ITC Website Privacy Statement
Your personal information will be held by ITC Compliance Ltd (“ITC”) for the purpose of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
ITC is the Controller of personal data relating to the individuals within its Appointed Representatives, oversight clients and/or prospective client firms, for the purposes of monitoring and meeting regulatory requirements for the Financial Conduct Authority, relationship management, marketing and business development. This statement relates to this data only.
Personal Data We Collect
ITC collects your personal data, including information provided in various ways. Some of this data is gained directly from you, including:
- Through the use of ITC’s Learning system; interactions with ITC’s proprietary compliance systems and associated platforms; through compliance audits; in emails; during recorded telephone calls and conversations; from business cards; when registering for services; when participating in surveys; and when using ITC’s websites.
Some personal data may also be gained indirectly, such as:
- Information gained through other organisations (for example Experian) in the course of providing regulatory compliance services to you.
- Information we gather from your use of, and interaction with, our website and the devices you use to access it, using technology such as cookies.
The data that we collect will depend upon our interactions with you, your regulatory status, and the privacy settings and features that you choose. The personal data we collect normally includes names, job title, company, IP addresses and contact details such as phone numbers and email addresses. Depending upon your role, data may also include information on work history, criminal convictions, financial status and regulatory history.
The table below sets out further detail on the ways in which we will use your data.
| Personal data category | Example data fields | Legal basis for processing | How we collect this data |
|---|---|---|---|
| Personal identifiable information | Name, surname, job title/roles, company name, description (containing ad‑hoc information such as biographies, previous names), CF/SM functions, work history, criminal convictions, financial status and regulatory history, IP address, cookie strings. | Legal obligation: For meeting regulatory requirements as laid down by the Financial Conduct Authority. Legitimate interest: For evidential purposes to manage and maintain records of client/prospect relationships/communications. | Directly from you: provided during our interactions, via our learning system or website forms. Indirectly: referrals from third parties or publicly available information. Passively from you: IP address and cookies provided by your device when accessing our website. |
| Contact information | Work phone number, work email address, work mobile number, department, work address, location. | Legal obligation: To meet FCA regulatory requirements. Legitimate interest: To contact you by telephone, direct marketing or individual email to arrange meetings with our experts in relation to work. | Directly from you: provided during conversations or via website forms. Indirectly: referrals from third parties or publicly available information. |
| Audit and business development conversations | Notes of conversations, email exchanges, audit visit and follow‑up action notes, meeting notes, website enquiries relevant to oversight and business development activity. | Legal obligation: To meet FCA requirements. Legitimate interest: For evidential purposes to manage and maintain records of client/prospect relationships/communications. | Directly from you: provided during interactions, via our learning system or website forms. Indirectly: referrals from third parties or publicly available information. |
| Digital communications interaction (website, content, pages visited and compliance systems duration, webinars and associated platforms and email) | Dates and times of forms/communications completed, downloaded, opened/clicked, referral sources, search requests, opt‑in/out of email marketing. Some of this data is obtained using cookies. | Legal obligation: To meet FCA requirements. Legitimate interest: To enhance, modify, personalise or otherwise improve our services and communications; to better understand how people interact with our website and content in order to enhance the customer experience; to determine the effectiveness of promotional campaigns to inform marketing strategy. | Directly from you: via website forms or specific links (e.g. opt‑out). Passively from you: IP address and cookies provided by your computer when you access our website/systems. |
| Complaints management | Surveys, feedback and questionnaires (specific to the request). | Legal obligation: To meet requirements of the Financial Conduct Authority and the Financial Ombudsman Service. | Directly from you: provided when completing an information request. |
Our legal basis for processing personal data
ITC relies upon our Legal Obligation or Legitimate Interest bases for processing the personal data obtained from the practices outlined in the table above.
Legal obligation
In most cases we will process your personal data to enable us to comply with our obligations to the Financial Conduct Authority when acting as the Principal firm or as your primary compliance support function.
Legitimate interest
“Legitimate Interest” means the interests of our company in conducting and managing our business to enable us to give you the best services and experience. For example, we have an interest in making sure our services are relevant for you, so we may process your personal data to contact you by telephone with discussions tailored to your interests.
When we process your personal information for our legitimate interests, we make sure to consider the balance and any potential impact on you (both positive and negative) and your rights under the data protection regulation. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Our legitimate business interests may include some or all of the following:
- For evidential purposes to effectively manage and maintain records of our relationships/communications with you;
- For business development related activity such as contacting you by telephone or email to arrange meetings in relation to work or prospective work;
- To enhance, modify, personalise or otherwise improve our services and communications for your benefit;
- To better understand how you interact with our website and content in order to enhance your customer experience;
- To determine the effectiveness of promotional campaigns to inform marketing strategy.
Recipients of Personal Data
ITC shares your data with the following third‑party service providers. The data storage and processing systems are protected by access controls to minimise any risk to the integrity or security of your personal data, and the data is stored in servers in the UK and EU:
- AWS – Europe only zones
- Google Cloud
- Rackspace Cloud
ITC will ensure that any third‑party processor has adequate data protection measures in place that align with the requirements of the GDPR by conducting periodic due diligence. ITC will not share your data with any third‑party processor outside of the UK or EU.
Once ITC has received your information ITC is committed to ensuring it has all necessary technical and organisational controls in place to keep your information secure. In order to prevent unauthorised access or disclosure ITC has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information ITC collects.
Retention period
ITC will only keep your personal data for as long as necessary for the purposes for which it was gained. Personal data will be retained for the purposes of direct marketing, relationship management and business development, or where we have another legal basis for processing (such as your consent or a contract with you). ITC will review the personal data we hold periodically to check for accuracy and relevancy and to ensure that we continue to have a legal basis for processing. If the personal data is no longer necessary, or where we no longer have the legal basis for processing, we will delete or fully anonymise the data we hold on you, in line with our GDPR Policy. If your data becomes inaccurate, we will update it accordingly.
Complaints
ITC will be more than happy to help you should you have any complaints about the processing of your personal data. Under the GDPR, you have the right to lodge a complaint with the Supervisory Authority, the Information Commissioner’s Office (ICO), who are the national authority responsible for the protection of personal data. A complaint can be made to the ICO via their website: ico.org.uk or through their helpline: 0303 123 1113.
Changes to this Privacy Statement
We reserve the right to change this statement. Changes will be published on our website www.itccompliance.co.uk/privacy-statement.php and previous versions will continue to be available upon request.
Document Change Control
| Date of Issue / Latest Update | Version No | Brief Description of Change |
|---|---|---|
| 18/11/2019 | 1.003 | Previous non‑ISO format version. Old version number. |
| 14/06/2021 | 2.0 | First issue in ISO format. |
| 17/11/2023 | 2.1 | Redraft with minor amendments. |
| 17/11/2023 | 3.0 | Third issue following minor amendment and review. |