The purpose of this policy is to explain how The Hessel Group Limited collects, protects and uses personal data. We are committed to ensuring that any personal data, supplied by our customers or generated by our business activities, is collected and processed lawfully in accordance with current regulations.
What is personal data?
Personal data means any information relating to an identifiable person (you), who can be directly or indirectly identified by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including your name, identification number, location data or online identifier.
Why do Hessel collect personal data?
We collect personal data for several reasons:
Firstly, we collect and process data including personal data as a part of our normal business activities. Our lawful basis for processing data is our legitimate interest in pursuing these activities. We provide data processing and payment services to our customers and their clients and consequently we need to collect personal data about our customers and clients’ employees so that we can process data and payments on their behalf. We may also use this data for some of the following purposes:
Fraud and financial crime detection and prevention including
- Anti-money laundering (AML) Watch-lists
- Know-your-customer (KYC)
- Credit checks and risk assessments
- Politically Exposed Persons (PEP)
- Terrorist financing detection and prevention
- Anti-fraud purposes – using information gathered from various sources, such as public directories and publicly available online personal or professional profiles, to check identities when purchases are deemed as potentially fraudulent
- Defending claims, e.g. sharing CCTV images for insurance purposes
Compliance with foreign law, law enforcement, court and regulatory body requirements
- Operation of Business Conduct and Ethics Line and Reporting under the Sarbanes-Oxley Act (SOX)
- Economic sanctions and export control list screening under economic sanctions and export control laws
- Data loss prevention software and tools for compliance with data protection laws and client contractual requirements
- Compliance with requests for disclosures to law enforcement, courts and regulatory bodies, both EU and foreign
Industry watch-lists and industry self-regulatory schemes
- Industry watch-lists – non-payment, barred customers, etc.
- Relations with insurers – information to process insurance claims
- To comply with industry practices (issued by the Financial Action Task Force (FATF), Wolfsberg AML Principles, etc.)
The personal data we collect may include (but is not limited to): company name/address/size/sector, individual contact names/job titles/telephone numbers/email addresses/bank account details.
Secondly, we collect personal data about people who work for us or people who apply to work for us. We use this data for employment purposes including
- Background checks and security vetting in recruitment and HR functions
- Office access and operations
- Disaster and emergency management tools and apps
- Internal directories, employee share-point sites, internal websites and other business cooperation and sharing tools.
- Business conduct and ethics reporting lines
- Compliance with internal policies, accountability and governance requirements and corporate investigations
- Call recording and monitoring for call centre employees’ training and development purposes
- Employee retention programs
- Workforce and headcount management, forecasts and planning
- Professional learning and development administration
- Travel administration
- Time recording and reporting
- Processing of family members’ data in the context of HR records – next of kin, emergency contact, benefits and insurance, etc.
- Additional and specific background checks required by particular clients in respect of processors’ employees having access to clients’ systems and premises
- Defending claims – sharing CCTV images from premises with insurers when required for processing, investigating or defending claims due to incidents that have occurred on our premises
- Intra-corporations hiring for internal operations
Thirdly, we collect personal data because of our commercial relationships with our suppliers and potential customers who may have an interest in our services. We may also collect financial information about our customers and end users from third parties to enable us to assess the risks in granting credit terms and contact information about organisations that we consider may be interested in our products and services.
General Corporate Operations and Due Diligence
- Sharing information with other members of the corporate group
- Back-office operations
- Monitoring physical access to offices, visitors and CCTV operations in reception and any other restricted areas
- Processing of personal data of individuals at target company or related to the transaction in M&A transactions and Corporate reorganisations
- Producing aggregate analytics reported to third party content owners, especially when it is to fulfil licensing obligations
- Business intelligence
- Managing third party relationships (vendors, suppliers, media, business partners)
- Processing identifiable data for the sole purpose of anonymising/de-identifying/re-identifying it for the purposes of using the anonymised data for other purposes (product improvement, analytics, etc.)
