Group Privacy Policy
MJH Group Holdings Limited, its subsidiaries and associated businesses (“MJ Hudson” and “we”) are committed to protecting your personal data and informing you of your rights in relation to that data.
MJ Hudson is registered as a data controller under the Data Protection Act 1998. Our registration details can be found via the Information Commissioner’s Office Search Register link here.
One of our responsibilities as a data controller is to be transparent in our processing of your personal data and to tell you about the different ways in which we collect and use your personal data. MJ Hudson will process your personal data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Data Protection (Jersey) Law 2018 and the Data Protection (Bailiwick of Guernsey) Law, 2017 (Applicable Local Laws). This privacy notice is issued in accordance with Articles 13 and 14 of the GDPR.
We may update our privacy policy at any time. The current version of our privacy policy can be found below, and we encourage you to check here regularly to review any changes.
Identity and contact details of data controller
For the purposes of the GDPR and Applicable Local Laws, MJ Hudson is the controller of your data. If you have any queries regarding this policy or complaints about our use of your data, please contact the data processing team at data-processing@mjhudson.com or at the address below and we will do our best to deal with your complaint or query as soon as possible.
MJ Hudson
8 Old Jewry,
London
EC2R 8DN
FAO: The Data Privacy Manager
Personal data and its processing
Personal data is defined in the GDPR as information relating to a live, identifiable individual. It can also include special categories of data, which is information about your racial or ethnic origin, religious or other beliefs, physical or mental health, the processing of which is subject to strict requirements. Similarly, information about criminal convictions and offences is also subject to strict requirements. “Processing” means any operation which we carry out using your personal data, for example obtaining, storing, transferring or deleting.
We only process data for specified purposes and if it is justified in accordance with data protection law. Details of each processing purpose and its legal basis are given within each privacy notice listed below – please consult the notice relevant to your relationship with MJ Hudson.
How long we keep your data for
Unless specific time periods are given in the relevant privacy notice, your data will be kept in line with our data retention policy.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Your rights as a data subject
You have the following rights in relation to your personal data processed by us:
RIGHT TO BE INFORMED
- We will ensure you have sufficient information to ensure that you’re happy about how and why we’re handling your personal data, and that you know how to enforce your rights. We will provide information in the form of privacy notices. You can read all of our privacy notices online.
RIGHT OF ACCESS / RIGHT TO DATA PORTABILITY
- You have a right to see all the information that we hold about you. Where data is held electronically in a structured form, such as in a database, you have a right to receive that data in a common electronic format that allows you to supply that data to a third party – this is called “data portability”.
RIGHT OF RECTIFICATION
- If we are holding data about you that is incorrect, you have the right to have it corrected.
RIGHT TO ERASURE
- You can ask that we delete your data and where this is appropriate we will take reasonable steps to do so.
RIGHT TO RESTRICT PROCESSING
- If you think there is a problem with the accuracy of the data we hold about you, or you are of the opinion that we are using data about you unlawfully, you can request that any current processing is suspended until a resolution is agreed.
RIGHT TO OBJECT
- You have a right to opt out of direct marketing. You have a right to object to how we use your data if we do so on the basis of “legitimate interests” or “in the performance of a task in the public interest” or “exercise of official authority” (a privacy notice will clearly state this to you if this is the case). Unless we can show a compelling case why our use of your data is justified, we have to stop using your data in the way that you’ve objected to.
RIGHTS RELATED TO AUTOMATED DECISION MAKING INCLUDING PROFILING
- You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making as we do not use automated decision-making.
Please email any related request to the data processing team.
Withdrawing consent
If we are relying on your consent to process your data, you may withdraw your consent at any time.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the data processing team. Once we have received notification that you have withdrawn your consent, we will consider your request and, where applicable, will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Exercising your rights, queries and complaints
For more information on your rights, if you wish to exercise any right, for any queries you may have or if you wish to make a complaint, please contact our Data Privacy Manager.
Complaint to the supervisory authority
You have a right to complain to the supervisory authority about the way in which we process your personal data.
You may lodge a complaint with any supervisory authority regarding our processing of your personal data. The relevant supervisory authorities are set out below:
United Kingdom – the Information Commissioner’s Office whose contact details can be found on their website which can be viewed here – https://ico.org.uk/
The Netherlands – Autoriteit Persoonsgegevens, whose contact details can be viewed here: https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us
Jersey – the Office of the Information Commissioner whose contact details can be found on their website which can be viewed here – https://oicjersey.org/
Guernsey – the Office of the Guernsey Data Protection Commissioner whose contact details can be found on their website which can be viewed here – https://dataci.gg/
Luxembourg – the National Commission for Data whose contact details can be found on their website which can be viewed here – https://cnpd.public.lu/en.html.
