In order to provide firms with the Turnkey Asset Management Programme, EBI have sight of personal data for the clients that are subscribed members. EBI is committed to protecting and respecting your privacy.
It is believed that the firm is a ‘data controller’. The definition of this is broadly the same as in the Data Protection Act 1998 in that the controller says how and why personal data is processed and the processor acts on the controller’s behalf.
This policy explains when and why EBI collect personal information, how it is used, the condition under which it may be disclosed to others and how it is kept secure.
EBI may amend this policy from time to time without giving any prior notification. You are responsible for regularly reviewing the policy to confirm your continued agreement with its contents. Continued use of our website following any such changes constitutes your acceptance of those amendments and your agreement to be bound by them.
Who in the firm is responsible for ensuring that adequate data protection is in place?
Employees of EBI complete training to ensure adherence to data protection regulations. Guzz Burgess, our Data Protection Officer, takes ultimate responsibility to ensure adequate procedures are in place and regularly reviews policies to ensure adherence.
Any questions regarding this policy and our privacy practices should be sent by email to firstname.lastname@example.org or in writing to Guzz Burgess, EBI Portfolios Ltd, Suite 7, Beecham House, Beecham Business Park, Northgate, Aldridge, West Midlands, WS9 8TZ. Alternatively, you can telephone 01922 472226.
What personal data does EBI hold?
EBI holds personal data of all individuals that have registered an account with us or have expressed an interest in the services we provide. EBI will also hold data relating to third parties that we currently have or previously have had commercial relationships with. This data will include names, addresses, telephone numbers, email address and general correspondence received via electronic and paper form.
Whilst EBI’s client is the financial adviser, EBI may receive data relating to the end investor. This may include names, addresses, telephone numbers, email address and investment details such as portfolio numbers, balances, transaction history, etc.
EBI will also hold data relating to staff members including names, dates-of-birth, addresses, National Insurance Numbers, identification, bank details and general correspondence.
Where has this data come from?
When an adviser registers on EBI’s website, they will be asked to provide personal data relating to themselves and their firm. Data may also be received via email, telephone and post.
EBI may be provided with data by third parties where there is a genuine need for the information.
EBI may collect its own data directly from websites and registers such as the Financial Conduct Authority (FCA) register.
Who is it shared with?
EBI may pass your information to third party service providers, agents and other associated organisations for the purpose of completing tasks and providing services to you on our behalf.
However, when EBI use third party service providers, only the personal information that is necessary to deliver the service is shared. EBI will have a contract in place that requires them to keep your information secure and not use it for their own direct marketing purposes. Please be assured that EBI will not release your information to third parties beyond the firm for them to use for their own direct marketing purposes, unless you have requested EBI to do so, or EBI are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crimes.
EBI will not sell or rent your information to third parties.
EBI will not share your information with third parties for marketing purposes.
What do you do with the data?
The data is used for future communications and to ensure EBI can provide its services to the data subject. The data may be used to recover previous agreements and terms of each individual account holder.
EBI may use client data for Management Information purposes, account management and adherence to the terms specified within EBI agreements.
EBI may use your data to:
- Act as the basis for any service EBI provide.
- Carry out our obligations arising from any contract entered into by you and EBI.
- Provide information to platforms for the purpose of arranging investment solutions.
- Provide ongoing services to you.
- Meet the regulatory obligations of the services EBI provide.
The EBI website may collect and use your personal information in order to operate and improve the services it provides. These uses include making the website or service easier to use by eliminating the need for you to repeatedly enter the same information and performing research and analysis aimed at improving our products, services and technologies.
We may also capture non-personal information, which is defined as data in a form that does not hold a direct association with any specific individual user. We may capture, use, transfer, and disclose non-personal information for any purpose.
We may collect information such as language, unique device identifier, IP address, geo-location, and the time zone where our website is used so that we can better understand usage habits and improve our products, services, and advertising. This information will always be used in an aggregated form and be used to help us provide more useful information to our users and to understand which parts of our website, products, and services are of most interest. Aggregated data is considered non-personal information.
If for any reason we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined and as such be applicable to the terms describing our handling of personal information.
EBI will make appropriate contact with you to provide the agreed services. EBI will not contact you for marketing purposes by post, email, phone or text message unless you have given your prior consent. You can change your marketing preference at any time by contacting email@example.com.
What is the legal basis for holding the data?
Contractual – The client requires use of EBI’s resources and financial planning tools having created their own account via EBI’s website and confirmed agreement to EBI’s terms and conditions. EBI provides a Turnkey Asset Management Program as detailed in the Terms and Conditions.
How is data stored and how is this protected?
EBI does not retain any paper files. All paper records are scanned and stored on EBI’s internal systems. The paper records are then destroyed.
Data is stored on-site on servers we own. Access to these servers is physically restricted by a locked door. Data on these servers is available to workstations in our office, as well as to employees working outside of our office via an encrypted VPN tunnel. This data is only shared to authenticated users of our network domain.
