Data Privacy Notice & Procedures
This document sets out what we use personal information for and explains a living individual’s rights around how we use it.
Developed by Fusion Finance
Date *January 2018
Table of Contents
• Background
• What is Personal Data
• Requirements by Law
• What is Legitimate Interest
• Consent
• Where do we get Personal Data
• To Whom do we pass Personal Data
• How Long do we Keep Personal Data
• Living Individuals Rights
• Appendix D: Template Data Privacy Notice
• Appendix E: Template Website Privacy Notice
Background
We know a living individual’s personal data is important to them and it is important to us too. Our Privacy Notice tells a living individual what we use their personal data for and explains their rights around how we use it. Please read this Privacy Notice and procedures document to understand how and why we use a living individual’s personal data.
We use personal data to provide business services, to meet any legal and regulatory obligations, and for legitimate business reasons; advice, arrange transactions and set up plans, service our customers with advice on claims and encashments.
We pass data to the relevant product producers with whom we hold an agency appointment for the purpose of arranging those transactions and setting up plans.
If we receive personal information about someone else, we must ensure we have their permission and make them aware of our Data Privacy Notice.
What is Personal Data
Personal Data
Personal data means data relating to a living individual, who is, or can be identified from the data and includes;
• Personal details
• Family and lifestyle details
• Education and training
• Employment details
• Financial details
• Contractual details (for example, goods and services provided to a data subject)
• Online identifiers (IP addresses, cookies)
Sensitive Personal Data
Sensitive personal data is “special categories of personal data” and specifically include medical data. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing
• Medical details
• political opinions
• religious / philosophical beliefs
• trade union membership
• data concerning health or sex life and sexual orientation
• race / ethnic origin
• genetic data
• biometric data
Automated and Manual Data
Automated Data means information that is being collected or processed by e.g. a computer, operating automatically in response to instructions given for that purpose,
Manual Data means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
Privacy by Design states that any action the firm undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that the IT department, or any department that processes personal data, must ensure that privacy is built in to a system during the whole life cycle of the system or process, rather than tagging security or privacy features on at the end of the process
Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user or data subject. In addition, any personal data provided by the data subject, to enable a product’s optimal use should only be kept for time necessary to provide the product or service. If more information than necessary to provide the service is disclosed, then “Privacy by Default” has been breached.
Requirements by Law
We must have a lawful basis to collect and use Personal Data
The Data Protection Principles require that we process all personal data lawfully, fairly and in a transparent manner. The individual’s right to be informed requires us to provide information about our lawful basis for processing their data and means we need to include these details in our privacy notice.
We must determine the lawful basis before we begin processing
The individual must be informed of the purpose for processing their data before we begin such processing. We must take care to get it right first time. The data processing should be relevant, adequate and limited to what is necessary for its purpose. If we can reasonably achieve the same purpose without the processing, then we don’t have a lawful basis.
Request to swap the original purpose
We should not seek to swap to a different lawful basis at a later date without good reason and must always consult the Compliance Officer in any such instance. Should it be deemed necessary for the lawful purpose to change, it may be possible to continue processing under the original lawful basis if the new purpose is compatible with the initial purpose (unless the original lawful basis was Consent).
Processing Special Category Data
We need to identify both a lawful basis for general processing and an additional condition for processing this type of data. In order to lawfully process special category data, identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. NOTE: These do not have to be linked.
The lawful bases for processing include;
• Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
• Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
• Legal Obligation: the processing is necessary for us to comply with the law Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The separate conditions for processing include;
• the data subject has given explicit consent to the processing of those personal data for one or more specified purposes,
• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
• processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• processing is carried out in the course of its legitimate activities with appropriate safeguards
• processing relates to personal data which are manifestly made public by the data subject
• processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
Contract
We need to collect and use personal data to provide a plan contract which can include a living individual’s;
• name
• date of birth
• contact details
• bank account details
• financial information
• health details
• employment details
• pension and salary information
Personal data needed for plan contracts is held and used to;
• Process an application
• issue a plan
• provide information about the plan
• provide customer care and service
• contact and inform of relevant actions that may need to be taken
Required By Law:
We use personal data to comply with law and regulations;
• reporting to regulators
• maintaining proper records
• Internal reporting, quality checking, compliance controls and audits to help meet our regulatory obligations.
