Endless respects the privacy and security of your personal data and is committed to protecting that information. This Privacy Statement provides information about the personal data we process, why we process it, how we process it and your legal rights in connection with it. It is important that you read this, together with any other privacy notice, fair processing notice or other documentation (such as terms and conditions) that we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we use your data. In order to stay up to date with new laws or changes in the ways we handle data, we reserve the right to amend the terms of this Privacy Statement from time to time.
What are our responsibilities?
As a data controller we are responsible for the processing of personal data that you provide. We are required to comply with data protection laws, including the General Data Protection Regulation 2016, Data Protection Act 2018 and subsequently any national implementing laws or successor legislation (collectively referred to as the “Data Protection Legislation”).
We are committed to following the data processing principles in ensuring that personal data are:
- Processed lawfully, fairly and transparently
- Collected and processed for limited purposes with a view to minimising that data and their storage
- Accurate and processed in a manner that ensures integrity and confidentiality
- Collected and processed in a manner that allows for accountability
What is personal data?
Your personal data includes all the information we hold that identifies you or is about you, for example your name, email address, postal address or location data. In some cases this could also include opinions that we document about you or your profile.
At Endless we do not, under any circumstances, collect “special categories” of sensitive personal data about you relating to your religious or philosophical beliefs, sex life, sexual orientation, political opinions, criminal records, trade union membership, health or genetic and biometric data. We may process sensitive personal data related to your race/ethnicity only where you have explicitly consented, for example by submitting that information as part of your CV.
What is processing?
Everything we do with your personal data counts as processing it, including collecting, storing, amending, transferring and deleting it. We are therefore required to comply with the Data Protection Legislation to make sure that your information is properly protected and used appropriately.
Why do we process your personal data?
We process your personal data for different purposes depending on who you are:
If you are making or have made a general enquiry with us then we may need to process data in relation to your name, contact information and the contents of your enquiry in order to be able to respond to you.
If you currently provide or are contacting us because you are interested in providing goods or services to us then we may need to process data in relation to your identity, contact information or bank account information in order to enter into or perform a contract with you.
In order to add you to our contacts database we may process data related to your name, contact information, location, areas of practice/expertise and employment.
Once added to our database we may use your data in order to update your contact preferences, to add you to or remove you from mailing lists, to send you updates or news from Endless, to process invitations and responses for events organised by Endless, or to make contact for the purposes of establishing a business relationship with you. In addition, we may process data relating to meetings we have held with you or events you have attended.
If you have approached us regarding a potential employment opportunity, we may need to process information provided by you in your CV and covering letter, including your name, title, address, telephone number, email address, postal address, date of birth, gender, location information, employment history, qualifications and general professional experience.
In order to assess your suitability for potentially assisting us with our assessment of investment opportunities or taking a position within one of our portfolio companies we need to process data in relation to your identity, address and geographical location, contact details, the contents of your cover letter and/or CV including your qualifications, experience and employment history, as well as opinions expressed by your referees. If we conduct an interview or meeting with you then we may also process data in relation to information provided during that interview or meeting, including any assessment notes taken or opinions formed by the interviewer.
We may use your data in order to issue invitations and process responses for events and functions organised by Endless. This may include dinners or drinks events that we use for specific industry sectors or charity fundraising, as well as generally to stay in touch by updating you on Endless, our recent activities and potential future opportunities. During and following an event we might process data when taking and editing imagery which could be used in the creation of marketing or promotional materials, for use in printed and online publications, social media and press releases. In addition, after the event we may issue surveys to assist us in improving our event planning.
We may use your data to support an internal expense claim made by an employee as a result of personal money spent for business purposes. Expense claims are made via a third-party service provider who is based in the UK. Such data could include your name and company (where relevant).
To enable us to assess an investment opportunity and monitor it once made we may process data relating to individuals associated with the investment. We may also process personal data in order to comply with legal and regulatory requirements if we decide to make an investment (for example anti-money laundering regulations). This could include the personal data of employees, officers and shareholders of the corporate entities involved, as well as in some cases their immediate family members and close associates. The types of data we process in this respect could include name, address, nationality, date of birth and gender and information contained in identification documents such as passports, driving licences and utility bills. It could also include details about your employment history and salary details and, where you are a senior management team member, details about your source of wealth and investment history.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. However, please note that we may process your personal data without your knowledge or consent in accordance with these rules.
On what basis do we process your personal data?
