The purpose of this Privacy Notice is to ensure that Two Financial Services (“the Company”, “we”, “us”, “our”) treats data protection requirements seriously and consistently, collecting, handling, using and protecting (potential) employee, agent and Appointed Representative data safely, respectfully, fairly and lawfully. The privacy of our (potential) employees, agents and Appointed Representatives (“you”, “your”) is extremely important to us, and we will pay special attention to protecting it during our processing activities. We aim to be upfront with you about how we use and treat your personal data. This Privacy Notice explains why and how we collect, share, use and protect the personal information we may gather during our interactions, and the rights that you have, as a data subject, in relation to this.
This notice is written in consideration of all applicable regulations.
This notice applies to all employees within the Company and all contractors/Appointed Representatives and their staff supplying services to the Company, regardless of their type of employment contract.
The accountability for the standards by which personal data of employees, agents and Appointed Representatives is handled sits with the Data Controller (as defined by applicable data protection laws and regulations), which is Two Financial Services Limited, supported by the Company’s Data Protection Officer. Responsibility for ensuring this Notice is circulated, implemented and maintained is that of the executive and senior management.
1.4 Organisational Structure
Ultimate responsibility for data protection lies with the Company Data Protection Officer as apportioned by the Director. The members of the Compliance Committee then review and support the impact on the Company and individual departments in managing this Notice.
1.5 Risk Assessment and Data Protection Impact Assessment
Consideration must be given to the completion of a Data Protection Impact Assessment by the Data Protection Officer for all data protection issues identified, as well as to the requirement to complete this on an annual basis. The Data Protection Officer and the Compliance Committee are responsible for identifying any actions necessary to reduce risks and for ensuring these are acted upon as per the Risks and Controls policy. We expect our Appointed Representatives to inform us of any data protection issues, breaches or errors they encounter while operating under the Two Financial Services network so that we can improve, consider all risks and take any appropriate risk mitigation action.
1.6 Reviewing This Notice
This Notice will be reviewed annually by the Data Protection Officer and the Compliance Committee, and updated where applicable. Any more frequent changes proposed or required to the included procedures or processes shall be reviewed and updated within this document, for Company and regulatory control, before being implemented.
The Company employs staff and external contractors who possess the skills, knowledge and expertise to carry out their functions effectively. Tailored training on the subject of GDPR Data Protection and related good practices has been provided. All managers regularly review employees’ competence and take appropriate action to ensure they remain competent for their roles.
2.1 Data Use
For the purposes of this Privacy Notice, references to data or personal information ‘use’ will cover the capturing/gathering, handling, processing, storage and safeguarding of personal data by Two Financial Services (“the Company”).
2.2 Data Subject
The data ‘subject’ refers to the individual person having their personal data or information ‘used’.
3 Data Types
Listed below are some types of personal information the Company collects, processes and uses in accordance with employee and agent Contracts of Employment, Appointed Representative Contractual Agreements, legal/regulatory obligations and the legitimate interests of the Company:
- Personal Details (e.g. name, date of birth, address, gender, contact details, copies of photographic identification)
- Job-related information (e.g. employee ID, office location, department, position etc.)
- Performance and regulatory compliance-related information (e.g. competency test results, performance ratings, call quality assessments, feedback from Company managers, outcome logs of meetings)
- Financial Information (e.g. salary, Bank Statements, Credit Reports, bank account details, pension details)
- Development-related information (e.g. training course attendance)
- Previous Employment Information (e.g. Curriculum Vitae information provided during Appointed Representative or employee application stages)
- Talent-related information (such as employee suitability as a successor to another position, willingness to relocate etc.)
Among the personal data above, we may also collect, process, handle or use sensitive personal data, for example, relating to any disabilities or other health-related issues employees, agents or Appointed Representatives may have in order that we make adjustments where possible, in compliance with applicable laws and regulations.
4 Data Use
4.1 Lawful Bases for Processing Data
Under GDPR, the Company must have a valid lawful basis in order to process personal data. There are currently six lawful bases for processing, and we are required to inform the data subjects of the bases relevant to our data use.
At present, we use Appointed Representative, employee and agent personal information under the following lawful bases:
- Contract: It is necessary to process this personal data in order to enter into or fulfil a contract;
- Legal Obligation: The Company have a legal or regulatory obligation to do so;
- Legitimate Interests: It is in the legitimate interests of the Company to do so and it is not against the rights of the data subject.
- Your Consent: To the extent that this is required by applicable data protection laws and regulations.
It will be necessary for the Company to process personal information in order to enter into or uphold our side of a contract with the data subject, for example Contracts of Employment with employees and Contractual Agreements with Appointed Representatives.
