UPDATED: 26th October 2023
1. Our contact details
Name: Enko Capital Management LLP
Address: 1 Knightsbridge Green, London, SW1X 7QA
Phone Number:+44 (0) 20 7881 0030
a) In order to service our clients, Enko Capital Management LLP (hereinafter “ECM LLP”, “we” or us”) needs to collect personal data from our clients and/or potential clients and employees.
In light of the above, ECM LLP wants to ensure a high level of data protection as privacy is a cornerstone in gaining and maintaining the trust of our clients, employees and suppliers, thus ensuring ECM LLP’s business in the future.
The protection of personal data requires that appropriate technical and organisational measures are taken to demonstrate a high level of data protection. ECM LLP has adopted a number of internal and external data protection policies, which must be adhered to by employees of ECM LLP.
Additionally, ECM LLP will monitor, audit and document internal compliance with the data protection policies and applicable statutory data protection requirements, including the General Data Protection Regulation (“GDPR”).
ECM LLP will also take the necessary steps in order to enhance data protection compliance within the organisation. These steps include the assignment of responsibilities, raising awareness and training of staff involved in processing operations.
b) “Personal data” is any information which may be related to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, location data, phone number, age, gender, an employee, a job applicant, clients, suppliers and other business partners. This also includes special categories of personal data (sensitive personal data) and confidential information such as health information, account number, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
c) Although, information regarding companies/businesses is not as such, personal data, please note that information relating to contacts with such companies/businesses, e.g. name, title, work email, work phone number, etc. is considered personal data.
d) ECM LLP collects and uses personal data for a variety of legitimate business purposes, for both its own and on behalf of other group entities.
e) ECM LLP collects and uses personal data for and on behalf of entities for which ECM LLP or group companies are engaged to provide investment management solutions.
f) Data held includes; establishment and management of customer and supplier relationships, completion of purchase orders, recruitment and management of all aspects of terms and conditions of employment, communication, fulfilment of legal obligations or requirements, performance of contracts, providing services to clients, etc.
g) Personal data shall always be:
i. Processed lawfully, fairly and in a transparent manner in relation to the data subject;
ii. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
iii. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
iv. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which it is processed, is erased or rectified without delay;
v. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
vi. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
h) ECM LLP shall be responsible for and be able to demonstrate compliance with the above as part of ECM LLP’s accountability.
3. The type of personal information we collect
We currently collect and process the following information from our clients:
• Personal information which includes but is not limited to our client’s name, residential address, date of birth, e-mail address, employment details and information relating to your financial circumstances; and
We currently collect and process the following information from visitors to our website:
• Traffic pattern information relating to the visitors to our website (in aggregate form).
4. How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by our current clients, prospective clients or visitors to our website for one of the following reasons:
• Looking to use our asset management services.
• Completing a client survey to be used for research and feedback purposes to improve the services and products we offer.
• Visiting our website – ECM LLP collects traffic pattern information such as information on the pages the visitors to our website access and how many users log into our platform(s) on a daily basis. This kind of information is only used in an aggregated form.
We use the information that you have given us in order to:
• Distinguish website users.
• Persist session state on the website.
Should you not wish to receive communications from Enko, please email: firstname.lastname@example.org.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
(a) Consent from the data subject for one or more specific purposes. This consent is not a precondition of service and you are able to remove your consent at any time. You can do this by contacting email@example.com
i. If the collection, registration and further processing of personal data on clients, suppliers, other business relations and employees are based on such a person’s consent to the processing of personal data for one or more specific purposes, ECM LLP shall be able to demonstrate that the data subject has consented to processing of such personal data.
ii. Consent shall be freely given, specific, informed, and unambiguous. The data subject must actively consent to the processing of personal data by a statement or by effecting a clear affirmative action.
iii. A request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
iv. To process special categories of personal data (sensitive personal data) the consent shall also be explicit.
v. The data subject is entitled to withdraw his/her consent at any time and upon such withdrawal, ECM LLP will stop collecting or processing personal data about that person unless we are obligated or entitled to do so upon another legal basis.
(b) The performance of a contract to which the data subject is party.
i. It will be legitimate to collect and process personal data relevant to the performance of a contract to which the data subject is part or in order to take steps at the request of the data subject prior to entering into a contract. This applies to all contractual obligations and agreements signed with ECM LLP, including the pre-contractual phase irrespective of the success of the contract negotiation or not.
