The MGroup Partnership – Privacy Notice
This Notice set outs the basis on which any personal data provided to us by you, or received by us from third parties, will be used by us. This includes personal data which you provide to us in the course of instructing us or otherwise doing business with us, in enquiries you submit to us, or which you provide when visiting our website at www.themgroup.co.uk (the Site).
Please read this Notice carefully and ensure that you understand our rights and responsibilities under it.
We are the data controller of personal data provided to us. We have appointed an initial point of contact for data security related issues, including any questions you may have in relation to this Notice, whom you can contact at email@example.com. In this Notice, we or us usually refers to The MGroup Partnership, registered as a data controller with the ICO under registration number Z6617957.
However, if you are dealing with The MGroup Financial Services Ltd (ICO registration number Z1908332), The MGroup Corporate Finance LLP (ICO registration number Z2871573) The MGroup Computer Solutions LLP (ICO registration number Z2253931) or The MGroup Secretarial Services Limited (ICO registration number ZA440334) then where applicable to your dealings with any of those entities we or us refers to it. All the MGroup entities have their main offices at Cranbrook House, 287-291 Banbury Road, Oxford OX2 7JQ.
Full details are set out in the relevant sections of this Notice below, but in summary:
- we generally receive personal data relating to you directly from you. For example, we will receive those data if you are a client of ours or correspond with us in relation to a matter on which we are advising, if we do business with you, or if you contact us through the Site;
- personal data may occasionally be provided to us by third parties with whom each of you and us have a relationship;
- we use your data to conduct our business, keep appropriate records and meet our legal obligations;
- we only provide your personal data to third parties for our limited business purposes or as permitted by law. We don’t share your data with third party advertisers;
- we store data for specified periods for our limited business purposes;
- you have certain rights, prescribed by law, in relation to the processing of your data, such as rights to request access, rectification or deletion of your personal data;
- Cookies are used by our website as well as Google Analytics; and
- you can contact us to enquire about any of the contents of this Notice.
This Notice provides information only in relation to personal data which we process for our own purposes as data controller. In providing some services to our clients (such as payroll services) we may process data on those clients’ behalf as their data processor.
1. Our use of personal data
In this section we have set out:
(a) the general categories of personal data that we may process;
(b) in the case of personal data that we did not obtain directly from you, the source and specific categories of those
(c) the purposes for which we may process personal data; and
(d) the legal bases of the processing. When we refer to a “legal basis”, we mean a lawful basis set out in Article 6 of the General Data Protection Regulation (GDPR) under which we conduct the relevant processing.
Personal data we obtain from you
1.2 Matter data
Where we are instructed in relation to any particular matter, we may process your personal data for the purposes of setting up that matter in our systems and performing that instruction. For example, we may process your name, contact details, date of birth and National Insurance and Unique Taxpayer Reference numbers. We may process financial information such as salary, benefits, entitlements, tax details and bank account details. We may also process personal data contained within matter-related correspondence and documents, including financial information, whether created by us or provided to us. Finally, if you are the next of kin or nominated beneficiary of one of our clients or one of our client’s employees then we may process your name and contact details where relevant to any services we provide to them (such as the administration of benefits). We call all of this matter data, and we process it for the purposes of providing our professional services and for record-keeping purposes.
1.3 Correspondence data
We may process personal data contained in or relating to any communication that you send to us, whether by letter, email, through the Site, through social media, or otherwise. All of this together is correspondence data. This may include the communication content and metadata associated with the communication, as well as any contact details you provide to us such as your name, email address, phone number, job title, address or social media username. We process correspondence data for the purposes of communicating with you and record-keeping. If you are a client of ours, or have indicated your interest in our products, services or business, then we may also process correspondence data for the purposes of addressing your enquiry and providing you with occasional news about our products and services.
