1. Purpose

This top-level Data Protection Policy is a key component of RiverArk Limited’s (“RiverArk”) overall data protection management framework and should be read alongside the more detailed information security documentation, including the Annexures to this policy, system-level security policies, security guidance, and protocols or procedures.

This Policy sets out the obligations of RiverArk regarding data protection and the rights of individuals (in this context “data subjects”) in respect of their personal data under the UK Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) and EU Regulation 2016/679, the General Data Protection Regulation (“GDPR”). The GDPR is interpreted and regulated in the UK by the Information Commissioner’s Office under the UK GDPR as supplemented by the Data Protection Act 2018.

RiverArk receives and processes confidential and sensitive information on behalf of its customers. All such information is subject to any data protection requirements, in addition to this Policy, that may have been agreed with the customers.

The procedures and principles set out herein must always be followed by the Company, its employees, agents, contractors, or other parties working on behalf of RiverArk.

References in this policy to “we,” “our” and “us” are references to RiverArk.

2. Responsibilities

  1. All IT support tasks and functions are exclusively outsourced to our trusted third-party service provider, which possesses the expertise and knowledge to handle technical issues efficiently and effectively.
  2. The responsibilities related to IT support have been contractually assigned to the designated service provider. Their engagement is governed by a formal agreement to ensure adherence to the agreed terms and conditions.
  3. The third-party service provider is authorised to perform all technical activities necessary to ensure a smoothly running IT infrastructure. This includes troubleshooting, system maintenance, software installations, network management, and user support.
  4. Procedural Activities for RiverArk Personnel: While IT support tasks are outsourced, RiverArk personnel have distinct procedural responsibilities as indicated in the procedure itself.

3. Procedures

3.1 Identifying and recording uses of personal data

3.1.1 Data review and register

  1. RiverArk will establish and maintain a Personal Data Register and data flow analysis that includes identification of:

    • Key business processes that utilise personal data
    • Sources of personal data
    • Categories of personal data processed, including identification of high risk and special category personal data.
    • The purpose for which each category of personal data is used, including subsequent secondary purposes over and above the initial purpose collected.
    • Potential recipients of personal data, key systems and repositories of personal data, offshore transfer, retention, and disposal requirements.
    • Whether RiverArk is acting as data controller, processor, or joint data controller.

  2. Regular data reviews to manage and mitigate risks will be conducted through updates to the information assets register. These include information on what data is held, where it is stored, how it is used, who is responsible for it, and any further regulations or retention timescales that may be relevant.

3.1.2 Data Protection Impact Assessments (DPIA)

  1. The CTO shall carry out a DPIA for all new projects and/or new uses of personal data that involve the use of modern technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the Data Protection Legislation.
  2. DPIAs shall be overseen by the Data Protection Compliance Manager/IT Administrator and shall address the following:
    • The type(s) of personal data that will be collected, held, and processed.
    • The purpose(s) for which personal data is to be used.
    • RiverArk’s objectives
    • How personal data is to be used.
    • The parties (internal and/or external) who are to be consulted.
    • The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed.
    • Risks posed to data subjects.
    • Risks posed both within and to RiverArk; and
    • Proposed measures to minimise and handle identified risks.

3.1.3 Privacy by Design and Default

  1. When designing or making significant changes to systems for use within RiverArk or by its data processors, the IT Administrator shall ensure that compliance to privacy and data protection regulations is identified and managed from the start of such projects. The Data Protection Compliance Manager will be responsible for ensuring that all IT projects commence with a privacy plan.
  2. When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

3.1.4 Consent

  1. If the data that is collected is subject to consent by the data subject, RiverArk will obtain such consent in a clear and transparent manner. This consent can be revoked at any time. RiverArk will ensure that the revocation of consent is easy for the data subjects.
  2. Any criminal record checks must be justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.

3.2 Collection and Processing of Personal Data

3.2.1 Fair, lawful, and transparent processing

RiverArk will ensure that:

  1. It processes personal data only on the basis of the legal basis (Annexure 1.5) recorded in the data register.
  2. It provides information to data subjects in an appropriate format which clearly communicates:
    • the purpose for which their personal data can be processed;
    • the legitimate interest of RiverArk;
    • the types of personal data collected;
    • information about disclosure to third parties;
    • transfer of such personal data outside the EU and the safeguards in place;
    • the rights of the data subject;
    • the retention period for their personal information; and
    • other information needed to make the processing fair and transparent.
  3. It clearly explains how an individual can object in the following circumstances:
    • where the personal data is collected for marketing purposes or might be so used in future; and
    • where profiling by automated means is used for marketing purposes.
  4. Any information presented to an individual is in a format easily accessible to, and understood by, the intended audience.

3.2.2 Processing for Specific Legitimate Purposes

  1. RiverArk will ensure any use of personal data is justified using at least one of the conditions for processing (Annexure 1.3). All staff who are responsible for processing personal data will be aware of the conditions for processing.
  2. RiverArk will not use personal data obtained for one purpose for any unconnected purpose unless the individual concerned has explicitly agreed to this or a relevant exemption applies.

3.2.3 Adequate, Relevant and in line with data minimisation principles

  1. RiverArk will ensure that any personal data collected is adequate for its purpose. Regular reviews of its technology and processes will be conducted to ensure that the personal data continues to be adequate for its purposes.
  2. RiverArk will ensure its systems and processes are reviewed to ensure the personal data being processed is relevant and not excessive.

3.2.4 Accuracy of Data and Keeping Data up to date

  1. RiverArk shall ensure integrity and accuracy of personal data being processed.
  2. Any request by the individual to correct their personal data is promptly acted upon.
  3. If any personal data is found to be inaccurate or out of date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

3.2.5 Secure Processing

  1. RiverArk shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
  2. RiverArk can obtain from ITA solutions full details, and other specific descriptions, of all technical and organisational measures taken to ensure the security of personal data.
  3. Where RiverArk shares personal data with a third party, the responsibilities of both parties in relation to personal data will be formally documented in a written agreement or contract as appropriate.

3.2.6 Processing in accordance with the Individual’s Rights

  1. RiverArk will ensure that personal data is collected and processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. 
  2. RiverArk will abide by any request from an individual not to use their personal data for direct marketing purposes and notify the Data Protection Compliance Manager about any such request.
  3. RiverArk will not send direct marketing material to someone electronically (e.g., via email) unless RiverArk has an existing business relationship with them in relation to the services being marketed or a valid consent has been obtained from the subjects who are recipients of such marketing material.
  4. Please contact the Data Protection Compliance Manager for advice on direct marketing before starting any new direct marketing activity.
  5. A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

3.2.7 Subject Access Requests

  1. A data subject may make a subject access request (SAR) at any time to find out more about the personal data which RiverArk holds about them. RiverArk will respond to such a request within one month of receipt (this can be extended by up to two months in the case of complex and/or numerous requests, and in such cases the data subject shall be informed of the need for the extension).
  2. All subject access requests received must be forwarded to RiverArk’s Data Protection Compliance Manager.
  3. RiverArk does not charge a fee for the handling of normal SARs. RiverArk reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

3.3 Data Retention

  1. RiverArk shall not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed.
  2. When the data is no longer required, all reasonable steps will be taken to erase it without delay in accordance with Data Destruction Procedures according to ITA solutions policies and in line with the level of security appropriate to the sensitivity of the personal data.
  3. RiverArk’s Data Retention Schedule will identify the retention period for personal data. The schedule will:
    • include any minimum retention period required by law, as well as retention periods set by RiverArk; and
    • include the justification and basis for the retention periods.

3.4 Transferring Data Internationally

  1. Where personal data is transferred outside the UK by RiverArk, it shall ensure that the rights of the data subjects are protected.
  2. The Data Protection Compliance Manager shall review all new initiatives involving the transfer of personal data:
    • between the UK and the EEA; and
    • outside the EEA.
    The review shall establish that adequate protection can be provided for such transfers.
  3. The transfer of personal data to a country outside of the EEA shall take place only:
    • If the European Commission has assessed the country or territory as providing adequate protection
    • By including within contracts specific and legally binding conditions which ensure protection of personal information and the processing
    • By complying with an approved code of conduct or approved certification mechanism along with binding and enforceable commitments on the destination organisation
    • For public bodies by complying with a legally binding and enforceable instrument or administrative arrangement

3.5 Security Issues

  1. The Information Security Policy will also ensure that:
    • Personal data is stored and handled securely, with precautions appropriate to its confidentiality and sensitivity.
    • Special attention is paid to storage of personal data on removable media, portable devices, and third-party storage systems (e.g., Cloud storage) 
    • Electronic or manual transmission of personal data is secured by appropriate means.
  2. The Data Protection Compliance Manager will ensure that regular security assessments are routinely undertaken to establish whether existing security controls around personal data are adequate and make recommendations for improvements if necessary. 

