Who are we?
All three legal entities that make up The Compliance Company are authorised data controllers and the particulars of their registration can be found on the data protection register under the following registration numbers:
Consumer Credit Compliance Limited – ZA074336
Consumer Credit Compliance Training Limited – ZA568143
The Compliance Company Core Services Limited – ZA569064
The Compliance Company Advisory Services Limited- ZA934948
The Compliance Company can be contacted by telephone, post and/or email using any of the below contact details. We also have the facility to arrange face to face meetings subject to making prior appointments.
Telephone: 01423 522 599
Address: The Compliance Company, Windsor House, Cornwall Road, Harrogate, HG1 2PW
How do we use your personal information?
As a financial services and data protection compliance consultancy, we predominantly process personal data in the course of providing services to businesses (as opposed to consumers). A good number of our clients are corporate bodies however we also work with firms that are individuals (e.g. sole traders, small unincorporated partnerships and unincorporated bodies). It is to be noted that the latter category of individuals are treated akin to consumers under data protection legislation and we endeavour to provide the intended consumer protection to this category of data subjects in the manner in which we process/handle your personal information.
Please see below details of how we use/intend to use your personal information and the legal bases that we rely upon for each use:
Where do we obtain your personal information from?
In the majority of cases, we obtain your personal information directly from you or from your firm. In some circumstances, typically to operate our direct marketing strategy, we may obtain your personal information from public sources such as the Financial Services Register and Companies House. Typically, the personal information that we collect from public sources relating to you is limited to your full name, job title, approved person/Senior Manager status, company details and business email address. We may, through our staff, representatives and/or appointees, connect with you on LinkedIn and use this platform to obtain the aforementioned information about you in order to send direct marketing communications to you by email and/or, on occasion, via LinkedIn.
What happens if you do not provide your personal information to us?
We typically require your personal information (in the above contexts) to assess your firm’s need for our services, to define the scope of our prospective/current engagement and to deliver the required consultancy service to your firm. Should you not provide us with the necessary personal information we require to enter into a service agreement with you or to adequately deliver the relevant consultancy service, we may be unable to provide our services or may be limited as to the extent to which we are able to provide consultancy support to your firm.
We also typically require the abovementioned personal information in order for us to effectively operate our appointed representative network. Should you fail to provide us with the relevant information we require to operate our appointed representative network, it is likely that we will not be able to provide our appointed representative services to your firm including potentially not being able to complete or adequately complete the pre-engagement due diligence process or our compliance monitoring activities which may result in us not entering into an appointed representative contract with your firm or terminating an existing appointed representative contract with your firm.
Who do we share your personal information with?
The three legal entities that make up The Compliance Company may share personal information with each other in certain circumstances such as where your firm engages consultancy services that are delivered by various legal entities within The Compliance Company. It is to be noted that in certain circumstances we operate a ‘Chinese wall’ between the legal entities in The Compliance Company to minimise conflict of interest risks, for example, where one legal entity provides consultancy services to a firm that operates in a sector that may potentially conflict with a client of another legal entity within The Compliance Company that operates in a competing sector.
As a compliance consultancy that specialises in FCA compliance, data protection and direct marketing compliance, we typically are engaged to make representations to regulatory authorities on behalf of our clients, for example, to the FCA or Information Commissioner’s Office. As such, we may be instructed by our client to share relevant personal data with the relevant regulatory bodies. It is to be noted that as a firm that is authorised and regulated by the Financial Conduct Authority, Consumer Credit Compliance Limited is under a legal obligation to notify the FCA about anything relating to it and its appointed representatives that the FCA would reasonably expect notice. This includes but is not limited to any rule breaches by our appointed representatives or findings that relevant individuals associated with our appointed representatives (e.g. directors, partners, sole traders etc.) no longer satisfy the fitness and propriety criteria.
We may, in limited circumstances, share personal information with our legal advisers/solicitors where required. This would typically be where necessary to establish, exercise or defend legal claims.
Do we transfer personal information outside of the EEA?
We do not typically transfer your personal information outside of the EEA. Our consultancy services typically relate to UK regulatory requirements and disclosing personal information, where instructed by our clients or where under a legal obligation to do so, to relevant UK regulatory authorities only (as opposed to any regulatory authorities outside of the EEA). We utilise Zoho CRM, Microsoft Exchange and Sharepoint (‘IT systems’) to store information which could comprise of your personal information. Our IT system providers either store our database (which may comprise of your personal information) on servers located in the United Kingdom, European Union or in the United States (i.e. Zoho Corporation Pvt. Ltd (‘Zoho’)). Zoho has in place SCCs-based Data Processing Agreements (DPAs) with us. Any data which is transferred out of EEA that is shared with Zoho is for the purpose of obtaining technical support, and Zoho access to the EU DC from our other office locations in order to conduct debugging operations. A copy of the DPAs which we have in place with Zoho are available upon request by contacting us by email to firstname.lastname@example.org.
How long do we store your personal information?
