Privacy Policy

Sequoia Circle LLP needs to gather and use certain information about individuals.

Internally, we need to gather information on our employees. Externally, we need to gather information from our clients and contractors / suppliers working on behalf of Sequoia Circle LLP.

This policy will detail how we collect personal data, how we handle it and how we store it to successfully meet the company’s data protection standards and to comply with the General Data Protection Regulations.

Why This Policy Exists

This data protection policy ensures that Sequoia Circle LLP:

  • Complies with the General Data Protection Regulation;

  • Follows good practice;

  • Protects the rights of our staff and customers;

  • Is transparent about how we store and process personal data; and

  • Protects itself from the risks of data breaches.

The General Data Protection Regulations

The General Data Protection Regulations 2018 give details of how organisations must collect, store and handle personal data. These rules apply to data stored both on paper and by electronic means.

The General Data Protection Regulations have seven principles that every organisation must adhere to. Data must be:

  • Processed lawfully, fairly and in a transparent manner;

  • Collected for a specified, explicit and legitimate manner;

  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  • Accurate and, where necessary, kept up to date;

  • Kept for no longer than is necessary;

  • Processed in a manner that ensures appropriate data security; and

  • The Data Controller must be responsible for and be able to demonstrate compliance with all of the above principles.

Policy Scope

This policy applies to:

  • All staff of Sequoia Circle LLP; and

  • All contractors, suppliers and others working on behalf of Sequoia Circle LLP.

We will have access to certain pieces of information provided by you that will include:

  • Names of individuals;

  • Postal addresses;

  • Email addresses;

  • Contact number(s) & other contact details;

  • Personal financial details including policy information; and

  • Personal family details.

Risks

This policy is put in place for protection from:

  • Failing to offer a choice – all individuals should be free to choose whether or not the company holds data about them;

  • Breaches of confidentiality – information being given out inappropriately or to the wrong recipient; and

  • Reputational damage – Sequoia Circle LLP could suffer reputational damage if someone outside of the business gains access to the data we hold.

Responsibilities

All members of staff at Sequoia Circle LLP have a responsibility for ensuring data is collected, stored and handled in accordance with the General Data Protection Regulations.

Staff Guidelines

Those who will have access to data will only do so for reasons of their job.

Sequoia Circle LLP will provide training to all members of staff to aid their understanding of the General Data Protection Regulations and their responsibilities.

Strong passwords must be used and they should never be shared.

Personal data should not be disclosed to unauthorised people, either within the company or externally.

All data should be regularly reviewed and updated if it is found to be out of date. If the data is no longer required, it should be disposed of.

Data Storage

Data should be safely stored.

Data stored on paper, or kept electronically and then printed out, should be kept in a secure place where unauthorised people cannot see it – although Sequoia Circle does have a paperless office policy.

All staff must ensure paper and printouts are not left where unauthorised people can see them.

Data printouts should be shredded and disposed of securely when no longer required.

If data is stored electronically, data should be protected by strong passwords and never shared. Where allowed, two-factor authentication should be enforced for all users.

If data is stored on removable media, e.g. a memory stick, the data should only be uploaded to approved cloud computing services.

Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.

Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.

All services and computers containing data should be protected by approved security software and a firewall.

Data Usage

Sequoia Circle LLP will only hold data that they have legally obtained to use.

When working with personal data:

  • Staff will lock screens of unattended computers;

  • Staff should not share the data informally;

  • It must be encrypted before being transferred electronically; and

  • Should never be transferred outside the European Economic Area unless it is listed within the EU Commission’s list of countries or territories providing adequate protection.

Data Accuracy

The General Data Protection Regulations requires Sequoia Circle LLP to take reasonable steps to ensure data is kept accurate and up to date.

It is the responsibility of the employees to take all reasonable steps to ensure that data is kept as accurate as possible.

Data will be held in as few places as necessary.

Employees should take every opportunity to ensure data is updated.

Sequoia Circle LLP will make it easy for data subjects to update the information the company holds about them.

Data should be updated as and when inaccuracies are discovered.

Subject Access Requests (SARs)

Individuals whose data is held by Sequoia Circle LLP are entitled to:

  • Know what information the company holds on them and the reasons why;

  • Know how to gain access to the data;

  • Be informed on how to keep it up to date; and

  • Be informed on how the company is meeting its data protection obligations.

Subject Access Requests should be made by email to the data protection officer.

The data protection officer will need to verify the identity of the individual making the request.

Individuals will not be charged for this request unless it is deemed excessive. The data protection officer will supply this to you within one month of the request being made.

Exceptions

In some circumstances, Sequoia Circle LLP will disclose personal data without prior consent. Where Sequoia Circle LLP is required by the FCA, the Financial Ombudsman Service or a court of law to provide information, we will do so with or without your consent.

Reporting a breach

Sequoia Circle LLP take personal data breaches very seriously. If we believe we have breached your personal data rights, we will contact the ICO within 72 hours. We will do everything we can to identify the breach and help minimise the consequences.

A letter will be sent with the relevant information attached, including steps we have taken and steps we recommend taking to minimise any consequences.