Merit IQ

Privacy Policy

MeritIQ is a global firm with offices located in Belfast, London and Dublin. Many of these jurisdictions have data protection laws that protect the privacy of individuals by regulating the way in which businesses process personal information. These laws require businesses to be open and transparent in their use of personal information.

MeritIQ is committed to ensuring that privacy is protected and it strictly adheres to the provisions of all relevant data protection legislation globally, including the European General Data Protection Regulation (GDPR). MeritIQ’s intention is to be fully transparent about how it collects, uses, processes and ultimately protects personal data under any applicable data protection laws, and MeritIQ has therefore updated its Privacy Policy, which sets out its global standard. The MeritIQ Privacy Policy can be viewed below.

The GDPR requires businesses that contract with a data processor to ensure that their contracts or arrangements for services contain certain contractual assurances. MeritIQ will, in the provision of services to clients (with the exception of liquidation services), to the extent it processes personal data, act as “data processor” and it has therefore produced a Data Processing Addendum which provides contractual assurances to its clients. The Addendum can be viewed below.

To the extent that MeritIQ accepts applications from candidates for employment, MeritIQ acts as a controller under GDPR. To that extent it has adopted Privacy Notices, which can be accessed here.

If you have any questions about how MeritIQ holds personal information, the contents of this page, or if you would like to be removed from our database, please contact: info@meritIQ.com

MeritIQ will endeavour to respond satisfactorily to any request, query, or complaint you may have. However, if you wish to make a formal complaint, or if you simply wish to learn more about your rights, you can contact the relevant data protection regulatory authority, as follows:

Dublin:
Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, https://www.dataprotection.ie/

United States:
No current single national authority.

Data Protection Addendum

  1. This Data Processing Addendum (the Addendum) will apply from 30 September 2019 and will thereafter be incorporated into all arrangements, agreements and contracts (Agreement) under which members of the MeritIQ Group (each, and together MeritIQ) provide services, to the extent that in doing so they act as a ‘data processor’ (as defined in applicable Data Protection Law). Where a client of MeritIQ already has in place a signed Data Processing Agreement or Amendment Agreement to incorporate data processing provisions (DP Agreement), and there is any conflict with the terms of this Addendum, the terms of the DP Agreement will prevail.
  2. For the purpose of this Addendum:
    • Data Protection Law shall mean all applicable data protection law, which may include, (i) with effect from 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) including any amendments thereto and any applicable consequential national data protection legislation and guidance and codes of practice issued by any relevant European data protection supervisory authority.
    • Entity means the person or entity that has entered into an Agreement with MeritIQ.
    • Relevant Data Protection Authority means the relevant independent public authority responsible for monitoring the application of the relevant Data Protection Law.
    • MeritIQ Group means all direct and indirect subsidiaries of MeritIQ.

