Data Protection Policy & GDPR
Introduction
In the course of advising and providing our services to you, we may receive information relating to you, your directors, shareholders, beneficial owners, employees, agents, and associates. In this Policy, we refer to this information as “personal information,” which is any information relating to an identified or identifiable individual.
This Policy sets out the basis on which we will process this personal information. Please read the Policy carefully to understand our practices regarding personal information and how we will use it. It also explains your rights in relation to your personal information and how to contact us or the supervisory authority in the event you have a complaint.
About VSA Capital Limited
The data controller in respect of personal information is VSA Capital Limited, a limited company registered in England and Wales under number 02405923. Our registered office is at Park House, 16-18 Finsbury Circus, London, EC2M 7EB.
VSA Capital Limited is authorised and regulated by The Financial Conduct Authority.
References in this Policy to “VSA Capital Limited” (“VSA”), “we”, “our” and “us” are references to VSA Capital Limited, the UK data controller and its Affiliated Entities.
Contacting Us
We are not required to appoint a formal data protection officer under data protection laws. However, VSA Capital’s privacy manager is Marcia Manarin.
If you have any questions about this policy or your information, or to exercise any of your rights as described in this policy or under applicable data protection laws, you can contact us as follows:
Marcia Manarin
VSA Capital Limited
Park House
16-18 Finsbury Circus
London EC2M 7EB
By email: mmanarin@vsacapital.com
By telephone: +44 (0)20 3005 5003
Data Protection Principles
VSA Capital adheres to the following principles when processing your personal information:
- Lawfulness, fairness and transparency: data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation: data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation: data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: data must be accurate and, where necessary, kept up to date.
- Storage limitation: data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal information are processed.
- Integrity and confidentiality: data must be processed in a manner that ensures appropriate security of the personal information, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.
Information We Collect
We collect personal information as necessary to enable us to carry out your instructions and to manage and operate our business and provide our services to you, and to comply with our legal and regulatory obligations.
The personal information that we collect in the course of advising and/or providing our services and products to you includes, but is not limited to, the following:
- your name;
- home and business address;
- contact details (such as telephone numbers and email address);
- date of birth;
- gender;
- marital status;
- copies of passport, national identity card, driving licence, utility bills, bank statements and similar documents;
- business and professional qualifications and experience;
- immigration status and work permits;
- information relating to the services we have been instructed to provide;
- information that you provide us with;
- information we obtain from our IT and communications monitoring, or from third party agencies and information providers.
This personal information is required to enable us to provide our services and products to you. If you do not provide personal information we ask for, it may delay or prevent us from providing services and products to you. In providing us with this information, you consent to us holding this information to enable us to provide services to you.
You confirm that you are authorised to provide to us the personal information which we shall process on your behalf.
Where the personal information relates to your directors, shareholders, beneficial owners, employees, agents or associates it is not reasonably practicable for us to provide to them the information set out in this Policy. Accordingly, where appropriate you are responsible for providing this information to any such person.
How Your Information is Collected
We collect most of this information from you directly; however, we also collect information from publicly accessible sources, e.g. Companies House; directly from a third party, e.g. client due diligence providers; from a third party with your consent, e.g.
- your bank or building society, another financial institution or advisor;
- consultants and other professionals we may engage in relation to the services; and
- your employer and/or trade union, professional body or pension administrators;
via our website – we use cookies on our website, e.g.
- online matter management and document management systems;
- door entry systems and reception logs,
via telephone recordings
- telephone conversations are recorded in accordance with FCA requirements.
Special Categories of (“Sensitive”) Personal Information
You may also supply us with, or we may receive, special categories of (or “sensitive”) personal information, which includes information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, health or sex life, sexual orientation, genetic data or biometric data.
We process these special categories of personal information on the basis of one or more of the following:
- where you have given explicit consent to the processing of the personal information for one or more specified purposes;
- where the processing relates to personal information which is manifestly made public by you;
- where the processing is necessary for the establishment, exercise or defence of legal claims;
- where the processing is necessary for reasons of substantial public interest, in accordance with applicable law. Such reasons include where the processing is necessary:
  - for the purposes of the prevention or detection of an unlawful act or for preventing fraud;
  - for the provision of confidential advice.
