We Thistle Initiatives Limited (also referred to as “Thistle”, “we”, “us”, or “our”) are a registered company in England (Company no. 07078648). Our registered address is 2nd Floor, 4 St Paul’s Churchyard, London, EC4M 8AY.
The purpose of this notice
This notice describes how we collect, use, share, retain and safeguard personal data. This notice also sets out your individual rights and who you should contact if wishing to discuss the use of your data.
What is personal data?
Personal data is information relating to an identified or identifiable natural person. Examples include an individual’s name, age, address, date of birth, gender and contact details.
Personal data may contain information which is known as special categories of personal data. This may be information relating to an individual’s health, or racial or ethnic origin.
Personal data may also contain data relating to criminal convictions and offences.
How do we treat special categories of data and criminal record data?
For the purposes of safeguarding and processing special categories of data and criminal convictions data responsibly, this data is processed in line with relevant data protection regulations and legislation, under which we are legally required to comply with specific data processing requirements.
Personal data we collect
In order to provide you with our services, we may collect and process personal data about you and other individuals within your firm. We may also collect, in the course of providing our services to you, personal data you provide us about your clients. Where you disclose the personal data of others, you must ensure you are entitled to do so and that you have provided them with relevant privacy information.
We may collect the following categories of data:
- Personal data such as an individual’s name, address, date of birth, gender and contact details;
- Information to enable us to check and verify your identity, such as your date of birth or passport details;
- Information relating to the matter in which you are seeking our advice;
- Information to enable us to undertake credit and other financial checks on you;
- Your employment history and details, including disciplinary or regulatory sanctions, criminal convictions, and offences such as fraud if you instruct us to make certain FCA applications; and/or
- Special categories of personal data such as data relating to medical health to help identify vulnerable individuals or where you or others inform us of a medical condition;
You should be aware that if you object to the collection, sharing and use of your personal data we may be unable to provide you with our services.
How do we collect personal data?
You may provide us with personal data when signing up to or requesting information on our services, through application forms, when completing contact forms, or when you contact us via the telephone or e-mail or when writing to us directly. Our corporate clients may provide us with personal information in relation to their employees, directors, shareholders, suppliers, customers and other advisers.
We may obtain information from your other advisers where you have provided them with your consent.
We will also collect electronic personal data when you first visit our website, where we will place a small text file that is commonly known as a cookie on your computer. Cookies are used to identify website visitors and to simplify accessibility, and to monitor visitor behaviour when viewing website content, navigating our website and when using website features. We will also record your unique online electronic identifier; this is commonly known as an IP address.
Data we share
We will share or grant access to your personal data within our group of companies. The sharing of information allows us to provide you with a comprehensive range of support services, it is also necessary to allow us to administer our business.
We will also share personal data with authorised third parties. This is necessary where we are required to do so by law and where we need to administer our business. For example:
- Credit reference agencies;
- IT providers;
- Learning and Development platform providers
- National Crime Agency
- HM Revenue & Customs
Who controls your personal data?
Where we collect data directly from you, we are considered to be the controller of that data i.e. we are the data controller. Where we use third parties to process your data, these parties are known as processors of your personal data. Where there are other parties involved in managing your data, we will be a joint data controller of your personal data.
Data controllers and processors explained
A data ‘controller’ means the individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A data ‘processor’ means the individual or organisation which processes personal data on behalf of the controller.
Why do we need your personal data?
Your personal data is used to process requests for our services, to administer our services and our business, to respond to any requests from you about the services we provide and to process complaints.
The lawful basis for processing personal data
We will process your personal data to allow us to perform our contract with you and to provide our services to you.
We have legitimate interests in using your personal data to manage our relationship, perform statistical analysis on the data we collect, for financial planning and business forecasting purposes, to handle complaints, to obtain insurance and handle claims, and to market our services.
We will also process data as required by law.
When is consent required?
In some situations, we may request your consent to process your personal data for specific purposes, or to market our services to you, to share your data or to transfer your data outside the European Economic Area. Where we require consent, your rights and what you are consenting to will be clearly communicated to you. Where you provide consent, you can withdraw this at any time by contacting our Data Privacy Representative by e-mailing email@example.com.
For how long do we need to retain your data
We will need to retain your data for contractual, legal and/or regulatory purposes and for our legitimate business interests where allowed by law. In general, we will retain your data for a period of at least six but not more than seven years after our relationship ends.
Sometimes we may need to retain your data for longer, for example if we are acting on your behalf or defending ourselves in a legal dispute or as required by law or where evidence exists that a future complaint may occur.
International transfers of personal data
We may transfer your data to third parties based outside the European Economic Area. This may be necessary for the purposes of administering our business. Such parties are not permitted to use your personal data for any other purpose than for what has been agreed with us. These parties are also required to safeguard your personal data through the use of appropriate technical and organisational data security measures and are prohibited from disclosing or sharing your data with other third parties without our prior authorisation, or unless as required by law.
Please contact our Data Privacy Representative at firstname.lastname@example.org for a list of countries and organisations your personal data is transferred to and/or for further information on the measures undertaken to safeguard your data.
Individuals are provided with legal rights governing the use of their personal data. These grant individuals the right to understand what personal data relating to them is held, for what purpose, how it is collected and used, with whom it is shared, where it is located, to object to its processing, to have the data corrected if inaccurate, to take copies of the data and to place restrictions on its processing. Individuals can also request the deletion of their personal data.
List of your rights
These rights are known as Access Rights under the Data Protection Act 2018. The following list details these rights:
- The right to be informed about the personal data being processed;
- The right of access to your personal data;
- The right to object to the processing of your personal data;
- The right to restrict the processing of your personal data;
- The right to rectification of your personal data;
- The right to erasure of your personal data;
- The right to data portability (to receive an electronic copy of your personal data);
- Rights relating to automated decision making including profiling.
Individuals can exercise their individual rights at any time. As mandated by law we will not charge a fee to process these requests, however if your request is considered to be repetitive, wholly unfounded and/or excessive, we are entitled to charge a reasonable administration fee.
In exercising your Individual Rights, you should understand that in some situations we may unable to fully meet your request, for example if you make a request for us to delete all your personal data, we may be required to retain some data for taxation, prevention of crime and for regulatory and other statutory purposes.
You should understand that when exercising your rights, a substantial public or vital interest may take precedent over any request you make. In addition, where these interests apply, we may be required by law to grant access to this data for law enforcement, legal and/or health related matters.
Protecting your data
We will take all appropriate technical, organisational and physical steps to protect the confidentiality, integrity, availability and authenticity of your data, including when sharing your data within our group of companies and with authorised third parties.
Please contact our Data Privacy Representative if you are dissatisfied with any aspect of how we process your personal data. You also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO). The ICO may be contacted via its website which is https://ico.org.uk/concerns/, by live chat or by calling their helpline on 0303 123 1113.
How to contact us
If you have any questions regarding this notice, the use of your data, your Individual Rights or you object to the processing of your personal data as described within this notice, please contact our data privacy representative by writing to the Data Privacy Representative at 2nd Floor, 4 St Paul’s Churchyard, London, EC4M 8AY or by e-mailing email@example.com or by telephoning 0207 436 0630.