We take your privacy very seriously. Please read this privacy policy carefully because it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
We collect, use and otherwise process certain personal data about you. When we do so we are responsible for our data processing activities in accordance with the UK General Data Protection Regulation (UK GDPR) to which we are subject.
This policy applies whenever we process your personal data, for example when you use our website, www.friendmts.com or when you interact with us in any other way (unless you are one of our employees or applying for a job with us, in which case our employee or job applicant data protection notice applies instead).
Here are some key terms used in this policy:
We, us, our
Friend MTS Limited, incorporated in England and Wales with registered number 03513618, registered office Eleven Brindley place, 2 Brunswick Square, Birmingham, B1 2LP and any companies in its group
Personal data
any information relating to an identified or identifiable individual
Process
any operation carried out on personal data, including collecting, organising, storing, retrieving, using, disclosing, transferring and deleting
Special category personal data
Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership
Genetic and biometric data (when processed to uniquely identify an individual)
Data concerning health, sex life or sexual orientation
Data subject
The individual who the personal data relates to
We may collect and use the following personal data about you:
• your name and contact information, including email address and telephone number and details of your employer
• information to check and verify your identity, e.g. your date of birth
• your gender
• location data
• billing information, transaction and payment card information
• your personal or professional interests
• your professional online presence, e.g. LinkedIn profile
• your contact history
• information from accounts you link to us, e.g. Facebook
• information about how you use our website, IT, communication and other systems
• your responses to surveys, competitions and promotions
• information included in your communications with us.
We generally collect and use this personal data to provide our technology solutions (products) and/or services, communicate with our customers, suppliers (actual, prospective and past) and other third parties and more specifically as set out below. Because our products and services are aimed at business customers, we are most likely to process your personal data if you work for one of our actual, potential or past customers, suppliers, partners or intermediaries (Business Partners) or if your own unincorporated business is a Business Partner.
We collect most of this personal data directly from you—in person, by telephone, direct messaging, text or email and/or via our website and apps. However, we may also collect information:
• from publicly accessible sources, e.g. Companies House;
• directly from third parties, such as:
– your employer
– sanctions screening providers;
– credit reference agencies; and
– due diligence providers;
• from cookies on our website—for more information on our use of cookies, please see our cookie policy.
• via our IT systems.
Consistent with data protection law, we only process your personal data to the extent we have a proper legal basis for doing so. Our legal basis for processing your personal data will be one or more of the following:
• to comply with our legal and regulatory obligations; (Legal Obligation);
• to perform a contract with you or take steps at your request before entering into a contract (Contract);
• on a case-by-case basis, where you have given specific, informed and voluntary consent (Consent); or
• for our legitimate interests or those of a third party, unless they are overridden by your interests, rights or freedoms which require your personal data to be protected (Legitimate Interest).
We might carry out an assessment when relying on legitimate interests, to balance our interests against your own.
The table in Schedule 1 sets out the purposes for which we process your personal data and the legal basis of processing that usually applies for each purpose. Where Legitimate Interest applies, the table also describes the nature of the likely interest.
In the unlikely event that we process your special category personal data, our legal basis will be one of the following:
• we have your explicit consent;
• this is necessary to protect your (or someone else’s) vital interests where you are incapable of giving consent; or
• this is necessary to establish, exercise or defend legal claims.
We routinely share personal data with:
• third parties we use to help deliver our products or services, e.g. sub-contractors, payment service providers, mailing houses and delivery companies;
• other third parties we use to help us run our business, e.g. marketing agencies or website hosts;
• third parties approved by you, e.g. social media sites you choose to link your account to or third party payment providers;
• companies within our group, such as Friend MTS (US) Inc.
• credit reference agencies;
• our insurers and brokers; and
• our bankers.
Where these service providers and other third parties act as data processors on our behalf, we only appoint them if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on those service providers to ensure they can only use your personal data to provide services on our instructions.
We may also need to:
• share personal data with external auditors, e.g. in relation to accreditations and the audit of our accounts;
• disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations;
• share personal data with other parties, such as potential buyers of some or all of our business or during a restructuring—usually, information will be anonymised, but this may not always be possible, however, the recipient of the information will be bound by confidentiality obligations.