Data Relating to Criminal Convictions & Offences
We collect and store personal information relating to criminal convictions and offences (including the alleged commission of offences) only where necessary for the purposes of:
- the prevention or detection of an unlawful act and is necessary for reasons of substantial public interest;
- providing or obtaining legal advice; or
- establishing, exercising or defending legal rights.
How and Why We Use Your Information
Our use of your personal information is subject to your instructions, data protection laws and our professional duty of confidentiality.
We will only process your personal information if we have a legal basis for doing so, including where:
- processing is necessary for the performance of our contractual engagement with you: this relates to all personal information we reasonably need to process to provide the services and products requested;
- processing is necessary for compliance with a legal obligation to which we are subject: this relates to our legal obligations in relation to, for example, anti-money laundering; and
- processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms: this relates to our processing for marketing purposes, for our management, accounting and administration purposes and for data security.
The table below further explains the purposes for which VSA Capital Limited will use your personal information (excluding sensitive personal information) and our legal basis for doing so:
Where we request personal information to identify you for compliance with anti-money laundering regulations, we shall process such information only for the purposes of preventing money laundering or terrorist financing, or as otherwise set out in this Policy or permitted by law.
Where we rely on legitimate interests as a lawful basis, we will carry out a balancing test to ensure that your interests, rights and freedoms do not override our legitimate interests. If you want further information on the balancing test we have carried out, you can request this from us by contacting us as provided in Contacting Us above.
Marketing
We also use your personal information to notify you by email, telephone, SMS or post about important developments and services or products which we think might be of interest to you, including newsletters, invitations to seminars and similar marketing.
For marketing purposes, we may disclose personal information to our Affiliated Entities or to third parties providing marketing services to us, or with whom we are conducting joint marketing exercises.
You have the right to opt out of receiving direct marketing communications from us at any time by:
- contacting the privacy manager using the contact details set out above; or
- using the “unsubscribe” link in emails.
Email monitoring
Email which you send to us or which we send to you may be monitored by us to ensure compliance with professional standards and our internal compliance policies. Monitoring is not continuous or routine but may be undertaken on the instruction of a partner where there are reasonable grounds for doing so.
Third party processors
Our information technology systems are operated by us but some data processing is carried out on our behalf by third parties (see section Disclosure of Personal Information). Details regarding these third-party data processors can be obtained from our privacy manager whose details are given above.
Where processing of personal information is carried out by a third-party data processor on our behalf, we endeavour to ensure that appropriate security measures are in place to prevent unauthorised access to or use of your data.
Disclosure of personal information
Personal information will be retained by us and will not be shared, transferred or otherwise disclosed to any third party, except as set out in this Policy.
If we are working with other professional advisers on your behalf, we shall assume that we may disclose your information to them, unless you instruct us otherwise.
We disclose and share personal information with the following parties:
- with VSA Capital Limited directors, staff and consultants based in the UK;
- with our Affiliated Entities, specifically those based in China, Africa and the EU;
- to other professional advisers and third parties in accordance with your instructions;
- to our professional indemnity insurers, brokers or advisers, and auditors, lawyers or risk managers who we or they may appoint;
- third party processors, service providers, representatives and agents based in the UK that we use to make our business more efficient, including for our IT services, data storage / back-up; payroll and cloud-based cybersecurity;
- if we, acting in good faith, consider disclosure to be required by law or the rules of any applicable governmental, regulatory or professional body.
Should we be requested by certain authorities to provide them with access to your information in connection with the work we have done, or are doing, for you, we will comply with that request only to the extent that we are bound by law to do so and, in so far as it is allowed, we will notify you of that request or provision of information.
We only allow our service providers to handle your personal information if we are satisfied that they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you.
We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
Your rights
Subject to certain limitations, you have rights under data protection laws in relation to your personal information.