Most data is only passed through a workstation as it is being used and is never directly stored on the machines being used by our staff; however, some work is saved locally for various reasons. Because of this, all workstations (on-site and remote) are protected by domain credentials known only to our employees. All workstations are protected by Microsoft anti-virus software. We also employ a staff policy of locking workstations upon leaving them unattended.
Our on-site servers use backup services provided by Ceejay Software Limited. We also have an additional server for Turnkey App data.
Our email communications are stored by an external service, Rackspace US Inc. A copy of a member of staff’s emails will also be stored on the workstations which they use; these are protected as above.
Our phone communications are provided by an external service Yay.com and the phone calls we make and receive are recorded on their servers. Backups of recorded phone calls are also stored on our servers which are protected as above.
Our web services are provided by cloud VPS providers VPSDime and DigitalOcean. Access to the servers we rent is restricted to IT staff via at least 2048-bit RSA public-private key pairs. These keys are stored via LastPass and accessible only to IT staff. Our cloud servers use backup services provided by Tarsnap Backup Inc. The security of documents stored on their service is examined and the keys required to access the backups are stored via LastPass and accessible only to IT staff.
Who are your strategic partners and do they have policies in place to be GDPR compliant?
Ceejay Software Limited
Rackspace US Inc
Tarsnap Backup Inc
Aegon Cofunds Administration
Novia Financial Plc
Integrated Financial Arrangements Limited
Standard Life Savings Limited
Standard Life Assurance Limited
Embark Investment Services Limited t/a Embark Platform
Seven Investment Management
Aviva Wrap UK Limited
Nucleus Financial Services Limited
Advance by Embark
La Mondiale Europartner S.A.
Pictet & Cie (Europe) S.A.
Samuel Adams (Non-executive director) appointed as part of our Board of Directors.
Do you have a process to follow in the event of receiving a data request?
Yes, EBI has a checklist to follow when receiving such requests. This will involve extracting all data within our internal servers (including our CRM system, files, emails, and email attachments) and offsite (cloud servers) systems.
Do you have a process for data erasure and can you be sure this is permanently deleted?
Yes, EBI has a process in place. All data will be stored by electronic means as we do not keep any paper records. Records will be identified in the services listed in the previous question and purged. Additionally, a log of data erasure will be kept in order to purge previously erased data in the case of a data backup being restored to one of our servers.
Do you have a process to ensure data is proactively deleted when the time limit has expired?
The firm can hold data for as long as is required under law or by regulatory authorities. EBI has a system in place so that it can identify when the relevant regulatory document retention period has lapsed and delete any data which is not relevant i.e. no longer required.
EBI will complete periodic reviews looking at all data held and identify whether a relationship still exists with the data subject. Data which is no longer required will be erased and all other data will be reviewed to ensure it is still within the specified time limits.
How does EBI ensure that data is accurate and up-to-date?
Periodically, EBI members are asked to confirm their details via EBI’s website. Details will be displayed to members who are asked to review and submit their information and confirm no changes are to be made. Firms are also asked to alter their billing page accordingly with details of new staff members and confirm staff that have left the company.
EBI will also complete its own annual audit to ensure each member is registered with the FCA and has up-to-date authorisation.
Your rights in relation to your information
Where we collect your data directly from you, at the time when we collect data from you, we undertake to:
- Make clear to you in writing the name and contact details of the Data Controller for that Data, and of their representative.
- Let you have, where appropriate, contact details for any Data Protection Officer appointed by us.
- Make clear to you the purposes for which the data is to be processed, and the legal basis for processing.
- Inform you if the controller proposes to transfer the data to a country outside those covered by GDPR, details of the safeguards surrounding such transfer and how to obtain a copy of them.
- Inform you of the period for which we propose to hold the data, or, where this is not possible, the criteria which we will apply to data retention.
- Remind you of your rights to request access to data of which you are the data subject.
- Make clear your right to object to processing that is likely to cause or is causing damage or distress.
- Not subject you to automated decision making (including profiling) by use of your data, save as permitted by Data Processing Legislation and in accordance with appropriate measures to protect your rights and freedoms.
- You have the right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed.
- You have the right to claim compensation for damages caused by a breach of the Act.
- You have the right to complain with respect to any processing of your data and any breach of the above rights to the relevant supervisory authority, who in the case of the United Kingdom is the Information Commissioner’s Office by means of the helpline 0303 123 1113 or online form.
- You have the right to ask us to cease processing information. This means that we will be able to retain it but no longer act upon it. In the event you no longer need our services and wish to terminate your membership, we will automatically cease processing information.
Where we obtain your data other than directly from you, you will have the same or equivalent rights to those set out above.
EBI has no direct relationship with the investor (your client) but may be provided data from third parties (such as the financial adviser or platform). In this situation, the investor will have the same or equivalent rights to those set out above.
How would EBI transfer data to another party upon the client’s request?
