emerald-amount

GDPR Compliance Statement

Last updated: January 2024

This page explains how emerald-amount complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We're committed to protecting your personal data and being transparent about how we handle it.

Our Commitment to Data Protection

Data protection isn't just a legal requirement for us—it's fundamental to the trust our clients place in us. When you share sensitive financial information, you need confidence that it will be handled responsibly. We've embedded data protection principles into our operations from the ground up.

Data Controller Information

emerald-amount Ltd acts as the data controller for personal information processed through our services. This means we determine how and why your data is processed and are responsible for its protection.

Contact: Data Protection Officer, emerald-amount Ltd, 45 Greenfield House, Canary Wharf, London E14 5AB

Email: [email protected]

Lawful Basis for Processing

We only process personal data when we have a valid legal basis. Depending on the context, we rely on:

Contractual Necessity

When you engage our services, we need to process personal information to fulfil our agreement with you. This includes understanding your financial situation to provide appropriate advice and implementing recommendations you've approved.

Legal Obligation

Financial services are heavily regulated. We're required to verify client identities, conduct anti-money laundering checks, maintain records for specified periods, and report certain information to regulators. These obligations override individual consent.

Legitimate Interests

Some processing supports our business operations in ways that don't override your fundamental rights. Examples include maintaining security systems, analysing service quality, and managing business relationships. We conduct balancing tests to ensure our interests don't unfairly impact you.

Consent

Where we rely on consent—for instance, for marketing communications—you can withdraw it at any time. Withdrawal doesn't affect the lawfulness of prior processing.

Your Rights Under UK GDPR

The regulation grants you specific rights regarding your personal data:

Right to Be Informed

You're entitled to clear information about how we use your data. This page, along with our Privacy Policy, fulfils that obligation. We'll also provide specific privacy notices when collecting information in particular contexts.

Right of Access

You can request a copy of the personal data we hold about you. We'll provide this within one month, free of charge for reasonable requests. For particularly complex or numerous requests, we may extend this by two months or charge a reasonable fee.

Right to Rectification

If information we hold is inaccurate or incomplete, you can ask us to correct it. We'll investigate and respond within one month.

Right to Erasure

In certain circumstances, you can request deletion of your personal data. However, this right doesn't apply where we're legally required to retain information—for example, financial records that regulators may need to review.

Right to Restrict Processing

You can ask us to limit how we use your data while disputes are resolved or if you want us to keep data that we would otherwise delete.

Right to Data Portability

Where processing is based on consent or contract and carried out automatically, you can request your data in a structured, commonly used format that allows transfer to another provider.

Right to Object

You can object to processing based on legitimate interests. We'll stop unless we can demonstrate compelling grounds that override your interests. You can always object to direct marketing, and we'll comply immediately.

Rights Related to Automated Decision-Making

You have rights concerning decisions made solely by automated means that significantly affect you. We don't currently use automated decision-making in our advisory services.

Special Category Data

Some information we process falls into special categories under GDPR—particularly health data when relevant to insurance recommendations. We process this under explicit consent or because it's necessary for insurance purposes under UK law.

Data Retention

We don't keep personal data longer than necessary. Retention periods depend on the data type and applicable regulations:

  • Client records: Minimum six years after relationship ends (regulatory requirement)
  • Transaction records: Minimum six years
  • Marketing preferences: Until withdrawn or three years of inactivity
  • Website analytics: 26 months

Data Security Measures

We implement technical and organisational measures appropriate to the sensitivity of data we handle:

  • Encryption of data in transit and at rest
  • Access controls limiting data to those who need it
  • Regular security assessments and penetration testing
  • Staff training on data protection and security awareness
  • Incident response procedures for potential breaches
  • Physical security at our premises

International Data Transfers

We primarily process data within the United Kingdom. If circumstances require transfer outside the UK, we ensure adequate protection through approved mechanisms such as Standard Contractual Clauses or adequacy decisions.

Data Breach Procedures

Despite our security measures, breaches can occur. We have procedures to detect, investigate, and assess breaches. Where a breach is likely to result in high risk to individuals' rights, we'll notify the Information Commissioner's Office within 72 hours and inform affected individuals without undue delay.

Third-Party Processors

Where we engage third parties to process data on our behalf, we ensure contractual arrangements require them to implement appropriate security measures and process data only according to our instructions. We conduct due diligence before engaging processors and monitor ongoing compliance.

Data Protection Impact Assessments

For processing activities that may result in high risk to individuals—such as handling large volumes of financial data—we conduct Data Protection Impact Assessments to identify and mitigate risks.

Exercising Your Rights

To make a request under your GDPR rights, contact our Data Protection Officer:

Email: [email protected]

Post: Data Protection Officer, emerald-amount Ltd, 45 Greenfield House, Canary Wharf, London E14 5AB

We'll verify your identity before processing requests and respond within one month. Complex requests may take up to three months total, and we'll keep you informed of progress.

Complaints

We hope to resolve any concerns directly. If you remain unsatisfied, you can lodge a complaint with the Information Commissioner's Office:

Website: ico.org.uk

Helpline: 0303 123 1113

Updates to This Statement

We review our GDPR compliance regularly and update this statement as needed. Material changes will be communicated to clients directly.


© 2024 emerald-amount. All rights reserved. Registered in England and Wales.
