Data Protection Policy

UK Data Protection Policy for John Banks Limited

Introduction

John Banks Limited (“the Company”), a company registered in the United Kingdom under number 1831725, whose registered office is at Kempson Way, Moreton Hall, Bury St Edmunds, Suffolk, IP32 7AR, is committed to protecting the rights and privacy of individuals. The Company has been registered with the Information Commissioner’s Office under Registration Number Z6845579 since 04/07/2002.

This Policy outlines the Company’s obligations and approach regarding the collection, processing, transfer, storage, and disposal of personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Scope of the Policy

This Policy applies to all personal data collected, processed, and stored by the Company. This includes data related to customers, prospective customers, employees, business contacts, and other individuals (“data subjects”). Personal data is defined as any information relating to an identified or identifiable natural person.

Data Protection Principles

The Company adheres to the following principles when processing personal data:

Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and transparently.

Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.

Data Minimisation: Only data that is adequate, relevant, and limited to what is necessary is collected and processed.

Accuracy: Personal data is accurate and kept up to date.

Storage Limitation: Data is retained only as long as necessary for the purposes for which it is processed.

Integrity and Confidentiality: Appropriate security measures are in place to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Data Subject Rights

Data subjects have the following rights under the UK GDPR:

The right to be informed.

The right of access.

The right to rectification.

The right to erasure (‘right to be forgotten’).

The right to restrict processing.

The right to data portability.

The right to object.

Rights concerning automated decision-making and profiling.

Lawful Basis for Processing

The Company processes personal data only when at least one of the following lawful bases applies:

Consent is obtained from the data subject.

Processing is necessary for the performance of a contract.

Compliance with a legal obligation.

Protection of vital interests of the data subject or another person.

Performance of a task carried out in the public interest or in the exercise of official authority.

Legitimate interests pursued by the Company or a third party.

Responsibilities

The Company’s Data Protection Officer (DPO) is Olivia Tombs. The DPO oversees compliance with this Policy and can be contacted via email at [email protected] or by writing to the registered office address.

All employees, contractors, and agents working on behalf of the Company are responsible for ensuring compliance with this Policy and must:

Handle personal data with care and discretion.

Report any data breaches immediately to the DPO.

Follow Company protocols for data processing and security.

Secure Processing

The Company ensures that all personal data is processed securely, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage. Measures include:

Encryption of electronic data.

Secure storage of hard copies in locked cabinets.

Access controls and role-based permissions.

Regular audits of data processing activities.

Data Retention

The Company retains personal data only for as long as necessary for the purposes for which it was collected, as set out in the Company’s Data Retention Policy. Once the retention period expires, or the data is otherwise no longer required, it is promptly and securely deleted or destroyed.

Keeping Data Subjects Informed

The Company provides clear and transparent information to data subjects about how their personal data is used. This includes:

The purposes for processing their data.

The lawful basis for processing.

Retention periods.

Details of their rights under data protection legislation.

Accountability

The Company maintains comprehensive records of all data processing activities and ensures compliance with data protection legislation through regular reviews and audits. The DPO is responsible for overseeing and documenting compliance efforts.

Data Protection Impact Assessments

For new projects or processes involving personal data, the Company conducts Data Protection Impact Assessments (DPIAs) to identify and mitigate risks to data subjects. DPIAs are overseen by the DPO and include:

Evaluation of risks to data subjects.

Implementation of measures to mitigate identified risks.

Erasure of Data

Data subjects have the right to request the erasure of their personal data in certain circumstances, including when the data is no longer necessary for its original purpose. The Company ensures that such requests are handled promptly and securely.

Data Portability

Data subjects can request a copy of their personal data in a structured, commonly used, and machine-readable format. Where technically feasible, data may be transferred directly to another controller at the data subject’s request.

Restriction of Data Processing

Data subjects can request restrictions on the processing of their personal data. The Company ensures that any such requests are honoured unless there is a legitimate reason not to do so.

Personal Data Collected

The Company collects, holds, and processes personal data as follows:

Customers: Name, address, email, mobile number, date of birth (for specific purposes).

Prospects: Name, address, email, mobile number, date of birth (if applying for finance).

Employees: Name, address, email, mobile number, National Insurance number, and date of birth.

Profiling

The Company uses profiling in limited contexts, such as:

Candidate selection in the HR division.

Marketing activities where consent has been obtained.

Profiling activities are conducted with appropriate safeguards to ensure fairness and transparency.

Transfer of Personal Data

The Company transfers personal data outside the UK or EEA only where the transfer is lawful under the UK GDPR, that is, where adequate safeguards are in place or a specific exception applies, such as:

Binding corporate rules.

Standard contractual clauses.

Explicit data subject consent to the proposed transfer, given after being informed of the possible risks.

Data Disposal

When personal data is no longer required, it is securely deleted or destroyed. This includes the shredding of physical documents and secure deletion of electronic files.

Use of Personal Data

Personal data is only used for purposes for which it was collected, such as:

Customer communications.

Marketing activities.

Compliance with legal obligations.

Storage of Data

The Company ensures secure storage of all personal data, including:

Daily encrypted backups stored offsite.

Physical records stored in locked cabinets.

Restricted access to data based on roles and responsibilities.

Data Breaches

All personal data breaches must be reported immediately to the DPO. Where a breach is likely to result in a risk to the rights and freedoms of individuals, the Information Commissioner’s Office (ICO) must be informed within 72 hours of the Company becoming aware of it. If the breach is likely to result in a high risk to individuals, affected individuals will also be notified without undue delay.

Policy Review

This Policy will be reviewed periodically and updated as necessary to reflect changes in legislation, regulatory requirements, or Company practices.