Privacy Notice
Introduction
We respect privacy and your rights to control your personal data. Our principle guidelines are simple. We will be clear about the data we collect and why. We do not and will not sell your data to Third Parties. This Privacy Notice describes why and how we collect and use your personal data and provides information about your rights. It applies to personal data provided to us, both by individuals themselves or by others. We may use personal data provided to us for any of the purposes described in this Privacy Notice, or as otherwise stated at the point of collection.
In this Privacy Notice, your information is sometimes called “personal data” or “personal information”, and is any information relating to an identified or identifiable living person. We also sometimes collectively refer to handling, collecting, protecting or storing your personal information as “processing” such personal information. We process personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.
When collecting and using personal data, our policy is to be transparent about why and how we process personal data. To find out more about our specific processing activities, please go to the relevant sections of this Notice.
The contents of this document apply wholly to data subjects residing within the European Economic Area (EEA). Data subjects residing outside of the EEA will receive the same levels of protection of their personal data wherever practical to do so.
Who We Are
This Privacy Notice is issued by London & Colonial Services Ltd (collectively referred to as “we”, “us”, and “our” and “London & Colonial” in this Privacy Notice), and relates to one or more of its subsidiary firms that may process your personal information. For further details or to get in touch with us, please visit https://www.londoncolonial.com/contact-us/
We gather and process your personal information in accordance with this Privacy Notice and in compliance with the relevant data protection Regulation and Laws. This Notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.
Please note, that this notice does not apply to London & Colonial Assurance PCC PLC (LCA), or London & Colonial (Trustee Services) Ltd (LCTS). Their privacy notice can be found at http://info.stmgroupplc.com/privacy-notice/
Information That We Collect
We process your personal information to meet our legal, statutory and contractual obligations and to provide you with our products and services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this Notice.
We may collect and use some or all of the following types of personal data about you and, in some circumstances, your spouse, civil partner, partner or dependents:
- Your full name, address and contact details;
- Your date of birth;
- Your gender;
- Your National Insurance Number;
- Your employment details;
- Details of your bank account; and
- Information about your health.
You may also need to provide us with personal data relating to other people. When you do so, you will need to check with them that they are comfortable for you to share their personal data with us, and for us to use it in accordance with this Privacy Notice.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.
We may collect information in the below ways:
- You may provide information directly to us;
- Third Parties may provide personal information to us; and
- We may also capture certain personal data to meet our legal, statutory and contractual obligations.
How We Use Your Personal Data
We take your privacy very seriously and will never disclose, share or sell your data without your consent; unless required to do so by Law. We only retain your data for as long as is necessary and for the purpose(s) specified in this Notice. Most commonly, we will use your personal data in the following circumstances, and on the following legal basis:
- In the performance of the contract we have entered into with you; data is processed in order to service and administer your self-invested personal pension
- It is in our legitimate interest to process your personal data; we will, on occasions, process the data beyond the needs for performance of a contract or for compliance with a legal obligation. This will be completed on the understanding that it is our legitimate interest to process the data in this way. For example, using your data for risk based analysis
- When we collect and use certain special categories of personal data with your express consent; where this lawful basis is relied upon, you may withdraw your consent to us processing this data at any point
- Where we need to comply with a legal obligation; we are subject to various statutory requirements, such as the Money Laundering Regulations, the Financial Services and Markets Act 2000, MiFID, and many various tax laws, as well as being regulated by the Financial Conduct Authority and The Pensions Regulator. We therefore have a number of obligations, including identity and age checks, fraud and money laundering prevention, and fulfilling control and reporting obligations.
We may less often also need to use your information to establish, exercise or defend our legal rights.
Your Rights
You have the right to access any personal information that we process about you, and to request information about:
- What personal data we hold about you (commonly known a “data subject access request”);
- The purposes of the processing;
- The recipients to whom the personal data has/will be disclosed;
- How long we intend to store your personal data for; and
- If we did not collect the data directly from you, information about the source.
