Below you will find an overview about the information we collect, when we collect it and how it is used and shared, and your choices regarding this information.
If you would like to ask for information about our Data Protection Policy, you can contact us at firstname.lastname@example.org
Risk is the “data controller” of the personal information we hold for the purposes of the General Data Protection Regulation (the GDPR) (which applies across the EU including the UK) and any Data Protection Laws which supplement GDPR, or any other local laws and regulation that might apply in non-EU jurisdictions.
We collect, use and share data primarily in the framework of our business, always in compliance with our duties as per the enforceable legislation. When we collect and use your personal information (including special category data), we ensure we look after it properly and use it in accordance with the privacy principles set out below, keep it safe and will never sell it.
1. FAIR AND LAWFUL PROCESSING: Personal information you provide is processed fairly, lawfully and in a transparent manner in accordance with the six circumstances set out by GDPR as a lawful basis of processing personal data:
- Explicit consent obtained from the data subject;
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
2. COLLECTED FOR SPECIFIC, EXPLICIT AND LEGITIMATE PURPOSES: Personal information you provide is collected for a specific purpose, is not processed in a way which is incompatible with such purpose, can only be used for that purpose and the use must be consistent with those set out in any privacy or consent notice used to obtain the data.
3. ADEQUATE, RELEVANT AND NOT EXCESSIVE FOR THE PURPOSE: Your personal information is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Data should be destroyed or rendered anonymous at the point at which it no longer serves a relevant purpose.
4. ACCURATE AND KEPT UP TO DATE WITH EVERY EFFORT TO ERASE OR RECTIFY WITHOUT DELAY: Your personal information is kept accurate and, where necessary kept up to date. No data should be held unless it is reasonable to assume that it is accurate. Data should be erased or corrected as soon as it has been identified to be inaccurate.
5. NOT KEPT LONGER THAN NECESSARY FOR THE PURPOSE OF PROCESSING: Your personal information is kept no longer than is necessary for the purposes for which the personal information is processed. Risk will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
6. PROCESSED IN LINE WITH DATA SUBJECTS’ RIGHTS: Your personal information is processed in accordance with your rights. Risk will process all personal data in line with the data subjects’ rights, set per GDPR, in particular:
- Right to be informed;
- Right of access;
- Right to rectification;
- Right to erasure;
- Right to restrict processing of their data for direct marketing purposes;
- Right to data portability;
- Right to object;
- Rights in relation to automated decision making and profiling;
- Right to withdraw consent; and
- Right to lodge a complaint.
Please refer to “Your Rights” section for detailed explanation of each Right and Risk’s duties as Data Controller.
7. PROCESSED IN A MANNER THAT ENSURES THE APPROPRIATE SECURITY AND CONFIDENTIALITY: We will take appropriate steps to keep your personal information secure.
8. NOT TRANSFERRED TO PEOPLE OR ORGANISATIONS SITUATED IN COUNTRIES WITHOUT ADEQUATE PROTECTION: Risk does not sell your personal information and we also do not permit the selling of customer data by any companies who provide a service to us. We will only transfer your personal information to another country or an international organisation outside the European Economic Area where we have taken the required steps to ensure that your personal information is protected. Such steps may include placing the party we are transferring information to under contractual obligations to protect it to adequate standards.
What personal information do we collect?
The personal information that we collect will depend on our relationship with you. Please note, in certain circumstances we may request and/or receive “sensitive” personal information about you. We might also collect personal information, such as your contact details.
Personal information is defined in the GDPR as any information relating to an identified or identifiable natural person. It can include obvious data like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Sensitive personal information or special category data includes data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.
How do we collect your personal information?
We collect personal information directly from you via cookies, or during our telephone calls with you (which may be recorded). Please be aware that this is not an exhaustive list.
We also collect your personal information by asking other different sources or organizations to share with us.
We may also use data to improve our level of service. Where we do this, we do it to help inform us how to improve the way we work since both we and those we deal with have an interest in us doing so.
How long we keep information
We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes of our business and in order to comply with our legal and regulatory obligations, in accordance with our Data Protection Policy.
