We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Disclosures Of Your Personal Data
We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above.
- Other companies within our group.
- Clients who have requested our Services in relation to Customers and Applicants.
- Public databases and credit reference agencies who assist in providing the Services.
- Service providers who provide payment, marketing, IT and system administration services.
- Professional advisers including lawyers, bankers, auditors and insurers based within the EU who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances, especially in the prevention of money laundering and fraud.
- Ombudsmen who are responsible for dealing with complaints.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Transfers from the EU to the UK
Personal data in respect of EU residents is transferred and processed by the ID Co in the UK. Transfers to the UK take place on at least one of the following grounds:
- An interim determination of adequacy following the withdrawal of the UK from the EU.
- An adequacy decision from the European Commission that the UK offers an adequate level of protection for personal data.
- Standard contractual clauses approved by the European Commission as giving personal data similar degrees of protection.
Transfers outside of the UK and the EEA
Some of our external third party suppliers are based outside of both the UK and the European Economic Area (EEA).
Their processing of your personal data will involve a transfer of data outside the UK/EEA.
Whenever we transfer your personal data out of the UK/EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
- Where we use certain service providers, we may use standard contractual clauses designed to enforce standards of personal data protection.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the EEA and the US. For further details see European Commission: EU-US Privacy Shield.
Data Privacy in the US
Within the United States, the ID Co are compliant with current federal legislation and use the Privacy Shield data protection legislation to ensure US clients are of a similar standard. The ID Co are also compliant with the California Consumer Privacy Act.
The security of your personal information is important to us. We follow best practice industry standards to protect the personal information submitted to us, both during transmission and once we receive it. Commonly referred to as “bank-level” security, this means we use the same encryption standards that you would have with your own bank. We also routinely run security audits to ensure we meet these standards at all times. On top of internal audits, working to the ISO27001 standards, our security is audited by a leading CREST and CHECK certified consultancy.
When you enter sensitive information (such as bank credentials or a credit card number), it should always be encrypted using secure socket layer technology (SSL). We will always use such encryption.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In some cases we may retain your personal data for at least 7 years to meet our regulatory compliance requirements or as needed to provide the Services to you. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes and enforce our agreements. If your account is deleted, all personal information will be removed from our systems except for any Transaction Data, Technical Data and records required to comply with our legal obligations, resolve disputes and enforce our agreements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
- Access to information: You have the right to request a copy of the information the ID Co holds about you.
- Ensuring accuracy of information: The ID Co wants to make sure that your personal information is accurate and up-to-date. You may ask the ID Co to correct or complete information that is inaccurate or incomplete.
- Right to erasure: You may have a right to erasure, which is more commonly known as the ‘right to be forgotten’. This means that in certain circumstances you can require the ID Co to delete personal information held about you. As a Customer, you can delete your personal data through our DirectID platform by logging in and following the prompts. As a Client or Applicant, please contact us to have your personal data deleted by us.
- Ability to restrict processing: You may also have the right to require the ID Co to restrict the ID Co’s use of your personal information in certain circumstances. This may apply, for example, where you have notified the ID Co that the information the ID Co holds about you is incorrect and you would like the ID Co to stop using such information until the ID Co has verified that it is accurate.
- Right to data portability: You may have the right to receive personal data the ID Co holds about you in a format that enables you to transfer such information to another data controller (e.g. another service provider).
- Review by an independent authority: You will always have the right to lodge a complaint with a supervisory body, including the ICO as listed above.
- Preventing direct marketing: The ID Co does not sell your personal data. From time to time, the ID Co may send emails containing information about new features and other news about us. This is considered direct marketing. The ID Co will always inform you if the ID Co intends to use your personal data or if the ID Co intends to disclose your information to any third party for such purposes.
- Objecting to other uses of your information: You may also have the right to object to the ID Co’s use of your information in other circumstances. In particular, where you have consented to the ID Co’s use of your personal data, you have the right to withdraw such consent at any time.
If you would like further information on how you can exercise these rights, please email us at firstname.lastname@example.org.