John Grant Limited – Data Protection (GDPR) (Privacy) Policy

Personal data is any information relating to an identified or identifiable living person. John Grant Limited processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ. 

When collecting and using personal data, our policy is to be transparent about why and how we process personal data. To find out more about our specific processing activities, please go to the relevant sections of this statement.

WHAT INFORMATION DO WE GATHER?

To be able to provide you with the best service possible, we will need to gather certain personal information from you when you contact or interact with us. We will also use this information for security, identification and verification purposes.

We will only ever collect information that helps us provide our services to you. We will keep your information for as long as is needed and only for the following purposes:

  • legitimate business activities
  • statutory or legal obligations
  • auditing and regulatory purposes

When you make an enquiry with us about any of the services we offer, we’ll ask you to provide some contact information. This may include some or all of the following:

  • full name
  • previous names
  • current home address
  • previous residential addresses
  • date of birth
  • landline and mobile phone number
  • email address

If you give personal information about someone else (such as a joint applicant), you must have their permission to do so.

Once we have gathered information from you and you subsequently make contact with us, we will use specific pieces of your information to help us identify you and verify that we are dealing with the right person.

Where we offer other products such as insurance, we will need to collect and process information that is “sensitive”. This type of information includes details about your health and any criminal convictions you have. Before we gather this type of information we will explain to you why it is required and will always store this information securely.

Throughout your relationship with us, we will hold your personal information securely in our systems. This will include any information provided by you or others (for example, if you’re making a joint application) in various ways, including (but not limited to):

  • in applications, emails and letters, during telephone calls and conversations in our offices, when registering for services, when using our website, and during fact find reviews and interviews.
 
If there is a change to any of your personal information and you notify us, we will update your records in our systems. Where we have introduced you to another organisation, we are unable to update your details with them and you will need to contact them personally to notify them of these changes.

If someone gives information about you – or you give us details about someone else – we may add it to the personal information we already hold about you or them. This will only be used in the ways we describe in this privacy notice.

When arranging a mortgage or insurance for you, we will need to ask you for your direct debit details to pass onto the lender or insurance provider so it can collect payments. Where we charge a fee for arranging a mortgage, or the mortgage we are arranging carries a cost – for example, a valuation fee – we will need to ask you for payment information such as your debit card or credit card details.

HOW DO WE USE YOUR PERSONAL INFORMATION?
We use your personal information in various ways.

We will use it to confirm that you are who you say you are when you contact us. We will use it to verify your name and address by checking your details against our databases and to check against information held by credit reference agencies and the electoral roll. We will also use the personal information we gather from you to formulate our advice and recommendations for the services we offer and to submit applications to lenders and product providers.

Before we submit any transaction to a lender or product provider, the law requires us to have verified your identity. This makes it harder for criminals to use financial systems, or to use false names and addresses to steal the identities of innocent people. Checking everyone’s identity is an important way of fighting money laundering and other criminal activities. We will therefore also ask you to provide us with documents that confirm your identity.

The law requires us to comply with a number of regulations. Where necessary, we use your personal data to allow us to fulfil our legal and regulatory requirements.

We will only share personal information with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards. We use third parties to help us run our business. To fulfil our contractual obligations, we may share your personal data with these third parties:

  • Mortgage lenders
  • Insurance providers (e.g. Life & Critical Illness insurance)
  • General insurance providers (e.g. Home insurance)
  • Estate agents (if you were introduced to us by one of our estate agent partners)
  • Mortgage Broker (if you were introduced to us by our in-house mortgage broker)
  • Lexis Nexis (for identity checking)
 

Your personal data may be transferred to these authorised parties: 

Third party organisations that provide IT services and applications, administrative functions and support.

We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud-based software-as-a-service providers, identity management, website hosting and management, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal data may be stored in any one of them.

Auditors and other professional advisers.
We engage auditors and professional advisers to perform specific work that helps us meet our legal, regulatory and statutory responsibilities. Any auditors or professional advisers that we use will have contractual arrangements and security mechanisms in place to protect data and to comply with our data protection, confidentiality and security standards.

Law enforcement or other government and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation.
We perform anti-fraud, credit and security checks using your details and receive information about you from other sources (such as credit reference agencies) which will be added to the personal information which we already hold about you.

We may use your information for fraud investigation, detection and prevention measures. We may also use your information for the investigation, detection and prevention of crime (other than fraud).

Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as the police, regulatory bodies or legal advisers, in connection with any alleged criminal offence, unlawful activity or suspected breach of the Terms of Use and/or the breach of other terms and conditions, or otherwise where required by law or where we suspect harm or potential harm to others. We will co-operate with any law enforcement authorities or court order requesting or directing us to disclose the identity or location of, or any other information about, anyone breaching any relevant terms and conditions, or otherwise for the prevention or detection of crime or the apprehension or prosecution of offenders. We shall not be obliged to give you any further notice of this.

Third parties
Sometimes we may pass your information on to third parties who provide services to us. When we do this it is on the understanding that they care for your information as carefully as we do, keep it confidential and use it only for the agreed purposes above.

What is the legal basis for handling personal information?

Contract –
We rely upon this basis because you will provide us with your personal data as you want to use our services. This means that our use of your information is governed by contract terms. It is your choice to give us this information, however if you choose not to provide it, we may not be able to offer some or all of the services you require.

