This is the Privacy Policy for the Old Mill group of companies, which includes Old Mill Accountancy Limited, Old Mill Financial Planning Limited, Old Mill Audit Limited, Old Mill Trust Corporation Limited, Old Mill Jackson Limited, Brook Financial Management Limited and Quro Financial Solutions Ltd (“Old Mill”, “we”, “us”, “our”).
At Old Mill we take our obligations in respect of data privacy seriously and recognise that it is important for you to understand how we make use of personal data.
Please read this privacy policy carefully as it contains important information about how we use personal data that you provide to us or we collect from you when operating our business, for example, when you visit the Old Mill website (this/our “Site”).
It also explains the ways in which we will protect your personal data and sets out your rights in respect of personal data that we process about you.
For the purpose of applicable data protection laws, the “data controller” (in other words, the organisation that determines how and for what purposes your personal data is used) will be the Old Mill entity which you have engaged to provide services to you, and which you have provided your personal data to. Please note, depending on the services that you ask us to provide, you may engage more than one Old Mill entity to provide you with services, in which case there will be multiple data controllers of your data. We will always make this clear to you as part of our client engagement process.
This privacy policy details how we process personal data that we are a data controller of.
You may provide personal data to us in a number of ways, including when:
The personal data you give us may include but is not limited to:
When you visit our Site we may collect, generate, store and use certain personal data about you. In some cases we will use cookies to do this. For further information about the cookies we use and how to opt out of such cookies, please see our Cookie Policy.
We may also collect personal data about you if you visit our offices.
The personal data we collect about you may include but is not limited to:
We may occasionally receive personal data about you from other sources, for example, a family member may provide us with your personal data in relation to the services that we are providing to them (for example, if you are a named beneficiary of a life assurance product).
We always ask that, if you are providing us with the personal data of someone else (for example another family member), you notify them in advance that their personal data is being shared with us to allow us to provide services to you. You are responsible for directing them to this privacy policy.
Whenever we process your personal data as a data controller, we are required to identify and maintain a valid “lawful basis” (i.e. a legally compliant justification) for the processing. Typically, we will rely on the fact that our processing of your personal data is necessary:
To help you to understand specifically what we do with your personal data and why we do it, we have described the various relevant lawful bases that we rely on in the table below. Where we rely on our legitimate interests, we will always make sure that we assess these interests against your right to privacy before carrying out such processing and, if your rights outweigh our legitimate interests, we will not process your personal data for that purpose.
In some circumstances we will record telephone calls between you and us which may lead to us providing advice or executing a financial transaction on your behalf. We may use these recordings, or transcripts of them to check your instructions, to improve our services, for training and quality purposes, to help us investigate a complaint or to comply with our regulatory and legal obligations.
The personal data that you provide to us may include certain special categories of information that are treated in law as being particularly sensitive (e.g. information related to your health).
We may require you to provide this sensitive personal data in order to provide you with the services you require from us (e.g. we would not be able to provide you with advice regarding life assurance without understanding whether there are any medical conditions which need to be taken into consideration).
Wherever we process sensitive personal data we will, in accordance with legal obligations, ensure that such information is provided with additional safeguards to protect it.
If for any reason you fail to provide personal data which we require, we may not be able to provide you with the services that you require from us.
We will only use your personal data for the purposes for which we collected it. If we need to use your personal data for a purpose other than that for which it was collected, we will, prior to that further processing, provide you with information about the new purpose, explain our legal justification for doing so and provide you with any relevant further information. We may also issue a new privacy policy to you.
Like most businesses, we work with third-party product and service providers on your behalf to provide (or to provide you with a quote to provide) the products or the services that you have requested from us (e.g. pension providers and cloud accounting software). Some of these trusted suppliers will process your personal data on our behalf and provide services to us to enable us to manage your account.
Some of these trusted suppliers will require you to enter into a contract with them directly. Please note that where you enter into a contract with a third party following a recommendation by Old Mill (e.g. pension providers and cloud accounting software), the third party will become the “data controller” of any information provided to them either by you or by us with your consent. Any personal data shared with that party will subsequently be processed in accordance with that third party’s privacy policy.
We maintain a list of the third parties that we engage. A copy of this list is available upon request; if you would like a copy, please email dataprotection@om.uk.
We will always make sure that these trusted providers meet agreed standards for the protection of your personal data and they will only ever be allowed to use your personal data in order to provide us with services and not for their own commercial purposes. We require all third parties to take appropriate technical and organisational security measures to protect your personal data and to treat it subject to a duty of confidentiality and in accordance with applicable data protection law.
To properly run our businesses in an efficient and compliant manner, Old Mill businesses share a lot of the same internal systems and management. Personal data provided to one of our businesses may therefore be processed by another, either as part of providing you with the services you have requested (e.g. involving specialists from another business to ensure the best advice), or to manage our own business. The lawful basis for the latter will be based on our legitimate interests as a business.
We may also share your personal data:
We take the security of your personal data very seriously and have put in place physical, technical, operational and administrative strategies, controls and measures to help protect your personal data from unauthorised access, use or disclosure as required by law and in accordance with accepted good industry practice. We will always keep these under review to make sure that the measures we have implemented remain appropriate.
In addition, we limit access to your personal data to those employees and other third parties who have a business need to know in order to perform their job duties and responsibilities. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We will retain your personal data for as long as we need it in connection with our relationship with you. There may also be circumstances where we need to retain your personal data for longer than our relationship with you, for example:
Personal data which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal data where applicable.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you. In this case, we may retain such information for a longer period without further notice to you.
It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes so that our records can be updated. We cannot be held responsible for any errors in your personal data if this is caused by a failure by you to notify us of the relevant change.
Data protection law grants you a number of specific rights in respect of your data in addition to the broad and general right to have your data protected. We have set out some information in respect of each of those specific rights, below:
If you want to exercise any of the rights set out above, please contact us (using the contact details set out below).
In some cases, third parties that we engage may transfer personal data outside of the UK or EEA. Where personal data is transferred outside of the UK or EEA, we will ensure that the personal data is provided the required protection when doing so by ensuring adequate contractual safeguards for such transfer (e.g. the European Commission’s standard data protection clauses and UK IDTA Addendum), to ensure the security of your personal data is maintained when it is processed by the third party.
As referenced above, our Site uses cookies to distinguish you from other users. This helps us to provide you with a good experience when you browse our Site and allows us to improve our Site and our services.
We may also place tracking cookies in our marketing emails as this helps us to improve our marketing activities – for example, these cookies allow us to see how many people open our emails, what time of day they open our emails and whether they click through on any of the information contained in the emails.
For information on how we use cookies, please see our cookie policy.
Our Site may, from time to time, contain links to third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for the ways in which personal data is processed on such websites. Please check the relevant policies before you submit any personal data to these websites.
We reserve the right to update or amend this privacy policy at any time, including where we intend to further process your personal data for a purpose other than that for which the personal data was collected or where we intend to process new types of personal data. We will place any updates here on this page. This privacy policy was last updated on 03 October 2022.
We encourage you to contact us first if you have any queries, comments or concerns about the way we handle your personal data (our details are in the section immediately below). We will try to put things right.
However, if you are not satisfied with our handling of any request by you in relation to your rights or concerns, you also have the right to make a complaint to the Information Commissioner’s Office (“ICO”). You can contact the ICO at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF; 0303 123 1113; or https://ico.org.uk/.
If you have any questions about this privacy policy or how we handle your personal data, please contact us by sending us an email to dataprotection@om.uk.