Alexander James Partnership t/a AJP Finance

 

Privacy Policy

 

AJP Finance is committed to protecting and respecting your privacy.

 

AJP Finance advises on and arranges mortgages and loans for residential and commercial property.

 

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting our websites you are accepting and consenting to the practices described in this policy.

For the purpose of the European Data Protection Regulations (‘GDPR’) and the Data Protection Act 2018 (the Act) and, the data controller is Alex Brown at AJP Finance, 11 Furness Road, London, SW6 2LQ (t 02077360916 f 02031371996 e alexbrown@ajpfinance.co.uk)

 

This Privacy Statement explains how we process your information and your rights under both DPA and GDPR.

 

Information we may collect from you

We may collect and process the following data about you:

 

  • Information you give us

    • Information about you, including name, date of birth, address, income and employment details, expenditure analysis, mortgages and credit commitments

    • Your payslips, accounts, signed forms

  • Information we collect about you

    • Employments and Income references

  • Information we receive from other sources

    •  Your credit file from credit agencies

       

      Cookies

      Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie Policy below.

       

      Uses made of the information

      We use information held about you in the following ways:

  • Information you give to us. We will use this information to arrange the best possible mortgage or loan deal we can

  • Information we collect about you. We will use this information to arrange the best possible mortgage or loan deal we can

  • Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may us this information and the combined information for the purposes set out above (depending on the types of information we receive).

     

    Disclosure of your information

     

    We may share your information with selected third parties including:

  • Business partners (including the adviser who introduced you to us and the lenders we approach to arrange your finance), suppliers and sub-contractors for the performance of any contract we enter into with [them or] you, including without limitation any data processor we engage.

  • Analytics and search engine providers that assist us in the improvement and optimisation of our site.

     

    We may disclose your personal information to third parties:

  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.

  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use or terms and conditions of supply and other agreements; or to protect the rights, property, or safety of AJP Finance, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

     

    Where we store your personal data

    The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff maybe engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

     

    All information you provide to us is stored on our secure servers. Any payment transfers will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential.  We ask you not to share a password with anyone.

     

    Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site: any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try and prevent unauthorised access.

     

    Your rights

    You have the right to ask us not to process your personal data for marketing purposes. We will inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at alexbrown@ajpfinance.co.uk.

     

    Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

     

    Your rights under Data Protection Law

    We operate under the Data Protection Act 2018 (‘DPA’) and the European General Data Protection Regulation (‘GDPR’).

     

    The DPA and GDPR apply to ‘personal data’ we process and the data protection principles set out the main responsibilities we are responsible for.

     

    We must ensure that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner

  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

  4. Accurate and where necessary kept up to date

  5. Kept for no longer than is necessary for the purposes for which the personal data are processed. We operate a data retention policy that ensures we meet this obligation. We only retain personal data for the purposes for which it was collected and for a reasonable period thereafter where there is a legitimate business need or legal obligation to do so. For detail of our current retention policy contact our privacy officer at alexbrown@ajpfinance.co.uk

  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

     

    We ensure lawful processing of personal data by obtaining consent; or where there is a contractual obligation to do so in providing appropriate products and services; or where processing the data is necessary for the purposes of our legitimate interests in providing appropriate products and services.

     

    In the majority of cases we process personal data based on your contract with us. In other cases, we process personal data only where there are legitimate grounds for so doing.

     

    To meet our Data Protection obligations, we have established comprehensive and proportionate governance measures.

     

    We ensure data protection compliance across the organisation through:

  1. Implementing appropriate technical and organisational measures including internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies

  2. Maintaining relevant documentation on processing activities

  3. Implementing measures that meet the principles of data protection by design and data protection by default including data minimisation, pseudonymisation, transparency, deploying the most up-to-date data security protocols and using data protection impact assessments across our organisation and in any third party arrangements

     

    Under the GDPR You have the following specific rights in respect of the personal data we process:

  1. The right to be informed about how we use personal data - This Privacy Statement explains who we are; the purposes for which we process personal data and our legitimate interests in so doing; the categories of data we process; third party disclosures; and details of any transfers of personal data outside the UK

  2. The right of access to the personal data we hold. In most cases this will be free of charge and must be provided within one month of receipt

  3. The right to rectification where data are inaccurate or incomplete. In such cases we shall make any amendments or additions within one month of your request

  4. The right to erasure of personal data, but only in very specific circumstances, typically where the personal data are no longer necessary in relation to the purpose for which it was originally collected or processed; or, in certain cases where we have relied on consent to process the data, when that consent is withdrawn and there is no other legitimate reason for continuing to process that data; or when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.

