Compliance

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

Introduction

At UNINVEST INVESTMENT SOLUTIONS, herein below called as “UNINVEST”, we are committed to protecting your privacy. We’ve updated our Privacy Policy to reflect upcoming changes in data protection law.

UNINVEST has created the following Privacy Policy to let you know what information we collect when you visit our site and use our services, why we collect it and how it is used and stored. This Privacy Policy explains the data collection and use practices of the UNINVEST website; it does not apply to other online or offline UNINVEST sites, products or services. The terms “you,” “your,” and “yours” refer to the customer/purchaser utilizing the UNINVEST website. The terms “UNINVEST – CORPORATE TAX CONSULTANCY LTD”, “we,” “us,” and “our” refer to UNINVEST. The term “our website” refers to www.uninvest.co.uk. By using this website, you consent to the data practices described in this statement. We may periodically post changes to this Privacy Policy on this page. It is your responsibility to review this Privacy Policy frequently and we encourage you to visit this page often.

In accordance with our commitment to protect personal privacy, UNINVEST adheres to the principles of the EU General Data Protection Regulation.

Throughout this policy, we use the term “personal information” to describe information that can be associated with a specific person and can be used to identify that person. We do not consider personal information to include information that has been aggregated and/or anonymized so that it does not identify a specific user.

In this policy, we set out how UNINVEST collects personal data, how it uses and shares it, and the rights and choices you have in relation to the personal data held and processed by UNINVEST. It should be noted that we do not transfer personal information you provide to any third parties for their own direct marketing use.

Where applicable, we comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

This Privacy Policy is separate and in addition to client confidentiality obligations we may owe you. Please refer to our terms and conditions, applicable to your engagement, for further details.

We may collect Information from you when you correspond with us or engage our services. We may also collect information as a result of your relationship with one or more of our team, or otherwise in the general course of our business. In each case your data will be controlled by UNINVEST.

By continuing to use our services on or after May 25th 2018, you acknowledge our updated Privacy Policy and agree to the revised User Agreement.

If you have any questions or feedback, feel free to contact us.

Privacy Policy – what is GDPR?

GDPR or General Data Protection Regulation is the name of the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The aim of the GDPR is to protect privacy of individuals in the European Union and to harmonise the national legislation of the European countries.

As of 25th May 2018, the GDPR is directly applicable and fully binding for data processing and protection throughout the European Union, thus replacing the Personal Data Protection Law in effect until now.

GDPR was developed with the aim to harmonise the differences in requirements to the processing of personal data between Member States, allowing EU citizens to have better control of their own personal data, including easier access, awareness in case of identity theft, establishment of clearer rights to erasure of personal data (the “right to be forgotten”), the right to object etc.

The types of personal information we collect

We collect different personal information for different reasons – it is not our intention to collect excessive amounts of personal information, but the types of information collected may include:

  • your personal identification information and contact information, which may include: your name, passport information, convictions, politically exposed person (PEP), personal data available in the public domain, physical address, postal address, telephone numbers, email address and such other information necessary for UNINVEST to carry out its CDD and AML/CFT obligations;
  • information on relevant family members and your business relationships;
  • education, professional qualifications, and employment information; and
  • financial information, sources of wealth and your assets and bank details.

If you apply for a position with UNINVEST, we may also collect personal information relating to your past employment, professional qualifications and education, your nationality, health, criminal records and immigration/residential status. We may also gather information from third parties in the form of references and any other information that may be obtained during the recruitment process.

How we collect your personal data

Personal data is collected at different times and from different sources including but not limited to:

  • when you or your organisation contact us to consider engaging our services;
  • information gathered through our client due to diligence procedures as part of our compliance requirements with regulatory authorities;
  • through email, fax or telephone communication;
  • from third parties; and
  • when you or your organisation provides services to us or offer to do so.