  3. MeritIQ acknowledges that in providing the services under the Agreement MeritIQ may process personal data on behalf of the Entity.
  4. In such circumstances, MeritIQ acknowledges that the Entity is a data controller and MeritIQ is data processor and the parties agree that:
    (a) MeritIQ processes personal data, as may be specified in the privacy notice of the Entity, on behalf of the Entity in the context of providing the Services under the Agreement. The obligations and rights of the Entity shall be as set out in this Addendum;
    (b) MeritIQ will only process such personal data in accordance with the documented instructions of the Entity unless required to do so under applicable laws to which MeritIQ is subject. In such a case MeritIQ shall inform the Entity of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
    (c) MeritIQ shall ensure that the persons authorised by MeritIQ to process such personal data are bound by appropriate confidentiality obligations;
    (d) MeritIQ shall implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Law and to ensure the rights of the data subject;
    (e) MeritIQ shall take all measures to ensure a level of security of processing required pursuant to Data Protection Law;
    (f) MeritIQ is authorised to engage sub-processors to undertake processing on its behalf, provided that it provides the Entity with prior notice in writing containing details of the sub-processors that it engages and informs the Entity of any intended changes concerning the addition or replacement of such sub-processors and provides the Entity with a reasonable opportunity to object to such changes. In certain circumstances the Entity may engage or contract directly with agents, delegates or representatives of MeritIQ in which case such agents, delegates or representatives are not considered sub-processors of MeritIQ for the purposes of this Clause and Clause (g) below and, instead, are considered to be processors on behalf of the Entity;
    (g) where any sub-processor of MeritIQ will be processing such personal data on behalf of the Entity, MeritIQ shall ensure that a written contract exists between MeritIQ and the sub-processor containing clauses equivalent to those imposed on MeritIQ in this clause. In the event that any sub-processor fails to meet its data protection obligations, MeritIQ shall remain fully liable to the Entity for the performance of the sub-processor’s obligations;
    (h) MeritIQ shall inform the Entity without undue delay in the event of receiving a request from a data subject to exercise their rights under Data Protection Law and provide such co-operation and assistance as may be required to enable the Entity to deal with such request in accordance with the provisions of Data Protection Law;
    (i) taking into account the nature of the processing, MeritIQ shall assist the Entity by appropriate technical and organisational measures, insofar as this is possible, to allow the Entity to comply with requests from data subjects to exercise their rights under Data Protection Law;
    (j) MeritIQ shall assist the Entity in ensuring compliance with obligations in respect of security of personal data, data protection impact assessments and prior consultation requirements under Data Protection Law, taking into account the nature of the processing and information available to MeritIQ;
    (k) when MeritIQ ceases to provide services relating to data processing MeritIQ shall: (i) at the choice of the Entity, delete or return all such personal data to the Entity; and (ii) delete all existing copies of such personal data unless relevant law requires or permits storage of the personal data;
    (l) MeritIQ shall: (i) make available to the Entity all information requested that is necessary to demonstrate compliance with the obligations laid down in this clause; and (ii) allow for and contribute to audits, including inspections, conducted by the Entity or another auditor mandated by the Entity, provided however that the Entity shall be entitled, at its discretion, to accept adherence by MeritIQ to an approved code of conduct or an approved certification mechanism to aid demonstration by MeritIQ that they are compliant with the provisions of this clause;
    (m) MeritIQ shall inform the Entity without undue delay if, in its opinion, it receives an instruction from the Entity which infringes Data Protection Law;
    (n) MeritIQ shall notify the Entity without undue delay after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and provide the Entity with such co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach; and
    (o) Personal data may be transferred by the Processor outside the relevant jurisdiction, including to a jurisdiction which is not recognised by the Relevant Data Protection Authority as providing for an equivalent level of protection for personal data as is provided for in the relevant jurisdiction. These jurisdictions may include the United States of America, the United Kingdom and Asia. If and to the extent that the Processor does so, it will ensure that appropriate measures are in place to protect the privacy and integrity of such personal data and in particular will comply with its obligations under any Data Protection Law governing such transfers, which may, as applicable, include: (a) entering into a contract governing the transfer which contains the “standard contractual clauses” approved for this purpose by the Relevant Data Protection Authority; (b) transferring your personal data pursuant to binding corporate rules; or (c) a transfer where the Relevant Data Protection Authority has decided that the recipient ensures an adequate level of protection.

  5. The Entity warrants that any personal data received by MeritIQ has been collected and then transferred to MeritIQ in accordance with Data Protection Law.

Content

  • Introduction
  • Definitions
  • Data Protection Principles
  • Personal Data
  • Consent
  • Legitimate Interests
  • Transfers to Third Parties/Service Providers
  • Disclosure of Data
  • Transferring Personal Data outside of the European Economic Area
  • Profiling & Automated Decision-Making
  • Data Protection by Design
  • Data Security, Data Retention and Disposal
  • Data Subject Rights
  • Law Enforcement Requests & Disclosures
  • Notification Process
  • Logging Issues and Breaches
  • Data Protection Training
  • APPENDIX I: PRIVACY STATEMENT

  1. Introduction

1.1 Context

This Policy applies to any MeritIQ entity in the MeritIQ group of companies (each a “MeritIQ Entity” and together “MeritIQ”, the “MeritIQ Group” or the “MeritIQ Entities”). MeritIQ must comply with all applicable laws and regulations relating to the Processing of Personal Data and privacy, including the Data Protection Act 1998-2018 (as may be amended or supplemented from time to time) and, from 25 May 2018, the EU’s General Data Protection Regulation 2016/679 (the “GDPR”).

