Third Party Data Protection and Privacy Notice
|Last Approved and Effective Date:||15 December 2021|
The General Data Protection Regulation, as retained by the European Union (Withdrawal) Act 2018 (“GDPR”), and the UK Data Protection Act 2018 (collectively “The Acts”) govern the controlling and processing (or the use or holding) of personal data.
Personal data is essentially any information about specific identifiable living individuals.
GDPR and the UK Data Protection Act 2018 also gives those specific individuals certain rights and remedies in respect of that information.
The purpose of this GDPR Third Party Data Protection and Privacy Notice (“Notice”) is to supply you with the required information at the time of providing us with your personal data. This notice sets out the essentials in relation to personal information collected by Braermar, and aims to help your confidence regarding the privacy and the security of your personal information.
Please read this Privacy Notice carefully. By visiting our website or using any of our services, you indicate your agreement to our use of your personal information as set out in this Privacy Notice.
Data Protection Principles
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Braemar is a “Data Controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
Braemar PLC (“Braemar”), company number 02286034, whose registered office is at One Strand, Trafalgar Square, London, WC2N 5HR is the Data Controller and is committed to protecting the rights of individuals in line with the GDPR.
Data Protection Contact
Braemar has appointed a Data Protection Contact at a senior level with specific responsibility for day-to-day matters of data protection and to act as a contact point with the ICO.
The Data Protection Contact will act as a central point of reference for Braemar on all issues relating to data protection and should be consulted in relation to all Data Protection Impact Assessments and Data Breaches.
The Data Protection Contact will monitor Braemar’s compliance with GDPR which includes the assignment of responsibilities, awareness raising, training and audits.
Braemar has appointed Sven Porter, Group Head of Audit & Group Risk and Compliance Manager as it’s Data Protection Contact. Sven reports administratively to the Nick Stone, CFO. They can be reached at:
Sven Porter: email@example.com OR DataProtection.Contact@braemar.com
Nick Stone: firstname.lastname@example.org
Information We Collect About You
When Do We Collect Information?
We will collect information from you when you register with us, apply to use any of our services, become our client, or contact us in person, by telephone, by email or by post. We also collect information from you when you provide feedback or complete a contact form on our website.
We may collect information about you from fraud prevention agencies and other organisations when we undertake checks such as identification verification checks, as explained further below.
What Information Will We Collect and Why?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection. “Special categories of personal data” include information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, dietary requirements, access requirements, criminal convictions and offences information, information provided during the course of a business relationship, health, sex life or sexual orientation and biometric data.
Braemar may collect, process and store a range of information about you. This may include:
- your name, address and contact details, including your email address, telephone number, date of birth, gender, delivery and billing address;
- professional details, including your title and career background, education, professional memberships;
- details of your bank account, taxes, payment details and insolvency records;
- information about your emergency contacts;
- information about your nationality;
- images of you captured by CCTV at our locations. Door entrances and visitor passes may record images and personal data such as name and email address;
- photographs, including those taken at Braemar events;
- usage data when you use our website or the group WiFi available at our offices (including information about how you use our website, products and services);
- marketing and communications data (such as your preferences in receiving marketing from us and your communication preferences);
- technical and location-based data (including your IP address, your login data, browser and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website); and
- profile data (including your username and password, interests, preferences, feedback and any survey responses).
We also collect information from you when you voluntarily complete customer surveys, provide feedback or complete a contact form on our website.
If You Fail to Provide Personal Information
In some cases, you are not obliged to provide any personal data to us, but if you have requested information or a service from us, we will not be able to provide it without certain information, such as your contact details. Before we can begin providing you with our services, we need to obtain certain information about you, so that we can verify your identity in order for us to meet our obligations under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 and any other applicable legislation and for the purposes of crime prevention and fraud prevention. You are obliged to provide this information and if you do not provide it, we will be unable to provide you with our services.
Cookies and Related Technologies
You can change your browser settings to set preferences regarding cookies. For example, you may be able to set your browser not to accept cookies or to notify you when a cookie is being sent. For more information about whether these settings are available, what they do, and how they work, please visit your browser or device’s settings menu. If you do not accept cookies from us, you may not be able to make use of all features of the Braemar website.
We also use other types of local storage technologies, such as local shared objects (sometimes called “Flash cookies”). Flash cookies are also stored on your device and are used to maintain information about your activities and preferences.
These local storage technologies may use parts of your device other than your browser, which means you may not be able to control their use using the browser tools and settings you use to control browser cookies. For more information about managing Flash cookies, please visit the Adobe Flash Player website. Your browser’s privacy controls may enable you to manage other types of local storage.
- to help authenticate you when you use our website;
- to remember your preferences and any registration information;
- to present and help measure and research the effectiveness of our service, advertisements, and email communications (by determining which emails you open and act upon); and
- to customise the content and advertisements provided to you through our website and on other websites you visit.
Although cookies are used to collect personal information about people visiting Braemar’s website, cookies alone will not tell us your email address or otherwise identify you personally. Most cookies collect general information, such as how you arrive at and use our website, the device you are using, your IP address, what pages you are viewing and your approximate location.
