We respect privacy and your rights to control your personal data. Our principal guidelines are simple. We will be clear about the data we collect and why. We do not and will not sell your data to Third Parties. This Privacy Notice describes why and how we collect and use your personal data and provides information about your rights. It applies to personal data provided to us, both by individuals themselves or by others. We may use personal data provided to us for any of the purposes described in this Privacy Notice, or as otherwise stated at the point of collection.
In this Privacy Notice, your information is sometimes called “personal data” or “personal information”, and is any information relating to an identified or identifiable living person. We also sometimes collectively refer to handling, collecting, protecting or storing your personal information as “processing” such personal information. We process personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.
When collecting and using personal data, our policy is to be transparent about why and how we process personal data. To find out more about our specific processing activities, please go to the relevant sections of this Notice.
This Privacy Notice is issued by STM Group Plc (collectively referred to as “we”, “us” and “our” in this Privacy Notice), and relates to itself and one or more of its subsidiary firms that may process your personal information. The data controllers are one or more of the Subsidiary Firms listed here depending upon which firm you have engaged with. Each subsidiary firm in the PLC is a separate legal entity. For further details, please see http://info.stmgroupplc.com/.
We gather and process your personal information in accordance with this Privacy Notice and in compliance with the relevant data protection Regulation and Laws. This Notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.
We process your personal information to meet our legal, statutory and contractual obligations and to provide you with our products and services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this Notice.
We may collect and use some or all of the following types of personal data about you and, in some circumstances, your spouse, civil partner, partner or dependents:
• Your full name, address and contact details;
• Your date of birth;
• Your gender;
• Your marital (or relationship) status;
• Your National Insurance Number / Tax Identification Number;
• Your passport number;
• Details of your bank account;
• The source of your wealth;
• Information about your health.
You may also need to provide us with personal data relating to other people. When you do so, you will need to check with them that they are comfortable for you to share their personal data with us, and for us to use it in accordance with this Privacy Notice.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.
We may collect information in the below ways:
• You may provide information directly to us;
• Third Parties may provide personal information to us; and
• We may also capture certain personal data in the public domain.
We take your privacy very seriously and will never disclose, share or sell your data without your consent; unless required to do so by Law. We only retain your data for as long as is necessary and for the purpose(s) specified in this Notice. Most commonly, we will use your personal data in the following circumstances, and on the following legal bases:
• In the performance of the contract we have entered into with you;
• Where it is in our legitimate interest to process your personal data (for example, where we use resources within the STM Group of companies to deliver business support services for reasons of efficiency);
• When we collect and use certain special categories of personal data with your express consent; and
• Where we need to comply with a legal obligation.
We may less often also need to use your information to establish, exercise or defend our legal rights or on the basis of your consent where you have subscribed to any of our mailing services.
You have the right to access any personal information that we process about you, and to request information about:
• What personal data we hold about you (commonly known a “data subject access request”);
• The purposes of the processing;
• The recipients to whom the personal data has/will be disclosed;
• How long we intend to store your personal data for; and
• If we did not collect the data directly from you, information about the source.
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified. Where consent is the basis for holding your information, you have the right to withdraw that consent at any time.
You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws; as well as to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object on those grounds. In addition, you have the right to data portability of your information and the right to be informed about any automated decision-making we may use, currently we do not use any automated decision-making.
If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request. This is to ensure that your data is protected and kept secure. If your request is made by electronic means, we will respond using the commonly used electronic form unless you specifically requests otherwise. When requested, and provided that it is practical and commercially feasible to comply with the request and there is no legal or regulatory need for us to keep the information, we will delete identifying information from current operational systems.
We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this Notice or where there is a legal requirement.
Examples of those we may share your personal data with are: Regulators, Tax authorities, professional advisors e.g. financial advisers, lawyers, accountants and tax advisers and other financial institutions such as banks, insurance and investment companies.
We use third-parties to provide the below services and business functions. Any processors we may use to act on our behalf will only process your data in accordance with instructions from us and comply fully with the data protection laws and any other appropriate confidentiality and security measures.
Touchstone (C.I.) Limited
Provide wealth management software and consultancy services.
Software Automation International Limited.
Providing project based services and solutions for Aurora IT’s suite of compliant cloud solutions.
MailChimp, which is owned and operated by The Rocket Science Group
Providing marketing automation.
Betley Whitehorne Image
Providing online website hosting and development
We utilise specific Information Technology services that are hosted/stored in Jersey and the USA, which means that we may transfer some information which is submitted by you to us outside the European Economic Area ("EEA") for the below purposes:
• MailChimp for marketing automation.
• Box for secure file transfers. https://www.box.com/legal/privacypolicy
• iConnect Logicalis as hosted portal providers. https://www.je.logicalis.com/
Therefore, in performing our services and when you use our website, send us an email, sign up to our newsletter, etc., your personal information may be stored on servers which are hosted in Jersey. In the case of Jersey, GDPR allows us to transfer and store your personal data as the country is declared 'adequate'; and with the USA we verify that the provider adheres to the EU-U.S. Privacy Shield Framework.
Where you have nominated third parties, such as your financial adviser or investments outside the EEA, we will share information with them in order to reach or fulfill our contract with you, however the location of these third parties may not benefit from an adequacy decision for data protection purposes.
We only ever retain personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. To determine the retention periods, we will take into consideration what is reasonable to comply with our legal obligations and our legitimate interest in being able to properly respond to future queries/complaints.
STM Group PLC
Data Protection Officer
c/o London & Colonial
Rockwood House, 9-17 Perrymount Road,
Haywards Heath, West Sussex RH16 3TW
You also have the right to lodge a complaint with the relevant Local Supervisory Authority. For further information on your rights and how to complain to the relevant local supervisory authorities, please refer to their respective websites.
This statement is subject to regular review and may be updated from time to time. We will inform you if we make any substantial changes to how we use with your personal data.
This policy was last updated on 2 January 2019.