Cheshire Trafford UK Ltd Privacy Notice
HOW WE USE YOUR PERSONAL INFORMATION
At Cheshire Trafford UK Ltd (“CHESHIRE TRAFFORD”), we care about your privacy and value the trust you place in us when you share your personal information.
Accordingly, we wanted to let you know how we deal with the personal information you give us or is given to us by a third party. The aim of this Notice is to explain to you – as a Data Subject – what kind of personal information we gather on you, why and how we process it as data controller. Data protection laws will change on 25th of May 2018, with the implementation of the EU GDPR (General Data Protection Regulation). This Notice sets out your rights with regard to this new EU regulation.
Your privacy is protected by law, which says that we can use your personal information only if we have a proper reason to do so. This includes sharing it with parties external to CHESHIRE TRAFFORD. The reasons why CHESHIRE TRAFFORD may process your personal information are:
1. To fulfil a contract we have with you;
2. When it is our legal duty;
3. When it is in our legitimate interest; or
4. When you consent to it
A legitimate interest is when we have a business or commercial reason to use your information, but this must not unfairly go against your rights or freedoms. If we rely on our legitimate interest, we will tell you what that is.
From time to time, we may update this Notice and any new version will be posted on our website. We recommend you regularly review it to ensure that you are always aware of our privacy practices.
The GDPR provides the following rights for individuals, under certain circumstances, in relation to their personal information:
1. Right to be informed about the collection and use of their personal data;
2. Right to access personal information;
3. Right to rectify personal information;
4. Right to request that personal information is erased;
5. Right to restrict the use of personal information;
6. Right to data portability (in certain specific circumstances);
7. Right to object to processing of personal information;
8. Right not to be subject to a decision based solely on automated processing, including profiling;
9. Right to lodge a complaint with a supervisory authority
If you – as an individual – wish to exercise these rights, please contact our Data Protection Officer for further information at DataProtectionOfficer@Cheshire-trafford.co.uk or directly at: Cheshire Trafford UK Ltd, Capital House, Main Street, Lelley, East Yorkshire, HU12 8SN. In order to exercise your rights under data protection law, we will need to verify your identity for your security. Verifying identity is an important way of safeguarding against criminal activities including the prevention of illicit access to your information.
A summary of each right and how you can take steps to exercise it is set out further below.
Where we receive a request to exercise one of these rights, we shall provide information on the action we take on the request without undue delay and in any event within one month of receipt of the request. This may be extended by a further two months in certain circumstances, for example where requests are complex or numerous. Where we do not carry out a request, we shall inform you without delay and within one month of receipt of the request, providing our reasons for not taking the action requested.
The information will be provided free of charge, except where requests are manifestly unfounded or excessive, in particular because of their repetitive character. In these circumstances we may charge a reasonable fee or may refuse to act on the request. We will advise you of any fees prior to proceeding with a request.
1. Right to be informed about the collection and use of their personal data
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. CHESHIRE TRAFFORD must provide individuals with information including: our purposes for processing their personal data, our retention periods for that personal data and who it will be shared with. This is known as ‘privacy information’ as this Privacy Notice explains these factors to you.
2. Right to access personal information
Individuals have the right to confirm the following with us:
• Whether or not we process personal information about them
• Certain specified information about the processing
Individuals also have a right to access the personal information and be provided with a copy. This is commonly referred to as a Subject Access Request.
3. Right to rectification of personal information
If an individual believes that the personal information we hold on them is inaccurate, they may request that it be amended. They may also request that incomplete personal information be completed, including by providing a written confirmation
4. Right to request erasure of personal information (“right to be forgotten”)
An individual may also request the erasure of their personal information in certain circumstances, including the following (this is not an exhaustive list):
• The personal information is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• The processing was based on consent which has been withdrawn and there is no other legal basis for processing;
• The individual has exercised their right to object to the processing and there are no overriding legitimate grounds for the processing to continue.
There are certain exceptions where we may refuse a request for erasure, for example, where the personal information is required to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
If an individual does request erasure of their personal information, this will potentially remove records which we hold for their benefit and they will have to contact us to provide personal information if they wish for us to hold this in future.
5. Right to restrict processing of personal information
Individuals have the right to request that we restrict processing of their personal information where one of the following applies:
• An individual contests the accuracy of the personal information. The restriction will apply until we have taken steps to verify the accuracy of the personal information;
• The processing is unlawful but an individual does not want the personal information to be erased and requests restriction instead;
• We no longer require the personal information for the purposes of processing, but it is still required by an individual in connection with a legal claim;
• An individual has exercised their right to object to the processing. The restriction will apply until we have taken steps to verify whether we have compelling legitimate grounds to continue processing.
