Privacy FAQ


What is GDPR?

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of a wider reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations such as ourselves, will need to handle personal data from 25 May, 2018.


What does the GDPR mean to me?

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. You can find more guidance in the security section of our guide to the GDPR. This gives individuals much more control and rights regarding how their data is obtained, used and shared.


What information does the GDPR apply to?

The GDPR applies to all ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Your data may be used to:

  • To verify your identity, establish and manage your account
  • To provide you with products and services, or information about our products and services, and to review your ongoing needs
  • To help us improve our products and services, including customer services, and develop and market new products and services
  • To investigate or settle enquiries or disputes
  • To comply with applicable law, court order, other judicial process, or the requirements of any applicable regulatory authorities
  • Data analysis
  • Internal business purposes and record keeping
  • Security

Privacy Policy

Our Privacy and Security Policy applies to all organisations within the Capital Index group of companies and has been updated to incorporate all elements of the GDPR. It details the information we hold on your personal information and how it is stored and used.

Further details on all of the above can found in our Privacy Statement and Privacy Policy

What rights do clients have under the GDPR?

Under GDPR, individuals have rights. These are:

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights related to automated decision making including profiling

Further details about your rights can be found here.


1. Right to be informed.

You have the right to be informed about the collection and use of your Personal Data. We have documented all uses of your Data in our Privacy Statement. Further details can be found here.


2. Right of access.

You have a right to request a copy of the personal information that we hold about you. You may do so verbally or in writing. We will validate your identity and request such other relevant information that will reasonably assist us in fulfilling your request. We will act within one calendar month of request, unless the request is complex, in which case we may notify you that an extension of up to 2 calendar months is necessary. A fee will not be charged for the first request but a reasonable fee to cover administrative cost of providing further copies will be charged. Further details can be found here.


3. Right to rectification

You can request us to rectify and correct any Personal Data that we are processing about you which is incorrect. We will act within one calendar month of request. We will independently verify your identity before any information is changed. Further details can be found here.


4. Right to erasure.

You can request us to erase your Personal Data where there is no compelling reason to continue processing. This right only applies in certain circumstances, it is not a guaranteed or absolute right (for example, we may be required to retain your data for legal and regulatory purposes which will take precedent). Further details can be found here.


5. Right to restrict processing.

You have the right, in certain circumstances, to request that we suspend our processing of your Personal Data. Where we suspend our processing of your Personal Data we will still be permitted to store your Personal Data, but any other processing of this information will require your consent, subject to certain exemptions. Further details can be found here.


6. Right to data portability.

You may request that we provide your personal information from one IT environment to another in a safe and secure way. We have one month to provide you with this information from the date of your request. There is no fee for this. Further details can be found here.


7. Right to object.

You have the right to object to our use of your Personal Data which is processed on the basis of our legitimate interests. However, we may continue to process your Personal Data, despite your objection, where there are compelling legitimate grounds to do so or we need to process your Personal Data in connection with any legal claims. Further details can be found here.


8. Rights related to automated decision making including profiling.

You have the right not to be subject to a decision which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you. This right means you can request that we involve one of our employees or representatives in the decision-making process. We are satisfied that we do not make automated decisions of this nature. Further details can be found here.


Can we refuse to comply with a request for access?

If the request is unfounded or excessive, Capital Index has the right to refuse the request or charge a reasonable fee to deal with the request. Further details can be found here.


Can we refuse to comply with a request for erasure?

As a regulated company, our financial regulatory, and legal, obligations override the new GDPR in most circumstances. We have a regulatory "record keeping" requirement to follow and adhere to. However, if you make an erasure request that falls outside of our regulatory requirements, we will be able to action your request. Further details can be found here.


Can we refuse to comply with a request for restriction?

We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive we can:

1. request a "reasonable fee" to deal with the request; or

2. refuse to deal with the request.

In either case we will need to justify our decision. If we decide to charge a fee, we will contact the individual promptly and inform them. We do not need to comply with the request until we have received the fee. Further details can be found here.


Where can I find more information on GDPR?

The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

More information on the ICO and GDPR can be found here. You can also read our full Privacy Policy here.



Spread betting and CFD trading are high risk and may not be suitable for everyone. Losses can exceed your deposits