  5. The right to restrict processing, for example while we are reviewing the accuracy or completeness of data, or deciding on whether any request for erasure is valid. In such cases we shall continue to store the data, but not further process it until such time as we have resolved the issue

  6. The right to data portability which, subject to a number of qualifying conditions, allows individuals to obtain and reuse their personal data for their own purposes across different services

  7. The right to object in cases where processing is based on legitimate interests, where our requirement to process the data is overridden by the rights of the individual concerned; or for the purposes of direct marketing (including profiling); or for processing for purposes of scientific / historical research and statistics, unless this is for necessary for the performance of a public interest task

  8. Rights in relation to automated decision making and profiling

     

    Please contact our privacy officer at alexbrown@ajpfinance.co.uk for more information about the GDPR and your rights under Data Protection law.

    If you have a complaint about data protection at AJP Finance, please contact our privacy officer at alexbrown@ajpfinance.co.uk.

    Alternatively contact our supervisory authority for data protection compliance: www.ico.org.uk:

     

    Information Commissioner’s Office

    Wycliffe House

    Water Lane

    Wilmslow

    Cheshire

    SK9 5AF

     

    Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

     

    About cookies

    Cookies are pieces of information that a website transfers to your computer’s hard disk for record-keeping purposes. Cookies can make the internet more useful by storing information about your preferences on a particular site, such as your personal preference pages.

    The use of cookies is an industry standard, and most websites use them to provide useful features for their customers. Cookies in and of themselves do not personally identify users, although they do identify a user’s computer. Most browsers are initially set to accept cookies.

    If you would prefer, you can set yours to refuse cookies. However, you may not be able to take full advantage of a website if you do so.

     

    We do not use cookies.

     

Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

 

Contact

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to alexbrown@ajpfinance.co.uk.

 

Policy Last updated: 21st May 2018

Alexander James Partnership Ltd t/a AJP Finance

Data Protection and Data Security Policy

 

Version: 1.0

April 2018

Contents

1       Purpose. 4

2       Review of Policy. 4

3       Responsibilities. 4

3.1        The Management Body. 4

3.2        Data Protection Officer (Delete if not applicable) 4

3.3        Employee Responsibilities. 5

4       Definitions. 5

4.1        Personal data. 5

4.2        Special category data /Sensitive personal data. 5

4.3        Data controller. 5

4.4        Data processor. 5

5       The Data Protection Principles. 5

5.1        Lawful basis for processing. 6

5.1.1     Consent. 6

5.1.2     Contract. 7

5.1.3     Legal obligation. 7

5.1.4     Vital interests. 7

5.1.5     Public task. 7

5.1.6     Legitimate interests. 8

5.1.7     Special category data/sensitive personal data. 8

5.1.8     Criminal offence data. 9

6       Rights of the individual/data subject. 9

6.1        Right to be informed. 9

6.2        Right of access. 10

6.3        Right to rectification. 10

6.4        Right to erasure. 10

6.5        Right to restrict processing. 11

6.6        Right to data portability. 11

6.7        Right to object. 11

6.8        Rights related to automated decision making (including profiling) 12

7       Accountability and Governance. 12

7.1        Contracts with processors (Delete if no data processors appointed) 12

7.2        Documentation/Record keeping. 12

7.3        Employee Training. 13

7.4        Data protection impact assessments (DPIA) 13

8       Data Security. 13

9       International transfers. 14

10     Cooperation with the ICO.. 15

11     Personal data breaches. 15

11.1      Notification to the ICO.. 15

11.2      Informing individuals about a breach. 16

11.3      Recording breaches. 16

12     Breaches of Data Protection and Data Security Policy. 16

13     Annex 1 – Legitimate Interests Assessment (LIA) 17

13.1      Purpose Test. 17

13.2      Necessity Test. 17

13.3      Balancing Test. 17

14     Annex 2 – Data Protection Impact Assessment (DPIA) 18

14.1      Identify the need for a DPIA.. 18

14.2      Describe the processing. 19

14.2.1       Nature of processing. 19

The nature of the processing is what the Firm plans to do with the personal data. This should include: 19

14.2.2       Scope of processing. 19

14.2.3       Context of processing. 20

14.2.4       Purpose of processing. 20

14.3      Consider consultation. 20

14.4      Assess necessity and proportionality. 20

14.5      Identify and assess risks. 21

14.6      Identify measures to mitigate risk. 21

14.7      Sign off and record outcomes. 22

14.8      Integrate outcomes into plan. 22

14.9      Keep under review.. 22

 

 

 

1        Purpose

This policy details how Alexander James Partnership Ltd (the Firm) will manage data protection and data security and ensure a consistency of approach within the Firm and adherence to the Data Protection Regulation. The Firm recognises that failure to protect personal data poses a risk to employees and clients and to the reputation and good standing of the company, as well as risking financial penalties.

