GDPR

This privacy notice tells you what to expect when Numis collects personal information. This applies to information we collect about:

·     Clients and prospective clients

·     Contacts at firms we deal with in both a client and non-client capacity

·     People who call us

·     People who e-mail us

·     Visitors to our website

·     Job applicants and our current and former employees

 Numis may use personal data to provide services requested from us, manage accounts, make decisions, detect and prevent financial crime, for analysis and assessment, and to ensure that we comply with applicable legal and regulatory requirements. We do not pass your personal data to external marketers and would not do so without your explicit permission. 

What is Personal Data?

Under the General Data Protection Regulation, personal data is defined as:

“Any information relating to an identified or identifiable natural person”

A further level of personal data is Sensitive, or ‘special category’ personal data. The following data falls within this definition:

racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data
data concerning health 
data concerning a natural person's sex life or sexual orientation. 

Outside of the HR department, Numis records and retains very little data that would constitute ‘sensitive personal data’ as it largely has very little relevance to what we do as a business.

Your Data Rights?

Under the General Data Protection Regulation every individual has the following rights:

  the right to be informed; - i.e. what data is being gathered and how it is being used and stored
  the right of access; i.e. the right to see what personal data any company has relating to you
  the right to rectification; e.g. ensuring data are accurate and up to date, and corrected if not
  the right to erasure; - often referred to as ‘the right to be forgotten’ – erasure of all data at your request
  the right to restrict processing; i.e. to limit data usage
  the right to data portability; i.e. for your data to be sent to another company on your behalf, at your request
  the right to object; and – self explanatory
  the right not to be subject to automated decision-making including profiling. Numis does not use any automated decision making processes.

Please note these rights may be superseded in some cases. For example, as a regulated firm we have a legal obligation to retain records of clients and trades. This legal obligation could mean that even if we are asked by a client to erase or restrict their personal data, we may not be able to legally do so. We may also not be able to provide all personal data held if doing so would contravene the personal data rights of a third party. Each request will be dealt with on a case by case basis.

In order to legally process personal data we need to rely on one or more of the following conditions:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. 

If we have obtained your consent to process your data, you have the right to withdraw that consent, at which point we will no longer be able to process your data – if that is the only condition which we are relying upon to justify the processing.

Please note, however, that in cases where we have a legal obligation, we may need to continue to process your data regardless of consent.

Similarly, if you choose not to consent to our processing of personal data it may be the case that we would no longer be able to fulfill our contractual obligations and would have to effectively end our relationship – for example if a prospective employee declined to allow their data to be sent to a third party payroll provider, then we would not be able to make salary payment.

Visitors to our website

When someone visits http://www.numiscorp.com/x/default.html we use our third party web host E-Cube, to collect standard internet log information and details of visitor behaviour patterns. We do not use this and it is only processed in a way which does not identify anyone. We do not make, and do not allow E- Cube to make, or attempt to find out the identities of those individuals visiting our website.

Cookies

As with the above Cookies will be used to gather information about the users of the website but are not used by Numis or e-cube in any way to identify the individual users.

Clients

Numis has legal obligations under the money laundering regulations 2007 to identify and verify its customers and perform ongoing monitoring on customer data.  As part of customer identification (“KYC”) procedures Numis collects personal information and in some cases sensitive personal information, such as phone numbers, e-mail addresses and financial details, along with identification information such as date of birth, residential address and nationality.  Numis may also hold personal information (including sensitive personal information) obtained through publicly available sources such as credit agencies, media publications and company registries.

In the interests of fraud prevention and the prevention of financial crime(s) your customer identification data will be shared with third parties who perform monitoring services on behalf of Numis; these third parties are required to adhere to the same high privacy standards as Numis.

Your personal data will only be shared in accordance with data protection laws where deemed necessary and where third parties are providing services to Numis as part of our ongoing services and in order to satisfy our legal and regulatory obligations and/or provision of our ongoing services to clients. 

