PURPOSE OF THIS POLICY
1.1. At EQDerivatives, personal data is a key part of our business. It is never acceptable that personal data is handled in a way which is unlawful or which could cause distress or damage to the individuals to which the data relates (Individuals) or put their safety or wellbeing at risk. This applies whether Individuals are our clients, employees, contractors or others such as contacts at our suppliers and other business partners.
1.2. The privacy and rights of all Individuals with whom we engage in our business is of paramount importance to us. We are committed to safeguarding their privacy by handling personal data in accordance with the data protection and privacy laws which apply to our business including the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and other applicable data protection and privacy laws (collectively, Data Protection Laws).
1.3. As a provider of digital news media, and as an employer, we are committed to fostering a culture of data protection throughout our organisation by complying strictly with Data Protection Laws and ensuring that all personal data for which we are responsible is handled safely, appropriately and in a manner which is expected of us. This policy, and Data Protection Laws will apply to any handling of personal data by EQDerivatives (including the mere storage of archived data).
1.4. Due to rapid developments in technology, such as social media and cloud-based computing services, existing data protection laws in the European Union (EU) became outdated as a means for protecting Individuals. A comprehensive new law, the GDPR, therefore came into effect from 25 May 2018. It requires all businesses operating in the EU (and many, including EQDerivatives Inc., based outside the EU) to comply with the strictest data protection laws in the world.
1.5. The UK, where EQDerivatives (Europe) Limited is based, has also passed its own law, the Data Protection Act 2018, which consolidates and complements the GDPR and other data protection laws, including by: (i) regulating specific aspects of processing such as sensitive data and data relating to criminal convictions and offences; and (ii) ensuring that the UK continues to provide adequate protection for personal data even if the UK leaves the EU.
1.6. The standards for handling personal data set out in this Data Protection Policy are intended to meet the stringent new standards established by the GDPR, the Data Protection Act 2018 and other applicable Data Protection Laws.
1.7. To ensure the protection of Individuals and of EQDerivatives, it is therefore very important that all of our staff understand this Data Protection Policy and our obligations under Data Protection Laws and act at all times in a way which reflects them.
2. WHO THIS POLICY APPLIES TO
2.1. This Data Protection Policy applies to all EQDerivatives directors, officers, members, employees, consultants, contractors, temporary and agency workers and other staff (EQDerivatives Staff). You must read, understand and comply with this Data Protection Policy when processing personal data (the meaning of which is explained below) on our behalf and on behalf of our clients.
2.2. This Data Protection Policy sets out what we expect from you in order for EQDerivatives to comply with Data Protection Laws. It is mandatory for you to comply with this Data Protection Policy and our related policies and to attend any training on them which we may arrange. Any breach of this Data Protection Policy or related policies may result in disciplinary action.
2.3. This Data Protection Policy is an internal document and cannot be shared with clients, suppliers, regulators or other third parties without prior authorisation from one of our Directors.
2.4. This Data Protection Policy is related to, and should be read in conjunction with, EQDerivatives’s Personal Data Breach Notification Policy and any other EQDerivatives policies relating to information security and risk management which we may implement from time to time.
3. OUR DATA PROTECTION TEAM & WHEN YOU MUST CONTACT THEM
3.1. Our Data Protection Team is currently comprised of:
(i) Peter Thompson, President
(ii) Robert McGlinchey, Director
3.2. You should contact a member of the Data Protection Team whenever you have a question about processing personal data of Individuals in the course of performing your duties or if you have any concerns that this Data Protection Policy is not being or has not been followed.
3.3. In particular, you must always contact a member of the Data Protection Team in the following circumstances:
(i) Sensitive personal data: If you are collecting and handling sensitive personal data (see sections 7.4 to 7.7 below).
(ii) Status of data: If you are unsure whether data is personal data, pseudonymised data or anonymous data (see sections 7.9 to 7.11 below).
(iii) Impact assessment: Whenever you are engaging in a significant new, or change in, processing activity which is likely to require a Data Protection Impact Assessment (see sections 7.14 to 7.16 below) or plan to use personal data for purposes others than what it was collected for.
