The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of a wider reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations, such as ourselves, will need to handle personal data from 25 May 2018.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. You can find more guidance in the security section of our guide to the GDPR. This gives individuals much more control and rights regarding how their data is obtained, used and shared.
The GDPR applies to all ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. Your data may be used to:
Our Privacy and Security Policy applies to all organisations within the Capital Index group of companies and has been updated to incorporate all elements of the GDPR. It details the personal information we hold about you and how it is stored and used.
What rights do clients have under the GDPR?
Under GDPR, individuals have rights. These are:
Further details about your rights can be found here.
You have a right to request a copy of the personal information that we hold about you. You may do so verbally or in writing. We will validate your identity and request such other relevant information as will reasonably assist us in fulfilling your request. We will act within one calendar month of the request, unless the request is complex, in which case we may notify you that an extension of up to 2 calendar months is necessary. A fee will not be charged for the first request, but a reasonable fee to cover the administrative cost of providing further copies will be charged. Further details can be found here.
You can request us to rectify and correct any Personal Data that we are processing about you which is incorrect. We will act within one calendar month of the request. We will independently verify your identity before any information is changed. Further details can be found here.
You can request us to erase your Personal Data where there is no compelling reason to continue processing. This right only applies in certain circumstances; it is not a guaranteed or absolute right (for example, we may be required to retain your data for legal and regulatory purposes, which will take precedence). Further details can be found here.
You have the right, in certain circumstances, to request that we suspend our processing of your Personal Data. Where we suspend our processing of your Personal Data we will still be permitted to store your Personal Data, but any other processing of this information will require your consent, subject to certain exemptions. Further details can be found here.
You may request that we provide your personal information from one IT environment to another in a safe and secure way. We have one month to provide you with this information from the date of your request. There is no fee for this. Further details can be found here.
You have the right to object to our use of your Personal Data which is processed on the basis of our legitimate interests. However, we may continue to process your Personal Data, despite your objection, where there are compelling legitimate grounds to do so or we need to process your Personal Data in connection with any legal claims. Further details can be found here.
You have the right not to be subject to a decision which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you. This right means you can request that we involve one of our employees or representatives in the decision-making process. We are satisfied that we do not make automated decisions of this nature. Further details can be found here.
If the request is unfounded or excessive, Capital Index has the right to refuse the request or charge a reasonable fee to deal with the request. Further details can be found here.
As a regulated company, our financial regulatory and legal obligations override the new GDPR in most circumstances. We have a regulatory "record keeping" requirement to follow and adhere to. However, if you make an erasure request that falls outside of our regulatory requirements, we will be able to action your request. Further details can be found here.
We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive we can:
1. request a "reasonable fee" to deal with the request; or
2. refuse to deal with the request.
In either case we will need to justify our decision. If we decide to charge a fee, we will contact the individual promptly and inform them. We do not need to comply with the request until we have received the fee. Further details can be found here.
The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.