Data Protection Privacy Notice
Please read this Privacy Notice carefully before providing us with any information about you or any other connected person. Where you provide information about another person, you should first obtain their consent to do so.
We have developed this Privacy Notice in accordance with the Data Protection Act 1998 and Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation or GDPR. Its purpose is to advise you of the personal information we may collect, for what purpose(s), how we will use it, the lawful basis under which we may do this and your rights under the GDPR.
- The categories of data subject to the provisions of the GDPR
‘Personal data’ (Article 4 of the GDPR) by which we mean information which identifies you as an individual, or is capable of doing so.
- Contact details and person responsible for Data Protection at Longspur Capital
We have a responsibility to ensure that your personal information is processed in accordance with this Privacy Notice and the above Regulations.
If you would like to discuss anything in this Privacy Notice, please contact the Compliance Director who is the person responsible for Data Protection within the firm. You may contact her in writing at 20 North Audley Street, London W1K 6WE, by telephone on 020 3397 7422, or by email to firstname.lastname@example.org.
- The personal data we may collect and the purposes for this.
We process the following personal data on the legal basis of Legitimate Interests, and the information below sets out further details on this processing. We may obtain personal data from you and, with your authority, from credit referencing agencies, your authorised representatives and other providers of products or services to you.
To provide you with financial services, we may use the following personal data:
- Contact information, such as home address, telephone number and email address
To respond to a complaint or claim we may use the following personal data
- Personal information provided by you or third parties
- Recordings of telephone calls between us
- Letters, reports and any other correspondence between us or with third parties
To provide you with general information from or about us, we may use the following personal information:
- Contact information, such as name, home address, telephone number and email address. We will only communicate matters relating to the firm and the services we may provide to you.
To evaluate or monitor the competence of staff and suitability of services we may use the following personal data
- Personal information provided by you or third parties on your behalf
- Recordings of telephone calls between us
- Letters, reports and any other correspondence between us or with third parties on your behalf
To monitor and maintain our website, we may monitor and retain the following personal data
- All computers that are linked to the Internet have an Internet Protocol (IP) number. Our website logs your IP number when you visit it. An IP number does not provide identifiable personal information on its own but there are facilities to look up IP numbers and establish the owner so this is treated by us as personal information.
We process the following personal data on the legal basis of Legal Obligation, and the information below sets out further details on this processing.
To meet our obligations to the UK Money Laundering Regulations, we may use the following personal data
- Passport or driving license details
- Your home address
- Financial information such as occupation, income and source of wealth
- Data Sharing
We may share information with third parties where this is necessary to enable us to provide our services to you or to allow us to comply with our legal or regulatory obligations. We will not share your data with any third party for marketing purposes. The classes of third parties with whom we will share your personal data, and the reasons for this, are as follows.
- IT systems and support, paper archives, electronic records, recorded telephone calls
We outsource our IT hardware and systems support. Certain operating and record keeping systems are provided by third parties. These third parties may have access to data for support, service, backup and trouble-shooting purposes. We have agreements in place with these third parties to restrict their access to and use of this data.
Financial services regulators, Financial Ombudsman, government and law enforcement agencies
These entities have a legal right to access our records and we have a legal obligation to disclose any information we hold in certain circumstances.
Credit reference agencies, fraud prevention agencies and related service providers
In order to meet our obligations in respect of The UK Money Laundering and Proceeds of Crime Regulations we may, with your consent, use a third party electronic verification system to verify your identity. This is undertaken as part of the initial client appointment, and may be repeated at any time for the duration of the service(s) we provide to you.
We may have to share information with tax authorities, either directly with overseas authorities or via Her Majesty’s Revenue and Customs who may share that information with the appropriate tax authorities abroad.
Our professional advisers and insurers
Our appointed auditors, lawyers, accountants, other professional advisers and insurers may require access to the client information we hold in order to provide us with advice or insurance.
Your professional advisers and representatives
We may share information with your lawyers, accountants and other professional advisers if you request this. We may also share information with persons such as a Power of Attorney, Trustee, Executor or personal representative.