(c) A legal obligation or requirement.
i. ECM LLP must comply with various legal obligations and requirements, which have basis in the UK Data Protection Act 2018. Such legal obligation, to which ECM LLP is subject, may be sufficient as a legitimate basis for the processing of personal data.
ii. Such legal obligations include obligations to collect, register and/or make available certain types of information relating to employees, clients, etc. Such legal requirements will then form the legal basis for us to process the personal data, however, it is important to note whether the provisions allowing or requiring ECM LLP to process certain personal data also set out requirements in relation to storage, disclosure and deletion.
(d) Legitimate interests pursued by ECM LLP.
i. Data will only be processed where it is necessary for the purposes of the legitimate interests pursued by ECM LLP, and these interests or fundamental rights are not overridden by the interests of the data subject. ECM LLP will, when deciding to process data ensure that the legitimate interests do not override the rights and freedoms of the individual and that the processing would not cause unwarranted harm. For instance, it is a legitimate interest of ECM LLP to process personal data on potential client in order to expand the business and develop new business relations. The data subject must be given information on the specific legitimate interest if a processing is based on this provision, cf. section 5.a below.
5. How we store personal information
a) ECM LLP as a Data Controller:
i. ECM LLP will be considered a data controller to the extent that we decide by which means the data subject’s personal data shall be processed e.g. when a data subject signs an agreement with ECM LLP.
b) Use of data processors:
i. An external data processor is a company, which processes personal data on behalf of ECM LLP and in accordance with ECM LLP’s instructions e.g. in relation to HR systems, third party IT providers, etc. ECM LLP will ensure that said company, as a minimum, applies the same degree of data protection as ECM LLP. If this cannot be guaranteed, ECM LLP will choose another data processor.
c) Data Processing Agreements
i. Prior to the transfer of personal data to the data processor, ECM LLP shall enter into a written data processing agreement with the data processor. The data processing agreement ensures that ECM LLP controls the processing of personal data, which takes place outside ECM LLP, for which ECM LLP is responsible.
ii. If the data processor/sub-data processor is located outside the EU/EEA, the conditions of clause 5. (d)(iv) below will apply.
d) Disclosure of data
i. Before disclosing personal data to others, it is the responsibility of ECM LLP to consider whether the recipient is employed by us or not. Furthermore, we may only share Personal data within ECM LLP, if we have a legitimate business purpose in the disclosure. ii. It is ECM LLP’s responsibility to ensure that the recipient has a legitimate purpose for receiving the personal data and to ensure that sharing of personal data is restricted and kept to a minimum.
iii. ECM LLP must show caution before sharing personal data with persons, data subjects or entities outside of ECM LLP. Personal data shall only be disclosed to third parties acting as individual data controllers if a legitimate purpose for such transfer exists. If the recipient is acting as a data processor, please refer to clause 5.(b) above.
iv. If the third-party recipient is located outside the EU/EEA in a country not ensuring and adequate level of data protection, the transfer can only be completed if a transfer agreement has been entered into between ECM LLP and the third party. The transfer agreement shall be based on the International Data Transfer Agreement (2022) and the International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers (2022).
v. Information collected may be disclosed to law enforcement agencies and other relevant organisations for crime detection and prevention purposes.
vi. Where applicable, ECM LLP may exchange information or share the client’s personal data with brokers who the client may have an agreement with and where the client has consented to the disclosure of that information.
e) ECM LLP shall, as data controller, maintain records of processing activities under ECM LLP’s responsibility. The records shall contain the following information:
i. The name and contact details of the data subject; ii. the purposes of the processing;
iii. a description of the categories of data subjects and of the categories of personal data;
iv. the recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
v. where applicable, transfers of personal data to a third country, including the identification of that third country and, if relevant, the documentation of suitable safeguards;
vi. where possible, a general description of the applied technical and organisational security measures.
vii. ECM LLP shall make the records listed in this clause available to the relevant data protection authorities upon request.
i. A cookie is a small data file that most major websites write onto the visitor’s hard disk for record keeping purposes when the website is visited.
ii. Cookies are used by ECM LLP to persist a user’s session on the website and distinguish each user (data only in aggregated form).