6. Right to Data Portability
Where we are relying upon the legal basis either of consent or that the processing is necessary for the performance of a contract to which an individual is a party and that personal information is processed by automatic means (e.g. electronically), an individual has the right to receive all the personal information which they have provided to us in a structured, commonly used and machine-readable format and to transmit this to another controller directly, where this is technically feasible.
7. Right to object to processing of personal information
An individual also has the right to object to processing of their personal information where the legal basis of the processing is in our legitimate interests. We will have to stop processing until we are able to verify that we have compelling legitimate grounds for processing which override the individual’s interests, rights and freedoms, or alternatively that we need to continue processing for the establishment, exercise or defence of legal claims.
8. Right not to be subject to a decision based solely on automated processing, including profiling
The GDPR states that the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Automated individual decision-making is a decision made by automated means without any human involvement. Examples of this include:
• An online decision to award a loan;
• A recruitment aptitude test which uses pre-programmed algorithms and criteria.
Automated individual decision-making does not have to involve profiling, although it often will do. CHESHIRE TRAFFORD does not undertake any exercises of automated processing or client profiling.
9. Right to complain to a Supervisory Authority
An individual also has a right to lodge a complaint with a supervisory authority, in particular in the Member State in the European Union where they are habitually resident, where they work or where an alleged infringement of Data Protection laws has taken place.
If you are not satisfied with our response or believe that we are not processing your personal information in accordance with the law, you can complain to the Information Commissioner’s Office (ICO) by emailing email@example.com or telephoning 0303 123 1113. Additional contact methods are detailed on their website: https://ico.org.uk/global/contact-us.
OUR PRIVACY COMMITMENTS TO YOU
We make the following privacy commitments to you:
• We will keep your data safe and private
• We will ensure that you can exercise your rights
• We will train our employees to properly manage your personal information
TYPES OF DATA WE MAY COLLECT
In general, we may collect and maintain a standard set of personal information from you. This personal information includes but is not limited to the following:
• Identification data, such as name, sex, age/date of birth, place of birth, contact details including address (private and professional), phone number (private and professional), email (private and professional);
• Your relationship to family members;
• Profession, job title and position;
• Information on your current health and health history. This information requires special protection by law – we will always explain what information we require and why it is needed when collecting this information. It will always be processed and stored securely;
• Nationality or Civil status;
• Passport information or other national identification number;
• Photograph (typically as part of identification documents such as passport);
• Tax reference identification such as National Insurance Number;
• Source of wealth relating to an investment;
• Information we collect for Know Your Client purposes. This may include information which we will process in order to determine an account holder’s or investor’s status as a ‘Politically Exposed Person’ if we have their consent or are otherwise authorised to use this information under applicable law. This may also include information about criminal convictions if we are authorised to use this information under applicable law;
• Information relating to the account holder’s or investor’s transactions;
• Account history with CHESHIRE TRAFFORD;
• Financial details relating to your relationship with CHESHIRE TRAFFORD, such as fees paid;
• Current and previous personal financial details relating to external parties, such as income, pension contributions, investments with third parties and retirement provisions;
• Contact details for third parties where you are a mutual client;
• Communications including emails, telephone calls and letters;
• Any consents which you have given us in relation to the processing of your information;
• CCTV images, which are used for building security
There are some types of personal information that we may need to collect from you to perform a certain task (such as withdrawing money) but we will endeavour to anonymise, redact or delete as soon as practicable, such as:
• Personal bank account and financial information such as account identification and number;
• Health information that relates specifically to the completion of an application for life insuarnce
We do not record telephone calls. This decision by CHESHIRE TRAFFORD increases our ability to protect your personal information but does mean that there are certain instructions that we may not be able to take from you over the phone and will instead have to be written.
HOW WE MAY COLLECT DATA
In general, we may collect and maintain a standard set of personal information from you. The source of this personal information includes but is not limited to the following:
• Personal information you give to us, typically via;
o Client ‘factfind’;
• Personal information from third parties that we work with, typically;
o Companies that introduce business to us and are part of our Approved Counterparties list;
o Details obtained from social media;
o Details from product providers that you have provided us with Letter of Authority over;
o Providers of ‘Know Your Client’ data, required for the purpose of client identification, verification and anti-money laundering checks
In certain circumstances, where a CHESHIRE TRAFFORD client does not provide personal information which is required (for example, for us to carry out anti-money laundering checks), we will not be able to provide the products and services under our contract with them or may not be able to comply with a legal obligation on us. We will make it clear if and when this situation arises and what the consequences of not providing the information will be for the client.
