Data controller: HFMC Wealth
Phone: 0207 4004 700
Postal address: 29 St Johns Lane, London, EC1M 4NA

Data protection officer: Mark Waller
Phone: 0203 905 5930
Postal address: 29 St Johns Lane, London, EC1M 4NA


This data protection statement sets out how we currently use and intend to use your personal data.

Your personal data is data which by itself or with other data available to us can be used to identify you.

The company takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. If we need to collect data from you that would be considered higher risk, for example some health information, we will always ask for explicit consent and tell you why this information is needed. It will always be kept in a restricted file that is only accessible by HR and in rare cases, other members of specialist teams such as finance or compliance.

What is a data controller?

Someone who determines the purposes for which any personal data is to be processed and the manner in which that personal data will be processed.

The types of personal data we collect and use

Whether or not you become an employee, we will use your personal data for the reasons set out in this document. We will collect most of this directly from you during the recruitment journey and the induction process (if you are a succesful candidate). For example, data might be collected via application and other data collection forms, CVs, your passport or other identity documents, or via interviews and other forms of written or online assessment.

Additionally, we may collect information about you from your immediate colleagues e.g. during peer or management reviews of performance or conduct, clients, external referees and the HR and finance departments who keep records of matters such as, but not limited to, absence and discripinary records.

The sources of personal data collected indirectly are mentioned in this statement.

The personal data we use may includes the following:

  • Full name, address (including as address history) and contact details e.g. email address and telephone number(s);
  • Date of birth;
  • Equal opportunities monitoring, including information about your ethnic origin, gender identification, sexual orientation, health, and religion or belief;
  • Information about your entitlement to work in the UK, including passport/identity card, work visas/residence permit, Home Office documentation, birth/adoption certificates and National Insurance number;
  • Marital details, dependants and/or spousal personal details;
  • Information about beneficiaries on an expression of wishes form and emergency contact information, including name and address and email/phone number;
  • Financial details (bank details, for payment of salary and company expenses);
  • Information from credit reference or fraud prevention agencies, DBS checks, electoral roll, court records of debt judgements and bankruptcies and other publicly available sources, as well as information on any financial associates you may have;
  • CVs (yours or agency generated), interview notes, questionnaire and test results;
  • Records of qualifications, professional body memberships e.g. membership number, previous employment history, skills, training and continuing professional development information;
  • References from previous employers, letters of offer and acceptance of employment and/or engagements, your employment contract/consultancy agreement, job title, salary details and terms of reference;
  • Information relating to your performance at work: performance ratings, performance development reviews, objectives/goals, personal development plans, appraisal notes, records, notes of 1:1 meetings, personal improvement plans, correspondence;
  • Vehicle registration and make, model and colour of your car; your driving license and any driving related convictions provided by DVLA, and insurance details where required;
  • Information to protect your or another individual’s vital interests (for example during a health emergency): medical records, notification of pregnant or new mothers and any details about a disability;
  • Information to ensure your health and safety at work: accident records, health, and safety assessments;
  • Your photo to use on the Company website and other corporate literature where relevant; and
  • Information to allow you access to the office building and systems: name, company email address, passwords and PINs e.g. for door access and printer usage.

Sensitive (Special) Personal Data

This is data that would be considered higher risk, for example some health information. If we need to collect this from you, we will always ask for explicit consent and tell you why this information is needed. It will always be kept in a restricted file that is only accessible by HR and the Management Committee. Please refer to the detail regarding the health information that we hold in order to protect your or another’s vital interests.

Where the company processes other special categories of data, such as information about ethnic origin, sexual orientation, health, religion or belief, age, gender or marital status, this is for the purposes of equal opportunities monitoring purposes as permitted by the Data Protection Act 2018/reasons of substantial public interest.

Spousal/partner and dependant’s personal details

We will ask for the following personal details for your next of kin (in case of emergency).  We may also ask for details on additional members of your family if and when you wish to add them to employee benefits services (PMI).  We will also request personal details when we record your nominated benificiary (the person who you would like to receive your death and/or pension benefits).

Next of KinNominated Benificiary
Relationship to youRelationship to you
Contact DetailsNational Insurance Number
Date of BirthDate Of Birth

You must have their authority to provide their personal data to us and have shared this data protection statement with them beforehand together with details of what you’ve agreed on their behalf. When you complete the application or capture forms you are consenting to us holding and processing this information.

Information to protect your or another individual’s vital interests

 For example: medical records, notification of pregnant or new mothers and details about a disability.

The above-mentioned information is held for the following reasons:

  • to ensure we comply with our legal obligations to provide reasonable workplace adjustments for personnel who are pregnant, new mothers or those with disabilities;
  • to ensure appropriate personnel (e.g. our first aiders) are aware of any medical conditions;
  • to provide emergency services with any known conditions in an emergency; and
  • to ensure management of health and safety.

Providing your personal data

We will tell you if providing some personal data is optional. In all other cases you must provide your personal data so we can process your application and induction into the business (unless you are already an employee and we already hold your details).