Access to your information and updating your information
You have the right to access information which we hold about you. If you so request, we shall provide you with a copy of your personal information which we are processing (“subject access request”). We may refuse to comply with a subject access request if the request is manifestly unfounded or excessive or repetitive in nature.
You also have the right to receive your personal information in a structured and commonly used format so that it can be transferred to another data controller (“data portability”). This right only applies where your personal data is processed by us with your consent or for the performance of a contract and when processing is carried out by automated means.
We endeavour to ensure that your personal information is accurate and up to date and you have the right to have inaccurate personal information rectified or completed if it is incomplete. We may refuse to comply with a request for rectification if the request is manifestly unfounded or excessive or repetitive.
Right to object
You have the right to object at any time to our processing of your personal information used for direct marketing purposes.
Where we process your information based on our legitimate interests
You also have the right to object, on grounds relating to your particular situation, at any time, to processing of your personal information which is based on our legitimate interests. Where you object on this ground, we shall no longer process your personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Your other rights
You also have the right under data protection laws to request that we rectify your personal information which is inaccurate or incomplete.
In certain circumstances, you have the right to:
- request the erasure of your personal information (“right to be forgotten”);
- restrict the processing of your personal information to which you have given us your consent or used for the establishment, exercise or defence of legal claims or used for the protection of the rights of others.
Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply. We may refuse a request for erasure, for example, where the processing is necessary to comply with a legal obligation or necessary for the establishment, exercise or defence of legal claims. We may refuse to comply with a request for restriction if the request is manifestly unfounded or excessive or repetitive in nature.
Exercising Your Rights
You can exercise any of your rights as described in this policy and under data protection laws by contacting the privacy manager.
Except as described in this policy or provided for under applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.
Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm their identity.
Security of Your Information
We store your information in hard copy and in electronic format. Information may be held at our offices in the UK and China. We use industry standard technical and organisational measures to protect information from the point of collection to the point of destruction. For example:
- Hard copy information files are restricted to authorised individuals.
We use, as appropriate, project codes, encryption, firewalls, access controls, policies and other procedures to protect information from unauthorised access.
We will only transfer personal information to a third party if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will endeavour to protect your personal information, we cannot guarantee the security of your data transmitted over the internet.
Transferring your personal information outside of the EEA
VSA Capital Limited has offices in the UK and China. Authorised personnel may access your information in the UK and China only. To deliver services to you, it is sometimes necessary for us to transfer and store your personal information outside the European Economic Area (“EEA”) as follows:
- with our Affiliated Entities;
- with our service providers located outside the EEA;
- if you are based outside the EEA;
- where there is an international aspect to the matter which we have been instructed on.
These non-EEA countries do not have the same data protection laws as the United Kingdom and EEA. We will, however, ensure that we take appropriate or suitable safeguards in connection with any transfers of personal information to non-EEA countries by implementing standard data protection clauses adopted by the European Commission (as permitted under Article 46(2)(c) of the General Data Protection Regulation).
If you want further information on the specific mechanisms used by us when transferring your personal information out of the EEA, please contact our privacy manager using the details set out above.
Information Retention Periods
Personal information received by us will only be retained for as long as necessary to fulfil our engagement. Following the end of our engagement we will retain your information:
- to enable us to respond to any queries, complaints or claims made by you or on your behalf; and
- to the extent permitted for legal, regulatory, fraud and other financial crime prevention and legitimate business purposes.
After this period, when it is no longer necessary to retain your personal information, we will securely delete or anonymise it in accordance with our Data Retention Policy. Further details regarding our data retention policy can be obtained from our privacy manager whose details are given above.
Complaints
The privacy manager is Marcia Manarin (see page 1 for contact details), to whom complaints should be addressed in the first instance.
You have the right to make a complaint at any time with a supervisory authority, in particular in the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”) who can be contacted at https://ico.org.uk/ or telephone on 0303 123 1113.
Changes to this Policy
We may change this Policy from time to time. The current version will always be available from us in hard copy or on our website. We will post a prominent notice on the website to notify you of any significant changes to our privacy policy, or update you by other appropriate means.
This Policy was last updated on 20 April 2023.