Where we decide how and why Personal Data is processed, we are a Controller. This is generally the role under which we process Personal Data.
Types of Personal Data
Given our role as facilitator of the Network, we may collect and process the following Personal Data of individuals at member firms:
- contact and personal details (including name, address, date of birth, employer name, copy of CV, contact title, phone, email and other business contact details);
- business activities;
- photographs if an individual is attending a Network conference or event, or chooses to upload a profile photograph;
- dietary requirements if an individual is attending a Network conference or event; and/or
- corporate contact details [and any other personal data collected via the portal] if an individual registers to join the Firm Portal which facilitates the sharing of information between member firms in the Network.
We may also collect and process the following Personal Data for our employees:
- contact and personal details (including name, address, date of birth, phone number, email and other family contact details);
- banking and financial details;
- recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process);
- employment records;
- CCTV footage, photographs;
- marital status/dependants.
The only time that we may collect Sensitive Personal Data is if data subjects provide dietary requirements by reference to religion and/or health conditions, or if MSIL employees include Sensitive Personal Data in visa applications. We will only process such data for legitimate purposes and with the consent of the Data Subject. Examples of other special categories include race or ethnic origin; political opinions; philosophical beliefs; trade union membership; genetic data; biometric data; sexual life or sexual orientation; and criminal records.
Collection of Personal Data
We will only collect such Personal Data that is necessary for us to facilitate the Network. This may occur in the following situations:
- the process of a firm applying to join the Network;
- producing the international directory of member firms and use of a search function;
- to check potential conflicts across the Network;
- audit and file review processes;
- to operate the Firm Portal;
- Network conferences and events.
Use of Personal Data
Here we set out the basis upon which we process Personal Data. Please note that we may process Personal Data for more than one lawful basis, depending on the specific purpose for which we are using that information.
We may process Personal Data for the purposes of our own legitimate interests in the effective facilitation of the Network, and in the effective and lawful operation of our business, provided that those interests do not override the interests, rights and freedoms of a Data Subject which require the protection of that Personal Data.
Examples of such processing activities are set out above.
Compliance with a legal obligation
We are subject to legal, regulatory and professional obligations. We will process Personal Data as necessary to comply with those obligations.
We are also required to keep certain records to demonstrate that our services are provided in compliance with our legal, regulatory and professional obligations.
In certain limited circumstances, such as where a Data Subject has agreed to receive marketing communications from us, we may process Personal Data by consent. Where consent is the only basis upon which Personal Data is processed the relevant Data Subject shall always have the right to withdraw their consent to processing for such specific purposes.
It is our policy to only process Personal Data by consent where there is no other lawful basis for processing.
We retain the Personal Data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
In the event that a member firm leaves the Network, any Personal Data that we hold relating to individuals at that firm will be deleted once those details are no longer required.
Personal Data that may be collected from member firms during our audit and file review processes will be stored for a maximum of 12 years (following three x three-year audit cycles).
Our standard email retention period is 10 years.
We continually review our data retention policies, and we reserve the right to amend the above retention periods without notice.
We take the security of all the data we hold very seriously. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.
We have put in place appropriate security measures to prevent Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We limit access to Personal Data to those employees, agents, contractors and other third parties who have a business need to know, and our IT systems operate on a ‘least privilege’ basis by default. Third parties will only process Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify any affected Data Subject and any applicable regulator of a suspected breach where we are legally required to do so.
In addition, we limit access to the Firm Portal to authorised representatives of member firms, who are required to create a dedicated user account with secure login credentials. The Firm Portal User Terms and Conditions strictly prohibit the sharing of login credentials.
We will share Personal Data with third parties where we are required by law, where it is necessary to administer our relationships between clients and Data Subjects, or where we have another legitimate interest in doing so.
As the Network is global, Personal Data may be transferred to member firms outside the European Union (EU) and to countries that do not have laws that provide specific protection for Personal Data. All Personal Data will be provided with adequate protection and all transfers of Personal Data outside the EU are done lawfully. Where we transfer Personal Data outside of the EU to a country not determined by the European Commission as providing an adequate level of protection for Personal Data, the transfers will be under an agreement which covers the EU requirements for the transfer of personal data outside the EU, such as the European Commission approved standard contractual clauses.
We will also share Personal Data with third-party service providers. For example, we use third parties to provide:
- our IT and cloud services, and to operate and manage these services;
- professional advisory services;
- administration services;
- marketing services;
- banking services.
All of our third-party service providers are required to take commercially reasonable and appropriate security measures to protect Personal Data. We only permit our third-party service providers to process Personal Data for specified purposes and in accordance with our instructions.
Rights and responsibilities
A Data Subject’s duty to inform us of changes
It is important that the Personal Data we hold about Data Subjects is accurate and current. On an annual basis we will use reasonable endeavours to contact Data Subjects to verify whether the information we hold about them is correct. However, at any time, please notify us of any changes in your personal information of which we need to be made aware by contacting us, either through your usual contact or by using one of the means set out at the end of this privacy notice.
A Data Subject’s rights in connection with Personal Data
Data Subjects may have certain rights under UK or EU law in relation to the Personal Data held by us about them. In particular, they may have a right to:
- request access to their Personal Data. This enables a Data Subject to receive details of the Personal Data we hold about them and to check that we are processing it lawfully;
- ask that we update the Personal Data we hold about them, or correct such Personal Data that they think is incorrect or incomplete;
- request erasure of their Personal Data. This enables a Data Subject to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. Data Subjects also have the right to ask us to delete or remove Personal Data where they have exercised their right to object to processing (see below). Please note that we may not always be able to comply with a request for deletion of Personal Data for legal reasons which will be notified, if applicable, after receiving such a request;
- object to processing of their Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about their particular situation which makes them want to object to processing on this basis. They also have the right to object where we are processing their personal information for direct marketing purposes;
- request the restriction of processing of their Personal Data. This enables a Data Subject to ask us to suspend the processing of Personal Data about them, for example if they want us to establish its accuracy or the reason for processing it;
- request the transfer of their Personal Data to them or another Controller if the processing is based on consent, carried out by automated means and this is technically feasible. Please note that, at the time of the drafting of this notice, we do not undertake any processing relevant to the exercise of this right.
Withdrawal of consent
Where we process Personal Data based on consent, individuals have a right to withdraw consent at any time. However, as noted above, we do not generally process Personal Data based on consent.
To withdraw consent to our processing of your Personal Data please email us at firstname.lastname@example.org or, to stop receiving emails from a marketing list, please click on the unsubscribe link in the relevant email received from us.
Contacting us to exercise a right
If any individual would like to exercise the above rights please contact us by sending an email or by one of the means set out at the end of this privacy notice. We may charge for a request to access details of Personal Data, if permitted by law. If a request is clearly unfounded, repetitive or excessive we may refuse to comply with that request.
Please note that it is our policy not to provide copy documents if we are contacted by a Data Subject seeking access to their Personal Data. We will comply with such a request in another way, usually by providing a newly created document listing the information we are required to provide under data protection law.
We may need to request specific information from those individuals who contact us to help us confirm their identity and ensure their right to access their personal data (or to exercise any of their other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact an individual to ask them for further information in relation to their request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if a request is particularly complex. In this case, we will notify the individual concerned and keep them updated.
Data Subjects also have the right to make a complaint to the ICO, the UK supervisory authority for data protection issues. For further information on individual rights and how to complain to the ICO, please refer to the ICO website.