Analysis of traffic using our website may be undertaken by selected third parties on our behalf.
We may transfer our records to a third party as part of a sale or transfer of some or all of the business to a regulated third party.
Data transfers outside of the EU
We may share personal data outside of the EU where it is necessary to deliver the service we are providing. Where data is shared outside of the EU, we have a regulatory obligation to only transfer to States with an ‘equivalent’ standard of data protection and to have in place a data transfer agreement to protect the security and management of the data being transferred.
- The lawful basis upon which we process personal data and what this means
Part 3 includes the lawful basis upon which we process personal data and the following is a brief explanation of what this means.
The Lawful basis under EU directive 2014/65/EU Article 6, 1(f) Legitimate Interests means the processing is necessary, without your explicit consent, for the legitimate business interests of Longspur Capital, unless these interests are overridden by your interests or fundamental rights. Our legitimate business interests are explained in Part 2 of this privacy notice.
You have the right to object to us processing your personal data on the lawful basis of legitimate interests, but to do so may mean that we are unable to provide services to you. If you wish to object, please use the contact details in Part 1 to do so.
- The retention periods for personal data
The retention period for personal data varies, depending on our regulatory obligations and complaints time barring rules. The table below shows the various retention periods, and relates to all forms of records such as paper, electronically stored records, emails and recorded telephone calls.
Records relating to: Retention Period
- Client agreements and Terms of Business: The duration of the agreement plus fifteen years
- Transactional records: Indefinitely
- Complaints: Indefinitely
- Your rights as a data subject
The GDPR provides you with the following rights in relation to your personal data processed by us:
The right to be informed
You have the right to be informed how your data will be processed and of your rights. The required information is provided in this Privacy Notice.
The right of access
You have the right to obtain confirmation that your personal data is being processed and have access to this. When requested by you, we must provide you with a copy of the information free of charge within one month. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive. We may also charge a reasonable fee to comply with requests for further copies of the same information. Data access requests should be submitted using the contact details in Part 1 of this Privacy Notice.
The right to rectification
You are entitled to have personal data rectified if it is inaccurate or incomplete. We must respond to a request for rectification within one month. This can be extended by two months where the request for rectification is complex. Data rectification requests should be submitted using the contact details in Part 1 of this Privacy Notice.
The right to erasure
You may request the deletion or removal of your personal data where there is no compelling reason for its continued processing. We may, however, decline the request where we have a legal or regulatory obligation to retain the data, or where it is being used in the exercise or defence of a legal claim. In such circumstances we will write to you explaining our reasons for declining your request for the data to be erased. Data erasure requests should be submitted using the contact details in Part 1 of this Privacy Notice.
The right to restrict processing
You have a right to ‘block’ or suppress the processing of your personal data. When processing is restricted, we are permitted to store the personal data, but not to further process it. Data suppression requests should be submitted using the contact details in Part 1 of this Privacy Notice.
The right to data portability
Individuals generally have the right to data portability. However, this only applies to personal data where the processing is based on the legal basis of consent or for the performance of a contract; and it is carried out by automated means. This right does not apply to your personal data that we process, as this is processed on the legal basis of Legitimate Interests and processing is not carried out by automated means.
The right to object to processing or withdraw consent
You have the right to object to your data being processed on the legal basis of Legitimate Interests and the right to object to direct marketing and data profiling. You also have the right to withdraw consent for us to process your information concerning health. Objections to, or withdrawal of consent for, data processing should be submitted using the contact details in Part 1 of this Privacy Notice.
The right to remedies, liabilities and penalties
You have the right to report any concerns you have about the way we have processed your personal data to the Information Commissioner’s Office. You may do this online at https://ico.org.uk/concerns/handling or in writing to Information Commissioner’s Offices at Wycliffe House’ Water Lane’ Wilmslow, Cheshire, SK9 5AF (telephone 0303 123 1113) or 45 Melville Street, Edinburgh, EH3 7HL (telephone 0303 123 1115).
- The GDPR Principles
The GDPR Principles apply to all entities that control or process personal data on EU citizens and form the basis for this privacy notice. The Principles require that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.