How we store your personal data

We store your data on our secure servers in the United Kingdom and retain it for a reasonable period or as long as the law requires. Personnel records will be kept for the duration of your engagement by the Company and records will normally be retained for up to seven years after the date the engagement terminates for legal and tax purposes. Normally, your data will only be retained for a period for longer than seven years if it is material to legal proceedings or should otherwise be reasonable and fairly retained in the Company’s interests after that period.  Any personal data related to a project, which is governed by an agreement signed as a deed, may be held for a maximum of 12 years or in the event it is material to ongoing legal proceedings it may be retained until any such matter has been concluded, subject to it being reasonable and necessary to retain specific data.

Criteria used to determine retention periods

The following criteria are used to determine data retention periods for your personal data, whether or not you become an employee:

  • Retention in case of queries. We will retain your personal data as long as necessary to deal with your queries;
  • Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us;
  • Retention in accordance with legal and regulatory requirements. We will retain your personal data after our relationship has ended based on our legal and regulatory requirements.

Monitoring of communications

Subject to applicable laws, we reserve the right to monitor and record your calls, emails, text messages, social media messages and other communications. We will do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications systems and procedures, to check for obscene or profane content, for quality control and staff training, and when we need to see a record of what’s been said.

Using your personal data: the legal basis and purposes

We will process your personal data:

  1. As necessary to perform our contract with you for the duration of your service:

a) To take steps at your request prior to entering into it;

b) To decide whether to enter into it;

c) To manage and perform a contract with you whilst you are working for us, at the time when your employment ends and after you have left;

d) To update our records; and

e) To trace your whereabouts to contact you and recover debt.

2. As necessary for our own legitimate interests or those of other persons and organisations e.g.:

a) For good governance, administration, accounting, and managing and auditing of our business operations (including evaluating quality and compliance);

b) To search at credit reference agencies and for your employment records;

c) To monitor emails, calls, use of social media and other communications;

d) For market research, analysis and developing statistics;

e) For pursuing business opportunities with clients who require our services;

f) For establishing compliance and contractual obligations with clients or suppliers;

g) For protecting our reputation;

h) For determining staff training and system requirements;

i) To protect your vital interests; or

j)Any other reasonable management purpose.

3. As necessary to comply with a legal obligation, e.g.:

a) When you exercise your rights under the data protection law and make a request;

b) For compliance with legal and regulatory requirements and related disclosures;

c) For establishment and defence of legal rights;

d) For activities relating to the prevention, detection and investigation of crime;

e) To verify your identity, make credit, fraud prevention and anti-money laundering checks; and

f) To monitor emails, calls, other communications.

4. Based on your consent, e.g.:

a) When you request us to disclose your personal data to other people or organisations such as a company handling a claim or application on your behalf, or otherwise agree to disclosures;

b) When we process any special categories of personal data about you at your request e.g. your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning your health, sex life or sexual orientation.

Your rights under applicable data protection law

 As a data subject, your rights are as follows (noting that these rights don’t apply in all circumstances):

  • request access to your information and information related to our use and processing of your information;
  • request the correction or deletion of your information;
  • request that we restrict our use of your information;
  • receive information which you have provided to us in a structured, commonly used and machine-readable format (e.g. a CSV file) and the right to have that information transferred to another data controller (including a third-party data controller);
  • object to the processing of your information for certain purposes (for further information, see the section below entitled Your right to object to the processing of your information); and
  • withdraw your consent to our use of your information at any time where we rely on your consent to use or process that information. Please note that if you withdraw your consent, this will not affect the lawfulness of our use and processing of your information on the basis of your consent before the point in time when you withdraw your consent

If you would like to exercise any of these rights, please contact Mark Waller, You can make a subject access request by completing the company’s form for making a subject access request.

If you believe that the company has not complied with your data protection rights, you can complain to the Information Commissioner.

What if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to the company during the recruitment process. However, if you do not provide the information, the company may not be able to process your application properly or at all. If your application is successful, it will be a condition of any job offer that you provide evidence of your right to work in the UK and satisfactory references.

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

You are free at any time to change your mind and withdraw your consent. The consequence might be that we can’t do certain things for you.

What are the specific reasons that we may require personal data?