(iv) Lawful basis for processing: If you are unsure of the lawful basis which you are relying on to process personal data (see section 9 below).
(v) Consent: If you need to rely on consent and/or need to capture explicit consent (see section 9.1 below).
(vi) Retention period: If you are unsure about the retention period for the personal data being processed (see section 8.1(5) below).
(vii) Security: If you are unsure about what security or other measures you need to implement to protect personal data (see section 10 below).
(viii) Individuals’ rights: If you need any assistance dealing with any rights invoked by an Individual (see section 11 below).
(ix) Privacy notices: If you need to draft privacy notices or fair processing notices (see section 11.4 below).
(x) Direct marketing: If you need help complying with applicable law when carrying out direct marketing activities to existing or prospective clients (see sections 11.16 to 11.17 and section 15 below).
(xi) Automated processing: If you plan to undertake any activities involving automated processing including profiling or automated decision-making (see sections 11.18 to 11.20 below).
(xii) Data sharing & data processors: If you need help with any contracts or other areas in relation to sharing personal data with third parties including our suppliers (see section 12 below).
(xiii) Transfers outside EEA: If you are unsure on what basis to transfer personal data outside the EEA (see section 13 below).
(xiv) Personal data breach: If there has been a personal data breach (see section 14 below).
4. REGULATORY BODIES, GUIDANCE & UPDATES
4.1. EQDerivatives will be regulated when it offers services (such as event registration) to individuals in the EU, or processes personal data in the context of its UK establishment, EQDerivatives (Europe) Limited.
4.2. In the UK, Data Protection Laws are enforced by the Information Commissioner’s Office (ICO), which is the governmental body responsible for providing guidance on how to comply with, and for enforcing, the current Data Protection Laws. At an EU level, the European Data Protection Board (EDPB) is responsible for issuing guidance and overseeing the implementation of the GDPR. Further information on these bodies, together with data protection guidance, can be found on their websites:
4.3. We shall endeavour to revise this Data Protection Policy as soon as reasonably practicable to reflect changes in Data Protection Laws, how they are enforced and related guidance, and shall notify you of any changes which we make.
4.4. There may, however, be times when parts of this Data Protection Policy become outdated or superseded by Data Protection Laws and the way in which they are enforced. If this happens then the current Data Protection Laws at the time should of course be followed rather than the outdated or conflicting parts of this Data Protection Policy.
5. THE IMPORTANCE OF DATA PROTECTION COMPLIANCE TO OUR BUSINESS
5.1. Any breaches of Data Protection Laws by EQDerivatives could have very serious consequences for Individuals and for us, including:
(i) Individuals could suffer emotional distress, financial damage or even have their safety put at risk.
(ii) We could be subject to investigations by the ICO, which would likely result in reputational damage and adverse media scrutiny.
(iii) We could have fines imposed on us of up to EUR 20 million (approx. £17.5 million) and may even have parts of our business operations suspended or stopped.
(iv) It could cause our clients and intermediaries to lose trust in us, which in turn could negatively impact our ability to generate future work.
(v) It could result in our clients terminating their service contracts with us and bringing claims for compensation arising from any damage they have suffered as a result (which could be significant).
5.2. Given the risks of not handling personal data in accordance with this Data Protection Policy, your non-compliance may:
(i) If you are an employee, result in disciplinary action, up to and including dismissal, in line with the relevant disciplinary procedure.
(ii) If you are a contractor, consultant or agency worker, result in the review, non-renewal or termination of the contract governing your provision of services to EQDerivatives and potentially even claims for compensation against you or your employing organisation.
5.3. In some cases (such as intentionally mishandling personal data, or data theft), a breach of Data Protection Laws can be a criminal offence, and can result in a criminal record, fine and even a prison sentence for EQDerivatives Staff who have mishandled the data.
6. PROTECTION OF PERSONAL DATA: A FUNDAMENTAL EUROPEAN RIGHT
6.1. To understand the principles set out in this Data Protection Policy, it is important to appreciate that the right to privacy is a fundamental right for all Individuals in the EU.