Two Financial Services are required by law or regulatory bodies to process certain personal information about our employees, agents and Appointed Representatives.
For example, we will need to process employee personal data to meet our legal requirement to inform HMRC of salaries for appropriate payment of tax, for accounting purposes, for regulatory purposes or to fulfil a court order in such circumstances as to maintain an ‘attachment of earnings’.
We are obligated to process the personal data of potential and current Appointed Representatives in order to remain compliant with obligations determined by regulators such as the Financial Conduct Authority and legal requirements as laid out in United Kingdom (“UK”) legislation, such as within the Financial Services and Markets Act 2000, Prevention of Terrorism Act (1989) and Terrorism Act (2000) or the Money Laundering Regulations 2007. For example, we must process personal data to ensure prospective Appointed Representatives meet regulatory pre-appointment and ongoing Due Diligence requirements and ensure data subjects within Appointed Representative firms meet ongoing FCA compliance regulatory requirements during their contractual term with the Company.
Two Financial Services may find it necessary to process personal data of our employees, agents or Appointed Representatives in order to meet and protect the legitimate interests of the Company; however, our legitimate interests are overridden by your legitimate interests. Examples of our legitimate interests include:
- To facilitate Company communication
- For general HR administrative purposes
- Performance and payment management
- Learning and development
- Recruitment and pre-contractual suitability assessments
- Workforce planning and analytics
If a complaint is made to us, we may be required to use personal information to investigate and deal with the complaint. The Company has a regulatory obligation to handle complaints appropriately. Any data subject unhappy about how Two Financial Services have processed their personal information should contact us in the first instance. Should the data subject remain dissatisfied with the way their complaint has been handled, they have the right to lodge a complaint with the Information Commissioner’s Office – contact details can be found on its website at https://ico.org.uk/.
5 Data Sharing and Access
5.1 Other Parties
For the above stated purposes, we may disclose employee, agent or Appointed Representative personal data to the following recipients:
- Two Financial Services Limited and authorised persons working on behalf of Two Financial Services Limited
- Third party service providers (e.g. external training and development providers, Company healthcare providers, workplace pension providers, legal advisors, accountants, payroll facilitators, external recruiters, external compliance providers, IT maintenance and service providers, outsourced HR service providers, document management and postal services)
- Law enforcement or government authorities where necessary, to comply with applicable laws (e.g. the courts of the land, the police, HMRC, fraud prevention agencies)
- Regulators such as the Financial Conduct Authority
- Other parties in the event the Company is sold, merges, becomes a joint venture or similar.
- Other parties, with the data subject’s consent.
5.2 Where We May Process Personal Data
At present, Two Financial Services have no reason to share gathered information outside of the European Economic Area (EEA), but should this need change, we will only share this information with consent.
Please note that all countries, within or outside of the European Union/EEA, have different laws surrounding personal data and its protection. Should we need to transfer employee, agent or Appointed Representative personal data outside of the United Kingdom to another country, it is important to note that the laws in the country to which this data is transferred may differ. For example, the circumstances in which law enforcement can access personal data may vary from country to country, and may be less protective than in the UK. It is our goal to maintain a very high standard. If the Company is required to share personal information outside of the EU or EEA, Two Financial Services will ensure that this will be protected in the same way as if it was being used in the EEA by implementing contractual safeguards, e.g. standard contractual clauses for data transfers which are approved by the European Commission.
6 Ongoing Contact
To help us keep our employee, agent and Appointed Representative data subjects informed about their duties, responsibilities or other reasons relating to their contracts with us and their obligations to regulators and customers, Two Financial Services may make contact by letter, telephone, email, text message or online messaging platforms as agreed.
7 Protection of Personal Information
The protection and security of the personal information we use is of the utmost importance to us. Two Financial Services will take as many precautions as possible to protect personal data. Some of the steps the Company takes (this list is not exhaustive) are listed below:
- Company security policies and standards
- Staff security awareness & training
- Role-based access controls to prevent unauthorised access to the information
- Encryption and anonymisation technology
- Anti-malware & anti-virus technologies
- Security monitoring
- Secure archiving and deletion
- Compliance with industry regulation and legislation
8 Rights of Data Subjects
All requests to exercise the below rights should be submitted to the Company’s Data Protection Officer using the details below.
For data protection purposes, the Company may ask for proof of identity before providing the information requested.
8.1 Access to Personal Information
Any data subjects may request access to the personal data Two Financial Services hold about them. This is often called a “Data Subject Access Request”.
