Introduction
This document reflects the Data Protection Policy of Coleman Financial Planning.
The EU General Data Protection Regulation 2016 is effective from 25 May 2018. The Data Protection Act 2018 transposes the GDPR into Irish law. Reference must be made to the GDPR, the Data Protection Act 2018 and the Statutory Instrument which gives effect to the legislation. Collectively in this document references to the above will be under the single heading of GDPR.
The GDPR replaces earlier legislation and is designed to enhance the data protection rights of individuals, known as data subjects. Data protection is concerned with personal information in relation to natural persons i.e. living individuals, and so does not relate to corporate information (unless such corporate information includes personal information of individuals).
The GDPR applies to our business relationships with our customers, but applies equally to our relationships with our staff i.e. Directors, Shareholders, Management, Staff.
It is company policy of Coleman Financial Planning that all Staff, Directors, Consultants and support service providers must comply at all times with both the letter and the spirit of the GDPR and respect the customers' rights to data privacy and data security at all times.
Our Data Protection Policy and Procedures will be subject to annual review.
Data Protection Principles
There are 6 fundamental principles within the GDPR, as follows:
Accountability
It is the policy of Coleman Financial Planning to adhere to the above principles at all times, and to ensure that our policies, procedures, and practices reflect the principles.
It is also the stated objective of Coleman Financial Planning to promote accountability and ensure that Data Protection is an inherent part of our business model at all times.
Definitions
In order that we can understand our obligations under GDPR it is necessary to have a context and so the following key definitions need to be understood:
Data Subject
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data
Any information relating to an identified or identifiable natural person (‘data subject’).
Special categories of personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Subject Consent
Means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Data Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by the European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by the European Union or Member State law.
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer
Coleman Financial Planning is not required to make a formal appointment of a person to the role of Data Protection Officer. The rationale for this approach taken by Coleman Financial Planning is that the core activities of Coleman Financial Planning do not consist of processing operations which require regular and systematic processing of individuals' data on a large scale, or processing of sensitive/special categories of data or data relating to criminal convictions or offences.
Data Protection Principles
The following are the 6 key Data Protection Principles contained within the GDPR:
Principle 1 – Data to be processed lawfully, fairly and in a transparent manner
The requirement is to ensure that we provide information to our customers in a transparent manner so that they fully understand the reasons why data is collated and for what purposes it will be used.
The specific information which must be provided to our customers at initial point of contact is set out in our Data Privacy Notice. The key information which must be included in a Data Privacy Notice, as required under GDPR is as follows:
Principle 2 – Personal data can only be collected for specific, explicit and legitimate purposes
Data collected can only be used for the purposes for which it was provided to Coleman Financial Planning. It is therefore critical to ensure that our customers understand the specific purposes for which we intend to use their data, to ensure that we have been explicit with our customers, and that the purposes are legitimate.
Coleman Financial Planning provides advice to clients in the areas of financial services. Therefore, information collated can only be used for such purposes. Our Terms of Business set out the range of services which we provide and how data is used. Customers are asked to provide consent for the use of their data in the provision of such services.
Principle 3 – Personal Data must be adequate, relevant and limited to what is necessary
Data collected must be adequate, relevant and limited bearing in mind the services and/or products required by our customers. Completion of a Knowing the Consumer exercise, based on the requirements of the Central Bank's Consumer Protection Code, is considered to meet this requirement. Supplementary information may be necessary; however, this will depend on the nature and complexity of the product and/or service to be provided, and the nature of the business relationship with the customer. Supplementary information, e.g. information from the client's Accountants or Legal Advisors, may be necessary to enable a service to be provided. Such supplementary information can only be obtained from a third party with the customer's consent.
Principle 4 – Personal Data must be accurate and kept up to date, with every effort made to erase or rectify inaccurate data without delay
Our procedures require the completion of a Knowing the Consumer exercise. In collating data, we must engage directly with the customer and ensure that the customer fully understands the importance of providing complete and correct information. On occasion, we may have to obtain the customer's consent to obtain information from a third party, e.g. an insurer or professional adviser, in order to verify information provided. In our dealings with our customers we must ensure that they understand that the information obtained, including any provided by a third party, will form the basis of any advice we provide.
Data must be updated whenever a customer wishes to avail of further services e.g. annual review or policy renewal, and we must ensure this is done.
In the event that a customer advises that information which we hold is inaccurate or out of date, we must rectify our records to reflect this.
Principle 5 – Personal data must be kept in a form which permits identification of the data subject for no longer than is necessary for processing.
Our Data Retention Policy sets out the periods of time for which certain data will be held on our paper and/or electronic files. Where any data is held in excess of the specified time periods, the rationale for the extended retention of that data must be recorded.