• We must collect certain personal information to comply with Anti-Money Laundering law (Up to date proof of identification and address)
• Customer Due Diligence (Financial Sanctions / Politically Exposed Persons (PEP’s) / searches of publicly available information)
• tax residence information and tax identification number for tax reporting
• Personal and financial information in order to complete a financial review and recommend the most suitable financial product for a customer. This involves creating new and assumed personal information, and we will check to see if a customer record already exists.
What is Legitimate Interest
We use a living individual’s personal information for our legitimate interests which we believe benefit our customers. We also receive and access information from product producers in order to provide better advice and customer care. We must maintain a record of our assessment so as to demonstrate that we have given proper consideration to the rights and freedoms of individuals involved.
• Employment data processing
• Fraud and financial crime detection and prevention (AML requirements)
• processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems
• Compliance with law enforcement, court and regulatory requirements
• Relations with insurers – information to process insurance claims •
• To comply with industry practices (issued by the Financial Action Task Force (FATF), Wolfsberg AML Principles, etc.)
• Modelling – develop or operate financial//conduct and risk models
• Communications & marketing – Direct Marketing OR using summary information to help promote products and services.
Consent
We require consent from a living individual for us to collect and use personal data. We must explain what we need it for and how they can withdraw consent if they change their mind in the future. It must be as easy for them to withdraw their consent as it is to give it.
We must be able to demonstrate that the individual owner of that personal data gave their informed, unambiguous and proactive consent to the processing and we bear the burden of proof that consent was validly obtained. The individual shall also have the right to withdraw their consent at any time, has the right to be forgotten.
The execution of a contract or the provision of a service cannot be conditional on consent to processing or use of data that is not necessary for the execution of the contract or the provision of the service.
Where do we get Personal Data
Living Individuals provide us with their personal information directly when they contact us, complete our forms, speak with us or visit our website, our social media accounts. For more information on what personal information is collected and used on our website please see our Web Privacy.
We also get personal information from solicitors, employers, and regulators and create new personal information about data subjects based on information they have given us and through their interactions with us.
To Whom do we pass Personal Data
We pass personal information to; Who do we pass your personal data to:
We pass personal information to companies that act as service providers under contract with us and only process your personal information as instructed by us. Your personal information is transferred securely and is not used by other parties for any reason. Our main data processors are Mailchimp (trading as Mailchimp) who support the issue of our service emails.
Mailchimp are based in the United States and any personal data we share with them is done so in accordance with the EU Standard Contractual Clauses. The only information passed includes your name and/or email address. MailChimp may collect information about your devices and your interaction with emails; this information may be used to improve the content and operation of services and to facilitate related research and analysis.”
Data processors:
– Companies that act as service providers under contract with us and only process personal information as instructed by us. All personal information is transferred securely and is not used by other parties for any other reason.
The categories of services that we use other Data Processors for include;
– document management, administration, , customer services, marketing, Financial Sanctions and PEP checks to comply with Anti-Money Laundering rules and to maintain a list of identified high-risk customers, to comply with legal obligations.
Product Producers
– We pass personal information to product producers with whom we hold an agency, in order to arrange transactions agreed with our customers.
Investment Service Providers;
– We pass personal information to investment service providers where our customers want to access specialist investment services through their plan e.g. Stockbroker or Online Trading Platform.
Regulators:
– We pass personal information to Regulators and the Revenue Commissioners or as needed to comply with regulations and laws.
Other Companies:
– We pass personal information to third parties, including other companies with whom we have business arrangements, with the recorded consent of the data subject.
All personal information is processed and stored within the EU.
How Long do we Keep Personal Data
We keep and use personal information for as long as a living individual has a relationship with us.
We also hold it after this where we need to for complaints handling, for system back-ups needed for disaster recovery and for as long as we have to under regulations.
We confirm to a living individual how long we will keep personal information for when they avail of a single or specific service such as a quote or call-back on our website.
Living Individual’s Rights
Living individuals have a number of rights over their personal information which they can exercise free of charge by contacting us. We will need to verify the identity the data subject in line with our normal DP checks and we will respond within one month in line with the GDPR regulation. Any restrictions to their rights will be explained in our response.
• Right to Information
The information set out in our Privacy Notice. If we update the Privacy Notice, if we change the type of personal information we collect and / or change how we use it, we need to inform the living individual. We have controls in place to protect all personal information and minimize the risk of security breaches. However should any breaches result in a high risk for the data subject, we will inform them without delay.
