General Data Protection Statement
This General Data Protection Statement (Statement) provides information on how we process personal data in our dealings with you, including:
- when you visit www.jameshay.co.uk (our website) and our secure portal, James Hay Online
- how we manage your marketing preferences and any email updates you request from us
- if you visit any of our offices.
If you have a product with us, please refer to our Data Protection Statement - James Hay Products for information on how we process your personal data as part of our product with your client.
Our controller is James Hay Partnership Management Limited, who can be contacted at:
James Hay Partnership
St. Paul’s Road
03455 212 414
If you have a product with us, the controller is stated in the table at the end of the Data Protection Statement depending on which product you have with us.
The personal data we collect can be from information provided by you or any third parties you instruct on your behalf. The personal data we collect about you may include (directly or indirectly):
- Your contact details such as name, title, addresses, telephone numbers and email addresses
- Voice recordings of any telephone conversations you have with us (see further below)
- Data in relation to your preferences in receiving marketing communications from us or our third parties on our instructions
- Certain technical data, including internet protocol (IP) address, MAC address, your login data (if you have signed up to use James Hay Online), browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website
- Your marketing preferences and any survey responses you provide us
- Information about how you use our website and James Hay Online
- We may collect further personal data from you if you take out a product with us – please refer to the Data Protection Statement - James Hay Products for further information.
Special categories of personal data and criminal convictions and offences data
Unless you have a product with us, we do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Your marketing preferences
We may also ask for personal data optionally, such as in relation to us sending you direct marketing communications.
You have a right to withdraw consent at any time by letting us know. If you do this, we will no longer process your personal data for the reasons originally agreed, unless there is another lawful basis for doing so.
We also process aggregated data such as statistical data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your information about how you use our website or James Hay Online to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Statement.
We use different methods to collect personal data including through:
- Interactions with you. You may give us your identity and contact data by filling in forms or by corresponding with us by post, phone, email, when you visit our premises or otherwise. This includes personal data you provide when you:
  - Deal with us in respect of any commercial relationship you have with us directly or on behalf of any customer of our products or services
  - Attend any of our offices
  - Subscribe to our email updates service
  - Request marketing information to be sent to you
  - Provide us with information in relation to any market research, such as surveys you take part in
  - Give us feedback generally.
- Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:
  - Certain technical data from analytics providers, such as Google based outside the EU, and search information providers
  - Certain identity and any contact data from publicly available sources such as Companies House, the Electoral Register based inside the EU and via social media websites such as Facebook and LinkedIn (see further below).
Monitoring your communications with us
We monitor and record your communications with us in accordance with applicable laws. This includes telephone calls, emails, secure messaging on James Hay Online, letters, faxes and any social media communications with us. We do this for the purposes of complying with legal obligations, to prevent and detect crime, quality control and monitoring purposes, to protect the security of our communication systems as well as our procedures and when we need to consider a record of what has been communicated.
James Hay Online
If you sign up to use James Hay Online, we will collect personal data about you during the sign up process and in our day to day dealings with you. Such personal data will only be used for Contractual, Legal or Legitimate Interests Purposes or otherwise based on your consent.
We use social media websites, such as Facebook and LinkedIn, to interact with businesses and the public. If you choose to interact with us (including in respect of any competitions we run on social media), we may receive and store personal data from you, including the messages that you send to us in public or directly via the social media’s messaging system for proper governance and audit purposes.
We are not responsible for the security or protection of any personal data collected by social media websites. Please review the data protection statements and any policies of those websites before you use them.
Third party links
Our website may include links to third parties’ websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their data protection obligations. When you leave our website, we encourage you to read the data protection statements of each website you visit.
Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the commercial contract we have entered into with you, or in order to take steps, at your request, prior to entering into the commercial contract (“Contract Purposes”)
- Where we need to comply with a legal or regulatory obligation (“Legal Purposes”)
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (“Legitimate Interests Purposes”)
We rarely rely on consent as a legal basis for processing personal data other than in relation to, for example, sending direct marketing communications to you (where you have opted-in to receive them).
You have the right to withdraw your consent at any time by contacting us using the details in this document.
Depending on our commercial relationship with you, your personal data may be used for the following purposes (which may overlap):
- To run our commercial relationship with you including taking steps, at your request, prior to agreeing our commercial relationship with you
- To communicate with you in the day-to-day running of our commercial relationship with you
- To update our records
- To provide personal data to others where it is necessary in the running of our relationship with you and for legal and regulatory purposes and related disclosures (which may mean passing your personal data to other James Hay Group companies including shareholders, reinsurers, investment managers, investment providers and other third parties involved in the servicing of your relationship with us)
- When you contact us regarding exercising your rights under data protection laws
- We may keep your personal data after our relationship has ended in accordance with applicable laws
- For prevention, detection, investigation and reporting of crime, which may include providing your personal data to fraud prevention agencies
- To monitor your communications with us (see further below)
- For information security purposes
- To contact you about our relationship with you
- To comply with orders of the courts of competent jurisdictions, and for the establishment and defence of legal rights.
Legitimate Interests Purposes:
- To ensure good and proper governance, administration, auditing, management of our business and our relationship with you
- To conduct market research, analysis and to compile statistics to improve our products and services
- To conduct marketing communications, subject to applicable laws
- To monitor your communications with us (see further below)
We may ask for your consent. For example:
- For certain direct marketing communications
- For market research purposes
You are free to withdraw your consent at any time.
We will share your personal data with others, including third party service providers and other entities in the James Hay Group of companies and its parent companies, subject to applicable laws. We require third parties to respect your personal data and to treat it in accordance with the law.
When we share personal data with third parties
We will share your personal data with third parties when required by law, when performing a contract with you, when we have a legitimate interest to do so or otherwise with your consent.
Who we will share your personal data with
We may share your personal data with:
- James Hay Group companies including parent companies (IFG Group Limited and its subsidiaries)
- Third party subcontractors who help us provide our services to you, such as IT services companies
- Other companies involved in providing services to us
- Our professional advisers, including accountants, auditors and lawyers
- Governmental, regulatory and taxation bodies, such as the ICO, FCA and HMRC
- Fraud prevention agencies
- Market research companies for the purposes of improving our services
- Mail and print companies for the purposes of contacting you
- Any other third party permitted by law and in the following circumstances:
  - To protect the security of our business
  - To comply with courts of competent jurisdictions
  - In an emergency situation, in order to protect your vital interests
  - If we sell, merge, restructure or otherwise re-organise our business
  - When dealing with third parties upon your instructions
All our UK and EU third party service providers and other entities within the James Hay Group of companies and their parent companies must comply with data protection laws. We do not permit third party processors to use your personal data for their own purposes. We require third party processors to process personal data in accordance with our instructions.
Transferring data outside the EU
We share your personal data within the James Hay Group, including its parent company IFG Group Limited and its subsidiaries.
Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following is implemented:
- You have provided your explicit consent
- The country receiving personal data is deemed to provide an adequate level of protection for personal data by the European Commission
- Specific contracts approved by the European Commission are in place which give personal data the same protection it has in the EU
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
How we will keep your data secure
James Hay has in place appropriate measures designed to keep your data secure, preventing it from being lost, stolen, altered, used, accessed or disclosed in an unauthorised way.
These measures include:
- Limiting access of your personal data to only individuals that have a genuine need to see it
- Only allowing these individuals to use your data in accordance with your/our instructions
- Having procedures in place to deal with any suspected or confirmed breaches of our Statement.
Security of data
- James Hay Online operates from secure systems. Because you are accessing personal details, we have also added extra layers of security for your added peace of mind. It uses the latest encryption technology in an effort to ensure that information passing between your PC and our servers is secure and cannot be accessed by anyone else. The 128-bit encryption that we use is supported by the latest web browsers available from Microsoft and the Mozilla Foundation.
- We use the Secure Sockets Layer (SSL) protocol while you are logged in. If you are using Internet Explorer, this is indicated by the padlock in the bottom of your browser window. The secure areas of our website are used when you have to access personal data. The secure areas of the website can be identified by the address in the top of your browser. An encryption-enabled address will begin https:// rather than the usual http://.
- In order to access your login we require 3 pieces of information from you to verify that you are authorised to view the details. First a user ID is required, secondly a password is needed and finally a passcode. Only once all three parts of the data are confirmed as being correctly entered will we allow access to the system.
- All our online transactional services are protected by ‘firewalls’. This technology monitors and prevents any unauthorised access to our back-end systems in an effort to ensure that unauthorised users cannot access any account/personal details.
Under certain circumstances, by law you have the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request corrections to the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party. Please contact us.
- Make a complaint to the Information Commissioner’s Office (ICO). You have a right to complain to the UK’s data protection supervisory authority – the ICO. We have provided contact details for the ICO below.
If you want to exercise your rights, please contact us using the details above.
You will not have to pay a charge to access your personal data (or to exercise any of the other rights). However, we may make a reasonable charge if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed.
Please keep us informed
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Automated decision making
James Hay does not conduct automated decision making. Automated decision making is where personal data is used to make decisions without any human intervention, for example banks using credit scoring for credit card and loan applications.
The Information Commissioner’s Office
You can obtain general data protection information or exercise your right to make a complaint if you feel we have not handled your personal data correctly, by contacting the Information Commissioner’s Office at:
Information Commissioner’s Office
0303 123 1113
‘Cookies’ are small files of letters and numbers stored on your Internet browser or the hard drive of your computer.
A ‘controller’ determines the reasons for and method of processing your personal data. A controller will normally process your personal data, but may appoint another person or company to process your personal data on the controller’s behalf.
The Financial Conduct Authority (FCA) is the regulator of the financial services industry in the UK.
Her Majesty's Revenue and Customs (HMRC) is responsible for the collection of taxes in the UK.
The Information Commissioner's Office (ICO) is the supervisory authority responsible for monitoring adherence to data protection regulations in the UK.
‘Personal data’ is information which by itself or combined with other information, can be used to identify you.
A ‘processor’ processes personal data on behalf of the controller. For James Hay, this is a company within the James Hay Group or a third party in certain instances. Where a third party processor processes personal data on your behalf, we will ensure that we comply with the law