6.2. Reflecting this, throughout the EU there is an extensive legal regime for protecting the personal data of Individuals by:
(i) Imposing broad obligations on organisations such as ourselves which collect personal data and have control over how and why personal data is processed (these are known as data controllers).
(ii) Imposing obligations on organisations that process personal data on behalf of a data controller (these are known as data processors).
(iii) Conferring broad rights on Individuals about whom data is collected (these are known as data subjects).
EQDerivatives collects and handles personal data relating to all of our clients, EQDerivatives Staff and individual contacts at, for example, our suppliers and other organisations with whom we do business. We are therefore regulated as a data controller under Data Protection Laws in respect of our handling of such personal data.
7. KEY CONCEPTS
7.1. There are several key concepts which it is important for you to be aware of in order to understand this Data Protection Policy and to be able to act in accordance with it:
7.2. This is defined broadly to mean any information which can be used to identify an individual, taking into account various factors such as those specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
7.3. Typical examples of personal data processed by EQDerivatives include:
(i) Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
(ii) National Insurance or social security numbers, bank account details, payroll records and tax status information.
(iii) Salary, annual leave, pension and benefits information.
(iv) Recruitment information, including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process.
(v) Employment records, including job titles, work history, working hours, training records and professional memberships.
(vi) Date of birth, gender, marital status and dependants.
(vii) Compensation history and performance information.
(viii) Information about employee health, including medical conditions, health and sickness records.
(ix) Personal data about individual end users of our services.
Sensitive personal data
7.4. Data Protection Laws impose additional obligations in relation to certain types of so-called special categories of “sensitive” data, which include any personal data which reveal or relate to an Individual’s:
(i) Racial or ethnic origin.
(ii) Political opinions.
(iii) Religious or philosophical beliefs.
(iv) Trade union membership.
(v) Genetic data.
(vi) Biometric data.
(viii) Sex life or sexual orientation.
7.5. There are also specific requirements for processing personal data relating to criminal convictions and offences.
7.6. Some of these categories of sensitive information are unlikely to apply to data held by EQDerivatives. However, others will be. For example, as an employer we may hold sensitive personal data about employees (such as health data relating to illness and absences, or accidents at work). We might also hold details of racial or ethnic origin about staff (for example, if this information is contained within a passport which we store a copy of for right to work or identification purposes).
7.7. When handling sensitive personal data, it is important to be clear about the lawful grounds for processing that you are relying on (see section 8.1 Lawfulness, Fairness & Transparency and section 9 Lawful Basis below). Where relying on explicit consent, ensure that it is GDPR compliant. Consider whether it is necessary to carry out a Data Protection Impact Assessment (see section 7.14 below). Ensure technical and organisational security measures are robust and contact a member of the Data Protection Team if you have any doubts.
7.8. This core concept is also broadly defined and covers most operations involving personal data such as collecting, recording, storing, retrieving and transmitting personal data as well as blocking, erasing or destroying it. At a day-to-day level, you should assume that anything which you are doing with personal data, whether on behalf of EQDerivatives or of our corporate clients, will be regulated as processing of it.
Anonymisation & Pseudonymisation
7.9. Data Protection Laws do not apply to personal data which has been “anonymised” permanently such that the relevant Individuals can no longer be identified.
7.10. In some cases, certain information may be temporarily removed from personal data so that the Individual is not identifiable without that removed information, for example by using a separately stored “key” to return the data to a state which allows individuals to be identified again. This type of data is known as “pseudonymised” data and it is still regulated as personal data under Data Protection Laws.
7.11. If you are not sure whether data is “personal data”, “anonymised data” or “pseudonymised data” then please consult a member of the Data Protection Team.
7.12. We must be able to demonstrate that the processing activities undertaken within EQDerivatives comply with the data processing principles (see section 8.1 Data Protection Principles below). It is therefore very important that we document our compliance with Data Protection Laws by taking the following steps:
(i) Appointing the members of our Data Protection Team to oversee our compliance with Data Protection Laws and ensuring that these members remain up to date on developments relating to Data Protection Laws.
(ii) Maintaining data processing records, and organising all of our data protection related documentation (such as agreements with third party processors), so that we are able to provide this documentation upon request by the ICO.