Web beacons are small pieces of code placed on web pages, videos, and in emails that can communicate information about your browser and device to a server. Beacons can be used, among other things, to count the users who visit a website or read an email, or to deliver a cookie to the browser of a user viewing a website or email.
Braemar does not make use of automated processing or decision making.
How Does Braemar Process Personal Data?
Braemar needs to process data for a variety of reasons, including in order to enter into contractual relationships and to meet its obligations under any such contracts. For example, it may need to process your data to provide you with invoices for services it has performed or to make payment for services it has received.
In some cases, Braemar needs to process data to ensure that it is complying with its legal obligations. For example, it is required to perform checks on its customers and suppliers to ensure there are no sanctions or bribery concerns.
In other cases, Braemar has a legitimate interest in processing personal data before, during and after the end of our relationship with you. Processing such data allows Braemar to:
- research, develop and improve our products and services;
- conclude and execute agreements with our customers, suppliers and business partners;
- manage our business relationships and marketing;
- manage our human resources;
- manage our shareholder relationships;
- provide information to a buyer, joint venture partner or seller in connection with an actual or potential transfer, joint venture or acquisition relating to all or part of our business;
- maintain our insurance;
- obtain advice from external advisors (including lawyers, auditors, accountants and other third parties);
- meet our obligations under applicable laws and regulations (including obligations imposed by the Financial Conduct Authority and in order to maintain its share registers);
- manage our assets internally and prepare management reports (including in relation to internal audits and investigations);
- implement proper health, safety and security measures;
- manage disputes, claims and other legal or administrative proceedings;
- maintain accurate and up to date records and contact details of parties who are current or past customers, suppliers, business partners and other third parties whom we have had dealings with and records of any outstanding contractual rights and obligations;
- protect the vital interests of an individual; and
- implement business controls.
We may also use your personal information to provide you with information about other services we offer that are similar to those that you have already engaged us to provide, or enquired about or to provide information about Braemar by way of newsletters or emails.
In such instances Braemar will only do so where we have either received consent from you or we have assessed that there is a legitimate interest for us to send you the communication. When assessing legitimate interest, we will balance our interests with your rights and will only send communications where you would reasonably expect to hear from us. You may opt out of receiving this information when we collect details or at any time by contacting us using the contact details below.
Change of Purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you to seek your consent and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, where there is a legitimate compatible reason for doing so, or where this is required or permitted by law.
Who May Have Access to Your Data?
We may disclose your information to:
- Any business that is part of the Braemar group;
- Our brokers, dealers, IT providers, third party service providers and agents in order to provide and maintain the provision of the services;
- Our appointed auditors, accountants, lawyers and other professional advisers (e.g. compliance consultants), to the extent that they require access to the information in order to advise us;
- Fraud prevention agencies and other organisations to allow us to undertake the checks set out below. We will supply details of such agencies on written request;
- We may also be required to share information with auditors appointed by the providers of such products or services;
- The regulators, the Financial Conduct Authority, or any relevant regulatory authority where they are entitled to require disclosure;
- Meet applicable law, the order of a Court or market rules and codes of practice applicable to the circumstances at the time;
- Investigate or prevent fraud or activities believed to be illegal or otherwise in breach of applicable law;
- Relevant tax, payments and customs authority, who may pass this on to tax authorities in other jurisdictions. Tax regulations require us to collect information about each investor’s tax residency;
- Prospective seller or buyer of such business or assets should we sell or buy any business or assets, in which case we will disclose your personal information;
- If Braemar’s assets are acquired by a third party, in which case personal information held by it about its clients may be one of the transferred assets.
We take appropriate security measures (including physical, electronic and procedural measures) to help protect the confidentiality, integrity and availability of your personal information from unauthorised access and disclosure.
Braemar is committed to only keeping your personal data for as long as we need to in order to fulfil the relevant purpose(s) it was collected for, as set out above in this notice, and for as long as we are required or permitted to keep it by law.
We retain copies of our customer contracts in order to enable us to deal with any legal issues in addition to the information provided to us for identification verification checks, financial crime and anti-money laundering checks (as required by law) for 5 years after termination or expiry of our contract with you. We retain details of complaints for 5 years from the date of receipt.
Braemar retain copies of all above records for a maximum of 7 years.
Transferring Information Overseas
We may share your personal information with our service providers, and this may involve transferring it to countries outside the European Economic Area (EEA) whose data protection laws may not be as extensive as those which apply to us. Where we do so, we will ensure that we do this in accordance with the Acts and take appropriate measures to ensure that the level of protection which applies to your personal information processed in these countries is similar to that which applies within the EEA. Such measures may include only transferring your data to jurisdictions in respect of which there is a European Commission adequacy decision or, where this is not the case, by using model clauses which have been approved by the European Commission.
