The information that you trust us with is important, and we are committed to protecting and respecting your privacy. This Privacy Notice is intended to be read in conjunction with your Client Agreement.
When we use “Amber River C&M”, “we”, “our” or “us”, we’re referring to any one of our entities, which are listed at the end of this privacy notice. All our legal entities are registered in either Scotland or England, and all may act as data controller of your personal information.
This Privacy Notice provides information on how we as a data controller collect and process personal data relating to clients and prospective clients (and, where applicable, client’s employees, advisers, agents, family members, dependants and other related parties including co-trustees), including why we collect your personal information and under what circumstances we may disclose your personal information to others.
We may from time to time update this Privacy Notice. Please refer back to this page regularly to see any changes or updates to this Privacy Notice.
The kind of information we may hold about you
We have grouped together the various types of data we may hold about you as follows:
Identity Data may include names, title, dates of birth and pronoun preferences and personal identifiers such as your national insurance number and tax file number and images of you;
Contact Data may include addresses, telephone numbers, work and personal email addresses, emergency contact details or details of next of kin and communication preferences (such as your marketing preferences);
KYC Data may include copies of passports and/or driving licenses and utility bills, data received in connection with anti-money laundering and/or due diligence activities (including politically exposed persons and sanctions checks) and data related to any public comments about you by statutory or regulatory authorities;
Financial Data may include details of your personal financial situation such as your earnings, assets, investments, financial products, mortgages, banking activity and bank account details;
Correspondence Data may include any other data which you provide to use in correspondence, telephone calls, video calls, client surveys, feedback and/or documents;
Technical Data may include details relating to your use of our IT systems and our websites;
Special Category Data may include details of sensitive personal data or special categories of personal data about you in your capacity as our Client or potential Client, if it is necessary in the provision of our services (this includes information about your health).
Where we collect information about you from
We may collect personal data about you from a variety of sources:
- From you: when it is provided to us by you directly as a result of our services or proposed services for you (including where you complete client surveys or provide feedback to us);
- From third parties: when it is provided to us by third parties, including from an introducer or other third parties such as accountants, business partners or previous employers, former advisers, background checks and identity check providers, analytics providers, credit reference agencies and businesses that we may acquire or sell to and from our CCTV footage in our office premises; and
- From publicly available sources: such as Companies House.
We may also process personal data about individuals that are connected with you as a client (for example a family member or dependent). If you provide the Company with personal data relating to another individual, you agree to provide that person with this Privacy Notice before you share their personal data with us.
How will we use the information about you
We use your information in the following ways:
- To provide you with our services, manage relationships, respond to requests for services and provide information about other products or services that we think may be of interest.
- To collect information about you when you engage with us, including collecting special category data.
- To monitor, record, store and use any telephone, video call, email or other communication with you.
- To share personal data internally within the Amber River group of companies.
- To fulfil our regulatory compliance obligations including to prevent money laundering or other financial crimes, including to verify your identity.
- To comply with our legal, compliance, accounting and reporting obligations under applicable law (for example, to tax authorities or courts).
- To update and maintain a record of your contact information and preferences in receiving marketing data from us and to tailor the content of our website to provide you with a more personalised experience.
- To conduct and analyse marketing activities and to invite you to events and seminars and to participate in surveys.
- To conduct data analysis including usage of our websites, profiling and demographics analyses of our clients and website users, including for marketing.
- To anonymise and/or pseudonymise personal data for profiling and/or marketing purposes.
- To extract and use personal data for profiling and marketing purposes, including to identify potential clients with similar or shared characteristics to clients.
- To manage our relationship with you as our client and send service emails and details of products and services provided by other Amber River entities that may be of interest and to contact you for market or research purposes.
- To manage and/or improve services and communications, to collect customer feedback for the purpose of improving our services.
- To manage and effectively operate the financial affairs of our business and protect our rights and/or those of other Amber River entities.
- For internal corporate reporting, business administration, ensuring adequate insurance coverage for our business, ensuring the security of company facilities, research and development, and to identify and implement business efficiencies.