(iii) Implementing Privacy by Design and by Default principles in our business and undertaking Data Protection Impact Assessments where necessary (see sections 7.14 to 7.16 below).
(iv) Integrating data protection into internal documents including this Data Protection Policy, related policies and privacy notices.
(v) Regularly testing the data protection measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement efforts.
Privacy by Design and by Default
7.13. As an organisation, we are required to implement appropriate technical and organisational measures to ensure that all processing of personal data in the course of our business is designed to satisfy the data protection principles (see section 8.1 Data Protection Principles below) and that, by default, only necessary data are processed.
Data Protection Impact Assessments
7.14. Whenever you engage in processing which can be considered to be “high risk”, especially when using new technologies, then it is necessary to undertake a data protection impact assessment (DPIA). A DPIA is essentially a detailed evaluation of the potential risks posed by the proposed processing activities and determination of the appropriate measures to take to manage those risks in accordance with Data Protection Laws.
7.15. The key situations in which it is necessary for organisations to undertake a DPIA are:
(i) Large scale processing of “sensitive” data or data relating to criminal convictions and offences.
(ii) Automated processing, including profiling, and automated decision-making.
(iii) Large scale, systematic monitoring of a publicly accessible area.
7.16. If you believe that any processing activities which you are considering undertaking are, or may be, high risk then please discuss with a member of the Data Protection Team.
8. DATA PROTECTION PRINCIPLES
8.1. Whilst the GDPR is broad in scope, in summary there are six key data processing principles which all EQDerivatives Staff must comply with when processing personal data:
1. Lawfulness, Fairness and Transparency
As explained in more detail in section 9 below, there must be a lawful basis for collecting and processing the data in the first place. In our organisation, this will most often be because we need to process the data for the purpose of fulfilling our contractual or statutory obligations to our clients, EQDerivatives Staff and suppliers, or for our other legitimate interests.
In more limited circumstances, we may have a lawful ground for processing because we have obtained consent from the relevant Individual to process their data for a specific purpose (for example, this may be in relation to marketing by email). Consent will only be valid if certain conditions are met (see section 9.1(1) below).
2. Purpose Limitation
The data must be collected only for specified, explicit and legitimate purposes, and must not be further processed in any manner incompatible with those purposes.
3. Data Minimisation
Data must only be collected to the extent that it is adequate, relevant and necessary for the purposes for which the data is to be processed.
The data collected must be accurate and, where necessary, kept up to date.
5. Storage Limitation
The data must not be kept in a form which permits the identification of Individuals for longer than is necessary for the purposes for which the data is to be processed.
6. Integrity and Confidentiality
The data must be processed in a manner that ensures, through appropriate technical or organisational measures, that it will be kept secure, including protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
9. LAWFUL BASIS
9.1. As explained in section 8.1(1) above, as a data controller EQDerivatives must always have a legal basis for using personal data. This will be one of the following:
(1) Consent: Where an Individual provides his or her freely given, specific, informed consent to a particular purpose, then personal data can be used for that purpose. Consent must be opt-in, and there can be no duress or imbalance in power (so consent from employees is usually not valid). The Individual must have indicated their agreement clearly either by a statement or other positive affirmative action. Silence, pre-ticked boxes or inactivity are not sufficient. If consent is obtained in a document which deals with other matters, then the consent must be kept separate from those other matters. Individuals must be easily able to withdraw consent to processing of their data at any time. Consent may need to be refreshed if (as is unlikely) we intend to process personal data for a different and incompatible purpose which was not disclosed to the Individual when they first consented.
(2) Performance of a contract with an individual: An individual’s personal data can be used by us to the extent necessary to perform a contractual obligation we owe to that individual (for example, under a contract of employment).
(3) Compliance with a legal obligation: Personal data can be used to the extent necessary to comply with a legal obligation (such as disclosing employee payroll information to HMRC).
(4) The legitimate interests of EQDerivatives or a third party: Personal data can be used to the extent necessary for our legitimate interests (or those of a third party). A legitimate interest is a real (as opposed to hypothetical) lawful interest which is sufficiently clearly articulated. However, this ground can only be relied on if the legitimate interests are not overridden by the rights and freedoms of the individuals affected.