How will we use your personal data

UNINVEST understands that personal data is sensitive and is committed to protecting and respecting your privacy. We provide fiduciary, corporate, and other professional services to our clients and we use your personal data for these purposes. Normally the purposes for which we use your personal data will be clear when we collect data. UNINVEST will only use your personal information to:

  • perform a contract that we have with you;
  • conduct administrative or operational processes within our business;
  • comply with any legal obligation where UNINVEST is required to process your personal information – such as keeping records for tax purposes or providing information to a governmental institution, regulatory body or law enforcement agency;
  • share with third parties relevant to the services that we provide. This may include, but is not limited to, counterparties to transactions or litigation (including law firms acting for other parties), other professional service providers, tribunals or courts;
  • process and respond to requests, enquiries or complaints received from you or someone connected to you;
  • establish, exercise or defend the legal rights of UNINVEST or for the purposes of legal proceedings;
  • manage and administer your or your organisation’s business relationship with us, including processing payments, billing and collection;
  • for other legitimate business purposes; and
  • should you apply for a position with us, to review and process your application.

How we may share the information we collect

We do not share personal information with unaffiliated third parties, except as necessary for our legitimate professional and business needs, to carry out your request and /or as required or permitted by law or professional standards. This would include:

  • responding to requests from regulatory bodies or law enforcement agencies where it is necessary or prudent to comply with applicable laws or government regulations;
  • sharing with UNINVEST’ service providers, advisors or other third parties if we merge, sell, liquidate or transfer all or a portion of our assets;
  • comply with any legal obligation where UNINVEST is required to process your personal information – such as keeping records for tax purposes or providing information to a governmental institution, regulatory body or law enforcement agency;
  • sharing with other third parties as outlined in the section above; and
  • should you apply for a position with us, disclosing your personal information for the purposes of seeking references and confirmation of the details that you have provided.

Retention of personal information and security

Your personal information will be retained for as long as required:

  • for the purpose for which the personal information was collected;
  • in order to satisfy any reporting or accounting obligations; and
  • as required by data protection laws and any other applicable laws or regulatory requirements.

UNINVEST has reasonable security policies and procedures in place to protect personal information from unauthorised loss, misuse, alteration or destruction. Despite our best efforts, however, security cannot be absolutely guaranteed against all threats. To the best of our ability, access to your personal information is limited to those who have a need to know. Those individuals who have access to the data are required to maintain the confidentiality of such information. We may keep your personal data in our electronic systems and in paper files.

Access to your personal data

If you have submitted information to UNINVEST, you have the following rights:

  • to access that data and port (transfer) such personal information;
  • to rectify personal information where the information we hold about you is incorrect;
  • to restrict the use of personal information;
  • to request that personal information is erased;
  • to object to processing of personal information; and
  • submit a complaint if you have concerns about the way in which we are handling your data using the form on our Contacts page, to the Information Commissioner’s Office in the UK or the data protection authority in the EU member state of your usual place of residence.

We cannot be responsible for any loss that may arise due to us having any inaccurate, incomplete, inauthentic or otherwise deficient personal data that you or a third party have provided to us.

Inaccurate or amended information

Please let us know as soon as possible if any of your personal information changes (including your correspondence details). Failure to provide accurate information or to update information when it changes may have a detrimental impact upon our ability to provide services to you.

Changes to our Privacy Policy

This Privacy Policy was last updated on 22 May 2018. We have the right to update the contents of this Privacy Policy from time to time to reflect any changes in the way in which we process your personal data or to reflect legal requirements as these may change.

Data Protection under GDPR

Personal data is any information about an identified or identifiable person, also known as the data subject. Personal data includes information such as their:

  • Name
  • Address
  • ID card/passport number
  • Income
  • Cultural profile
  • Internet Protocol (IP) address
  • Data held by a hospital or doctor (which uniquely identifies a person for health purposes)

The GDPR sets out detailed requirements for companies and organisations on collecting, storing and managing personal data. It applies both to European organisations that process personal data of individuals in the EU, and to organisations outside the EU that target people living in the EU.

The GDPR applies if:

  • your company processes personal data and is based in the EU, regardless of where the actual data processing takes place;
  • your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behavior of individuals within the EU.

The GDPR does not apply if:

  • the data subject is dead;
  • the data subject is a legal person;
  • the processing is done by a person acting for purposes which are outside his trade, business, or profession.

Who processes the personal data?