We may rely on different grounds to lawfully process your personal data depending on the nature of our relationship with you. We process most of your information on the grounds of our legitimate interests (i.e. promoting the effective operation and administration of our business). We may also rely on the fact that we need to process your personal data to enter into or perform a contract with you, or to comply with a legal obligation.
If none of the grounds set out above apply, we will obtain separate consent from you to the processing of your personal data. You can withdraw your consent at any time. However, this wouldn’t affect the lawfulness of any processing we carried out prior to you withdrawing your consent.
Who will receive your personal data?
We only transfer your personal data to the extent we need to. Recipients of your personal data may include:
- Service providers we use as part of our IT infrastructure
- Other third-party service providers (including identity checking services and to enable the processing of expenses claims)
- Professional advisers
- Regulatory bodies and authorities
- Other entities within our group
- Portfolio companies in which we have made an investment
- Prospective purchasers of the investments that we make
We may transfer your personal data outside of the EEA to service providers or professional advisers operating in other jurisdictions. We will only transfer data where a finding of adequacy has been made in respect of that jurisdiction, which means the EU Commission is satisfied that any data transferred will be adequately protected or where a data transfer agreement incorporates EU model clauses meaning that appropriate safeguards will govern the transfer of the data.
How do we ensure that your data is secure?
We have put in place appropriate physical, technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a legitimate need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. In the unlikely event of a suspected or actual breach of personal data, we have procedures in place to address the breach as well as to notify you and any applicable regulator where we are required to do so.
How long will we keep your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or regulatory reporting requirements. In determining the appropriate retention period for personal data we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means.
What are your rights?
You benefit from a number of rights in respect of the personal data we hold about you. We have summarised your rights below, and more information is available from the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio...). These rights apply for the period in which we process your data.
1. Access to your data
You have the right to request confirmation that we process your personal data, as well as access to your personal data. You can also ask us to provide some additional information in relation to our processing of your personal data, although most of that information corresponds to the contents of this privacy statement.
We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.
We will provide the information you request as soon as possible and in any event within one month of receiving your request. If we need more information to comply with your request, we’ll let you know.
2. Rectification of your data
If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it, unless we don’t feel it’s appropriate in which case we’ll let you know why. We’ll also let you know if we need more time to comply with your request.
3. Right to be forgotten
In some circumstances, you have the right to ask us to delete personal data we hold about you. This right is available to you:
- where we no longer need your personal data for the purpose for which we collected it;
- where we have collected your personal data on the grounds of consent and you withdraw that consent;
- where you object to the processing and we don’t have any overriding legitimate interests to continuing processing the data;
- where we have unlawfully processed your personal data (i.e. we have failed to comply with the Data Protection Legislation); and
- where the personal data has to be deleted to comply with a legal obligation.
There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we’ll let you know.
4. Right to restrict processing
In some circumstances you are entitled to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data but we don’t have to delete it. This right is available to you:
- if you believe the personal data we hold isn’t accurate then we’ll cease processing it until we can verify its accuracy;
- if you have objected to us processing the data (see below) then we’ll cease processing it until we have determined whether our legitimate interests override your objection;
- if the processing is unlawful; or
- if we no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim.
5. Data portability
You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data controller. This right only applies to personal data you provide to us:
- where processing is based on your consent or for performance of a contract (i.e. the right does not apply if we process your personal data on the grounds of legitimate interests); and
- where we carry out the processing by automated means.
We’ll respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we’ll let you know.
6. Right to object
You are entitled to object to us processing your personal data:
- if the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority;
- for direct marketing purposes (including profiling); and/or
- for the purposes of scientific or historical research and statistics.
In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
Automated decision making
Automated decision making means making a decision solely by automated means without any human involvement. This would include, for example, an online credit reference check that makes a decision based on information you input without any human involvement. It would also include the use of an automated clocking-in system that automatically issues a warning if a person is late a certain number of times (without any input from HR, for example).
We don’t carry out any automated decision making using your personal data.
Your right to complain about our processing
If you think we have processed your personal data unlawfully or that we have not complied with the Data Protection Legislation, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website - https://ico.org.uk/concerns/.
Our General Counsel, Simon Hardcastle, has day to day responsibility for ensuring we comply with the Data Protection Legislation and for dealing with any requests we receive from individuals exercising their rights under the Data Protection Legislation.
If you have any questions or would like more information about the ways in which we process your data, please contact Simon Hardcastle on 0113 210 4000 or alternatively at firstname.lastname@example.org.