9.2. Personal data can also be used to the extent necessary to protect an individual’s vital interests (i.e. life and death situations), or by public bodies in the exercise of official duties. However, these latter grounds are unlikely to apply to EQDerivatives.
9.3. Additional restrictions apply to the use of sensitive personal data and data relating to criminal convictions and offences. Generally, we will only be able to use such information because the individual has already made it public, or else it is with his or her consent (which must be explicit consent for sensitive data) or where necessary in connection with our rights and duties as an employer. Please see section 7.4 for further information.
10.1. As a data controller, EQDerivatives must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (in particular where the processing involves the transmission of data over a network) and against all other unlawful forms of processing.
10.2. When handling personal data all EQDerivatives Staff must take steps to ensure that there will be no unauthorised access to the information by complying strictly with EQDerivatives’s current information management policies and procedures (and any separate instructions provided by EQDerivatives in this regard.
10.3. One of the overriding objectives of Data Protection Laws is to ensure that personal data is kept safe and secure. There is frequent aggressive enforcement action by the ICO in respect of companies which have failed to comply with this requirement, whether deliberately or inadvertently and whether caused by the data controller or by one of their suppliers.
10.4. In particular, EQDerivatives shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing,
taking into account always the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Individuals.
10.5. It is therefore of paramount importance that if you become aware of any incidents which could put personal data at risk, or result in Individuals being subject to distress, damage or having their safety or wellbeing put at risk, then you report this immediately in accordance with section 14 (Reporting) below.
11. RIGHTS OF INDIVIDUALS
11.1. The GDPR grants Individuals comprehensive, protective rights in respect of how their personal data is processed, the key rights being set out below.
11.2. Each case must be considered on its own merits and, as a general rule, we will have a maximum of one month in which to respond to requests from Individuals, although this may be extended by two further months in cases which are complex or involve numerous requests.
11.3. If you receive a request from an Individual, it is therefore very important that you inform a member of the Data Protection Team immediately.
Right to be informed
11.4. Individuals have the right to know about how their personal data will be used. EQDerivatives must therefore be transparent about the purposes for which it uses personal data collected about Individuals. This is normally achieved by setting out the necessary information in a “privacy notice” which may take many forms, including providing notices online (such as the privacy notice on our website) or offline.
11.5. We must provide this mandatory information irrespective of whether we collect the information directly from the Individual or indirectly from other sources, although the precise requirements differ slightly. In either case, information supplied in a privacy notice must be:
(i) Concise, transparent, intelligible and easily accessible.
(ii) Written in clear and plain language.
(iii) Free of charge.
11.6. If you are involved in preparing a privacy notice, it is therefore very important that you seek the input of a member of the Data Protection Team.
Right to access
11.7. Individuals have the right to obtain access to the personal data that EQDerivatives holds about them subject to certain exemptions. These requests are often referred to as “Subject Access Requests” or “SARs”.
Right to rectification
11.8. Individuals are entitled to request that EQDerivatives rectifies their personal data if it is inaccurate or incomplete.
Right to erasure
11.9. In certain circumstances, Individuals have the right to require that EQDerivatives erases their personal data, for example where the data is no longer necessary, consent is withdrawn, the Individual objects to processing (and we do not have a “legitimate interest” to continue it), or the data has been unlawfully processed. This is also known as the “right to be forgotten” or “RTBF”. This right is exercisable where the personal data:
(i) Is no longer necessary for the purpose(s) for which it was originally collected or processed.
(ii) Was processed on the basis of consent, which has now been withdrawn.
(iii) Is processed on the basis of EQDerivatives’s (or a third party’s) legitimate interests and the Individual objects to this. In these circumstances EQDerivatives must demonstrate an overriding legitimate interest to continue processing.
(iv) Has been processed unlawfully.
(v) Needs to be erased in order for EQDerivatives to comply with a particular legal obligation.
11.10. Unless EQDerivatives has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the Individual informed of the erasure, within one month of receipt of the Individual’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the Individual shall be informed.