Principle 6 – Processed in an appropriate manner to maintain security
Data security is imperative to ensuring the protection of our customers' data. In the event of a data breach the risks to our customers can be personal, financial and reputational, and can potentially involve identity theft. In addition, there is the potential damage to our business should a breach occur, particularly loss of customer trust, damage to our business reputation, financial loss, and regulatory sanction. We must ensure that we adhere at all times to our Information Security Policy and procedures.
Given the potential impact should our security systems be breached, we must be aware of the company's Information Security Policy, and in particular:
Rights of Data Subjects
Data subjects have enhanced rights under the GDPR. These are as set out below:
Right 1 – Right to information
A data controller must ensure that a data subject is provided with, or has made available to him or her, the information set out below in relation to personal data relating to him or her, within a reasonable period after the date on which the controller receives a subject access request for personal data.
The information which must be supplied is as follows:
We provide the above information to our customers by way of our Data Privacy Notice – Customer Summary on our website.
Right 2 – Right of Access
An individual may request Coleman Financial Planning to provide him/her with any personal data that we may hold in relation to that individual. If a request is received we must provide the following in writing:
A controller must provide the above information to the data subject as soon as possible and in any event not later than one month after the date on which the request is made.
When making a request, the individual making the request must provide the data controller with such information as the controller may reasonably require to satisfy itself of the identity of individual and to locate any relevant personal data or information.
Where a data controller has previously complied with a request to provide information as above, the controller is not obliged to comply with a subsequent identical or similar request from the same individual, unless a reasonable interval has elapsed since compliance with the last request.
A data controller must take all reasonable steps to ensure that the information is provided in a concise, intelligible and easily accessible form using clear and plain language. In communication with the data subject the information may be provided in the same form as the request was made, e.g. if the request for information is made electronically, the response may be provided electronically.
Right 3 – Right to rectification or integration and restriction of processing
Where a data subject is of the opinion that the controller is processing personal data relating to him or her that are inaccurate, the data subject may make a request in writing to the controller for the controller to rectify the data concerned.
Where a request to rectify data is received, the data must be rectified as soon as possible and in any event no later than one month after the date on which the request is made.
When making a request, the individual making the request must provide the data controller with such information as the controller may reasonably require to satisfy itself of the identity of the individual and locate any personal data or information.
A data controller must take all reasonable steps to ensure that the information is provided in a concise, intelligible and easily accessible form using clear and plain language. In communication with the data subject the information may be provided in the same form as the request was made, e.g. if the request for information is made electronically, the response may be provided electronically.
In certain circumstances, a data controller is not required to alter certain information held on record. We must also be cognisant of our obligations under other legal and regulatory requirements, e.g. Central Bank, AML/CFT, FSPO.
Right 4 – Right to restriction of processing
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right 5 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Right 6 – Right to data portability
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right 7 – Right to object
Right 8 – Automated individual decision-making, including profiling
Purposes for holding information
In order that we can provide customers with our services and advice we need to collect certain personal data. We generally use the information which they initially provide to enable us to make contact with them so that we can have a more detailed discussion in relation to advice, products, and services which are appropriate to their needs.
Types of information collected
We collect and retain two types of information:
Personal data
We will hold:
Non-personal data
Like most websites, we gather statistical and other analytical information collected on an aggregate basis from all visitors to our website. This non-personal data comprises information that cannot be used to identify or contact a customer, such as demographic information regarding, for example, user IP addresses where they have been clipped or anonymised, browser types and other anonymous statistical data involving the use of our website.
Purposes for which we hold information
Personal Data
We will process any personal data received for the purposes of contacting a customer if required in connection with a query or to respond to any communications sent to us.
We also process the data when providing the service, product, or transaction required.
Non-personal data
We use the non-personal data gathered from visitors to our website in aggregate form to get a better understanding of where visitors come from and to help us better design and organise our website.
Sharing information
We must only use the information provided to us to provide customers with the range of insurance, investment, and other products which they request and/or which we believe may be in their best interest, or to meet our regulatory obligations. We will therefore only circulate information to our staff, consultants, support service providers, or at the customer's request to other parties, or as required in order to meet our legal obligations.
We may provide non-personal data to third parties, where such information is combined with similar information of other users of the website, e.g. we might inform third parties regarding the number of unique users who visit our website, the demographic breakdown of other community users of our website, or the activities that visitors engage in while on our website. The third parties to whom we may provide this information may include potential or actual advertisers, providers of advertising services (including website tracking services), commercial partners, sponsors, licensees, researchers, and other similar parties.
Security
Please refer to our Security Policy for further information on data security measures undertaken by Coleman Financial Planning.
Updating, verifying and deleting personal data
Where a customer informs us of any changes in personal data held we will update or delete the personal data accordingly.