The following companies will act as data controller (or joint data controller as the case may be) where you purchase a product or service from them:
- Wellesley Finance PLC (08331511), in respect of bonds issued by it from time to time include, without limitation, the Property Mini Bond and the Unsecured Mini Bond as well as operating the wellesleyfinance.co.uk website.
- Wellesley Secured Finance PLC (10565816), which issues The Wellesley Property Bond pursuant to a base prospectus approved by the Central Bank of Ireland under its £500,000,000 Secured Note Programme which is listed on the Irish Stock Exchange.
The “Wellesley Group" companies who may additionally receive personal data include:
- Wellesley Security Trustees Limited (08738060)
- Wellesley Group Limited (9811856); and
- Wellesley Group Investors Limited (08478238).
All of the above companies have their registered office address at 6th Floor St Albans House, 57/59 Haymarket, London, SW1Y 4QX, except for Wellesley Secured Finance PLC whose registered office address is at 35 Great St. Helen’s, London, EC3A 6AP.
If you want to contact us you can email firstname.lastname@example.org or write to the relevant data controller’s postal address. Wellesley have appointed Samuel Uwaezuoke as their data protection officer. You can email him directly at email@example.com (marked for his attention).
2. WHAT IS THIS POLICY FOR?
This policy has been prepared to meet the requirements of the EU General Data Protection Regulation, the UK’s Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. It explains why we process your personal data, what we do with your personal data, how we look after your personal data and what your rights are over your personal data.
It is important that you read this policy together with any other privacy notice or fair processing notice we may provide at the point of collecting or processing your personal data. This policy supplements those notices and is not intended to override them. Please read it in conjunction with the Terms of Website Use: https://www.wellesley.co.uk/website-terms-of-use and any other documents referred to in it (“Terms“).
Our site, products and our services are not intended for use by children and we do not knowingly process personal data relating to children.
3. WHAT PERSONAL DATA DO WE COLLECT?
When we refer to “personal data" we mean information about an individual from which that person can be identified. This does not include data where the individual’s identity has been removed.
We may collect, use, store and transfer the following types of data:
|Contact Data||Full name, postal address, email address and contact telephone numbers.|
|ID Verification Data||Details of and/or copies of your passport, drivers licence, firearms licence, utility bill, home phone bill, bank statement, credit card statement, signature.|
|Transaction Data||The payments you make to us, details of the bank account they were sent from, your account balance, interest and workings, the products you purchased from us, estimated net worth (if provided).|
|Account Data||Your username and password and your security questions and answers (if you have an account with us).|
|Marketing and Communications Data||Your preferences in receiving marketing as well as your preferred form of communication.|
|Technical Data||Information about how you use our site (e.g. URL), your internet protocol (IP) address, operating system and platform, browser type and version, time zone setting, location data, information on how long you visit each page, cookie data and other identifying information required for your device to communicate with our site.|
We will not necessarily collect all of the above data about you. For example, if you are merely visiting our site then we will usually just collect Technical data about you and your device. If you decide to sign up for newsletters and offers then we will collect Contact, Marketing and Communications data from you. Where you decide to become an investor then we would need to collect the above as well as ID Verification, Transaction and Account data.
The above data may not always be considered personal data. For example, much of the Technical data we collect is aggregated data, and it is not usually classified as personal data because it does not reveal your identity to us. If we link aggregated data to your personal information it will be treated as personal data in line with this policy.
We do not process any “special categories" of personal data about you (i.e. information about your race, ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).
We try to be sure that the personal data we hold about you is accurate, and so please get in touch with us if your personal data changes so we can update our records. You can contact us using the details at the beginning of this policy.
HOW WE COLLECT YOUR DATA
We collect personal data about you from a number of different sources depending on who you are and what personal data it is. For example, we collect personal data:
- From you directly: when you submit an application form to us; purchase products or services from us or the Wellesley Group; and correspond with us by post, phone, email, through social media, or otherwise.
- From third parties: such as information you have asked us to collect on your behalf; providers of payment services where you make payments to us; and the Share Centre if you purchase a Wellesley Group product via them.