Under Data Protection Legislation, MeritIQ is required to implement an appropriate data protection policy as part of the organisational and technical measures it puts in place to demonstrate compliance with applicable Data Protection Legislation.

This Policy describes how Personal Data must be collected, handled, stored, disclosed and otherwise “Processed” to meet MeritIQ’s data protection standards and to comply with Data Protection Legislation.

MeritIQ is responsible for and shall be in a position to demonstrate compliance with this Policy. This includes ensuring that Third Parties and Service Providers who Process Personal Data on its behalf are acting in accordance with Data Protection Legislation.

1.2 Scope

This Policy applies to MeritIQ Entities where they act as a Controller of Personal Data and MeritIQ Entities acting as a Processor of Personal Data in the following scenarios:

  • in the context of the business activities of MeritIQ Entities;
  • for the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by a MeritIQ Entity; and
  • in the context of Human Resources where a MeritIQ Entity has Employee Personal Data.

This Policy applies to all Processing of Personal Data. Personal Data can be in electronic form (including electronic mail and documents created with word processing software) or manual files that are structured in a way that allows ready access to information about individuals.

This Policy has been designed to demonstrate the minimum standard for the Processing and protection of Personal Data by all MeritIQ Entities. Where a national law imposes a requirement which is stricter than that imposed by this Policy, the requirements in national law must be followed. Furthermore, where national law imposes a requirement that is not addressed in this Policy, the relevant national law must be adhered to by the relevant MeritIQ Entity through operational procedures.

1.3 Data Protection Contact

To demonstrate MeritIQ’s commitment to Data Protection, and to enhance the effectiveness of its compliance efforts, MeritIQ Regional Compliance Teams (“Compliance Team”) will support the business in Data Protection Legislation compliance.

The Compliance Team has direct access to the MeritIQ Entities’ senior management teams and boards of directors (the “MeritIQ Entities Boards”) and its duties in this role will include:

  • mediation with the relevant Data Protection Authority;
  • review of the MeritIQ Data Protection Policies on an annual basis for compliance with relevant legislation;
  • produce Annual Board Report on the MeritIQ Data Protection Framework;
  • annual review and ongoing oversight of the Processors of the MeritIQ Group ensuring compliance with relevant legislation;
  • report and escalate directly to the respective MeritIQ Entity Boards on data protection related matters;
  • act as the point of contact for individuals whose Personal Data is Processed by MeritIQ;
  • facilitation of data protection training and tracking of same;
  • ensure that MeritIQ maintains a record of all Personal Data Processing activities;
  • ensure MeritIQ Service Providers apply appropriate technical and organisational measures when protecting Personal Data;
  • ensure MeritIQ Service Providers apply appropriate security measures to ensure against all unlawful forms of Processing;
  • report to the MeritIQ Entity Boards on measures and Processes to demonstrate that privacy has been factored into new business line processes;
  • report to the MeritIQ Entity Boards on oversight of MeritIQ Service Providers;
  • verify that individuals have given Consent to receive marketing information from a MeritIQ Entity; and
  • verify that Personal Data has been deleted where an individual has withdrawn Consent for direct marketing purposes.

1.4 Board Approval

This Policy shall be approved by the MeritIQ Entity Boards.

1.5 Governance, Policy Review and Ownership

This Policy will be reviewed at least annually by the Compliance Team to ensure appropriateness. Additional updates and ad-hoc reviews may be performed as and when required to ensure that any changes to the MeritIQ organisational structures/business practices are properly reflected in this Policy.

All amendments to this Policy will be co-ordinated by the Compliance Team to ensure consistency across the MeritIQ Group. All new MeritIQ Entities must adopt and adhere to this Policy.

The management team of each MeritIQ Entity must ensure that each of that MeritIQ Entity’s Employees who are responsible for the Processing of Personal Data are aware of and comply with the contents of this Policy.

