EcoGen Services Limited is committed to protecting your privacy. This Privacy Statement explains our data processing practices and your options regarding the ways in which your personal data is used. If you have any requests concerning your personal information or any queries with regard to our processing please contact us at firstname.lastname@example.org.
EcoGen Services Limited
This Privacy Statement sets out the way we collect and look after your personal data, in line with the General Data Protection Regulation (GDPR).
Data controller (“us / we / the Company”): EcoGen Services Limited
Data Subject (“you / your”): You and where applicable, your employees, co-trustees, colleagues, clients, advisers, agents or family members whose Personal Data we hold.
Data Processor (“the Processor(s)”): Business or individual processors we may pass your personal data to, in order to fulfil our contract or proposed contract with you.
Introducer (“the Introducer(s)”): Businesses or individuals we may receive your personal data from in order to advise you.
Data Protection Officer: Lucy Barnes (email@example.com)
We collect, store and process your personal data. This personal data may be held by the Company on paper or in electronic format.
We are committed to being transparent about how we look after your personal data, to protect your privacy and security and to meet the obligations under the General Data Protection Regulation. The purpose of this Privacy Statement is to make you aware how and why we collect and process your personal data.
What types of personal data do we collect about you?
Personal data is defined as any information about an individual from which that person can be directly or indirectly identified. There are also “special categories” of personal data requiring a higher level of protection because the data is of a more sensitive nature. The special categories of personal data comprise information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sexual orientation and genetic and biometric data.
We may collect, use and process or pass to Data Processors a range of personal data about you. This may include personal data related to:
- your contact details, including your name, address, telephone number and personal e-mail address, your emergency contact details/next of kin, your date of birth and your gender.
- information about your use of our IT systems, our websites, telephone numbers and e-mail.
- your preferences in receiving information and marketing data from us and your communication preferences.
In certain circumstances we may also collect, use and process, or pass to Data Processors, the following special categories of your personal data (as applicable):
- information about your health and biometrics
- information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation
- information about criminal convictions and offences
How do we collect your personal data?
We may collect personal data about you in a variety of ways. This may include data collected during our work, or proposed work, for you either directly from you or sometimes from an Introducer or other Data Subject such as an employer or business partner. We may also collect personal data from other external third parties, such as references from former advisers, information from background checks and identity check providers, information from credit reference agencies and information from Companies House.
Your personal data may be stored in different places, including within our IT systems and our Data Processor’s systems, on our premises and within our storage facilities.
Why and how do we use your personal data?
We will use your personal data within the Company in one or more of the following circumstances:
- where we need to do so to perform the contract for services we have entered into with you, or where we are preparing for such a contract or have fulfilled a contract
- where we need to comply with a legal, regulatory requirement or professional governing body obligation
- where, in respect of marketing, you have opted-in to our marketing preferences
- where it is necessary for our legitimate interests (or those of a Processer, Introducer or third party), and your interests or your fundamental rights and freedoms do not override these interests.
Why and how do we use special category personal data?
We will only collect and use Special Categories of personal data, when the law, regulatory requirements, professional governing bodies require us to do so or it is required to enable us to fulfil our contract with you.
We may process special categories of personal data only where we have your consent. It is entirely your choice whether to consent, and you can withdraw your consent at any time. This consent may be given through our systems, email, correspondence or other means. Verbal agreement, confirmed by a file note by us, will be accepted where this is the best reasonable option.
We may also occasionally use your special categories of personal data, where it is needed for the establishment, exercise or defence of legal or regulatory claims or in association with insurance or anti-Money Laundering processes.
Change of purpose
We will only use your personal data for the purposes for which we collect and retain it. If we need to use your personal data for a purpose other than that for which it was collected, we will provide you with information about the new purpose prior to that further processing. You may request the legal basis which allows us to process your personal data for the new purpose at any time.
Who has access to your personal data?
Your personal data may be shared internally within the Company.
We may share your personal data with third parties and Data Processors where it is necessary to administer the contract we have entered into with you, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third party). Third parties may include IT and cloud service providers, other professional firms, insurance and investment companies and HMRC.
How does the Company protect your personal data?
The Company has put measures in place to protect the security of your personal data. These are internal policies, procedures and controls which are there to minimise the risk of your personal data from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal data to those who have a clear business need.
Where your personal data is shared with third-parties and Data Processors, we require all such third parties and Data Processors to take appropriate technical and organisational security measures to protect your personal data, and to treat it subject to a duty of confidentiality and in accordance with data protection law. We allow them to process your personal data only for specified purposes and in accordance with our written instructions. We do not allow them to use your personal data for their own marketing purposes.
The Company also has procedures in place to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (and/or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
How long does the Company keep your personal data?
The Company will only retain your personal data for as long as is necessary to fulfil the purposes for which it was collected and processed. This includes the purposes of satisfying any legal, tax, health and safety, reporting, regulatory or accounting requirements.
The Company will usually hold your personal data for six years following the year in which it was initially processed, with the following exceptions:
- personal data relating to anti-Money Laundering or proof of Identity
Where your personal data is held in an archive containing data that cannot easily be separated and may contain other data requiring to be held for a longer period, we may, at our discretion retain the full filing for longer than six years in reflection of this. For clarity, it should be noted that such personal data may be held by us or Data Processors, in electronic or paper format, on our premises or at any storage premises used by us.
In the event that we collect your personal data but you do not become a client or you are no longer a client, we will retain your personal data for one year, or longer, where required to do so by law or regulatory needs.
Personal data which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems as far as practicable.
Your rights in connection with your personal data
It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes. The Company cannot be held responsible for any errors in your personal data in this regard unless you have notified the Company of the relevant change.
As a Data Subject, you have a number of statutory rights. Subject to specific conditions, and in certain circumstances, you have the right to:
- receive a copy of the personal data we hold about you
- request rectification of your personal data
- request the erasure of your personal data
- restrict the processing of your personal data
- object to the processing of your personal data
- request the transfer of your personal data to another party
Should you wish to exercise any of these rights, please write to our Data Protection Officer.
In the limited circumstances where you have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues. The ICO website is www.ico.org.uk
Transferring personal data outside the European Economic Area
The Company may transfer your personal data to countries outside the European Economic Area (EEA). Where there is an adequacy decision by the European Commission in respect of those countries. This means that the countries to which we transfer your personal data are deemed to provide an adequate level of protection for your personal data.
Changes to this Privacy Statement
The Company reserves the right to update or amend this Privacy Statement at any time. We will publish a new Privacy Statement when we make significant updates or amendments.
If you have any questions about this Privacy Statement or how we handle your personal data, please contact us:
By email: firstname.lastname@example.org
By telephone: 01872 248159
Data Protection Officer,
EcoGen Services Limited,
Unit 2a Century Mews,
100a Church Road,
Essex CO5 0AB