Data Protection is regulated and enforced in the UK by the Information Commissioners Office (ICO) (https://ico.org.uk/)

The Firm is authorised by the Financial Conduct Authority (FCA) and complying with some of the FCA rules requires the Firm to process personal data. 

While the ICO will regulate data protection, the FCA will also consider compliance with these regulations under their rules, in particular the Senior Management Arrangements, Systems and Controls standards in the FCA handbook (https://www.handbook.fca.org.uk/handbook).

2      Review of Policy

This policy will be reviewed by the Management Body and the Data Protection Officer – Alex Brown on an ongoing basis in line with any regulatory changes but at least once a year.

3        Responsibilities

3.1      The Management Body

The Management Body will ensure that it appoints a Data Protection Officer that reports directly to the Management Body, is an expert in data protection, and is independent and adequately resourced.  The Management Body will ensure that:

  • The Data Protection Officer will be involved in all issues relating to the processing of personal data

  • The Data Protection officer will not be penalised for carrying out their duties

  • Any other tasks and duties that the Data Protection Officer performs do not result in a conflict of interests.

3.2      Data Protection Officer

The Data Protection Officer is Alex Brown and is contactable on 02077360916 and at alexbrown@ajpfinance.co.uk. The contact details of the Data Protection Officer have been published and communicated to the ICO.

The Data Protection Officer’s responsibilities include:

  • Advising the Firm and its employees who carry out data processing on their data protection obligations

  • Monitoring compliance with the data protection regulation and this policy

  • Advising on the data protection impact assessment (DPIA) and monitoring its performance

  • Cooperating with and acting as a point of contact for the ICO

  • Acting as a point of contact for data subjects concerning data protection and their rights under GDPR

    The Data Protection Officer will take into account the risks associated with any data processing undertaken, having regard to the nature, scope, context and purposes of the processing.

3.3      Employee Responsibilities

All employees, volunteers and business associates, such as Appointed Representatives, are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

All employees who deal with personal information are required to handle that information confidentially and sensitively.  Employees who undertake to process personal data supplied by the Firm must do so only in accordance with the Firm’s instructions.

Employee obligations in respect of the Data Protection Act form part of their contract of employment.

4        Definitions

4.1      Personal data

Personal data is any information relating to an, directly or indirectly, identified or identifiable natural person (also known as a data subject).

4.2      Special category data /Sensitive personal data

Special category or sensitive personal data refers to data relating to racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, genetic data or biometric data.

4.3      Data controller

A controller determines when, why and how to process personal data. The Firm is the controller of all personal data relating to its employees, clients and others whose personal data is used in its business for its commercial purposes.

4.4      Data processor

A processor is responsible for processing personal data on behalf of a data controller and should act only on the controller’s instructions. Processing is any activity that involves the use of personal data such as obtaining, recording, holding, amending, using, transferring, erasing or disclosing it.

The Firm is a processor of personal data.  Personal data is only processed by the Firm.

5        The Data Protection Principles

Data Protection law sets out 6 principles which define the obligations of the Firm as a processor of personal data.  These principles are as follows:-

  1. Personal data shall be processed lawfully, fairly and in a transparent manner

  2. Personal data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in any manner incompatible with those purposes

  3. Personal data shall be adequate, relevant and limited to what is necessary for the purpose for which they are processed

  4. Personal data shall be accurate and, where necessary, kept up to date

  5. Personal data shall be kept in a form which permits identification of the data subjects for no longer than necessary for the purposes for which the personal data are processed

  6. Personal data shall be processed in a manner that ensures the security of personal data

    The data protection law states that the Firm shall be responsible for, and be able to demonstrate compliance with, these principles.

5.1      Lawful basis for processing

The Firm will ensure that it has a lawful basis to process personal data.  The Firm will ensure that the processing is necessary for its purpose and that there is no other reasonable way to achieve that purpose. 

The Firm will determine and document the lawful basis before beginning processing. There may be more than one lawful basis that applies to the processing and, if this is the case, the Firm will document it. The Firm will ensure that is can justify its reasoning for the lawful basis chosen.

