Gladstone Brookes Privacy Notice


This Privacy Notice is v2.1.1 and is valid from 00:01hrs on 28th August 2020. It replaces and supersedes all other Privacy Notices associated with Gladstone Brookes.

We take your privacy very seriously. This Privacy Policy details what personal data we collect and how we shall use it.

Changes to this Privacy Notice.

We continually review our Privacy Notice and update it where necessary. We advise that you regularly check our Privacy Notice for updates. We do not wish to bother you with lots of minor amendments, but where we make significant changes to our policy, we shall contact you to inform you.

Our Name & Contact Details.

The Data Controller of your personal data is Gladstone Brookes Limited. This means that Gladstone Brookes decides how your personal data is processed and for what purposes. Our contact details are:

Gladstone Brookes47 Museum Street,Warrington,Cheshire,WA1 1LD

Data Protection Officer Contact Details.

In observance of the General Data Protection Regulation and the Data Protection Act 2018, Gladstone Brookes have chosen to establish a Data Protection Officer. Should you wish to contact our Data Protection Officer regarding a data protection matter you can do so by emailing dpo@gladstonebrookes.co.uk, or writing to:

Data Protection Officer
Gladstone Brookes
47 Museum Street,
Warrington,
Cheshire,
WA1 1LD

Personal data categories we collect

We may collect, use, store and transfer different kinds of personal data about you which we have categorised as follows:

  • Identity Data: This includes first name, maiden name, last name, marital status, title, date of birth and gender.
  • Contact Data: This includes email address and telephone numbers.
  • Financial Data: This includes bank account information and payment details.
  • Compliance Data: This includes recorded calls for quality checks and staff training. Such recordings may also be used to help us combat fraud.
  • Technical Data: This includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Usage Data: This includes information about how you use our website, products and services.
  • Marketing and Communications Data: This includes your preferences in receiving marketing from us and your communication preferences.
  • Aggregated Data: This includes statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
  • Special Categories of Personal Data: This includes health and vulnerability related data that you may voluntarily share with us during the fulfilment of our services to you. We will always ask for your explicit consent to record and share Special Category Data.

For what purposes do we process personal data, and what are the lawful basis’ by which we process data?

Gladstone Brookes processes your Personal Data for the following purposes:

For What Purposes Do We Process Personal Data?
“Gladstone Brookes processes your data to…”
What is the lawful basis by which we process the data?
Direct market similar or aligned new products and services to our existing customers; Consent & Legitimate Interest
Request specific consent to share customer personal data with specific fulfilment partners so that they may direct market similar or aligned new products and services to our existing customers; Consent &Legitimate Interest
Verify the identity of individuals where necessary including for Subject Access Requests (SAR); Contract
Update clients about changes to how we process their personal data and/or new processing activities via email, telephone, SMS text, postal mail; Legal Obligation
Gather feedback for service and product improvement via email, telephone, SMS text, postal mail; Legitimate Interest
Share testimonials, case studies and feedback on our website and future marketing; Consent
Resolve complaints and/or disputes; Legitimate Interest
Request continuation of Consent prior to consent expiry; Consent
Collect payments or arrears should we have the need to do so; Legitimate Interest
Protect our organisation, staff, associates, suppliers, partners and clients; Legitimate Interest
Prevent, detect and investigate fraud; Legal Obligation
Prevent, detect and investigate crime; Legal Obligation
Comply with the law; Legal obligation
Fulfil our statutory or regulatory obligations; Legal obligation
Maintain our own accounts and records; Legal obligation
For reporting, analytics and product/service improvement (including training); Legitimate Interest
Improve and maintain data accuracy or completeness; Legitimate Interest
Track your email engagement; Legitimate Interest
Personalise your online experience; Legitimate Interest
Comply with the law; Legal Obligation
Fulfil our statutory or regulatory obligations; Legal Obligation
Maintain our own accounts and records; Legal Obligation
For reporting, analytics and product/service improvement (including training); Legitimate Interest
Improve and maintain data accuracy or completeness; Legitimate Interest
Track your email engagement; Legitimate Interest
Personalise your online experience; Legitimate Interest
Conduct market research. Legitimate Interest
Sell your personal data Legitimate Interest

What are our legitimate interests for processing your data?

