Griffins respects your right to privacy. We put in place security measures for your personal data and manage your personal data in accordance with applicable data privacy regulations.
The principles set out in this Data Privacy Notice apply to all instances in which Griffins receives your personal data as a Data Controller for the purposes described in this notice.
General Data Protection Regulation (GDPR)
The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018.
The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA.
The legislation aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It focus on the protection, collection and management of personal data, and it applies to all businesses who hold or otherwise process personal data of people in EU Member States.
Personal data relates to a living individual (data subject) who can be identified from the data or from data and any other information which is in, or likely to come into, the possession of the data controller.
Sensitive Personal Data
GDPR provides a separate definition for “sensitive personal data”. This relates to information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for ID purposes), physical or mental health, sex life, or sexual orientation.
The GDPR rules for sensitive (special category) data do not apply to information about criminal allegations, proceedings or convictions.
A “data controller” is an organisation or a person who (either alone or jointly or in common with other persons) decides the purpose for which any personal data is to be processed and the way in which it is to be processed. For the purposes of the DPA and the GDPR the data controller is Griffins, Tavistock House South, Tavistock Square, London WC1H 9LG.
A “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Use, legal basis, retention periods and sharing of personal data
We automatically collect data about visitors to our website (for example on browsing patterns) by using cookies (please also see our website cookies policy). This data is used only in an anonymous form to create a statistical report on website activity; no individual is identified.
We log your Internet Protocol (IP) address in order to receive and send information from and to you over the internet.
When you register with us, visit our website, use our services or make an enquiry, you may be asked to provide some personal data such as your name, address, telephone number and e-mail address.This personal data may be transferred to the Partnership’s Client Relationship Management (“CRM”) database (see below).
We only collect such personal data as is provided voluntarily by visitors to our website and is necessary in the circumstances. We will use your personal data only for the purpose for which it was collected and will retain the data only for the period required to deal with your request.
We will not share your data with third parties outside of the Griffins without your prior consent.
The website contains third party links to other websites over which Griffins have no control. Griffins does not accept responsibility or liability for the operation or content of such websites.
We have a telephone system that is capable of recording conversations. Like many other organisations, this is a standard practice that allows the recording of telephone calls for quality monitoring, training, compliance and security purposes.
Both incoming and outgoing calls may be recorded by Griffins Staff. Call recording facilities will only be used in the following circumstances
We do not record telephone calls routinely or without necessity. Notice that a call is being recorded may not be given if, in the opinion of the staff member recording the call, this has the potential to prejudice the reason why the recording is being made.
Personal data collected in the course of recording activities will be:
We shall ensure that the use of these recordings is fair and that we comply with the requirements of the relevant legislation. This includes:
Contact Relationship Management (CRM)
We use a CRM database to store personal data for the purposes of developing relationships with current and prospective clients. Where permitted in our legitimate interest or with your prior consent (where required by law), we use your personal data to provide you with information about events and our services by email, letter, telephone, or using our website.
If we send you any marketing emails, we will always provide an unsubscribe option to allow you to opt out of any further marketing emails. If you “opt-out” you will be added to our suppression list to ensure we do not accidentally send you further marketing information. You can exercise the right at any time to “opt out” of receiving marketing information from us by contacting us at firstname.lastname@example.org. We may still need to contact you for administrative or operational purposes, but we will make sure that those communications don’t include direct marketing.
We never share your name or contact details with third parties for marketing purposes.
Contract Information and Other Information
We use personal data received in the course of providing professional services in order to perform duties under a contract with you or to take steps to enter into a contract with you, or for the purposes of the legitimate interests pursued by us as a data controller.
When you enter into a contract with us (or someone does so on your behalf) there will be correspondence with us about the contract and personal data about you relating to that contract such as:
You must provide this in order to enter into a contract with us (or as required under that contract), if you do not, we may not be able to carry out our contract with you.