- To prospective and actual buyers of the business or assets or the share of any of the Amber River group companies.
- To manage security at our office premises where we use CCTV.
- To prevent and investigate fraud or criminal activity, to manage and safeguard our internal IT operations, including communication systems and IT security.
Our basis for processing
Our legal basis for collecting and processing your personal information depends on the information itself, how we collect it and when we collect it. We’ll only process your information when one of the following legal bases applies:
- It’s necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into such a contract.
- It’s in our legitimate interests or the legitimate interests of others (for example, to ensure the security of our website). Our legitimate interests are to:
a. Pursue and develop our business, including business development and attracting new clients;
b. Provide our services including complaint handling;
c. Prevent fraud, money laundering, sanctions, terrorist financing, bribery, corruption and tax evasion; and
d. For internal group administration.
If we rely on our (or another person’s) legitimate interests for using your personal information, we will undertake a balancing test to ensure that our (or the other person’s) legitimate interests are not outweighed by your personal interests or fundamental rights and freedoms which require protection. - It’s in our clients’ legitimate interests in receiving our services or in receiving information about other products or services;
- We have your consent (for example you have ticked a box on a form):
a. We may use your special categories of data (such as health information) where you have provided your consent (which you may withdraw at any time after giving it, as described below).
b. We may also process your personal information in some cases for marketing purposes on the basis of your consent (which you may withdraw at any time after giving it, as described below). - To comply with our legal and regulatory obligations.
Where we need to collect personal data by law or under the terms of a contract to which you are a party and you fail to provide that data when requested, we may not be able to perform the contract or enter a contract with you. We will notify you if this is the case.
Please note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us at the following address: compliance@amberrivercm.com if you need us to confirm which of the legal bases set out above we relied upon in a specific type of processing for a particular category of personal data.
Where your consent is required
If the Company wishes to use your personal data for purposes which require your consent, you will be asked to provide this and/or we will contact you to request this. In such circumstances, we will provide you with details of the personal data that we would like to process and the reason we need to process it, so that you can carefully consider whether you wish to consent. Where you do consent and we rely on consent to process your personal data, you have the right to withdraw your consent at any time, although that will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw your consent or to opt out of receiving marketing communications, please contact us at compliance@amberrivercm.com or (in relation to marketing) follow the unsubscribe instructions included in each electronic marketing communications. Once we have received notification that you have withdrawn your consent and had the opportunity to process that request, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so.
Sharing your personal data
We may share your personal data with selected third parties including:
- third party service providers (including marketing, PR and digital agencies and Google Ads) and our processors and sub-processors;
- other members of the Amber River group of companies, including for Amber River’s own business purposes and to promote the services of other members of the group, to allow us to deliver our services to you more efficiently, for quality and compliance checking purposes and/or for marketing purposes. If you have agreed to receive marketing information, you may opt out at a later date;
- third parties such as those that we engage for professional compliance, anti-money laundering verification purposes, insurance, accountancy or legal services;
- third parties (including product and platform providers) that we use to arrange financial products for you;
- third party agencies and authorities (including the tax authorities and the national crime agency) in connection with our obligations in respect of prevention of money-laundering and other financial crime; and
- prospective and actual buyers (and their advisors) in connection with the sale or the proposed sale of any of Amber River’s businesses or assets.
Where third parties are involved in processing your data as processors (on our behalf), we will have a contract in place with them to ensure that the nature and purpose of the processing is clear, that they are subject to a duty of confidence in processing your data and that they’ll only act in accordance with our written instructions.
Where we disclose your personal data to third parties, those third parties may in certain circumstances be required to process your personal data for purposes and means which they determine. For example, they may need to use your information to comply with their own legal obligations, including under anti-money laundering legislation. In those cases, the relevant service provider will be acting as a controller in respect of your personal data, and its use of your personal data will be subject to its privacy notice (which they are required by law to make available to you).
Where it’s necessary for your personal data to be forwarded to a third party we’ll use appropriate security measures designed to protect your personal data in transit. This may include encryption, password protection, courier services and other measures, as required.