3.5.1 Reporting Breaches

  1. All members of staff have an obligation to report actual or potential data protection compliance failures. This allows RiverArk to:
    • investigate the failure and take remedial steps if necessary.
    • maintain a register of compliance failures.
    • notify the ICO (Information Commissioner’s Office) of any compliance failures that are material either on their own or as part of a pattern of failures.
  2. If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Compliance Manager must ensure that the ICO is informed of the breach without delay, and in any event, within 72 hours after having become aware of it. Such notification shall include:
    • A description of the personal data involved.
    • Details of the categories of personal data and the approximate number of records involved.
    • Contact details of RiverArk’s Data Protection Compliance Manager (or other contact point where more information can be obtained).
    • A description of the likely consequences of the breach.
    • Details of the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
  3. If a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Compliance Manager must ensure that all affected data subjects are informed of the breach directly and without undue delay.

3.6 Training

  1. All staff will receive training on this Policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
  2. Training may be provided on a regular basis through an in-house seminar, via online learning portals, or by any other means considered reasonable for this purpose. Completion of training is compulsory. Training will be completed and documented in accordance with SOP/GEN/003 – Training Management. It will cover:
    1. The law relating to data protection.
    2. RiverArk’s data protection and related policies and procedures

3.7 Consequences of failing to comply

  1. We take compliance with this Policy very seriously. Failure to comply puts both you and RiverArk at risk.
  2. The importance of this Policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal. 
  3. If you have any questions or concerns about anything in this Policy, do not hesitate to contact the Data Protection Compliance Manager.

Annexure 1: Legal Provisions

1.1 Personal Data

Any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject.

1.2 Data subject

A living, identified, or identifiable individual about whom RiverArk holds personal data.

1.3 The Data Protection Principles

  1. The Data Protection Legislation sets out the following principles with which any party handling personal data must comply. All personal data must be:
    • Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
    • Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
    • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
    • Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
    • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods as far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the data protection legislation in order to safeguard the rights and freedoms of the data subject.
    • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

1.4 The Rights of Data Subjects

  1. The Data Protection Legislation sets out the following key rights applicable to data subjects:
    • The right to be informed.
    • The right of access.
    • The right to rectification.
    • The right to erasure (also known as the ‘right to be forgotten’).
    • The right to restrict processing.
    • The right to data portability.
    • The right to object.
    • Rights with respect to automated decision-making and profiling.

1.5 Legal Basis

  1. The Data Protection Legislation seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The Data Protection Legislation states that processing of personal data shall be lawful if at least one of the following applies:
    • The data subject has given consent to the processing of their personal data for one or more specific purposes.
    • The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract with them.
    • The processing is necessary for compliance with a legal obligation to which the data controller is subject.
    • The processing is necessary to protect the vital interests of the data subject or of another natural person.
    • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
    • The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

1.6 Special Category Data

  1. If the personal data in question is “special category data” (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data), at least one of the following conditions must be met:
    • The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless prohibited by law).
    • The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (if authorised by UK law).
    • The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
    • The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;
    • The processing relates to personal data which is clearly made public by the data subject.
    • The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity.
    • The processing is necessary for substantial public interest reasons, with a basis in law, which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
    • The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of UK and/or EU law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;
    • The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or
    • The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on UK and/or EU law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

1.7 Rules on International Transfers of Personal Data

  1. The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:
    • The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data. 
    • The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. The Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority 
    • The transfer is made with the informed consent of the relevant data subject(s) 
    • The transfer is necessary for the performance of a contract between the data subject and the Firm (or for pre-contractual steps taken at the request of the data subject) 
    • The transfer is necessary for important public interest reasons. 
    • The transfer is necessary for the conduct of legal claims. 
    • The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or 
    • The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who can show a legitimate interest in accessing the register. 

Annexure 2: Privacy Notice (General)

Purpose

This Privacy Notice (“Notice”) – together with any other privacy information we may provide on specific occasions – applies to the processing of personal data by us while providing our quality assurance services and carrying out our business operations. The Notice sets out the types of personal data we collect, explains how we collect and process that data and who we share it with, and describes certain rights and options that you have in this respect.

We recognise that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

When we refer to “RiverArk” or “we” in this Notice we mean RiverArk Ltd, a company incorporated in England & Wales with registered number 7815952 and registered address at 85 Great Portland Street London W1W 7LT.

How we collect and use (process) personal information

  1. We collect and process personal data for the following categories of data subjects:
    • Job applicants
    • Clients
    • Business contacts which include suppliers, consultants, advisors
    • Visitors to our website
    • Recipients of our marketing activities

1 Job applicants

  1. All the information you provide during the application process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
  2. We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role for which you have applied.
  3. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. 