EBI would follow the same process for receipt of a subject access request. This would ensure we have collected all the data we hold and make it available for transfer upon the client’s authority.
How would EBI respond to an individual’s request to restrict the processing of their personal data?
EBI would ensure the client is not added to the CRM database or certain information is omitted depending upon the client’s preference.
The obtaining of personal data is on some occasions a necessity. This ensures EBI is sufficiently able to provide its products and services in accordance with the Terms and Conditions. EBI would review each case on an individual basis.
Does EBI have a documented Data Retention Policy?
EBI will comply with Data Protection Law with respect to the data and, in particular, but without limitation, will review the data on a regular and frequent basis to ensure compliance with Data Protection Law, including, but not limited to, putting into effect any deletion or correction of erroneous data requested by you. In the course of any review we will:
- Delete any data which is trivial or transitory in nature, or which in our opinion is no longer required to be retained for the purposes set out above.
- Update the data to ensure that any errors or inaccuracies in the data are corrected.
- Archive the data as set out below.
- Securely delete data once the legal basis for processing that data has come to an end.
We may retain and process your data for the following periods, and if more than one period applies to the same data, to the last such period to expire:
- We will hold agreements (including the Terms and Conditions, Investment Agreement) between you and EBI for a period of six years from the termination or expiry of your subscription as an EBI member.
- We will process data related to our investment templates which we are managing for you and your clients during the full period of the term in which we are carrying out management of those portfolios and will continue to hold such data for a period of no more than six years following us ceasing to provide services to you.
- We will hold data required to be held for the purposes of any Regulator until the end of any limitation period imposed by the Regulator, which in the case of the Financial Conduct Authority is currently six years.
- We will hold data required to be held for the purposes of any relevant third party until the end of any period required by the relevant third party.
- We will hold data held for the purposes of any legal proceedings for a period of six years following the conclusion of any proceedings, unless a longer period is required pursuant to any court rule or enactment.
Use of ‘cookies’
A cookie is a small piece of data sent from a website and stored locally in a website visitor’s web browser. Cookies were designed to be a unified and reliable mechanism for websites to remember the state of the website, or any pertinent activity the user had taken in the past. This can include accessibility preferences, logging in, shopping cart items or a record of which pages were visited by the user etc.
To make full use of the personalised features of our website, your web enabled device will need to accept cookies, as we can only provide you with the personalised features of this website by using them.
EBI’s cookies do not store any sensitive information; they simply hold the ‘key’ that, once you’re logged in, is associated with this information. However, if you would prefer to disable cookies, you can switch them off by setting your browser preferences. Turning cookies off may result in a loss of functionality when using EBI’s website.
Links to other websites
In addition, if you linked to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owner and operators of that third-party site and recommend that you check the policy of that third-party site.
What is considered to be a breach of data and what steps are followed in the event of a breach?
All data is stored on our internal servers and is not transferred to external memory devices. A breach of data could be any of the following:
- Data sent to the incorrect person.
- External persons / organisations gaining access to our servers / workstations.
- Paper documents not being destroyed and taken away from EBI premises.
- Employees accessing files without a genuine purpose.
- A bug in software leaking data.
In the event of a data breach, EBI would investigate the reasons behind why the breach occurred and take necessary action, whether that be disciplinary action and/or improving processes. Depending upon the severity of the breach, EBI may report the breach to the Information Commissioner’s Office (ICO). If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, EBI will inform those individuals without undue delay.
EBI will keep a record of all personal data breaches, regardless of whether EBI are required to notify the ICO.
Do all staff understand the new data protection rules, what is classified as a data breach and what to do in the event of identifying a breach?
All staff receive regular training on data protection and will have an introduction to GDPR. EBI follows a response plan for addressing any personal data breaches. The Data Protection Officer has been allocated responsibility for managing breaches. EBI staff are trained to escalate a security incident to the Data Protection Officer to determine whether a breach has occurred.
There is a positive culture of data protection compliance within EBI. Staff receive training on an annual basis and understand the importance of safeguarding data. Staff demonstrate knowledge and adherence to company policy.
Has the firm passed ‘Cyber Essentials’?
Yes, EBI has passed this course. The following areas are covered within the guide:
- Secure internet connection.
- Secure devices and software.
- Control access to your data and services.
- Protect from viruses and malware.
- Keep your devices and software up to date.
Is data transferred outside of the European Economic Area (EEA)?
EBI does share data with FinaMetrica, a company based in Australia which is outside the EEA. The data provided to FinaMetrica includes advisers’ names and email addresses. Data is only shared once an adviser has given explicit authority by agreeing to the terms and conditions stated within EBI’s website. By agreeing to the terms and conditions, the adviser is requesting to become a member of FinaMetrica. Advisers that do not wish to join FinaMetrica will not have their details shared.
EBI keep this policy under regular review and may amend the policy from time to time without providing notification. You are responsible for regularly reviewing the policy to confirm your continued agreement.
This Policy was last updated September 2020.