As a general rule of thumb, we seek to only store your personal information for as long as is necessary to fulfil the purposes highlighted above in the section ‘How do we use your personal information?’ We apply ‘necessary’ in the context of our use of personal information to be six years from when your firm ceases to be our client or our appointed representative. The aforementioned is subject to you exercising your unconditional/absolute right to object to the use of your personal information for direct marketing purposes by, for example, unsubscribing to our promotional emails or otherwise notifying us that you no longer accept for us to use your personal information for direct marketing purposes. Should you not object to the use of your personal information for direct marketing purposes, we will typically continue to use your personal information for the same purpose until you notify us otherwise. Our direct marketing communications are typically aimed that you in a business capacity (as opposed to a consumer capacity) and therefore we assess that the continued use of your personal information for direct marketing purposes until and unless you advise otherwise (typically your full name, company details and company email address) is less likely to infringe your privacy rights.
We typically retain your personal information, in the context of our appointed representative service, for six years after you cease to be our appointed representative. It is to be noted that, for as long as you continue to be our appointed representative and/or a recipient of our consultancy services (including periodically, infrequently or on an ad-hoc basis), we will continue to handle your personal information for the purposes set out in the ‘How do we use your personal information?’ section above.
What are your rights in relation to your personal information?
It is to be noted that should you exercise any one of the below individual rights, the GDPR gives us up to one month to action your request (where appropriate). Should we not be able to comply with your request within the one month period, it is to be noted that the GDPR makes provision for us to extend the period by two further months depending on the complexity or number of requests you make. In such circumstances, we will inform you about any such extension within one month of receiving your request.
Right of access
Right to rectification
You have the right to request that we correct any inaccurate personal information we hold about you. It is to be noted that the right to rectification includes your entitlement to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’)
You have the right to request that we delete your personal information from our records. This is also known as the ‘right to be forgotten’. It is to be noted that the right to be forgotten is a conditional as opposed to an absolute right. This means that we shall only be under an obligation to erase your personal information where:
- It is no longer necessary in relation to the purposes for which the said personal information was collected or otherwise used by us for us to continue handling the said personal information.
- Where you withdraw your consent for us to continue to handle any special category personal information relating to you such as health data.
- You object to us processing your personal information for direct marketing purposes (as the same is reliant on the legitimate interests lawful basis).
- We have unlawfully processed your personal information.
- There is a legal obligation upon us to erase your personal information.
It is to be noted that we are not under an obligation to erase your personal information where the handling of your personal information is necessary for us to comply with a legal obligation (including our regulatory obligations to the FCA) or where the handling of your personal information is necessary for us to establish, exercise or defend legal claims. For example, in practice, it is likely that we will be unable to erase your personal data if you have been party to an appointed representative contract with us which has ceased within the six year data retention period set out above. This is to ensure we comply with our legal obligations under the FCA’s regulatory system.
Right to restrict processing
You have the right to request that we restrict how we use your personal information. This right is applicable where:
- You contest the accuracy of the personal information that we hold about you.
- The restriction of processing for a period will enable us to verify the accuracy of the personal information we hold about you.
- The handling of your personal information is unlawful and you oppose the erasure of your personal information and instead request the restriction of its use.
- We no longer need your personal information for any purpose(s) however you require the same for the establishment, exercise or defence of legal claims.
- You object to use of your personal information for direct marketing purposes on the basis that we have a legitimate interest to do so.
- The restriction of processing will enable verification of whether our legitimate interests override your rights.
Right to object
You have the right to object to the use of your personal information at any time. It is to be noted that the right to object is conditional and only applies, in the context of our use of your personal information, to the use of your personal information for direct marketing purposes (as this is based on the legitimate interests lawful basis). It is to be noted that you have an unconditional/absolute right to object to the use of your personal information for direct marketing purposes. Where you exercise your right to object, we can no longer handle your personal information for direct marketing purposes.
Right to data portability
You have the right to obtain a copy of your personal information in a structured, commonly used and machine-readable format such as Excel or Word or request that your personal information be ported to another controller.
Right to withdraw consent
Please note that should you provide us with your consent to handle special category personal information relating to, for example, your health, you have the right, at any time, to withdraw your consent for us to use the said personal information.
How can I exercise my rights in relation to my personal information?
You can exercise any and all of your individual rights by contacting us on any of the below: Email: email@example.com Telephone: 01423 522 599 (Consumer Credit Compliance Limited), 01332650793 (Claims Management Compliance Limited) Address: The Compliance Company, Windsor House, Cornwall Road, Harrogate, HG1 2PW How do I lodge a complaint about the use of my personal information? Should you be dissatisfied with the manner in which we use your personal information, you have the right to lodge a complaint with the Information Commissioner’s Office, who are the UK’s data protection supervisory authority. You can lodge a complaint with the ICO by following this link https://ico.org.uk/concerns/ or calling the ICO on 0303 123 1113.
We encourage that, in the first instance, you submit any complaint to us and give us the opportunity to investigate and resolve the same prior to lodging a complaint with the Information Commissioner’s Office.