In addition, each MeritIQ Entity will make sure all Third Parties engaged to Process Personal Data on their behalf (i.e. their Data Processors) are aware of and comply with the contents of this Policy. Assurance of such compliance, usually through the terms and conditions of their appointment, must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to Personal Data controlled by MeritIQ.

1.6 Responsibility and Escalation

Considering the circumstances in which a Controller must appoint a Data Protection Officer (“DPO”), the MeritIQ Board has determined that it is not currently necessary to appoint a DPO. The MeritIQ Board shall keep this matter under review and, should guidance emerge which indicates that any MeritIQ Entity should appoint a DPO, the MeritIQ Board will re-consider the need to appoint a DPO.

This Policy is therefore owned by the MeritIQ Board, with the Compliance Team being responsible for escalation to the relevant MeritIQ Entity Boards of any data protection related matters. Where data protection issues arise, these are investigated by the European Head of Compliance and where necessary, input from the relevant MeritIQ Entity Board may be sought.

  2. Definitions:

MeritIQ Board
The Boards of Directors for MeritIQ

Employee
An individual who works part-time or full-time for MeritIQ under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. Includes temporary employees and independent contractors.

Third Party/Service Providers
An external organisation with which MeritIQ conducts business and is also authorised, under the direct authority of MeritIQ, to Process the Personal Data provided by a MeritIQ Entity.

Personal Data
Any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person.

Identifiable Natural Person
Anyone living who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

MeritIQ Entity
A MeritIQ establishment, including subsidiaries and joint ventures over which MeritIQ exercises management control.

Data Subject
A natural person to whom Personal Data refers.

Process, Processed, Processing
Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection
The Process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.

Data Protection Authority or DPA
An independent public authority responsible for monitoring the application of the relevant Data Protection regulation set forth in national law.

Data Processors
A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of a Data Controller.

Consent
Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Special Categories of Data
Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Third Country
Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.

Profiling
Any form of automated Processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.

Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Legitimate Interests
Processing necessary for the purposes of the legitimate interests pursued by a Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.

  3. Data Protection Principles

When Processing Personal Data, MeritIQ must comply with the following core Data Protection principles.

A. Lawfulness, fairness and transparency

Personal Data must be Processed fairly, transparently and lawfully. An individual’s Personal Data must not be Processed unless there are lawful grounds for doing so and the Data Subject must be informed as to how and why their Personal Data is being Processed either upon or before collecting it.

B. Purpose Limitation

Personal Data must be Processed only for specified and lawful purposes. Personal Data must not be Processed in any manner which is incompatible with the specified and lawful purpose.

C. Data Minimisation

Personal Data that is Processed must be adequate, relevant and limited to the minimum data necessary for the lawful purposes for which it is Processed.

D. Accuracy

Personal Data must be accurate and, where appropriate, kept up-to-date. Any Personal Data which is incorrect must be rectified as soon as possible.

E. Data Retention

Personal Data must be kept for no longer than is necessary considering the lawful purpose(s) for which it is Processed.

F. Security

Personal Data must be protected against unauthorised or unlawful Processing, including transmission, accidental loss, destruction or damage through appropriate technical and organisational measures.

  4. Personal Data

4.1 Definition of Personal Data

“Personal Data” includes any data which relates to a living individual who can be identified:

  • from that data; or
  • from that data and another piece of information which is in the possession of MeritIQ.

Certain categories of Personal Data are particularly sensitive (“Sensitive Personal Data”) and cannot be Processed unless certain conditions are met.

It is MeritIQ policy to only hold Personal Data of a given Data Subject where we are legally or contractually required or permitted. All Personal Data will be held and Processed in accordance with the Data Protection Legislation and this Policy.

4.2 Processing Personal Data

Processing Personal Data includes any operation that is carried out in respect of Personal Data, including, but not limited to, collecting, storing, using, recording, disclosing, transferring or deleting Personal Data.