8.2 Right to Rectification
If the personal information Two Financial Services hold about an individual is incorrect, the ‘Right to Rectification’ enables the data subject to request that it is updated or corrected to ensure accuracy.
8.3 Right to Suspend, Limit or Stop Personal Data Processing
A data subject may wish Two Financial Services to temporarily suspend, limit or entirely stop the processing of their personal information. For example, this may be appropriate if the accuracy of personal data held has been contested, for the period until that accuracy is verified.
8.4 Right of Erasure (or ‘Right to be Forgotten’)
A data subject may request the deletion of personal data if it is no longer needed. There may be occasions where, despite a request to do so, Two Financial Services are unable to delete certain personal data due to our FCA regulatory or legal obligations. Should this be the case, this will be discussed with the data subject placing the request.
8.5 Right to Data Portability
In some instances, a data subject may be able to request that their personal information be provided to them, or to another company, in an electronic format that can be processed electronically. In order to do so, a request must be submitted to our Data Protection Officer using the details below.
8.6 Legal & Regulatory Obligations
It is important that we make you aware that Two Financial Services Limited may occasionally be unable to fulfil some of these requests due to our regulatory and/or legal obligations. Should this be the case, this will be explained to you by the Data Protection Officer.
8.7 Data Protection Officer Contact Details
Data Protection Officer
Two Financial Services Limited
10 Orchard Court, Heron Road, Exeter EX2 7LL
9 Data Retention
9.1 Appointed Representative Personal Data
If an Appointed Representative application is successful and the firm joins the Two Financial Services network, the personal information submitted by the firm’s Directors, and the personal data of Appointed Representatives and their employees (as mentioned above) gathered throughout the term of the Contractual Agreement (such as financial, compliance, training and performance-related personal data), may be retained for the duration of their time as a network member. Should the firm leave the Company’s network, or should its application be unsuccessful, Two Financial Services will delete the personal information provided (as long as this is in line with Company legitimate interests and regulatory and legal record-keeping requirements).
9.2 Employee and Agent Personal Data
The Company may retain personal information relating to employment as required to fulfil the legitimate needs of the business and any contracts of employment, as well as legal responsibilities. This personal data may include CCTV recordings, employee performance and productivity data, Curriculum Vitae data, accident reports, identification data, pension information, details of holidays and sickness, along with personal financial data needed to pay wages and meet HMRC and similar requirements. This employee/agent data may be retained where necessary for the duration of employment, following which, unless any legal requirements or legitimate interests require the Company to retain it, it shall be destroyed.
9.3 Telephone Calls
Two Financial Services may record any telephone calls you make to us, calls made by employees on our telephone system, and calls that the Company makes to you or any other third party. Calls are recorded for training, monitoring and quality purposes and to meet our legal and regulatory obligations, and may be retained for up to six years. Some telephone calls may be observed by staff for training and development purposes.
10 Role of the Data Protection Officer
- To be responsible for data protection compliance and be the point of contact for any data protection issues and breaches.
- To handle internal data protection queries and breach investigations effectively and in a timely manner, completing Data Protection Impact Assessments, reporting qualifying breaches to the Information Commissioner’s Office and logging all breaches as required.
- To process, co-ordinate and respond to Subject Access Requests promptly and effectively.
- To maintain a Company Data Protection Register of all relevant filing systems and databases where personal information is held, including the origin of the information contained, the purpose for which the information is held and the timescales of retention.
- To ensure that no identifiable data relating to employees, agents or Appointed Representatives is retained longer than necessary once their contracts with the Company have expired, been terminated or otherwise ended, unless required for the fulfilment of legal or regulatory obligations.
- To ensure that any employees handling personal data know where to go for further information and guidance.
- To ensure that ‘best practice’ training and guidance material produced for those handling the personal data of employees and contractors/Appointed Representatives is fit for purpose and signed off as per Company process.
- To regularly audit/carry out inspections on data protection processes and activities by way of an annual Data Protection Impact Assessment.
- To escalate any identified operational data protection risks to the Managing Director, logging these on the Risk Register and following procedures in accordance with the Risks and Controls Policy.
11 Role of Company Systems and IT Manager
- To oversee completion of an annual assessment of data security measures used by the Company to store employee, agent and Appointed Representative personal data, ensuring these processes and controls are suitable for the appropriate safeguarding of the personal data concerned.
12 Role of Director
- To ensure that adequate and secure systems and controls are in place to mitigate risk of Data Protection breach or loss.
- To put adequate measures into place to specifically address Data Protection risks relating to the personal data of (potential) employees, agents and Appointed Representatives.