General Data Protection
Please read this policy carefully to understand our practices regarding your personal data and how we treat it. This policy tells you about two things. First, it is a privacy notice and tells you what to expect when we collect personal information from you. Second, it describes some of the risks that you should consider when you communicate with us electronically and the terms on which we do so.
Affirmative Investment Management Partners Limited is a company registered in England and Wales with company number 09077671. Affirmative Investment Management Partners Limited is authorised and regulated by the Financial Conduct Authority (‘FCA’) with Firm Reference Number 658030.
For the purposes of the General Data Protection Regulation (‘GDPR’), Affirmative Investment Management Partners Limited will be the ‘controller’ of the personal data you provide. Please read the following information carefully in order to understand the Firm’s practices in relation to new legislation and the treatment of your personal data.
Should you have any questions, concerns or complaints about the practices contained within this document or how the Firm has handled your data, please email: firstname.lastname@example.org. Alternatively, you may write to: Affirmative Investment Management, 7 Birchin Lane, London EC3V 9BW, UK.
GDPR - EU 2016/679 came into force on 25 May 2018 and replaces the Data Protection Directive (95/46/EC) which was transposed into UK law by way of the Data Protection Act 1998 (‘DPA’).
The GDPR applies to all firms that process personal data and, as a European Regulation, is directly binding upon Affirmative Investment Management Partners Limited (‘AIM’).
Although AIM has previously been subject to, and has complied with, the data protection requirements arising under the DPA, the GDPR sets higher requirements on the obligations of firms and the processing of personal data.
This policy also contains the following Annexes:
Annex II: Lawfulness of processing
Applicability to AIM
In the course of providing products/services, AIM may process details considered personal information. Some of this data may be required to satisfy legal obligations (eg to comply with money laundering regulations) whereas other information may be required for the provision of services to you. As set out in Annex I, personal data is any information relating to an identified or identifiable natural person, ie one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a file reference, etc.
Processing includes, but is not limited to, collecting, storing and using personal data. For the purposes of the GDPR, AIM will be primarily a ‘data controller’ but will also process personal data.
The data collected will vary depending on the service the Firm provides to you, or you provide to the Firm, but typically includes:
- Personal information such as your name, date of birth, passport number, driving licence number or national insurance number;
- Contact information, including your address, telephone number and email address.
This document sets out AIM’s policy for adherence to the GDPR and expected behaviours and applies to all of AIM’s employees and outsourced service providers when personal data is processed. Unless specified to the contrary, any reference to AIM processing data can also be read to refer to third parties that process data on behalf of AIM.
Personal data can be collected, in a fair and transparent manner, by AIM in respect of:
- Staff for the purposes of eg maintaining employment and sickness records, payroll, etc;
- Clients/investors (either actual or proposed);
- Firms providing services to AIM;
- For the Firm to comply with its legal and regulatory obligations.
AIM will only collect personal data where it is necessary and it will be processed in a manner that ensures appropriate security and in accordance with the ‘lawfulness of processing’ (‘legal basis’) obligations under the GDPR (see Annex II). Generally, personal data relating to clients/investors and the Firm’s employees will be for the purposes of ‘legitimate interests’. However, each case will be considered and determined in line with the ‘lawfulness of processing’ requirements. Where deemed appropriate, eg for marketing purposes, then freely given specific consent will be requested (see Annex II).
For these purposes ‘freely given’ means that the individual has made a positive decision to consent to the processing of their personal data. As such, a pre-ticked box or a general statement etc that consent is assumed will not be deemed to be freely given.
Where the provision of a service is conditional on consent being given to the processing of personal data that is not necessary for the provision of that service, eg a requirement to consent to the receipt of marketing material, then this will not be deemed to be freely given.
AIM will take all reasonable steps to ensure that personal data is accurate and, where necessary, kept up-to-date. It will be retained no longer than is necessary for the purposes for which it was collected, subject to any legal or regulatory obligations imposed upon AIM, such as record retention requirements as mandated by the Financial Conduct Authority.
As a regulated entity, the Firm is required to maintain its books and records for a prescribed period: five years from either the ceasing of a business relationship or, in the case of non-clients, from the making of a record and, in some instances where specifically requested to do so by the Financial Conduct Authority, for seven years. As such, information that falls within the scope of either of these requirements is retained in line with the mandated timeframe.
Informing data subjects
When personal data is collected directly from the data subject then that individual will be provided with the information required under the GDPR at the time the personal data are collected. This includes, but is not limited to, the purposes of the processing, the legal basis for the processing and whether there is an intention to transfer personal data outside the EU (‘third-country’) (see Annex III).
Where personal data is collected from someone other than the data subject then the latter will be informed of this in accordance with GDPR requirements.
