The purpose of this privacy notice is to set out how we will lawfully process your personal data for the purposes of applicable data protection laws and practice. We respect your rights as a data subject and so it is crucial that we keep you informed on how we intend to use your data.
1. WHO ARE WE?
Haynes Publishing Group P.L.C. (registered number 659701) carries out processing of personal data for shareholders under the lawful processing bases of Contract, Legitimate interest, Complying with a Lawful and Regulatory obligation and Consent. We are registered with the Information Commissioner’s Office as a Data Controller under the registration number of ZA421219.
We have appointed Link Asset Services (LAS) under the rules of the Companies Act to act on our behalf and manage our register of shareholders. Their role includes keeping a current record of shareholders, administering dividend payments, issuing share certificates, managing share transfers and providing other regulatory services. This means that Link Asset Services will process your personal information on our behalf.
2. WHO IS THE DATA PROTECTION OFFICER?
We have appointed a Data Protection Officer, who is the point of contact for enquiries relating to how your personal data is processed. The Data Protection Officer can be contacted at our registered address:
Group Company Secretary
3. WHY IS DATA PROCESSING NECESSARY?
We need to store personal data as we have a legitimate interest in being able to communicate with our shareholders and advise them of updated shareholder information. Under our shareholder agreement with you, which represents a legal contract, we also have obligations to pay dividend payments, provide annual reports and details of our Annual General Meeting (AGM) and inform you of voting resolutions. It is important that we (or LAS acting on our behalf) can contact you to ensure you can exercise your rights as shareholders or that we/LAS can respond to any queries that you may raise with us.
We/LAS also need to store information to verify identity to meet our compliance with legal and regulatory obligations in relation to fraud/money laundering.
We only have access to collect information that you have provided. We will not sell or rent this information to anyone. Where you have expressly consented to receive information from us (directly or from LAS on our behalf) e.g. shareholder news, you will be able to withdraw your consent to receiving this information at any time. However, withdrawing your consent to receive information will impact our ability to keep you up to date with shareholder information and AGM/voting resolutions.
Meaning of Legitimate Interest, Performance of a Contract, Compliance with Legal & Regulatory obligations and Consent.
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Consent is where you as an individual have expressly consented to receive information from us.
4. WHAT PERSONAL DATA DO YOU COLLECT?
The personal information we (or LAS on our behalf) will store with regard to shareholders will usually include your name, contact details, e-mail, date of birth, bank account details (where dividend payments are paid directly into accounts), your current shareholdings and your shareholder reference number. We may also hold copies of identification documents.
Information from our Haynes Investor Website
Our investor website is https://investor.haynes.co.uk/. If you visit our investor website, we may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information. This is statistical data about our users' browsing actions and patterns and does not identify any individual.
A cookie is a small amount of data sent from our server and stored on your browser or your computer's hard drive if you agree. Cookies contain information that is transferred to your computer's hard drive.
Some of the cookies we use are essential for parts of our sites to operate and are already set. These are strictly necessary for the services that we offer and without them the website cannot operate as intended.
5. WILL WE TRANSFER YOUR DATA TO THIRD PARTIES?
We will not usually transfer your data to third parties (with the exception of LAS). Where we have a contract with you, we may also share your details with third parties that we use in order to fulfil our obligations with you such as our payments software, our bank, our accounting software provider(s) or any other IT storage and hosting services or business systems that we or LAS may use to manage our shareholder contact information.
Some of these entities may also be data controllers under the data protection laws. However, in the first instance, you should contact the Data Protection Officer using the details in section 2 if you have any queries about how they use your personal information.
6. HOW LONG WILL MY PERSONAL DATA BE STORED?
Your personal data will be stored for as long as is required for processing purposes. Once you have sold your holdings, your details will be maintained for 12 years for compliance purposes, or 13 years where there is an outstanding dividend payment or entitlement. Our Data Protection Policy requires us as an organisation to regularly review personal data and look to delete it, once it is no longer required. Your rights around requesting the deletion of personal data are outlined in Section 9.
Where we are processing data based on your consent, you have the right to withdraw that consent at any time.
However, even if you ask us to delete our records, we may still need to retain some information such as copies of invoices for the statutory time limits to meet our regulatory and compliance requirements.
7. WHAT WILL YOU DO TO KEEP MY DATA SAFE?
We and LAS have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
8. TRANSFER OF DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA)
We will not transfer your personal data outside of the EEA unless you reside outside of the EEA and we need to send information to you. LAS will also not transfer your data outside of the EEA. If we need to share your data for any other reason, we will ask for your consent prior to doing so.
9. YOUR RIGHTS
Under the General Data Protection Regulation (GDPR) you have a number of rights with regard to your personal data. These include (but are not limited to):
Right of Subject Access
You can request details of all data we hold about you by submitting a subject access request to the Data Protection Officer, at the address provided above in section 2. We aim to comply with such a request from you within one month of the request being made. Where we cannot provide you with this information within one month, we shall inform you of this and provide the reasons why this cannot be achieved, at which point we shall have a total of 3 months to comply with this request.
In the normal course of business, we shall not charge a fee for a subject access request. However, in the event that you make a subject access request that is of a manifestly unfounded, repetitive or excessive nature, we reserve the right to charge a fee of £10 per request.
Right of Rectification
In the event that your data is incorrect or incomplete, you have the right to have this rectified by us. In the event that any of your data is incorrect, please contact the Data Protection Officer at the address provided above in section 2. We shall not charge a fee for your data to be rectified or amended.
Right of Objection
You have the right to object to our processing of your data. Please note that where we need to continue to process your data for reasons such as the defence of claims, we shall not be required to cease processing your data. In the event that you wish to object to us processing your data, please contact the Data Protection Officer at the address provided above.
Right of Restriction of Processing
If certain conditions apply, you have a right to restrict the processing of your information. This means that we can store your data but not use it. This includes when you contest it as being inaccurate (until the accuracy is proved); if you have objected to the processing (when it was necessary for legitimate interests) and we are considering whether our legitimate interests override your own; if you consider that the processing is unlawful (and if this is true) so that you can oppose erasure and request restriction instead; or if the personal data is no longer needed for the purposes for which it was held but you require it to continue to be held to establish, make or defend legal claims.
Right of Erasure
You have the right to request that we delete your data provided that: we no longer require your data; or there is no legitimate legal basis for us to process your data; or we have unlawfully processed your data; or the data must be erased in order to comply with the law. If you have grounds to request that we delete your data (and you wish to do so), please contact the Data Protection Officer at the address provided above. However, please bear in mind that erasure may not be possible if your data is required for compliance reasons. We shall not charge a fee for your data to be deleted from our databases.
If you have any queries with regard to the processing of your data, would like us to transfer your data to another service provider or would like more details about your rights, please contact the Data Protection Officer at the address provided above in section 2.
10. CAN A COMPLAINT BE MADE?
If you have any complaints about how we process your data, please contact the Data Protection Officer at the address provided above in section 2. In the event that we are unable to resolve your complaint, you have the right to make a complaint to the Information Commissioner’s Office if you believe that your information has been mishandled by us.
The Information Commissioner’s Office can be contacted as follows:
Information Commissioner’s Office
Tel: 0303 123 1113
This policy was last updated on May 25th 2018. Any changes to this policy will be posted on our website.