About This Document
This Privacy Notice will help you understand how we collect, use and protect your personal information. If your request is for insurance products or one of our products which carries insurance such as a regulated search you should also show this notice to anyone who may be insured under your policy. If you have any queries about this Privacy Notice or how we process your personal information, please contact the Head Office by email: The Data Protection Officer or by post:
- The Data Protection Officer
- Pali Ltd. 2-4 Croxteth Avenue
- Wallasey, Wirral
- CH44 5UL
Or the address on the ICO website for the Pali office you are dealing with.
WHO WE ARE
The organisation responsible for the processing of your personal information is Pali Ltd. 2-4 Croxteth Avenue Wallasey Wirral CH44 5UL and its franchise offices. This means that we are a ‘data controller’ and a “Data Processor” under the Data Protection Act 1998 and, General Data Protection Regulations also known as the GDPR 2018. Our registration number with the Information Commissioner’s Office is Z1728068. Each office has its own Data controller and details can be found on the ICO website.
WHAT INFORMATION WE COLLECT ABOUT YOU
Personal information you may give us when you place an order via Our Website (or other Ordering Methods) or contact our customer service team, or otherwise interact with us and provide personal data about:
- in the case of a Consumer, you personally
- in the case of a Supplier, your employees (and prospective employees and contractors), your clients, business associates and potential clients and their employees. Personal information of third parties in connection with the products or services you request or order from us, such as the information disclosed in searches of public records you undertake when you use our products or services
- in the case of a Client, you or your employees or your own client
- in the case of prospective employees and contractors, you personally.
The personal data you have provided, we have collected from you, or we have received from third parties may include:
- name, address, date of birth and gender
- contact details, including telephone numbers and email address
- employment details and home ownership
- bank account number and sort code
- credit or debit card details
- other personal information required to provide our services in specific cases
When we have a “legitimate interest” in obtaining information from third parties because we cannot obtain it from you. This may include but not be limited to, references from a previous employer, positions of water and sewage pipes and meters, planning applications, building control and other certificates, Title deeds and leases.
HOW WE COLLECT INFORMATION ABOUT YOU
We collect the personal information you provide when you:
- apply to become a customer, supplier, client or user of our products or services;
- fill in and return to us a signed client form
- use our services by logging into our system or ordering products or services from us via our website, by telephone, email or in other ways
- enter personal information into our system about you or other third parties in connection with your use of our products or services
- store details of products or services you have ordered or information and data contained in the particular products or services you have ordered – for example if you order a title search which includes personal information and we store that search information so you can retrieve it again later on
- when you contact us as a prospective employee or contractor of Pali.
Most of the personal information we hold about you is that which we collect directly from you by telephone, email, our website, written correspondence or from third parties which use our service. Not all these categories will apply in every case, for example:
- each time you ask us for a quote
- each time you place an order for yourself personally or as an employee of a client
- when you purchase our products or services
- when you register to receive information from us, such as quotes
- each time you interact with us, respond to communications or surveys, or enter competitions
- when you make enquiries or raise concerns with our customer service team
- data about the property and local area you are interested in including census data about the average household size, home ownership, employment statistics, and demographics of your area, and police crime and accident statistics (which are publicly accessible)
- electoral register data that confirms your identity and address (which is publicly accessible)
- data as to the likelihood of storms and floods in your area, and soil data
- data through Land Registry, Post Office, Ordnance Survey, Companies House, The Environment Agency or other address-based data providers
- data from local authorities, water companies, sewerage undertakers and mining companies
- domestic energy assessors, commercial energy assessors, estate agents
- when you visit Our Website, we may collect any or all of the following technical data
- device Identifiers (the internet protocol address used to connect your device to the internet, your login information, browser type and version, regional settings, operating system and platform)
- data about your use of Our Website (the full Uniform Resource Locators (URL), clickstream to, through and from Our Website (including date and time), products you viewed or searches for, time spent on certain pages or screens, interaction data (such as scrolling, clicks and mouse-overs.