Personal Data collected by MeritIQ is generally collected for the purposes set out in its Privacy Notices including, but not limited to, the following:

  • to comply with legal, tax or regulatory obligations imposed on MeritIQ under applicable law;
  • to efficiently manage its directors and its relationship with its Service Providers;
  • to carry out statistical analysis and market research;
  • to transfer Personal Data to third parties such as auditors, regulatory or tax authorities and technology providers in the context of the day to day operations of MeritIQ in the conduct of its services provided globally; and
  • for the purposes outlined in the Employee Privacy Notice.

4.3 Grounds for Processing Personal Data

Personal Data must only be Processed if the purpose of the Processing satisfies one of the legal bases permitted under the Data Protection Legislation.

The below details the legal bases for Processing which are most commonly relevant to MeritIQ Processing activities.

4.3.1 Legal Grounds for Processing Personal Data

The legal grounds for Processing Personal Data include:

  • where the Processing is in MeritIQ’s Legitimate Interests or the Legitimate Interests of a third party and the proposed Processing does not cause unwarranted infringement on the Data Subject’s rights;
  • where the Processing is necessary for the performance of a contract to which the Data Subject is a party, or for the taking of steps with a view to entering into or exiting a contract at the request of the Data Subject;
  • where the Processing is required by law or other regulation to which MeritIQ is subject, for example, the Central Bank of Ireland or another relevant regulator’s regulations/anti-money laundering and terrorist financing legislation etc; and
  • where the Data Subject has provided its Consent to the Processing for the specific purpose in accordance with this Policy.

4.3.2 Sensitive Personal Data

As detailed previously, Sensitive Personal Data is subject to stricter controls and the circumstances in which it can be Processed are significantly more limited than Personal Data.

MeritIQ will only Process Sensitive Personal Data where the Data Subject expressly Consents to such Processing or where one of the following conditions applies:

  • Processing relates to Personal Data which has already been made public by the Data Subject;
  • Processing is necessary for the establishment, exercise or defence of legal claims;
  • Processing is specifically authorised or required by law;
  • Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent; or
  • further conditions, including limitations, based upon national law related to the Processing of genetic data, biometric data or data concerning health.

4.3.3 Children’s Data

In general terms MeritIQ will not process any Personal Data in relation to a child or minor. Should any MeritIQ Entity ever be required to Process Personal Data relating to a child, in the first instance the relevant MeritIQ Entity must obtain guidance and approval from the Compliance Team before any Processing of a child’s Personal Data may commence. If it is deemed appropriate the MeritIQ Entity will be required to obtain parental Consent.

4.4 Processing of Personal Data relating to criminal convictions and offences

The Processing of Personal Data relating to criminal convictions and offences or related security measures may take place subject to appropriate safeguards for the rights and freedoms of Data Subjects. There are certain conditions under which this information may be inadvertently Processed including:

  • the Data Subject has given explicit Consent to the Processing for one or more specified purposes except where applicable law prohibits such;
  • Processing is necessary and proportionate for the performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject prior to entering into a contract;
  • Processing is:
    • necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or
    • otherwise necessary for the purposes of establishing, exercising or defending legal rights;
  • Processing is necessary to prevent injury or other damage to the Data Subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the Data Subject or another person; or
  • Processing in relation to screening of potential employees. MeritIQ conducts background checks including checking for any criminal convictions of senior Employees to assess the risk of fraud or prevent fraud. Employees are notified of this in the Privacy Notice and consent to it in the initial screening form.

4.5 Higher Risk Processing Activities

The Data Protection Legislation provides that wherever the Processing of Personal Data is likely to result in increased risk to the Data Subject, MeritIQ as a Data Controller will need to, before carrying out the Processing activity, perform an assessment of the potential impact of the intended Processing on the rights and freedoms of the Data Subject (a “Data Protection Impact Assessment” or “DPIA”).

MeritIQ has identified where the Processing of Personal Data takes place globally. Following this assessment MeritIQ has not identified any activities that would be considered as posing a high risk to Data Subjects.

MeritIQ has also determined that it is unlikely that any other Service Providers will be engaging in higher risk Processing activities on behalf of MeritIQ but will keep this matter under review.

4.6 Fair Processing Information

Any Process which involves the gathering of Personal Data on an individual should contain a Privacy Notice explaining among other things what the Personal Data is to be used for and to whom it may be disclosed.

