
Ferret Information Systems

The experts in social welfare advice and assessments


This is a statement of the data protection policy adopted by Ferret Information Systems Limited (“Ferret”). Responsibility for the updating and dissemination of the policy rests with Ferret’s Information Protection Officer:

    Pauline Jenkins,
    029 2064 3333,
    Ferret Information Systems, 4 Coopers Yard, Curran Road, Cardiff, CF10 5NB

The policy is subject to regular review to reflect the changes to the services offered by Ferret. All staff are expected to apply the policy and to seek advice when required.

The policy has been updated to take into account the impact of the General Data Protection Regulation (GDPR) which came into effect in the EU on May 25, 2018. The policy also complies with the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

We regard the lawful and correct treatment of personal information by Ferret as important to the achievement of our objectives, to the success of our operations, and to maintaining confidence between those with whom we deal and ourselves. We strive to protect the privacy of personal data, and to ensure that we treat information lawfully, correctly and with respect.

Ferret operates as both a data controller and a data processor, as those terms are defined by the GDPR.

Ferret as Data Controller

Ferret acts as a data controller in respect of information held about:
  • Current customers – Individuals within organisations which have a current, ongoing contract with Ferret for products or services.
  • Potential customers – Individuals within organisations which:
    • have been prior customers of Ferret, or
    • have expressed interest in products and services of Ferret, or
    • by the nature of their business, we believe will have an interest in purchasing products and services of Ferret.

Information we hold

Information held may include contact information (name, title, job title, organisation, postal address, email, fax number and telephone number), and communications history pertinent to current, prior and potential contracts for Ferret products and services.

Updating communication preferences

All electronic communication from Ferret includes a link to a webpage in which any contacts may update their communication preferences, or unsubscribe fully. The link is as follows:

All requests made via the communications preference page are processed as quickly as possible, and within a maximum period of one calendar month.

Communicating privacy information

All Ferret contacts are, or will be, informed about their privacy information, i.e. that their data has been collected, the purposes for processing their data, the retention period of that data and their rights in relation to that data. Confirmation is also made that data is not shared with any third party without authorisation or in accordance with a legal requirement.

For current contacts (as of 25th May 2018), privacy information will be issued as soon as possible. For new contacts, privacy information will be issued when personal data is first collected, or within one month of first contact where the data is provided by a third party.

Use of data

Personal data is processed only for the following purposes:
  • to fulfil operational needs of current ongoing contracts,
  • to instigate new contracts,
  • to ensure correct subjects and methods of communication,
  • statistical analysis, within the organisation, in order to improve business processes, or
  • to comply with any legal requirements.

Data quality

Data is periodically reviewed to ensure it is relevant, up to date, accurate and limited to that which is required for the stated purposes.

Individual’s rights

Ferret fully complies with an individual’s right to:
  • obtain access to,
  • correct,
  • complete,
  • erase,
  • restrict the use of, or
  • block the processing of
their stored personal data.

Such requests, whether made verbally or in writing, will be responded to within one month of receipt.

Data sharing

Data will not be disclosed to any third party without authorisation or in accordance with a legal requirement.

Data security

All personal data is held securely, and locally, within the UK. Electronic information is password protected and accessible only to authorised Ferret personnel. Technical and organisational measures are reviewed regularly to safeguard personal information.

Data breaches

In the event of a data breach, individuals affected will be contacted directly without undue delay.

Data retention period

Data is stored for a period of no more than 7 years following the most recent incoming communication. Once the data retention period has been reached, records are destroyed securely.

Lawful basis for processing data

Ferret maintains and processes information only under the following lawful bases as defined within the GDPR:
  • Contract: The processing is required for the maintenance of a current contract, or to put in place requirements prior to the start of a new contract.
  • Consent: The individual has given clear consent to marketing communication relating to specific business categories.
  • Legitimate interests: the processing is necessary for our legitimate interests. This lawful basis relates to the marketing by email to existing and previous customers, where:
    • contact information was obtained in the course of a sale, or negotiations for a sale,
    • marketing is of similar products and/or services to which interest was originally expressed, and
    • a simple opt out is available, and re-offered periodically.
Where legitimate interest is the lawful basis for data processing, extra care is taken to ensure that the interests of Ferret are balanced against the individual’s interests, rights and freedoms.


Records of consent are securely maintained. Where consent has been refused, data is retained only in an isolated, encrypted electronic format for the sole purpose of crosschecking with any new data sources, to ensure that an individual is not contacted inappropriately.

Ferret as Data Processor - FintalPPC

Ferret acts as a data processor in relation to client data provided by direct customers of our FintalPPC service, who are financial advisers registered with the Financial Conduct Authority (FCA). The following policy section relates specifically to FintalPPC client data submitted by financial advisers who employ the FintalPPC service.
  • Ferret will not contact clients unless expressly requested to do so by their financial adviser.
  • Ferret will only source that information which is necessary to produce the requested FintalPPC report.
  • Ferret will securely store clients’ data in order to process the required contract and thereafter data will be stored securely for no more than 7 years in line with our legal protection requirements.
  • FintalPPC client data will only be used to produce the initial FintalPPC report, and any additional reports requested by the financial adviser on behalf of their client.
  • Client data will not be used for marketing purposes.
  • Any client data retained for more than 1 year will be stored in an encrypted electronic format.
  • Client data will not be disclosed to a third party without authorisation or in accordance with a legal requirement.
  • All Ferret data is stored locally, within the UK.
  • In the event of a data breach, the financial adviser who submitted the client data will be contacted directly without undue delay.
  • A FintalPPC client has the right to:
    • obtain access to,
    • correct, and
    • block the processing of their stored personal data.
  • A FintalPPC client has a right to request that data held be erased where there is no legal requirement for it to be retained.
Data Protection Policy v2.0 250518


4 Coopers Yard, Curran Road, Cardiff, CF10 5NB - Wales, UK
Office: 029 2064 3333 Customer Support: 029 2064 4444

© Ferret Information Systems Ltd. 2024