We will keep your personal data only for so long as is necessary for the purposes of our processing or for any legally required period.
Broadly, this is for as long as we have an active relationship with you or your employer and for as long as necessary afterwards:
• to respond to any questions, complaints or claims made by you or on your behalf;
• to keep records required by law; and
• to enforce or defend our rights against any possible legal action for the applicable limitation period, typically six years after the cause of action arose.
Because the purposes and types of personal data that we process vary, different retention periods apply. These periods are set out in Schedule 2, Retention. These are maximum periods and we may delete your personal data earlier.
To deliver services to you, it is sometimes necessary for us to share your personal data outside the UK and EEA, e.g.:
• with our offices or other companies within our group located outside the UK/EEA;
• with your and our service providers located outside the UK/EEA;
• where there is a European and/or international dimension to the services we are providing to you.
Under data protection law, we can only transfer your personal data to a country outside the UK and EEA where:
• the UK government or EU Commission has decided the particular country ensures an adequate level of protection of personal data (an adequacy decision);
• there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
• a specific exception applies under data protection law
These are explained below.
We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:
• all European Union countries, plus Iceland, Liechtenstein and Norway (the EEA), Gibraltar; and
• Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay and certain organisations in Canada (where the data is subject to PIPEDA and the USA (where the EU-US privacy shield applies).
The countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.
Other countries to which we may transfer personal data do not have an adequacy decision. Where there is no adequacy decision, we may transfer your personal data to another country if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.
The safeguards will usually include using legally approved standard data protection contracts/clauses, such as the IDTA and Addendum (see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ or you can contact us to obtain a copy – see ‘How to contact us’ below).
In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, namely:
• you have explicitly consented to the proposed transfer after having been informed of the possible risks;
• the transfer is necessary for the performance of a contract between us or to take pre-contract measures at your request;
• the transfer is necessary for a contract in your interests, between us and another person; or
• the transfer is necessary to establish, exercise or defend legal claims
We may also transfer information for the purpose of our compelling legitimate interests, so long as they are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers, and we will provide relevant information if and when we seek to transfer your personal data on this ground.
You have the following rights, which you can exercise free of charge:
Access
The right to be provided with a copy of your personal data
Rectification
The right to require us to correct any mistakes in your personal data
Erasure (also known as the right to be forgotten)
The right to require us to delete your personal data — in certain situations
Restriction of processing
The right to require us to restrict processing of your personal data in certain circumstances, e.g. if you contest the accuracy of the data
Data portability
The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party — in certain situations
To object
The right to object:
—at any time to your personal data being processed for direct marketing (including profiling);
—in certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests.
Not to be subject to automated individual decision making
The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you
For further information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below).
If you would like to exercise any of those rights, please:
• email us — see below: ‘How to contact us’; and
• provide enough information to identify yourself (e.g. your full name, address, employer and customer, supplier or product reference number) and any additional identity information we may reasonably request from you;
• let us know what right you want to exercise and the information to which your request relates.
We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We continually test and improve our systems.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where legally required to do so.
Please contact us if you have any query or concern about our use of your information (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.
You also have the right to lodge a complaint with the Information Commissioner. The Information Commissioner may be contacted at https://ico.org.uk/make-a-complaint or telephone: 0303 123 1113.
This privacy notice was published on 15 November 2021 when it replaced any previous privacy policy published on our website.
You can contact us by post, email or telephone if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint. Our contact details are shown below.
