Effective Date: 25 May 2018
TABLE OF CONTENTS
- WHO WE ARE
- WHAT PERSONAL INFORMATION WE COLLECT
- HOW WE USE YOUR PERSONAL INFORMATION
- CHILDREN’S PERSONAL INFORMATION
- COLLECTION OF INFORMATION THROUGH AUTOMATED SYSTEMS
- WHO WE SHARE YOUR PERSONAL INFORMATION WITH AND WHY
- HOW WE KEEP YOUR PERSONAL INFORMATION SECURE
- YOUR RIGHTS
- HOW TO CONTACT US
- At Carrick, we respect your privacy and the confidentiality of your personal information. As such, we are committed to protecting your privacy and ensuring that your personal information is collected, processed and stored appropriately, lawfully and transparently.
- Personal information refers to information about you that is personally identifiable, like your name, address (including e-mail address), or phone number, amongst others.
- For our various clients, the following data protection laws govern the way we collect, manage, store and use your personal information:
- for European Union (“EU”) and United Kingdom (“UK”) residents – the General Data Protection Regulation (“GDPR”) was introduced on 25 May 2018 and reinforces the obligations and duties of organisations processing and collecting personal data and introduces new rights for those data subjects within the European Economic Area (“EEA”) and the UK whose data is being held and/or processed;
- for our South African residents – the Protection of Personal Information Act, 4 of 2013 (“POPI”); and
- for our Mauritian residents – the Data Protection Act, 20 of 2017 (“DPA”).
- Who we are;
- What personal information we collect;
- How we use your personal information;
- Children’s personal information;
- Collection of information through automated systems;
- Who we share your information with and why;
- How we keep your information secure;
- Your rights;
- How to contact us; and
- Carrick shall always strive to ensure that personal information is:
- processed lawfully, fairly and in a transparent manner in relation to any data subject;
- collected for explicit, specified and legitimate purposes and not further processed in any manner incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal information is erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data information is processed; and
- processed in accordance with the rights of data subjects.
WHO WE ARE
- The Carrick corporate group (hereinafter collectively referred to as the “Carrick Group” and individually as “Carrick”) is made up of various independent entities based around Southern Africa which provide the Services to our clients.
- As per the data protection legislations’ terminology, Carrick will be considered the “data controller” when receiving, storing and using your personal information when you make use of our Websites or in providing you with the Services, and as a “data processor” on behalf of the third-party product providers with whom you invest. However, where you make use of the services of a third-party product provider, said third party will be considered the “data controller”.
- In the above instances, Carrick would recommend that you consult the privacy policies of the above third parties for further information regarding their collection, use and processing of your personal information.
WHAT PERSONAL INFORMATION WE COLLECT
- Personal information refers to information and/or data which identify you or could be used to identify you, such as your name and contact details, your financial details and/or your employment history, inter alia.
- Carrick will only collect, use and process your personal information where we have a legal basis for doing so, which may be for one or more of the following:
- to facilitate the provision of our Services to yourself;
- to enable Carrick to operate and improve our business as a financial service provider;
- for compliance with a legal obligation; or
- where you have consented to Carrick using and/or collecting your personal information for a particular purpose.
- In order to provide you with our Services we collect certain personal information about you, such as your name, address, phone number, financial details and other information. We collect this information about you when you:
- use our Websites and secure online services;
- contact us about products and/or services;
- apply for and receive our Services;
- visit one of our financial advisers;
- enter an incentive and/or competition which we are running;
- engage with us on one of our social media platforms; and/or
- register to receive one of our newsletters.
- The type of personal information we collect will depend on the purpose for which it is collected and will include:
- information that you provide by filling in forms on our Websites, which may include personal information provided at the time of subscribing to our newsletters, applying for employment with us, participating in surveys, incentives, competitions and/or other programs, or requesting Services or any personal information we request when you report a problem with our Websites;
- information about your income, expenses, assets, liabilities, account balances, and/or financial history;
- your contact details, including your e-mail address, physical address, telephone numbers, and (where applicable) the contact details of your next of kin;
- copies of passports or other identification evidence that you provide;
- records of any correspondence between yourself and Carrick;
- records of any surveys that we may ask you to complete that we use for research purposes, although you do not have to respond to them;
- details of transactions you carry out through our Websites and of the fulfilment of our Services to you;
- your citizenship or country of residence or similar data;
- credit checks to comply with obligations to assess your creditworthiness;
- employment information; and
- any other information that you choose to provide to us or that you consent to us collecting.