- From publicly available sources: such as Companies House, the Land Registry, Bankruptcy Register and the Electoral Register.
- From your device: when you access our site.
HOW WE USE YOUR PERSONAL DATA
We will only use your information where we have a lawful basis to do so. We set out below how we plan to use your personal data and the lawful basis that we rely on.
|Purpose||Types of Data Processed||Lawful Basis of Processing|
|To contact you||Contact and Account Data.||It is necessary for the performance of a contract, (or potential contract) with you.
It is necessary for our legitimate interests (for running our business, to keep our records updated, to help prevent or detect crime, to recover debts due to us and to provide you with the services you have requested).
It is necessary to comply with our legal obligations.
|To verify your identity, prevent/detect money laundering and fraud.||Contact, ID Verification, Transaction and Account Data.||It is necessary to comply with our legal obligations.
It is necessary for our legitimate interests (to help prevent and detect crime, fraud and money laundering, to verify your identity).
|To register you as a new customer||Contact, ID and Verification.||It is necessary for the performance of a contract, (or potential contract) with you.
It is necessary for our legitimate interests (to take on new customers, expand our business and monitor our growth).
|To manage our relationship with you including any account you have with us, dealing with any questions or complaints you may have.||Contact, Account, and Transaction Data.||It is necessary for the performance of a contract, (or potential contract) with you.
It is necessary for our legitimate interests (to provide you with the services you have requested, to respond to any questions or complaints, for running our business, and to keep our records updated).
|To market new products / services that we believe may be of interest to you.||Contact, Account, Transaction, Technical, Marketing and Communications data.||It is necessary for our legitimate interests (to develop and grow our business, to study how customers use our site, to inform our marketing strategy)
With your consent (where marketing is by SMS, letter or email).
|To operate our site (e.g. troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).||Account, Technical, and Transaction Data.||It is necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud).
It is necessary to comply with our legal obligations.
|To improve the products we offer and to carry out internal training.||Technical and Transaction Data.||It is necessary for our legitimate interests (of improving our business and ensuring our staff are trained to a high standard).
It is necessary to comply with our legal obligations.
|To comply with our legal and regulatory obligations and internal corporate governance rules.||Contact, ID Verification, Transaction, Account, Technical, Marketing and Communications Data.||It is necessary for the performance of a contract, (or potential contract) with you.
It is necessary to comply with our legal obligations.
We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. If you need details about the specific legal ground we are relying on to process your personal data then please contact us. If we need to process your personal data for a different purpose that is not compatible with the original purpose, then we will let you know. Please note that we may also process your personal data for a different purpose than listed above and without your consent where it is necessary for us to comply with our legal obligations.
HOW CAN YOU OPT OUT OF MARKETING?
We only directly market to you by SMS and email where it is legally allowed, for example where you have consented, or where you have purchased (or negotiated to purchase) a product from us and did not chose to opt out. When directly marketing to you we may use a combination of the data we hold about you to form a view on what we think you would be interested in.
We only want to market to those who actually want to hear from us. You can ask us to stop sending you marketing messages at any time by:
- Selecting the opt-out link on any marketing message sent to you; or
- Emailing firstname.lastname@example.org with your request.
If you do opt-out of marketing from us, please note that we may still need to contact you for reasons other than direct marketing (for example to carry out anti-money laundering checks or to update your regarding your investment).
WHO IS YOUR DATA SHARED WITH?
We may share your personal data with the following third parties for the purposes set out in the table above:
- Wellesley Group companies;
- Services providers including identity verification providers, anti-money laundering providers, data storage and shredding services providers.
- Financial platform providers (e.g. the Share Centre).
- Financial or payment processors where you are trying to arrange a payment to or from us.
- Other banks and financial institutions who you authorise us to deal with in order to switch your financial services (e.g. the Share Centre).
- Contractors who help us to provide you with services, such as IT, cloud, telecommunications, security, client relationship management and system administration services.
- Marketing, communications, advertising and public relations suppliers.
- Professional advisers, such as auditors, accountants and solicitors.
- Our Group Companies and ultimate shareholders.
