When we provide our services to you, we will collect personal information about you (and others) and we want to be open and transparent with you as to the types of information we collect about you, why we collect it, how we use it and who we may share it with.
The data controller of your personal information is Orchard House (IFAs) Ltd, which is a
Limited Company, registered at:
The Dutch Barn
Our Company’s Registration Number is 2986781.
We hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes.
This policy sets out how we seek to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
If you have any questions or concerns about our use of your personal information, you should please not hesitate to contact us using the contact details provided at the bottom of this Notice in the 'How to contact us' section.
Data Protection Principles
- We aim to keep data securely
- We aim to store accurate data
- We aim to permanently erase data that is not relevant to our trade
- Some data on you needs to be kept indefinitely. In the case of work undertaken on FSAVCs and Defined Benefit Pension arrangements we are required by the Financial Conduct Authority to retain records indefinitely, for instance and we would also want to retain certain documents in the event a need for investigation in the future
- We aim for data to be processed fairly and in a lawful manner
What type of personal information will be processed and why?
We may ask you to provide personal information by filling in hard copy forms and documents or via corresponding with you by phone, e-mail, letter or otherwise or during the course of our meetings with you.
Types of personal information
Identity details including your name and date of birth.
We may ask for copies of identity documents in which case we may collect details including your place of birth and residential address.
Why we collect it
To carry out Anti Money Laundering and financial checks that we are required by law to perform.
Additionally, we will make checks for fraud and crime prevention and detection purposes.
- We will only ever use copies of identity documents for this purpose.
- We collect and process this personal information in order to comply with our legal and regulatory requirements
Your contact details including your name, postal, and email address(es) and your phone numbers and other personal details about you including your title, job title, marital status and date of birth.
To contact you in order for us to manage, administer and provide our services to you.
- To respond to any correspondence and service-related enquiries you send to us in respect of our
- To discuss products or services for which you apply or may be interested in applying for.
- To manage any applications made for products or services.
- To communicate any updates to you including any changes to our services, the terms and conditions of any services which we have provided to you, any changes to this Notice and to our websites.
- To contact you in order to receive your feedback on our services and to participate in related surveys.
Financial information relating to you, including pension contributions and current value, salary, bank account balances, credit card balances details of investments and payment card details.
To evaluate your eligibility for products, including making credit searches with credit reference agencies and fraud searches with fraud prevention agencies.
- To enable us to advise you on your financial circumstances and the appropriateness of specific
courses of action and products.
- We collect and process this personal information for our legitimate business interests.
- To enable you to make payments for our services.
- We collect and process this personal information as is necessary for the entry into and performance of
any agreements between us (i.e. to assess whether you are eligible for products, and once an agreement has been entered into between you and us, so that we can collect payments from your
Details of your dependants (name and date of birth).
To enable us to provide you with services that you have requested that would involve, or have an impact on, your dependants (who may be adults or minors). Where those dependants are adults, please make sure that you have their permission to provide us with their personal information.
Details of contact that we have had with you such as meetings with you, fact-finding discussions and
documentation, recommendations, referrals and quotes.
Details of services you have received.
To allow us to provide a professional service to you and to contact you with information about other
services of ours that we think you may be interested in).
• We collect and process this personal information for our legitimate business interests.
Client experience and other feedback and information you provide to us.
Information about complaints and incidents.
Recordings of calls we receive or make.
- To review your feedback and experience with us so that we can improve our products and services for
you and for our other clients.
- We collect and process this personal information for our legitimate business interests.
Please see section below entitled "When we record communications" for more information.
All of the personal information described above.
- We may disclose your personal information to third parties where we are required to do so in order to
comply with applicable laws and regulatory requirements including circumstances where we are required to do so by a court Order, regulatory authority or any other third party with the lawful right to request and receive the personal information we hold about you (including law enforcement agencies and tax authorities). Our banks, auditors and insurers are also entitled to obtain specific data, although it is extremely rare that they would do so.