Other correspondence or interaction (for example by email, telephone, post or via our website) between you and us, may include personal data, such as enquiries, reviews, follow-up comments or complaints lodged by or against you and disputes with you or your organisation.
We may also collect details of phone numbers used to call us and the date, time and duration of any calls. Please note that we may record calls to or from in line with the section on Telephone Recording.
Where your information relates to a contract, it is kept for a period of up to 7 years after your account is closed to enable us to deal with any enquiries or claims and as required for tax purposes. Any contract information is kept for reference purposes in our archive for as long as our business purpose requires.
If we have a business relationship with you or your organisation, we may receive personal data about you from your organisation.
The personal data we collect about you may include your contact information, details of your employment and our relationship with you. This information may be collected directly from you, or provided by your organisation. Your organisation should have informed you that your information would be provided to us, and directed you to this policy. We use this as necessary for our legitimate interests in managing our relationship with your organisation.
Information Collected At Our Premises
We use personal data as necessary for our legitimate interests in administering your visit, ensuring site security and visitor safety, and administering parking.
We may record information on your visit, including the date and time, who you are visiting, your name, employer, contact details and vehicle registration number. If you have an accident at our premises, this may include an account of your accident. Visitor information is kept for a period of up to 12 months. If you have an accident on our premises, our accident records are retained for a period of up to 3 years.
We operate CCTV at our premises which may record you and your activities. We display notices to make it clear what areas are subject to surveillance. We only release footage following a warrant or formal request from law enforcement agency, or as necessary in relation to disputes. CCTV recordings may be kept for a period of up to 35 days (unless there an incident occurs and it is necessary for us to keep recordings for longer to properly deal with it).
We will collect and hold personal data on job applicants, including information you provide to us in your application, or provided to us by recruitment agencies, as well as personal data from any referees you provide. We use this as necessary to enter into an employment contract with you, and for our legitimate interests in evaluating candidates and recording our recruitment activities, and as necessary to exercise and perform our employment law obligations and rights.
You must provide certain information (such as your name, contact details, professional and educational history) for us to consider your application fully. If you have not provided all of this information, we may contact you to ask for it. If you do not wish to provide this information, we may not be able to properly consider your application.
If you are successful in your application, your information will be used and kept in accordance with our internal employee privacy notice. If you currently work for us, or used to work for us, you can request a copy of this from us. If you are not successful in your application, you information will be held for up to 12 months after the hiring decision.
If you are listed as a referee by an applicant, we will hold your name, contact details, professional information about you (such as your employer and job title) and details of your relationship with the applicant. We will use this information as necessary for our legitimate interests in evaluating candidates and as necessary to exercise and perform our employment law obligations and rights. Your information will be kept alongside the applicant’s information.
If you are listed as an emergency contact by someone who works for us, we will hold your name, contact details and details of your relationship with that worker. We will use this to contact you as necessary to carry out our obligations under employment law, to protect the vital interests of that worker, and for our legitimate interests in administering our relationship with that worker. Your information will be kept until it is updated by that worker, or we no longer need to contact that worker after they have stopped working for us.
Where we consider there to be a risk that we may need to defend or bring legal claims, we may retain your personal data as necessary for our legitimate interests in ensuring that we can properly bring or defend legal claims. We may also need to share this information with our insurers or legal advisers. How long we keep this information for will depend on the nature of the claim and how long we consider there to be a risk that we will need to defend or bring a claim.
In the UK, only a licensed Insolvency Practitioner (IP) can be appointed in relation to formal insolvency procedures for individuals and corporate entities. IP’s are licensed to provide advice on, and undertake appointments in, all formal insolvency procedures.