Regardless of how Personal Data is obtained (whether it is obtained from the Data Subject or from a Service Provider) the Data Subject will be provided with certain information about the Processing of their Personal Data by MeritIQ. This information will be provided either before or upon collection of the Personal Data. If the Personal Data is obtained from a Service Provider, then the Privacy Notice must be provided within a reasonable time period from obtaining the Personal Data or at the time of the first communication with the Data Subject, whichever is earlier.

This information will be provided in the form of a Privacy Notice (please refer to Appendix I for a GDPR specific Privacy Notice).

Where applicable, the MeritIQ Entity shall ensure that the Privacy Notices are kept under review annually and shall be updated as necessary to reflect non-material changes. Material changes notified to a MeritIQ Entity by any Service Providers or which otherwise come to the attention of MeritIQ shall be made on an ad-hoc basis and the Compliance Team shall instruct the provision of an updated data Privacy Notice to Data Subjects as applicable.

4.7 Data Register

MeritIQ maintains an up-to-date Data Register of all activities it conducts that require the Processing of Personal Data, a copy of which shall be made available to the DPA upon request. The Data Register consists of the following elements:

  • categories of Data Subjects;
  • categories of Personal Data;
  • Processing activity;
  • the grounds for Processing the Personal Data;
  • in which jurisdiction the Processing is conducted;
  • whether the Personal Data is transferred to a third party;
  • whether the Personal Data is transferred outside the European Economic Area; and
  • the retention period.

The Data Register is maintained by the Compliance Team.

  1. Consent

While not currently anticipated, where there is no other lawful basis for Processing Personal Data then it should not be Processed unless the Data Subject has given their Consent.

For Consent to be valid, it must satisfy the following criteria:

  • it must be limited to specific Processing activities;
  • the Data Subject must have been informed about the Processing activities in sufficient detail so as to be able to fully understand what they are consenting to;
  • it must be freely given, which means that the Data Subject must have a genuine free choice as to whether they give the Consent;
  • the performance of a contract cannot be made conditional upon the Data Subject giving their Consent to the data Processing, unless the data Processing is required to perform the contract;
  • it must be given by way of an unambiguous statement or some other clear active communication by the Data Subject, such as signing a form. Consent cannot be inferred from silence or inactivity such as the use of pre-selected boxes; and
  • details of the Processing of Personal Data must be clearly distinguished from other matters that the Data Subject is asked to agree to.

Equally, where the Processing relates to Sensitive Personal Data and MeritIQ cannot rely on any other lawful ground for Processing such Sensitive Personal Data, the Data Subject’s explicit Consent shall be obtained, by way of a signed statement.

It is important to note that a Data Subject must be informed of their right to withdraw their Consent at any time. MeritIQ Entities shall put in place appropriate Processes to promptly action any withdrawal of Consent. Where a Data Subject wishes to exercise this right, they may contact the designated contact for this purpose via the contact details provided in the Privacy Notices.

  1. Legitimate Interests

Where a MeritIQ Entity seeks to rely on Legitimate Interests to legitimise certain Processing activities, the Compliance Team must be satisfied that those Legitimate Interests are not outweighed by the interests or fundamental rights and freedoms of the relevant Data Subject.

The MeritIQ Entity must conduct a Legitimate Interests assessment (“LIA”) when relying on Legitimate Interests as a lawful basis for Processing.

This LIA will:

  1. identify the Legitimate Interest for which MeritIQ intends Processing the Personal Data;
  2. consider whether the Processing is necessary for the pursuit of its objectives; and
  3. involve the completion of a balancing test which assesses whether or not the Data Subject’s interests override the Legitimate Interests of MeritIQ.

Factors taken into account by the MeritIQ Entity in conducting the balancing test include:

  1. the nature of the Legitimate Interests and the Data Subject’s reasonable expectations about what will happen to their data;
  2. the impact of Processing on the Data Subject; and
  3. any safeguards which are or could be put in place in order to limit undue impact on the Data Subject.