Switzerland – the Federal Data Protection and Information Commissioner whose contact details can be found on their website which can be viewed here – https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
The USA – There is no single national authority. The Federal Trade Commission (FTC) has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas and to take enforcement action to protect consumers against unfair or deceptive trade practices. The FTC’s contact details can be found on their website which can be viewed here – https://www.ftc.gov/contact
Article 28 – Where MJ Hudson is a Data Processor
Where, in relation to any personal data, MJ Hudson is the data processor under the terms of the agreement (for example, when MJ Hudson provides perception studies for clients upon their request, where the data is provided by the client and used solely for the purpose of conducting the perception study on behalf of the client), the following provisions will apply.
For the purposes of Article 28.3 of the GDPR the subject matter of the processing is as follows:
- the personal data used in the processing will be based on the agreement between MJ Hudson and the controller, for example: forename(s), surname, email address, password, IP address, client instructions;
- the duration of the processing will be the duration of the agreement (as may be extended from time to time);
- the nature and purpose of the processing will be limited to the agreement between the parties.
MJ Hudson shall:
- process the personal data only in accordance with the data controller’s instructions, including where relevant for transfers of personal data outside the European Economic Area (EEA) (unless required to do so by European Union, Member State and/or UK law to which MJ Hudson is subject, in which case MJ Hudson shall inform the data controller of that legal requirement before processing unless prohibited by that law);
- ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required pursuant to Article 32 of the GDPR;
- appoint sub-processors only in accordance with Article 28.2 and Article 28.4 of the GDPR;
- taking into account the nature of the processing, assist the data controller by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the data controller’s obligation to respond to requests for exercising a data subject’s rights laid down in Chapter III of the GDPR;
- taking into account the nature of the processing and the information available to MJ Hudson, assist the data controller in ensuring compliance with the data controller’s obligations to:
  - keep personal data secure (Article 32 GDPR);
  - notify personal data breaches to the supervisory authority (Article 33 GDPR);
  - advise data subjects when there has been a personal data breach (Article 34 GDPR);
  - carry out data protection impact assessments (Article 35 GDPR); and
  - consult with the supervisory authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 36 GDPR);
- upon the data controller’s request, delete or return all personal data to the data controller upon termination of the agreement, save to the extent that European Union or EU member state law requires retention of the personal data;
- make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in these terms and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller;
- co-operate on request, with the Information Commissioner’s Office (or any successor body thereto or any relevant supervisory authority) in the performance of its tasks; and
- notify the data controller without undue delay after becoming aware of a personal data breach.
We shall be liable in respect of any breach of our obligations under the agreement and/or data protection legislation with respect to the processing of personal data other than where such breach is caused by or results from an act or omission by the data controller. We shall fully and effectively indemnify the data controller for any claim brought by a data subject and/or any competent authority or body arising from any action or omission by us with respect to the processing of their personal data other than to the extent that such action or omission resulted from compliance with the data controller’s instructions.
Data Security
Your personal data is securely stored. Our emails are stored on a Microsoft server within the EU. All other personal data is stored in our Jersey-based servers.
MJ Hudson Spring B.V are based in the Netherlands and the limited amount of personal data that they do hold is held within secure servers based onsite. These will be integrated into the wider MJ Hudson infrastructure in due course.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and securely.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used or accessed without authorisation. In addition, we restrict access to personal data to those employees, agents, contractors, consultants and other third parties who have a business need to access the personal data. They will only process personal data on our instructions and they are also subject to a duty of confidentiality.
We have in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally obliged to do so.
Additional Information
This privacy policy and notices do not form, and should in no way be construed as, a contract and no contractual rights or causes of action shall arise in relation to or in consequence of the content of this notice.
We keep our privacy policy under constant review and may change it from time to time to reflect our practices or to remain compliant with relevant legislation. We will notify you of any material changes to our privacy policy, which may be via a notification on our Websites. Your continued use of our services, following the posting of changes to these terms, will mean you accept these changes.
This privacy policy was last updated in December 2019. Previous versions of the privacy policy can be provided on request from the data processing team.