1.4 Transaction data
We may process information relating to transactions, such as bank account details, contact details or transaction data in relation to payments made by us to you or by you to us (transaction data). This may include your contact details, any bank account or sort code information provided for the purposes of making payment, and the transaction details (such as POs, bills or invoices). The transaction data may be processed for the purpose of supplying or receiving and administering the relevant services and keeping proper records of those transactions, and for making and receiving payments.
1.5 Supplier data
If you are or work for a supplier to us, or if we have some other commercial relationship with you (for example, a sponsorship or referral relationship) then we may process your personal data, such as your contact details, and any personal data contained within related documents, such as your proposals or our contract with you, in each case in connection with our commercial relationship with you. We call all of this supplier data, and we process it for the purposes of administering and receiving the products and services you supply to us, or to administer our commercial relationship with you.
1.6 . Site usage data
We may process data about your use of the Site (Site usage data). This may include your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data is obtained through Google Analytics and will be aggregated and anonymised in such a way that it contains no information pertaining to any identifiable individual at all – as such it is not actually personal data but we address it in this Notice for completeness’s sake. We process Site usage data for the purpose of improving our Site.
We do not collect any personal information about Site users other than information provided by Users when completing forms on the website including but not limited to the contact and website registration form. If you register as a user of the Site you will be asked for some basic information. Please note that registration is not required for all areas of the Site, however we do encourage you to register in order to gain full access to the Site content/information and online services. There are technological and operational security systems in place that provide protection for personally identifiable information from loss or misuse.
Personal data we obtain from others
Your personal data may be provided to us by someone other than you: for example, we might be introduced to you in correspondence if you and we are both advising the same client, or if we advise your employer then they might put us in touch with you in connection with those services. Normally this data will be correspondence data, matter data or supplier data as described above and will be processed by us for the purposes described above.
Our legal basis of processing
We will process personal data only on lawful bases. In particular, we will process personal data on the following lawful bases identified in Article 6 GDPR:
(a) for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR). This may be our basis for processing correspondence data, matter data, supplier data and transaction data;
(b) for our legitimate interests (Article 6(1)(f) GDPR). This may be our basis for processing:
i) correspondence, supplier and matter data (as we have an interest in properly administering our business and communications and in developing our business with interested parties);
ii) transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);
iii) any personal data identified in this Notice where necessary in connection with legal claims (as we have an interest in the protection and assertion of our and your legal rights and the legal rights of others); and
iv) any personal data identified in this Notice in connection with backups of any element of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data).
We may also process your personal data set out above where necessary for compliance with a legal obligation to which we are subject (Article 6(c) GDPR), or in order to protect your or another individual’s vital interests (Article 6(d) GDPR).
2. Providing your personal data to others
We may disclose your personal data to our insurers and/or professional advisers as necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
We may disclose personal data to our suppliers or subcontractors in connection with the uses described above. For example, we may disclose:
(a) any personal data in our possession to suppliers which host the servers on which our data is stored. In our case, our main supplier is Microsoft Ireland Operations Ltd (who provide Microsoft 365, and who host all our emails, and contact information); and
(b) any personal data in our possession within our group (The MGroup Partnership, The MGroup Financial Services Ltd, The MGroup Corporate Finance LLP, The MGroup Computer Solutions LLP and The MGroup Secretarial Services Limited);
(c) transaction data and other relevant personal data to third parties for the purposes of fraud protection, credit risk reduction and debt recovery.
We do not allow our third-party data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and applicable law.
We may disclose your personal data where necessary to perform our services: for example, we may disclose certain matter data to HMRC when we make filings on your instructions.
We may also disclose your personal data where necessary for compliance with a legal obligation to which we are subject, or in order to protect your or another individual’s vital interests. For example, we have a duty under the Proceeds of Crime Act 2002 to report to the National Crime Agency (NCA) if we know or suspect that money laundering has occurred.
If any part of our business or operations is sold or transferred to, or integrated with, another organisation (or if we enter into negotiations for those purposes), your personal data may be disclosed to that organisation.
3. International transfers of your personal data
In this section, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).
