Old Mill Privacy Policy

1. Introduction

This is the Privacy Policy for the Old Mill group of companies, which includes Old Mill Accountancy Limited, Old Mill Financial Planning Limited, Old Mill Audit Limited, Old Mill Trust Corporation Limited, Old Mill Jackson Limited and Brook Financial Management Limited (“Old Mill“, “we“, “us“, “our“).

At Old Mill we take our obligations in respect of data privacy seriously and recognise that it is important for you to understand how we make use of personal data.

Please read this privacy policy carefully as it contains important information about how we use personal data that you provide to us or we collect from you when operating our business, for example, when you visit the Old Mill website (this/our “Site“).

It also explains the ways in which we will protect your personal data and sets out your rights in respect of personal data that we process about you.

2. Who we are

For the purpose of applicable data protection laws, the “data controller” (in other words, the organisation that determines how and for what purposes your personal data is used) will be the Old Mill entity which you have engaged to provide services to you, and which you have provided your personal data to. Please note, depending on the services that you ask us to provide, you may engage more than one Old Mill entity to provide you with services, in which case there will be multiple data controllers of your data. We will always make this clear to you as part of our client engagement process.

This privacy policy details how we process personal data that we are a data controller of.

3. Personal data we may collect from you and how we collect it 

Personal data you provide to us directly 

You may provide personal data to us in a number of ways, including when:

• visiting and browsing our Site;
• registering an account with Old Mill for our services;
• completing our “contact us” form on our Site or otherwise enquiring about our services;
• engaging with us over the phone (in some instances we will record phone calls with you);
• having an initial ‘pre-client’ meeting with us to help us understand your requirements;
• subscribing to receive any of our publications or other marketing communications;
• mentioning or interacting with us on social media (for example by following / mentioning / tagging us or by contacting us directly);
• you attend one of our events;
• providing us with feedback about the services we provide; or
• entering into a contract with us and engaging with our services.

What type of data might be included?

 The personal data you give us may include but is not limited to:

• your name;
• e-mail address;
• date of birth;
• details of income;
• phone number (including mobile number);
• employment history;
• details of family members or beneficiaries;
• job role;
• pension, investment and other financial details, including your plans for the future;
• health data (for specific services);
• your social media handle and the contents of your post (where you have tagged us or contacted us directly);
• any other information that you provide to us in our provision of services to you; and
• thoughts about our services (including feedback, survey responses, complaints and reviews).

Personal data we collect or generate about you

When you visit our Site we may collect, generate, store and use certain personal data about you. In some cases we will use cookies to do this, for further information about the cookies we use and how to opt out of such cookies please see our Cookie Policy.

We may also collect personal data about you if you visit our offices.

The personal data we collect about you may include but is not limited to:

• technical information including: the internet protocol (IP) address used to connect your computer to the internet; your login information (if registering or accessing an account with us); browser type and version; time zone setting; browser plug-in types and versions; device types; operating system; time and date of consent and platform; and any phone number used to call our client service number; and
• information about your visit to our Site including: the full Uniform Resource Locators (URL); clickstream to, through and from our Site (including date and time); products you viewed, searched for or purchased; page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks, and mouse-overs); and methods used to browse our Site.

Personal data we receive from other sources

We may occasionally receive personal data about you from other sources, for example, a family member may provide us with your personal data in relation to the services that we are providing to them (for example, if you are a named beneficiary of a life assurance product).

We always ask that if you are providing us with the personal data of someone else (for example another family member) that you notify them in advance that their personal data is being shared with us to allow us to provide services to you and you are responsible for directing them to this privacy policy.

4. Why and how do we use your personal data and what is our “lawful basis” for doing so?

Whenever we process your personal data as a data controller, we are required to identify and maintain a valid “lawful basis” (i.e. a legally compliant justification) for the processing. Typically, we will rely on the fact that our processing of your personal data is necessary:

• to perform our contract with you;
• to comply with our legal obligations; and/or
• for our legitimate business interests, namely to analyse the use of our Site and our services to continually improve your experience and our business.