The time period we retain your personal information for will differ depending on the nature of the personal information and our regulatory obligations. We usually keep your information for a maximum of ten years from the end of our relationship with you. However, there may be circumstances in which we may be required to keep personal information for longer, for example, in case of dispute or legal action.
A. RIGHT TO BE INFORMED
You have the right to be informed about the collection and use of your personal data. Accordingly, at the time of collection of your personal data you shall be provided with the following information: (i) purposes for processing their personal data, (ii) retention periods for that personal data, and (iii) who it will be shared with.
B. RIGHT OF ACCESS
You are entitled to access your personal data and supplementary information to be aware of and verify the lawfulness of the processing.
Please be aware that we must verify the identity of the person making the request. If you make a formal request, your personal information will be provided to you in writing. If your request is made electronically, we would provide the information in a commonly used electronic format. If the request is made through a phone call, the caller’s identity will be checked to make sure that information is only given to a person who is entitled to it and suggest that the callers put their request in writing.
The right to obtain a copy of information or to access personal data should not adversely affect the rights and freedoms of others.
There will not usually be a charge for dealing with these requests.
C. RIGHT TO RECTIFICATION
We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if this is not the case, you can ask us to update or amend it by emailing us at email@example.com
D. RIGHT TO ERASURE
In certain circumstances (e.g., where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent) you have the right to ask us to erase your personal information. However, this will need to be balanced against other existing obligations we may have, for example, duty to comply with a legal obligation, or for the establishment, exercise or defense of legal claims.
E. RIGHT TO RESTRICT PROCESSING OF THEIR DATA FOR DIRECT MARKETING PURPOSES
In certain circumstances, you can limit the way we use your data. This is an alternative to requesting the erasure of your data. Where you have a particular reason for wanting the restriction (for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to process your personal information) you are entitled to ask us to stop using your personal information.
F. RIGHT TO DATA PORTABILITY
In certain circumstances, you have the right to ask that we transfer any personal information that you have provided to us to another third party of your choice, if this is technically feasible. Once transferred, the other party will be responsible for looking after your personal information.
There will not usually be a charge for dealing with these requests.
G. RIGHT TO OBJECT
You have the right to object to us processing your information where we are processing data in connection with our business. In such cases, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.
If you have concerns about how we are using your information and believe that this should stop, you can email us at firstname.lastname@example.org
H. RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING.
Some of our decisions are made automatically by inputting your personal information into a system or computer and the decision is taken using automatic processes rather than our employees making those decisions. We may use automatic processes, for example, to verify your identity.
You have a right not to be subject to automated decision-making, including profiling, and can object to such automated decision-making, including profiling by emailing us at email@example.com
I. THE RIGHT TO WITHDRAW CONSENT
For certain uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information, subject to the data concerned not being essential for future processing. In these circumstances, the Subject Access and Consent Withdrawal Procedure must be followed.
J. THE RIGHT TO LODGE A COMPLAINT
You have a right to complain to the relevant data protection agency or any other relevant data protection agency which may be, from time to time, entitled to resolve such complaint, if you object to the way in which we use your personal information.
We might share your personal information with:
- Risk affiliate and associate companies: for our general business administration, efficiency and accuracy purposes or for the prevention and detection of fraud.
- Third parties (outside our Group): limited to sharing of the information necessary for the proper execution of our business. This might include disclosure of your personal information to a third party which will only be made where the third party has agreed to keep your information strictly confidential and shall only be used for the specific purpose for which we provide it to them.
We may also disclose your personal information to other third parties where:
- we are required or permitted to do so by law or by regulatory bodies or as per any court request; or
- we understand that such disclosure is required in the overriding public interest.
Any sharing will be kept strictly confidential and will only be used for the reasons described above.
Transfers of data outside the EEA (EEA Operation Specific)
In some circumstances, we are required to transfer your personal information from within the European Economic Area (EEA) to non-European Economic Area countries (referred to in the GDPR as ‘third countries’) for being necessary for the performance of your contract. Where we transfer your personal information outside of the EEA we will implement the required measures to ensure that your personal information is protected. Such measures may include entering into Standard Contractual Clauses with the party we are transferring personal information.
Changes to this notice
We keep this notice under regular review.