Privacy & cookies

Data Privacy Notice

This Privacy Notice explains how J.M. Finn & Co Ltd (“we”, “us”, “our” or “JM Finn”) uses the personal data that we collect and receive about you and how we look after that personal data. It also provides information on how the law protects you, your privacy rights, and how you can exercise them.

We take your privacy very seriously. We use a combination of technical, organisational and physical security measures to manage and protect your personal data in accordance with data protection law. Our employees receive training to help us comply with data protection law and safeguard your privacy.

If you provide us with personal data about someone else we’ll assume that you have their permission, where required. We’ll process their personal data according to this Privacy Notice so please encourage them to read it if they want to find out more.

This Privacy Notice is the data protection notice referred to on our website, CCTV notices and supplier terms and conditions. Where your personal data is collected in connection with a job application, or through our use of CCTV or door security at our premises, in addition to the general information set out in this notice as a whole, please note in particular the additional details specific to those uses in the Job Application and CCTV sections, as applicable.

  1. Who we are

    1. J.M. Finn & Co Ltd, a company registered in England and Wales at 25 Copthall Avenue, London, EC2R 7AH with company number 05772581, is the controller of your personal data for the purposes of data protection law including the UK General Data Protection Regulation and the Data Protection Act 2018.
  2. How you can contact us

    1. If you have any questions about the information in this Privacy Notice or how we use your personal data, you can contact our Data Protection Manager at DPM@jmfinn.com or:

      Data Protection Manager
      J.M. Finn & Co. Ltd
      25 Copthall Avenue
      London
      EC2R 7AH
  3. Sources of Personal data we collect

    1. We obtain personal data directly from you, including when you:
      1. communicate with us;
      2. access and use our website; 
      3. apply for a job with us;
      4. visit our premises; or 
      5. supply us, or the business you work for supplies us, with goods or services.
    2. We may also obtain personal data from third parties, including:
      1. government and law enforcement agencies, consumer reporting, anti-fraud and other financial crime detection agencies, databases and sanctions lists;
      2. regulators who regulate how we operate, including the Financial Conduct Authority, Prudential Regulation Authority, Information Commissioner’s Office and Financial Ombudsman Service;
      3. publicly available sources such as Companies House internet searches, news articles and other media stories, online marketplaces and social media sites, apps, and networks (e.g. X formerly known as Twitter, Facebook, and Instagram), online registers, the Office for National Statistics (e.g. census data) and other data made available under the Open Government Licence;
      4. JM Finn group companies, where we already hold personal data about you, e.g. in relation to any previous interactions or relationships we have with you;
      5. your employer where you engage with us in the context of your employment; 
      6. our third-party suppliers (including background check providers); or
      7. third parties in connection with any acquisition of a business by us.
  4. Types of personal data we collect

    1. The personal data we collect, hold and process includes:
      Information provided by you or third parties, including:
      1. Authentication data: such as account log-in information, passwords, and memorable data, for the purposes of accessing our website.
      2. Contact data: such as your address, mobile and landline telephone numbers, email address.
      3. General data: such as your name, date of birth.
      4. Employment Information:  such as your job title, office location, details of your employer, business contact details and on occasion alternative contact details should we need to contact you urgently.
      5. Payment records: such as invoices, expenses claimed, or any other payment records and remittances including records of VAT and other taxes.
      6. Financial details: bank details or other financial information necessary to facilitate payment for goods or services you provide including invoices and credit notes.
      7. Performance records: information as to your performance in providing goods and services.
      8. Information inferred from any of the above data.

        Information collected when you engage with us or use our services includes:
      9. Information collected from your devices: when you use our website or when you receive or respond to emails we send you, we automatically collect technical information about your browsing actions and patterns and your equipment such as your mobile device number, device type, operating system, browser, MAC address, Internet Protocol (IP) address, location and account activity obtained through our use of cookies. We collect this personal data by using cookies and other similar technologies. Please see our cookie policy on our website at www.jmfinn.com for further details. 
      10. Recordings: we record telephone calls, video conferences, and other electronic communications with our website, representatives, and call centres.
  5. How and why we use your personal data