The six lawful bases for processing personal data are:

  1. Consent – the data subject has given clear consent for the Firm to process their personal data for a specific purpose

  2. Contract – the processing is necessary for a contract the Firm has with the data subject or because they have requested that the Firm take specific steps before entering into a contract

  3. Legal obligation – the processing is necessary for the Firm to comply with the law

  4. Vital interests – the processing is necessary to protect someone’s life

  5. Public task – the processing is necessary for the Firm to perform a task in the public interest

  6. Legitimate interests – the processing is necessary for the Firm’s (or a third party’s) legitimate interests unless there is  good reason to protect the individual’s personal data which overrides those legitimate interests

    When choosing the lawful basis for processing, the Firm will consider what it is trying to achieve, can it reasonably be achieved in another way and whether or not it has a choice to process the data.

    The Firm has reviewed its lawful bases for processing in the light of the General Data Protection Regulations (GDPR) and updated them where necessary.  These have been communicated to the data subjects before 25th May 2018.

    If there is a change in circumstances or a new purpose for processing the data then the Firm will review the lawful basis and make any changes ensuring that the data subjects are informed and the change documented.

5.1.1       Consent

When requesting consent, the Firm will:

  • Make the request for consent prominent and separate from its terms and conditions

  • Ask people to positively opt-in

  • Not use pre-ticked boxes or other types of default consent

  • Use clear, plain language that is easy to understand

  • Specify why it wants the data and what it will do with it

  • Give individual options to consent to different purposes and types of processing

  • Name the Firm and any other third parties who will be relying on consent

  • Tell people that they can withdraw consent at any time

  • Ensure that people can refuse consent without detriment

  • Not make consent a precondition of a service

The Firm will record when, how and from whom it obtained consent and what they were told at the time of consent.

The Firm has reviewed its existing consents in light of GDPR and obtained fresh consent where necessary.

5.1.2       Contract

When using contract as the lawful basis for processing personal data, the Firm will ensure that the processing is necessary to deliver its side of the contract and that it could not reasonably do what was required without processing the personal data.

5.1.3       Legal obligation

When using legal obligation as the lawful basis for processing personal data, the Firm will ensure that the processing is necessary to comply with a law or statutory obligation and that it could not reasonably do what was required without processing the personal data. The Firm will identify the specific legal provision or appropriate source of advice that sets out its obligation.

5.1.4       Vital interests

The Firm is unlikely to use vital interests as a lawful basis for processing personal data.

When using vital interests as the lawful basis for processing personal data, the Firm will ensure that the processing is necessary to protect someone’s life and that it could not reasonably do what was required without processing the personal data. The Firm will not use vital interests as the lawful basis if the data subject is capable of giving their consent.

5.1.5       Public task

The Firm is unlikely to use public task as a lawful basis for processing personal data.

When using public task as the lawful basis for processing personal data, the Firm will ensure that the processing is necessary to comply with a specific task in the public interest that is set out in law and that it could not reasonably do what was required without processing the personal data. The Firm will identify the specific task and identify its statutory or common law basis.

Data subject’s rights to erasure and data portability do not apply when the Firm is processing personal data on the basis of public task.

5.1.6       Legitimate interests

The Firm is aware that when it uses legitimate interests as the lawful basis for processing personal data that it takes on extra responsibility for protecting the people’s rights and interests.

The Firm will avoid using legitimate interests as the lawful basis where individuals would not reasonably expect the processing or where their interests are likely to override the Firm’s legitimate interests.

The Firm will use a legitimate interests assessment (LIA) to check whether it is appropriate to rely on legitimate interests as the lawful basis for processing personal data and will record this and the outcome to demonstrate compliance with accountability obligations.  The LIA consists of 3 parts:

  1. Purpose test – is the Firm pursuing a legitimate interest?

  2. Necessity test – is the processing necessary for that purpose?

  3. Balancing test – do the individual’s interests override the legitimate interest?

    Considerations for these 3 tests are listed in Annex 1 – Legitimate Interests Assessments.  If the LIA identifies significant risks then the Firm will consider performing a Data Protection Impact Assessment (DPIA) to assess the risks and potential mitigation in more detail.

    When the Firm uses legitimate interests as the lawful basis, the individual’s right to data portability does not apply.

5.1.7       Special category data/sensitive personal data

The Firm will ensure that it meets at least one of the following conditions before processing special category data:

  1. The data subject has given explicit consent to the processing of those personal data for a specified purpose

  2. The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment and social security and social protection law

  3. The processing is necessary to protect the vital interests of the data subject or another person where the data subject is incapable of giving consent

  4.  The processing is processing is carried out in the course of its legitimate activities with appropriate safeguards by a body, with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members, or former members, of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects

  5. The processing relates to personal data which is clearly made public by the data subject

  6. The processing is necessary for legal claims or courts acting in their judicial capacity

  7. The processing is necessary for reasons of substantial public interest and is proportionate to the aim pursued, respectful of the right to data protection and provides measures to safeguard the fundamental rights and the interests of the data subject

  8. The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

  9. The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices which provides measures to safeguard the rights and freedoms of the data subject

  10. The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which are proportionate to the aim pursued, respectful of the right to data protection and provides for measures to safeguard the fundamental rights and the interests of the data subject

    The Firm will record any special category conditions that are applicable to the personal data it is processing.