HOW WE PROTECTS PERSONAL DATA
Pali employ a variety of physical and technical measures to keep personal data safe to prevent unauthorised access to, use or disclosure of it. Electronic data and databases are stored on secure computer systems and we control who has access to them (using both physical and electronic means). We store personal information in computer storage facilities, paper-based files and other records. We take steps to protect the personal information against loss, unauthorised access, use modification or disclosure, and against other misuse. These steps include password protection and access privileges for accessing our IT system, encryption of data stored and physical access restrictions to paper files. Some of these services, such as hosting our computer file servers, are provided by third parties in the UK and EU we endeavour to ensure that they also have adequate privacy safeguards in place through the use of contractual measures to protect personal information and data. Because transmission of information over the internet is often insecure we do not accept responsibility for the security of information you send to or receive from us over the internet, or for any unauthorised access or use of that information by others over the internet.
TRAINING OF STAFF
Our staff receive data protection training and we have a set of detailed data protection policies and procedures which personnel are required to follow when handling personal data.
We identify those members of staff who need to be involved in administering personal information and subject them to rigorous training. Staff who are not involved in the administration of personal data are also involved in training to ensure they do not inadvertently access or divulge personal data, for instance, if contacted by telephone or email with data requests.
WHAT WE USE YOUR INFORMATION FOR AND THE LEGAL BASES FOR PROCESSING
We may store and use your personal information for the purposes of:
- administering your quotes and orders for reports (as is necessary for performance of a contract between you and us and/or as is necessary for our legitimate interests)
- carrying out anti-fraud and anti-money laundering checks and verifying your identity (as is necessary for compliance with our legal obligations and/or as is necessary for our legitimate interests)
- using your payment details to process payments relating to refunds or orders we may place with you or your company
- to administer our databases for client services, marketing, credit control and financial accounting purposes
- communicating with you about your quotes or the provision of other reports or services
- administering debt recoveries, where you owe us money under a contract or otherwise (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests)
- perform the services you have asked us to provide
- comply with a legal duty
- protect your vital interests
- remember your preferences (e.g. where you are a Supplier, if you ask not to receive marketing material, we’ll keep a record of this)
- for our own (or a third party’s) lawful interests, provided your rights don’t override these
Our “legitimate interests” as referred to above (and below) include our legitimate business purposes and commercial interests in operating our business in a customer-focused, efficient and sustainable manner, in accordance with all applicable legal and regulatory requirements.
For the purposes connected with providing our products and services to you, we may share your data with third parties, but we will not use or share your personal information for any other purpose without first obtaining your consent, unless required by law. In any event we will only use your personal data for the purposes for which it is collected, or purposes which are very similar.
Where you are a Supplier, and as an existing customer, we may wish to send you details regarding:
- new services, special offers and products offered by us
- details of meetings, events and seminars that may be of interest to our customers and clients our newsletters and other marketing publications. We may contact you inviting you to opt-in to receiving this information. This means that you will be given the choice as to whether you want to receive these messages and will be able to select how you want to receive them (email, telephone or post). You may opt-out of receiving direct marketing or the disclosure your personal information for the purpose of direct marketing by contacting our Data Privacy Officer
- by using any unsubscribe facility contained in email communications that you receive from us
- writing to us at the address in “Contact Us” on this website The information we hold is never marketed, rented or sold to any third parties.
CONSEQUENCES OF PROCESSING
If we, or a fraud prevention agency, determine that you pose a risk of fraud or money laundering, we may refuse to provide the products or services you have requested. We may also stop providing existing services to you. A record of any fraud or money laundering risk will be retained by us and the fraud prevention agencies. It may also result in others refusing to provide products, services, financing or employment to you. If you have any questions about our processing of your data for fraud purposes, please contact our Data Protection Officer at the details provided above.
WHO WE SHARE YOUR DATA WITH
Where relevant given the nature of the products and services provided to you, directly or through a third party, we may also share your information with the following categories of third parties:
- insurance underwriters and others who are involved with the provision of insurance services to you alongside us (as is necessary for the performance of a contract between you and us)
- third party data suppliers, as explained under “How we collect information about you” (as is necessary for our legitimate interests)
- third party service providers who support the operation of our business, such as solicitors, search agents, other search companies, anti-money laundering companies, insurance providers, water companies, local authorities, our regulating bodies and IT providers.
