PRIVACY & DATA POLICY
This Site requests and collects certain personally identifiable information such as name, address, phone number and e-mail address through various means, including Site registration, surveys, games, questions, comments and communications to the Site, and postings to chat and bulletin areas, if any.
We may collect your IP (Internet Protocol) address to help diagnose problems with our server, and to administer our Site. An IP address is a number that is assigned to your computer when you use the Internet. This information does not contain any personally identifiable information about you. Your IP address is also used to help identify you during a particular session and to gather broad demographic data.
GENERAL DATA PROTECTION REGULATION (GDPR)
The Board of Cherry Godfrey has considered and adopted the following procedure across the Group’s Companies. The responsibility of updating the Board on developments within GDPR rests with the Risk Committee /Data Protection Officer.
Note, this procedure replaces any previous versions.
Cherry Godfrey officers and staff will treat all information received from clients and third parties in accordance with The GDPR Regulations.
DATA PROCESSING DEFINITION
Processing means ‘any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.’ In other words, anything we do in relation to holding or using customer information.
DATA CONTROLLER is the trading company for which the data is being collected, ie all Cherry Godfrey Group Companies.
DATA PROTECTION OFFICER is Lisa Le Page
THE PURPOSE FOR COLLECTING DATA
The prime purpose of Data collected by Cherry Godfrey is it’s use in the application, provision and management of financial product lines. The company consider that the Processing is necessary for the performance of a contract with you the “data subject” or to take steps to enter into a contract with you. Data is collected to ensure that we understand your needs and to enable us to provide you with a quality service, and in particular for the following reasons:
To establish Internal records, for the provision of our business operations and services.
To maintain records in order that both Regulatory and Legal responsibilities can be met without undue delay.
To safeguard the rights of individuals with regard to personal information which may be held, stored or processed about them.
To ensure that appropriate information is processed and retained in accordance with practices defined by the Information Commissioner.
To ensure that data will only be disclosed to appropriate parties.
We may send promotional emails about new services, special offers or other information which we think you may find relevant using the email address which you have provided.
CONSENT TO HOLD DATA
Consent must be freely given, specific, informed, unambiguous and must be verifiable.
This means that some form of record must be kept of how and when consent was given.
Individuals have a right to withdraw consent at any time.
Cherry Godfrey will ensure consent is provided by the following means:
Online Applications – the applicant will be directed to our “Terms and Conditions” information which includes a copy of the company GDPR procedure. You will then be asked to confirm your permission to continue based upon the conditions set out in the document by your completion of tick box.
On acceptance of the conditions, the data will be forwarded from your browser and processed in accordance with the type of application in question. Should you be unwilling to share the data at this point, the application will not be forwarded from your browser and you are free to discard without further interaction with Cherry Godfrey.
Clients can provide consent by one or more of the following actions:
- The completion of the acceptance section within a web form
- the completion of the acceptance section of a printed policy statement
- the provision of verbal agreement which will be documented in the relevant database
- the completion of the related transaction by payment of the premium or instalment.
YOUR RIGHTS UNDER THE LAW
THE RIGHT OF ACCESS
Individuals have the right to access all the personal data stored on them.
There will be no fee for the first copy of information. A fee may be charged if the individual asks for a copy to be sent to another interested party.
A request for personal data must be responded to within one month.
THE RIGHT TO RECTIFICATION
If individuals finds inaccuracies in their personal data they can ask to rectify it.
THE RIGHT TO ERASURE
Individuals have the right to request their personal data to be erased without undue delay.
Instance where erasure of data would be appropriate:
- If the personal data is no longer necessary in relation to the purposes for which they were collected.
Instance where erasure of data would not be appropriate:
- where the erasure of the data may be in breach of regulatory or legal obligations of the controller.
THE RIGHT TO PREVENT DIRECT MARKETING
Individuals have the right to be excluded from any direct marketing.
THE RIGHT TO DATA PORTABILITY
Individuals have the right to personal data concerning him or her which he or she has provided to a controller and transmitted to another controller. ie. To another financial services provider
CONTROLLING YOUR PERSONAL INFORMATION
You may choose to restrict the collection or use of your personal information in the following ways:
- We will only collect your data on our website contact form where you specifically agree to our terms of business.
- Cherry Godfrey utilise email and SMS marketing and credit control tools for the purposes of client communications, and where used, we always include an ability to unsubscribe your email address from any ongoing marketing communications.
- If you believe Cherry Godfrey hold any personal data about you, you are welcome to send us a written "Subject Access Request" to request details of this data. We will require you provide comprehensive proof of your identity before releasing any information.
- If you require this personal data to be Deleted / Anonymised / Archived / Updated or Altered in any other way, you should include this in your written request. Cherry Godfrey will be happy to comply where our regulatory, statutory and commercial rights and responsibilities will not be compromised.