- We may also use your personal information where it is necessary for us to take legal advice in order to
establish our legal rights, to bring a claim against you or any related parties or to defend a claim from you or any related parties.
- We collect and process this personal information for our legitimate business interests including carrying
out our own internal business planning, compliance, training, audit and quality assurance purposes.
Depending upon the types of products and services you require, we may also need to collect information from and about you which the law considers to be sensitive, such as data about your physical or mental health, which we refer to as “special category personal data”. The special category personal data that we may ask you to provide, and the reasons why we ask you to provide it, are as follows:
Types of special category personal data
Information about your physical or mental health or condition.
Why we collect it
Certain products and services that you request may require this information. Specifically, in order for us to advise you on and to submit applications for health or life insurance products and services, we will need to collect information relating to your physical and mental health in order to obtain accurate quotes and to advise on the suitability of products (as insurance premiums and eligibility for products will in part depend on your physical and mental health). We will usually collect this information in the course of meetings with you, on specific questionnaires or in the process of completing an application form for such products and services.
Information about your sex life or sexual orientation.
Information about your racial or ethnic origin.
Some providers may ask for this information in the course of your application for their products or services.
We will never ask for this information for our own purposes.
We will only process the special category personal data listed above with your explicit consent. We ask for your consent to the processing of this data at the end of this Notice. You may choose not to provide us with this consent.
However, please note that if you do not provide us with your consent to collect and process the information listed in the table above:
- we may not be able to advise you fully in respect of certain products and
services which require this information (in particular those relating to health or life insurance);
- your application may be rejected by the providers of products and services which require this information; or
- the quotes for such products and services may be higher than would be the case if this information were provided.
In some circumstances, we may receive information about you from third parties. In particular, we will receive information about you from Credit Reference Agencies and Fraud Prevention Agencies. This may include details of the products and services you have applied for, those lenders, finance and credit organisations with whom you have (and have had) an agreement with, the amounts advanced, the amount and frequency of repayments and whether you have made your repayments on time and in full. This will help us make the best possible assessment of your financial situation before we decide whether we can provide you with our services and/or recommend any specific products and services. It is in our legitimate interests to process your personal information for this purpose. We may also ask you to provide Letters of Authority to allow us to receive information about you from providers.
When we record communications
We, and persons acting on our behalf, may record and/or monitor communications (including telephone conversations over landlines and mobile phones, emails, instant messaging, chat rooms, fax and other electronic communications) between our staff and you. We only record communications between us in order to comply with our legal and regulatory requirements - as a regulated financial adviser, the law requires us to
record these communications.
We may also record and/or monitor communications for training and quality assurance purposes but will always ask for your consent before recording communications for these purposes. If you choose not to provide your consent in these circumstances, we will still be entitled to record and/or monitor communications if we are under a legal obligation to do so (but will only be able to use the recordings for those purposes).
Who might my personal information be shared with?
We may disclose your personal information to the following categories of recipients:
- to providers of financial services, insurance and investment products and services in respect of whom you request us to submit applications on your behalf and to receive updates from such providers in order for us to provide our services to you throughout the lifetime of our relationship with you;
- to our suppliers and partners in order for them to help us provide our services to you, this includes:
- our IT systems providers to assist us with providing you with an efficient, modern and professional service;
- our suppliers of audit and regulatory compliance support services who may review our records containing your personal information in order to audit and report to us on our compliance with applicable laws and regulatory requirements;
- our accountants, solicitors, insurer(s) and insurance broker(s) and any other provider of professional services to us;
- to Credit Reference Agencies and Fraud Prevention Agencies to help us with Anti-Money Laundering processes and to make the best possible assessment of your financial situation before we decide whether we can provide you with services. We are also required to provide information to such agencies so that they can update the information which they hold about you and which they may share with other organisations;
- Our Server: Specifically, your data storage for Orchard House (IFAs) Ltd’s internal use is held on a local file server at our Peppard Common offices. We have contracted in independent advisers on data protection who have stated that they find the physical security of our Peppard Common offices to be fit for purpose.
