The protection and privacy of the personal data we process is of utmost importance and in our capacities as both data controller and data processor we are constantly striving to maintain and improve our commitment to data security and privacy. At Alfa, we have also committed to meeting the requirements of the industry and International Standards such as ISO 27018:2019 and ISO 27001:2013, as well as the EU's General Data Protection Regulations (EU GDPR) and the UK's General Data Protection Regulation (UK GDPR).
2. How we collect and process personal data
Alfa collects and is the data controller for:
- Information about visitors to our website
- Personal contact information of employees of companies and other third parties that we are working with
- Personal contact information of other people that we send marketing information to, collected from a variety of means
- Personal contact information of investors
- Information about job applicants
- Information that people may input into our software during a demonstration
In addition, Alfa may act as a data processor and view, store or process our clients’ end-customer data as part of the services we provide to our clients.
For each type of information we collect, we identify the lawful basis for its collection and processing, and have described these in the sections below.
- Where we say we have a legitimate interest, this means that it is in the interest of our business, in order to enable us to give you the best service. We make sure that we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.
- Where we say we collect the data with your consent, we rely on you providing consent for us to process your information. When we ask for your consent, we will be clear about what you are consenting to and ask you to make a positive choice to opt in. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of our processing based on consent before its withdrawal.
2.1. Visitors to our website
When anyone visits Alfa's website we collect standard internet log information and details of visitor behaviour patterns. We do this as a legitimate interest to find out things such as the number of visitors to the various parts of the site. The information is analysed by our marketing team responsible for the development of our website.
We do not make any attempt to find out the personal identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source. Where we do want to collect personally identifiable information through our website, we are explicit about this. We will make it clear when we collect personal information, and will explain what we intend to do with it. If you subscribe to marketing materials from our website, see section 2.3 below.
Information about your use of our website (including your IP address) generated by Google Analytics cookies will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.
You can decide if you want to accept cookies by changing the settings on your computer, please see more information. However please note that if you do this you may not be able to use the full functionality of the website. By using our website, you consent to the processing of data by Google in the manner and for the purposes set out above.
We use profiling tools to understand how you engage with our website and may show you content we think will be most relevant to you, based on our understanding of your interests and preferences. Contained within our website is tracking code from Lead Forensics. Lead Forensics will track activity on the website and provide Alfa with information on the IP address of the requesting computer (this data is not anonymised), the date and duration of the user’s visit, and the web pages which the user visits. The Lead Forensics tool complies with the data protection act because it is only providing information that is readily available in the public domain. The Lead Forensics tool uses IP tracking for identifying visitors and not cookies. It does not, and cannot, provide information on WHO has visited the website. It provides information on WHAT company. More information can be found at www.leadforensics.com.
2.2. Personal contact information of employees of companies and other third parties that we are working with
Alfa collects business contact information including name, telephone and email addresses of business contacts.
Alfa collects this data with legitimate interest as part of its business operations, for instance as part of the sales process, Alfa Systems implementations projects, and interactions with suppliers and other partners. Information will be used throughout Alfa to deliver our products and services to you. We may also use this information to send you marketing information. You can opt out of this at any time by using the unsubscribe links in our email communications, or contacting us at the address below.
2.3. Personal contact information of other people that we send marketing information to
Alfa collects personal contact information including name, telephone and email addresses of business contacts. Typically these will be business contact details.
Our marketing team collects this personal contact information from our website, third party websites such as industry forums, conference attendee lists, and trade stands and business card draws, and may use this to send you information about our products and services. We will ask for your consent for this. You can opt out of this at any time by using the unsubscribe links in our email communications, or contacting us at the address below.
2.4. Personal contact information of investors
Alfa collects personal contact information, including name and email addresses, of individuals who grant us consent by subscribing to the investors section of our website. The information is retained by Alfa's marketing team who use it to provide you with relevant news items according to your preferences.
You can change your preferences or unsubscribe at any time by visiting the investor section of our website.
2.5. Job applicants, current and previous
Alfa has a legitimate interest to collect information including curriculum vitae (résumés), covering letters and other information provided as part of the application process, including data input on an application form or information provided during the interview process.
We may collect this information via our website, recruitment fairs, recruitment agencies, third party recruitment tools such as LinkedIn and hackajob, and during the application process. We will use this information only for our recruitment process.
The information you provide will be retained by our HR department and will be shared with other Alfa employees conducting interviews. Alfa will keep a history of applicants to help us manage where we receive applications from multiple sources.
At Alfa, we use a number of cloud systems to manage our recruitment process (for example Workday and G Suite). These systems are used by Alfa employees and covered by our responsibilities under this policy. We outsource the review of initial applications from graduates to Bright Network and they perform this work on Workday. Your details will not be revealed by Alfa to any other external persons or organisations unless we have your permission, or are under a legal obligation or any other duty to do so.
For successful applicants, as part of our pre-employment screening checks we will ask for additional information. Since our clients are financial institutions, this normally includes criminal background and adverse credit history checks. We will tell you more about this if you are successful.
With your consent, Alfa may also collect personal contact details for future candidates, for example from recruitment fairs and other industry events. We will use this information to keep you informed about our recruitment process and recruitment events. You can opt out of this by contacting our HR team via the careers contact details on our website.
