For the purposes of Data Protection Legislation, Gravis is a controller of personal data.
1. What information we collect about you
The personal data we collect, record and process may include:
Information you provide to us
This is likely to be determined by the nature of our relationship with you but may include:
In certain circumstances, we also collect and process what are known as ‘special categories’ of personal data (as defined by Data Protection Legislation). Money laundering, sanctions, financial crime and fraud prevention checks sometimes result in Gravis obtaining information about actual or alleged criminal convictions and offences.
Information we collect
This will include information that we generate about you during our relationship with you and may include internal files which we produce as a record of our relationship with our clients or prospective clients and any personal data you provide during correspondence with us which we may need for our business purposes or to comply with our legal obligations.
Information we obtain from other sources
In certain circumstances we process personal data provided from other sources including:
You are not obliged to provide us with your personal data where it is requested but we may be unable to proceed with your business relationship with Gravis if you do not do so.
2. How we use your information
Our primary purpose in collecting your personal information is to enable us to carry out our investment management business.
Additionally, we use your information for the following specific purposes:
3. Legal grounds for using your personal information
Data Protection Legislation permits us to process your personal data in the way that we do because the processing is:
To the extent that we process any special categories of data relating to you for any of the purposes outlined above, we will do so because either: (i) you have given us your explicit consent to process that personal data; (ii) you have made the data manifestly public; or (iii) the processing is necessary for the establishment, exercise or defence of legal claims.
Where such processing is being carried out on the basis that it is necessary to pursue our legitimate interests, such legitimate interests do not override your interests, fundamental rights or freedoms.
4. Providing your information to third parties
Where we share information with third parties we will ensure we do so in compliance with Data Protection Legislation.
Gravis does not provide information to third parties for their own marketing purposes.
5. Transferring data outside of the EEA
Personal data may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) or to countries not regarded by the European Commission as providing an adequate level of data protection. If we, or our permitted third parties, transfer personal information in this manner we will ensure that the transfer is subject to appropriate safeguards in accordance with Data Protection Legislation.
This may be done in the following ways:
• the country to which we send your personal data might be approved by the European Commission as offering an adequate level of protection for Personal Data;
• the recipient might have signed up to a contract based on “model contractual clauses” approved by the European Commission, obliging it to protect your personal data;
• where the recipient is located in the US, it might be a certified member of the EU-US Privacy Shield scheme; or
• in other circumstances the law may permit us to otherwise transfer your personal data outside the EEA.
6. Automated processing
Gravis does not carry out automated decision-making or profiling.
7. Your rights
At any time, you have the right:
• to request access to or a copy of any personal data which we hold about you;
• to rectification of your personal data, if you consider that it is inaccurate;
• to ask us to delete your personal data (“the right to be forgotten”), if you consider that there is no good reason for us to continue to process it;
• to withdraw consent to our processing of your personal data (to the extent such processing is based on previously obtained consent);
• to restrict processing of your personal data;
• to data portability (request the transfer of your personal information to another party) in certain circumstances;
• to object to your personal data being processed in certain circumstances; and
• not to be subject to a decision based on automated processing, including profiling.
Any request for access to or a copy of your personal data must be in writing and we will endeavour to respond within a reasonable period and in any event within one month in compliance with Data Protection Legislation. We will comply with our legal obligations as regards your rights as a data subject.
We will correct any incorrect or incomplete information and will stop processing your personal data, or erase it, where there is no legal reason for us to continue to hold or use that information.
We aim to ensure that the information we hold about you is accurate at all times. To assist us in ensuring that your information is up to date, do let us know if any of your personal details change.
8. How long we keep your information
We will only keep the information we collect about you for as long as is necessary to carry out the purpose (as further described above) for which it was collected, including for the purpose of satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
9. How we protect your information
We ensure there are appropriate technical, physical, electronic and administrative safeguards in place to protect your personal details from unauthorised access.
The Compliance Officer
Gravis Capital Management Ltd
24 Savile Row
You may also use these contact details if you wish to make a complaint to us relating to your privacy.
If you have any concerns about our use of your information, you also have the right to make a complaint to your local supervisory authority. In the UK, the Information Commissioner’s Office (“ICO”) is the supervisory authority for data protection issues. Further information can be found at www.ico.org.uk.