Data Protection Policy

Policy information

Organisation

The Data Controller is Messels Limited, a limited company registered in England and Wales (registration number 5186821), the registered office of which is at 66 Prescot Street, London E1 8NN. You can contact the data controller by writing to Messels Ltd, Office 2, Clock Barn Farm, Godalming, Surrey GU8 4AY or sending an email to tim@messels.com.

Messels has no Data Processors in relation to personal data, i.e. any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Policy operational date

01/05/2018 

Policy prepared by

Tim Parker, the Data Protection Officer. 

GDPR

The European General Data Protection Regulation comes into force on 25th May 2018 and is the basis of this Data Protection Policy.

Introduction

Purpose of policy

This Data Protection Policy sets out how we, Messels Limited, collect, store and use information about you when you use our website, https://messels.com and where we otherwise obtain or collect information about you.

The reasons for the policy are to comply with the law, follow good practices, protect clients, staff and other individuals and protect the company.

Types of data

We collect individual information from our company staff and individual and company information from our Appointed Representatives and consumers of our research.

Policy statement

This Data Protection Policy complies with both the law and good practice and respects individuals’ rights. The company will be open and honest with individuals whose data is held and provide training and support for staff who handle personal data, so that they can act confidently and consistently.

In the event of data breaches the Supervisory Authority (the ICO) will be notified within 72 hours. In addition, for major breaches the data subjects will be notified without delay. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Responsibilities

The Board / Company Directors

The Board has overall responsibility for ensuring that the organisation complies with its legal obligations.

Data Protection Officer

The Data Protection Officer is Tim Parker, CEO, Messels. His responsibilities include:

  • Briefing the Board on Data Protection responsibilities
  • Reviewing Data Protection and related policies
  • Advising other staff on Data Protection issues
  • Ensuring that Data Protection induction and training takes place
  • Notification to the ICO if required
  • Handling subject access requests
  • Approving unusual or controversial disclosures of personal data
  • Approving contracts with Data Processors

Employees

All staff should read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Types of information collected (from Appointed Representatives)

Individuals’ names

We record the names of all Approved Persons of our Appointed Representatives.

Business name, registration number and contact details

We record the names, registration numbers and contact details of our Appointed Representatives. 

Additional information at on-boarding

We collect company and personal information during the on-boarding process; this includes registration documents, company organisational arrangements, FCA Long Form As, job descriptions, C.V.s of staff and business plans.

Additional information quarterly

We collect company and personal information on a quarterly basis including management accounts, PA dealing contract notes, client contracts, research records; registers of compliance breaches, conflicts, complaints and gifts.

Additional information annually

We collect revenue and staff training records on an annual basis.

Updating

We have a regular cycle of checking, updating or discarding old data on our Appointed Representatives. 

Retention

We retain records from on-boarding and quarterly and annual reviews for as long as our contracts with Appointed Representatives remain in place and for five years after the agreements have terminated.

Information obtained from third parties (from Appointed Representatives)

Regulatory references

We obtain regulatory references for prospective Approved Persons.

Companies House

We check company registration information from Companies House for prospective Appointed Representatives.

Credit checks

Credit checks may be requested from prospective Approved Persons.

Criminal record checks

Disclosure and Barring Service checks may be requested from prospective Approved Persons.

Lawful basis for processing information

Underlying principles

The lawful basis for the personal data processed is one or more of the following, described in Article 6 (1) of the General Data Protection Regulation:

(a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Data collected from our research clients is on the basis of (b) Research contracts and (f) Our legitimate interests.

Data collected from our Appointed Representatives is on the basis of (a) Consent, (b) AR Agreements, (c) Legal obligations and (f) Our legitimate interests.

Withdrawing consent

Once given, consent can be withdrawn, but not retrospectively.  There may be occasions where Messels has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.

How information is collected and stored

Web server information

We record the name, email address, postal address and telephone number of individuals filling in the form on the Contact page on the website. This information is not transferred outside the EEA and is stored on our own web server in the United Kingdom.

Cookies

We do not use cookies on our website.

Email

We collect and store emails on three personal computers and on our email server in the United Kingdom. Information is not transferred outside the EEA.

Bulk Email provider

We use a third-party provider, MailChimp, to deliver our research products. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our products. For more information, please see MailChimp’s privacy notice.

Hard drive and back ups

We store information on the hard drives of three computers and back it up on Dropbox, Knowhow and Google cloud-based systems.

Disclaimer

Transmission of information over the internet is not entirely secure, and if you submit any information to us over the internet (whether by email, via our website or any other means) you do so entirely at your own risk.

We cannot be responsible for any costs, expenses, loss of profits, harm to reputation, damages, liabilities or any other form of loss or damage suffered by you as a result of your decision to transmit information to us by such means.

Phone

We log all telephone calls with research clients for monitoring purposes but do not record conversations.

Paper copies

Information from compliance procedures, such as on-boarding, research handling and quarterly compliance meetings, is stored on hard copy files and kept in secure storage.

Disclosure and use of information (from research clients)

Commitment

Messels is committed to ensuring that Data Subjects are aware that their data is being processed and

  • for what purpose it is being processed
  • what types of disclosure are likely, and
  • how to exercise their rights in relation to the data

Delivering research

We retain contact details of research clients so that we can provide them with research products in accordance with the Agreements we have with them.

Disclosure and use of information (from Appointed Representatives)

Commitment

Messels is committed to ensuring that Data Subjects are aware that their data is being processed and

  • for what purpose it is being processed
  • what types of disclosure are likely, and
  • how to exercise their rights in relation to the data

For legal reasons

We retain and update information on our Appointed Representatives to ensure our legal obligations are fulfilled and that we can provide information to relevant authorities if and when required to do so.

For regulatory obligations

We retain and update information on our Appointed Representatives to ensure that our regulatory obligations are fulfilled and that we can provide information to the relevant authorities if and when required to do so.

Compliance consultant

Messels shares certain compliance information with a compliance consultant, Nigel Drury, who is required to delete all personal information about clients, once processed and in any event 6 months after receipt.

Your rights in relation to your information

Your rights in relation to information

Subject to certain limitations on certain rights, you have the following rights in relation to your information, which you can exercise by contacting the Data Protection Officer by email at tim@messels.com, in writing to Messels Ltd, Office 2, Clock Barn Farm, Godalming, Surrey GU8 4AY, or by phone on 01483 420999:

  • to request access to your information and information related to our use and processing of your information;
  • to request the correction of your information;
  • to request the erasure of personal data (right to be forgotten) providing there are no overriding legitimate grounds;
  • to request that we restrict our use of your information;
  • to receive information which you have provided to us in a structured, commonly used and machine-readable format (e.g. a CSV file) and the right to have that information transferred to another data controller;
  • to object to the processing of your information for certain purposes; and
  • to withdraw your consent to our use of your information at any time where we rely on your consent to use or process that information. Please note that if you withdraw your consent, this will not affect the lawfulness of our use and processing of your information on the basis of your consent before the point in time when you withdraw your consent.

The controller will provide information on action taken on request to the data subject without undue delay and in any event within one month of receipt of the request.

In accordance with Article 77 of the General Data Protection Regulation, you also have the right to lodge a complaint with a supervisory authority, which is the Information Commissioner’s Office (ICO), whose website is below. 

Employee training & acceptance of responsibilities

Induction

All employees of Messels and their Appointed Representatives who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.

Continuing training

Data Protection issues will be covered during employee training, team meetings, supervisions, etc.