    1. The main purposes for which we use personal data are as follows:
      1. to identify you: we use identification and verification information in order to manage your account.
      2. to communicate with you and other individuals: we use contact information you provide so that we may appropriately communicate with you, provide you information about JM Finn, and answer your questions and enquiries.
      3. to manage and improve our website: we use technical data collected when you use our website to facilitate and improve the operation of our website and associated services.
      4. to undertake or improve our supplier on-boarding and management processes: we may use personal data to perform due diligence on you or your employer to determine your or their suitability as a supplier or to evaluate the performance of potential and current suppliers and communicate with you or your employer in connection with this process.
      5. to administer our business relations: we may use personal data to facilitate our business relationships including undertaking commercial agreements, administering our payment processes, maintaining our accounts and records, and otherwise managing our business relationships.
      6. for health and safety purposes: we may use information relating to any actual or potential accidents or incidents at our premises or involving our assets, equipment or staff to manage, respond to, remedy or report on them or to improve our health and safety measures or compliance.
      7. to provide training: we may use your personal data to arrange training of our employees (internally or by our suppliers) and as relevant for the training of our suppliers and commercial partners and their employees and maintaining records of the completion of any such training.
      8. to prevent, detect, and investigate fraud and other crime: we may use your personal data to carry out activities that are in the public interest, including carrying out fraud, sanctions, and anti-money laundering checks and supporting law enforcement bodies in the prevention, apprehension, detection and prosecution of crime (including use of recordings as evidence in criminal proceedings).
      9. to comply with our legal and regulatory obligations: we use your personal data (only to the extent required) to enable us to comply with our legal obligations, including sharing your personal data with our auditors, law enforcement agencies, regulators (for example, the Financial Conduct Authority, courts, or other public authorities) and to comply with anti-discrimination laws and government reporting obligations.
      10. to investigate breaches of law or our internal policies or to assist in the defence of any civil litigation: we may process your personal data to determine compliance with our internal policies, establish, exercise, enforce and defend our legal rights or those of third parties, including enforcing our contracts and terms and conditions, pursuing available remedies, and limiting our damages.
      11. to maintain our records and ensure and improve data quality and accuracy: we may process your personal data in the course of maintaining and administering our internal records. This includes using your personal data to ensure that the information we hold about you is kept up to date and accurate.
      12. to manage our business and risk: we may use your personal data in connection with taking out and maintaining appropriate insurance and reinsurance and managing our operations, including carrying out internal audits, risk monitoring, quality assurance and training, financial analysis and accounting, producing management information, reporting or analytics, business continuity purposes, accounting purposes, financial planning and performing administrative activities in connection with the services, testing and changing systems, governance, business, IT and communications systems continuity and disaster recovery, document and data storage, and ensuring the quality and reliability of the products and services we provide. 
      13. to buy, sell, transfer, or dispose of any part of our business.
  6. How we use your personal data for marketing

    1. We may use personal data to send you direct marketing communications about our events, products and services that we think you’ll be interested in or to keep you informed of news and insights about JM Finn’s services and products. This may include marketing relating to products or services offered by other brands or companies within the JM Finn group as well as communications about promotions and prize draws.  We may also contact you to ask how satisfied you are with our products and services.
    2. We can only use your personal data to send you marketing communications if we have either your consent or a ‘legitimate interest’ (when we have a business or commercial reason to use your personal data). The legitimate interest we rely on must not conflict unfairly with your own interests.
    3. The personal data we hold about you is made up of what you tell us, and data we collect when you use our services, or from outside organisations we work with. We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.  This is called profiling for marketing purposes. You can contact us at any time and ask us to stop using your personal information this way.
    4. Marketing communications may be sent by email, post, telephone and push notification. You may also see display advertising on websites, mobile applications, social media, radio, television or in online search results.
    5. If you would like us to stop contacting you for marketing purposes, we offer simple ways to do this. Whenever you receive direct marketing you will be told how you can unsubscribe. You can also choose “unsubscribe” on any email marketing communications we send to you.  
    6. Please note that opting out of one type of marketing, e.g. by email or telephone, doesn’t mean you will be opted out of all marketing.  Please bear this in mind when you manage your preferences. You can always contact us directly if you would like us to stop all forms of direct marketing.  If you opt out of receiving marketing we will still send you communications relating to your products and services, e.g. to tell you about any changes to them. 
    7. Promotions and prize draws. We occasionally run promotions and prize draws for our customers and third parties. Our communications to you about these promotions before you enter them are marketing. If you opt out of receiving direct marketing, you will not receive communications about promotions and prize draws. We may use your personal data to select you as a winner, inform you of promotion outcomes and send prizes to your nominated address. We may use third party fulfilment partners to assist us in administering promotions, including contacting you on our behalf. In accordance with the rules of the Advertising Standards Authority, we may publish or make publicly available information that indicates that a valid award has taken place. If we do this, only your surname, country and, if applicable, your winning entry, will be published. You have the right to object to this use of your personal data.
    8. Cookies and similar technologies.  We use third-party advertising technology (such as the deployment of cookies or small text files on our website or pixels within emails) to collect information about you. This technology is used to optimise what you may see on our websites and deliver content when you are browsing elsewhere. We may also collect information about your use of other websites. We do this to help us improve our own products and services (but not to provide you with advertising based on what we believe you might be interested in).  You can tell us not to collect data while you are using our websites, customer portal or mobile apps. For further information about cookies and other technologies we use on our website and how to manage cookies, please see our Cookie Policy at www.jmfinn.com
    9. Social media and online platforms.  We share personal data with media agencies and social media and other online platforms to help us target our online marketing. Social media and other online platforms may also use personal data they hold and combine it with personal data received from us to create target audiences. These are audiences that we think would be interested in our online advertising. This may involve social media and other online platforms building a ‘lookalike’ profile of the type of person we are trying to target and providing specific adverts to those people when they browse the internet or use social media.
    10. If we use or share personal data with third parties in order to send you direct marketing, we will respect the marketing preferences you have set or notified to us. We recommend you regularly review the privacy notices and any preference settings that are available to you on our website, customer portal, apps and any online platforms and smart devices you use as they will determine how adverts and other messages are displayed and shared across those platforms.
  7. Our processing in connection with a job application and offer