- We collect personal information directly from you. For example, we ask for personal information at the start of our relationship (i.e. when you apply for a service) and in subsequent communications in order to check your identity. This is a legal requirement and is important to help safeguard you and ourselves against potential criminal activities.
- We may also collect, use and share aggregated information such as statistical or demographic information for any purpose. Aggregated information may be derived from your personal information but is not considered personal information in law as it does not directly or indirectly reveal your identity.
- Certain categories of personal information, such as that about race, ethnicity, religion, health, sexuality or biometric information are special categories of data requiring additional protection under data protection law and are referred to here as “sensitive personal data”. Generally, we try to limit the circumstances where we collect and process sensitive personal data however, where necessary, we shall explain what information we require and the reasons why we require it.
- When authorised by yourself, we may also collect information about you from other sources such as:
- previous employers;
- your advisers; and
- external third parties.
- To ensure fair processing, your personal information will not be retained by us for longer than is necessary in relation to the purposes for which it was originally collected. To determine the appropriate retention period for your personal information, we will consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure thereof, the purposes for which it was processed and whether the purpose can be achieved through other means as well as any applicable legal or tax requirements regarding the retention of information.
- Records of personal information may be retained for periods in excess of the aforementioned for historical, statistical or research purposes, subject to us establishing appropriate safeguards against the records being used for any other purpose and or we have de-identified (to the extent that it cannot be re-identified) such record(s).
- We will actively review the personal information we hold and securely delete and/or dispose thereof, or in some cases anonymise it, when there is no longer a legal, business or client need for it to be retained.
HOW WE USE YOUR PERSONAL INFORMATION
- At Carrick, we collect, use and process your personal information for a variety of purposes.
- To perform our Services for you and to support and maintain that relationship, which includes the following:
- assessing and processing an application for our Services;
- providing our Services to you, including the management of our relationship with you and your product providers, or any other agent (if you have one);
- carrying out our obligations arising from and exercising our rights under any agreements between yourself and Carrick;
- carrying out transactions you have requested and/or authorised;
- monitoring or recording telephone calls with you to resolve any queries or issues;
- record keeping ensuring our services operate within the law and relevant regulatory requirements; and
- providing other services (i.e. enhanced due diligence and online services).
- To comply with legal and regulatory requirements, such as the following:
- confirming your identity for regulatory purposes; and
- detecting and preventing fraud, money laundering, terrorist financing, bribery or other malpractice.
- For specific business purposes to enable us to provide you with the appropriate Services and a secure experience, which include the following:
- verifying your identity for security purposes;
- enhancing, modifying and personalising our Services for your benefit;
- providing communications which we think will be of relevance to you;
- providing you with information about other Services we offer that are similar to those that you have already taken up or enquired about;
- client satisfaction research or statistical analysis;
- responding to enquires or complaints from you relating to our Websites and/or Services;
- audit and record keeping purposes;
- to process and assess your application for employment with us;
- enhancing the security of our network and information systems;
- maintaining effective management systems including internal reporting to our parent company and other members of the Carrick Group; and
- any other way that you have specifically consented to.
- We may further process information on the basis that there is a legitimate interest, either to you or to us, of doing so. Where we process your information on this basis, we do after having considered:
- whether the same objective could be achieved through other means;
- whether processing (or not processing) might cause you harm; and
- whether you would expect us to process your data, and whether you would consider it reasonable to do so.
- You have the right to object to us processing your personal information for the business purposes listed above.
CHILDREN’S PERSONAL INFORMATION
- Our Websites and Services are not intended for use by children. We do not knowingly collect personal information from children under the age of 18 (eighteen) years. If we become aware that a child under 18 years of age has provided us with personal information, we take immediate steps to delete such personal information.
- Where we do collect, store and use personal information from children, it is only done where you, as the holder of parental responsibility over your child, have given consent or authorised such collection, use or storage in order for us to provide our Services to you, as our client, and carry out our obligations arising from and exercising our rights under any agreements between yourself and Carrick.