PURPOSE OF DATA COLLECTION
We use the personal information we collect about CHESHIRE TRAFFORD clients for the following purposes:
• Verifying identity, checking transactions for anti-money laundering purposes, assisting in the prevention of fraud, terrorist financing, bribery and corruption and assisting us to not provide services to persons who may be subject to economic or trade sanctions;
• Managing their holdings on an on-going basis (including responding to their requests) and also enabling our Approved Counterparties to provide account management services (including the ability to view the client’s account or apply for new products);
• Provision of services in line with agreed terms and conditions between the client and CHESHIRE TRAFFORD;
• Provision of services in line with agreed investment agreement between the client and CHESHIRE TRAFFORD;
• Protecting our clients holdings and data;
• Providing clients with more choices or information about products and services which may be of interest to them
We justify our processing of clients’ personal information on the following legal bases:
• Performing a legal obligation to which we are subject, which may include certain legal or regulatory disclosures;
• Fulfilling our obligations under our contracts with clients;
• Performing a task in the public interest, for example where we are carrying out our verification processes in relation to the prevention of fraud, money laundering, terrorist financing, bribery and corruption and to prevent the provision of financial and other services to persons who may be subject to economic or trade sanctions;
• Pursuing our legitimate interests. A legitimate interest will apply only where we consider that it is not overridden by a client’s interests or rights which require protection of their personal information. We have determined that our legitimate interests include the following:
o Our compliance with our legal and regulatory requirements;
o Keeping our records up to date;
o The conduct of internal audits for the legitimate purposes of managing our business;
o Obtaining professional (including legal) advice and tracking and reporting on ongoing litigation involving clients to protect our business and our brand;
o The improvement and management of our client services;
• Where we process special data (in our case information on client health), our legal bases are in line with Article 9 (2) of the GDPR. For general health information, processing is necessary for the purposes of assessment of the working capacity of the employee. For the purpose of completing application forms for life insurance, the data subject will give explicit consent to the processing of that personal data
If an account holder or investor requires further information regarding our legitimate interests as applied to their personal information, they may contact the Data Protection Officer.
We also process personal information where an account holder or investor has provided consent, such as in the case of certain marketing communications, and the use of information in determining an individual’s status as a Politically Exposed Person for Know Your Client purposes. In the event that an account holder or investor wishes to withdraw their consent they should contact the Data Protection Officer.
PROVISION OF PERSONAL DATA TO THIRD PARTIES
Your personal information will only be shared with third party organisations from our Approved Counterparties list when required (for example, for legal obligations or regulatory requirements or in respect of the products and/or services you are provided with as a client of Cheshire Trafford).
Our services are enabled by third party organisations (typically product providers) who collect and use personal information in order to provide those services to you. They are known as our ‘joint data controllers’ under data protection law. This means that they have a separate responsibility to protect your personal information and will keep you informed about how your personal information will be used.
We will disclose CHESHIRE TRAFFORD clients’ personal information to our joint data controllers who are as follows:
• Companies that introduce business to us and are from our Approved Counterparties list in order to process the data for the above mentioned purposes;
• Other third parties who we consider Approved Counterparties who work on our behalf or for the CHESHIRE TRAFFORD client who provide technical services to process transactions on behalf of CHESHIRE TRAFFORD clients or related to the administration of their investments or to service or maintain accounts, such as product providers;
• A party representing an CHESHIRE TRAFFORD client (for example, in response to legal process);
• Competent authorities such as tax authorities, courts, regulators and security or police authorities where required or requested by law or where we consider it necessary
In the usual course of our business, we may use other third party organisations, known as ‘data processors’ under data protection law, to support the essential delivery of our services. These organisations process your personal information on our behalf.
These types of organisations are:
• Providers of business services such as auditors, consultants, advocates and/or insurers (to enable us to run CHESHIRE TRAFFORD efficiently);
• Providers of records management services such as secure disposal suppliers, and IT storage providers (to enable us to secure data efficiently);
• Providers of IT systems or services (to enable us to run CHESHIRE TRAFFORD efficiently);
• Companies you ask us to share your personal information with (upon your request)
When we share your information with our third party Approved Counterparties, our contractual relationship with them prevents them from using your information for any other purpose outside of our instructions to them. They may use their own third party data processors, but are always required to meet the same legal requirements as CHESHIRE TRAFFORD is. CHESHIRE TRAFFORD UK LTD will never share or sell your information to external companies for their own marketing purposes.