11.11. In the event that any personal data that is to be erased in response to an Individual’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
Right to restrict processing
11.12. In the following circumstances, Individuals may have the right to request that the processing of their personal data is restricted:
(i) Where an Individual contests the accuracy of the personal data, EQDerivatives should restrict the processing until we have verified the accuracy of the personal data.
(ii) Where an Individual has objected to the processing (where it was necessary for the performance of a public interest task or for the purpose of legitimate interests), and EQDerivatives is considering whether its legitimate grounds override those of the Individual.
(iii) When processing is unlawful and the Individual opposes erasure and requests restriction instead.
(iv) If EQDerivatives no longer needs the personal data but the Individual requires the data to establish, exercise or defend a legal claim.
Right to data portability
11.13. Individuals have the right, in certain circumstances, to receive personal data concerning themselves from EQDerivatives in a structured, commonly used and machine-readable format.
11.14. The purpose of this right is to allow Individuals to have their personal data transferred between IT environments in a useable form. Individuals also have the right to request, where technically feasible, that the controller transmits their personal data to another controller directly.
11.15. Please note that this right only applies to personal data which we obtain from Individuals and, using automated means, process on the basis of their consent (which in practice will be rare) or in order to perform a contract with them (which is also uncommon as our clients are principally corporate clients not individuals).
Right to object
11.16. Individuals have the right to object to:
(i) Direct marketing (including profiling).
(ii) Processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority (including profiling).
(iii) Processing for purposes of scientific/historical research and statistics.
11.17. In respect of direct marketing, the requirements are particularly onerous: EQDerivatives must stop processing an Individual’s personal data for direct marketing purposes as soon as we receive an objection and there are no exemptions or grounds to refuse.
Rights related to automated decision making and profiling
11.18. The GDPR provides safeguards for Individuals against the risk that a potentially damaging decision is taken without human intervention. In practice this means that Individuals have the right, subject to certain exemptions, not to be subject to a decision when:
(i) it is based on automated processing (including profiling); and
(ii) it produces a legal effect or a similarly significant effect on the Individual.
11.19. We must also ensure that appropriate safeguards are in place when processing personal data for ‘profiling’ purposes, which covers a broad range of activities related to analysing or predicting an individual’s behaviour at work or in their private life.
11.20. This is a complex area and the input of the Data Protection Team is vital in assessing any requests made by Individuals.
12. DATA SHARING & APPOINTING DATA PROCESSORS
12.1. As a general rule, sharing of personal data with third parties is only permitted under Data Protection Laws if undertaken in accordance with certain safeguards and if appropriate contractual arrangements have been put in place.
12.2. Accordingly, personal data relating to Individuals may only be shared with other organisations if the recipient has a legitimate need to know the information and the disclosure complies with the GDPR’s requirements (including where the recipient is based outside the European Economic Area).
12.3. Generally, you may only share the personal data we hold with any third party which we appoint to process personal data on our behalf (known as a “data processor”) if you do so in a way which satisfies the stringent requirements of the GDPR and which keeps the data safe and secure.
12.4. There are a broad range of services which may be provided to us by data processors, including:
(i) suppliers of IT maintenance services and hosted-software and back-up services;
(ii) payroll processors and benefits administrators; and
(iii) document destruction services (for physical documents and electronic documents).
12.5. Even though it is sometimes not immediately obvious that a supplier may be a data processor, EQDerivatives is still legally responsible for all data processing undertaken by a supplier on our behalf. It is therefore very important that we have full visibility as to how they will provide the processing services, and keep the data safe and secure, before we enter into any contracts with them.
12.6. If you are responsible for engaging with a third party supplier which will collect, store, handle or destroy personal data on our behalf then you must consult a member of the Data Protection Team.
13. INTERNATIONAL TRANSFERS
13.1. Data Protection Laws impose strict restrictions on transferring personal data to recipients in countries outside the European Economic Area (EEA – meaning the UK, the remaining 27 EU member states, Iceland, Liechtenstein and Norway).
