Griffins respects your right to privacy. We put in place security measures for your personal data and manage your personal data in accordance with applicable data privacy regulations.
The principles set out in this Data Privacy Notice apply to all instances in which Griffins receives your personal data as a Data Controller for the purposes described in this notice.
General Data Protection Regulation
The Data Protection Act 1998 (“DPA”) defines the ways in which information about living people may be legally used and handled. The main intent of the Act is to protect individuals against misuse or abuse of information about them. The DPA was first composed in 1984 and was updated in 1998. A new Data Protection Bill has been announced which will implement the General Data Protection Regulation 2016 (“GDPR”) which comes into force on 25 May 2018 and will govern the processing of personal data moving forward.
Personal data relates to a living individual (data subject) who can be identified from the data or from data and any other information which is in, or likely to come into, the possession of the data controller.
Sensitive Personal Data
GDPR provides a separate definition for “sensitive personal data”. This relates to information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for ID purposes), physical or mental health, sex life, or sexual orientation.
The GDPR rules for sensitive (special category) data do not apply to information about criminal allegations, proceedings or convictions.
A “data controller” is an organisation or a person who (either alone or jointly or in common with other persons) decides the purpose for which any personal data is to be processed and the way in which it is to be processed. For the purposes of the DPA and the GDPR the data controller is Griffins, Tavistock House South, Tavistock Square, London WC1H 9LG.
A “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Use, legal basis, retention periods and sharing of personal data
We use a CRM database to store personal data for the purposes of developing relationships with current and prospective clients in order to provide information about our products and services which you might be interested in.
We may collect this directly from you, or through a third party. If we send you any marketing emails, we will always provide an unsubscribe option to allow you to opt out of any further marketing emails. If you “opt-out” you will be added to our suppression list to ensure we do not accidentally send you further marketing information. You can exercise the right at any time to “opt out” of receiving marketing information from us by contacting us at firstname.lastname@example.org. We may still need to contact you for administrative or operational purposes, but we will make sure that those communications don’t include direct marketing.
We retain your details on our marketing list until you “opt-out” at which point we add you to our suppression list. We keep that suppression list indefinitely to comply with our legal obligations to ensure we don’t accidentally send you any more marketing.
We never share your name or contact details with third parties for marketing purposes.
Contact Relationship Management (CRM) Information
We use a CRM database to store personal data for the purposes of developing relationships with current and prospective clients in order to provide industry updates and event information.
We will obtain your explicit consent to collect and retain your personal data. It will be held for up to a period of 18 months from the last date of consent. We will not share your data with third parties outside of Griffins without your prior consent.
Contract Information and Other Information
We use personal data received in the course of providing professional services in order to perform duties under a contract with you or to take steps to enter into a contract with you, or for the purposes of the legitimate interests pursued by us as a data controller.
When you enter into a contract with us (or someone does so on your behalf) there will be correspondence with us about the contract and personal data about you relating to that contract such as:
- Your name and contact details
- Your delivery address
- Your payment details
- Information to verify your identity and other information for us to carry out anti money laundering checks
You must provide this in order to enter into a contract with us (or as required under that contract). If you do not, we may not be able to carry out our contract with you.
Other correspondence or interaction (for example by email, telephone, post or via our website) between you and us, may include personal data, such as enquiries, reviews, follow-up comments or complaints lodged by or against you and disputes with you or your organisation.
We may also collect details of phone numbers used to call us and the date, time and duration of any calls. Please note that we may record calls to or from us for quality and training purposes.
Where your information relates to a contract, it is kept for a period of up to 7 years after your account is closed to enable us to deal with any enquiries or claims and as required for tax purposes. Any contract information is kept for reference purposes in our archive for as long as our business purpose requires.
If we have a business relationship with you or your organisation, we may receive personal data about you from your organisation.
The personal data we collect about you may include your contact information, details of your employment and our relationship with you. This information may be collected directly from you, or provided by your organisation. Your organisation should have informed you that your information would be provided to us, and directed you to this policy. We use this as necessary for our legitimate interests in managing our relationship with your organisation.
Information Collected At Our Premises
We use personal data as necessary for our legitimate interests in administering your visit, ensuring site security and visitor safety, and administering parking.
We may record information on your visit, including the date and time, who you are visiting, your name, employer, contact details and vehicle registration number. If you have an accident at our premises, this may include an account of your accident. Visitor information is kept for a period of up to 12 months. If you have an accident on our premises, our accident records are retained for a period of up to 3 years.
We operate CCTV at our premises which may record you and your activities. We display notices to make it clear what areas are subject to surveillance. We only release footage following a warrant or formal request from a law enforcement agency, or as necessary in relation to disputes. CCTV recordings may be kept for a period of up to 35 days (unless an incident occurs and it is necessary for us to keep recordings for longer to properly deal with it).