    1. If you are applying for a job or other role with us, in addition to the sources of information referred to in the Sources of personal data we collect section, we may also obtain personal data from:
      1. your recruitment agent or other representatives that engage with us as part of the recruitment process including a contracting agency, partnering education institute, or other similar entity.
      2. your previous employers, referees or other relevant individuals or entities that assist us in vetting your employment application.
      3. the Disclosure and Barring Service in respect of criminal convictions.
      4. third parties who provide you or us with services including actuaries, legal advisers, accountants, auditors and professional service firms, sanctions-checking and enhanced due diligence and contact data verification / enrichment service providers.
    2. When you apply for a job with us, in addition to the information outlined at the Types of personal data we collect section, we also collect, hold and process the following information:
      1. General data: such as your date of birth, place of birth, nationality and country of residence/citizenship;
      2. Professional details: such as occupation, career history, professional or academic qualifications, the information provided on your application form, CV/resume and application letter or during any interview(s), criminal records (as necessary for vetting purposes and in accordance with applicable law) and other information provided as part of your application, including results of tests performed as part of application;
      3. Identification details: such as government issued identification numbers including your national insurance number and tax identification number, documents such as your passport, drivers licence, birth certificate, and proof of addresses, social media identifiers, immigration/visa status and any other personal data we may collect about you to comply with our regulatory obligations;
      4. Vulnerability and other sensitive and special category data: such as information about your mental and physical health, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin; political opinions, religious or philosophical beliefs and trade union membership; criminal offence data, including information about criminal activity, allegations (including those unproven), investigations, proceedings, and penalties (collectively “Sensitive Personal Data”);
      5. Background checks: information obtained as a result of our investigations and screening processes including any Fraud, Anti-Money Laundering and sanctions data, background checks or credit checks performed e.g. carrying out checks of publicly available sources such as newspapers and social media sites, information obtained from checks of fraud databases and sanctions lists such as relationships/close associations with politically exposed persons;
      6. Associated third parties: information about others such as your referees (and the contents of any reference provided), your appointed agents, advisers, or attorney; and
    3. In addition to the purposes outlined at the How and why we use your personal data section, when we collect information in connection with a job application we may also use your personal data for the following purposes: 
      1. recruitment process: we use information collected in the course of your application for employment to make hiring decisions and determine your suitability and fitness for employment. This includes verifying information you provide to us, completing reference and background checks and assessing your skills and qualifications, determining your right to work in the United Kingdom, determining whether your engagement is deemed employment for the purposes of the Income Tax (Earnings and Pensions) Act 2003, communicating with you in relation to the process, determining the terms on which you work for us and generally managing the recruitment process;
      2. employment records: if you are accepted for a role, information collected as part of the recruitment process will form part of your staff member record. If you are unsuccessful, we will retain your application to consider you for other roles and for internal reporting;
      3. health information: we may use Sensitive Personal Data as to your disability status, mental or physical health in order to consider whether we need to provide appropriate accommodations during the recruitment process (and, if required, to provide those accommodations), or to assess your fitness to carry out work;
      4. diversity information: we may use Sensitive Personal Data about your race or national or ethnic origin, religious, philosophical or moral beliefs or your sexual life or sexual orientation for equal opportunity monitoring and reporting purposes; and
      5. conviction information: we may collect Sensitive Personal Data about your criminal convictions history if we would like to offer you work (conditional on checks and any other conditions, such as references, being satisfactory). We are entitled to carry out a criminal records check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. Depending on the sensitivity or seniority of the role we may conduct either a standard or basic criminal check. 
      We also need to process your personal information to decide whether to enter into a contract of employment with you.
    4. Having received your CV, covering letter and/or your application form and the results from any test or assessment which you take, we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the work. If we decide to offer you the work, we will then take up references and carry out a criminal record check and any other check before confirming your appointment.
    5. If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.
    6. Automated decision making: You will not, as part of any job application process, be subject to decisions that will have a significant impact on you based solely on automated decision-making.
    7. Updates to information: It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the application process. 
  8. Our use of CCTV and monitoring of security door access