Information Security
We have put measures in place designed to protect the security of your personal data that we collect and store about you. These are internal policies, procedures and controls which are designed to minimise the risk of your personal data from being accidentally lost or destroyed, altered, disclosed, used or accessed in an unauthorised way but we cannot guarantee the security of data that we collect and process, particularly over the internet.
Your personal data may be stored in different places, including within our IT systems and our processors’ systems, on our premises and within our storage facilities (virtual and physical).
We have procedures in place to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (and/or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
How long do we keep hold of your information?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We are subject to regulatory requirements to retain certain data for specified minimum periods. In addition, we take into account our legitimate interests in providing our services, including appropriate investigations and complaints handling, As such, we will typically hold your data for five years after the end of our relationship with you as a client, and in respect of certain data for pension transfers and opt-outs, we will hold your data indefinitely, to comply with our regulatory obligations.
We reserve the right to retain data for longer than the above periods provided that this retention is in compliance with applicable data protection laws.
International Transfers
Where we transfer your personal data outside the UK or European Economic Area (“EEA”), we will ensure that it is protected in a manner that is consistent with how your personal data will be protected by us in the UK or EEA. We will only transfer your personal data outside the UK or EEA if an appropriate safeguard is in place, including for example that:
- the country or territory that we send the data to is approved by the Secretary of State or European Commission (as applicable) as offering equivalent protections to those afforded by data protection law in the UK and EEA (as applicable); or
- we have put in place specific standard contracts approved by the Secretary of State or European Commission (as applicable) which give personal data the same protection it has in the UK and EEA (as applicable).
Please contact us if you want further information on the specific safeguards we use when transferring your personal data out of the UK or EEA.
Your rights in connection with your personal data
As a data subject, you have several statutory rights. Subject to specific conditions, and in certain circumstances, you have the:
- Right to be Informed about the collection and the use of your personal data.
- Right of Access. This enables you to request a copy of the information that we hold about you and check that we are lawfully processing it (commonly known as a “data subject access request”).
- Right of Rectification. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Right to Erasure. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Right to Restricting Processing. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Right to Data Portability. This enables you to request the transfer of your personal information to another party.
- Right to Object. This enables you to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Right to Withdraw your Consent. If we are processing your personal data on the basis of your consent, you have the right to withdraw such consent at any time. Withdrawing your consent will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw your consent or to opt out of receiving marketing communications, please contact us at compliance@amberrivercm.com or follow the unsubscribe instructions included in each electronic marketing communication. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Should you wish to have any further information regarding your rights, or if you would like to exercise any of these rights, please write to us at Amber River C&M, Harbour House, 1 Shore Street, Lossiemouth, IV31 6PD and compliance@amberrivercm.com
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
What can you do if you are unhappy with how your personal data is processed?
You also have a right to lodge a complaint with the supervisory authority for data protection. In the UK this is the Information Commissioner’s Office (www.ico.org.uk).
We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to your data
The personal data we hold about you needs to be accurate and up to date in order to comply with data protection law. Please let us know of any changes to your personal data so that we can correct our records.
Changes to our Privacy Notice
We may update this Privacy Notice from time to time and will ensure that any such changes to this policy are made available. We may also notify you from time to time about the any additional processing of your data by providing you with a supplementary privacy notice.
This Privacy Notice was last updated in March 2024.
Relevant Amber River C&M Entities
Amber River C&M is a trading style of Campbell & McConnachie Ltd and Julia Williams Financial Planning Ltd.
Data controller entities
Amber River Group Limited (Registered number 11942058)
Campbell & McConnachie Limited (Registered number SC314177)
Julia Williams Financial Planning Limited (Registered number SC730411)
Further Information
If you have any queries about this policy or your personal data, or you wish to submit an access request or raise a complaint about the way your personal data has been handled, please contact us:
By email: compliance@amberrivercm.com
By post: Amber River C&M, Harbour House, 1 Shore Street, Lossiemouth, IV31 6PD.