Numis also utilises cloud storage solutions that may in some cases mean that personal data will be stored on servers held in other countries, specifically the USA. We also have contracts in place with some data processors who work on our data in order for us to be able to fulfill our contractual obligations – specifically a firm in Sri Lanka which assists us with Singletrack software. As with all our third party data processors, they will be required to adhere to our high standards of data privacy. Under GDPR, all data processors – (i.e. external companies or individuals who process data on our behalf) have to do so under the terms of a written contract, holding the data processor to the standards of GDPR, whatever the jurisdiction they are present in – so that those who are outside of the EU still need to comply. We only have a small number of data processors based outside of the EU, and we have added an addendum to our contracts with these entities, covering GDPR responsibilities. 

People who contact us

Contact information obtained by Numis as part of business related discussions or data relating to existing client relationships may be held as part of our records for as long as deemed necessary in order to further prospective and ongoing client relationships.  Where contacted for marketing purposes these individuals will be given the opportunity to have their information removed from our records.  Otherwise information will be processed and deleted in line with our retention schedule.

Via e-mail

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with company policy.  Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

Over the Telephone

Numis records telephone calls as part of its ongoing regulatory obligations and for monitoring and training purposes. These calls are kept for a pre-determined amount of time; however this can be extended if our regulator makes such a request.  The calls are stored securely and with limited access given to specific employees.

Job applicants, current and former Numis employees

When individuals apply to work at Numis, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Criminal Records Bureau we will not do so without informing them beforehand unless the disclosure is required by law.  These checks are facilitated by a third party who is based in the EU and we expect to adhere to the same data privacy standards as Numis.

Personal information about unsuccessful candidates will be held and destroyed in line with our retention schedule after the recruitment exercise has been completed.  Some records are held to create a pipeline of talent for future recruitment.  We may retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Once a person has taken up employment with Numis, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once employment with Numis has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.

Employees of Numis agree that their personal data will be used and shared in accordance with our internal policies and that all correspondence made on work equipment will be recorded in line with our regulatory (FCA) requirements.

Data Retention

I.e. ‘how long we keep your data’. Numis retains personal data for set periods of time. We have a data retention schedule which sets out what kind of documents need to be retained, and for how long - different departments and paperwork are subject to varying legal obligations. For example the HR department’s data is commonly governed by employment law, while the compliance department commonly pays particular attention the money laundering regulations. These documents may contain personal data – most commonly in the form of names and email addresses. Once data has reached the end of its retention schedule it is safely destroyed. Please see link for our retention schedule here.

Organisational Security

Numis is committed to keeping your personal data safe and secure. Numis’ IT department utilizes advanced software to keep out external threats. Every employee has received face to face training on GDPR, the importance of people’s personal data, and the importance of records management and archiving. Data is controlled by department, with access controls limited to those employees who require it for a purpose. Physical security measures are very strong, as to be expected for a regulated firm located within the London Stock Exchange building.

Complaints or queries

Numis tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

Should you wish to exercise any of your data protection rights, please email dataprotection@numis.com setting out your concerns/request. This email address is monitored by our Data Protection Manager. 

You have the right to complain directly to the Information Commissioner’s Office (ICO) who regulate our use of data. We would hope to work with you to resolve any issues prior to this step.

https://ico.org.uk/concerns/

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Numis’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed.

You acknowledge and agree that:

(a) in order to administer our business we will be the controller of personal data; and

(b) pursuant to the terms of this Agreement or otherwise, we may collect, use, store or otherwise process personal data:

(i) as may be required by Applicable Law, and to adhere to our obligations under Applicable Law, including under anti-money laundering and terrorist financing legislation;

(ii) to perform our obligations under this Agreement and as you may request from time to time, including the provision of the services to you;

(iii) to manage or administer the relationship between us and you;

(iv) to inform you about other products or services of any Numis group company during the continuance of our relationship;

(v) to assign or sub-contract, or procure goods or services, or to outsource any part of the normal business functions of any Numis group company to third parties;

(vi) to monitor our services, whether provided by ourselves or a third party;

(vii) to communicate with credit reference and information agencies;

(viii) to share personal data with other Numis group companies, with our professional advisers and other affiliated or non-affiliated business partners, or the professional advisers and other affiliated or non-affiliated business partners of another Numis group company, but only where the recipient has a legitimate interest in the information disclosed to them; and

(ix) at your request or with your consent.