1.1 Application Stage

  1. At the application stage, we ask you for:
    • Contact details: name, address, phone number and email address.
    • Your previous experience: details of your education, work history, referees, and answers to questions relevant to the role you have applied for.
    • Financial: previous salary/salary expectation, conflicts of interest.
    • Health and safety: disability/special needs. This information will only be used to ensure a comfortable experience during the interview process. This is not mandatory information – if you do not provide it, it will not affect your application.
    • Ability to drive in the UK, if relevant for the role.

1.2 Selection Stage

  1. We might ask you to complete tests, online assessments or a psychometric questionnaire, and/or to attend an interview. Information will be generated by you and by us. For example, we might take interview notes. We hold this information.
  2. We will also ask you to provide contact details of two referees; their details and their answers and/or opinions will be retained by us. We will also conduct an ID verification and check your right to work in the UK before any offer letters are issued.

1.3 How long is the information retained?

  1. If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign. Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
  2. If you are successful in your application, we will retain your information in accordance with our Privacy Notice for Employees, Workers, and Contractors. A copy of this Notice will be provided to you with your offer letter.

2 Clients and Business Contacts 

  1. We collect personal information about our clients to provide them with our audit and consulting services. We hold the following information about customers:
    • Contact details: name, business address, business email address, business phone numbers including mobile numbers.
    • Personal information contained in business communications.
    • Transaction data, including details about services you have purchased from us.
  2. We may receive personal information from our clients about other individuals, e.g., their employees, while providing our services. Any such information provided to us is used solely for providing our services and is handled strictly as per client instructions.

3 Business Contacts

  1. If you are a supplier, service provider, advisor, or consultant, we may process the following personal data about you:
    • Contact details: name, work email address, contact numbers.
    • Professional details: the name of your employer, job role, educational or professional background, any professional disqualifications.
    • Verification of identity details: passport or any other government-issued document, proof of address, professional indemnity insurance.
    • Financial and transactional details: invoices, bank account numbers for payment.
    • If you have access to any of our internal platforms: username and password.
  2. We use this information to enter into and fulfil a contract with you, and to administer and manage our relationship with you, including accounting and payment processing activities.

4 Visitors to our Website 

  1. When you visit our website, we use cookies, set through third-party analytics services, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to various parts of the website. This information is only processed in a way that does not identify any individual. 
  2. When you complete the contact form on our website or use the email for enquiries, we will use the information provided by you only for the purpose of providing you with an appropriate response.

5 Marketing Data 

We hold name and contact details of individuals who have expressed interest in hearing from us about our services or have engaged with us for supply of our services in the past. All direct marketing activities to such individuals shall comply with relevant privacy and regulatory requirements.

5.1 How is your personal data collected?

  1. You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
    • engage us to provide services.
    • subscribe to our publications.
    • request marketing material to be sent to you.
    • complete one of our enquiry forms or
    • provide us with feedback.
  2. We may also receive personal information from third parties, including other customers, partners, or third parties with whom we run partnerships, competitions, and events. Any such information provided to us is used solely for providing our services and is handled strictly in accordance with our data protection procedures.

When and how do we share your personal data?

  1. We may share your personal data in the following circumstances:
    1. internally with staff members who require your information to provide our services and who have received training in data protection.
    2. our accreditation bodies where this is a requirement for delivering our services.
    3. with our professional advisors, including our legal advisors, financial advisors, insurers, accountants, auditors, or other consultants to the extent they require this information to provide their services to us.
    4. with sub-contractors, consultants or associates who are asked by RiverArk to deliver all or some of the services.
    5. with courts, law enforcement authorities, regulators, or government officials where it is legally required.
    6. with third parties providing IT support and maintenance services, marketing and client support services, data storage services, and checks for credit risk reduction and other fraud and crime prevention purposes; and other financial institutions and credit reference agencies providing services to us.
    7. any third parties with whom you require or permit us to correspond.
  2. We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services and communications.

Transfers of personal data outside the EEA 

There may be occasions where we will need to share your data with entities in third countries, for example when we use cloud software providers or outsourced contractors that enable us to provide you with the services. We verify that any data transfer outside the EEA is covered by an adequacy decision, Standard Contractual Clauses or another transfer tool that complies with data protection legislation.

Automated decision-making

We do not use automated decision-making in relation to your personal data. 

Security of your personal information

  1. To help protect the privacy of data and personally identifiable information you provide to us, we maintain physical, technical, and administrative safeguards. We update and test our security technology and controls on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities.
  2. We are certified to the Cyber Essentials Plus and IASME standards, which demonstrates our commitment to the security and privacy of your personal information.