We will collect and hold personal data on job applicants, including information you provide to us in your application, or provided to us by recruitment agencies, as well as personal data from any referees you provide. We use this as necessary to enter into an employment contract with you, and for our legitimate interests in evaluating candidates and recording our recruitment activities, and as necessary to exercise and perform our employment law obligations and rights.
You must provide certain information (such as your name, contact details, professional and educational history) for us to consider your application fully. If you have not provided all of this information, we may contact you to ask for it. If you do not wish to provide this information, we may not be able to properly consider your application.
If you are successful in your application, your information will be used and kept in accordance with our internal employee privacy notice. If you currently work for us, or used to work for us, you can request a copy of this from us. If you are not successful in your application, your information will be held for up to 12 months after the hiring decision.
If you are listed as a referee by an applicant, we will hold your name, contact details, professional information about you (such as your employer and job title) and details of your relationship with the applicant. We will use this information as necessary for our legitimate interests in evaluating candidates and as necessary to exercise and perform our employment law obligations and rights. Your information will be kept alongside the applicant’s information.
If you are listed as an emergency contact by someone who works for us, we will hold your name, contact details and details of your relationship with that worker. We will use this to contact you as necessary to carry out our obligations under employment law, to protect the vital interests of that worker, and for our legitimate interests in administering our relationship with that worker. Your information will be kept until it is updated by that worker, or we no longer need to contact that worker after they have stopped working for us.
Where we consider there to be a risk that we may need to defend or bring legal claims, we may retain your personal data as necessary for our legitimate interests in ensuring that we can properly bring or defend legal claims. We may also need to share this information with our insurers or legal advisers. How long we keep this information for will depend on the nature of the claim and how long we consider there to be a risk that we will need to defend or bring a claim.
In the UK, only a licensed Insolvency Practitioner (IP) can be appointed in relation to formal insolvency procedures for individuals and corporate entities. IPs are licensed to provide advice on, and undertake appointments in, all formal insolvency procedures.
The functions of an IP are governed by:
- The Insolvency Act 1986 (as amended)
- The Insolvency Rules 2016 (as amended)
- The Insolvency Practitioners Regulations 1990
- The Insolvency Practitioners Regulations 2005
- The Insolvency Practitioners (Amendment Regulations) 2015
- The Insolvent Companies (Report on Conduct of Directors) (England and Wales) Rules 2016
- The Insolvent Companies (Report on Conduct of Directors) (Scotland) Rules 2016
- The Small Business, Enterprise and Employment Act 2015 (as amended)
- The Deregulation Act 2015
- The Provisions of Services (Insolvency Practitioners) Regulations 2009
- The Insolvent Partnership Order 1994
- The Insolvency Amendment (EU 2015/848) Regulations 2017
- The Insolvency (Regulations (EU) 2015/848) (Miscellaneous Amendments) (Scotland) Regulations 2017
- Statements of Insolvency Practice
In carrying out our duties as IPs, we collect and use personal data in order to:
- Provide professional advice to try to prevent insolvency
- Negotiate with the creditors, and other parties, of a company or individual
- Realise the assets of an individual or company for the best possible return to creditors after marketing to a wide range of potential buyers
- Carry out all statutory duties as required by law
- Provide regular reports to creditors on the progress of insolvency procedures
- Investigate company affairs and director conduct, where necessary, and file a report to the Insolvency Service.
The personal data we control will include your name, email address, postal address, telephone number, date of birth and financial details. The precise nature of personal data we hold will be dependent upon the unique circumstances of the case, but may include (although not limited to) Griffins acting as the data controller in respect of:
- Investigations undertaken as a consequence of:
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017)
- The Bribery Act 2010
- Proceeds of Crime Act 2002
- The Terrorism Act 2000, and related anti-terrorism legislation
- The Criminal Finance Act 2017
- Company Directors Disqualification Act 1986
- Conflict and Ethical checks
- Case file notes
- Internal meeting notes
- Diary entries
- Bank and Credit / Debit card records
- Case management reviews
- Correspondence with third parties
- Correspondence with employees
- Correspondence with shareholders
- Correspondence with former office holders (IPs)
- Correspondence with clients / debtors / directors and other individuals
- Personal asset searches
- Land Registry searches
- Books and Records (Including Tax and VAT records)
- Debtor / Director Questionnaire
- Income Payment Agreements / Income Payment Orders
- Bankruptcy Restriction Orders
- Asset searches
- Agent Reports and Valuations
- Legal documents
- Dividend Notices
- Pension Notices
- PPI documentation
- Creditor Proxies
- Reports to creditors and members
- Meeting attendance registers
- Creditor claims and proofs of debt
- Creditor committees
- Creditor correspondence
- DVLA searches
- Mortgage records
- Insurance policies
- Medical records
- Family records
- Employment records
- Case time recording
The legal basis on which we process personal data when acting as data controller on insolvency appointments will be dependent upon the unique circumstances of the case, but will include at least one of the following:
- A legal obligation to which the Data Controller is subject;
- The performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
- For the purposes of the legitimate interests pursued by a Data Controller;
- The establishment, exercise or defence of legal claims.
- Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- Processing relates to personal data which are manifestly made public by the data subject;
- Processing is necessary for reasons of substantial public interest.
We will keep your personal data for no longer than reasonably necessary. However, The Insolvency Practitioners Regulations 2005 (as amended) require us to preserve records until the later of:
- The sixth anniversary of the date of the grant to the insolvency practitioner of his release or discharge in that case; or
- The sixth anniversary of the date on which any security or caution maintained in that case expires or otherwise ceases to have effect.
This data is retained to show and explain:
- The work the insolvency practitioner and their staff undertake in the course of the ‘administration’ of an insolvency appointment; and
- The decisions that may ‘materially affect’ the appointment.
We adopt the Insolvency Practitioners Regulations 2005 (as amended) as our policy for the retention of all personal insolvency data retained by an IP in the course of conducting their duties.
Insolvency Books and Records
- Trustee in Bankruptcy
The IP will seek authorisation from the Official Receiver for permission to destroy all books and records 12 months after the IP’s release from office, subject to there being no historical value, legal requirement or other specific reason to retain a document for a longer period.
An IP acting as a liquidator is not a data controller within the meaning of s 1(1) of the DPA in respect of the data processed by a company prior to its liquidation. All rights relating to the control of data belonging to, or being controlled by a company at the time it entered into liquidation remains vested in the company at and following its liquidation.
The IP will seek permission from the Official Receiver on Compulsory Liquidations to destroy all books and records 12 months after the IP’s release from office, subject to there being no historical value, legal requirement or other specific reason to retain a document for a longer period.
Where an IP is appointed as Liquidator in a Creditor Voluntary Liquidation the IP will destroy all books and records 12 months from the date of dissolution, subject to there being no historical value, legal requirement or other specific reason to retain a document for a longer period.
The powers of an IP acting as an Administrator are set out in Schedule B1 of the Insolvency Act 1986. The administrator of a company may do anything necessary or expedient for the management of the affairs, business and property of the company. Paragraph 69 of Schedule B1 states that in exercising their powers, the administrator is deemed to act as the company’s agent. An Administrator is not therefore a data controller within the meaning of s 1(1) of the DPA, in respect of the data processed by a company prior to their appointment.
Where an IP is the last administrator of a company which has been dissolved the IP will destroy all books and records 12 months from the date of dissolution, subject to there being no historical value, legal requirement or other specific reason to retain a document for a longer period.
- Administrative Receiver (“Receiver”)
Where an IP is appointed as a Receiver they are deemed to act as the company’s agent and are not a data controller within the meaning of s 1(1) of the DPA, in respect of the data processed by a company prior to their appointment.
All books and records will either be returned to the company’s directors or if the company is in liquidation, to its liquidator when the receiver ceases to act.
- Supervisor of voluntary arrangement
An IP acting as the supervisor of a voluntary arrangement is charged with supervising the implementation of a proposal for a composition in satisfaction of the company’s / individual’s debts or a scheme of arrangement of its affairs. The terms of each particular proposal will determine the extent to which it will impose responsibilities upon them under the DPA.
How Long We Keep Your Information For?
We have set out above indications of how long we generally keep your personal data. In some circumstances, it may be necessary to keep your information for longer than that in order to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Sharing personal data
We will not share your data with third parties outside of Griffins unless we are obliged to do so, by law, or we have an appropriate legitimate interest in doing so, for example where personal data is required by an agent or solicitor who has a case related need to know the information.
All third parties with whom personal data is shared will have agreed to comply with our required data security standards, policies and procedures and put adequate security measures in place. All third party transfers will comply with applicable cross border transfer restrictions.
As well as the measures set out above in relation to sharing of your personal data, we have put in place appropriate internal security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where necessary.
Where we act as the Data Controller, you have the following rights with respect to your personal data:
- The right to be informed about the collection and use of your personal data;
- The right to access your personal data and supplementary information;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for us to retain such data;
- The right to withdraw your consent (where consent has been obtained) to the processing at any time;
- The right to data portability, allowing you to obtain and reuse your personal data for your own purposes across different services. The right of data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable);
- The right to lodge a complaint with the Information Commissioner’s Office.
Changes to this Data Privacy Notice
We reserve the right to change this Data Privacy Notice at any time without notice to you so please check back regularly to obtain the latest copy of this Privacy notice. We last revised this Data Privacy Notice on 17 May 2018.
This Data Privacy Notice does not override any applicable national data privacy laws and regulations in countries where Griffins operates.
To exercise all relevant rights, queries or complaints or to remove your information from our system, please contact the data privacy team at email@example.com or by telephone 020 7554 9600.
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.