- Discretionary service interactions – customers are identified in order for them to receive communications relating to how they use and operate the data controllers’ product
- Personalised service and communications
- Direct marketing of the same, or similar, or related products and services; including also sharing and marketing within a unified corporate group and brand;
- Targeted advertising
- Analytics and profiling for business intelligence to create aggregate trend reports; find out how customers arrive at a website; how they use apps; the responses to a marketing campaign; what are the most effective marketing channels and messages; etc.
- Ad performance and conversion tracking after a click
- Audience measurement – measuring audiovisual audiences for specific markets
- Mapping of publicly available information of professional nature to develop database of qualified professionals/experts in relevant field for joining advisory boards, speaking engagement and otherwise engaging with the company
- B2B marketing, event planning and interaction
Most of our use of personal data is necessary to enable us to provide a service to our customers. In addition, we may use personal data to improve on the level and type of service offered to our customers. We may process personal data for the purposes of key performance indicator analysis and customer statistics.
How does Hessel obtain personal data?
We obtain personal data in several ways during the process of paying our customers and end-users’ vendors and reimbursing their employees. Some personal data will be given to us by our customers and their clients so that we can provide data processing and payment services to our customers and their clients. Some personal data may be obtained directly from individuals (such as bank details) to assist us in providing expenses reimbursement.
How does Hessel use personal data?
We undertake that personal data will be
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How long does Hessel hold personal data?
Subject to any statutory or regulatory requirement to retain personal or other data:
We will purge your personal data from our systems as soon as we no longer need to hold the data. Typically, we will return all personal data and any transactional data that we have generated to our customers and clients at the termination of a contractual relationship. This means that we will no longer hold or have access to the data. We will purge our systems of personal data for employees who have left our employment and we will purge our systems of personal data from our suppliers and potential customers upon request.
To whom do Hessel disclose personal data?
We will only pass on your personal data within our internal departments, unless a prior agreement has been made with a customer or client to pass on your details, or unless we are required by law to pass on your personal data. Our service level agreements with our customers specify the flow of data within each agreement and list any organization to whom we will pass your personal data in the performance of our legitimate interests.
How does Hessel protect the personal data it holds?
We take customer confidentiality and security very seriously. We have implemented appropriate internal security procedures that restrict access to, and disclosure of, personal data. These procedures will be reviewed from time to time to determine whether they are being complied with and are effective. We will also actively investigate and cooperate with law enforcement agencies in the unlikely event that we receive any allegations of abuse or violation of system or network security.
You have the right to object to
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics
You have the right to be informed about the data that we hold:
- The Identity and contact details of the controller and the data protection officer
- Purpose of the processing and the lawful basis for the processing
- The legitimate interests of the controller or third party
- The categories of personal data
- Any recipient or categories of recipients of the personal data
- Details of transfers to third country and safeguards
- Retention period or criteria used to determine the retention period
- The existence of each of data subject’s rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
- The source the personal data originates from and whether it came from publicly accessible sources
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
- The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
You have a right of access to the personal data that we hold about you
- confirmation that your data is being processed;
- access to your personal data; and
- other supplementary information (contained in this privacy notice)
You have the right to rectification
- You are entitled to have personal data rectified if it is inaccurate or incomplete.
- If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If you ask us, we will also inform you about these recipients.
You have the right to be forgotten
- You are entitled to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
However, we may need to retain your data if it is required
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- the exercise or defense of legal claims.
You have a right to ‘block’ or suppress processing of personal data
- Where you contest the accuracy of the personal data, we will restrict the processing until we have verified the accuracy of the personal data.
- Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override yours.
- When processing is unlawful and you oppose erasure and request restriction instead.
- If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim
You have the right to data portability to obtain and reuse your personal data for your own purposes across different services.
- We will provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
- The information will be provided free of charge and within one month
If you wish to contact us regarding the personal data held about you or you have any other question about our data privacy procedures, you should send a letter to: The Hessel Group Limited, POB 139, Crowborough, East Sussex, TN6 1WW, United Kingdom.