Henley is subject to The Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018. Henley may also be subject to the EU General Data Protection Regulation ("GDPR") and the Data Protection (Bailiwick of Guernsey) Law 2017. These data protection laws give you more rights about how your information is used.
Who are Henley?
Who Does This Apply To?
- Any Individuals or companies who use, or have used our services
- Visitors to our offices, websites or social media pages
What Does Henley Do?
Henley comprises companies that advise upon Mortgages, Investments, Protection Policies and Pensions.
What Are Our Key Principals?
- We will only collect information that is needed to provide our services to you
- We will ensure that we only share your personal information fairly and in the way you expect us to
- We will let you know how we use any information we collect from you, so you can make an informed decision
- We will only hold your information for as long as we are required to do so
- We will ensure your information is kept up to date if you inform us of any changes, or amended if we have made any errors.
- We will ensure there are appropriate controls in place to protect your information
- We will ensure you know your rights and how to exercise them
Who Is Our Data Controller?
Hayley Carstairs (Director) is the appointed Data Controller (the "Data Controller") for Henley, who determines the need for personal data to be held and how it is processed. The Data Controller is also responsible for notifying the Information Commissioner of the information it holds, how it is used and purposes for which it is held.
Why Do We Hold Personal Information And Data?
We have to hold details of the individuals and companies who have requested to use our services in order that we may assist them. However, we only use these details to provide the services the person or company has requested or other closely related purposes.
This information is held in paper form, stored on an electronic data base and processed via telephone, fax and email.
What Information Do We Hold?
HOFS / HOMS hold and process personal data for the functionality of business with the industries it advises upon. Based upon the legal grounds for processing personal data.
The types of information we my hold are:
- Basic Personal Information, such as your name, address, contact details, date of birth, gender, marital status and details of any financial dependants you may have
- Financial Information, such as your employment status, income and expenditure, as well as details of any existing assets or liabilities you may have
- Product Information, such as any existing products or policies you may have in place, or those that you are seeking to arrange
- Sensitive Personal Information, such as details about your health and lifestyle, or that of your close family members. Or information about any unspent criminal convictions. We will always be clear to explain why we would require information of this sensitive nature and obtain your explicit consent
- Unique Identification Numbers, such as your social security, or tax references
- Your marketing preferences, so we know whether you would like to receive ongoing marketing communications from us
How Do We Use Your Information?
HOFS / HOMS needs to ensure activities involving the processing of personal information are undertaken under one of the six legal grounds for processing.
Article 6(1) of the GDPR sets out the conditions that must be met for the processing of personal data to be lawful. They are:
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
In the event that the above 2 conditions are not met Henley will ensure one of the following conditions are met:
- The data subject has given consent to the processing of their personal data for one or more specific purposes;
- Processing is necessary in order to protect the vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
How Long Do We Hold Your Information (Data Retention)?
We retain personal information only for as long as necessary to carry out these functions.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal date, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Currently, if you contact our offices to seek some preliminary information or advice, we will retain the information you provide for a period of 12 months. This period is to allow you time to get back in touch, if you need any further assistance or decide to use our services.
Any records relating to mortgage business written will be retained for the duration of the contract, plus 5 additional years.
Any records relating to investment or protection business written will be retained for the duration of the contract, plus 5 additional years.
We are required to retain any records relating to pension transfer advice indefinitely.
What Happens After The Required Retention Period?
Henley will then destroy your personal data including all paper and electronic records.
How Secure Is My Information?
Henley has measures in place to ensure the security of the data we collect and that it will only be accessible by authorised staff. Any third party we work with must confirm they also adhere to GDPR and only process your personal information in line with our instructions.
Public electronic communications service providers are required by law to report any security breaches involving personal data to Henley.
Henley will ensure that all data is non-recoverable from any computer systems we may have previously used within the organisation if it is replaced.
Want to Know More about Our Websites?
When someone visits www.henleyfinancial.je or www.mortgageshop.je we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to review activity such as the number of visitors to the various parts of the sites.
This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our websites. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Henley uses a third party service to help maintain the security and performance of our websites. To deliver this service it processes the IP addresses of visitors to the websites.
Want To Know More About Cookies?
Cookies are small text files that web servers can store on your computer's hard drive when you visit a website. They allow the server to recognise you when you revisit the website and to tailor your web browsing experience to your specific needs and interests, and help to maintain your security when you log into our secure services.
For full details please see our cookies policy via our website.
Want To Know More About Our Search Engine?
Our Search Engine is powered by the CMS and only searches data published by Henley. Searches are not logged, they are there purely for the benefit of any visitors to our webpages.
Want To Know More About Our Mortgage Shop Bulletin?
We use a third party provider (Mailchimp), to deliver our Mortgage Shop Bulletins. We gather statistics around email opening and click throughs using industry standard technologies, including clear gifs, to help us monitor and improve our e-newsletter.
What Social Media Do Henley Use?
Henley uses both Facebook and LinkedIn to post various marketing materials. If you send us a private or direct message via social media the message will be stored by the respective plaftforms for three months.
The message, and the information contained within, will not be shared with any other organisations unless requested to do so.
How Secure are the Emails Sent To And From Henley?
We use Transport Layer Security (TLS) to encrypt and protect email traffic.
If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Do We Transfer Your Information Internationally?
Henley will make best endeavours to not send personal data outside of Jersey / EU / Countries with adequacy status. Any information that is to be sent to any other country will be done so as per our Policies and Procedure, which are available upon request.
What Are Your Rights?
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Broadly, these include a:
- Right to access your data
- Right to rectify your data
- Right to erase your data unless obliged by another law
- Right of portability of your data
- Right to Withdraw consent at any time
- Right to make a complaint to the supervisory Body
- Right to knowledge of automated processing of data, and the logic and potential consequences
- Right to the origin of personal data if not provided by yourself.
If you wish to exercise any of the rights set out above, please contact our Data Controller.
We try to respond to all legitimate requests within four weeks. Occasionally it may take us longer than four weeks if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
How Do You Make A Complaint?
If you have a compliant about how your information has been processed, you should put full details of your complaint in writing to the Data Controller.
What is the Compliant Process?
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for a specified number of years (please see above for our data retention policy). It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
When we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not, identify any complainants unless the details have already been made public.
How Can I Make A Compliant To The Supervisory Body?
If you wish to make a complaint to the supervisory body, which is the Office of Information Commissioner (OIC), you can download their form, or complete it online, on their website www.oicjersey.org
We keep our privacy notice under regular review and it was last updated May 2018
How Can You Contact Us?
Henley Financial Services
31 Broad Street