  • notifying individuals of potential roles or opportunities;
  • assessing and reviewing suitability for job roles;
  • making employment offers and issuing contracts of employment;
  • making offers to engage your services and issuing consultancy agreements;
  • consultation regarding changes to terms and conditions of employment or a redundancy procedure;
  • investigating grievances, disciplinary matters, or performance concerns;
  • managing leave requests, whether by reason of holiday, sickness absence, maternity, paternity, adoption of shared parental leave;
  • assessing suitability for work or promotion, managing continuing professional development and performance management;
  • organisation planning and development and workforce management;
  • investigating complaints;
  • information relating to our relationship with an individual or the party for whom the individual works including records of any meetings or discussions;
  • compliance with legal, regulatory, and statutory obligations relating to business generally, for example, tax, bribery, fraud/crime prevention legislation, right to work and co-operating with regulatory authorities such as HMRC or any other corporate governance obligations;
  • to personalise our offering, whether via our website or otherwise;
  • retaining records of our dealings and transactions and where applicable, using such records for the purposes of:
    • establishing compliance with contractual obligations with clients or suppliers;
    • administering and maintaining client records;
    • ensuring compliance with health and safety requirements;
    • protecting our reputation;
    • maintaining a back-up of our system, solely for the purpose of being able to restore the system to a particular point in the event of a system failure or security breach;
    • evaluating quality and compliance including compliance with this privacy notice.
  • determining staff training and system requirements;
  • marketing our business and/or improving our services;
  • in connection with any legal proceedings and/or as required by law;
  • as otherwise necessary to provide our IFA Services and/or to meet our obligations towards clients or suppliers;
  • the provision of broad and comprehensive IFA services;
  • protecting the vital interests of a data subject; and
  • any other reasonable and legitimate business purpose, which is not unduly prejudice to the individual’s privacy.

Sharing of your personal data

Subject to applicable data protection law we may share your personal data with:

  • The HFMC Wealth group of companies and associated companies in which we have shareholdings;
  • Sub-contractors and other persons who help us provide products and services, for example our HR systems and benefits providers;
  • Companies and other persons providing services to us;
  • Our legal and other professional advisors, including our auditors;
  • Fraud prevention agencies, credit reference agencies, and debt collection agencies when we recruit you and periodically during your employment with HFMC Wealth;
  • Other organisations who use shared databases for income verification and affordability checks and to manage/collect arrears;
  • Government bodies and agencies in the UK and overseas e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators (e.g. The Prudential Regulation Authority, The Financial Conduct Authority and The Information Commissioner’s Office);
  • Courts, to comply with legal requirements, and for the administration of justice;
  • In an emergency or to otherwise protect your vital interests;
  • To protect the security or integrity of our business operations;
  • When we restructure or sell our business or its assets or have a merger or re-organisation;
  • Market research organisations who help us to improve our products or services;
  • Payment systems (for the processing of payroll and expenses);
  • Anyone else where you have your consent or as required by law.

International transfers

HFMC Wealth do not ordinarily transfer data outside of the UK or EEA, but may on occassions have the need to.

However, your personal data may be transferred outside the UK and the European Economic Area. The reason for this is with the use of the internet and email data can be transferred to a computer server in such a country in the course of a transfer between parties. The Company may also have clients, suppliers, agents, offices or subsidiary countries now or in the future outside the EEA and therefore the transfer of data outside the EEA could be necessary as part of the management of the Company’s business and the performance of an individual’s contract with the Company.

While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it.  In such circumstances the Company will conduct an appropriate risk assessment and put in place a list of safeguards to ensure the security of data. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certlfied with an ‘international framework’ of protection. 

Identity verification and fraud prevention checks

The personal data we have collected from you at the recruitment stage or at any stage will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment in future.  We may also search and use our internal records for these purposes.

Credit reference and DBS checks

As part of the recruitment process, we will perform credit and identity checks on you with one or more credit reference agencies, as well as DBS checks via the relevant authorities.

To perform a credit check, HFMC Wealth will usually ask you for a copy of a credit search that you have requested and payment will be reimbursed.

A credit search may either be:

a) a quotation search where a soft footprint is left. This has no effect on your credit score, and lenders are unable to see this;

b) a hard footprint. This footprint will be viewable by other lenders and may affect your ability to get credit elsewhere.

We will also continue to exchange information about you with credit reference agencies during your employment with HFMC Wealth. The credit reference agencies may in turn share your personal information with other organisations.  We will use this personal data as part of the Anti Money Laundering/Anti-bribery Policy.

These records remain on our HR and Compliance confidential files for the duration of your employment. At the point you are no longer employed these records will be placed in a restricted file as we are required to retain these records under legal and regulatory requirents so they can not be destroyed.

The identities of the credit reference agencies, and the ways in which they use and share personal information can be found via the Credit Reference Agency Information Notice at the following links:

Automated decision making and processing

HFMC Wealth do not currently use automated decision making or processing.

Data anonymisation and aggregation

Your personal data may be converted into statistical or aggregated data which can’t be used to identify you then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described above.

Changes to our privacy notice

We reserve the right to revise or supplement this Privacy Notice from time to time. You should bookmark and periodically review this page to ensure that you are familiar with the most current version of this Privacy Notice and so you are aware of what information we collect, how we use it and under what circumstances we disclose it. This privacy notice was last updated on 16th November 2021.

For more details on all of the above or if you have any concerns regarding how the Company controls or processes your data, you can contact Mr Mark Waller or visit our website and use the contact us option.


Phone: 0203 905 5930

Postal address: 29 St Johns Lane, London, EC1M 4NA