The DPA regulates the processing of personal data. Its definition of personal data covers all information relating to identifiable living individuals which is held on computer, in another 'automatically-processable' format or in a manual filing system which is structured so as to facilitate access to information relating to particular individuals. (Information relating to companies and other 'legal' persons is not caught.) Its definition of processing covers any conceivable activity in relation to personal data, including collection, analysis, processing in the ordinary sense of the word, storage, disclosure, international transfer and deletion.
On a day-to-day basis we have to process personal data in various circumstances and in relation to various categories of individual. This Policy deals specifically with personal data collected in the context of the establishment and management of our customer relationships and the execution of transactions on the instructions of our customers (Customer and/or Transaction Management).
It is important to remember that the DPA regulates processing of personal data relating to all individuals, not just relating to customers. Information relating to individual representatives of corporate customers, or to individuals (or individual representatives of corporate entities) elsewhere in a payment chain – for example, an ultimate payee or an individual representative of a payment institution – is also protected by the DPA.
The individuals to whom the personal data relates, whether customers or otherwise, are referred to as data subjects.
The UK Information Commissioner (the Commissioner) is responsible for enforcement of the DPA and has published a range of guidance on data protection issues, all of which is available on the Commissioner's website at www.ico.gov.uk.
Our principal obligations under the DPA include:
A copy of our Policy will be supplied to each employee.
The requirements set out in this Policy are mandatory unless otherwise stated and must be followed by all our employees. It is the responsibility of each such person to acquaint themselves with the requirements of this Policy. Failure to comply with this Policy may constitute a serious disciplinary offence and could result in dismissal.
Data Protection Officer
The company Nominated Officer (MLRO) is charged as the designated data protection officer (the Data Protection Officer).
Employees with any questions about our Data Protection Policy or its application in particular circumstances should consult the Data Protection Officer.
Fair and Proportionate Processing
The DPA requires that all of our processing of personal data should be fair and lawful and should meet one of various specified conditions. In designing and implementing each procedure for Customer and/or Transaction Management involving the processing of personal data, we will take these requirements into account and ensure that they are met.
We expect that our routine processing of personal data for Customer and/or Transaction Management procedures will generally meet the most general of the available conditions, which is known as the legitimate interests condition. The 'legitimate interests' condition will apply, and allow us to process personal data, if both:
A: the processing is necessary for the purposes of legitimate interests that we, or a person to whom we disclose the data, pursue (these may be business, compliance or other purposes); and
B: the processing is not 'unwarranted' because it prejudices the rights, freedoms or legitimate interests of the data subjects.
Each processing operation will, therefore, be assessed to ensure that part A of this condition is met, meaning that we have a legitimate business, compliance or other purpose for carrying out the processing. If part A is met, employees should then consider whether the processing will prejudice the data subjects in any way. Our expectation is that, provided the other rules in this Policy are followed, our ordinary processing for Customer and/or Transaction Management purposes will not prejudice data subjects' rights, freedoms or legitimate interests. If an employee considers that there is a potential for prejudice to be caused in a particular case, the prejudice should be balanced against our interests and a view taken on whether our interests outweigh the prejudice to the data subjects.
If employees are in any doubt as to whether the 'legitimate interests' condition is met, they should consider whether the processing can be justified on the basis that it meets any of the other statutory conditions available in the DPA.
The other conditions most likely to apply are as follows:
The DPA also prohibits the processing of excessive, irrelevant or inadequate personal data. Our systems and procedures have been designed so as not to collect personal data which are excessive or irrelevant (in particular: personal data should not be collected on a 'just-in-case' basis) and, of course, employees should ensure that the data collected is adequate for the relevant purposes.
Personal data collected for any given purpose should not then be used for a purpose which is incompatible with that purpose – we do not expect this to be an issue in the ordinary course of Customer and/or Transaction Management, however.
We expect the general requirement that processing of personal data should be fair to be met if all the other requirements are met.
Transparency / Information-Provision
We are required under the DPA to ensure that data subjects have various information readily available to them. This requirement is subject to exceptions, however, and these exceptions are of relatively wide application in the context of Customer and/or Transaction Management. In particular,
The information to be made available is
We must ensure that our customer contracts inform our individual customers of the following:
Our customer contracts also require customers to pass this information on to any individuals whose personal data they provide to us.
We take the view that we do not need to provide information to data subjects other than individual customers to justify our processing of their personal data for routine Customer and/or Transaction Management purposes. In particular:
We take the same view in relation to individual representatives of our customers – having required our customers to pass the required information on to their representatives, we take the view that the effort involved in contacting the representatives directly would be disproportionate.
MT Global Ltd is authorised and regulated by the Financial Conduct Authority under Registration Number 565567.
Registered as a Limited Company in England and Wales Company No: 05623359.