SYSC326 Privacy Policy

Privacy

SYSC326 may acquire sensitive information concerning your business or affairs in the course of delivering Services. We maintain strict controls over access to information and comply with obligations imposed by The Data Protection Act (DPA) 2018, as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (providing alignment with requirements of the EU General Data Protection Regulation ('GDPR')).

General

This policy relates to personal data provided to SYSC326:

This policy was last updated on 12/08/2021 - Please check this page occasionally to ensure you are aware of its content.
SYSC326 is registered with the Information Commissioner's Office (Ref: ZB063950) and is the Data Controller of processing activity described below.
Jon McNally trading as SYSC326 is responsible for data protection.

Enquiries

For all data protection enquiries, including Subject Access Request ('SAR'), please contact our Data Protection Officer ('DPO'):

By post: SYSC326, Fergusson House, 124 City Road, London, EC1V 2NX.
Email: admin@sysc326.com
If you would prefer to speak to us by phone, please call 020 7060 2780

What is personal data?
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What does processing mean?
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Useful links

Personal data - ICO Guidance
Data Protection Register - SYSC326
Subject Access Request - Form

Confidentiality

SYSC326 takes privacy seriously and is committed to protecting your data:

This policy explains when and why we collect personal information, how this information is used, the conditions under which it may be disclosed to others and how it is kept secure.
This is our main privacy policy. We may provide additional, specific privacy information to you if SYSC326 provides, or undertakes services for you, in which case, those specific statements may apply in those circumstances.
Information held (or processed) by SYSC326 is held (or processed) for a specific and legitimate purpose.
If we transfer information outside of the EEA, we take reasonable steps to ensure the security and privacy of your data.

Where we store personal data

Information is stored securely and usually on encrypted media:

Our data is hosted in the UK. We also utilise a backup service provided by a third party, where data is held in an encrypted format.
Occasionally information may be transferred outside the European Economic Area (EEA), to support delivery of a service you have requested.
Where a country may not have similar data protection laws to the UK we will, where possible, seek to work with service providers whose servers are located within the EEA.
If we transfer information outside of the EEA, we take steps to require reasonable security, aimed at ensuring your privacy rights are protected.
We do not routinely share personal data with other parties.

Personal data you provide

This relates to information about you (provided voluntarily), such as, via:

This website (www.sysc326.com).
Corresponding with us by email, telephone or otherwise.
Responding to any enquiry, communication or survey (e.g. as part of recruitment, vetting, personal employment/credential-checking, etc.).
Meetings or other discussions/interactions, including interviews, etc.
Also see our Legal page.

Personal data received from other sources

We might receive personal data from a third party or open source:

Third parties might include current or former employers, persons providing character references, clients and their advisors, etc.
Open-source includes media and press-reporting, public information published by regulatory bodies, public registries (e.g., Companies House, Land Registry, etc.)
Information is assessed for relevance to a particular client engagement.

Others who might receive or access personal data

We might disclose personal data to a third party, agent, or sub-contractor, where relevant and reasonable:

If necessary for the provision of a service to us, or to you on our behalf (e.g. conducting relevant research in another country).
We use a third party service provider for Basic Criminal Record Checks (for unspent convictions). For some roles this check is a mandatory compliance requirement and is only undertaken with the relevant individual's consent.
In all circumstances we only disclose information which is reasonable and necessary for an agent or other third party to provide their service.
We require information to be kept securely and not for use other than in accordance with our specific instructions.

Retention period of personal data before disposal

The following is a general guide. Details applicable to a particular client engagement may differ:

If civil or criminal proceedings are not anticipated (e.g. industrial tribunal, civil suit or criminal prosecution linked to a data subject) - Data is usually deleted 6 months after completion of service delivery.
If civil or criminal proceedings are anticipated - Data retention periods may be influenced by the timeframe for concluding proceedings.
Responding to an information request might also influence normal retention periods (e.g. Client insurers or legal advisors in asset tracing matters).
Any request to extend the retention period in a particular instance must be submitted in writing to SYSC326, with a relevant supporting rationale.

Accessing your personal information
Data protection law entitles you to ask to see a copy of the personal data that we hold about you, via a Subject Access Request ('SAR') - See above link

Who can submit a SAR
To ensure we only disclose details of data held to the Data Subject (or appointed representatve), applications must be accompanied by proof of identity and address.

Proof of identity & address
To ensure any disclosure of data is to the appropriate person, you will need to provide a copy of identification (e.g. Passport, Driving Licence,etc.) and proof of address (e.g. utility bill).

Our Specialist Focus

Anti Money Laundering
Anti Bribery & Corruption
Fraud Prevention/Response
Integrity Due Diligence
Advisory Services
Regulatory Support (e.g. s166)

Useful links

SYSC326 Home Page
FCA - Financial Crime Guide
OFSI - Sanctions Guidance
HMRC - AML Guidance
JMLSG Guidance
Law Society - AML Guidance
Frequently Asked Questions

Privacy

Useful links

Proof of identity & addressTo ensure any disclosure of data is to the appropriate person, you will need to provide a copy of identification (e.g. Passport, Driving Licence,etc.) and proof of address (e.g. utility bill).

Our Specialist Focus

Useful links

Proof of identity & address
To ensure any disclosure of data is to the appropriate person, you will need to provide a copy of identification (e.g. Passport, Driving Licence,etc.) and proof of address (e.g. utility bill).