We will restrict the information as much as is possible and attempt to retain CHESHIRE TRAFFORD client data anonymity on a best endeavours basis. For example, although a product provider from our list of Approved Counterparties will have much of the personal data covered above as a joint data controller, if we are required to liaise with additional third parties (such as a transfer agent in the case of a fund transfer), we will only refer to the CHESHIRE TRAFFORD client by their reference number.
WEB-RELATED COLLECTION OF PERSONAL INFORMATION
We do not collect personal data or information from our website as it serves only to explain our services and offering and to provide our contact details. The website does not allow the user to input data.
We do not collect personal data or information from any social media sites such as Twitter, LinkedIn and Facebook.
Our website may contain links to online websites or content operated and maintained by third parties, over which we have no control. Please consult the privacy policies of these third-party sites to become familiar with their privacy practices and to learn about any choices that these companies may offer you with respect to your personal information.
Like many websites, the CHESHIRE TRAFFORD website uses ‘cookie’ technology. A cookie is a small text file which includes a unique identifier that is sent by a web server to the browser on your computer, mobile phone or any other internet enabled device when you visit an on-line site. Cookies are widely used to make websites work efficiently and to collect information about your online preferences. Our website utilises one cookie, named ‘__cfduid’. This cookie is used by the content network CloudFare to identify trusted web traffic and is an integral part of our website hosting. This cookie has no security impact on the site itself and is only used by CloudFlare for whitelisting specific users from security restrictions. It has a 12 month expiry.
We can only use your personal information to send you marketing messages if we either have your consent or a ‘legitimate interest’. As already covered, legitimate interest is when we have a business reason to use your information for marketing purposes (which will not unfairly go against your rights and freedoms). In the case of marketing, examples of legitimate interest are letting people know it is time their boiler was serviced or that they owe money on an overdue library book.
We may use your personal information to tell you about relevant products that we provide advice on or industry changes which may be relevant to your financial position. This is what we mean when we talk about ‘marketing’. We have a legitimate interest in keeping you updated on new products or services that may be of benefits to you, as this forms part of the fulfilment of our contract with you.
We will ask for your explicit consent to send you any other marketing messages. In any case, you can change your preferences by contacting us as described below.
We will not market to you based on legitimate interest if you have told us that you do not want to receive such marketing. You can ask us to stop sending you any marketing messages at any time. If you want to do so, please contact our Data Protection Officer at DataProtectionOfficer@Cheshire-trafford.co.uk or directly at: Cheshire Trafford UK Ltd, Capital House, Main Street, Lelley, East Yorkshire, HU12 8SN. Please note that if you tell us that you no longer wish to receive marketing from us, you will still receive essential service information, such as invitations for an annual review, which is a regulatory requirement imposed on financial advisors.
We will retain your personal information covered by this Notice for as long as required to perform the purposes for which the data was collected, depending on the legal basis on which that data was obtained and/or whether additional legal/regulatory obligations mandate that we retain the personal information. In general terms, this will mean that personal information will be kept for the duration of our relationship and:
• The period required by tax, company and financial services laws and regulations; and
• As long as it is necessary for individuals to be able to bring a claim against us and for us to be able to defend ourselves against any legal claims. This will generally be the length of the relationship plus the length of any applicable statutory limitation period under applicable law. CHESHIRE TRAFFORD adheres to the following retention period criteria as a minimum:
o Client information and records – at least 6 years after the date on which they are made or provided and 5 years following the end of the relationship;
o Transaction records – 5 years from the date of any particular transaction;
o Accounting information – 6 years from the accounting year end;
o Pension transfers, Pension opt-outs or Free-standing Additional Voluntary Contributions – records are kept indefinitely
In certain circumstances, data may need to be retained for a longer period of time, for example, where we are in ongoing correspondence, we are required to do so by a competent authority or there is a continuing claim or investigation.
Where a potential client is a prospect and decides that they do not wish to undertake business with CHESHIRE TRAFFORD, they will classified as NTU (Not Taken Up) and records will be retained for a minimum period of 5 years for the notification of NTU.
CONFIDENTIALITY AND SECURITY
We have implemented reasonable technical and organisational measures designed to secure personal information from accidental loss and unauthorised access, use, alteration or disclosure. Our employees are required to follow specific procedures with respect to maintaining the confidentiality of our investors’ personal information.
Additionally, we maintain physical, electronic, and procedural safeguards to protect the personal information that we process. This includes performing ongoing evaluations of our systems containing investor information and making changes when appropriate.
