General Notice

This section of the Privacy Notice applies regardless of whether we are acting as a Data Controller or a Data Processor.  

We are committed to handling personal data responsibly and lawfully, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and other applicable legislation such as the Privacy and Electronic Communications Regulations (PECR).

Personal Data Collection

To see what personal data we collect, please refer to the relevant section, as this varies between the two categories.

Purposes of Processing & Legal Basis

This explains how and why we process your data and is different for the two categories.

Data Sharing

Sharing Personal Data

ExcluServ will only use personal data for the intended purpose and service delivery.

It might be necessary to share this information with carefully selected third parties where they facilitate this service delivery, but only in cases where this is required, and limited to that purpose.

ExcluServ will never otherwise share your information with a third party, unless we have your express consent.

There are a limited number of instances where we are legally required to do so (such as with HMRC) to comply with legislation and processes. Where that disclosure is required, we will inform you, unless we are prevented from doing so by law.

Other systems

ExcluServ uses trusted third-party service providers for the processing and storage of personal information. These providers each have their own privacy policies to support compliance with GDPR and data transfer requirements. ExcluServ is not responsible for, and cannot control, the privacy policies or practices of any third-party SaaS provider.

International Data Transfer

This section is common to both categories.

Where we transfer personal data outside the UK or EEA, such transfers will be protected by an appropriate safeguard. This may be an adequacy regulation, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or other valid, lawful transfer mechanisms.

South Africa Data Transfers

ExcluServ works closely with another company in the ExcluGroup of companies that are based in the Republic of South Africa, and with its network of trusted associates.

Personal data is routinely shared with them, and therefore transferred outside of the UK/EU.

To safeguard your personal data, ExcluServ has in place strong controls and measures that include:

    1. Data Processing Agreement (1): between Data Controller & ExcluServ

    2. Data Processing Agreement (2): between ExcluServ UK & parties in SA

    3. International Data Transfer Agreement between ExcluServ UK & parties in SA

    4. Shared systems and procedures, for the whole group, that are hosted and held in the UK

    5. Data Transfer Risk Assessment

Other systems hosted outside of the UK/EU

ExcluServ (and our clients) work with some Software as a Service (SaaS) solutions that might in part process data outside of the UK.

Where that is the case, ExcluServ works with that provider to deliver a GDPR-compliant solution, ideally setting up UK/EU based data storage solutions.

Protection of Personal Data

This section is common to both categories and relates to the measures that are taken to ensure the protection of personal data.

ExcluServ will take all reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. This includes, but is not limited to, data encryption, data access controls, strong operational procedures, password protection with MFA for key systems, security monitoring and incident management.

Data Retention

This section is common to both categories. Any personal information we hold will only be kept for as long as it is required to provide the requested service.

Where appropriate, the data will be moved so that it is only on the Data Controller’s own systems. It will then be the responsibility of the Data Controller to manage that data in accordance with GDPR.

In some cases, we have a legal obligation to keep your information for a specified amount of time, which might be longer than the intended purpose (e.g. due diligence information required to comply with laws relating to money laundering, the required period for retention of financial records).

Rights of Data Subject (Individual)

The rights of the Data Subject exist whether in one category or the other but should be exercised by the Data Subject directly with the Data Controller.

The approach for exercising these rights is therefore outlined separately in each category.

Automated Decision Making

ExcluServ does not use any algorithms to make automated decisions in relation to individuals or based on any personal data that we hold or process. This is true for both categories of processing being considered in this Privacy Notice.