During processing, personal data can pass through various different companies or organisations. Within this cycle there are two main profiles that deal with processing personal data:

  • The data controller – decides the purpose and way in which personal data is processed.
  • The data processor – holds and processes data on behalf of a data controller.

Who monitors how personal data is processed within a company?

The Data Protection Officer (DPO), who may have been designated by the company, is responsible for monitoring how personal data is processed and to inform and advise employees who process personal data about their obligations. The DPO also cooperates with the Data Protection Authority (DPA), serving as a contact point towards the DPA and individuals.

When should we appoint a data protection officer?

Our company is required to appoint a DPO when:

  • we regularly or systematically monitor individuals or process special categories of data
  • this processing is a core business activity
  • we process data on a large scale

For example, if we process personal data to target advertising through search engines based on people’s online behavior, we are required to have a DPO. If, however, we only send our clients promotional material once a year, then we will not need a DPO.

The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contact. A DPO can be an individual or part of an organisation.

Data transfer outside the EU

When personal data is transferred outside the EU, the protection offered by the GDPR should travel with the data. This means that if we export data abroad, our company must ensure one of the following measures are adhered to:

  • The non-EU country’s protections are deemed adequate by the EU.
  • Our company takes the necessary measures to provide appropriate safeguards, such as including specific clauses in the agreed contract with the non-European importer of the personal data.
  • Our company relies on specific grounds for the transfer (derogations) such as the consent of the individual.

When is data processing allowed?

EU data protection rules mean we should process data in a fair and lawful manner, for a specified and legitimate purpose and only process the data necessary to fulfil this purpose. We must ensure that we fulfil one of the following conditions to process the personal data; we:

  • have been given the consent of the individual concerned;
  • need the personal data to fulfil a contractual obligation with the individual;
  • need the personal data to satisfy a legal obligation;
  • need the personal data to protect the vital interests of the individual;
  • process personal data to carry out the task in the interest of the public;
  • are acting in your company’s legitimate interests, as long as the fundamental rights and freedoms of the individual whose data are processed are not seriously impacted. If the person’s rights override your company’s interests, then you cannot process the personal data.

Agreeing to data processing – Consent

The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to. This means that consent should be freely given, specific, informed and unambiguous by way of a request presented in clear and plain language. Consent should be given by an affirmative act, such as checking a box online or signing a form.

When someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given. You must also give them the opportunity to withdraw their consent.

Providing transparent information

We clearly provide individuals with information on who is processing the personal data about them and why. The following should be included as a minimum:

  • who you are
  • why you are processing the personal data
  • what the legal basis is
  • who will receive the data (if applicable)

In some cases, the information we provide also states:

  • the contact information of the Data protection officer (DPO) when applicable
  • what is the legitimate interest pursued by the company when you rely on this legal ground for processing
  • the measures applied for transferring the data to a country outside the EU
  • how long the data will be stored for
  • the individual’s data protection rights (i.e., right to access, correction, erasure, restriction, objection, portability, etc.)
  • how consent can be withdrawn (when consent is the legal ground for processing)
  • whether there is a statutory or contractual obligation to provide the data
  • in the case of automated decision-making, information about the logic, significance and consequences of the decision

And one should present this information in clear and plain language.

Right to access and right to data portability

We ensure that individuals have the right to access their personal data, free of charge. If we receive such a request, we have to:

  • tell them if we are processing their personal data
  • tell them about the processing (the purpose of the processing, categories of personal data concerned, recipients of their data, etc.)
  • give them a copy of the personal data being processed (in an accessible format)

When the processing is based on consent or a contract, the individual can also ask for you to return their personal data to them or transmit it to another company. This is known as the right to data portability. You should provide the data in a commonly used and machine-readable format.

Right to correct and right to object

If an individual believes that their personal data is incorrect, incomplete or inaccurate, they have the right to have it rectified or completed without undue delay.

If this is the case, you should notify all data recipients if any of the personal data you shared with them has been changed or deleted. If any personal data you shared was incorrect, you may also have to inform anyone who has seen it that this was the case (unless this is deemed to require a disproportionate effort).

