Privacy Notice

This Privacy Notice aims to give you information on the personal data we collect and process in relation:

• this website (https://www.scottandco.uk.com/)
• any communication you have with us
• the services we provide to clients

Scott & Co (Scotland) LLP will normally be a data processor acting upon a written contract with our client who are the data controller. There are occasions when we are joint or sole data controller.

We always establish a lawful basis for processing where we are a data controller. This is set out in more detail in section 2.

This Privacy Notice does not extend to the use of personal data by other third-party websites that are linked from our website, whether we provide those links or whether they are shared by other users. We have no control over how your data is collected, stored or used by third parties and we recommend that you check the privacy policies of any such websites before providing any data to them.

We may collect your personal data through various means, including our website, email or other electronic correspondence, by telephone, by direct contact, of if you voluntarily submit it, and where we are otherwise required by law to collect personal data.

The way in which we process your personal data will depend on how we interact with you, whether you are a client or a customer, and the nature of the service we are providing.

The table below explains how we process personal data for the services we provide to clients as well as any other activities that involve processing personal data.

UK Data Protection legislation defines certain personal data as special category such as data relating to your ethnic origin, physical health and mental health.

If we identify potential or actual customer vulnerability, we may ask for details, we never compel a customer to provide special category data and will always ask for consent to record the personal data on our case management system.

Sometimes we receive special category data to support a particular matter. Where special category data is volunteered for a specific purpose, we deem that consent has been received for that specific purpose only.

We may share special category data with our client, as the joint data controller, or other internal departments to ensure the enforcement is managed appropriately and in line with our legal obligations.

Data security is of great importance to us and to protect your data we have put in place suitable physical, electronic, and managerial controls to safeguard and secure data collected through our website or otherwise

When using our website and related service, information may travel through third party infrastructures that are not under our control. We do not accept any responsibility or liability for third party privacy policies linked to our website.

We use high level encryption software on our IT networks to prevent access to your personal information. Unfortunately, the internet is never a completely secure environment. We cannot guarantee hackers or unauthorised personnel will not gain access to your personal information despite our best efforts.

We have put in place confidentiality clauses or confidentiality agreements (including data protection obligations) with our third-party service providers and require all third parties to respect the security of personal data and to treat in accordance with the law.

Notwithstanding the security measures implemented, it is important to remember that the transmission of data via the internet may not be completely secure and that you are advised to take suitable precautions when transmitting personal data to use via internet.

The data that we collect may be transferred to, and stored at, a destination outside the UK/European Economic Area (“the EEA”) at third party suppliers (the EEA consists of all EU member states, plus Norway, Iceland and Liechtenstein).

We will only transfer data to a recipient outside the UK/EEA where we are permitted to by law. For example:

• Where the transfer is based on standard data protection clause adopted or approved by the European Commission;
• Where the transfer is to a territory that is deemed adequate by the European Commission; or
• Where the recipient is subject to an approved certification mechanism and the personal data is subject to appropriate safeguards, of an exemption applies

We establish a lawful basis for processing where we are the data controller, and we will only keep personal data for the minimum period necessary to perform the lawful basis for processing.

We have a system of retention periods which are regularly reviewed by the Data Protection Officer. Where the information is no longer required, we will ensure it is disposed of or deleted in a secure manner.

We will only share personal data with third parties or within the Group for the specific purposes set out below and where we have confidentiality clauses and confidentiality agreements (including data protection obligations) in place:

• We may share your data with our client where they have instructed us. We will only do this where our client is data controller for the specific case.
• We may sometimes contract with third parties to supply services to you on our behalf. These may include payment processing, correspondence management, and mailing. In some cases, the third parties may require access to some or all of your data. Where any of your data is required for such a purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, our obligations, and the obligations of the third party under the law
• We may also disclose your personal information to third parties in the event that we expand or reduce all or part of our business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets. If our business or substantially all of its assets are acquired by a third party, personal data held by us about our customers, clients and website users will be one of the transferred assets and the new owner or newly controlling party will, use the data for the purposes for which it was originally collected by us.
• We may compile statistics about the use of our website including data on traffic, usage patterns, user numbers, sales and other information. All such data will be anonymised and will not include any personally identifying information. We may, from time to time, share such data with third parties such as prospective investors, affiliates, partners and advertisers. Data will only be shared and used within the bounds of the law.
• In certain circumstances we may be legally required to share certain data held by us, which may include your personal nformation, for example, for compliance or regulatory purposes, where we are involved in legal proceedings, or where we are complying with the requirements of legislation, a court order, or a governmental, investigative or taxation authority. We do not require any consent from you in order to share your data in such circumstances and will comply, as required, with any legally binding request that is made of us. In these circumstances we may be prevented by the police, courts, or a similar authority from pre-notification or being as transparent as with other data processing activities.
• We may share your data in pursuing a third party’s legitimate interest. This may include situations where we are required to go beyond our specific legal obligations set in laws and regulations to assist law enforcement or private stakeholders in their efforts to combat illegal activities, such as money laundering, fraud detection or prevention or misuse of services. However, the use of personal data in such circumstances will be restricted to data which is relevant to our services and necessary to identify you.
• We may use a credit reference agency to help identify customers.