Where we have used legitimate interest as the lawful basis for processing your personal data, we may:

  • Direct market products and services to you via post, emails, telephone, SMS text and push notifications where they are similar/aligned to our current products and services, a soft opt-in exists, and it conforms with the Privacy and E-Communication Regulation;
  • Request specific consent to share customer personal data with specific fulfilment partners so that they may direct market similar or aligned new products and services to our existing customers;
  • For reporting, analytics and product/service improvement (including training);
  • Improve and maintain data accuracy or completeness;
  • Track your email engagement;
  • Personalise your online experience. This could include customising the content and/or layout of our pages for individual users, for both visitors and contributors;
  • Conduct market research. Including research on the demographics, interests and behaviour of our customers in order to help us gain a better understanding of different audiences and enable us to improve our service. This research may be carried out internally by our employees or we may ask another company to do this work for us. Data will be anonymised to protect your data rights for research purposes.
  • Sell your personal data;
  • Resolve complaints and/or disputes;

Sharing your personal data

Gladstone Brookes may choose to share your personal data internally and/or externally to the business. Where we choose to share your information, we shall do so for the following reasons:

  • Where we have your “Consent” to do so. Where we process your data under the consent lawful basis you have the right to withdraw consent. Please refer to “Your Right to Withdraw Consent” section below;
  • Where we have your “Consent” to do so. Where we process your data under the consent lawful basis you have the right to withdraw consent. Please refer to “Your Right to Withdraw Consent” section below;
  • Where necessary to fulfil the services and/or products we are “Contracted” to provide to you;
  • Where we have a “Legal Obligation” and are required by law and to law enforcement agencies, judicial bodies, government entities, tax authorities or regulating bodies around the world, this includes communicating with you to update you about our privacy notice and changes to how we process your personal data;
  • Where we have “Legitimate Interest” to do so, including;
  • For the purposes listed in the “What are our legitimate interests for processing your data?” section above.
  • For reporting, analytics and service improvement purposes across our trading styles and/or within any future group construct should Gladstone Brookes establish or become part of a group.
  • Where one of our registered trading styles and/or current associated businesses provides a product or service similar/aligned with our organisation’s aim to help clients maximise the potential of their data in a fair, lawful and transparent manner that we do not currently provide ourselves.
    • Churchill Sloan Limited
    • Financial Protections Limited
    • Money Management Team Limited
    • Synergy Financial Solutions Ltd
    • Muldoon Brittan
    • Milestone Marketing Group (marketing partner)
  • Where an external 3rd Party, with whom we are yet to have a relationship, provides a product or service that we do not currently provide ourselves, and:
    • Which we reasonably believe would be of benefit to you, and you would reasonably expect to receive
    • Is similar/aligned to our organisation and the services we provide,
    • It conforms with the Privacy and E-Communication Regulation.
  • In this case we would contact you using Legitimate Interest to request specific Consent to share your personal information.
  • Where we believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites;
  • Where required for a proposed sale; reorganisation; transfer; financial arrangement; asset disposal; or any other transaction relating to our business and/or assets held by our organisation.
  • Where we outsource support functions of our organisations to trusted partners. The categories of these recipients include:
Categories Who we use Privacy Notice
Payment service providers Sage Pay, DPS https://www.sagepay.co.uk/policies/privacy-policy
Website chat support providers Drift https://www.drift.com/privacy-policy/
Web analytics service providers Google Analytics https://policies.google.com/technologies/partnersites?hl=en-US
Social Media Provider LinkedIn
Facebook
Twitter
Instagram
Facebook Ads
Microsoft – Bing
https://www.linkedin.com/legal/privacy-policy
https://en-gb.facebook.com/privacy/explanation
https://twitter.com/en/privacy
https://help.instagram.com/519522125107875
https://en-gb.facebook.com/policy.php
https://privacy.microsoft.com/en-gb/privacystatement
Customer Relationship Management System CMS – Lanted https://www.lan.co.uk/
Digital Marketing Support Jellyfish https://www.jellyfish.com/en-gb/privacy-policy
Legal support providers; Mr Finch https://www.trustmrfinch.com/privacy-policy/
Cookie Provider Cookiebot https://www.cookiebot.com/en/privacy-policy/
Human resources support providers (staff only); Mr Finch https://www.trustmrfinch.com/privacy-policy/
Data Accuracy Support Provider UK Search https://www.uksearchlimited.com/ksupload/userfiles/Privacy-Policy-and-Fair-Processing-Notice-V6-UKSL-070918.pdf
Debt collection support providers; UK Search https://www.uksearchlimited.com/ksupload/userfiles/Privacy-Policy-and-Fair-Processing-Notice-V6-UKSL-070918.pdf
IT support providers; Lantec https://www.lan.co.uk/
Call & SMS Communication Provider Connex Dialler
Text Local
https://www.connexone.co.uk/privacy-policy/
https://www.textlocal.com/legal/privacy/
Email Delivery Mailchimp
Send Grid
https://mailchimp.com/legal/privacy/
Mail scanning & support providers Managed Inc
Outprosys
Hobs
https://managedink.co.uk/wp-content/uploads/2018/07/Privacy-Policy.pdf
http://www.data-capture.co.za/privacypolicy/
https://hobsrepro.com/about-us/privacy-policy/
Call centre support providers; 3ISolutions Limited TBC
Feedback/review service providers; Survey Monkey Inc
Feefo Holdings Limited
Trust Pilot
https://www.surveymonkey.com/mp/legal/privacy-policy/
https://www.feefo.com/en-au/business/privacy-policy
https://uk.legal.trustpilot.com/end-user-privacy-terms
Credit reference agencies;Debt Collection Services;
Wilkin Chapman https://www.wilkinchapman.co.uk/pages/privacy-policy
Data Backups Iron Mountain
Lantec
https://www.ironmountain.com/utility/legal/privacy-policy
https://www.lan.co.uk/
Compliance Consultants CSS Assure
Thistle
https://www.cssassure.com/privacy-notice
https://www.thistleinitiatives.co.uk/privacy-policy/
Call Auditing Services Audit Agent / TCST https://auditagent.co.uk/privacy-policy.html
Secure Shredding Services MAW Ltd https://www.datashreddingservices.co.uk/index.html