Where Legitimate Interests are relied upon this will be notified to the Compliance Team who will review and record the basis of reliance in line with the foregoing LIA.

The MeritIQ Entity shall provide information on any balancing test conducted by it to affected Data Subjects on request. In the event that a Data Subject objects to the Processing of Personal Data by MeritIQ on grounds of Legitimate Interests, MeritIQ shall stop the Processing of such Personal Data unless, having re-conducted the balancing test, the Compliance Team is satisfied that the Data Subject’s interests should not prevail over those of MeritIQ. Furthermore, MeritIQ will carry out a new LIA if the purpose of the Processing changes or if it becomes aware of a change in the factors relating to the outcome of the LIA previously conducted.

  1. Transfers to Third Parties/Service Providers

Where a MeritIQ Entity is required to transfer Personal Data to, or allow access by, a Service Provider, it must be assured that Personal Data will be Processed legitimately and protected appropriately by the recipient.

Where a Service Provider is deemed to be a Data Controller, the MeritIQ Entity will enter into an appropriate agreement with the Data Controller to clarify each party’s responsibilities in respect to the Personal Data transferred.

Where a Service Provider is deemed to be a Data Processor, the MeritIQ Entity will enter into an adequate Processing agreement with the Data Processor. The agreement will require the Data Processor to protect the Personal Data from further disclosure and to only Process Personal Data in compliance with MeritIQ’s instructions. In addition, the agreement will require the Data Processor to implement appropriate technical and organisational measures to protect the Personal Data, as well as procedures providing a mechanism for the notification of Personal Data Breaches. MeritIQ has a Standard Data Processing Clause document that should be used as a baseline template, including the provisions detailed below.

When a MeritIQ Entity is outsourcing services to a Service Provider (including Cloud Computing services), it will identify whether the Service Provider will Process Personal Data on its behalf and whether the outsourcing will entail any Third Country transfers of Personal Data. In either case, it will make sure to include adequate provisions in the agreement for such Processing and Third Country transfers.

8.1 Article 28(3) Data Processing Agreements

Each MeritIQ Entity must ensure that it enters into a written agreement with any such Data Processors which includes provisions imposing the specific obligations set down in Article 28(3) on the relevant Third Parties.

8.2 Right of Audit and Inspection

Under its agreement with the relevant Service Provider, the MeritIQ Entity shall have a contractual right to obtain all relevant information from that Service Provider which is necessary for the Service Provider to demonstrate its compliance with the data protection obligations set down in the contract. Furthermore, the MeritIQ Entity shall have the contractual right to carry out an audit or inspection of the relevant Service Provider for such purposes.

  1. Disclosure of Data

Each MeritIQ Entity will ensure that Personal Data is not disclosed to unauthorised third parties. All personnel acting on behalf of MeritIQ must exercise caution when asked to disclose any Personal Data to a third party and prior to completing any such transfer. The MeritIQ Global Data Protection Procedure will document this, and regular staff training ensures that each individual acting on behalf of MeritIQ understands their obligations in this regard.

Disclosure to third parties may be permitted where this is:

  • necessary to safeguard national security;
  • necessary for the prevention or detection of crime, in the substantial public interest and where obtaining Consent from the Data Subject would prejudice that purpose;
  • necessary for the administration of justice;
  • necessary to comply with applicable laws or regulation; or
  • necessary to protect the vital interests of the Data Subject, such as life and death situations, but only where their Consent cannot be obtained.

Any instances of uncertainty regarding the sharing or transfer of Personal Data should be referred to the Compliance Team.

  1. Transferring Personal Data

10.1 Transferring outside the European Economic Area

Specific legal requirements apply to the transfer of Personal Data out of the European Economic Area (“EEA”), where transfers of data include sending data to another country or allowing that data to be accessed remotely from another country.

Personal Data must not be transferred outside the EEA unless the recipient country ensures an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission or, alternatively, one of the following safeguards has been put in place by or on behalf of MeritIQ:

  • the existence of binding corporate rules; or
  • the entry into a data transfer agreement between the MeritIQ Entity (or a Fund Service Provider acting as its agent) and the non-EEA recipient of the Personal Data which contains standard contractual clauses that have been approved by the European Commission.