    1. We use closed circuit television (“CCTV”) in and around our premises.  CCTV captures images in real time wherever the cameras are pointed.  There are signs in place to inform you where cameras are in use. We believe that the use of CCTV has a legitimate role in helping us maintain a safe and secure environment for staff and visitors to our premises.
    2. When you visit our premises we may collect, hold and process:
      1. CCTV footage information including photos, videos, or audio recordings of you and any vehicles you use (including their registration numbers); and
      2. Door entry data: details of any security pass assigned to you and when, how often and where you entered and exited the premises.
      We do not deliberately set out to capture any special category personal data through the use of CCTV. However, cameras may incidentally record information which falls within these categories.
    3. In addition to the purposes outlined at the How and why we use your personal data section, the main purposes for which we use CCTV Footage and door entry data (which may include photos, videos and audio recordings of you, or logs of your access to the premises) are:
      1. to monitor access to and use of our premises and systems;
      2. to maintain the security of our premises, technology, assets and data, including to act as a deterrent against and detect crime and disorder, reduce the fear of crime and protect our buildings and assets from damage, disruption, vandalism and other crime; and 
      3. for health and safety reasons, including the general personal safety of our employees, other members of staff, visitors to our premises and other members of the public and to help us and the emergency services respond appropriately in the event of accident, incident or disaster.
    4. We have no planned regular or scheduled sharing of CCTV footage with any external organisation. Should this situation change, this Privacy Notice will be updated and reissued, to keep you fully aware of how we plan to use CCTV footage which you may be captured in.  CCTV footage will only be processed internally by our staff who are authorised to do so and any other departments where there is a legitimate and lawful reason for their involvement.
  9. Lawful basis for processing personal data

    1. We only ever use your personal data where we have a lawful basis for doing so.   Depending on the purpose of our processing, the lawful basis will be one of the following:
      1. Compliance with a legal obligation: Where we need to comply with a legal obligation.
      2. Consent: Where you have provided your consent to the processing for one or more specific purposes.
      3. Legitimate Interests: Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.
      4. Performance of a contract: Where we need to perform the contract we have entered into with you.
    2. We may also use your personal information in the following situations, which are likely to be rare:
      1. Vital Interests: Where we need to protect your interests (or someone else's interests).
      2. Public Interest: Where it is needed in the public interest. 
    3. The lawful bases on which we intend to rely for the main purposes for which we use personal data are as follows:

