Definitions
Company: means 'FCS Compliance Ltd'.
GDPR: means the EU General Data Protection Regulation 2016, as saved
into United Kingdom law by virtue of section 3 of the United
Kingdom's European Union (Withdrawal) Act 2018, and the UK Data
Protection Act, 2018.
Responsible Person: means James Golfar.
Register of Systems: means a register of all systems or contexts in
which personal data is processed by the Company.
All defined terms not defined specifically in this document have the
same meaning as in the GDPR.
1. Introduction
This Data Protection Policy sets out how the Company ("we", "our", "us")
handles your personal data. The Company respects your privacy and is
committed to protecting your personal data. This Data Protection Policy
will inform you as to how we look after your personal data as clients of
the Company and tell you about your privacy rights and how the law
protects you.
2. Data protection principles
The Company is committed to processing data in accordance with its
responsibilities under the GDPR.
As an organisation we must make sure that we:
a) are legally entitled to process the information under data protection
law ("lawful grounds");
b) are transparent with individuals about what personal data we process
and why ("transparency");
c) do not use personal data for any purpose other than for which it is
collected ("purpose limitation");
d) collect the minimum personal data needed for the purpose it is
collected ("data minimisation");
e) keep personal data accurate and up to date ("accuracy");
f) respect an individual's data subject rights ("data subject rights");
g) keep personal data secure both when using it internally and when
sharing it with third parties ("security");
h) only transfer data outside of the UK (or allow access to it from
outside of the UK) if we have put in place appropriate data transfer
arrangements ("data transfers");
i) build data protection compliance (i.e. compliance with the above
principles) by way of implementing appropriate technical and
organisational measures into any new project that involves personal data
processing or new use of personal data ("data protection by design");
and
j) can demonstrate compliance with data protection principles
("accountability").
3. General provisions
a) This policy applies to all personal data processed by the Company.
b) This policy shall be reviewed at least annually.
4. Lawful, fair and transparent processing
a. To ensure its processing of data is lawful, fair and transparent, the
Company shall maintain a Register of Systems.
b. The Register of Systems shall be reviewed at least annually.
c. Individuals have the right to access their personal data and any such
requests made to the Company shall be dealt with in a timely manner.
5. Lawful purposes
a. All processing of data by the Company must be done in accordance with
one of the following lawful bases as appropriate: consent, contract,
legal obligation, vital interests, public task or legitimate interests.
The lawful bases we principally rely on are the following:
b) Contract: Where we process personal data to fulfil a contractual
arrangement with the client. We will process personal data to allow
regulated firms who are clients of the Company to undertake Customer Due
Diligence and therefore comply fully with their legal obligations in
relation to the Legislation, namely the Money Laundering, Terrorist
Financing and Transfer of Funds (information on the Payer) Regulation
2017.
Data will be collected from when you first request information from FCS
Compliance, book to attend training or an event, provide us with your
business card or purchase any service and become a client. When you
order services from FCS Compliance, you may be asked for further data
such as your banking details.
c) Consent: This is where we have asked you to provide explicit
permission to process your personal data.
In those circumstances where it is necessary to rely on consent we will
make sure that consent is:
i) Given affirmatively (such as ticking a box or signing a document) –
we cannot rely on 'inaction' as a way of obtaining consent (e.g., no
pre-ticked boxes);
ii) Freely given and retractable at any time – it must be as easy to
withdraw as to give consent;
iii) Not 'tied' or 'bundled' i.e. conditional on accepting
services/offers; and
iv) Documented so we demonstrate we have obtained consent lawfully.
Where consent is relied upon as a lawful basis for processing data,
evidence of opt-in consent shall be kept with the personal data.
d) Where communications are sent to individuals based on their consent,
the option for the individual to revoke their consent should be clearly
available and systems should be in place to ensure such revocation is
reflected accurately in the systems.
e) Legitimate interests: Your personal data may be used to send you, by
post or by email, any FCS Compliance publications including updates and
renewal reminders. We will require you to supply an email address for
confirmation and administration purposes; however, when capturing your
email address you may also be offered the chance to opt-in to receive
other email promotional communications. If you do not ask to be sent
these communications, you will only receive email for administration
purposes.
Your data may also be used by FCS Compliance for other marketing,
advertising and promotional purposes where we will personalise and
improve your experience in doing business with us. These promotions may
advertise FCS Compliance's events, training or other services. You may
opt out of any such future usage by contacting us on +44 (0)207 924
7979.
You may at any time opt out of any future FCS Compliance communication,
digital or non-digital, promotional or non-promotional. If you wish to
opt out of receiving postal communications, please contact us on
+44 (0)207 924 7979. To opt out of email communication, you can also
use the 'Unsubscribe' links provided.
6. Data minimisation
a) The Company shall ensure that personal data is adequate, relevant and
limited to what is necessary in relation to the purposes for which it
is processed.
7. Data sharing with third parties
a) In order to assist with certain aspects of the CDD process, e.g.
verification of documents, Politically Exposed Persons and Financial
Sanctions, the Company will utilise the services of the online
verification company W2 Global Data. The Privacy Policy of this third
party can be found at: w2globaldata.com/privacy-policy.
b) Unless obliged to do so by law, FCS Compliance will not sell, rent,
lease or otherwise share your personal data with other third parties,
unless you have provided your specific, positive and unambiguous
consent.
c) If personal data of an individual is shared with a third party or a
third party shares personal data with the Company, we will make sure
that a mechanism is in place to communicate with each other about any
requests to restrict, delete or correct personal data unless this would
be impossible or involve disproportionate effort.
8. Accuracy
a) The Company shall take reasonable steps to ensure personal data is
accurate.
b) Where necessary for the lawful basis on which data is processed,
steps shall be put in place to ensure that personal data is kept up to
date.
