internal policies and procedures. We may store your personal information in hard copy securely in our UK offices or electronically. In the past we have used IT ‘cloud’ storage systems which have servers located in the USA for our electronic storage and some personal data is still held on one such system, though we are phasing that out. The vast majority of data is now stored in the UK; the only exception being limited client billing data held on our IT accounting system. Where information is held outside the UK, we have contractual arrangements in place which ensure that the information is held securely and in line with the requirements of the UK GDPR.
All personal data held by Portman is deleted when it is no longer required. Where you have contracted us to provide our services to you, we will delete any personal data held 6 years after our contract with you has ended.
You should note that where you choose to transmit your personal data to us via the internet, we do not guarantee the security of the personal information transmitted and therefore any transmission is at your own risk.
Sharing personal information collected
We may share personal information with the following categories of recipients in reliance on the legal bases and purposes set-out above:
a) Relevant Regulatory Bodies e.g. the FCA in order to make applications on your behalf;
b) Our staff and any contracted consultants we may use in order to provide our services to our clients and run our business;
c) Any law enforcement, court, regulator, or other government authority in order for us to comply with a legal obligation laid down by UK or EU law.
All contractors and service providers with whom we share personal information are contractually required to ensure an adequate level of protection for your personal data at all times.
Your rights in respect of your personal information
You have a number of rights in respect of any personal information which we hold about you. However, you should note that they are not all absolute and we may not have to comply with your request in some circumstances. Your rights are:
a) To access to that information (as to which see below)
b) To request we correct your personal information
c) To request that we erase your personal information
d) To object to our processing your personal information
e) To request a restriction in the processing of your personal information
f) To request a transfer of your personal information; and
g) To withdraw your consent to our processing your information.
If you wish to exercise any of the above rights, please contact us using the details below. Please note that we will require evidence of identity prior to disclosing any personal information.
This privacy notice will be reviewed on an annual basis, but we may make changes to it at any time and may do so without expressly notifying you of these changes. However, should the legal bases or purpose(s) for processing your personal information changes then we shall expressly notify you.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at: firstname.lastname@example.org or Portman Compliance Consulting LLP, 19 Berkeley Street, London, W1J 8ED.
You may also complaint to the UK Information Commissioner’s Office at. The details for complaints can be found on their website at https://www.ico.org.uk.