Data Protection Agreement

Privacy Notice

The General Data Protection Regulation (GDPR) protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with information about people. A key element to this is the principle to process individuals' data lawfully and fairly. In order to meet the fairness part of this, we need to provide information on how we process personal data.

For the purpose of this document, the word process shall serve to mean all elements of the data life-cycle from generation and/or collection through processing, storage, management, analysis, sharing, and destruction.

This Fair Processing Notice satisfies this element of legislation and is designed to highlight the areas of Data Protection which may be of particular concern to prospective clients, prospective staff, prospective suppliers, and others accessing or using our pre-contractual services by way of channels including email, telephone, and our publicly accessible websites including www.hardingfinancial.co.uk, as well as clients, staff, suppliers, and others that Harding Financial Ltd has formed a contractual relationship with.

This Fair Processing Notice is designed to help those people understand how information about them will be used. It will also provide guidance on an individual's data rights and how to make a complaint to the Information Commissioner's Office (ICO), the regulator for data protection in the UK.

More widely, Harding Financial Ltd is committed to meeting the entirety of its responsibilities to current and former staff under the General Data Protection Regulation (GDPR) and other related legislation, taking these matters very seriously. We will always ensure that personal data is collected, handled, stored, shared, retained, and disposed of in a secure manner.

Legal Basis for Processing Data

The legal basis by which we will process and may have already processed data about data subjects:

When we process data about data subjects, we have to observe the requirements of the General Data Protection Regulation (GDPR).

Under the General Data Protection Regulation, our legal bases for processing information about data subjects will be that processing is necessary for one of these reasons:

• With data subjects' consent, we may process data about data subjects on a pre-contractual basis, for example, to deal with a prospective business enquiry that data subjects have made in written or verbal form. Such consent will be collected by us using the same platform and/or medium by which the data subject's enquiry was made. You may withdraw that consent at any time, and you may do so by contacting us using the details below.
• We may process data about data subjects to form and/or execute a contract, either because data subjects have asked us to take specific steps before entering into or during a contract, and/or because an executed contract otherwise sets out that we should do so.
• We may sometimes process data in the exercise of official authority vested in us or the public interest, for instance, to assist with anti-money laundering efforts.
• We may process data about data subjects to satisfy a legal obligation, for instance, an order that we may receive from a court of law that has jurisdiction over that data and/or an organisation that can provide evidence of a legal entitlement to that data.
• In rare circumstances, we may process data about data subjects for the reason that it is either in the legitimate interest of the data subject or another person for protecting their finances (for example, sharing information with fraud prevention services), or because it is in the vital interest of the data subject or another person for the purpose of protecting life (for example, sharing information with emergency services if you were to fall ill during the course of us communicating or meeting with you).

If data subjects gave Harding Financial Ltd data before May 25th, 2018 (the date on which GDPR came into effect), it is important for data subjects to remember that data subjects' personal data was already protected another way, by way of The Data Protection Act (The DPA). The DPA established a framework within which information about living individuals can be legally gathered, stored, used, and disseminated. At its core were eight Data Protection Principles, which Harding Financial Ltd and other organisations needed to abide by. These specified that personal information must be:

• Processed fairly and lawfully, and only if certain conditions are met
• Obtained for specified and lawful purposes, and not used for purposes other than those for which it was gathered
• Adequate, relevant and not excessive
• Accurate and where necessary kept up to date
• Kept for no longer than necessary
• Processed in accordance with individuals' rights
• Kept secure
• Not transferred outside the European Economic Area unless certain conditions are met

GDPR builds on these requirements and states that from 25 May 2018 information must be:

• Processed lawfully, fairly and in a transparent manner in relation to individuals
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
• Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of individuals
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

GDPR also requires that:

"The controller shall be responsible for, and be able to demonstrate, compliance with the principles."

These protections apply to information in electronic form and also many types of data in paper form. Further information about the Data Protection Act and the General Data Protection Regulation is available from the Information Commissioner's Office at www.ico.org.uk.

