1. Wentworth Surety Limited (We/us): (company registered number E&W 4021657) trades as travelbonding.co.uk and/or acetravelbonding.uk and acetravelbonding.co.uk and is authorised and regulated by the Financial Conduct Authority (FCA). Our registration number is 307080. We are registered with the Information Commissioner’s Office (ICO) who enforce the Data Protection Act (DPA) and General Data Protection Regulation (GDPR). Our registration number is ZA050533. We trade from Grangehurst, Butlers Dene Road, CATERHAM, CR3 7HX, and our company registered office is as trading address.
2. Personal Data that we Collect: We act as a surety bond broker, only for commercial customers, and not consumers (being natural persons who are acting for purposes which are outside their trade or profession). In order to communicate quotations for providing new bonds, or variations or renewals of existing bonds, for our commercial customers, we will have collected and stored electronically and/or in hard copy format some personal data, principally the name and physical address, together with the e-mail address and telephone numbers of the commercial customer’s designated contact person for surety bonding matters, but also the data acquired via our Application for a Travel Bond form.
Where a bond is subject to a personal guarantee, we will have collected personal data regarding the assets and nett worth of the commercial customer’s principal(s), who may be distinct from the designated contact person for surety bonding matters.
3. Personal data that we Share: In order to obtain quotations for bonding from obligors, it will have been necessary for us to share your and/or the principal(s’) personal data with them, in order for them to make an assessment as to whether to offer to provide or renew the commercial customer’s bond, and at what price.
4. Opting In or Opting Out of Receiving Communications from Us: If you are a client of ours dating to before the coming into force of the GDPR, by selecting us to act as your broker we have deemed that you have opted in to receiving communications from us concerning your bonding programme. If we are incorrect, and you do not wish to receive any further communication from us, please inform our Data Controller, by e-mail, on email@example.com. In this eventuality, we would not be able to communicate to you terms for any new bonds or renewal terms for any existing bonds.
If you appointed us as your broker, or if you renewed your annual bond through us, subsequent to the coming into force of the GDPR, you will have been asked to specifically opt in to receiving communications from us. Thus all clients, existing and new, will have specifically opted in to receive communications from us within twelve months of the implementation of the GPDR.
5. Data Processing Rights to Individuals Under The Data Protection Act (DPA) as modified by The General Data Protection Regulation (GDPR):
The Right to be Informed
We are obliged to provide “fair processing information’”, typically through a privacy notice. It emphasises the need for transparency over how we use your personal data. The information supplied about the processing of personal data must be:
concise, transparent, intelligible and easily accessible;
written in clear and plain language; and
free of charge.
The Right of Access: Under the GDPR, you will have the right to obtain:
confirmation that your data is being processed;
access to your personal data; and
other supplementary information – this largely corresponds to the information that should be provided in a privacy notice. These are similar to existing subject access rights under the DPA.
The GDPR clarifies that the reason for allowing you to access your personal data is so that you are aware of and can verify the lawfulness of the processing.
The Right to Rectification: You are entitled to have personal data rectified if it is inaccurate or incomplete.
Where personal data is disclosed to third parties (typically obligors), as discloser we must inform them of the rectification where possible. We must also inform you about the third parties to whom the data has been disclosed, where appropriate.
The Right to Erasure: The right to erasure is also known as “the right to be forgotten”. The broad principle is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute “right to be forgotten”. You have a right to have personal data erased and to prevent processing in specific circumstances:
Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
Where you withdraw consent.
When you object to the processing and there is no overriding legitimate interest for continuing the processing.
The personal data was unlawfully processed (ie otherwise in breach of the GDPR).
The personal data has to be erased in order to comply with a legal obligation.
The GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data public should inform other organisations who process the personal data to erase links to, copies or replication of the personal data in question.
The Right to Restrict Processing: Under the DPA, you have a right to “block” or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, we are permitted to store the personal data, but not further process it. We can retain just enough information about you to ensure that the restriction is respected in future.
The Right to Data Portability: The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer your personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability only applies:
to personal data you have provided to our Data Controller;
where the processing is based on your consent or for the performance of a contract; and
when processing is carried out by automated means
The Right to Object: You have the right to object to:
processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
direct marketing (including profiling); and
processing for purposes of scientific/historical research and statistics.
Rights in Relation to Automated Decision Making and Profiling: The GDPR provides safeguards for you against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA.
If you wish to seek clarification as to how we collect and/or process your personal data or, exercise any of your rights under the Data Protection Act or the General Data Protection Regulation, please contact our Data Controller by e-mail on firstname.lastname@example.org