- Your professional advisers (if you have requested and authorised us to do so).
- HM Revenue & Customs, National Crime Agency, local authorities, law enforcement agencies, regulators and other authorities (both inside the UK and outside of the UK).
- The Financial Conduct Authority, Bank of England, and the Financial Ombudsman Service in relation to our regulatory obligations as a financial institution.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal data in the same way as set out in this policy.
International transfers of your personal data
We may share your personal data with (or provide access to) third parties that are based outside of the European Economic Area (EEA). Whilst most of our suppliers are based in the EEA, we do use suppliers located outside, including in the United States of America and India.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- We may use specific contracts approved by the European Commission which give personal data the same protection it has in EEA.
- Where we use providers based in the USA we may alternatively transfer your data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data as is provided in the EEA.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
HOW DO WE KEEP YOUR DATA SECURE?
As a financial institution, we take the security of your data very seriously. We have implemented a number of reasonable and necessary security measures in order to try and prevent unauthorised access. For example:
- We use entry controls in our offices to control who can access secure areas.
- We limit who can access our computer network, and certain parts of our computer network, to specific personnel.
- We put agreements in place with third parties we work with to regulate the processing, security and confidentiality of data.
- We regularly review, monitor and audit our suppliers.
If we become aware of a data breach we will notify the Information Commissioner’s Office in a timely manner. We may also notify you if we believe the breach is serious.
HOW LONG DO WE KEEP YOUR DATA FOR?
We store your personal data for different periods of time depending upon the purposes for which we collected it and we do not store your personal data for longer than is necessary to fulfil these purposes. We retain your personal data throughout our relationship with you, and usually for up to 7 years after your final investment with us has finished or you have closed your account.
Please be aware that as a financial institution, we may need to retain your personal data for longer in order to comply with our legal, regulatory and accounting obligations.
In order to determine how long we store your personal data for, we take into consideration why we need to continue to store your personal data, whether we can achieve the same result without having access to your data, and what the potential risk is if there is a data breach that affects your data.
Occasionally we may anonymise data which means that it is no longer associated with you. We do this for statistical or research purposes so we can improve the services we offer to you. We can use anonymous data indefinitely without further notice to you.
WHAT RIGHTS DO YOU HAVE?
You have the following rights over your personal data:
- To ask us for details of the personal data we hold and process about you (this is usually called a subject access request).
- To ask that any inaccurate information we hold about you is corrected.
- To ask that we delete personal data we hold about you
- To ask that we stop using your personal data for certain purposes.
- To ask that we do not make decisions about you using completely automated means.
- To withdraw your consent.
- To ask that we give you the personal data we hold about you, or (where technically feasible) that we give this personal data to a third party chosen by you, in a commonly-used machine-readable format.
These rights are not available to everyone all the time. Some are subject to exemptions, and so we may not always be able, or required, to comply with your request to exercise these rights. Further details about your rights can be found on the Information Commissioner’s website: https://ico.org.uk/global/privacy-notice/your-data-protection-rights/
To exercise any of the above rights, please contact us using the details included at the start of this policy and provide us with as much information as you can so we can respond as soon as we can. We may ask you to provide proof of identity (for example, your passport or driving licence) before we fully respond as we have to be sure we are giving the correct personal data to the correct individual.
We usually respond to data subject requests within one month, but it can take longer if your request is particularly complex or if you have made a number of requests. You will not usually have to pay a fee, but we reserve the right to charge a fee if your request if clearly unfounded, repetitive or excessive; alternatively we may refuse to comply with your request.
You also have the right to complain to the Information Commissioner’s Office, the UK supervisory authority for data protection issues. Before exercising this right, we encourage you to contact us first to resolve any complaint you may have, although this is not legally required. More details can be found here: www.ico.org.uk.
WHAT ABOUT CHANGES TO THIS POLICY?
We reserve the right to update this policy to reflect any changes to the way in which we collect, process or share your personal data, or to reflect any legal requirements. When we make any changes, we will upload the new version to our site. The new version will take effect as soon as it is uploaded.
This policy was last amended on 3 July 2018 and supersedes any earlier versions.