OTHER DATA CONTROLLERS
Using your data for fraud prevention, the personal data you have provided, we have collected from you, or we have received from third parties, may be shared with fraud prevention agencies. Please contact our Data Protection Officer if you would like details of the agencies we share your data with. These often change, please contact our Data Protection Officer if you would like details of our current panel.
PROCESSING OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA)
The personal information that we collect from you, and which is shared with some fraud prevention agencies, may be transferred to and processed in a destination outside of the EEA. It may also be processed by staff operating outside the EEA who work for one of our suppliers. In these circumstances, your personal information will only be transferred on one of the following bases:
- the country that we send the data is approved by the European Commission as providing an adequate level of protection for personal information; or
- the recipient has agreed with us standard contractual clauses approved by the European Commission, obliging the recipient to safeguard the personal information (in particular, our transfer of personal information to suppliers in India and the United States for marketing, IT development and IT testing purposes are protected in each case by the use of appropriate model clauses); or
- there exists another situation where the transfer is permitted under applicable data protection legislation (for example, where a third party recipient of personal data in the United States has registered for the EU-US Privacy Shield)
To find out more about how your personal information is protected when it is transferred outside the EEA (and if you wish to obtain a copy of the appropriate and suitable safeguards), please contact our Data Protection Officer using the details above.
HOW LONG YOUR INFORMATION IS KEPT
We will retain your personal information for a number of purposes, as necessary to allow us to carry out our business. Your information will be kept for the minimum period required consistent with performing the service you have requested or to comply with current legislation. For example, a local search may be retained until it is superseded by another search which could be some years later. Energy Performance Certificates will be required by subsequent purchasers of property up to ten years after they are produced. These data retention periods are subject to change without further notice as a result of changes to associated law or regulations. If you have any questions in relation to the retention of your personal data, please contact our Data Protection Officer at the details provided above.
Under the Data Protection Act 1998 you have the following rights:
- to obtain access to, and copies of, the personal information that we hold about you
- to require that we cease processing your personal information if the processing is causing you damage or distress
- to require us not to send you marketing communications
Under GDPR from 25 May 2018, you will also have the following rights:
- to require us to erase your personal information
- to require us to restrict or object to our data processing activities
- to receive from us the personal information we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal information to another data controller
- to require us to correct the personal information we hold about you if it is incorrect
SUBJECT ACCESS REQUESTS
Individuals have a right to access their Personal Data held by Pali. A request for this information is commonly known as a Subject Access Request(‘SAR’).
All SARs, whether by telephone, post, email or other means must be recorded and reported to Compliance on the same day as the request is received. Compliance will contact the customer to establish the reason for the request if this is not already evident.
GDPR does not permit Pali to charge a fee to comply with a subject access request except in exceptional circumstances. Where the request is manifestly unfounded or excessive Pali may charge a “reasonable fee” for the administrative costs of complying with the request.
Pali must comply with the SAR within one month of receipt. The time to respond can be extended by a further two months if the request is complex or the organisation has received a number of requests from the individual. Pali will let the individual know within one month of receiving their request if the response time is being extended and explain why the extension is necessary.
Any information contained within relevant files/documentation, but which relates to a third party should generally be removed or redacted before disclosure is made. There are other grounds upon which Pali may decline to disclose files/documentation (for instance where they are subject to legal privilege) and advice in this regard should always be sought from Pali General Counsel or Compliance.
Once a request has been made, Personal Data can only be amended or deleted between the time of the request and the time when the information is supplied if this would have taken place regardless of the request.
Compliance will be responsible for ensuring that information is released in accordance with the relevant data protection regulations.
Please note that these rights may be limited by data protection legislation, and we may be entitled to refuse requests where exceptions apply.
You can find out more about your rights under data protection legislation from the Information Commissioner’s Office website