- We are only able to respond to "Subject Access Requests" where these are received in writing and sent to our postal contact address on our Contact Page.
We will not distribute personal information to third parties unless we are explicitly required to do so to fulfill a commercial request, under IT Hosting arrangements, by law, or for accounting or regulatory purposes.
DATA TYPES HELD
Data collected and retained comes under the following categories:
Insurable risk data
Insurance claims history
Credit control notes
Conversations between clients and personnel
It is considered that each of these data categories are required to fulfil the contractual obligations of both the client and the company.
IT Hosting Platforms
Credit Reference Agencies
Payment Gateway Providers
Regulatory Authorities (including Police, Customs, FIS)
Suppliers of services
Debt Collecting, Tracing and Private Investigators
An organisation processing data on behalf of the company
CREDIT REFERENCE AGENCIES (CRA’s)
In order to process your application we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.
We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates.
The identities of the CRAs we share data with and the ways in which they use and share personal information, are explained in more detail at:
Call Credit: www.callcredit.co.uk/crain
Channel Island Data Services: www.cidsltd.com
DATA RETENTION PERIODS
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
It should be noted that records linked to financial transaction are subject to retention rules published from time to time by regulatory authorities and under accounting standards rules. Currently the minimum retention period under these requirements is six years.
In addition, application records are required to be retained in order to ensure Anti Money Laundering / Combatting the Funding of Terrorism (AML/CFT) reporting can be maintained.
The retention period should be measured from the date of application where there is no corresponding business written or where business is written, from the date of the completion of the product.
Customer Information - 6 years after the completion of the last product provided.
Loan Application Data - 6 years after the completion of the agreement.
Insurance Application Data - 6 years after the completion of the policy.
Life/Mortgage Application Data - 6 years after the completion of the related mortgage.
Investment Business data - 10 years after the completion of the product (Jersey rule)
Application not leading to the sale of a product – 6 years.
HR Data – 6 years after the leave date of the employee.
Payroll Data – 6 years after the leave date of the employee.
Job application Data (unsuccessful candidate) – 3 months following the fulfilment of the position.
Employers Liability Insurance policy data must be retained for a minimum period of 10 years, consequently for these policy types, all data will be retained accordingly.
At the completion of the retention period, all data will be purged.
SENSITIVE PERSONAL DATA
Personal data consisting of the following information is deemed to be of a sensitive nature and Cherry Godfrey will not enquire or retain information relating to these:
(a) the racial or ethnic origin of the data subject;
(b) his/her political opinions;
(c) his/her religious beliefs or other beliefs of a similar nature;
(d) whether he/she is a member of a trade union;
(e) his/her sexual life;
Note, it is necessary in some cases to record medical history in relation to travel and medical insurance plans. Where this is the case, records will be retained in accordance with the above retention policies.
DATA RELATING TO CHILDREN
Whilst it may be necessary to collect data relating to children, ie in the case of a family travel insurance policy, information must be provided by the parent or guardian. Under no circumstance may a member of staff enter into direct dialogue with a child or minor.
For the avoidance of any doubt, in this context we treat any persons under the age of 16 years as a child.
We are committed to using our best endeavours to ensure that your information is secure. All information transferred between your browser and our website or third party applications are encrypted using HTTPS protocol, using Digital Certificates with secure TLS Cyphers. This can be verified by looking for the secure padlock symbol in the browser address bar.
In order to prevent un-authorised access or disclosure, we have put in place further physical, electronic and managerial procedures to safeguard and secure the information we collect. These policies and procedures are company confidential, to avoid exposure of this data security, so can only be made available to relevant parties legally bound by a non-disclosure agreement.
It is the responsibility of the Board of Directors of the Company to ensure that registration is maintained with the Data Protection/Information Commissioner, declaring the purposes for which the information is being held or processed, to whom it will be disclosed and the security to be applied.
It is the responsibility of all staff members to ensure that any use of personal data in the course of their work is treated in accordance with the Data Protection Principles.
CONSENT TO PROCESSING
By providing any personal information to this Site, you confirm that you fully understand and unambiguously consent to the transfer of such personal information to, and the collection and processing of such personal information in, the United Kingdom other countries or territories.
If you would like to review and/or update the information that you have provided to the Site, please send an e-mail to firstname.lastname@example.org requesting such access or change.
You may choose to have your name taken off Cherry Godfrey's e-mail marketing list by sending an e-mail to email@example.com with the subject line "Unsubscribe" or by following instructions provided in any e-mail message from Cherry Godfrey.
YOUR ACCEPTANCE OF THIS POLICY
By using this Site, you signify your acceptance of our Privacy and Data Policy. If you do not agree to this policy, please do not use our Site. We reserve the right, at our discretion, to change, modify, add, or remove portions from this policy at any time so visitors are encouraged to review this policy from time to time. Your continued use of our Site following the posting of changes to these terms means you accept these changes.