10.2 Transfers between MeritIQ Entities

For MeritIQ to carry out its operations effectively across its global MeritIQ Entities, there may be occasions when it is necessary to transfer Personal Data from one MeritIQ Entity to another, or to allow access to the Personal Data. Should this occur, the MeritIQ Entity sending the Personal Data remains responsible for ensuring protection for that Personal Data.

MeritIQ handles the transfer of Personal Data between MeritIQ Entities, where the Personal Data is being transferred from the European Economic Area and the location of the recipient MeritIQ Entity is a Third Country, by using the Commission-approved data transfer agreements supported by detailed SLAs. These agreements impose standard clauses which govern the Processing of Data Subjects’ Personal Data and must be enforced by each approved MeritIQ Entity and its Employees.

  1. Profiling & Automated Decision-Making

MeritIQ does not currently engage in, nor does it plan to engage in, Profiling and Automated Decision-Making.

MeritIQ will only engage in Profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the Data Subject or where it is authorised by law. Where a MeritIQ Entity utilises Profiling and automated decision-making, this will be disclosed to the relevant Data Subjects.

  1. Data Protection by Design

To ensure that all Data Protection requirements are identified, considered and addressed, each MeritIQ Entity will ensure that material changes such as new systems or processes go through a DPIA before launch in collaboration with the Compliance Team. The subsequent findings of the DPIA must then be submitted to the MeritIQ Entity’s Chief Risk Officer and the Head of Compliance Europe for review and approval.

Where applicable, the Information Technology (IT) department, as part of its IT system and application design review Process, will cooperate with the MeritIQ Entity and the Compliance Team to assess the impact of any new technology uses on the security of Personal Data.

  1. Data Security, Data Retention and Disposal

Each MeritIQ Entity will adopt all necessary measures to ensure that the Personal Data it collects and Processes is complete and accurate in the first instance, and is updated to reflect the current situation of the Data Subject.

The measures adopted by MeritIQ to ensure Personal Data quality include:

  • facilitating amendments to Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification;
  • keeping Personal Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period;
  • the removal of Personal Data, if not compliant with any of the Data Protection principles or if the Personal Data is no longer required; and
  • restriction, rather than deletion of Personal Data, insofar as:
    • a legal or regulatory requirement or matter prohibits erasure;
    • erasure would impair Legitimate Interests of the Data Subject; or
    • the Data Subject disputes that their Personal Data is correct and it cannot be clearly ascertained whether their information is correct or incorrect.

Personal Data must not be retained for longer than is necessary for the lawful purposes for which it is Processed. To achieve this, each category of Personal Data Processed by MeritIQ Entities shall be subject to a retention period which can be justified by reference to those lawful grounds. For this purpose, this Policy should be read in conjunction with related operational procedures and the Data Classification Policy.

The length of time for which MeritIQ Entities need to retain Personal Data is set out in the MeritIQ Group Data Retention Policy. This requires all MeritIQ Entities to consider the legal and contractual requirements, both minimum and maximum, that influence the retention periods.

All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
Personal Data must be disposed of securely in a way that protects the rights and privacy of Data Subjects and ensures the permanent erasure of the Personal Data. This might include shredding, disposal as confidential waste, or secure electronic deletion.

A Service Provider, acting as a Data Processor, will be contractually obliged to implement appropriate technical and organisational measures which seek to ensure that Personal Data is appropriately protected against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.

  1. Data Subject Rights

Data Subjects are entitled to exercise certain rights in respect of their Personal Data. These are detailed within the relevant Privacy Notice and include:

  • the right to be informed at the time or before the Personal Data is obtained as to how their Personal Data will be Processed;
  • the right to obtain information regarding the Processing of their Personal Data and access to the Personal Data which MeritIQ holds about them or which is held on MeritIQ’s behalf;
  • the right to receive a copy of any Personal Data which MeritIQ Processes about them, including the right to receive Personal Data in a structured, commonly used electronic format and/or request that this data is transmitted to a third party wh

Copyright © 2023 Merit IQ - All Rights Reserved.
