Data Protection Privacy Notice

Please read this Privacy Notice carefully before providing us with any information about you or any other connected person. Where you provide information about another person, you should first obtain their consent to do so.

We have developed this Privacy Notice in accordance with the Data Protection Act 1998 and Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation or GDPR. Its purpose is to advise you of the personal information we may collect, for what purpose(s), how we will use it, the lawful basis under which we may do this and your rights under the GDPR.

1. The categories of data subject to the provisions of the GDPR

‘Personal data’ (Article 4 of the GDPR) by which we mean information which identifies you as an individual, or is capable of doing so.

‘Special categories of personal data’ (Article 9 of the GDPR) by which we mean information revealing your racial or ethnic origin, religious or philosophical beliefs, or data concerning your physical or mental health, including the provision of health care services, which reveal information about your health status.

2. Contact details and person responsible for Data Protection at Murray Asset Management

Murray Asset Management UK Limited is registered with the Information Commissioner’s Office as a Data Controller and Processor, reference No ZA153690. We have a responsibility to ensure that your personal information is processed in accordance with this Privacy Notice and the above Regulations.

If you would like to discuss anything in this Privacy Notice, please contact Lisa Hamer, Compliance Director, who is the person responsible for Data Protection within the firm. You may contact her in writing at 3 Glenfinlas Street, Edinburgh EH3 6AQ, by telephone on 0131 220 8888, or by email to [email protected]

3. The personal data we may collect and the purposes for this.

We process the following personal data on the legal basis of Legitimate Interests, and the information below sets out further details on this processing. We may obtain personal data from you and, with your authority, from credit referencing agencies, your authorised representatives and other providers of products or services to you.

To provide you with financial services, we may use the following personal data

  • Contact information, such as home address, telephone number and email address
  • Individual information such as age, gender, nationality, domicile and tax identification number
  • Financial information such as income/outgoings, assets/liabilities and bank account details
  • Information concerning your physical or mental health – for which we will require your consent, as this is a ‘special category’ of personal data as described in part 1 above
  • We may also require information on others such as your spouse/partner or dependants where this is relevant

To respond to a complaint or claim we may use the following personal data

  • Personal information provided by you or third parties
  • Recordings of telephone calls between us
  • Letters, reports and any other correspondence between us or with third parties

To provide you with general information from or about us, we may use the following personal information:

  • Contact information, such as name, home address, telephone number and email address. We will only communicate matters relating to the firm and the services we may provide to you.

To evaluate or monitor the competence of staff and suitability of services we may use the following personal data

  • Personal information provided by you or third parties on your behalf
  • Recordings of telephone calls between us
  • Letters, reports and any other correspondence between us or with third parties on your behalf

To monitor and maintain our website, we may monitor and retain the following personal data

All computers that are linked to the Internet have an Internet Protocol (IP) number. Our website logs your IP number when you visit it. An IP number does not provide identifiable personal information on its own but there are facilities to look up IP numbers and establish the owner so this is treated by us as personal information.

We process the following personal data on the legal basis of Legal Obligation, and the information below sets out further details on this processing.

To meet our obligations to the UK Money Laundering Regulations, we may use the following personal data

  • Passport or driving licence details
  • Your home address
  • Financial information such as occupation, income and source of wealth

To meet our telephone call recording regulatory obligations, we may retain the following personal data

  • Recordings of telephone calls between us
  • Recordings of telephone calls with third parties, such as product providers or brokers, in relation to the service(s) we provide to you

4. The special categories of personal data we may collect and the purposes for this.

We process any of the special categories of personal data referred to in part 1 on the legal basis of ‘Legitimate Interests with consent’, and the information below sets out further details on this processing.

To provide you with financial services we may process the following information

  • Any ‘special categories of personal data’ as described in part 1 above, which you believe to be relevant and, therefore, disclose in your application or other communications between us. This may include the following:
    • Information regarding your physical or mental health, including the provision of health care services, which reveal information about your health status

We will require your consent to receive and process special categories of personal data.

5. Data Sharing

We may share information with third parties where this is necessary to enable us to provide our services to you or to allow us to comply with our legal or regulatory obligations. We will not share your data with any third party for marketing purposes. The classes of third parties with whom we will share your personal data, and the reasons for this, are as follows.

Product providers, brokers and intermediaries

We may share your personal data where it is necessary to deliver the service we are providing, such as setting up a policy, obtaining an illustration or placing an investment deal. We disclose only the personal information that is required to deliver that service.

IT systems and support, paper archives, electronic records, recorded telephone calls

We outsource our IT hardware and systems support. Certain operating and record keeping systems are provided by third parties. These third parties may have access to data for support, service, backup and trouble-shooting purposes. We have agreements in place with these third parties to restrict their access to and use of this data.

Financial services regulators, Financial Ombudsman, government and law enforcement agencies

These entities have a legal right to access our records and we have a legal obligation to disclose any information we hold in certain circumstances.

Credit reference agencies, fraud prevention agencies and related service providers

In order to meet our obligations in respect of The UK Money Laundering and Proceeds of Crime Regulations we may, with your consent, use a third party electronic verification system to verify your identity. This is undertaken as part of the initial client appointment, and may be repeated at any time for the duration of the service(s) we provide to you.

Tax authorities

We may have to share information with tax authorities, either directly with overseas authorities or via Her Majesty’s Revenue and Customs who may share that information with the appropriate tax authorities abroad.

