Greenleys Merchant Bank LLP (“GMB”) is committed to protecting the privacy of any “personal data” (also referred to as personal information) it receives or obtains during the course of its business activities. GMB is a “data controller” and registered with the UK Information Commissioner’s Office with registration number ZA080489. This means that we are responsible for deciding how we hold and use personal data.
- what personal data is;
- how we collect personal data
- why we collect personal data;
- how we use personal data;
- how we protect personal data; and
- your rights in relation to the personal data we have about you.
WHAT IS PERSONAL DATA?
Personal data (also referred to as personal information) means any information about an individual from which the individual can be identified. This might include (amongst other things): the individual’s contact details, e-mail address, other address details, telephone number, date of birth, bank account details and/or passport details.
GMB is required by law to ensure that any personal data must be:
- used lawfully, fairly and in a transparent way;
- collected only for valid purposes that we have clearly explained to you;
- relevant to the purposes we have told you about and limited only to those purposes;
- accurate and kept up to date;
- kept only as long as necessary for the purposes we have told you about; and
- kept securely.
It is unlikely that GMB will obtain “sensitive personal data” (namely, data considered to be of a particularly sensitive nature – eg. details relating to an individual’s health or criminal record) from its clients, suppliers or other third parties. Such “sensitive personal data” requires higher levels of protection and GMB would require justification for collecting, storing and using this type of sensitive personal data. In the event that GMB does request or obtain such sensitive personal data, GMB would be able to process such data in limited circumstances – for example (i) with your explicit consent or (ii) where we need to carry out our legal and/or regulatory obligations (eg. for our “know your client” (KYC) and anti-money laundering (AML) compliance checks).
HOW DO WE COLLECT PERSONAL DATA?
We collect information from clients, suppliers and other third parties during the course of our business activities. Most of that information typically relates to business organisations with whom we interact and may not therefore contain personal data.
Nevertheless, it is likely that you will provide us with your own personal data if you are dealing with any of GMB’s personnel or representatives. An example of this would be if you engage GMB to provide services for you in your personal capacity (eg. as a high net worth individual) or, more likely, as a representative of a business organisation (eg. as its owner, director, officer or employee) with whom GMB interacts.
It is also possible that you will provide GMB with the personal data of other individuals either from within your business organisation (eg. your colleagues, your directors, owners) or from your own clients or business partners. When you provide GMB with any personal data of other individuals, GMB will be relying on you (and will assume) that any such personal data you give to GMB is given lawfully by you in accordance with applicable data protection and privacy law.
GMB will typically receive personal data in the following circumstances, whether electronically, in person or by post or otherwise:
- when you make contact with GMB personnel (eg. by sending an email to us);
- when you provide GMB personnel with your contact details (eg. business card);
- when you provide information in relation to our “know your client” (KYC) and/or anti-money laundering (AML) compliance checks about the identity of an organisation’s owners or officers (eg. copies of passports, recent utility bills or bank statements);
- when you engage GMB or any of GMB’s affiliates to perform services for you or your organisation; and/or
- in general correspondence with us when you provide us with information about transactions in which you wish to engage GMB’s services.
If you fail to provide certain personal data when requested, we may not be able to perform services for with you or your organisation (such as making payments to third parties), or we may be prevented from complying with our legal obligations (such as completing our “know your client” (KYC) and/or anti-money laundering (AML) compliance checks).
We also may obtain personal data about you or your organisation from other sources. For example, from information that is publically available about you or your organisation, or from your organisation’s website, other websites and/or other forms of social media. In many countries, certain information about businesses is also available to the public from regulatory authorities or government bodies (whether by way of access to their websites or by other forms of request from the particular regulatory authority). Examples of this would include personal data available from UK Companies House concerning the officers or shareholders of a company or personal data available from the UK Financial Conduct Authority (the FCA) about individuals authorised by the FCA.
Your duty to inform us of changes: It is important that the personal data we hold is accurate and current. Please keep us informed if your personal data (or if the personal data you have provided to us relating to other individuals) changes during your relationship with us.
WHY DO WE COLLECT PERSONAL DATA?
GMB uses personal data for the following purposes:
- to provide its services to its clients and other third parties;
- to comply with reporting, legal and/or regulatory requirements (eg. for the purposes of our “Know Your Client” (KYC); “Onboarding” due diligence assessments about you or your business organisation and/or anti-money laundering (AML) compliance checks);
- to carry out our obligations arising from transactions undertaken with or for you (eg. to make payments to clients, suppliers and other third parties);
- to pursue its legitimate business interests;
- for internal analysis and research in order to facilitate the provision of the services to you; and/or
- to offer you additional investment products or services (except where you have asked us not to).
Such personal data may be stored electronically or in hard copy form.
Subject to applicable laws, GMB also monitors and records telephone calls for regulatory compliance purposes.