In the case of emails containing personal data, we will ensure that data is either redacted, password protected or encrypted. However, with regards to information transmitted via the internet, the internet is an open system and we cannot and do not guarantee or warrant the security of any information that an individual transmits to us.
INTERNATIONAL DATA SHARING
There may be occasions when the relevant approved introducing company who is the data controller will be a joint controller with Cheshire Trafford or another company from our Approved Counterparties list. Where the other company is based outside the EEA, then the data controller responsible for responding to requests to exercise your rights will be the relevant company set out at the end of this Notice. In all cases, any complaints and requests to exercise your rights should be addressed to the Data Protection Officer at DataProtectionOfficer@Cheshire-Trafford.co.uk or directly at: Cheshire Trafford UK Ltd, Capital House, Main Street, Lelley, East Yorkshire, HU12 8SN. The CHESHIRE TRAFFORD DPO will arrange for the responsible joint controller to handle the complaint or request.
We may also transfer and maintain your personal information covered by this Notice on servers or databases outside the European Economic Area (EEA).
We do not typically transfer data outside of the EEA, however we have transferred data to the following locations in the past and it is possible that we may be required to again in the future. This list in non-exhaustive: Australia, Bahamas, Bermuda, British Virgin Islands, Cayman Islands, Hong Kong, Isle of Man, Singapore, Switzerland, United Arab Emirates and the United States.
Some of these countries may not have the equivalent level of data protection laws as those in your location. If we need to transfer personal data outside the EEA, we will take steps to make sure your personal information is protected and safeguarded once it leaves the EEA, in particular, we will use the EU Data Protection Model Clauses approved by the European Commission and permitted under Article 46 of the GDPR. If you would like to obtain the details of such safeguards, you can request these from the Data Protection Officer.
In addition to sharing the information with our Approved Counterparties, we may disclose or transfer your personal information to a prospective or actual purchaser or transferee, in the event that a Cheshire Trafford company or its assets is/are merged or sold or a sale or transfer is intended.
BUSINESS CONTACT INFORMATION
We collect personal information from our business contacts, such as representatives of funds or financial products firms, including the following:
• Name, job title, profession, and contact details including email;
• Communications with our business contacts
How we use business contact information
We use personal information from our business contacts for the following purposes:
• To communicate about the services and products we utilise to gain insight for the service of our mutual clients;
• To resolve issues on behalf of our mutual clients;
• To liaise with our business contacts to arrange meetings;
• For internal analysis and research to help us improve our services;
• To communicate about the goods and services we obtain from our suppliers
We justify our processing on the following legal bases:
• Performing our obligations under our contracts with our clients;
• Pursuing our legitimate interests and those of our clients
A legitimate interest will apply only where we consider that it is not overridden by a business contact’s interests or rights which require protection of their personal information. We have determined that our legitimate interests include the following:
• The improvement and management of our services or offering;
• The promotion of our business and brand;
• The improvement of the overall performance of our business;
• Conducting internal audits for the legitimate purposes of managing our business;
If a business contact requires further information regarding our legitimate interests as applied to their personal information, they may contact the Data Protection Officer.
In certain circumstances, where a business contact does not provide personal information which is required, we will not be able to perform our obligations under the contract with them. We will make it clear if and when this situation arises and what the consequences of not providing the information will be for the business contact.
Recipients of Business Contact Data
We may disclose business contacts’ personal information as follows:
• To our Approved Counterparties in order to process the data for the above mentioned purposes;
• To custodians, dealing platforms and external third parties providing administration, transfer or asset management services and other third parties concerned with the services we provide to our clients;
• To third parties who work on our behalf to service or maintain business systems processing account information, such as suppliers of the IT systems which we use to process that information or who provide other technical services, such as printing;
• To third parties providing services to CHESHIRE TRAFFORD , such as its professional advisers (e.g. auditors and lawyers);
• To competent authorities such as tax authorities, courts, regulators and security or police authorities where required or requested by law or where we consider it necessary.
FREEDOM OF INFORMATION
CHESHIRE TRAFFORD UK LTD is not governed by the Freedom of Information Act as it is not a public authority.
HOW TO CONTACT US
If an individual wishes to exercise their individual rights, or to raise any questions, concerns or complaints concerning this Notice or on our privacy practices, they can contact us at the relevant address listed below or by email to DataProtectionOfficer@cheshire-trafford.co.uk. The individual should address the envelope as follows:
Data Protection Officer
Cheshire Trafford UK Ltd