g) Personal data shall be deleted when ECM LLP no longer has a legitimate purpose for the continuous processing or storage of the personal data, or when it is no longer required to store the personal data in accordance with the applicable legal requirements.
i. The person data of any affiliates, service providers, clients or potential clients is held for a period of not less than 5 years and no longer than 8 years following the termination of any Business Relationship between the data subject and Enko.
h) Assessment of Risk
i. If ECM LLP processes personal data that is likely to result in a high risk for the persons whose personal data is being processed, a Data Protection Impact Assessment (“DPIA”) shall be carried out.
ii. A DPIA implies that ECM LLP will, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with data protection requirements.
iii. The aforementioned technical and organisational measures shall be reviewed and updated where necessary and no later than every 6 months.
iv. Adherence to approved codes of conduct or approved certification mechanisms may be used as an element by which to demonstrate compliance with the appropriate technical and organisational measures pursuant to this clause.
i) National Requirements
i. Adherence to approved codes of conduct or approved certification mechanisms may be used as an element by which to demonstrate compliance with the appropriate technical and organisational measures pursuant to this clause.
j) Data Protection by Design and Data Protection by Default
i. New products, services, technical solutions, etc. must be developed so that they meet the principles of data protection by design and data protection by default.
ii. Data protection by design means that when designing new products or services due consideration to data protection is given.
ECM LLP will take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
ECM LLP shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet data protection requirements and protect the rights of data subjects.
iii. Data protection by default requires that relevant data minimisation techniques are implemented.
ECM LLP shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.
This minimisation requirement applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
Such measures shall ensure that by default personal data is not made accessible without careful consideration.
6. Data protection rights
Under data protection law, any person we collect personal data from has rights including:
a) Right of access
i. Any person whose personal data is processed by ECM LLP, including but not limited to, ECM LLP employees, job applicants, external suppliers, clients, potential clients, business partners, etc. has the right to request access to the personal data which ECM LLP processes or stores about him/her.
ii. If ECM LLP processes or stores personal data about the data subject, the data subject shall have the right to access the personal data and the reasons for the data to be processed in relation to the criteria set out in 5.a.
b) Right to rectification
i. The data subject shall have the right to obtain from ECM LLP without undue delay the rectification of inaccurate personal data concerning him/her.
ii. ECM LLP will endeavour to ensure that personal information held about the data subject is accurate and up to date. If the data is inaccurate or outdated ECM LLP will correct it upon the data subject’s request.
c) Right to erasure
i. The data subject shall have the right to obtain from ECM LLP the erasure of their personal data and ECM LLP shall be obligated to erase the aforementioned personal data without undue delay, unless required by law to retain any information for a prescribed period of time, for example, by financial regulators or tax authorities.
d) Right to restriction of processing
i. The data subject shall have the right to ask ECM LLP to restrict the processing of their personal information in certain circumstances.
e) Right to object to processing
i. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on a balancing on interests including profiling.
f) Right to data portability
i. The data subject has the right to ask that ECM LLP transfers their personal information to another organisation, or to them, in a structured, commonly used, and machine-readable format, if applicable.
There is no payment required for the exercise of the data protection rights listed above. Any requests received by Enko from a data subject to exercise their rights under Section 6 of this policy will be answered as soon as reasonably possible, and no later than 30 days from receipt.
Please contact us at firstname.lastname@example.org if you wish to make a request.
g) Our duty to inform
When ECM LLP collects and registers personal data, ECM LLP is obligated to inform the data subjects about:
i. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
ii. The categories of personal data concerned;
iii. The legitimate interests pursued by ECM LLP, if the processing is based on a balancing of interests;
iv. The recipients or categories of recipients of the personal data, if any;
v. Where applicable, the fact that ECM LLP intends to transfer personal data to a third country and the legal basis for such transfer;
vi. The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
vii. The existence of the right to request from ECM LLP access to and rectification of personal data or restriction of processing concerning the data subject to or object to processing as well as the right to data portability;
viii. Where the processing is based on the data subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
ix. The right to lodge a complaint with ECM LLP via the correct procedure or with a supervisory authority;
x. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
xi. The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
This information will, in most cases, be provided via a privacy notice on ECM LLP’s home page.
7. How to make a complaint
If you have any concerns about our use of your personal information, you can make a complaint to us by following the complaints procedure stated here: https://enkocapital.com/disclosure/