      | Purpose | Lawful Basis for Processing Personal Data |
      | --- | --- |
      | General purposes including use of website, suppliers, and job applicants | |
      | Identify you | Compliance with a legal obligation; Legitimate Interests; Performance of a contract |
      | Communicate with you and other individuals | Compliance with a legal obligation; Legitimate Interests; Performance of a contract |
      | To manage and improve our website | Legitimate Interests |
      | Complete and improve the supplier on-boarding process | Compliance with a legal obligation; Legitimate Interests; Performance of a contract |
      | Administer our business relations | Compliance with a legal obligation; Legitimate Interests; Performance of a contract |
      | Health and safety information | Compliance with a legal obligation; Legitimate Interests; Protection of the vital interests of a natural person |
      | Provide training | Compliance with a legal obligation; Legitimate Interests; Performance of a contract |
      | Prevent, detect, and investigate fraud and other crime | Compliance with a legal obligation; Legitimate Interests; Public Interest |
      | Comply with our legal and regulatory obligations | Compliance with a legal obligation; Public Interest |
      | Investigate violations of law or breaches of internal policies | Legitimate Interests; Performance of a contract; Public Interest |
      | Maintain our records and ensure and improve data quality and accuracy | Compliance with a legal obligation; Legitimate Interests; Performance of a contract |
      | Manage our business and risk | Compliance with a legal obligation; Legitimate Interests; Performance of a contract |
      | Buy, sell, transfer, or dispose of any part of our business | Legitimate Interests |
      | Additional purposes in relation to Job Applicants | |
      | Recruitment process | Compliance with a legal obligation; Legitimate Interests |
      | Employment records | Compliance with a legal obligation; Legitimate Interests; Performance of a contract |
      | Health information | Assessment of working capacity; Compliance with a legal obligation; Legitimate Interests |
      | Diversity information | Compliance with a legal obligation; Legitimate Interests |
      | Additional purposes in relation to CCTV footage and door entry data | |
      | Secure our premises, technology, and data | Legitimate Interests; Performance of a contract; Public Interest; Protection of the vital interests of a natural person; Compliance with a legal obligation |

    4. Where we rely on legitimate interests as our lawful basis the interests being relied upon will usually be to:
      1. further our business and commercial activities and objectives, or those of a third party, e.g. to obtain the relevant information to make recruitment or procurement decisions and produce management information on our performance and the performance of third parties;
      2. comply with our legal and regulatory obligations, guidelines, standards, and codes of conduct, e.g. performing background checks or the prevention, detection and investigation of financial crime or fraud;
      3. retain records for a period of time in order to ensure we have appropriate records in place in respect of any potential regulatory enquiries or any future claims that may be made against us;
      4. safeguard our business, premises and assets, shareholders, employees, visitors and customers, or those of a third party, e.g. maintaining the security of our IT network and information and enforcing claims, including debt collection; or
      5. facilitate the purchase, sale, transfer, or disposal of any part of our business.
  10. Sensitive Personal Data

    1. We only collect and use Sensitive Personal Data where we have an additional, specific lawful basis to process such information. In general, we will not process Sensitive Personal Data about you unless it is necessary for performing or exercising obligations or rights in connection with employment. On rare occasions there may be other reasons for processing such as it is in the public interest to do so. 
    2. We usually rely upon one of the following lawful bases where we process Sensitive Personal Data:
      1. for reasons of public interest: 
        1. insurance purposes - including advising on and arranging contracts of insurance;
        2. complying, or helping someone else comply with, a regulatory requirement relating to unlawful acts and dishonesty - including regulatory requirements to carry out money laundering checks and health and safety requirements;
        3. preventing or detecting fraud, crime or unlawful acts – including investigating alleged fraud and disclosures to regulators and enforcement authorities; or
        4. equality of opportunity or treatment – including where we need to keep under review the equality of treatment of applicants with additional support needs.
      2. to protect your vital interests, or those of another person, where you are physically or legally incapable of giving consent (for example in the event of a health and safety emergency);
      3. where necessary to establish, exercise or defend a legal claim – including where we are faced with legal proceedings, we bring legal proceedings ourselves or where we are investigating legal proceedings that a third party has brought against you; or
      4. where information has been clearly or obviously made public by you.
    3. If we are unable to rely on one of the above lawful bases to process your Sensitive Personal Data for a particular purpose, we will seek your explicit consent.
  11. Who we share your personal data with