We require this information in order to understand your needs and provide you with a better service and in particular for the following reasons:

  • Internal record keeping
  • We may use the information to improve our products and services
  • We may contact you by email, phone or mail if requested by you to do so by completing an online enquiry form
  • Understanding your circumstances and requirements
  • Assessing risks
  • Formulating our advice and recommendations to you
  • Updating, consolidating and improving the accuracy of our records
  • Confirming your identity and verifying the information you provide
  • Providing and improving customer support
  • Sending you service communications
  • Responding to your enquiries and complaints
 

Legitimate interest –
We rely on this basis for processing personal data for the following benefits:

  • Helping to prevent and detect crime such as fraud and money laundering – Fraud and money laundering cost the British economy billions of pounds every year. This cost ultimately reaches the public in the form of higher prices. We can help stop this from happening by using your personal data to avoid fraud, identity theft and terrorism.
  • Complying with legal and regulatory requirements – We must comply with various legal and regulatory requirements. We are regulated by the Financial Conduct Authority and sometimes we may be required to provide information to it as part of our regulatory responsibilities.
  • Ongoing service – When the product or service that we have recommended to you expires or is due for renewal, we will contact you beforehand to notify you of this so we can start to explore the current options available to you.
  • Training our staff – To offer you the best standards of service we use the information we collect to train our staff so they can assist you better.
  • Maintaining our records and other administrative purposes – We always strive to provide the most accurate information to our customers and clients.
  • Resolving complaints and disputes – If you have a reason to make a complaint, we will use the information which you have provided and our internal records to look into things for you.
  • Improving data accuracy and completeness – When you register for our services you may give us additional information about yourself; we’ll use this to improve the accuracy and completeness of our data.

Your Rights
Under Data Protection Regulations individuals have a number of rights. These include:

  • Right to be informed – Individuals have the right to be informed about the collection and use of their personal data. We do this in our privacy policy.
  • Right of Access – Individuals have the right to access their personal data and supplementary information. Individuals have the right to obtain:
  1. Confirmation that their data is being processed
  2. Access to their personal data
  3. Other supplementary information

We will not charge for initial requests to provide information but may charge a fee if requests for further copies of the same information are made. We will provide the requested information to you within 1 month of receiving your request, unless the request is complex or numerous in which case we may extend this period by up to a further 2 months.

Where a request is manifestly unfounded or excessive, particularly if it is repetitive, we may charge a fee to provide the information requested or refuse to respond. In these instances we will inform you and explain our reason.

Before complying with any request we will take steps to verify the identity of the person making the request.

  • Right to rectification – Individuals have the right to request that inaccurate personal data is rectified, or completed if it is incomplete. If you make such a request, we will take steps to verify whether the data is accurate. Where we accept that the information is inaccurate we will take steps to rectify it. If we believe the information is accurate and does not require rectification we will notify you and explain our reason.
  • “Right to be forgotten” – Individuals have the right to have their personal data erased if:
  1. The personal data is no longer necessary for the purpose for which it was originally collected.
  2. We rely upon legitimate interest as our basis for processing and you object to the processing of your data and there is no overriding legitimate interest to continue this processing.
  3. We have processed your data unlawfully.
  4. We have to do it to comply with a legal obligation.
 

We are regulated by the FCA and are required to retain records that demonstrate the advice we provide to our customers. These records contain personal information and data that enables us to formulate our advice. We will not remove or delete any personal information or data until such time as our regulatory obligation has been fulfilled in respect of each transaction or piece of advice.

  • Right to data portability – The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. The right to data portability only applies to the data you have provided to us and where the processing is based on your consent or the performance of a contract.
  • Right to object – Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest, direct marketing or processing for the purposes of scientific/historical research and statistics. If you exercise this right we will stop processing your personal data unless there are compelling legitimate grounds for us to continue to process, which override your interest, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
 

Automated decision making
Sometimes it is necessary for us to approach a lender to obtain an initial decision for a mortgage (DIP or AIP). To obtain a DIP we may process your personal information through a lender's automated decision making system which will provide an initial lending decision based on logic/algorithms programmed into it. We will always gain your consent before completing a DIP. Whilst we don’t set or determine the logic/algorithms used in the automated decision system we can put you in touch with the respective lender should you require it.

To exercise any of your rights you can contact us as detailed below:

In Writing:
Data Protection Officer
John Grant Limited
7 High Street
Newtownards
Co Down
BT23 4JN
Email: john@johngrantlimited.co.uk

Call: 028 91 828 100

We take privacy and your personal information very seriously. If you ever feel you need to complain about how we have handled your personal information and data you can also contact us at the above address.

If your complaint is about the administration or terms and conditions of a product sold by us but provided by a lender/insurer you may need to contact them about it. If needed we will forward details of your complaint to the party concerned as well as giving them your contact details.

If you’re still unhappy with any aspect of how we handle your personal information, you also have the right to contact the Information Commissioner’s Office (ICO). The ICO is the UK’s independent body set up to uphold information rights. You can contact it as follows:

Website: https://ico.org.uk

In writing: Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Call: 0303 123 1113

How do we keep your personal information secure?
At John Grant Limited we understand how important it is to keep your personal information secure. We use a variety of technologies and procedures to protect your private data from being accessed, used or disclosed in any way it shouldn’t be. The security arrangements we’ve put in place include physical, organisational and technological measures and controls.
We regularly review our policies and procedures to make sure they remain relevant.

How long do we keep your personal information for?
We’ll keep your personal information securely stored for as long as we need it to provide you with the services you want from us. We also keep it to comply with our legal and regulatory obligations and to help us resolve any issues or disputes that may arise.

Depending on what information we hold and what products or services you are signed up to we may need to retain certain details for longer than others. In every case we regularly reassess whether we need to hold your personal information and securely dispose of any information that we no longer need.