Legal Counsel, Friend MTS Limited, 177 Shaftesbury Avenue London WC2H 8JR
Purpose: Providing products and/or services to or purchasing them from your business or that of your employer
Legal Basis: Contract
Purpose: Preventing and detecting fraud against you or us
Legal Basis: Legitimate Interest – to minimise fraud that could be damaging for you and/or us
Purpose: Conducting checks to identify Business Partners and verify their identity
Screening for financial and other sanctions or embargoes
Other activities necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g. under health and safety law
Legal Basis: Legal Obligation
Purpose: Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies
Legal Basis: Legal Obligation
Purpose: Ensuring business policies are adhered to, e.g. policies covering security and internet use
Legal Basis: Legitimate Interest – to make sure we are following our own internal procedures or your procedures, so we can deliver the best service
Purpose: Operational reasons, such as improving efficiency, training and quality control
Legal Basis: Legitimate Interest – to be as efficient as we can so we can deliver the best service to you
Purpose: Ensuring the confidentiality of commercially sensitive information
Legal Basis: Legitimate Interest – to protect trade secrets and other commercially valuable information
Legal Obligation
Purpose: Statistical analysis to help us manage our business, e.g. in relation to our financial performance, customer base, product range or other efficiency measures
Legal Basis: Legitimate Interest – to be as efficient as we can so we can deliver the best service to you
Purpose: Preventing unauthorised access and modifications to systems
Legal Basis: Legitimate Interest – to prevent and detect criminal activity that could be damaging for you and/or us
Legal Obligation
Purpose: Updating and enhancing Business Partner records
Legal Basis: Contract
Legal Obligation
Legitimate Interest – making sure that we can keep in touch with our Business Partners about existing orders and new products
Purpose: Statutory returns
Legal Basis: Legal Obligation
Purpose: Ensuring safe working practices, staff administration and assessments
Legal Basis: Legal Obligation
Legitimate Interest – to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you
Purpose: Marketing our services and those of selected third parties to:
—existing and former Business Partners;
—third parties who have previously expressed an interest in our services;
—third parties with whom we have had no previous dealings.
Legal Basis: Legitimate Interest – to promote our business to existing and former Business Partners and others
Purpose: Credit reference checks via external credit reference agencies
Legal Basis: Legitimate Interest – to ensure our actual and prospective Business Partners and suppliers are solvent and likely to be able to meet their obligations
Purpose: External audits and quality checks, e.g. for ISO or Investors in People accreditation and the audit of our accounts
Legal Basis: Legitimate Interest – to maintain our accreditations so we can demonstrate we operate at the highest standards
Legal Obligation
Record: Account details
Retention period*: 7 years from end of relationship, i.e. end of contractual relationship or date of last contact (whichever is later)
Record: Sales/purchase analysis records
Retention period*: 5 years from the date of the earliest record being analysed
Record: Business Partner advice and opinions
Retention period*: 7 years from end of relationship with Business Partner
Record: Business Partner complaints
Retention period*: 7 years from end of relationship with Business Partner (including any extension to the relation while dealing with the complaint)
Record: Details of products/services not taken up
Retention period*: 5 years from end of relationship with Business Partner
Record: Voice recording
Retention period*: 6 months from date of the telephone conversation, provided that the period may be extended where there is an ongoing complaint or dispute
Record: Business Partner feedback — employee performance
Retention period*: 18 months from the date of the record
Record: Reviews by Business Partners
Retention period*: 5 years from end of relationship
Record: Records of Business Partners who have signed-up to receive non-marketing newsletters
Retention period*: Until Business Partner unsubscribes
Record: Business Partner relationship management records — of former, current and potential Business Partners
Retention period: 2 years from last active engagement with Business Partner
Record: Direct marketing information relating to a current Business Partner,
Retention period: 2 years from last active engagement
Record: Direct marketing information relating to a potential Business Partner
Retention period: 2 years from data collection
Record: Information recorded on marketing suppression lists, ie individuals who have notified as they do not wish to receive marketing communications
Retention period: 50 years from the date the marketing opt-out request was received
Record: Website cookie data for targeted advertising
Retention period: 12 months from the date the cookie or tracking code was created
Record: Management of data subject requests
Retention period: 3 years from the date the request is completed (including regulatory appeals, investigations and court action), or last contact with data subject, whichever is later
Record: Data protection complaints
Retention period: 7 years from end of relationship with Business Partner (including any extension to the relation while dealing with the complaint)
Record: Compliance records
Retention period: 7 years from the date the document is no longer active or has been superseded
*In each case the retention period stipulated relates only to the personal data contained within the record after which time such data may be anonymised, pseudonymised or deleted and is a maximum period and without prejudice to our earlier deletion of the data.
© 2024 Friend MTS Limited | All Rights Reserved