Limitation of data collected and purpose
The collection of personal data by AIM will be limited to that necessary for:
- Providing services, including administration services, to clients/investors;
- The general day-to-day running of AIM;
- Marketing, including newsletters.
Special categories of data (‘sensitive data’)
The GDPR imposes further requirements on the processing of sensitive data. Such personal data includes eg that revealing ethnic origin, political opinions, criminal convictions and offences, etc. AIM neither collects nor processes such personal data.
Storage of personal data
AIM has comprehensive policies and procedures in place to ensure your personal data is kept safe and secure, with these including:
- Data encryption;
- Intrusion detection;
- 24/7 physical protection of the facilities where your data is stored (ie Microsoft’s UK data centres);
- Background checks for personnel who access physical facilities; and
- Security procedures across all service operations.
AIM makes use of services provided by various third parties (‘outsourcing’).
Due diligence on these providers has been undertaken by AIM to ensure they are able to meet the standards expected by AIM. Some of these entities will be involved in the transfer of, and the processing of, personal data on behalf of the Firm and, as such, will be ‘data processors’.
For such firms, the due diligence performed by AIM will include a review of the procedures and processes developed to ensure compliance with the GDPR and the security of personal data processed. In addition, processing of personal data will be governed by a contract whose terms are in accordance with that specified in GDPR.
The Firm will only utilise a third-country service provider for the processing of personal data where this is strictly necessary to facilitate our services to you. In such cases, the data subject will be notified when the data are collected (see ‘Informing data subjects’ above) and we will ensure service providers are fully compliant with GDPR ahead of transferring any personal data.
Transfers to a third-country are only permissible in limited situations, including:
- Where the European Commission has determined that the third-country offers equivalent protection for personal data (‘adequacy decision’);
- Where appropriate safeguards are in place such as contractual clauses authorised by the supervisory authority;
- Where the transfers will be subject to binding corporate rules (only relevant between members within a group of undertakings or engaged in a joint economic activity);
- Where the individual has explicitly consented to the proposed transfer after being made aware of the potential risks;
- Where the transfer is necessary for the performance, or conclusion, of a contract.
Rights of data subjects
The GDPR provides data subjects with the following rights:
- An individual has the right to confirmation of whether their personal data is being processed and, if such is the case, its purpose and envisaged storage period (‘right of access’);
- An individual has the right to require “without undue delay” rectification of inaccurate personal data (‘right to rectification’);
- An individual has the right to be forgotten, subject to the limited circumstances set out in GDPR, including when consent is withdrawn (‘right to erasure’);
- An individual has the right to restrict processing of personal data in certain circumstances, including where the accuracy of the data is contested by the individual (‘right to restriction of processing’);
- An individual has the right to receive personal data concerning the individual and the right to have it transmitted to another data controller (‘right to data portability’);
- An individual can object to the processing of personal data which is being processed on the basis of ‘legitimate interest’ unless the controller demonstrates compelling legitimate grounds. Where the processing is for direct marketing purposes then the controller must desist from any further processing for these purposes (‘right to object’);
- An individual has the right not to be subject to a decision based solely upon automated processing or profiling.
Not all of the above rights will be applicable to AIM’s business model, eg ‘profiling’, nor are they absolute – for example, the right to be forgotten will not apply to the extent that the processing is in compliance with a legal obligation. AIM will consider any such requests from data subjects on a case-by-case basis.
Communication with data subjects
Information provided to data subjects, whether as a result of the exercise of a data subject’s rights or when informing the individual that their personal data is being collected and its purpose, will be free of charge. However, where such requests are excessive or manifestly unfounded then AIM reserves the right to charge a reasonable fee.
Data Protection Officer
The appointment of a ‘Data Protection Officer’ (DPO) is required for those firms that process large amounts of sensitive data or that undertake regular and systematic monitoring of data subjects. As such, this obligation does not apply to AIM.
The Firm has appointed Michelle Smith to:
- Implement GDPR;
- Oversee the Firm’s continuing compliance with GDPR;
- Act as the focal point for the notification of any personal data breaches; and
- Act as the Firm’s contact person with the ICO.
Personal Data: The Role of AIM’s Employees
Although this Policy is based upon the Firm’s responsibilities under GDPR, all members of staff have a role to play in ensuring that AIM complies with these responsibilities.
Whilst the GDPR provides for the imposition of administrative fines for breaches of its obligations of up to €20m (or 4% of worldwide total turnover if higher) it is also, under UK law, an offence for a person to obtain, disclose or retain personal data without the consent of the controller.
Personal Data: Breaches
Any personal data breach(es) must be immediately notified to Michelle Smith or, in their absence, Duncan Tennant. Where possible, such notifications should include:
- The nature of the breach including categories and approximate number of data subjects concerned and data records concerned;
- A description of the likely consequences of the personal data breach;
- A description of any measures taken, or proposed, to address the data breach and to mitigate its possible adverse effects.