2.6. Information collected during software demonstrations
With your consent, Alfa may collect and process your personal data during demonstrations of our software. The data we collect will be dependent on the demonstration. For example, as part of an end customer self-service credit application, our software might capture images of documents and your photo to verify your identity. We will clearly identify the processing that we will perform as part of any demonstration. This data might include biometric (facial recognition) data that is used to identify you, which is a special category of personal data under GDPR. To process special categories of personal data, Alfa will seek your additional consent.
We will only use this data during the software demonstration, and where possible will overwrite it with mocked data. We will not use this data for any other purpose, and will regularly purge data from our demonstration environment.
2.7. Clients' end customer data
Alfa may view, store or process the personal data that has been collected by our clients through the course of our services that we provide to our clients, for example:
- When we are implementing the Alfa Systems software for a new client, we may move and transform the data from the client’s old systems to Alfa Systems.
- When we provide application support for Alfa Systems, we might have access to the data in order to investigate an issue with the software.
- If we host the Alfa Systems software on behalf of our clients, we will have administrative access to the database.
Alfa will only store and process the data in accordance with instructions from our clients. We are not responsible for the completeness or accuracy of the data. We will not contact any of our clients’ end customers. We will not provide the data to any third parties, unless we are under a legal obligation or any other duty to do so. If we do receive a request from a regulator or other third party to share personal data, we will inform our clients before we do so, unless we are prohibited from doing so.
3. Your rights as a data subject
GDPR applies to the processing of personal data of data subjects who are in the United Kingdom or the European Union and grants them the following rights:
- Right of access to your personal data
- The right to have inaccurate personal data rectified or completed if it is incomplete
- The right to have your personal data erased in certain circumstances
- The right to restrict our processing of your data in certain circumstances
- The right to obtain and reuse your personal data for your own purposes in certain circumstances
- The right to object to our processing of your data in certain circumstances
- The right not to be subject to a decision based solely on automated processing, including profiling, which Alfa does not do.
3.1. Accessing your personal information
Any individual who wishes to access the personal information Alfa hold on him or her is able to make a Subject Access Request (SAR).
If we do hold information about you in a relevant filing system, we will:
- Give you a description of it;
- Tell you why we are holding it;
- Tell you who it could be disclosed to; and
- Let you have a copy of the information in an intelligible form.
If you wish to make a request for any personal information we may hold please contact us in writing, addressing it to:
Data Protection Officer Alfa Financial Software Ltd. Moor Place 1 Fore Street Avenue London EC2Y 9DT United Kingdom
3.2. Your right to object
Where we are using a legitimate interest to process your data, you have a right to object to our processing at any time, on grounds relating to your particular situation. In this instance, we will no longer process your data unless:
- We are able to demonstrate our compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
- Your data is necessary for our establishment, exercise or defence of legal claims
Above exceptions won't be applied if the purpose of our processing is direct marketing based on legitimate interest. This means that we will stop processing your data immediately without any conditions.
You can object in writing to the Data Protection Officer. We will provide you with information on action taken on your request without undue delay and in any event within one month of receipt of your request.
3.3. Your other rights
If we do hold information about you, you can ask us to correct any mistakes by contacting the Data Protection Officer (see section 3.1 for address details). You can also ask to exercise your other rights. If we cannot comply with your request we will tell you why.
4. Complaints or queries
We take the collection and processing of personal data very seriously and encourage individuals and/or organisations to bring to our attention any aspect of our operations that they feel collects or processes personal data in an unfair, misleading or inappropriate way.
This privacy notice is written to provide clarity and ensure our key processing activities are clear and understood. It does not provide all aspects of processing and use of personal data.
For any complaints, queries or requests for information please contact us by writing to the Data Protection Officer (see section 3.1 for address details).
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (https://ico.org.uk). Please read: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/ for details of how to do this. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance, as per the ICO guidance in https://ico.org.uk/your-data-matters/raising-concerns/.
5. Data locations
Alfa is a global company. We may store, process or access data outside of the local jurisdiction in which it was collected. For UK or EU citizens, this means we may transfer data outside of the UK or European Economic Area (EEA). Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it be ensuring that at least one of the following safeguards is implemented.
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK or European Commission. For further details, see International transfers after uk exit from the EU Implementation Period and European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use providers based in the US, we may have transferred personal data to them prior to the 16 July 2020 if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
- Where we use Alfa Financial Software Inc. which is based in the US, we may transfer data to Alfa Financial Software Inc. in accordance with Alfa's Privacy Shield Policy.
- Where we use certain service providers, we may use specific contracts approved by the UK or European Commission which give personal data the same protection it has in Europe. For further details, see Standard Contractual Clauses (SCCs) after the transition period ends, European Commission: Model contracts for the transfer of personal data to third countries and the International data transfer agreement and guidance.
Where Alfa is hosting our clients’ end customer personal data on our clients’ behalf, we will agree with them where the data will be stored. For our European clients, we will normally host it within the EEA. For our North American clients, we will normally host it within the mainland United States. For our Asia Pacific clients, a decision is taken on a case by case basis.
6. Data retention: how long we keep your personal data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We periodically review the data that we hold to ensure that we are not holding any information for any longer than necessary for its purpose.