• Right to Restrict or Object
Living individuals can restrict or object to any unfair and unlawful collection or use of their personal information. They can object to any automated decision making that has a legal or similar significant impact for them and ask for the decision to be made by a person. They can withdraw consent and object to, for example, direct marketing.
• Right to Correct and Update
Living individuals can ask us to correct and update personal information we hold about them. In order to provide them with the best service it is important we have their correct personal information, such as contact details.
• Right to Delete and Be Forgotten
Living individuals can have their personal information deleted if it is incorrect or has been processed unfairly or unlawfully. If they have withdrawn consent they can ask for their personal information to be deleted. We will keep a record of their request so we know why their personal information was deleted. If we have provided a regulated product or service to them, we must keep their personal information for a minimum period by law (e.g. 7 years).
• Right to Portability
Living individuals can ask for a copy of all personal information that they gave us (including through their interactions with us), and which we hold in an automated format. Living individuals can receive this in a machine readable format that allows them to keep it. They may also request us to send this personal information in a machine readable format to another company. The format will depend on our ability to provide this in a secure way that protects all the personal information. We will not likely be able to use a copy of any personal information sent to us in this way from another company because we can only collect personal information that we need.
• Right to Access
Living individuals have the right to know what personal information we hold about them and to receive a copy of their personal information.
We must tell them:
– why we hold it;
– to whom we pass it to, including whether we transfer it outside the EU;
– how long we keep it for;
– where we got it from; and
This right does not allow Living individuals to access personal information about anyone else other than themselves.
Please see sections on Data Access Requests and Data Info Enquiry.
Risk and Control Review / Assessment
The firm will effectively and periodically assess any gaps in our DP Policies; ensuring any and all revisions applicable to GDPR are updated. We will review our firms framework and best practices at least annually, and make any necessary changes and/ or provisions in order to fill any identified gaps.
We will sustain Data management through the monitoring, reviews and communication specific to our firms data protection framework e.g. recording, monitoring, retention of personal information, monitoring of clear desks, regular data protection training and awareness.
We will align our processes with the Data Protection Principles for any information requests, incident handling and legal compliance e.g. complaints, subject access request, breach reporting processes.
We will routinely review and assess both Internal and external threats to the firms data security.
The timeline for each review cycle should be determined by the firm but should take account of the level of risk associated with each process, ad hoc reviews resulting from a process failure, but also any regulatory or legislative updates as and when they occur. The outcome of the review will be a decision to revise, amend, consider recommendations or reconfirm and approve the existing process document.
Training
Fusion will be doing monthly training regarding data privacy and we will monitor all procedures monthly to ensure they are adhered to.
Queries
The Compliance Officer has responsibility for coordination and compliance relating to the administration of all data protection matters, including responding to general queries and requests by Data Subjects relating to personal data as well as requests for assistance from firm employees involved in collecting, storing and processing personal information.
Any queries relating to data protection issues, including requests by individuals for access to and/or correction of any personal data held by the firm and relating to such individuals should be directed to the Compliance Officer Name at Fusion Finance Marie Davey.
In order to comply with regulations and legislation and to give clarity to staff about their role and responsibilities in relation to data protection, the firm recognises the following terms an definitions;
• Data means information in a form that can be processed. It includes both automated data and manual data.
• Automated data means any information on computer, or information recorded with the intention that it be processed by computer rather than by human intervention.
• Manual data means information that is recorded as part of a relevant filing system or with the intention that it forms part of a filing system.
• Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible.
• Personal data means data, including sensitive personal data, relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the firm.
• Sensitive personal data relates to specific categories of data, which are defined as data relating to a person’s medical health, racial origin; political opinions or religious or philosophical beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership.
• Data Controller processes information about living people. The data controller must be in a position to control the contents and use of a personal data file, i.e. determine the purposes and means of the processing of personal data
• Data Processor is a body that processes personal data on behalf of a data controller
• Data Subject is an individual who is the subject of personal data (the living individual)
• Processing means performing any operation or set of operations on data, comprising;
• obtaining, assembling, organising and storing data,
• using, consulting and retrieving data,
• altering, erasing and destroying data,
• disclosing data.
While every effort is made to include words / explanations in this glossary that are relevant an contemporary, and consistent with current regulation and legislation, the list is not exhaustive and therefore if any there are any suggestions that any staff member would like added to this glossary, please notify the Compliance Officer.