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.
You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws; as well as to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object on those grounds. In addition, you have the right to data portability of your information and the right to be informed about any automated decision-making we may use.
If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request. This is to ensure that your data is protected and kept secure.
We will respond using the commonly used electronic form unless you specifically request otherwise, or we are required to use a specific mode of communication. If you are requesting an alternative method, there may be an additional charge for this. When requested, and provided that it is practical and commercially feasible to comply with the request and there is no legal or regulatory need for us to keep the information, we will delete identifying information from current operational systems.
Sharing and Disclosing Your Personal Information
On occasions, we will share your personal information without your consent, in line with the purposes specified in this Notice or where there is a legal requirement. There are three main groups that we are likely to share your personal data with:
- The STM Group – London & Colonial, as a subsidiary of the STM Group, will share your data with other group entities where required. In order to keep administration costs low, a number of specialist resource areas (such as legal, sales, and marketing) are shared across the group and will on occasions require data to be shared between entities for the performance of these shared services.
- External Parties – We will transfer data to external parties, such as investment platforms and Financial Adviser’s in order to fulfil our contractual obligations. We may also need to share data with the Financial Conduct Authority, and other regulators when required to do so.
- Service Providers – Data may be transferred to service providers appointed by us. London & Colonial have ensured that all service providers treat your data securely, and in compliance with the EU General Data Protection Regulation (GDPR). Service providers will only process a data subject’s information in accordance with instructions from London & Colonial as the controller.
Transfers Outside the EEA
We utilise specific Information Technology services that are hosted/stored outside the EEA. Therefore, when you use our services, the personal information you submit may be stored on servers which are hosted outside the EEA. GDPR allows us to transfer your personal data to countries declared 'adequate'; and with the USA we verify that the provider adheres to the EU-U.S. Privacy Shield Framework
In addition, there may be other instances where we are required to transfer data outside of the European Union. This will only happen so long as:
- It is necessary for carrying out your instructions (such as placing investments overseas)
- It is required by law (such as reporting to state bodies overseas)
- You have given us your consent to transfer data.
Should we be required to transfer your data outside of the EEA for any of the above reasons, it is a requirement that an appropriate contract containing the required model clauses is in place between us and the recipient of your data prior to providing them with your personal data, This will ensure that their data protection standards meet, as a minimum, the same level of protection afforded to data subjects by GDPR.
How Long We Keep Your Data
We only ever retain personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. To determine the retention periods, we will take into consideration what is reasonably and to comply with our legal obligations. In order to comply with our legal and regulatory obligations, we have chosen to hold your data on our accessible ‘live’ systems for 12 years from the date that you cease being a client of ours.
To maintain our IT infrastructure, we hold backup data files for a further three years. These data files can only be accessed by restoring the full back up onto our systems. Should you exercise your right to be forgotten and your data is subsequently restored, we have developed processes and controls to ensure that your data is immediately removed from our live system.
Therefore your data will be held on our system for a maximum period of 15 years from the date you cease being a client of ours.
Lodging a Complaint
We only process your personal information in compliance with this Privacy Notice and in accordance with the relevant data protection laws. We hope that you won’t ever need to, but if you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, please contact our Data Protection Officer in the first instance:
STM Group PLC
Data Protection Officer
c/o London & Colonial
Rockwood House, 9-17 Perrymount Road, Haywards Heath, West Sussex RH16 3TW
dataprotection.office@stmgroupplc.com
You also have the right to lodge a complaint with the relevant local supervisory authority. For further information on your rights and how to complain to the supervisory authority, please refer to their website, which can be; accessed via https://ico.org.uk/global/contact-us/.
Changes to Our Privacy Notice
This statement is subject to regular review and may be updated from time to time. We will inform you if we make any substantial changes to how we use with your personal data.
This policy was last updated on 17 June 2019.