Boris App: Privacy Policy
Introduction
Benefits Communication Limited (“Benefits Communication”) is dedicated to protecting the confidentiality and privacy of information entrusted to us. Please read this Privacy Notice to learn about what information we hold, how we use and protect it.
This notice applies to any personal data we hold about individuals. In this notice “you” refers to any individual whose personal data we hold or process. “Personal data” means information that relates to you as an identified or identifiable person.
This notice is governed by the EU General Data Protection Regulation (the “GDPR”).
Who we are
Benefits Communication (“we” or “us”) provide an online, cloud-based solution for Advisers, their employees and their clients to hold and process personal data on behalf of you, their client. Benefits Communication is a “data processor” and processes data provided to us by third parties e.g., Advisers or Accountants who you may have authorised to hold and process data on your behalf.
Benefits Communication Limited is registered, and operates, in England & Wales: registered number 0911418.
Who can you contact for privacy questions or concerns?
If you have you have questions or comments about this Privacy Policy or how we handle personal data, please direct your correspondence to: Data Protection Manager, Benefits Communication, Apsley House, 176 Upper Richmond Road, London, SW15 2SH or email boris@benefitscommunication.co.uk. We aim to respond within 30 days from the date we receive privacy-related communications.
You may contact the UK Information Commissioner’s Office at https://ico.org.uk/concerns/handling/ to report concerns you may have about our data handling practices.
Lawful basis for processing your personal data
We may rely on the following lawful reasons when we collect and process your personal data to operate our business and provide our products and services.
To fulfil a contract we have with your Adviser;
You have provided consent to your Adviser for the processing of your data.
When it is in our legitimate interests – we may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced, including delivering the professional services you , your Adviser or your Accountant may have engaged us to provide; or
To comply with legal and regulatory obligations.
What information do we collect about you?
We may collect and process the following categories of personal data about you.
Financial
Your financial position, status and history.
Contact
Your name, where you live and how to contact you.
Socio-Demographic
This includes details about your work or profession, your gender, marital status, nationality and any other information you provide.
Health
This will include any health information you have provided to us or your appointed Adviser or Accountant.
Employee Benefits
Details about your employee benefits.
Family and beneficiary
Marital status, dependants, and other relationships, including names and dates of birth
National Identifier
A number or code given to you by a government to identify who you are, such as a National Insurance or social security number, or Tax Identification Number (TIN).
Technical and Geographical
When you log onto our portal, we collect information which includes your Internet Protocol (IP) address, your log-in information, your geographical location, your browser and browser plug-in type and version, and your operating system and platform.
How do we collect personal data?
Directly: This will include any information you provide when you use our cloud based Client Portal.
Indirectly: We can obtain personal data indirectly about you from a variety of sources, including the following:
Advisers – the majority of the information that we process will be provided by your Adviser. Your Adviser can provide personal data about you to us in order for us to deliver our services to them and to you;
Other third-party providers –your Adviser may have authority to gather your personal information from other third-party providers such as your pension provider which could then be passed on to us or where your authority has been provided information can be passed on an automated schedule (for example fund valuations).
What we use your personal data for
We use personal information for the purpose for which it has been provided to us, or to fulfil legal or regulatory requirements if necessary. We have a legitimate interest in holding and processing information provided to us in order to provide our services, as well as to manage our relationship with your Adviser, including providing you or your Adviser with notifications about any changes to the services we offer.
We use your IP address to diagnose problems with our server, report aggregate information, and determine the fastest route for your computer to use in connecting to our website and portal (collectively called “site”), and to administer and improve the site.
Sharing your information
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or your Adviser or where we have another legitimate interest in doing so. We may share your information with certain suppliers who may assist us with the management of this Client Portal or other IT services.
Where we do supply your personal data to a third party, they will only be authorised to process it for specified purposes and not for use for their own purposes.
Security
We have put in place appropriate measures to protect the security of your information.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to your Adviser, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Data Retention
We will retain an individual’s personal data until their Adviser terminates their relationship with us, for so long as the purpose your Adviser has provided it for still exists, unless a longer retention period is required or permitted by law, including:
To respond to a question or complaint, or to show whether we gave you fair treatment.
To obey rules that apply to us about keeping records, generally 3-8 years.
We may also keep your data for longer than 8 years if we cannot delete it for other legal, regulatory or technical reasons.
For any category of personal data not specifically defined in this notice, and unless otherwise specified by applicable law, the required retention period for any personal data will be deemed to be 7 years from the date of receipt by us of that data.
We will only use your personal information for those purposes and will make sure that your privacy is protected at all times.
Your privacy rights
The GDPR gives you the following rights in respect of personal data we hold about you:
The right of access You have the right to see personal data that is held about you and a right to have a copy provided to you.
The right to correction If at any point you believe that the personal data we hold about you in inaccurate, you can ask to have it corrected.
The right to erasure (the ‘right to be forgotten’) You may ask us to delete or remove personal data if there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), if we may have processed your information unlawfully or if we are required to delete your personal data to comply with local law.
We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
The right to object to processing Unless we have overriding legitimate grounds for such processing, you may object to us using your personal data if you feel your fundamental rights and freedoms are impacted.
The right to restrict processing You can request that we no longer process your personal data in certain ways, whilst not requiring us to delete the same data.
The right to data portability You can request the transfer of your personal information to another party (where technically possible).
Right to withdraw consent If we are relying on your consent as the basis on which we are processing your personal data, you have the right to withdraw your consent at any time.
If you would like to exercise any of your above rights, please contact the Data Protection Manager in writing (or email) as detailed above.
We will endeavour to comply with such requests as soon as possible but in any event we will comply within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).
Data Breaches
If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to the Information Commissioner’s Office (ICO) and our Data Protection Manager.
If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible.
Other websites
Our websites may contain links and references to other websites. Please be aware that this notice does not apply to those websites. Please review the destination websites’ privacy policies before submitting personal data on those sites. In addition, if you came to us via a third-party site, we cannot be responsible for the privacy policies and practices of the owners or operators of that third-party site.
Cookies
We use strictly necessary and functional cookies to enable you to move around the website and portal efficiently and to provide basic features e.g., cookies that enable a faster browsing experience. No tracking or performance cookies are used.
Transferring your information outside Europe
We store personal data on servers located in the European Economic Area (EEA) and transfer data to other parties within the EEA. There are certain cases where your Adviser may request, we transfer your personal data to another company in contract with them or within their group of companies that is situated outside the EEA. We carry out these requests on the understanding that your Adviser, in their capacity as the “data controller”, can provide “sufficient guarantees” that the requirements of the GDPR will be met and that your rights will be protected.
Notification of changes to the contents of this notice
We will post details of any changes to our policy to our website, to help ensure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.
Policy towards children
Our services are not intended for and should not be accessed by individuals under 16. Our policy is not to intentionally or knowingly collect, process, maintain or use personal information from any individual under the age of 16.