This Privacy Notice is intended to be read in conjunction with your Terms of Business, Terms and Conditions or Letter of Engagement with us. It sets out the way we collect and look after your personal data, in line with the General Data Protection Regulation (GDPR).
Scrutton Bland Group is a diverse group offering many services so not all examples given in the following text will apply to the service provided to you.
Data controller (“us / we / the Group”): Scrutton Bland (a partnership), including Scrutton Bland LLP, Scrutton Bland Insurance Brokers Limited and Scrutton Bland Financial Services Limited.
Data Subject (“you / your”): You and where applicable, your employees, co-trustees, colleagues, clients, pupils, advisers, agents or family members whose Personal Data we hold.
Data Processor (“the Processor(s)”): Business or individual processors we may pass your personal data to, in order to fulfil our contract or proposed contract with you.
Introducer (“the Introducer(s)”): Businesses or individuals we may receive your personal data from in order to advise you.
Data Protection Partner, Paul Goddard
We collect, store and process your personal data. This personal data may be held by the Group on paper or in electronic format.
We are committed to being transparent about how we look after your personal data, to protecting your privacy and security, and to meeting our obligations under the UK General Data Protection Regulation and the Data Protection Act 2018. The purpose of this Privacy Notice is to make you aware of how and why we collect and process your personal data before, during and after our contract with you.
What types of personal data do we collect about you?
Personal data is defined as any information about an individual from which that person can be directly or indirectly identified. There are also “special categories” of personal data requiring a higher level of protection because the data is of a more sensitive nature. The special categories of personal data comprise information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.
We may collect, use and process or pass to Data Processors a range of personal data about you. This may include personal data related to:
- your contact details, including your name, address, telephone number and personal e-mail address, your emergency contact details/next of kin, your date of birth and your gender.
- information about your use of our IT systems, our websites, telephone numbers and e-mail.
- your preferences in receiving marketing data from us and your communication preferences.
- photographs which may be taken at events and seminars.
In certain circumstances we may also collect, use and process, or pass to Data Processors, the following special categories of your personal data (as applicable):
- information about your health and biometrics
- information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation
- information about criminal convictions and offences
How do we collect your personal data?
We may collect personal data about you in a variety of ways. This may include data collected during our work, or proposed work, for you either directly from you or sometimes from an Introducer or other Data Subject such as an employer or business partner. We may also collect personal data from other external third parties, such as references from former advisers, information from background checks and identity check providers, information from credit reference agencies and information from Companies House.
Your personal data may be stored in different places, including within our IT systems and our Data Processor’s systems, on our premises and within our storage facilities.
Why and how do we use your personal data?
We will use your personal data within the Group in one or more of the following circumstances:
- where we need to do so to perform the contract for services we have entered into with you, or where we are preparing for such a contract or have fulfilled a contract
- where we need to comply with a legal, regulatory requirement or professional governing body obligation
- where, in respect of marketing, you have opted-in to our marketing preferences
- where it is necessary for our legitimate interests (or those of a Processor, Introducer or third party), and your interests or your fundamental rights and freedoms do not override these interests.
Why and how do we use special category personal data?
We will only collect and use special categories of personal data when the law, regulatory requirements or professional governing bodies require us to do so, or when it is required to enable us to fulfil our contract with you.
We may process special categories of personal data.
We may also occasionally use your special categories of personal data, where it is needed for the establishment, exercise or defence of legal or regulatory claims or in association with insurance or anti-Money Laundering processes.
Change of purpose
We will only use your personal data for the purposes for which we collect and retain it. If we need to use your personal data for a purpose other than that for which it was collected, we will provide you with information about the new purpose prior to that further processing. You may request the legal basis which allows us to process your personal data for the new purpose at any time.
Who has access to your personal data?
Your personal data is shared internally within the Group. We may share your personal data with third parties and Data Processors where it is necessary to administer the contract we have entered into with you, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third party). Third parties may include IT and cloud service providers, other professional advisory firms, insurance and investment companies and HMRC.
How does the Group protect your personal data?
The Group has put measures in place to protect the security of your personal data. These are internal policies, procedures and controls which are there to minimise the risk of your personal data being accidentally lost or destroyed, altered, disclosed, or used or accessed in an unauthorised way. In addition, we limit access to your personal data to those who have a clear business need. You can obtain further information about these measures from the Data Protection Partner. Where your personal data is shared with third parties and Data Processors, we require all such third parties and Data Processors to take appropriate technical and organisational security measures to protect your personal data, and to treat it subject to a duty of confidentiality and in accordance with data protection law. We allow them to process your personal data only for specified purposes and in accordance with our written instructions. We do not allow them to use your personal data for their own marketing purposes. The Group also has procedures in place to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (and/or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
How long does the Group keep your personal data?
This section of the Privacy Notice replaces any former reference in your current arrangements with us in respect of Retention of Data or Information. The Group will only retain your personal data for as long as is necessary to fulfil the purposes for which it was collected and processed.
This includes the purposes of satisfying any legal, tax, health and safety, reporting, regulatory or accounting requirements. The Group will usually hold your personal data for six years following the year in which it was initially processed, with the following exceptions:
- personal data relating to anti-Money Laundering or proof of Identity
- personal data relating to pensions or trust deeds will be retained for an unlimited period. However, we may write to you and propose that you retain this information in our place.
- Due to our own back-up arrangements, electronic data held on-premise will be retained for an additional year. Where your personal data is held in an archive containing data that cannot easily be separated and may contain other data requiring to be held for a longer period, we may, at our discretion, retain the full filing for longer than six years in reflection of this. For clarity, it should be noted that such personal data may be held by us or Data Processors, in electronic or paper format, on our premises or at any storage premises used by us.
- In the event that we collect your personal data but you do not become a client or you are no longer a client, we will retain your personal data for one year, or longer, where required to do so by law or regulatory needs. Personal data which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems as far as practicable.
Your rights in connection with your personal data
It is important that the personal data we hold about you is accurate and up to date.
Please keep us informed if your personal data changes e.g. you have a new home or email address. The Group cannot be held responsible for any errors in your personal data in this regard unless you have notified the Group of the relevant change.
As a Data Subject, you have a number of statutory rights. Subject to specific conditions, and in certain circumstances, you have the right to:
- receive a copy of the personal data we hold about you
- request rectification of your personal data
- request the erasure of your personal data
- restrict the processing of your personal data
- object to the processing of your personal data
- request the transfer of your personal data to another party
Should you wish to exercise any of these rights, please write to our Data Protection Partner. In the limited circumstances where you have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. If you believe that the Group has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues. The ICO website is www.ico.org.uk
Transferring personal data outside the European Economic Area
The Group may transfer your personal data to countries outside the European Economic Area (EEA) where there is an adequacy decision by the European Commission in respect of those countries. This means that the countries to which we transfer your personal data are deemed to provide an adequate level of protection for your personal data.
Changes to this Privacy Notice
The Group reserves the right to update or amend this Privacy Notice at any time. We will publish a new Privacy Notice when we make significant updates or amendments.
Contact
If you have any questions about this Privacy Notice or how we handle your personal data, please contact us:
By email: firstname.lastname@example.org
By letter: Paul Goddard, Scrutton Bland, Fitzroy House, Crown Street, Ipswich IP1 3LG