- Our CRM System: We use the services of Advisercloud, which is a UK company that provides IFAs with Client Relationship Management software. Their data is stored on servers in the UK.
- Our e-mail system: we currently employ Rackspace, a leading e-mail provider, but will shortly be migrating our e-mails to Microsoft 365 for our e-mail exchange. Rackspace states that provided certain legal mechanisms are in place, EU customers can host personal data outside of the EU. Personal data may be transferred outside of the EU and the EEA when an adequate level of protection for that data is guaranteed.
To help achieve this level of protection, Rackspace state that they are Privacy Shield certified.
- to other financial institutions or regulatory bodies with whom information is shared for money laundering checks, credit risk reduction and other fraud and crime prevention purposes;
- to a prospective buyer (and its agents and advisers) in the event we intend to sell any part of our business or its assets or if substantially all of our assets are acquired by a third party, in which case your personal information could form part of one of the assets we sell, provided that we inform the buyer it must use your personal information only for the purposes described in this Notice. We will never rent or sell your personal information other than as part of a sale of our business;
- to any national and/or international regulatory, enforcement body, government agency or court where we believe disclosure is necessary (i) as a matter of applicable law or regulation (including where we are required by law to provide information to organisations such as HMRC), (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests of those of any other person; and
- to any other person with your consent to the disclosure or where we are permitted to do so by law.
Our legal basis for processing personal information
Our legal basis for collecting and using your personal information will depend on the personal information concerned and the specific context in which we collect it. In respect of the personal information and the purposes for which we may process your personal information which are set out in this Notice, we have confirmed the legal basis upon which we collect and process your personal information in the 'What type of personal information will be processed and why?' section above.
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you or with your explicit consent, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below/
International data transfers
To the best of our knowledge data that we hold on our clients is not stored outside of the UK. We do not transfer data to outside of the European Economic Area unless our client is abroad and specifically asks us so to do.
Your data protection rights
You have the following data protection rights:
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading below;
- In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “optout” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided under the “How to contact us” heading below.
- Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. For specific information about our processing of your sensitive category personal data with your consent, please see the "Your consent to us processing your special category personal data" heading below.
- You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain nonEuropean countries (including the US and Canada) are available at http://ec.europa.eu/justice/data-protection/article-29/structure/dataprotection-authorities/index_en.htm.
We respond to all requests we receive from individuals wishing to exercise their data
protection rights in accordance with applicable data protection laws
We retain personal information we collect from you where we have an ongoing legitimate need to do so, for example:
- to provide you with a product or service you have requested us to provide,
- to perform our contractual obligations to you;
- to comply with applicable legal, tax or accounting requirements;
- to defend or manage any claims or complaints between us, you and any relevant third party including taking legal advice in respect of such claims in order to establish, exercise or defend our legal rights or such claims. This would include complaints and claims which you may bring against us or which are submitted to a court, regulatory authority or ombudsman.
When we have no ongoing legitimate need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Our website gives you the opportunity to send us an e-mail by clicking on the email@example.com link.
The home page also allows you to insert your name, your telephone number and your e-mail address.
We use this information to contact you back in order to provide you with information on our products and
We do not pass this information on to any other third party and use it exclusively to contact you further to your web-based enquiry.
Please be aware that data transfer via the internet (e.g. when communicating via email) is subject to security risks. Therefore, complete protection against third-party access to transferred data cannot be ensured.
Cookies and Tracking Software
Updates to this Notice
This policy is not contractual and we may change or update this Notice in order to maintain our compliance with applicable law and regulation or following an update to our internal practices. When we update our Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
How to contact us
If you would like to contact us in relation to this Notice or if you have any other questions in respect of our processing of your personal information, please contact Mike Shepherd, our Data Control Lead on 01491 412513, or by e-mail to firstname.lastname@example.org.