Data Protection Policy
1. POLICY OBJECTIVES
The objective of this policy is to ensure that:
- proper procedures are in place for the processing and management of personal data
- individuals are assured that their personal data is processed in accordance with the data protection principles, that their data is secure at all times and safe from unauthorised access, alteration, use or loss
- all staff understand their responsibilities when processing personal data, and that methods of handling that information are clearly understood
- there is an appointed specialist within the organisation who has specific responsibility and knowledge about data protection compliance
- data subject access requests are dealt with promptly
The General Data Protection Regulation 2018 (GDPR) sets out six principles which govern how personal data is collected, held and processed by organisations. The GDPR has two aims:
- to regulate the use by those (known as data controllers) who obtain, hold and process personal data on living individuals; and
- to provide certain rights (for example, of accessing personal data) to those living individuals whose data is held.
Failure to comply with the GDPR can lead to a fine of up to 4% of the group’s annual turnover, or EUR 20m, whichever is higher, for serious breaches.
NAM UK will process personal data in the normal course of our business activities and will therefore be a Data Controller. Data controllers are required to appoint a DPO who is responsible for the administration of a data protection policy and providing guidance on data protection issues. All NAM employees, contractors and temporary workers (“NAM UK staff”) must comply with any directions that the DPO may give to them and any guidelines issued from time to time regarding the processing of personal data.
In summary, the 6 Data Protection Principles are:
- Personal data shall be processed fairly, lawfully and in a transparent manner.
- Personal data shall be collected only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose(s) shall not be kept for longer than is necessary.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, personal data.
The GDPR applies to data held on computers and hard-copy data, such as paper files, which are structured either by reference to individuals or to criteria relating to individuals where that personal data is readily accessible.
4.2 Personal Data
Personal data means any information that can identify a living individual (“data subject”) and includes:
- phone number
- date of birth
- national insurance number, etc.
4.3 Sensitive Personal Data
All references to personal data shall include sensitive personal data which is a sub-set of personal data and consists of the following information:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- membership of a trade union
- physical or mental health
- sexual life
- the commission, or alleged commission of, any offence
- any proceedings for any offence committed or alleged to have been committed and the outcome of such proceedings
Sensitive personal data does not include financial records or other information that individuals may regard as private or confidential.
5. PURPOSES FOR WHICH PERSONAL DATA MAY BE PROCESSED
NAM UK collects personal data for two main purposes:
5.1 Personal Data about You
Personal data will be collected about you that is required for the operation of this website, but only to the extent required by law.
5.2 Personal Data Collected About Other Parties
Personal data should be processed fairly and lawfully for the intended purpose for which it is collected.
6. DISCLOSURE, SECURITY AND RETENTION OF PERSONAL DATA
6.1 Disclosure of Personal Data
Personal data may be transferred to NAM UK’s group companies, regulators, law enforcement agencies, benefit and pension providers, healthcare providers and other companies engaged in contractual or legal activities on NAM UK’s behalf.
NAM UK will not share personal data unless there is a lawful reason or obligation for doing so.
6.2 International Data Transfers
NAM UK conducts its business activities on a global basis. Personal data will only be transferred outside of the EEA where the Company is satisfied that the third party receiving the information has sufficient security measures in place to collect, handle and process the personal data securely.
NAM UK will only transfer data internationally where it has an agreement in place with the other party that states that they protect personal data in accordance with the GDPR.
6.3 Security of Personal Data
NAM UK takes appropriate technical and organisational measures to ensure the security of personal data that it processes. Only authorised and trained individuals are permitted to access personal data.
Access to certain personal data will only be granted to specified data users within NAM UK for specific and legitimate purposes.
6.4 Retention of Data
NAM UK will not keep personal data for longer than necessary to achieve the purposes for which the information was collected and will dispose of such data safely and securely.
7. DATA SUBJECT ACCESS REQUESTS
A data subject has the right under the GDPR to request access to the records held by a Company about them. Requests must be made in writing and sent to the DPO. Under the GDPR, a Company cannot charge for the provision of such information. The Company has up to 30 days to provide the personal information.