An individual may also object – at any time – to the processing of their personal data for a particular use when your company processes it on the basis of your legitimate interest, or for a task in the public interest. Unless you have a legitimate interest that overrides the interest of the individual, you must stop processing the personal data.

Likewise, an individual can ask to have the processing of their personal data restricted while it is determined whether or not your legitimate interest overrides their interest. However, in the case of direct marketing, you are always obliged to stop processing the personal data if requested by the individual.

Right to erasure (right to be forgotten)

In some circumstances, an individual can ask the data controller to erase their personal data, for example if the data is no longer needed to fulfil the processing purpose. However, your company is not obliged to do so if:

  • the processing is necessary to respect the freedom of expression and information
  • you have to keep the personal data to comply with a legal obligation
  • there are other reasons of public interest to store the personal data, such as public health or scientific and historical research purposes
  • you need to store the personal data to establish a legal claim

Automated decision-making and profiling

Individuals have the right not to be subject to a decision that is based solely on automated processing. However, there are some exceptions to this rule, such as when they have given their explicit consent to the automated decision. Except where the automated decision is based on a law, our company must:

  • inform the individual about the automated decision-making
  • give the individual the right to have the automated decision reviewed by a person
  • give the individual the opportunity to contest the automated decision

Data breaches – providing proper notification

A data breach is when the personal data you are responsible for is disclosed, either accidentally or unlawfully, to unauthorised recipients or is made temporarily unavailable or is altered.

If a data breach does occur and the breach poses a risk to individual rights and freedoms, you should notify your Data Protection Authority within 72 hours after becoming aware of the breach.

Depending on whether or not the data breach poses a high risk to those affected, your company may also be required to inform all individuals affected.

Responding to requests

If our company receives a request from an individual who wants to exercise their rights, you should respond to this request without undue delay and in any case within 1 month of receiving the request. This response time may be extended by 2 months for complex or multiple requests, as long as the individual is informed about the extension. Requests should be dealt with free of charge.

If a request is rejected, then you must inform the individual of the reasons for doing so and of their right to file a complaint with the Data Protection Authority.

Impact assessments

Conducting a Data Protection Impact Assessment (DPIA) is mandatory whenever the intended processing would pose a high risk to the rights and freedoms of individuals, e.g., when new technologies are used.

There is such a high risk when:

  • automated processing and profiling mechanisms are used to evaluate individuals
  • a publicly accessible area is monitored on a large scale (e.g., CCTV)
  • special categories of data or personal data relating to criminal convictions and offences is processed on a large scale (e.g., health data)

Note: Data Protection Authorities may also consider other categories of data processing as high risk.

If the measures indicated in the DPIA fail to remove all the identified high risks, the Data Protection Authority must be consulted before the intended data processing takes place.

Keeping a record

We can prove that our company acts in accordance with the GDPR and fulfils all applicable obligations – particularly upon request or inspection from the Data Protection Authority.

One way to do this is to keep detailed records on such things as the:

  • name and contact details of your business involved in data processing
  • reason(s) for processing personal data
  • description of the categories of individuals providing personal data
  • categories of organisations receiving the personal data
  • transfer of personal data to another country or organisation
  • storage period of the personal data
  • description of security measures used when processing personal data

Our company also keeps – and regularly update – written procedures and guidelines and make them known to our employees.

If a company is an SME or smaller, it does not need to keep records of its processing activities as long as they:

  • are not done regularly
  • they do not affect the rights or freedoms of the individuals involved
  • do not deal with sensitive data or criminal records

Data protection by design and default

Data protection by design means that a company should take data protection into account at the early stages of planning a new way of processing personal data. In accordance with this principle, a data controller must take all necessary technical and organisational steps to implement the data protection principles and protect the rights of individuals. These steps could include, for example, using pseudonymisation.

Data protection by default means that a company should always make the most privacy friendly setting the default setting. For example, if two privacy settings are possible and one of the settings prevents personal data from being accessed by others, this should be used as the default setting.

Have a question?

Call + 44 203 769 3134 to talk with one of our multi-lingual team of business advisors or fill out our online form.
Contact us