Data Protection Compliance Statement
The Information Publishing companies (consisting, for this purpose, of Exchange Data International Limited, African Financial & Economic Data (AFED), Share Data Limited, Chancellor Publications, FinData Portal Inc and Capital Track Limited) are committed to ensuring the security and protection of the personal data that we process, and to providing a compliant and consistent approach to data protection. We have always had robust and effective data protection policies and procedures in place which comply with existing law and abide by the data protection principles.
This statement confirms our compliance with Data Protection Legislation.
‘Data Protection Legislation’: the UK Data Protection Legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK) the General Data Protection Regulation ((EU) 2016/679) and any other directly applicable European Union regulation relating to privacy.
‘UK Data Protection Legislation’: any data protection legislation from time to time in force in the UK including the Data Protection Act 2018 or any successor legislation.
We adhere to the principles relating to processing of personal data set out in the Data Protection Legislation which require personal data to be:
- Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
- Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation).
- Accurate and where necessary kept up to date (Accuracy).
- Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation).
- Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
- Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).
- Made available to data subjects, who are allowed to exercise certain rights in relation to their personal data (Data Subject's Rights and Requests).
We are responsible for and are able to demonstrate compliance with the data protection principles listed above (Accountability).
In order to ensure and maintain our data protection commitment throughout Exchange Data International Limited and Share Data Limited, and in order to demonstrate our compliance, our policies and processes include:
- Information Auditing - a group-wide information audit to identify and assess what personal data we hold, where it comes from, how and why it is processed and if and to whom it is disclosed.
- Policies & Procedures - data protection policies and procedures to meet the requirements and standards of the Data Protection Legislation, including:
- Legal Basis and conditions for processing - we have identified the legal basis for processing (and further conditions, where relevant for processing special category data and criminal offence and conviction data) and ensured that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities.
- Privacy Notices – our Privacy Notice(s) ensure that all individuals whose personal data we process have been informed of why we need it, how it is used, what their rights are, who the personal data is disclosed to and what safeguarding measures are in place to protect their personal data.
- Processor Agreements – where we use any third party to process personal data on our behalf, we have drafted compliant processor agreements and due diligence procedures for ensuring that they (as well as we) meet and understand their/our Data Protection Legislation obligations. These measures include reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the Data Protection Legislation.
- Employee awareness and training – we understand that continuous employee awareness and understanding are vital to continued compliance with Data Protection Legislation and have involved our employees in developing our policies and processes. We have implemented employee data protection training which forms part of our induction and training programmes.
- Data Retention & Erasure – Retention policies to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal data is stored, archived and destroyed securely.
- Data subject rights – procedures for responding to all data subjects' rights. Our procedures detail how to verify the data subject, what steps to take for processing a request, what exemptions apply and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate; along with any exemptions, response timeframes and notification responsibilities.
- Data Breaches – breach procedures to ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
- Information Security & Technical and Organisational Measures
  - We have robust information security policies and procedures in place to protect personal data from unauthorised access from the point of collection to the point of destruction. This includes encryption, firewalls, access controls, policies and other procedures.
  - We cannot guarantee the security of information transmitted over the Internet or that through this route unauthorised persons will not obtain access to personal data. In the event of a data breach, we have put in place procedures to deal with any suspected breach and will notify you and any applicable regulator of a breach where required to do so.
  - We restrict access to personal data we retain to only staff who need to access the information in the performance of their roles.
  - We train our staff to ensure they protect personal data.
  - Our staff are contractually obliged to maintain personal data as confidential.
We regularly evaluate and test the effectiveness of these safeguards to ensure security of our processing of personal data.
Exchange Data International Limited and African Financial & Economic Data do not transfer data outside the EEA.
There are strictly limited circumstances when Share Data Limited will send personal data outside the EEA, to the US and Canada, and these situations will only occur where necessary in order to perform the services requested from us, such as the transfer of securities where the Registrar or Transfer Agent is located in those countries, or where probate must be re-granted in those jurisdictions. There are current adequacy decisions by the European Commission, on the basis of article 45 of Regulation (EU) 2016/679, in respect of the US for U.S. companies that have signed up to the Privacy Shield framework with the U.S. Department of Commerce and also for Canada (commercial organisations). This means that those types of organisations within the US and Canada to which we transfer personal data are deemed to provide an adequate level of protection for personal information. Where transfers are made to other organisations in those countries, or to other countries where there is no adequacy decision by the European Commission, we will make the transfer only if necessary for the performance of the services you have requested from us, either on your own behalf or on behalf of the data subject you represent, or with the explicit consent of the data subject.
The Information Publishing companies have appointed a Data Protection Manager with responsibility for data protection compliance. Questions about this statement, or requests for further information, should be directed to a.woollhead @ exchange-data.com