COLLECTION OF INFORMATION THROUGH AUTOMATED SYSTEMS
- In order to provide you with a more personalized and responsive service, we need to remember and store information about how you use our Websites. This is done by means of cookies.
- A ‘cookie’ is a small text file generated by a website and saved by your web browser on your device’s hard drive. Your web browser sends these cookies back to a website on each subsequent visit so that it can recognize you and remember things like your user preferences. You can find more detailed information about cookies and how they work at http://www.aboutcookies.org/.
- You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your web browser’s settings to decline cookies should you prefer to do so. However, this may prevent you from taking full advantage of a website.
- Once you agree to accept cookies, the file is added, and the cookie helps analyse web traffic or lets a website know if you have previously visited its web pages.
- We or our service providers also use analytic services to help us understand how effective our content is, what interests our users have, and to improve how our Websites work.
- In addition, we use various tracking technologies to understand more about the visitors to this Website, to count visitor numbers, to track how many individual users access this Website and how often, and to identify which web pages are being used most. This information is used for statistical purposes and to improve how this Website works and it is not our intention to use such information to personally identify any user.
- Please take note that a cookie in no way gives us access to your device or any personal information about you (such as your home address, bank details or login details), other than that which you choose to share with us.
- Personal identifiers
- Requests by your web browser to our servers for web pages and other content on our Websites are recorded.
- We record information such as your geographical location, language preference, your internet service provider and your internet protocol (IP) address. We also record information about the software you are using to browse our Websites, such as the type of device and the screen resolution.
- This information is usually anonymized, aggregated and used to assess the popularity of the webpages on our Websites and how they perform in providing content to you.
- Re-marketing involves placing a cookie on your device when you browse our Websites which results in targeted adverts for our products or services being advertised to you as you browse elsewhere around the internet.
- When we collect information directly from you we shall ask you if you wish not to receive our marketing communications. Please be aware that we do sometimes send marketing communications that promote a third party’s products and/or services (for example, those of our strategic business partners) as well as our own.
- In line with the above, we shall ask if you consent to receiving marketing communications from other members of the Carrick Group or from third parties.
- We will respect your choice as to what communications you wish to receive and how these are sent.
- If you decide you no longer wish to be sent marketing communications, you can change your mind at any time. In order to stop receiving marketing communications, please contact our Marketing department at: email@example.com.
- In addition, each marketing communication we send by e-mail will also have an “unsubscribe” option which allows you to elect to stop receiving any further marketing e-mails. You may also elect to stop receiving any further text messages by replying with the word “STOP”. We aim to action requests to stop being sent marketing communications within 10 (ten) working days of receiving such requests, however it is possible that you will receive some marketing during the period prior to such change being affected.
- Please note that if you inform us that you do not wish to be sent further marketing communications, you will still receive service communications (as described above) which are necessary, for example, to confirm amendments to the Services offered to you or in relation to your retirement planning. If you request that we stop sending you marketing communications, please note that we will still retain your personal information for the purposes of indicating that you do not wish to receive such marketing communications.
- We do not sell personal information to third parties, and we only ever allow third parties to send you marketing information where you have consented for them to do so.
WHO WE SHARE YOUR PERSONAL INFORMATION WITH AND WHY
- We share your information with trusted third parties, who perform tasks for us and help us to provide our Services to you, and with other agencies where required by law, court order or regulation. These include:
- other companies within the Carrick Group;
- your financial product provider, third-party data providers used by your financial product provider and any other party requested or authorised by yourself in relation to the Services;
- third parties who perform tasks for us to help us provide our Services to you (these third parties may be based in countries outside South Africa or the EU) or who provide information processing services for us;
- a third party to verify your identity, in line with money laundering or other requirements;
- analytics and search engine providers that assist us in the improvement and optimisation of our Websites;
- organisations, including the police and fraud prevention agencies, to prevent and detect fraud;
- for audit purposes and to meet obligations to any relevant regulatory, taxing or governmental authority;
- an appointed discretionary asset manager or custodian to meet their legal and/or regulatory requirements; and
- in connection with a merger, acquisition, consolidation, change of control, sale of all or a portion of our assets, if we undergo bankruptcy or liquidation, or in connection with any other corporate change.