HOW WE USE PERSONAL DATA
Most commonly, we will use personal data in the following circumstances:
- where we need to perform the contract we have entered into with you;
- where we need to comply with a legal and/or regulatory obligation (eg. in connection with UK Financial Conduct Authority (FCA) requirements, anti-money laundering (AML) compliance checks or otherwise);
- to carry out our obligations arising from transactions undertaken with or for you (eg. to make payments to clients, suppliers and other third parties);
- for internal analysis and research in order to facilitate the provision of the services to you;
- to offer you additional investment products or services (except where you have asked us not to); and/or
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
We may also use your personal data in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest or for official purposes.
Some of the above grounds for using or processing personal data will overlap and there may be several grounds which justify our use of such personal data.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Individuals will not ordinarily be subject to decisions that will have a significant impact on them based solely on “automated decision-making” (where an electronic system uses personal data to make a decision without human intervention), unless GMB has a lawful basis for doing so and we have notified you.
Sharing personal data
When and why might GMB share personal data with other GMB affiliates?
GMB will share personal data with its affiliated GMB companies where such affiliates share common legitimate business interests, business and administrative operations and requirements due to the size of GMB’s organisation. Such business operations and activities include, inter alia:
- operational and administrative activities (eg. necessary for payment purposes);
- the production and maintenance of accounting information (whether for the purpose of management accounts, necessary account reporting and/or regulatory reporting requirements, or otherwise);
- the use (and maintenance) of a suitable and secure IT system, both in connection with the exchange of information between GMB and its affiliates and in connection with the storage or hosting of such information;
- business reorganisations or group restructuring exercises;
- the marketing of business activities (eg. the production of marketing or research material, identifying marketing opportunities and communications with clients, or potential clients, in relation to such activities); and/or
- the use of office facilities and the physical storage of information at the premises.
When and why might GMB share personal data with third parties (who are not GMB affiliates)?
Subject to applicable data protection law, we may share personal data with third parties (who are not GMB affiliates): (i) where required by law or regulatory requirement; (ii) where it is necessary to administer the working relationship with you; or (iii) where we have another legitimate interest in doing so. “Third parties” include, inter alia, third-party service providers, for example those who provide IT services and/or cloud based customer relationship management (CRM) applications to GMB and/or GMB’s affiliates.
Our third-party service providers are required to take appropriate security measures to protect the confidentiality and processing of personal data in line with our policies.
GMB may also share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business.
Transferring information outside the European Economic Area (EEA)
We may transfer the personal data we collect outside the European Economic Area (the EEA consists of all Member States of the European Union, together with Iceland, Liechtenstein and Norway):
- in order to perform our contract with you; or
It is possible that certain countries to which we transfer personal data may not be deemed to provide an adequate level of protection for your personal data. You consent to such transfer of personal data to a country or territory outside the EEA.
HOW WE PROTECT PERSONAL DATA
GMB is committed to protecting the privacy of any personal data. We have put in place appropriate security measures and training to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal data to those GMB personnel, employees, agents, contractors and other third parties who have a business need to know.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Third parties will only process your personal data on our instructions and where they have confirmed to GMB that they will treat the information confidential, keep it secure and process such data in compliance with applicable data protection legislation.
How long will GMB use personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We will retain personal data for as long as you use the services and then for up to seven years, subject to legal or applicable regulatory requirements.
WHAT ARE YOUR RIGHTS IN RELATION TO THE PERSONAL DATA?
Under certain circumstances, by law you have the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Before providing you with details of the personal data we may hold (in response to you making a data subject access request), we will seek specific information from you to help us confirm your identity and ensure your right to access the information. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Right to withdraw consent
WHO TO CONTACT?
Certain organisations are required to designate a Data Protection Officer (“DPO”). Such a DPO (who can be appointed internally from within the organisation or be an external appointment) should be able to operate independently and must be professionally qualified and have expert knowledge of data protection law, data protection practices and all matters relating to data protection (including sufficient technical IT matters where applicable). Determination of whether an organisation is under a mandatory obligation to appoint a DPO is made on the basis of the organisation’s data processing activities.
GMB’s management has assessed and determined that GMB is not such an organisation, by virtue of GMB neither being: (A) a public authority or body; nor (B) an organisation whose core activities consist of: (i) the regular and systematic monitoring of data subjects on a large scale; or (ii) large scale processing of sensitive personal data and personal data relating to criminal convictions and offenses. GMB management does not consider that a DPO is currently required – even on a voluntary basis.
GMB management is satisfied that the policies and procedures it has put in place are sufficient for its business activities and the protection and processing of personal data. GMB management will continue to make an assessment of its policies and procedures on a regular basis.
• In writing to our office address:
The Compliance Officer
Greenleys Merchant Bank LLP
50 Sloane Avenue
• By Email:
You also have the right to make a complaint at any time to the UK Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.