13.2. The general rule is that the transfer of personal data to an organisation in a country outside the EEA (Destination Country) is only allowed if such Destination Country has been approved by the European Commission as providing an “adequate level of protection” for the personal data. Very few countries have received such approval.*
13.3. Even if the Destination Country is not approved, it may be possible to transfer the data lawfully by relying on alternative methods, for example:
(i) Privacy Shield: If the recipient organisation is in the US and registered as adhering to the US-EU Privacy Shield Framework.
(ii) Model Clauses: If a data transfer agreement incorporating European Commission approved “Standard Contractual Clauses” (also known as “Model Clauses”) is entered into between the organisations transferring and receiving the data.
(iii) Explicit Consent: In certain circumstances, it is possible to rely on explicit consent obtained from the relevant Individuals. This method cannot, however, be used when transferring employee data.
13.4. It is important to be aware that the concept of “transferring” personal data is very broad and is not limited to sending documents, storage devices or storage media containing personal data outside the EEA. It can also cover, for example, where you make personal data which is stored on IT servers in the EEA available to individuals outside the EEA so that they can access and use such data.
13.5. Where EQDerivatives receives personal data from its UK subsidiary, EQDerivatives (Europe) Limited, or from UK and EU clients, then an international transfer of the type described above will take place. To ensure that the transfer is compliant with Data Protection Laws, EQDerivatives has put in place the following measures:
(i) an intra-group data sharing agreement, incorporating the Model Clauses, between EQDerivatives Inc. and EQDerivatives (Europe) Limited; and
(ii) a data transfer agreements for clients, incorporating the Model Clauses, which EQDerivatives Inc. will sign upon request by the client.
14.1. All security incidents involving personal data, such as leakage or theft, must be reported immediately to a member of the Data Protection Team.
14.2. Examples of security incidents which require reporting include but are not limited to:
(i) Theft or loss of computer, external storage medium, multifunctional mobile terminal, mobile phone, or confidential documents containing personal data (for example, client documents).
(ii) Publication of personal data without the permission of the Individual.
(iii) Leakage of personal data through Internet via file-swapping software, etc.
(iv) Sending personal data to the wrong recipient in any form including by email, fax and post.
14.3. Reporting security incidents as soon as possible gives us the best possible chance to prevent or reduce both:
(i) the risk of Individuals suffering distress, damage or having their safety or wellbeing put at risk;
(ii) the risk of EQDerivatives being in breach of its contractual obligations to notify corporate clients of security incidents involving clients’ personal data; and
(iii) the risk of EQDerivatives being subject to regulatory enforcement action (including investigations, “name and shame” reports and fines), compensation claims from Individuals, and adverse publicity.
15. DIRECT MARKETING
15.1. EQDerivatives is subject to certain rules and specific privacy laws when carrying out marketing in relation to its UK establishment. For example, prior consent is generally required for electronic direct marketing (for example, by email, text or automated calls) to individuals in a personal capacity
15.2. We do not need prior consent to email corporate recipients, provided that we are contacting a corporate email address (i.e. firstname.lastname@example.org type email) for business purposes.
15.3. In the event that we do send marketing emails to individuals at a personal email address (e.g. a Gmail, Hotmail or Yahoo webmail address) or are emailing sole traders or unlimited partnerships (not LLPs) with direct marketing then consent will generally be required (unless we are able to rely on the “soft opt-in” exemption (namely, we may send marketing emails relating to our services if we have obtained the Individual’s contact details in connection with the provision (or potential provision) of services to them and we gave them an opportunity to opt out of marketing when first collecting the details)).
15.4. The right to object to direct marketing must be explicitly offered to all recipients of marketing in an intelligible manner so that it is clearly distinguishable from other information.
15.5. An objection to direct marketing must be promptly honoured. If a person opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
15.6. Direct marketing is a high-risk area of data processing which is subject to frequent enforcement action by the ICO. You must consult a member of the Data Protection Team before engaging in any direct marketing activity.
16.1. EQDerivatives shall periodically train workers on the requirements to comply with the contents of this Data Protection Policy.
*The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay as offering adequate protection. Japan is due to receive adequacy recognition during the course of 2018, and South Korea is in the process of seeking adequacy recognition from the European Commission.
POLICY ISSUE DATE: 17 October 2018
End of Data Protection Policy