Privacy, Data Protection & Security Policy


This Policy sets out the obligations of Sterling Green Ltd, a company registered in the United Kingdom under number ZA167528 regarding data protection and the rights of clients (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out the procedures that are to be followed when dealing with personal data. The procedures and principles set out herein must be followed always by the Company, its employees, agents, contractors, or other parties working on behalf of the Company. This document also sets out guidelines for email and internet use by all employees to encourage the correct use in the business environment. Any breach of this policy or misuse of electronic communications may constitute a serious disciplinary matter and may lead to dismissal.


Article 5 of GDPR sets out the following principles with which any party handling personal data must comply:

Principal 1 – Lawful, Fair and Transparent Data Processing

The GDPR states that processing of personal data shall be lawful if at least one of the following applies:

Principal 2 – Specified, Explicit and Legitimate Purposes

The Company only collects, processes, and holds personal data for the specific purposes set out in Section 5 of this Policy (or for other purposes expressly permitted by the GDPR).

Data subjects are kept informed always of the purpose or purposes for which the Company uses their personal data.

Principal 3 – Adequate, Relevant and Limited Data Processing

The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed)

Principal 4 – Accuracy of Data and Keeping Data up-to-date

The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject,

The accuracy of personal data shall be checked when it is collected and at annual intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

Principal 5 – Secure Processing

The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Principal 6 – Accountability and Record Keeping

The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.

The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:


The GDPR sets out the following rights applicable to data subjects:

Right to be informed

The Company shall provide the following information:

Right of access

Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.

Employees wishing to make a SAR should do using a Subject Access Request Form, sending the form to the Company’s Data Protection Officer.

All SARs received shall be handled by the Company’s Data Protection Officer within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.

The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

Right of rectification of personal data

The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

If any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

Right to erasure of personal data

Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:

Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

Under our requirements with the Financial Conduct Authority and our Professional Indemnity Insurers, we are required to retain all records relating to advice given to clients for specific time periods. The right to erasure cannot be actioned in those cases.

If any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

Right to data portability

The Company processes personal data using automated means.

Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).

To facilitate the right of data portability, the Company shall make available all applicable personal data to data subjects in the following format

Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.

Right to object to personal data processing

Where a data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing immediately.

Right in relation to auto decison making process and profiling

The Company does not use personal data in automated decision-making processes or profiling purposes.


The Company shall where applicable, carry out Data Protection Impact Assessments for all new projects and/or new uses of personal data. Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:


The following personal data is collected, held, and processed by the Company

Type Of Data Purpose of Data
Client data To fulfil the ‘know your client’ requirements of the FCA to be able to give clients advice on financial products and financial planning
Staff Data To maintain records for employment and human resource requirements as well as tax and national insurance records


The Company shall not retain any personal data for any longer than is necessary considering the purpose(s) for which that data is collected, held, and processed. When establishing and/or reviewing retention periods, the following shall be considered:

If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.


The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:


All electronic copies of personal data should be stored securely using passwords and data encryption. Hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;

No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of the Data Controller

No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with this Policy and of the GDPR.

When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted/shredded, and residue disposed of


No personal data may be shared or transferred informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Data Protection Officer

Personal data must be handled with care always and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;

If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period, the user must lock the computer and screen before leaving it; and

Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Data Protection Officer to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service


All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols and be a minimum of seven characters long.

Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.

All software shall be kept up-to-date. The Company’s Data Protection Officer staff shallbe responsible for installing all security-related updates as soon as reasonably and practically possible. No software may be installed on any Company-owned computer or device without the prior approval of the Data Protection Officer.


All personal data breaches must be reported immediately to the Company’s Data Protection Officer.

If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

Data breach notifications shall include the following information: