
Data Protection Policy

PURPOSE

 

Magna Money is committed to being transparent about how it collects and uses the personal data of our workforce, and to meeting its data protection obligations. This policy sets out Magna Money’s commitment to data protection, and individual rights and obligations in relation to personal data.

 

This policy applies to the personal data of job applicants, employees, volunteers, interns, apprentices and former employees, referred to as HR-related personal data. This policy does not apply to the personal data of clients or other personal data processed for business purposes.

 

Magna Money has appointed Liam Windsor Brown as the person with responsibility for data protection compliance within the organisation; he can be contacted by emailing gdpr@magnamoney.co.uk. Questions about this policy, or requests for further information, should be directed to him; he will act on behalf of Magna Money.

 

DEFINITIONS

 

“Personal data” is any information that relates to a living individual who can be identified from that information. “Processing” is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

 

“Special categories of personal data” relates to information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic and biometric data.

 

“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

 

DATA PROTECTION PRINCIPLES

 

Magna Money processes HR-related personal data in accordance with the following data protection principles:

 

Magna Money processes personal data lawfully, fairly and in a transparent manner.

Magna Money collects personal data only for specified, explicit and legitimate purposes.

Magna Money processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.

Magna Money keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.

Magna Money keeps personal data only for the period necessary for processing.

Magna Money adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.

 

 

Magna Money informs individuals of the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons. Where Magna Money relies on its legitimate interests as the basis for processing data, it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.

 

Where Magna Money processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data and criminal records data.

 

Magna Money will update HR-related personal data promptly if an individual advises that his/her information has changed or is inaccurate.

 

Personal data gathered during the employment, volunteer relationship, apprenticeship or internship is held in the individual’s personnel file (in hard copy, electronic format, or both), and on HR systems. The periods for which the organisation holds HR-related personal data are contained in its privacy notices to individuals.

 

Magna Money keeps a record of its processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

 

INDIVIDUAL RIGHTS

 

As a data subject, individuals have a number of rights in relation to their personal data.

 

SUBJECT ACCESS REQUESTS

 

Individuals have the right to make a subject access request. If an individual makes a subject access request, we will tell him/her:

 

Whether or not his/her data is processed and, if so, why; the categories of personal data concerned; and the source of the data if it is not collected from the individual.

To whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers.

For how long his/her personal data is stored (or how that period is decided).

His/her rights to rectification or erasure of data, or to restrict or object to processing.

His/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights.

Whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.

 

 

Magna Money will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically unless he/she agrees otherwise.

 

To make a subject access request, the individual should send the request to gdpr@magnamoney.co.uk. In some cases, Magna Money may need to ask for proof of identification before the request can be processed. We will inform the individual if we need to verify his/her identity and of the documents we require.

 

We will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the organisation processes large amounts of the individual’s data, we may respond within three months of the date the request is received. We will write to the individual within one month of receiving the original request to tell him/her if this is the case.

 

If a subject access request is manifestly unfounded or excessive, Magna Money is not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, we will notify him/her that this is the case and whether or not we will respond to it.

 

OTHER RIGHTS

 

Individuals have a number of other rights in relation to their personal data. They can require Magna Money to:

 

Rectify inaccurate data.

Stop processing or erase data that is no longer necessary for the purposes of processing.

Stop processing or erase data if the individual’s interests override Magna Money’s legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data).

Stop processing or erase data if processing is unlawful.

Stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override Magna Money’s legitimate grounds for processing data.

 

 

To ask us to take any of these steps, the individual should send the request to gdpr@magnamoney.co.uk.

 

DATA SECURITY

 

Magna Money takes the security of personal data very seriously. Magna Money has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure and to ensure that data is not accessed, except by employees in the proper performance of their duties. Our data is safely secured with limited access given to required staff. No individuals outside of Magna Money are given access to our systems. Where we engage third parties to process personal data on our behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

 

IMPACT ASSESSMENTS

 

Some of the processing that Magna Money carries out may result in risks to privacy. Where processing would result in a high risk to individuals’ rights and freedoms, we will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

 

DATA BREACHES

 

If Magna Money discovers that there has been a breach of HR-related personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. We will record all data breaches regardless of their effect.

 

If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about the likely consequences and mitigation measures it has taken.

 

INTERNATIONAL DATA TRANSFERS

 

Magna Money will not transfer HR-related personal data to countries outside the EEA.

 

INDIVIDUAL RESPONSIBILITIES

 

Individuals are responsible for helping Magna Money keep their personal data up to date. Individuals should let us know if data provided to Magna Money changes, for example, if an individual moves house or changes his/her bank details.

 

Individuals may have access to the personal data of other individuals and of our clients in the course of their employment, volunteer period, internship or apprenticeship. Where this is the case, Magna Money relies on individuals to help meet its data protection obligations to team members and to clients.

 

Individuals who have access to personal data are required:

 

To access only data that they have authority to access and only for authorised purposes.

Not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation.

To keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction).

Not to remove personal data, or devices containing or which may be used to access personal data, from the organisation’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device.

Not to store personal data on local drives or on personal devices that are used for work purposes.

To report data breaches of which they become aware to gdpr@magnamoney.co.uk immediately.

 

 

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

 

TRAINING

 

Magna Money will provide training to all individuals about their data protection responsibilities as part of the induction process.

 

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

Client Policy

The new General Data Protection Regulation (GDPR) becomes effective on 25th May 2018, and all organisations that process personal data must ensure they are compliant with the regulations and principles.

 

We must make sure that:

 

We are lawful, fair and transparent in the way that data is processed

Personal data is used for a specific purpose

We only record the data that is required

We meet our duty to keep the data accurate

Data is only kept for as long as is required

All data is stored securely

This Privacy Notice will detail how we comply with the above principles as well as your rights as the data owner.

 

 

WHO ARE WE?

 

Magna Money offers highly tailored funding options to the business community. Our highly experienced and nation-wide “money mavens” provide the funding needed today, but work in collaboration with businesses and their goals, for years to come.

 

WHAT DATA DO WE COLLECT?

 

Personal data refers to any data that can be used to identify a natural person and we only process personal information that is required for us to carry out our business dealings for the customer.

 

For Clients

 

Depending on your relationship with us and the services we are providing, we may collect a combination of the information detailed below (please note this list is not exhaustive):

 

Company address

Personal address

NI number

Date of birth

Bank account information

Personal/sales invoices

Copies of ID

Contact number

Website

Email address

Job titles

Salary details

Student loan information

Gender

Marital status

Nationality

Criminal record information

Personal Assets and liabilities

 

 

We process relevant and required information regarding your company and employees to accurately provide services to you. The types of information listed above will only be obtained if they are directly applicable to your situation and the services requested from us. To enquire about any personal information we may retain about you, you can email us at gdpr@magnamoney.co.uk.

 

For Suppliers:

 

To ensure the smooth running of the business, we hold a small amount of supplier information. This information identifies contact individuals within your business, including but not limited to:

 

Contact name

Business address

Contact number

Email address

 

 

Bank details or other preferred method for payment to compensate services rendered for a reasonable time after the transaction. This may include, but is not limited to, invoices, contracts and emails regarding details of services used by Magna Money Limited.

 

HOW DO WE COLLECT YOUR DATA?

 

The data we hold is legitimately gained either through direct contact with the customer, to ensure accurate and relevant information is given with the full consent of the individual or company, or through a 3rd party. For any 3rd parties that we use to gather information (such as lead generation), we ensure that we only use GDPR-compliant companies and will not hold any data that has not been scrutinised as such. The ways we collect data include but are not limited to:

 

For Clients:

 

Receiving calls from yourself in relation to any services within your business.

Conducting any relevant service for your business.

Team members contacting you by means of business development activity.

Attending business networking events with clients.

When you have been identified as a reference provider.

 

 

For Suppliers:

 

When a purchase has been made.

Information provided on your invoice, contract or email

 

 

WHAT IS OUR LEGAL BASIS FOR PROCESSING YOUR DATA?

 

We hope you will agree that we have your best interests at heart when you provide your data and we will ensure your data is kept safe. GDPR states that we are required to let you know under which legal basis your data is processed. We are using Legitimate Interest as our legal basis for processing.

 

Legitimate Interest – Article 6(1)(f) details:

 

“processing is necessary for the purpose of the legitimate interest pursued by the controller or by the third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”

 

For Clients:

 

We want to make sure that we provide you with the best possible service so we hold data on you and contacts within your business that we may need to speak to. In addition, we also log details of conversations, emails sent and received, meetings and other business communication.

 

For Suppliers:

 

In order to ensure prompt payment for services you have provided we will need to hold certain information on you and your business so that payments can be made within the required timescales.

 

For all the above, we feel this data is necessary for our legitimate interest as a Financial Services Business to provide a comprehensive service to our clients and employees.

 

WHY DO WE COLLECT YOUR DATA?

 

Our core business activity is to provide clients with financial advice and accountancy services. To accomplish this, we gather personal information regarding the contact at the business, including full name, position within the business, email address, phone contact details and other information freely given by the contact.

 

HOW DO WE USE YOUR DATA?

 

For Clients:

 

In order to provide the best service to clients, your data may be used in one or more of the following ways:

 

Storing and updating your information on our client system so that we can contact you in relation to business activity.

Make contact in relation to business activity, either by email, telephone or in person.

Marketing information about events we are holding that may be of interest to you.

Marketing information in relation to the services we can provide.

Keeping records of conversations, emails and meetings to refer to if needed in relation to any dispute.

For some of the above activities your consent is required and for more information on how we get and manage your consent please refer to section 11 in this document.

 

 

WHO DO WE SHARE YOUR DATA WITH?

 

In some circumstances, we may need to share your details with a 3rd party for us to be able to provide you with our services. This would include:

 

HMRC

Companies House

Pension providers

Investors

Banks

Legal entities upon court request

Mortgage providers

Letting agencies

 

 

HOW DO WE SAFEGUARD YOUR DATA?

 

Your data is of the utmost importance to us and as such we ensure all relevant security is in place to keep your data safe and protected from any potential threats.

 

For more information on how we do this, please refer to our Data Protection Policy.

 

However, if you think we have not taken care of your data or if it has been misused, our contact information can be found at the end of this document.

 

HOW LONG DO WE KEEP YOUR DATA FOR?

 

We retain your information as long as the information is required and pertinent. This would either fall under our legitimate business interest of an on-going business relationship or for legal obligations.

 

The following information has a legal requirement to be kept for a predetermined amount of time, regardless of active services retained with us:

 

HMRC records – 6 years

Payroll information – 7 years

Accounts information – 7 years

Pension transfer – 7 years

Final salary pension transfer – kept indefinitely

 

 

YOUR RIGHTS

 

GDPR provides the following rights.

 

THE RIGHT TO BE INFORMED

 

You have the right to be informed about the collection and use of your personal data and you must be provided with certain information, including the purpose for processing your personal data, our retention periods for the data and who it will be shared with. All this information is provided by means of this Privacy Notice.

 

THE RIGHT OF ACCESS

 

You have the right to access your personal data and any supplementary information. This is known as a Data Subject Access Request (DSAR) and when received by our designated Data Controller, we are legally required to provide this information within one month. This information will be provided free of charge unless we feel the request is manifestly unfounded or excessive, particularly if it is repetitive. A fee may also be charged if further copies of the same information are requested.

 

THE RIGHT TO RECTIFICATION

 

You have the right to have any inaccurate personal data rectified if incomplete or incorrect. You can request this to be done verbally or in writing and we have one calendar month to respond once this has been passed to the designated Data Controller. There is no fee attached to this request; however, if we feel the request is manifestly unfounded or excessive, particularly if it is repetitive, we can charge a fee or refuse the request. If either of these applies, we will provide you with our reasons for such action.

 

THE RIGHT TO ERASURE

 

This is also known as the right to be forgotten. You have the right to have your personal data erased if:

 

The data is no longer necessary for the reason it was originally collected or processed.

Your data has been processed for legitimate interest and you object to the processing of your data and we cannot provide an overriding legitimate interest to continue processing.

The data has been processed unlawfully (in breach of GDPR).

Data must be erased to comply with a legal obligation.

 

 

If we process your data for one of the following reasons, the right to erasure does not apply:

 

To exercise the right of freedom of expression and information.

To comply with a legal obligation.

For the performance of a task carried out in the public interest.

For archiving purposes in the public interest, scientific research, historical research or statistical purposes.

In the defence of a claim.

 

 

THE RIGHT TO RESTRICT PROCESSING

 

You have the right to restrict the processing of your data in certain circumstances. When processing is restricted we may store enough information to ensure future restriction is respected. We will stop processing data if:

 

You do not agree with the accuracy of your personal data.

The data has been unlawfully processed.

To establish or defend a legal claim.

You object to our legal ground for processing your data.

 

 

We can only continue to process your data when the above has been resolved and we will inform you before any restriction is lifted. If your data is restricted it can only be retained if:

 

You give your consent to processing.

It is in defence of a legal claim.

It is for the protection of another person.

It is for reasons of important public interest.

 

 

THE RIGHT TO DATA PORTABILITY

 

You have the right to transfer your details across different services. This right only applies if:

 

The data has been provided to a controller by an individual.

Processing is based on consent or for the performance of a contract.

Processing is carried out by automated means.

When we receive a portability request we must respond within one month of the Data Controller being notified and no fee is applicable. We must provide the information in a structured, commonly used and machine-readable form.

 

 

THE RIGHT TO OBJECT

 

You can object to the processing of your data when it is processed under one of the following reasons:

 

Our legitimate interest.

Performance of a task in the public interest/exercise of official authority.

Direct marketing.

Processing for scientific/historical research or statistical purposes.

 

 

Within 1 month of notification of this request, we must stop processing your data unless:

 

We can demonstrate compelling legitimate grounds for processing which override your interest.

It is being processed for the establishment, exercise or defence of a legal claim.

If your objection relates to direct marketing we will ensure your details are either removed or adjusted, in line with your request as promptly as possible. This process can be started by either clicking “unsubscribe” on the marketing email or emailing gdpr@magnamoney.co.uk.

 

 

If your data has been shared with a third party and you request one of your “rights” listed above, we will notify them and act upon the requirements of your request unless this is not possible or involves disproportionate effort.

 

CONSENT

 

As a business, and to comply with Article 6 of GDPR, we have agreed that the legal basis for processing your data will be (depending on your relationship with us) either “Legitimate Interest” or “Contract”. As well as complying with the GDPR, in relation to direct marketing we must comply with the Privacy and Electronic Communications Regulations (PECR).

 

However, in certain circumstances, we are required to have your consent to perform certain activities. This consent can be given in the form of an opt-in or soft opt-in option.

 

We must ensure that your consent is freely given, that you understand what you are consenting to, and that you are able to opt out and back in at any time.

 

You can opt in or out verbally during any client meeting. If you have opted in and wish to opt out, you can click on the link provided in one of our marketing emails or contact us using the methods listed below.

 

CONTACT DETAILS

 

If you need to contact us for any reason regarding your data, our details are:

 

ADDRESS

 

62-66 Deansgate, Manchester, M3 2EN

 

CONTACT NUMBER

 

0333 222 444 5

 

EMAIL ADDRESS

 

gdpr@magnamoney.co.uk

 

Please title any post and/or email “In relation to GDPR” to ensure it is passed to the correct person. Emails or calls made to other Magna Money Limited employees outside of these methods may not promptly reach the Data Controller to issue a response.