NAM UK will not discriminate against an individual for the amount of personal data they provide and their service will not be affected by exercising their data subject rights.
All personal data processed within NAM UK is confidential. Furthermore, all NAM UK staff are required to comply with NAM UK’s Confidentiality Policy and Procedures and Nomura Group Code of Conduct.
NAM UK staff must not, except where authorised by the DPO, obtain or disclose personal data, or procure its disclosure to anyone else, without the consent of the person or body having legal responsibility for such data.
When dealing with information about other individuals (including when writing about someone in an email or other documents) all NAM UK staff should bear in mind that all personnel, as well as clients and others, may have the right to access data relating to themselves that the Company holds. Personal data should not be collected and/or processed if the subsequent release of that information may give rise to embarrassment and/or liability on the part of the Company or any personnel, or may bring the Company’s name or that of any personnel into disrepute.
9. OTHER INFORMATION
Information about your right to object under Article 21 of the General Data Protection Regulation (GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6(1) GDPR (processing to pursue legitimate interests not overridden by the Data Subjects’ interests).
If you object, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Objections do not have to follow any particular form and should ideally be sent via e-mail to: [email protected]
Our websites sometimes use “cookies”. Cookies do not cause any damage on your computer and contain no viruses. The purpose of cookies is to make our service more user friendly, effective and secure. A cookie is a small text file placed on your computer and saved by your browser.
The majority of the cookies we use are “session cookies”, which are automatically deleted at the end of your website visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognise your browser the next time you visit our site.
You can configure your browser so that you are informed about cookies stored on your computer and you can decide to accept them on a case-by-case basis. You can also block cookies in certain cases or generally, as well as activate the automatic deletion of cookies when you close your browser. If you deactivate cookies, this may restrict the functionality of this website.
9.2 Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider is Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Google Analytics uses “cookies”, which are text files stored on your computer and which allow an analysis of your usage of the website. The information generated by the cookie about your usage of this website will as a rule be passed on to a Google server in the US and saved there.
9.3 IP anonymization
We have activated the IP anonymization function on this website. This means that your IP address will first be truncated by Google within the Member States of the European Union or other states that are contracting parties to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be passed on to a Google server in the US and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your usage of the website, compile reports on website activity and provide the website operator with other services relating to the use of the website and the Internet. The IP address transmitted by your browser through Google Analytics will not be combined with other Google data.
9.4 Browser plug-in
You can prevent cookies from being saved by configuring your browser accordingly. However, we would point out that if you do this it is possible that you will not have full functionality of this website. In addition, you can prevent Google from collecting and processing the cookie data relating to your usage of the website (including your IP address) by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en
9.5 Objection to data collection
You can prevent Google Analytics from collecting your information by clicking on the following link. An opt-out cookie will be set that prevents your data from being collected when you visit this website in the future: Disable Google Analytics
For further information on how Google Analytics handles user data, see Google’s data privacy and security policy: https://support.google.com/analytics/answer/6004245?hl=en
9.6 Demographic features in Google Analytics
This website uses the “demographic features” function of Google Analytics. It allows reports to be created that contain information about the age, gender and interests of the visitors to the site. This data originates from Google’s interest-based advertising and visitor data from third-party providers. This data cannot be assigned to a specific person. You can disable this function at any time through your Google account’s ad settings, or generally disallow collection of your data by Google Analytics, as presented in the “Objection to data collection” section.
Our website uses functions of the LinkedIn networking site. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Each time you access one of our web pages containing LinkedIn functions, a connection to LinkedIn’s servers will be established. LinkedIn will be informed that you have visited our website from your IP address. If you click LinkedIn’s “Recommend Button” while you are logged into your LinkedIn account, LinkedIn will be able to link your visit to our website with your user account. Please note that as the provider of the web pages we have no knowledge of the content of the data transmitted to LinkedIn or of its use by LinkedIn.
10. USE OF THIS POLICY
This policy will be reviewed by the Company from time to time to ensure that it follows the proper practice in relation to the protection of personal data.