Where we choose and/or have your permission to share your personal data with 3rd Parties we will, where appropriate, ensure that they have signed a contract that requires them to:

  • Abide by the requirements of all relevant data protection and privacy legislation;
  • Treat your information as carefully as we would;
  • Only use the information for the purposes it was supplied (and not for their own purposes or the purposes of any other organisation); and
  • Allow us to carry out checks to ensure they are doing all these things.

If you provide your data through a third party, we may share data with that lead provider in order to assist with the management of the services and to streamline client contact.

We may, from time to time, disclose your data to and receive from your lenders, underwriters, official receiver/insolvency practitioner and our processors, referrers, external auditors & regulator.

We may have to disclose your personal data with other third parties as set out below. These organisations or bodies will not use your information to contact you. These third parties will be subject to obligations to process your personal information in compliance with the same safeguards that we deploy.

  • HM Revenue & Customs: We’re required to disclose certain data with the HMRC.
  • Financial Conduct Authority (FCA): We’re regulated by the FCA, so we may have to disclose small amounts of data with them for auditing purposes.
  • There may be other regulators and authorities such as Solicitors and Accountants, acting as processors based in the United Kingdom who require reporting of processing activities in certain circumstances.

Selling your personal data

Gladstone Brookes may choose to sell your personal data.

You have the Right to Object to us selling your personal data at any time and can do so by informing us by telephone, post or email.

Where we choose to sell your information, we shall do so in the following circumstances:

  • Where we have your “Consent” to do so;
  • Where we have a “Legitimate Interest” to do so, including;
    • Where required for a proposed sale; reorganisation; transfer; financial arrangement; asset disposal; or any other transaction relating to our business and/or assets held by our organisation.
    • For the purposes of generating revenue for our business we may sell your data to the categories of industry listed below:
Financial Services
Mortgages Life Insurance Home & Contents Insurance Car Insurance Legal Services – Conveyancing, Wills, Trusts etc Mis-Sold Financial Products Banking
Financial Products Claims Management Pre-paid Funeral Plans Funeral Plan Private Medical Insurance Breakdown Cover and Recovery Services Travel Insurance
Other
Charities Lifestyle Mail Order Marketing services Entertainment, Gaming, Leisure Public Sector Fast Moving Commercial Goods (FMCG)
Publishing/Media Retail & Lifestyle Gambling and Lotteries Travel Cosmetic Services Health and Beauty Trace, Asset Repatriation and Debt Collection

International Personal Data Transfer – Countries & Organisations.

Gladstone Brookes may transfer personal data to countries outside of the UK and/or EEA. Specifically, we use data processors based in South Africa.

If data is transferred outside of the EEA, Gladstone Brookes will put in place Standard Contractual Clauses with the Data Controller or Data Processor which contractually obliges them to protect your information to the same standard required by the General Data Protection Regulation and Data Protection Act 2018 post 31 December 2020.