    1. We may share your personal data with our parent company (which is based in Belgium) and other JM Finn group companies and third parties in connection with the purposes above and in order to provide you with services and products, including to:
      1. service providers who:
        1. perform services that we outsource such as printing, postage, hosting our events, providing external communications, and processing inbound web enquiries;
        2. provide IT services and support and software; 
        3. provide security services; or
        4. perform data analytics and provide data services  and search engine operations that assist us with the development, improvement and optimisation of our website, services and products and measuring the effectiveness of our marketing.
      2. our insurers (either directly or through insurance brokers) or those of third parties (for example to provide CCTV footage should there be an incident involving car accidents or damage to cars parked on our premises).
      3. our professional advisers (such as our accountants, auditors, lawyers, and compliance consultancies).
      4. regulators who regulate how we operate, including the Financial Conduct Authority, Prudential Regulation Authority, HM Revenue & Customs, Information Commissioner’s Office and the Advertising Standards Authority, the police, and the courts.
      5. government agencies and regulatory bodies including the police, emergency services and courts.
      6. third parties in connection with any prospective or actual sale, restructure, merger, takeover, transfer or disposal of all or part of our business or product or service lines, including a transfer of any duties or rights to you under our contractual agreement with you. Any new provider will continue to use your personal data for the same purposes unless you are notified otherwise.
    2. We also may share your personal data with your attorney (acting under a power of attorney) and third parties you have a direct contractual relationship with (such as your appointed agent or organisations you ask us to share your personal data with). In these instances the third party is likely to also be a controller of your personal data for their own purposes. We ensure that we have in place strong data sharing protocols with these third parties to govern and guide the sharing of your personal data in these circumstances.
    3. Sending data outside the UK. Our parent company and some of the organisations we share personal data with are based overseas and potentially outside of the UK and European Economic Union. Sometimes we, or third parties acting on our behalf, may need to transfer personal data outside of the UK. We will always take steps to ensure that any transfer of personal data outside the UK is carefully managed to protect your privacy rights and ensure that adequate safeguards are in place. This may include transfers to countries that the UK considers will provide adequate levels of data protection for your personal data (such as countries in the European Economic Area) or putting contractual obligations in place with the organisation we are sending personal data to.
  12. How we protect your personal data

    1. The security and confidentiality of your personal data is extremely important to us. We have technical, organisational, and physical security measures in place to:
      1. protect your personal data from unauthorised access and improper use;
      2. secure our IT systems and safeguard personal data; and
      3. ensure we can restore your data in situations where the data is corrupted or lost in a disaster recovery situation.
    2. Where appropriate, we use encryption or other security measures which we deem appropriate to protect your personal data. We also review our security procedures periodically to consider appropriate new technology and updated methods. But, despite our reasonable efforts, no security measure can ever be perfect or impenetrable.
  13. How long we keep your personal data

    1. We keep personal data for as long as is reasonably required for the purposes explained in this Privacy Notice. We also keep records – which may include personal data – to meet legal, regulatory, tax or accounting needs. We will also retain files if we reasonably believe there is a prospect of a dispute or claim. The specific retention period for your personal data will depend on your relationship with us and the reasons we hold your personal data.
    2. When determining the period for retaining your personal data, we take into account factors including:
      1. whether there are any existing obligations we may owe you or you may owe us;
      2. whether you require any follow-up communications;
      3. the likelihood for potential or actual disputes;
      4. legal obligations under applicable law to retain data for a certain period of time; and
      5. guidelines issued by the Information Commissioner’s Office.
    3. To support us in managing how long we hold your data and our record management, we maintain a data retention policy which includes clear guidelines on data retention and deletion.
  14. If you choose not to give us your personal data

    1. We may need to collect personal data by law, or to enter into or fulfil a contract we have with you. If you choose not to give us this personal data, it may delay or prevent us from fulfilling our contract with you, or doing what we must do by law. It may also mean that we cannot provide some or all of our products and services to you and therefore have to cancel them.
    2. We sometimes ask for information that is useful, but not required by law or a contract. We will make this clear when we ask for it. You don’t have to give us these extra details and it won’t affect the products or services you have with us.
  15. Your rights

    1. You have certain legal rights regarding your personal data, which are summarised below. We may ask you for proof of identity when you make a request to exercise any of these rights. We do this to ensure we only disclose personal data to the right individual.
    2. If you want to exercise any of these rights, please contact our Data Protection Manager at:

      J.M. Finn & Co. Ltd
      25 Copthall Avenue
      London
      EC2R 7AH
      Email: DPM@jmfinn.com
    3. We try to respond to all valid requests within one month. It may take us longer if the request is complicated or you have made several requests. We will let you know if we think a response will take longer than one month. We may also ask you to provide more detail about what you want to receive or are concerned about.
    4. We may not always be able to do what you have asked. This is because your rights will not always apply, e.g. if it would impact the duty of confidentiality we owe to others, or if the law allows or requires us to keep or use your personal data or deal with the request in a different way. We will explain to you how we are dealing with your request. In some circumstances (such as the right to erasure or withdrawal of consent), exercising a right might mean that we can no longer continue a relationship with you. If that is the case, we will tell you.
    5. You have the following rights regarding your personal data:
      1. Right to be informed
        You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights. This is why we are providing you with the details in this Privacy Notice.
      2. Right of access
        You have the right to obtain a copy of the personal data that we hold about you and specified details about how we use that personal data.
      3. Right to rectification
        You have the right to ask to have your personal data corrected if you believe it is inaccurate or incomplete. We will take reasonable steps to check this for you and correct it. If we do not agree to a correction you can request us to note your challenge to the accuracy of the personal data.
      4. Right to erasure
        You have the right to ask us to delete the personal data we hold about you, where there is no compelling reason for us to keep using it. There are exceptions, for example, if our use of your personal data is necessary for compliance with our legal obligations.
      5. Right to restrict processing
        You have the right to ask us to restrict the use of your personal data if:
        • it is not accurate.
        • it has been used unlawfully but you don’t want us to delete it.
        • it is not relevant anymore, but you want us to keep it for use in legal claims.
        • you have already asked us to stop using your personal data but you are waiting for us to tell you if we are allowed to keep on using it.
        If we do restrict your personal data in this way, we can still store it but we will not use or share it in other ways while it is restricted.
      6. Right to portability
        You have the right to get certain personal data from us as a digital file, so you can keep and use it yourself, or give it to other organisations if you choose to. If you request this we will provide it to you in an electronic format that can be easily re-used, or you can ask us to pass it on to other organisations for you.
      7. Right to object
        You have the right to object to us keeping or using your personal data in certain circumstances.

        Where we rely on our legitimate interests to process your personal data, you have the right to object to this. Please see the How and why we use your personal data section to read about the circumstances in which we use your personal data on the basis of consent or for our legitimate interests.
      8. Right to withdraw your consent
        You can withdraw your consent at any time. This will only affect the way we use personal data when our reason for doing so is that we have your consent. This can be done by emailing DPM@jmfinn.com.
      9. Right to make a complaint
        You can exercise your rights by contacting us as set out above in the How to contact us section. You also have the right to make a complaint to the Information Commissioner’s Office if you are unhappy with how we have handled your personal data. Details of how to do this are set out in the How to make a complaint section.
    6. Before assessing your request, we may request additional information from you to identify you. If you do not provide the requested information and, as a result, we are not in a position to identify you, we may refuse to action your request.
    7. We will generally respond to your request within one month of receipt of your request. We can extend this period by up to an additional two months if this is necessary taking into account the complexity and number of requests that you have submitted.
    8. We will not charge you for such communications or actions we take, unless:
      1. you request additional copies of your personal data undergoing processing, in which case we may charge for our reasonable administrative costs, or
      2. you submit manifestly unfounded or excessive requests, in particular because of their repetitive character, in which case we may either: (a) charge for our reasonable administrative costs; or (b) refuse to act on the request.
    9. If you are not satisfied with our response to your complaint or believe our processing of your information does not comply with data protection law, you can make a complaint to the relevant data protection authority as listed below in the How to make a complaint section.
  16. How to make a complaint

    1. We strongly believe in protecting the confidentiality and security of your personal data and strive to meet the highest standards when collecting and using it. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of personal data is unfair, misleading, or inappropriate. We would also welcome any suggestions for improving our procedures.
    2. If you want to make a complaint about how we have handled your personal data, please contact our Data Protection Manager at:

      J.M. Finn & Co. Ltd
      25 Copthall Avenue
      London
      EC2R 7AH
      Email: DPM@jmfinn.com
    3. If you are not satisfied with our response to your complaint or believe our processing of your personal data does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office by:
      1. reporting a concern on their website: ico.org.uk/make-a-complaint
      2. writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; or
      3. calling: 0303 123 1113
  17. Other websites

    1. Our website may link to other websites that have their own privacy notices. We are not responsible for the content of any other website, or how they process your personal data. We recommend that you read the relevant third-party privacy notice before continuing to access or browse any other website.
  18. Changes to this Privacy Notice

    1. This Privacy Notice may be updated from time to time. The most recent version can be found on our website at www.jmfinn.com.
    2. This Privacy Notice was last updated on 5th December 2023.