The functions of an IP are governed by:
In carrying our duties as IP’s we collect and uses personal data in order to:
The personal data we control will include your name, email address, postal address, telephone number, date of birth and financial details. The precise nature of personal data we hold will be dependent upon the unique circumstances of the case, but may include (although not limited to) Griffins acting as the data controller in respect of:
The legal basis on which we process personal data when acting as data controller on insolvency appointments will be dependent upon the unique circumstances of the case, but will include at least one of the following:
We will keep your personal data for no longer than reasonably necessary. However, The Insolvency Practitioners Regulations 2005 (as amended) require us to preserve records until the later of:
This data is retained to show and explain:
We adopt the Insolvency Practitioners Regulations 2005 (as amended) as our policy for the retention of all personal insolvency data retained by an IP in the course of conducting their duties.
Insolvency Books and Records
The IP will seek authorisation from the Official Receiver for permission to destroy all books and records 12 months after the IP’s release from office, subject to there being no historical value, legal requirement or other specific reason to retain a document for a longer period.
An IP acting as a liquidator is not a data controller within the meaning of s 1(1) of the DPA in respect of the data processed by a company prior to its liquidation. All rights relating to the control of data belonging to, or being controlled by a company at the time it entered into liquidation remains vested in the company at and following its liquidation.
The IP will seek permission from the Official Receiver on Compulsory Liquidations to destroy all books and records 12 months after the IP’s release from office, subject to there being no historical value, legal requirement or other specific reason to retain a document for a longer period.
Where an IP is appointed as Liquidator in a Creditor Voluntary Liquidation the IP will destroy all books and records 12 months from the date of dissolution, subject to there being no historical value, legal requirement or other specific reason to retain a document for a longer period.
The powers of an IP acting as an Administrator are set out in Schedule B1 of the Insolvency Act 1986. The administrator of a company may do anything necessary or expedient for the management of the affairs, business and property of the company. Paragraph 69 of Schedule B1 states that in exercising their powers, the administrator is deemed to act as the company’s agent. An Administrator is not therefore a data controller within the meaning of s 1(1) of the DPA, in respect of the data processed by a company prior to their appointment.
Where an IP is the last administrator of a company which has been dissolved the IP will destroy all book and records 12 months from the date of dissolution, subject to there being no historical value, legal requirement or other specific reason to retain a document for a longer period.
Where an IP is appointed as a Receiver they are deemed to act as the company’s agent and are not a data controller within the meaning of s 1(1) of the DPA, in respect of the data processed by a company prior to their appointment.
All books and records will either be returned to the company’s directors or if the company is in liquidation, to its liquidator when the receiver ceases to act.
An IP acting as the supervisor of a voluntary arrangement is charged with supervising the implementation of a proposal for a composition in satisfaction of the company’s / individuals debts or a scheme of arrangement of its affairs. The terms of each particular proposal will determine the extent to which it will impose responsibilities upon them under the DPA.
How Long We Keep Your Information For?
We have set out above indications of how long we generally keep your personal data. In some circumstances, it may be necessary to keep your information for longer than that in order to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Sharing personal data
We will not share your data with third parties outside of Griffins unless we are obliged to do so, by law, or we have an appropriate legitimate interest in doing so, for example where personal data is required by an agent or solicitor who has a case related need to know the information.
All third parties with whom personal data is shared will have agreed to comply with our required data security standards, policies and procedures and put adequate security measures in place. All third party transfers will comply with applicable cross border transfer restrictions.
As well as the measures set out above in relation to sharing of your personal data, we have security measures in place designed to prevent data loss, to preserve data integrity, and to regulate access to personal data.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where necessary.
Where we act as the Data Controller, you have the following rights with respect to your personal data:
Changes to this Data Privacy Notice
We reserve the right to change this Data Privacy Notice at any time without notice to you so please check back regularly to obtain the latest copy of this Privacy notice. We last revised this Data Privacy Notice on 22 November 2019.
This Data Privacy Notice does not override any applicable national data privacy laws and regulations in countries where Griffins operates.
To exercise all relevant rights, queries of complaints or to remove your information from our system, please contact the data privacy team at email@example.com or by telephone 020 7554 9600
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.