We may transfer your personal information between businesses that are legally part of the Braemar group of companies for the purposes of providing our services to you as follows:
- from our businesses based in the United Kingdom to our businesses based in countries where the European Commission has made a formal decision that such countries provide an adequate level of data protection similar to that which applies in the United Kingdom and EEA (see Appendix 1 for further information); and
- from our businesses based in the countries below to our businesses based in the United Kingdom on the basis that the United Kingdom is an authorised jurisdiction for the purposes of the relevant Acts.
- The Netherlands
- United Arab Emirates (UAE)
- United States of America (USA)
As a data subject you have the following rights (unless exemptions apply) relating to personal information held by Braemar. These rights can be exercised by contacting us using the details provided below.
As a data subject, you have the right:
- To ask us not to process your personal data for marketing purposes;
- To prevent any processing of personal data that is causing or is likely to cause unwarranted and substantial damage or distress to you or another individual;
- To request the rectification or completion of personal data which are inaccurate or incomplete;
- To restrict or object to the processing of your personal data;
- To request its erasure under certain circumstances;
- In certain circumstances, to receive your personal data, which you have provided to us, in a structured, commonly-used and machine-readable format and the right to transmit that data to another data controller without hindrance, or to have that personal data transmitted to another data controller, where technically feasible;
- To be informed about any use of your personal data to make automated decisions about you, and to obtain meaningful information about the logic involved, as well as the significance and the envisaged consequences of this processing;
- Object to the processing of your data where Braemar is relying on its legitimate interests as the legal ground for processing; and
- Ask Braemar to stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override Braemar ‘s legitimate grounds for processing data; and
- Request the transfer of your personal information to another party.
Where we rely on your consent to use your personal data, you have the right to withdraw that consent at any time.
Obligations to Provide Personal Data
When Braemar receives a request, we will endeavour to respond without delay and at the latest within one month of receipt. We may extend the period of compliance by a further two months where requests are complex or numerous. In such instances Braemar will inform you within one month of the receipt of the request and explain why the extension is necessary.
When Braemar receives a subject access request we will provide a copy of the information held free of charge. Braemar may charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that we will charge for all subsequent access requests rather that the Braemar reserves the right to charge a fee based on the administrative cost of providing the information.
If the after reviewing a request the Data Protection Contact believes a request is manifestly unfounded or excessive, particularly if it is repetitive, then Braemar may charge a ‘reasonable fee’ which will be decided on a case by case basis. In certain circumstances Braemar may even refuse to respond to such requests.
When you contact us to exercise any of the rights above, we may ask you to provide some additional information in order to verify your identity, such as your name, your address and proof of identity.
Contact Us & Lodging a Complaint
To contact us:
Group Head of Internal Audit & Group Risk and Compliance Manager (Data Protection Contact)
If you are unsatisfied with our actions or wish to make an internal complaint, you can contact our Chief Financial Officer in writing at the address below.
Chief Financial Officer
If you believe that Braemar has not complied with your data protection rights and/or you remain dissatisfied with our actions you have the right to lodge a complaint with your Data Protection Supervisory Authority, which is The Information Commissioner’s Office (ICO) in the United Kingdom.
The ICO can be reached at the address below, via their enquiries email address, or via their website:
INFORMATION COMMISSIONER’S OFFICE
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Fax: 01625 524 510
ICO Website link to:
Make a Complaint
If you remain dissatisfied with our actions, you have the right to lodge a complaint with the Supervisory Authority. The Information Commissioner’s Office (ICO) can be contacted at:
Information Commissioner’s Office
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Fax: 01625 524 510
Appendix 1 – Transferring Personal Information Outside the Eea
As stated above in this Data Protection and Privacy Notice:
“We may share your personal information with our service providers, and this may involve transferring it to countries outside the European Economic Area (EEA) whose data protection laws may not be as extensive as those which apply to us. Where we do so, we will ensure that we do this in accordance with the Acts and take appropriate measures to ensure that the level of protection which applies to your personal information processed in these countries is similar to that which applies within the EEA. Such measures may include only transferring your data to jurisdictions in respect of which there is a European Commission adequacy decision or, where this is not the case, by using model clauses which have been approved by the European Commission.”
As of December 2021, the time of approval and publication of this version of Braemar’s Data Protection and Privacy Notice, the European Commission has made decisions confirming adequacy or equivalence of individual country data protection laws currently in place for the following countries:
- Isle of Man,
- New Zealand,
- Switzerland, and
The European Commission has made partial findings of adequacy regarding Canada as indicated below.
- The adequacy finding for Canada only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
- Not all data is subject to PIPEDA.
If personal information is being shared with Braemar divisions or offices in countries outside the EEA, it may be best to first consult with Braemar’s DPO and/or Company Secretary.
Document History and Version Control
|Policy Owner:||Group Head of Internal Audit & Group Risk & Compliance Manager|
|Date of next review:||December 2022|
Approved and issued.
Approved and issued.
This document requires the following approvals.
|Signature||Title||Date of Approval||Version Approved|
|Audit Committee||Electronic Signature||Audit Committee||27/01/2021||
|Audit Committee||Electronic Signature||Audit Committee||15/12/2021||