Why and How Harding Financial Ltd Processes Personal Data

Harding Financial Ltd processes personal data for a variety of reasons, including:

• To collect interest from prospective clients wishing to engage the services of Harding Financial Ltd
• To communicate marketing and operational messages to data subjects via multiple platforms including traditional letter post, email, SMS, Whatsapp, and other forms of digital and social media
• To apply for decisions in principle for financial products for prospective and contracted clients
• To administer client-related functions
• To refer data subjects to third parties who might assist them in ways that Harding Financial Ltd cannot
• To plan and account for the use of the services provided
• To produce information including statistics for relevant external agencies
• To monitor, develop, and update Harding Financial Ltd systems to ensure they continue to operate effectively and securely
• To gather feedback
• To respond to complaints and/or legal claims about our service

Harding Financial Ltd also processes personal data in relation to prospective and current staff for recruitment and administrative purposes.

Disclosure of Personal Data

Harding Financial Ltd may disclose personal data to certain outside organisations as outlined in the Fair Processing Notice.

Methods and Platforms of Data Processing

Harding Financial Ltd may process data using a variety of methods and platforms as detailed herein.

Collection of Personal Data

Harding Financial Ltd collects the following types of personal data:

• Contact information
• Identity information
• Financial information
• Employment information
• Lifestyle information
• Health information
• Data about criminal convictions or offenses
• Details of any vulnerability
• Attitude towards investment risk and capacity for loss
• Product and investment details
• Details of dependents and/or beneficiaries under a policy

Please note that if a data subject provides information about another person in order to notify Harding Financial Ltd of a beneficiary, dependent, or any other connected third party, the data subject should ensure that they have the necessary consent from the individual. Data subjects are encouraged to share this privacy notice with such individuals and contact Harding Financial Ltd if they have any concerns.

Harding Financial Ltd may also obtain personal data about data subjects from other sources in the course of providing its services.

Sensitive Data

Some of the information collected, such as ethnicity, medical information, and information about disabilities, is considered "sensitive" personal data under the Data Protection Act and the General Data Protection Regulation (GDPR). Sensitive data is subject to extra legal protection, and Harding Financial Ltd must meet additional conditions to use this data fairly and lawfully.

Sensitive data may be shared with restricted departments within Harding Financial Ltd to ensure that data subjects have access to appropriate services and support. It may also be used to monitor equality of opportunity and access to services, but will not be used to make decisions about data subjects.

For further information about sensitive personal data, please refer to Harding Financial Ltd's Data Protection Policy.

Who else has access to my data?

Harding Financial Ltd will not share data subjects' information with third parties for their own marketing purposes unless explicit consent has been provided. However, to deliver services effectively and legally, it may be necessary to send data subjects' details to third parties, including professional compliance, accountancy, or legal service providers, regulators, and product/platform providers.

Data subjects' data may also be shared with different companies/departments within the Harding Financial Ltd group for day-to-day operations. Harding Financial Ltd may process data using various systems and platforms, including third-party systems such as Mailchimp for marketing emails or Facebook for targeting messages via social media.

When sharing data with third parties, appropriate security measures will be in place, and any transfers of data outside the European Economic Area (EEA) will comply with the conditions outlined in the General Data Protection Regulation.

How long is data retained?

Data relating to contracted clients, suppliers, or staff members will be retained for as long as the individual maintains a contracted relationship with Harding Financial Ltd. After five years without a contracted relationship, personal data will be securely destroyed, except in cases where legal or regulatory requirements necessitate longer retention periods.

Rights regarding personal data

Data subjects have the following rights regarding their personal data:

• The right to be informed about data collection through a Fair Processing Notice (this notice)
• The right to request information about the personal data held by Harding Financial Ltd and obtain a copy of that information
• The right to rectify incorrect data
• The right to be forgotten when there is no legal or statutory obligation for data retention
• The right to data portability for personal data processed with consent
• The right to restrict processing
• The right to object/withdraw consent to the processing of personal data by Harding Financial Ltd
• The right to complain to the Information Commissioner's Office (ICO) if there are concerns about the handling of personal data

Data subjects can exercise their rights by contacting the Data Protection Officer at Harding Financial Ltd using the provided contact details.

How to exercise rights under GDPR

Harding Financial Ltd is the recognised 'controller' of data subjects' data. The Data Protection Officer can be contacted through the provided postal address, telephone number, or email address.

Postal Address:
Data Protection Officer
Harding Financial Ltd
The Estate Yard
East Shalford Lane
Guildford
Surrey
GU4 8AE
United Kingdom

Telephone: +44 (0) 1483 80 20 10
Email: [email protected]