The Firm is required to notify the ICO within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where it is deemed that the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons then the data subjects must also be notified “without undue delay”. Exceptions to this requirement include:
- When the data affected is eg encrypted so that the data is unintelligible to persons not authorised to access it;
- If it would involve disproportionate effort, in which case a public communication, or similar measure, will be required;
- Where subsequent measures are taken to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
Michelle Smith will document and assess the breach to determine the need to alert data subjects and/or the ICO. An assessment will also be made of the need to inform the FCA as the supervisory authority for AIM’s day-to-day activities.
AIM may, from time to time, review and update this policy. The Firm will maintain the latest version of this policy on its website and will make you aware of any changes deemed to be material.
Important Information on Electronic Communications
When you receive an e-mail or other forms of electronic communication from Affirmative, please be aware the information contained in or accompanying that communication may be confidential, subject to legal privilege, or otherwise protected from disclosure and (unless it expressly states otherwise) it is intended solely for the use of the intended recipient. If you receive a communication from Affirmative and you are not the intended recipient of the communication, please delete it and destroy all copies in your possession, notify us that you have received the communication in error and note that any review or dissemination of, or the taking of any action in reliance on, any such electronic communication sent in error is expressly prohibited.
Right to request traditional delivery
If you have requested electronic delivery of any information, you have the right to request paper copies of any information that is sent to you electronically at any time after the consent noted below. No additional fees are charged for requesting paper copies after consenting to electronic delivery and, thereafter, you will receive paper copies.
Risk of interception, viruses and defects
Electronic communications may contain computer viruses or other defects, may not be accurately replicated on other systems or may be intercepted, deleted or interfered with without the knowledge of the sender or the intended recipient. Affirmative makes no warranty in relation to these matters. As a result, it may be that you are not comfortable with the risks associated with e-mail messages and other forms of electronic communication. If that is the case, please get in touch with your Affirmative contact and we will be pleased to arrange another means of communication with Affirmative.
Prohibition on publication and alteration of information
Unless you have the express written consent of Affirmative, you are not permitted to publish, transmit, or otherwise reproduce any information received from Affirmative, in whole or in part, in any format to any third party. In addition, you are not permitted to alter, obscure, or remove any copyright, trademark or any other notices that are provided to you in connection with the information. Affirmative reserves the right, at any time and from time to time, in the interests of its own editorial discretion and business judgement to add to, modify, or remove any of the information delivered to you.
Affirmative rights in respect of information
Unless there is express written agreement with Affirmative to the contrary, no information sent to you is intended to, and will not, transfer or grant any rights in or to that information and all rights not expressly so granted herein are reserved by Affirmative or, if applicable, the third party providers from whom Affirmative has obtained the information.
No warranties made as to content; responsibilities to update
Neither Affirmative nor its third party providers make any warranty, express or implied, concerning electronic communication. If you elect to receive electronic communications, that is at your sole risk. Affirmative expressly disclaims any implied warranty of satisfactory quality or fitness for a particular purpose, including any warranty as to the use or the results of the use of information with respect to its correctness, quality, accuracy, completeness, reliability, performance, timeliness, or continued availability.
Content not to be construed as a solicitation or recommendation
Unless it is expressly agreed between the parties to the contrary, material provided electronically is for information purposes only without regard to the particular recipient’s investment objectives, financial situation, or means. Affirmative is not soliciting any action based upon it. Any such material is not to be construed as a recommendation, or an offer to buy or sell, or the solicitation of an offer to buy or sell any security or financial product in any jurisdiction in which such an offer or solicitation, or trading strategy would be illegal. You should neither construe any of the material contained in an electronic communication as legal, regulatory, tax, or accounting advice nor make any services provided by us the primary basis for any investment decisions made by you or your advisers.
No representations made as to other sites or links
Our electronic communications may provide links to certain Internet sites ("Sites") maintained by third parties. In this case, Affirmative is providing such links solely as a convenience to you. Accordingly, Affirmative makes no representations concerning the content of the Sites. The fact that Affirmative has provided a link to the Sites does not constitute an endorsement, authorisation, sponsorship, or affiliation by Affirmative with respect to the Sites, their owners, or their providers.
Changes to our policy
This policy provides a general overview of the ways in which we seek to protect your personal information and important information on electronic communication. Please be aware that we may request certain further confidentiality arrangements be put in place in respect of your interaction with us, especially when we believe there is a risk such information could be material price sensitive information. This policy may be changed from time to time to reflect changes in our practices concerning the collection and use of personal information. The revised policy will be effective immediately upon posting to our website.
This version of the Policy is effective 25th May 2018.
Affirmative Investment Management Partners Limited
7 Birchin Lane
+44 203 949 6900