9. Archiving
a) To ensure that personal data is kept for no longer than necessary,
the Company has put in place an archiving policy for each area in which
personal data is processed and reviews this process annually.
b) The archiving policy sets out what data should/must be retained, for
how long, and why.
c) At the date of drafting this Policy any record or personal data
accumulated as a result of undertaking the CDD process on behalf of a
third party shall be destroyed within 7 days of providing the third
party with the information.
10. Security
a) The Company ensures that personal data is stored securely using
modern software that is kept up to date.
b) Access to personal data shall be limited to personnel who need access
and appropriate security should be in place to avoid unauthorised
sharing of information.
c) Personal data will not be shared with anyone or any organisation
(including our service providers) unless appropriate contractual
arrangements have been put in place or the disclosure is otherwise
permitted under data protection law.
d) If personal data is collected for a particular purpose, we will
always consider whether we could achieve the same purpose with
anonymised data. If not, wherever possible personal data will be
pseudonymised (i.e. masked, hashed or otherwise concealed) and/or
encrypted. The more confidential the information the higher the security
standards will need to be to protect it.
e) When personal data is deleted this should be done safely such that
the data is irrecoverable.
f) Appropriate back-up and disaster recovery solutions shall be in
place.
11. Data transfers
As mentioned above, personal data will not be transferred outside of the
UK, unless the transfer is:
a) To a country approved by the UK (and/or to the extent relevant EU)
authorities as having adequate data protection laws to protect the
personal data; or
b) To an organisation that has entered into a data transfer agreement
with us (based on UK and/or to the extent relevant an EU supervisory
authority's approved standard contracts); or
c) To an organisation that has its "binding corporate rules" for the
relevant type of data approved by the UK Information Commissioner's
Office and/or to the extent relevant the EU supervisory authority.
12. Data protection design and accountability
a) We will build data protection compliance into our processes and
systems from the outset of any new processing activity and during the
life cycle of the relevant data processing activity.
b) The GDPR requires us to document how we comply with our data
protection obligations (this is referred to as accountability). We do
this on an ongoing basis through our Register of Systems, during
compliance audits and/or when our data protection policies or procedures
require us to document our compliance steps.
13. Cookies
A cookie is a small piece of data that is sent from our web server to
your browser when you visit www.fcscompliance.co.uk. It is stored on
your hard drive. There are several types of cookie that are used to keep
track of information needed by a site user as they travel from page to
page within a website.
Other types of cookie can be used to track internet activity after the
user has left a website. These are normally facilitated by organisations
external to the website being visited and are generally known as 'third
party' cookies. These usually have a long lifetime with several months
being quite common. They are "harvested" and "refreshed" whenever the
user visits a page where the same or a similar cookie is being used.
We use cookies to offer you a better user experience, and we may also
include elements that set cookies on behalf of a third party – for
example a "Like" button from Facebook or a "Tweet" button from Twitter.
We also use Google Analytics to measure and analyse visitor information
related to our website. For that purpose, your IP address, internet
traffic data and data on your browser type and PC are collected. We will
not use any of this data to identify you personally; it is used only to
monitor and improve FCS Compliance and its website.
You can review the options available to manage cookies in your browser
and you may revoke your consent at any time via the options available in
your browser. Internet browsers normally accept cookies by default, but
it is possible to set a browser to reject cookies. If this is done it is
important not to exclude the benign and useful cookies. Choose an option
that rejects all third party and long-lived cookies. Different browsers
use different ways to disable cookies, but they are usually found under
a Tools or Options menu. You can also consult the browser's help menu.
FCS Compliance actively reviews ICO guidance to ensure ongoing
compliance with the ICO's recommendations and best practices in relation
to cookie policies. This will ensure you are able to prevent information
about your visit to our website being collected, if you wish. Further
information on cookies can be accessed here: www.allaboutcookies.org.
14. Breach
In the event of a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or
access to, personal data, the Company shall promptly assess the risk to
data subjects' rights and freedoms and if appropriate report this breach
to the ICO and/or the data subject (more information on the ICO
website).
FCS Compliance reserves the right to modify, alter or otherwise update
this Policy at any time. For further Terms and Conditions, please visit:
www.fcscompliance.co.uk/terms-and-conditions/.
FCS Compliance is registered with the Information Commissioner's Office:
Reg no: ZA498569
Data subjects' rights
Unless subject to an exemption under the GDPR, you, as a data subject,
have the following rights with respect to your personal data:
a. The right to request a copy of your personal data which we hold about
you;
b. The right to request that we correct any personal data if it is found
to be inaccurate or out of date;
c. The right to request your personal data is erased where it is no
longer necessary for us to retain such data;
d. The right to withdraw your consent to the processing at any time
where consent is relied on by us as a processing condition;
e. The right to request that we provide the data subject with his/her
personal data and where possible, to transmit that data directly to
another data controller (known as the right to data portability), where
applicable;
f. The right, where there is a dispute in relation to the accuracy or
processing of your personal data, to request that a restriction is
placed on further processing;
g. The right to object to the processing of your personal data (where
applicable);
h. The right to lodge a complaint with the Information Commissioner's
Office.
Contacts and further information
For questions and complaints from individuals about our processing of
their personal data or requests from individuals seeking to exercise
their data subject rights, please refer to:
The Contact Person
James Golfar
James.golfar@lonres.com
020 7924 7979
This is without prejudice to the right of individuals to make a
complaint to the Information Commissioner's Office (www.ico.org.uk) or
the data protection supervisory authority in the EU country in which you
live or work where you think that we have not complied with data
protection laws.
Further information in relation to all of the above can be found on the
ICO's website: https://ico.org.uk/
END OF POLICY
Last updated 17th November 2022