To help you to understand specifically what we do with your personal data and why we do it, we have described the various relevant lawful bases that we rely on in the table below. Where we rely on our legitimate interests, we will always make sure that we assess these interests against your right to privacy before carrying out such processing and, if your rights outweigh our legitimate interests, we will not process your personal data for that purpose.

In some circumstances we will record telephone calls between you and us which may lead to us providing advice or executing a financial transaction on your behalf. We may use these recordings, or transcripts of them to check your instructions, to improve our services, for training and quality purposes, to help us investigate a complaint or to comply with our regulatory and legal obligations.

6. Special Category / Sensitive personal data

The personal data that you provide to us may include certain special categories of information that are treated in law as being particularly sensitive (e.g. information related to your health).

We may require you to provide this sensitive personal data in order to provide you with the services you require from us (e.g. we would not be able to provide you with advice regarding life assurance without understanding whether there are any medical conditions which need to be taken into consideration).

Wherever we process sensitive personal data we will, in accordance with legal obligations, ensure that such information is provided with additional safeguards to protect it.

7. What if you fail to provide personal data?

If for any reason you failed to provide personal data which we require we may not be able to provide you with the services that you require from us.

8. Change of purpose

We will only use your personal data for the purposes for which we collected it. If we need to use your personal data for a purpose other than that for which it was collected, we will prior to that further processing, provide you with information about the new purpose, we will explain our legal justification for doing so and we will provide you with any relevant further information. We may also issue a new privacy policy to you.

9. How we share your personal data

 Third party suppliers and service providers involved in our contractual relationship with you

Like most businesses, we work with third-party product and service providers on your behalf to provide (or to provide you with a quote to provide) the products or the services that you have requested from us (e.g. pension providers and cloud accounting software). Some of these trusted suppliers will process your personal data on our behalf and provide services to us to enable us to manage your account.

Some of these trusted suppliers will require you to enter into a contract with them directly. Please note that where you enter into a contract with a third party following a recommendation by Old Mill (e.g. pension providers and cloud accounting software), the third party will become the “data controller” of any information provided to them either by you or by us with your consent. Any personal data shared with that party will subsequently be processed in accordance with that third party’s privacy policy.

We maintain a list of the third-parties that we engage. A copy of this list is available upon request; if you would like a copy please email dataprotection@om.uk.

We will always make sure that these trusted providers meet agreed standards for the protection of your personal data and they will only ever be allowed to use your personal data in order to provide us with services and not for their own commercial purposes. We require all third parties to take appropriate technical and organisational security measures to protect your personal data and to treat it subject to a duty of confidentiality and in accordance with applicable data protection law.

Other Old Mill businesses

To properly run our businesses in an efficient and compliant manner, Old Mill businesses share a lot of the same internal systems and management, therefore personal data provided to one of our businesses may be processed by another, either as part of providing you with the services you have requested (e.g. involving specialists from another business to ensure the best advice), or to manage our own business. The lawful basis for the latter will be based on our legitimate interests as a business.

Other scenarios in which we might share your personal data

We may also share your personal data:

• with regulatory, governmental or statutory bodies that we are required (either by law or regulation) to provide personal data to upon their request (including the Financial Conduct Authority, HMRC, and the Institute of Chartered Accountants in England and Wales);
• third-party service providers who assist with our compliance with regulatory requirements, such as Anti-Money Laundering searches (for further information on these third parties, please contact us);
• in the event of any insolvency situation (e.g. administration or liquidation);
• in the event that we consider selling or buying any business or assets, to any prospective sellers or buyers of such business or assets;
• if we, or substantially all of our assets, are acquired by a third party, in which case your personal data will be one of the transferred assets; or
• to protect the rights, property or safety of our employees, workers, contractors, clients, or others. This includes exchanging your personal data with other companies and organisations (including without limitation the local police or other local law enforcement agencies) for the purposes of our employee, worker, contractor and client safety, crime prevention, fraud protection and credit risk reduction.

