At Old Mill we take our obligations in respect of data privacy seriously and recognise that it is important for you to understand how we make use of personal data.
It also explains the ways in which we will protect your personal data and sets out your rights in respect of personal data that we process about you.
2. Who we are
For the purpose of applicable data protection laws, the “data controller” (in other words, the organisation that determines how and for what purposes your personal data is used) will be the Old Mill entity which you have engaged to provide services to you, and which you have provided your personal data to. Please note, depending on the services that you ask us to provide, you may engage more than one Old Mill entity to provide you with services, in which case there will be multiple data controllers of your data. We will always make this clear to you as part of our client engagement process.
3. Personal data we may collect from you and how we collect it
Personal data you provide to us directly
You may provide personal data to us in a number of ways, including when:
What type of data might be included?
The personal data you give us may include but is not limited to:
Personal data we collect or generate about you
We may also collect personal data about you if you visit our offices.
The personal data we collect about you may include but is not limited to:
Personal data we receive from other sources
We may occasionally receive personal data about you from other sources, for example, a family member may provide us with your personal data in relation to the services that we are providing to them (for example, if you are a named beneficiary of a life assurance product).
4. Why and how do we use your personal data and what is our “lawful basis” for doing so?
Whenever we process your personal data as a data controller, we are required to identify and maintain a valid “lawful basis” (i.e. a legally compliant justification) for the processing. Typically, we will rely on the fact that our processing of your personal data is necessary:
To help you to understand specifically what we do with your personal data and why we do it, we have described the various relevant lawful bases that we rely on in the table below. Where we rely on our legitimate interests, we will always make sure that we assess these interests against your right to privacy before carrying out such processing and, if your rights outweigh our legitimate interests, we will not process your personal data for that purpose.
In some circumstances we will record telephone calls between you and us which may lead to us providing advice or executing a financial transaction on your behalf. We may use these recordings, or transcripts of them, to check your instructions, to improve our services, for training and quality purposes, to help us investigate a complaint or to comply with our regulatory and legal obligations.
6. Special Category / Sensitive personal data
The personal data that you provide to us may include certain special categories of information that are treated in law as being particularly sensitive (e.g. information related to your health).
We may require you to provide this sensitive personal data in order to provide you with the services you require from us (e.g. we would not be able to provide you with advice regarding life assurance without understanding whether there are any medical conditions which need to be taken into consideration).
Wherever we process sensitive personal data we will, in accordance with legal obligations, ensure that such information is provided with additional safeguards to protect it.
7. What if you fail to provide personal data?
If for any reason you fail to provide personal data which we require, we may not be able to provide you with the services that you require from us.
8. Change of purpose
9. How we share your personal data
Third party suppliers and service providers involved in our contractual relationship with you
Like most businesses, we work with third-party product and service providers on your behalf to provide (or to provide you with a quote to provide) the products or the services that you have requested from us (e.g. pension providers and cloud accounting software). Some of these trusted suppliers will process your personal data on our behalf and provide services to us to enable us to manage your account.
We maintain a list of the third parties that we engage. A copy of this list is available upon request; if you would like a copy please email firstname.lastname@example.org.
We will always make sure that these trusted providers meet agreed standards for the protection of your personal data and they will only ever be allowed to use your personal data in order to provide us with services and not for their own commercial purposes. We require all third parties to take appropriate technical and organisational security measures to protect your personal data and to treat it subject to a duty of confidentiality and in accordance with applicable data protection law.
Other Old Mill businesses
To properly run our businesses in an efficient and compliant manner, Old Mill businesses share a lot of the same internal systems and management. Personal data provided to one of our businesses may therefore be processed by another, either as part of providing you with the services you have requested (e.g. involving specialists from another business to ensure the best advice), or to manage our own business. The lawful basis for the latter will be based on our legitimate interests as a business.
Other scenarios in which we might share your personal data
We may also share your personal data:
10. How do we protect your personal data?
We take the security of your personal data very seriously and have put in place physical, technical, operational and administrative strategies, controls and measures to help protect your personal data from unauthorised access, use or disclosure as required by law and in accordance with accepted good industry practice. We will always keep these under review to make sure that the measures we have implemented remain appropriate.
In addition, we limit access to your personal data to those employees and other third parties who have a business need to know in order to perform their job duties and responsibilities. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
11. How long do we keep your personal data?
We will retain your personal data for as long as we need it in connection with our relationship with you. There may also be circumstances where we need to retain your personal data for longer than our relationship with you, for example:
Personal data which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal data where applicable.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you. In this case, we may retain such information for a longer period without further notice to you.
12. Your rights in relation to your personal data
It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes so that our records can be updated. We cannot be held responsible for any errors in your personal data if these are caused by a failure by you to notify us of the relevant change.
Data protection law grants you a number of specific rights in respect of your data in addition to the broad and general right to have your data protected. We have set out some information in respect of each of those specific rights, below:
If you want to exercise any of the rights set out above, please contact us (using the contact details set out below).
13. Where your personal data may be processed
In some cases, third parties that we engage may transfer personal data outside of the UK or EEA. Where personal data is transferred outside of the UK or EEA, we will ensure that the personal data is given the required protection by putting in place adequate contractual safeguards for such transfer (e.g. the European Commission’s standard data protection clauses and UK IDTA Addendum), so that the security of your personal data is maintained when it is processed by the third party.
We may also place tracking cookies in our marketing emails as this helps us to improve our marketing activities – for example, these cookies allow us to see how many people open our emails, what time of day they open our emails and whether they click through on any of the information contained in the emails.
15. Third-party websites
Our Site may, from time to time, contain links to third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for the ways in which personal data is processed on such websites. Please check the relevant policies before you submit any personal data to these websites.
We encourage you to contact us first if you have any queries, comments or concerns about the way we handle your personal data (our details are in the section immediately below). We will try to put things right.
However, if you are not satisfied with our handling of any request by you in relation to your rights or concerns, you also have the right to make a complaint to the Information Commissioner’s Office (“ICO”). You can contact the ICO at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF; 0303 123 1113; or https://ico.org.uk/.