Personal Data Retention Period

Gladstone Brookes has the following data retention policies:

  • Where a Regulating Body directs a statutory retention period, we shall retain the relevant data for the statutory period. For example, your financial transactions data shall be retained for 7 years;
  • Where you have purchased, or enquired about purchasing, a Gladstone Brookes product or services, we shall retain any personal details applicable to the contract delivery for a period of 7 years (name, email, telephone, postal address) after completion of the contract. During this time, we may contact you using legitimate interest to market additional products or services.
  • Where you have downloaded free content from our site, we shall retain your contact details (name, email, mobile telephone number, company, job title) for a period of 2 years, or until you exercise your Right to Object or opt out. During this time, we may contact you using legitimate interest to market similar free content that may be of interest to you.
  • Where you have signed up to receive information emails from Gladstone Brookes, we shall retain your contact details (name, email, mobile telephone number, company, job title) for 2 years, or until you withdraw your consent.
  • Prospect contact details. Where you have enquired about one of our products or services that is designed to assist you to claim money that you are owed, enable you to save money; and/or will strengthen your financial position we shall retain your contact details for 2 years, or until you withdraw your consent, so that we may keep you informed if:
    • We expanded our portfolio of product or service offerings;
    • Where a new and/or additional PPI claim may be made that may come about due to current legal challenges, future legal challenges and/or fresh evidence of mis-selling.
    • New or emerging product or service offerings that may enable you to claim money that you are owed, will save you money or will strengthen your financial position are introduced.
  • Client contact details. Where you have completed part or all of our website “PPI Claim” webform and/or we have provided you with a product or service that is designed for you to claim money that you are eligible to claim; and/or will enable you to save money; and/or will strengthen your financial position, we shall retain your contact details for direct marketing purposes for 7 years after any associated deadline (for example the PPI deadline) or full delivery of the product/service we have provided, so that we may keep you informed:
    • If we and/or any of our trading styles or group entities expand our portfolio of product or service offerings;
    • Where a new and/or additional PPI claim may be made that may come about due to current legal challenges, future legal challenges and/or fresh evidence of mis-selling.
    • New or emerging product or service offerings that may enable you to claim money that you are owed, will save you money or will strengthen your financial position are introduced.
  • For our PPI claims service, we shall retain your contact details and relevant PPI claims data for 7 years after the PPI deadline. We retain your data for this period of time to enable us to contact you about any changes or challenges to the PPI deadline and/or the circumstance where a claim may be made that may come about due to current legal challenges, future legal challenges and/or fresh evidence of mis-selling.
  • When we no longer need this information, we will anonymise your data and/or dispose of it securely.

The rights available to individuals in respect of the processing

Unless subject to an exemption under legislation, you have the following rights with respect to your personal data:

  • Your right of access. You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about your Right to Access here. In most cases Gladstone Brookes will not charge for this service however we do have the right to charge an administrative cost should we feel the request is excessive (excessive means that you submit a subject access request multiple times for the same or similar information). Fees will not exceed £50. Information will be provided within 28 calendar days from the day you request it. We will take all reasonable steps to verify your identity before providing you with details of any personal information we may hold about you.
  • Your right to rectification. You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about your Right to Rectification here.
  • Your right to erasure. You have the right to ask us to erase your personal information in certain circumstances. You can read more about your Right to Erasure here.
  • Your right to the restriction of processing. You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about your Right to the Restriction of Processing here. You have the right to object to processing if we are able to process your information because the process forms part of our public task, or is in our legitimate interests. You can read more about your Right to Object to Processing here.
  • Your right to data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about your Right to Data Portability here.

If you wish to exercise any of your individual rights, you can do so by informing a member of our team or by contacting our Data Protection Officer by emailing dpo@gladstonebrookes.co.uk.

Automated decision-making, including profiling.

When using some of our services you may have the option to undertake our Digital Journey, which is an automated online experience. We have built logic and analysis into our Digital Journey that will make decisions on the validity of your case submission, but you can rest assured that throughout this process there is the facility to query the processing with us in person.

For more information on how our Digital Journey works and the automated decision making, please feel free to get in touch with our Data Protection Officer.

To restrict marketing for services that you have already expressed an interest in we may use your data to check which services you have expressed an interest in and hash the data in house in order to ensure that your personal data is not disclosed during this process.

Your Right to Lodge a Complaint with the ICO

You have the right to lodge a complaint with the UK’s Supervising Authority: The Information Commissioners Office. Prior to lodging a complaint, Gladstone Brookes would like the opportunity to address any complaint you may have.

Should you have a complaint please in the first instance contact our Data Protection Officer by emailing dpo@gladstonebrookes.co.uk or writing to:

Data Protection Officer
Gladstone Brookes
47 Museum Street,
Warrington,
Cheshire,
WA1 1LD

If your complaint has not been resolved, you can lodge a complaint with the Information Commissioners Office via email https://ico.org.uk/global/contact-us/email/ or by writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire.
SK9 5AF.
Or by telephone on 0303 123 1113.

Menu