- We ensure your personal information is protected by requiring all Carrick Group companies to follow the same rules when processing your personal information. The Carrick Group transfers personal information to South Africa for processing.
- We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
- Some of our external third parties are based outside the EEA and the UK so their processing of your personal information will involve a transfer of data outside the EEA and the UK.
- The nature of our business means it is often necessary for us to send your personal information outside the EEA or the UK to fulfil our Services to yourself. This occurs because our business and the third parties with whom we share your personal information have operations in countries across the world.
- We may share non-personal, de-identified and aggregated information with third parties for several purposes, including data analytics, research, submissions, thought leadership and promotional purposes.
HOW WE KEEP YOUR PERSONAL INFORMATION SECURE
- We are committed to ensuring the confidentiality of the personal information that we hold and we continue to review our security controls and related policies and procedures to ensure that your personal information remains secure.
- When we contract with third parties, we require that they have appropriate security, privacy and confidentiality measures in place to ensure that personal information is kept secure.
- If we work with third parties in countries outside the EU, South Africa or Mauritius we ensure the third party receiving the personal data has provided adequate safeguards and agrees to treat your information with the same level of protection as we would.
- All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Websites, you are responsible for keeping this password safe, secure and confidential.
- Although we use appropriate security measures once we have received your personal information, the transmission of data over the internet (including by e-mail) is never completely secure. As such, we endeavour to protect your personal information, we cannot guarantee the security of data transmitted to us or by us.
- You have the right to request that Carrick:
- provide you with a copy of the personal information we hold about you;
- update or correct your personal information;
- delete your personal information; and/or
- restrict the processing of your personal information where appropriate.
- In certain circumstances you also have the right to:
- object to the processing of your personal information;
- object to automated decision making and profiling; and
- data portability.
- In order to obtain a copy of the personal information about you held by Carrick, your request is required to:
- be in writing;
- contain your name and postal address;
- details of your request;
- contain a copy of your passport and/or identification document for verification of your identity;
- be signed (not electronically, e.g. by way of an e-mail signature); and
- if applying on behalf of someone else, signed authority from said person.
- Any such written requests for personal information shall be subject to the relevant laws applicable thereto.
HOW TO CONTACT US
- Physical Address:
North Bank Lane
- E-mail: firstname.lastname@example.org
- Telephone: +27 (0) 21 201 1000
Marked for the attention of: Nicholas Andrianatos - Legal & Risk Manager
- For purposes of the GDPR, POPI and the DPA, Nicholas Andrianatos shall serve as our Data Protection Officer, Information Protection Officer and nominated representative respectively.
- If you wish to raise a complaint about how we have handled your personal information, please contact our Legal & Risk Manager (above) who will investigate the matter.
- If you are not satisfied with our response to the above, you can complain to the relevant regulator for the Carrick entity to which you are a client:
- Botswana: Non-Bank Financial Institutions Regulatory Authority, Private Bag 00314, Gaborone, Botswana.
- EU residents: the Data Protection Authority in your jurisdiction can be found at: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
- Kenya: Capital Markets Authority, Embankment Plaza, 3rd Floor, Longonot Road, off Kilimanjaro Avenue, Upperhill, P.O Box 74800-00200, Nairobi, Kenya.
- Malawi: Reserve Bank of Malawi, Registrar of Financial Institutions, Box 30063, Capital City, Lilongwe 3, Malawi.
- Mauritius and rest of the world:
- Chief Executive, Financial Services Commission, FSC House, 54 Cybercity Ebene, Mauritius; or
- Data Protection Office, 5th Floor, SICOM Tower, Wall Street, Ebene, Mauritius.
- South Africa:
- FAISOmbud, Sussex Office Park, Ground Floor, Block B, 473 Lynnwood Road, cnr Lynnwood Road and Sussex Avenue, Pretoria, South Africa; and
- The Information Regulator, SALU Building, 316 Thabo Sehume Street, Pretoria, South Africa.
- UK residents: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
- Securities and Exchange Commission of Zimbabwe (SECZ), 20 York Avenue, Newlands, Harare, Zimbabwe; or
- Zimbabwe Investment Authority, 109 Rotten Row, Harare, Zimbabwe.