5.1.8       Criminal offence data

Personal data on criminal convictions or offences can only be processed if the Firm has an official authority to do so or is processing the data in an official capacity.  The Firm has official authority to process criminal offence data.

6        Rights of the individual/data subject

The Firm recognises that the data subjects/individuals have the following rights:

  1. The right to be informed

  2. The right of access

  3. The right of rectification

  4. The right to erasure

  5. The right to restrict processing

  6. The right to data portability

  7. The right to object

  8. Rights in relation to automated decision making and profiling

6.1      Right to be informed

The Firm will provide individuals with the following privacy information:

  • The name and contact details of the Firm

  • The name and contact details of the Firm’s representative (delete if not applicable)

  • The name and contact details of the Data Protection Officer (delete if not applicable)

  • The purposes of the processing

  • The lawful basis for the processing

  • The legitimate interests for the processing (if applicable)

  • The categories of personal data obtained (if the data is obtained from a third party)

  • The recipients or categories of recipient of the personal data

  • The details of any transfers of the personal data to any third countries or international organisations

  • The retention periods of personal data

  • The rights available to individuals in respect of the processing

  • The right to withdraw consent (if applicable)

  • The right to lodge a complaint with the ICO

  • The source of personal data (if the data is obtained from a third party)

  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (Note: this is not required when the personal data is obtained from sources other than the data subject)

  • The details of any automated decision-making, including profiling (if applicable)

    The Firm will provide this information to individuals at the time they collect the data from them.  If the data is obtained from another source then the Firm will provide this information within a reasonable time and no later than a month after receiving the data.  If the Firm is planning to communicate with the individual, it will provide the privacy information when it communicates for the first time. If the Firm is disclosing the information to a third party, the Firm will provide the individual with the privacy information at the latest when the data is disclosed.

    The Firm will regularly review and update its privacy information. Any new uses of personal data will be brought to the data subject’s attention before the new processing starts.

    The Firm undertakes an information audit to find out what personal data it uses and what it does with it.

6.2      Right of access

The Firm recognises that individuals have the right to obtain: confirmation that their data is being processed, access to their personal data and the information provided in the privacy information.

The Firm will provide this information free of charge.  The Firm may charge a fee, based on the administrative costs of processing the request, for requests for further copies of the same information.

Where an individual makes a request for a copy of their information, this should be managed by the Data Protection Officer.

6.3      Right to rectification

The Firm will respond to any request for rectification of inaccurate or incomplete data within one month, or within three months if the request is complex.  If the personal data has been disclosed to third parties, the Firm will inform them of the rectification.

6.4      Right to erasure

The Firm recognises that individuals have the right erasure in certain circumstances, and will erase the data without undue delay, contacting any third parties, to whom the data has been passed, to inform them to erase the data.

The circumstances in which the right to erasure exists are as follows:

  • Where personal data is no longer necessary for the purpose for which it was originally collected or processed

  • The data subject withdraws their consent

  • When the individual objects to the processing and there is no overriding legitimate reason for continuing the processing

  • The personal data was unlawfully processed

  • The personal data has to be erased to comply with a legal obligation

    The Firm can refuse the request for erasure for the following reasons:

  • To exercise the right of freedom and information

  • To comply with a legal obligation for the performance of a public interest task or exercise of official authority

  • For public health purposes in the public interest

  • For archiving purposes in the public interest, scientific or historical research or statistical purposes

  • For the exercise or defence of legal claims

6.5      Right to restrict processing

The Firm will restrict the processing of personal data on request from an individual where one of the following applies:

  • Where an individual contests the accuracy of the personal data, the processing will be restricted until the accuracy of the data has been verified or corrected

  • Where an individual objects to the processing (where it was necessary for performance of a public interest task or legitimate interests) and the Firm is considering whether the Firm’s  legitimate grounds override those of the individual

  • When the processing was unlawful and the individual opposes erasure and request restriction instead

  • If the Firm no longer needs the personal data  but the individual needs it for a legal claim

    When the processing has been restricted, the Firm will, except for the storage of the data, only process the data with the individual’s consent.  The Firm will inform individuals before a restriction on processing is lifted.

6.6