If you have a privacy complaint, please contact the Data Privacy Team.

There is a two-stage complaint process which includes a right of appeal to the Data Protection Officer

1.Stage One

Please forward your complaint plus any supporting documentation either by post or email to:

Postal address: Data Privacy Team, Cambridge House. Cambridge Road, Harlow, CM20 2EQ

Email address: datarequest@marstonholdings.co.uk

The Data Privacy Team take all privacy concerns seriously and will investigate the matter thoroughly.

The Data Privacy Manager or Team Leader will respond to your complaint in writing. We aim to respond to complaints as soon as possible, but at the latest within one calendar month of receipt.

2.Stage Two

If you are unhappy with the stage one response from the Data Privacy Team you can appeal directly to the Data Protection Officer.

Please forward your appeal to dpo@marstonholdings.co.uk or alternatively write to the Data Protection Officer at the above address.

The decision of the Data Protection Officer is our final response and the end of the internal complaints process.

You have the right to raise a complaint at any time or obtain advice from the Information Commissioners Office (ICO), the UK regulator for data protection issues (www.ico.org.uk).

The ICO prefer that you exhaust our internal complaints process before you bring the matter to their attention.

We would also appreciate the chance to properly investigate the matter and report our findings back to you.

When we investigate a complaint, we may need to share personal data with the organisation you have an outstanding debt with and with other relevant bodies.

All complaints will be dealt with in strict confidence; however, we are usually required to disclose the complainant’s identity to whoever the complaint is about.

• When you submit information via our website, you may be given options to restrict our use of your data. In particular, we aim to give our clients and website users strong controls on our use of their data for direct marketing purposes (including the ability to opt-out of receiving emails from us, which you may do by unsubscribing using the links provided in our emails and at the point of providing your details).
• You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service the Corporate Telephone Preference Service and the Mailing Preference Service. These will help to prevent you receiving unsolicited marketing by phone/mail. Please note, however, that these services will not prevent you from receiving marketing communications that you have consented after signing up.

Under certain circumstances, you have the following rights under data protection laws in relation to your personal data. The rights available to you depend on our reason for processing your information and (in most cases) we have one calendar month to respond to your request:

You may access certain areas of our website without providing any data at all. However, to use features and functions available on our website you may be required to submit or allow for the collection of certain data.

You may restrict your internet browser’s use of Cookies. For more information, see section 11 and our Cookie Policy https://scottandco.uk.com/cookie-policy/

If you believe that any of your personal data we process is incorrect or incomplete, please contact us as soon as possible using the contact details at the top of this Privacy Notice. We will promptly correct or remove any information that is incorrect.

You have the right to settle or close your customer account and request that your personal information be removed from our website or other records.

Upon the closure of your account, we are not obliged to retain your information and may delete any or all of your account information without liability unless it is specifically required for legal reasons.

If you request an account closure, we may retain basic residual information about you in our backup and/or archival copies of our database. This will be deleted in accordance with our data retention policy

You have the right to ask us for copies of your personal data. This right always applies.

There are some exemptions, which means you may not always receive any or all or the information we process. If an exemption applies, we will always explain it to you

For example, you may not receive full copies of original documents because your right of access only covers personal information. Other information may be redacted. If it is important that you receive full copies of original documents, you may want to telephone our customer contact centre instead.

You can submit your Data Subject Access Request in writing to complaints@scottandco.uk.com or verbally through our Customer Contact Centre.

You have the right to ask us to rectify data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies

You have the right to ask us to erase your personal data in certain circumstances.

If an exemption applies, we will always explain it to you. For example, we would not normally erase a live court order as we have a lawful basis for processing that does not rely on your consent.

You have the right to ask us to restrict the processing of your information in certain circumstances. If an exemption applies, we will always explain it to you.

You have the right to object to processing in certain circumstances. If an exemption applies, we will always explain it to you.

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us to another organisation or third party or give it to you. The right only applies if we are processing information based on your consent or under a contract with you and the processing is automated

Our website may place and access certain first party Cookies on your computer or device. First party Cookies are those placed directly by us and are used only by us. We use Cookies to facilitate and improve your experience of our website and to provide and improve our services.

By using our website, you may also receive certain third-party Cookies on your computer or device. Third party Cookies are those placed by websites, services, and/or parties other than us. For more details, please refer to Our Cookie Policy: https://scottandco.uk.com/cookie-policy/

We have appointed a Data Protection Officer (DPO) who is responsible for this Privacy Notice. If you have any questions about this Privacy Notice, please contact the DPO in one the following ways:

Email address: dpo@marstonholdings.co.uk

Postal address: DPO, Scott & Co (Scotland) LLP, Cambridge House, Cambridge Road, Harlow CM20 2EQ

ICO registration number is ZA126202

If you would like to understand or exercise your privacy rights, please see section 8 of this Privacy Notice.

We may change this Privacy Notice as we may deem necessary from time to time, or as may be required by law. Any changes will be immediately posted on our website together with the version number and date. If the change in Privacy Policy materially impacts our data subjects, then we will also communicate with them directly.

We recommend that you check this page regularly to keep up to date. This Privacy Notice was last updated in November 2023.