10. How do we protect your personal data?

We take the security of your personal data very seriously and have put in place physical, technical, operational and administrative strategies, controls and measures to help protect your personal data from unauthorised access, use or disclosure as required by law and in accordance with accepted good industry practice. We will always keep these under review to make sure that the measures we have implemented remain appropriate.

In addition, we limit access to your personal data to those employees and other third parties who have a business need to know in order to perform their job duties and responsibilities. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

 11. How long do we keep your personal data?

We will retain your personal data for as long as we need it in connection with our relationship with you. There may also be circumstances where we need to retain your personal data for longer than our relationship with you, for example:

• where we have a statutory or regulatory obligation to retain the information (we are required to keep certain information for specified minimum periods, and in some cases indefinitely, depending on the services we provide); or
• to ensure our business is properly run in an efficient and compliant manner.

Personal data which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal data where applicable.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you. In this case, we may retain such information for a longer period without further notice to you.

12. Your rights in relation to your personal data

It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes so that our records can be updated. We cannot be held responsible for any errors in your personal data if this is caused by a failure by you to notify us of the relevant change.

Data protection law grants you a number of specific rights in respect of your data in addition to the broad and general right to have your data protected.  We have set out some information in respect of each of those specific rights, below:

• Right to be informed about how your personal data will be processed. This enables you to receive information about how we use your personal data. We have set this information out in this privacy policy.
• Request access to your personal data (commonly known as a “data subject access request“). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal data (commonly known as the “right to be forgotten“). This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal data to another party.
• Not to be subject to a decision solely based on automated processing. We do not anticipate making decisions about you based solely on automated decision making where that decision would have a significant impact on you. If we ever make a decision about you automatically by a computer or an algorithm without human intervention you can ask us to have that decision reviewed by a human.

If you want to exercise any of the rights set out above, please contact us (using the contact details set out below).

13. Where your personal data may be processed

In some cases, third parties that we engage may transfer personal data outside of the UK or EEA. Where personal data is transferred outside of the UK or EEA, we will ensure that the personal data is provided the required protection when doing so by ensuring adequate contractual safeguards for such transfer (e.g. the European Commission’s standard data protection clauses and UK IDTA Addendum), to ensure the security of your personal data is maintained when it is processed by the third party.

14. Cookies

As referenced above, our Site uses cookies to distinguish you from other users. This helps us to provide you with a good experience when you browse our Site and allows us to improve our Site and our services.

We may also place tracking cookies in our marketing emails as this helps us to improve our marketing activities – for example, these cookies allow us to see how many people open our emails, what time of day they open our emails and whether they click through on any of the information contained in the emails.

For information on how we use cookies, please see our cookie policy.

15. Third-party websites

Our Site may, from time to time, contain links to third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for the ways in which personal data is processed on such websites. Please check the relevant policies before you submit any personal data to these websites.

16. Changes to this privacy policy

We reserve the right to update or amend this privacy policy at any time, including where we intend to further process your personal data for a purpose other than that for which the personal data was collected or where we intend to process new types of personal data. We will place any updates here on this page. This privacy policy was last updated on 03 October 2022.

17. Complaints

We encourage you to contact us first if you have any queries, comments or concerns about the way we handle your personal data (our details are in the section immediately below). We will try to put things right.

However, if you are not satisfied with our handling of any request by you in relation to your rights or concerns, you also have the right to make a complaint to the Information Commissioner’s Office (“ICO“). You can contact the ICO at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF; 0303 123 1113; or https://ico.org.uk/.

18. Contact

If you have any questions about this privacy policy or how we handle your personal data, please contact us by sending us an email to dataprotection@om.uk.