Aureate Crest

GDPR Compliance

Last updated: April 2026

Our Commitment to Data Protection

Aureate Crest is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These regulations establish comprehensive protections for personal data and grant individuals significant rights over information relating to them.

As a financial advisory firm handling sensitive personal and financial information, we recognise the heightened responsibility we bear. Our GDPR compliance programme ensures we meet not only legal minimum standards but also best practices in data protection.

Lawful Basis for Processing

We process personal data only when we have a valid lawful basis. Depending on the specific processing activity, we rely on the following legal grounds:

Contractual Necessity

Much of our data processing is necessary to fulfil our contractual obligations to clients. When you engage our services, providing financial advice requires processing comprehensive information about your circumstances, goals, and financial position. Without this data, we cannot deliver the advisory services you've contracted for.

Legal Obligation

As an FCA-authorised firm, we're subject to extensive regulatory requirements. These include maintaining detailed client records, conducting suitability assessments, documenting advice processes, and producing specific reports. Processing personal data to meet these legal obligations is essential to our regulated status.

Legitimate Interests

We sometimes process data based on legitimate business interests, provided these don't override your rights and freedoms. Examples include maintaining security systems, improving our services through anonymised analytics, and managing business operations efficiently.

Consent

Where processing isn't covered by other lawful bases, we obtain explicit consent. This applies particularly to marketing communications and certain types of sensitive data. You can withdraw consent at any time without affecting other aspects of our relationship.

Special Category Data

Health information collected for protection planning purposes constitutes special category data requiring additional safeguards. We process this only with explicit consent or where necessary for insurance purposes, always applying enhanced security measures.

Data Protection Principles

Our data handling adheres to the seven key principles established by UK GDPR:

Lawfulness, Fairness, and Transparency

We process data lawfully with appropriate legal basis, fairly without detriment to individuals, and transparently by clearly explaining our practices. This policy and our Privacy Policy provide comprehensive information about how we handle your data.

Purpose Limitation

We collect personal information for specific, legitimate purposes and don't subsequently process it in ways incompatible with those original purposes. If we wish to use data for a new purpose, we'll inform you and obtain consent where required.

Data Minimisation

We collect only information adequate, relevant, and necessary for the stated purposes. While financial advice requires comprehensive data, we avoid gathering superfluous details unrelated to providing our services.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. We encourage clients to notify us of any changes to their circumstances and regularly verify key information during review meetings.

Storage Limitation

Personal data is retained only as long as necessary for the purposes for which it was collected. Regulatory requirements mandate minimum retention periods, but once these expire and no other legitimate reason exists to maintain the data, we securely delete it.

Integrity and Confidentiality

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, or damage. Our security framework is regularly reviewed and updated to address emerging threats.

Accountability

We take responsibility for demonstrating compliance with these principles. This includes maintaining documentation of processing activities, conducting data protection impact assessments where appropriate, and implementing policies ensuring compliance throughout our organisation.

Your Rights Under GDPR

UK GDPR grants you extensive rights regarding personal data. We're committed to facilitating the exercise of these rights:

Right of Access

You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy. We'll provide information about processing purposes, categories of data, recipients, retention periods, and your other rights. Access requests are fulfilled free of charge within one month, though complex requests may require an additional two months.

Right to Rectification

If personal data we hold is inaccurate or incomplete, you can request corrections. We'll amend our records promptly and notify relevant third parties who've received the incorrect information where appropriate.

Right to Erasure

Also known as the "right to be forgotten," this allows you to request deletion of personal data in certain circumstances. However, this right is not absolute—we may be obliged to retain information to comply with legal obligations, particularly FCA regulations requiring specific retention periods for client files.

Right to Restriction of Processing

In specific situations, you can request that we restrict how we process your data. For example, if you contest data accuracy, we'll restrict processing while we verify correctness. Restricted data remains stored but isn't otherwise processed without your consent.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you can request transfer of your data to another service provider in a structured, commonly used, machine-readable format. We'll facilitate portability requests where technically feasible.

Right to Object

You can object to processing based on legitimate interests or conducted for direct marketing purposes. For marketing, we'll cease processing immediately upon objection. For legitimate interest processing, we'll stop unless we demonstrate compelling grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. We don't employ fully automated decision-making in our advisory processes—human advisors review all recommendations.

Exercising Your Rights

To exercise any GDPR rights, contact us at [email protected]. Please provide sufficient information to allow us to identify you and verify your identity. This protects against fraudulent requests for personal data.

We'll respond within one month of receiving a valid request, though complex matters may require up to three months total. If we require an extension, we'll notify you within the initial month and explain the reason for the delay.

Most requests are handled free of charge. However, if a request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee based on administrative costs or refuse the request. We'll explain our reasoning if this occurs.

Data Security Measures

We implement comprehensive security measures aligned with industry standards and the sensitivity of data we hold:

Technical Safeguards

These include encrypted data storage and transmission, secure authentication mechanisms, regular security patches and updates, firewall protection, malware detection systems, and secure backup procedures.

Organisational Safeguards

We maintain strict access controls limiting who can view personal data based on job function, comprehensive staff training on data protection obligations, confidentiality agreements with all personnel and contractors, clear policies governing data handling procedures, and regular audits of compliance.

Incident Response

Despite preventive measures, breaches can occur. We maintain an incident response plan enabling prompt detection, containment, and remediation. If a breach presents risk to your rights and freedoms, we'll notify you without undue delay. Material breaches are reported to the Information Commissioner's Office within 72 hours where required.

Data Transfers

We primarily store and process personal data within the United Kingdom. Occasionally, data may be transferred to service providers in other jurisdictions.

Any international transfers comply with UK GDPR requirements. This means transfers to countries with adequate data protection laws recognised by the UK, or implementation of appropriate safeguards such as standard contractual clauses approved by UK authorities.

We conduct due diligence on international service providers to ensure they offer adequate protection for personal data and contractually bind them to GDPR-equivalent standards.

Children's Data

Our services are directed at adults. We don't knowingly collect personal data from children under 16 without parental consent. If we become aware of having inadvertently collected such data, we'll delete it promptly.

We may hold information about children as part of a parent's financial planning, particularly regarding education fee planning or estate arrangements. This data is processed as part of the adult client relationship with appropriate safeguards.

Regular Reviews and Updates

Data protection is an ongoing commitment, not a one-time exercise. We regularly review our processing activities, security measures, and policies to ensure continued compliance with evolving regulations and best practices.

Our team receives regular training on data protection obligations, and we conduct periodic assessments of our GDPR compliance programme to identify and address any gaps.

Complaints and Supervisory Authority

If you believe we've failed to comply with GDPR or handled your personal data improperly, please contact us so we can investigate and resolve the matter.

You also have the right to lodge a complaint with the Information Commissioner's Office, the UK supervisory authority for data protection. The ICO can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: ico.org.uk

We encourage you to contact us first, as we're committed to resolving concerns directly wherever possible.

Contact Information

For questions about our GDPR compliance or to exercise your data protection rights, please contact:

Aureate Crest
42 Kensington Square
London, W8 5HN
United Kingdom
Email: [email protected]

© 2026 Aureate Crest. All rights reserved. Aureate Crest is authorised and regulated by the Financial Conduct Authority.