This policy explains what information we receive about you, what we use it for, and how we keep it safe.
Personal data is information that, by itself or together with other data, can be used to identify you. The EQ Foundation (‘we’, ‘EQ’) is the controller of your information. We respect the confidentiality of your personal data and are committed to handling it securely.
The types of personal data that we collect
- Information about your use of our website, including the Internet Protocol (IP) addresses used to access our website, the pages visited and how you interact with the site.
How we collect your data
We collect personal information directly from you through:
- forms that you complete on our website
- the use of website cookies (some of which are installed via third party providers).
A cookie is a text-only string of information that a website transfers to your browser so that the website can remember who you are. Cookies in themselves contain no personal information: they typically consist of the name of the domain from which the cookie has come, a value (such as a unique, randomly generated number) and an expiry time (after which they are deleted automatically).
Can I disable cookies?
You have the ability to accept or decline cookies by modifying the settings in your browser. However, you may not be able to use certain tools or services if cookies are disabled.
How and why we use your data
We only ever use your data where:
- we have a legitimate business interest in doing so, which is not overridden by your right to privacy (which you have the right to object to);
- we have a legal obligation to do so;
- you have given your explicit consent for a specific purpose (which you may withdraw at any time).
Sharing your data
We treat all personal data as confidential. We only disclose details to third parties outside of the EQ group of companies subject to applicable data protection law:
We will never sell your details to someone else. Whenever we share your personal information, we will do so in line with our obligations to keep your information safe and secure.
Storing and processing your data
Your personal information will be stored on systems owned or operated by EQ or those of our specific suppliers. The majority of this information is processed in the UK and European Economic Area (EEA). However, some of your information may be processed by us or the third parties we work with outside of the EEA, including countries such as the United States.
Where your information is being processed outside of the EEA, we take additional steps to ensure that your information is protected to at least an equivalent level as would be applied by UK / EEA data privacy laws. For example, we will put in place legal agreements with our third party suppliers and do regular checks to ensure they meet these obligations.
We will only store your data for as long as is necessary for the purposes for which it was provided. What this means in practice will vary between different types of information. When determining the period for retaining your data, we take into account factors including:
- whether there are any existing obligations we may owe you or you may owe us;
- whether you require any follow-up communications;
- the likelihood of potential or actual disputes;
- legal obligation(s) under applicable law to retain data for a certain period of time; and
- guidelines issued by relevant data protection authorities.
In accordance with legal and regulatory requirements, this may mean that we retain your information for a number of years following the termination of your relationship with us.
In certain situations we may be required by the FCA to retain records indefinitely.
Keeping your data secure
Your information is protected by controls designed to minimise the risk of loss or damage through accident, negligence or deliberate actions. Our employees also protect sensitive or confidential information when storing or transmitting information electronically and must undertake regular training on this.
If a data breach does occur, we will endeavour to report this to the ICO and to you within 72 hours of identification of the breach.
Our security controls are aligned to industry standards and good practice, providing a control environment that effectively manages risks to the confidentiality, integrity and availability of your information.
Understanding your rights
You have several rights in relation to how we use your personal data. They are:
Right to be informed
Right of access
You have the right of access to your personal data. If you wish to receive a copy of the personal information we hold on you, you may make a data subject access request.
Right to request that your personal data be rectified
If your information is inaccurate or incomplete, you can request that it is corrected.
Right to request erasure
You can ask for your information to be deleted or removed if there is not a compelling reason for EQ to continue to have it.
Right to restrict processing
You can ask that we block or suppress the processing of your personal data for certain reasons. This means that we are still permitted to keep your information – but only to ensure we don’t use it in the future for those reasons you have restricted.
Right to data portability
You can ask for a copy of your personal information for your own purposes to use across different services. In certain circumstances, you may move, copy or transfer the personal information we hold to another company in a safe and secure way, for example if you were moving your pension to another pension provider.
Right to object
You can object to EQ processing your personal information where: it’s based on our legitimate interests (including profiling); for direct marketing (including profiling); and if we were using it for scientific/historical research and statistics.
Rights related to automatic decision making including profiling
You have the right to ask EQ to:
- give you information about its processing of your personal information
- request human intervention or challenge a decision where processing is done solely by automated processes
- carry out regular checks to make sure that our automated decision making and profiling processes are working as they should.
Accessing your information
You have a right to obtain a copy of the personal information that we hold about you: this will be collated and distributed to you within 30 days of a formal data request being made.
If you believe that any information held is incorrect or incomplete, you should contact our Data Protection Officer at our usual address. Any information that is found to be incorrect or incomplete will be amended promptly.
If you have any questions or concerns about our use of your personal information or wish to request a copy of the personal data we hold about you please contact:
The Data Protection Officer (DPO)
100 Lower Thames Street