Some of the third parties to whom we may transfer your personal data, discussed above, may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. If so, then we will ensure that transfers made by our appointed data processors will only be made to countries in respect of which the European Commission has made an “adequacy decision”, or otherwise will only be made with appropriate safeguards, such as the use of standard data protection clauses adopted or approved by the European Commission. You may contact us if you would like further information about these safeguards.
As mentioned, Microsoft hosts all our matter data and correspondence data and its servers are within the EEA.
We may also transfer personal data outside the EEA from time to time:
(a) with your consent;
(b) where required by your instructions (for example, if we are supporting you on a contractual negotiation where the counter-party is based outside the EEA); or
(c) if we take our mobile devices with us when travelling overseas to ensure continuity of service.
4. Data security
We have put in place appropriate security measures to prevent your personal data from being lost, used, accessed, altered or disclosed by accident or without authorisation. In addition, we limit access to your personal data to those officers, employees and freelancers who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
5. Retaining and deleting personal data
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
We will retain and delete your personal data as follows:
(a) matter, supplier and transaction data will be retained for seven years after the end of the relevant contractual relationship.
(b) correspondence data will be retained for the period of the enquiry or chain of correspondence and then deleted after seven years;
(c) Site usage data (which is anonymised, and therefore not personal data) may be retained by us indefinitely.
We maintain system backups for disaster recovery purposes and may retain those backups for up to two years. That means that information which is deleted from our live systems may still remain in backup for up to two years.
We may retain your personal data where necessary for compliance with a legal obligation to which we are subject, or in order to protect your or another individual’s vital interests.
We may update this Notice from time to time by publishing a new version on the Site. You should check occasionally to ensure you are happy with any changes to this Notice, although we will notify you of material changes to this Notice using the contact details you have given us.
7. Your rights
We have summarized below the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. You can read guidance from the Information Commissioner’s Office at www.ico.gov.uk for a fuller explanation of your rights.
Your principal rights under data protection law are:
- the right to access: you have the right to confirmation as to whether or not we process your personal data and, where we do, to access to the personal data, together with additional information including details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee;
- the right to rectification: you have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed;
- the right to erasure: in some circumstances you have the right to the erasure of your personal data. These might include if the personal data are no longer needed for the purposes for which they were processed or if the processing is for direct marketing purposes. However, there are some exclusions of the right to erasure, such as where processing is necessary for compliance with a legal obligation or in connection with legal claims;
- the right to restrict processing: in some circumstances you have the right to restrict the processing of your personal data. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except in the case of processing permitted by applicable law (for example, in connection with legal claims or for reasons of public interest);
- the right to object to processing: you have the right to object to our processing of your personal data on the basis of the legitimate interests pursued by us or by a third party. If you make such an objection, we will stop processing the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing is for legal claims. You also have the right to object to our processing of your personal data for direct marketing purposes and if you do so we will stop processing your personal data for that purpose;
- the right to data portability: if the legal basis for our processing of your personal data is consent, or the performance of a contract with you, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others; and
- the right to complain to a supervisory authority: if you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
8. About Cookies
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via the support pages made available by your browser operator.
9. Contact Us
You can contact us:
(a) by post at Cranbrook House, 287-291 Banbury Road, Oxford OX2 7JQ;
(b) using the contact form on the Site;
(c) by telephone at +01865 552 925; or
(d) by email at firstname.lastname@example.org
10. Third Parties and Security
The Site may contain links to third party websites and refer to third party service providers and other entities. If you follow a link to any third party website or deal with any third party entity referred to on the Site, then you should note that these third parties may have their own privacy and cookie policies, and that we are not responsible for their use of any personal data which you may provide to them. You should ensure that you have read and understood any relevant policies.
Although we do our best to ensure the security of personal data provided to us (and to use only reputable service providers), any transmission of data via the Internet is by its nature insecure and we cannot guarantee the security of any personal data you provide to us.
Last updated: 25 May 2018