Our professional advisers and insurers

Our appointed auditors, lawyers, accountants, other professional advisers and insurers may require access to the client information we hold in order to provide us with advice or insurance.

Your professional advisers and representatives

We may share information with your lawyers, accountants and other professional advisers if you request this. We may also share information with persons such as a Power of Attorney, Trustee, Executor or personal representative.

Web analytics

Analysis of traffic using our website may be undertaken by selected third parties on our behalf.

Business transfers

We may transfer our records to a third party as part of a sale or transfer of some or all of the business to a regulated third party.

Data transfers outside of the EU

We may share personal data outside of the EU where it is necessary to deliver the service we are providing. Where data is shared outside of the EU, we have a regulatory obligation to only transfer to States with an ‘equivalent’ standard of data protection and to have in place a data transfer agreement to protect the security and management of the data being transferred.

6. The lawful basis upon which we process personal data and what this means

Parts 3 and 4 include the lawful basis upon which we process personal data and the following is a brief explanation of what this means.

The Lawful basis under EU directive 2014/65/EU Article 6, 1(f) Legitimate Interests means the processing is necessary, without your explicit consent, for the legitimate business interests of MAM, unless these interests are overridden by your interests or fundamental rights. Our legitimate business interests are explained in Part 2 of this privacy notice.

You have the right to object to us processing your personal data on the lawful basis of legitimate interests, but to do so may mean that we are unable to provide services to you. If you wish to object, please use the contact details in Part 1 to do so.

We process ‘information concerning health’ under Legitimate Interests as described above, but this is subject to Article 9 (a) Explicit consent because it is considered to be sensitive information. This means we will obtain your consent to do so before processing any health related information.

You have the right to withhold your consent to us processing information concerning health, but to do so may mean that we are unable to provide services to you.

The Lawful basis under EU directive 2014/65/EU Article 6, (c) Legal Obligation means the processing is necessary for compliance with a legal obligation to which MAM is subject.

7. The retention periods for personal data

The retention period for personal data varies, depending on our regulatory obligations and complaints time barring rules.  The table below shows the various retention periods, and relates to all forms of records such as paper, electronically stored records, emails and recorded telephone calls.

| Records relating to: | Retention Period |
|---|---|
| Client agreements and Terms of Business | The duration of the agreement plus fifteen years, unless it relates to a pension transfer, pension conversion, pension opt-out or FSAVC, in which case this will be retained indefinitely |
| Suitability of advice or investment management decisions | (1) if relating to a pension transfer, pension conversion, pension opt-out or FSAVC, indefinitely; (2) if relating to anything else, fifteen years after the advice or decision |
| Portfolio transactional records | Indefinitely |
| Complaints | Indefinitely |

8. Your rights as a data subject

The GDPR provides you with the following rights in relation to your personal data processed by us:

The right to be informed

You have the right to be informed how your data will be processed and of your rights.  The required information is provided in this Privacy Notice. 

The right of access

You have the right to obtain confirmation that your personal data is being processed and have access to this.   When requested by you, we must provide you with a copy of the information free of charge within one month. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive.  We may also charge a reasonable fee to comply with requests for further copies of the same information.  Data access requests should be submitted using the contact details in Part 1 of this Privacy Notice.

The right to rectification

You are entitled to have personal data rectified if it is inaccurate or incomplete.  We must respond to a request for rectification within one month.  This can be extended by two months where the request for rectification is complex.  Data rectification requests should be submitted using the contact details in Part 1 of this Privacy Notice. 

The right to erasure

You may request the deletion or removal of your personal data where there is no compelling reason for its continued processing.  We may, however, decline the request where we have a legal or regulatory obligation to retain the data, or where it is being used in the exercise or defence of a legal claim.  In such circumstances we will write to you explaining our reasons for declining your request for the data to be erased.  Data erasure requests should be submitted using the contact details in Part 1 of this Privacy Notice. 

The right to restrict processing

You have a right to ‘block’ or suppress the processing of your personal data.  When processing is restricted, we are permitted to store the personal data, but not to further process it.  Data suppression requests should be submitted using the contact details in Part 1 of this Privacy Notice.

The right to data portability

Individuals generally have the right to data portability.  However, this only applies to personal data where the processing is based on the legal basis of consent or for the performance of a contract; and it is carried out by automated means.  This right does not apply to your personal data that we process, as this is processed on the legal basis of Legitimate Interests and processing is not carried out by automated means. 

The right to object to processing or withdraw consent

You have the right to object to your data being processed on the legal basis of Legitimate Interests and the right to object to direct marketing and data profiling.  You also have the right to withdraw consent for us to process your information concerning health.  Objections to, or withdrawal of consent for, data processing should be submitted using the contact details in Part 1 of this Privacy Notice.

The right to remedies, liabilities and penalties

You have the right to report any concerns you have about the way we have processed your personal data to the Information Commissioner’s Office. You may do this online at https://ico.org.uk/concerns/handling or in writing to the Information Commissioner’s Offices at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (telephone 0303 123 1113) or 45 Melville Street, Edinburgh, EH3 7HL (telephone 0303 123 1115).

9. The GDPR Principles

The GDPR Principles apply to all entities that control or process personal data on EU citizens and form the basis for this privacy notice.  The Principles require that personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.