14. Personal Data we Collect about You

If you are a client or represent a client, are a business contact or a supplier of ours, we may collect and process the following types of personal data relating to you:

• Identity Data includes first name, last name, your role/job title and position within your organisation, educational level or work experience.
• Business Contact Data includes company address, business telephone numbers and email address.
• Personal Contact Data if you choose to provide this to us.
• Correspondence between us such as website enquiries/ “Contact Us” enquiries, emails, letters, recorded telephone calls and correspondence relating to enquiries.
• Information you provide to us about you during the course of our business relationship including responses to surveys, feedback, complaints and correspondence.
• Personal Data from initiation, maintenance and execution of our business relationship including (to the extent that this is your personal data) performed and planned orders and related data such as delivery modalities or insurance coverages and information about your budget.
• Company data of our corporate clients, partners and suppliers including due diligence and “know your customer” information or other onboarding information and information relating to your needs and requirements as a customer.
• Information relating to the assertion or defence of legal claims including the prevention of misconduct, compliance checks or investigations and information regarding compliance violations or other infringements.
• Other Personal Data such as notes of our meetings, telephone calls or recordings/notes of video conferences and online meetings between us.

Special Categories of Personal Data and Criminal Offence Data

Fidum does not expect to routinely collect or process either Special Categories of Personal Data* or Criminal Offence Data relating to any of its clients, suppliers or business contacts. However, there is a remote possibility that this sort of personal data could be processed during the course of our relationship. For example, where you choose to tell us about a medical condition so that we can make reasonable adjustments for a business meeting. Or, in the course of processing information in the context of carrying out standard compliance or due diligence checks we may identify criminal offence data. Where we do process special category personal data or criminal offence data, we ensure that we have an appropriate legal basis to do so under UK data protection law and only retain the information for the minimum amount of time necessary before securely deleting it.

• Special Category Personal Data relates to information about racial or ethnic origin, trade union membership, health and medical conditions, genetics, biometric information (but only where this is used for identification purposes), political opinions, sex life, sexual orientation and religious beliefs.

15. Where We Source Your Personal Data

Most of the personal data we process you have provided directly to us. However, in a few cases, we may collect it from a third party. Your personal data is collected in the following ways including through:

• Your interactions with us: You may give us your personal data directly when you complete our online forms or correspond with us. This includes personal data you provide in the initiation or development of our business relationship and/or the execution of contracts. It may include when you register or contract with us, subscribe to our services, receive direct marketing, enter a survey or promotion, provide us with feedback or otherwise generally correspond with us.
• Third parties or publicly available sources: Depending on the circumstances, we may collect or receive personal data about you from various third parties as set out below:
• Your employer.
• Our corporate partners.
• Public sources such as Companies House (for example where we may carry out due diligence checks on individuals who hold directorships or similar roles).
• Public sources such as professional networking sites e.g. LinkedIn.

16. If You Fail To Provide Your Personal Data

Where we need to collect personal data by law or in order to process your instructions or perform a contract we have with you and you fail to provide that data when requested, we may not be able to carry out your instructions or perform the contract we have or are trying to enter into with you. In this case, we may have to cancel our engagement or contract you have with us, but we will notify you if this is the case at the time.

 17. Our Purposes and Legal Bases for Processing your Personal Data: Business Contacts, Clients and Suppliers

Fidum will only process your personal data providing data protection law permits or requires it.

When processing your personal data, data protection law requires us to have a legal reason (legal basis) for collecting and using it. The table below describes our purposes for processing your personal data and the corresponding legal bases we rely on to do so. Where we rely on the legal basis of “legitimate interests”, we have also identified what those “legitimate interests” are.

Purpose / Use of Personal Data	Category / Type of data	Legal basis under UK GDPR
Client relationship management: including listing you as a contact, connecting you with accounts of our corporate partners, surveys and correspondence.	(a)    Identity (b)    Contact (c)     Company name if relevant (d)    Correspondence (e)     Financial information (f)      Potentially special category personal data	(a)    Legitimate Interests (Article 6(1)(f) UK GDPR). It is necessary for our legitimate business interests (and those of our corporate partners and affiliates) to develop our business, communicate, network and support our business contacts. (b)    We process special category personal data, as necessary, with your consent (Article 9(2)(a) UK GDPR).
Contractual Purposes: For the initiation, performance and execution of a contract with you or our corporate partners including to fulfil our contractual obligations, perform pre-contract due diligence and carry out necessary onboarding checks.	(a)    Identity (b)    Contact (c)     Company name of relevant (d)    Potentially financial information (e)     Potentially special category personal data	(a)    Necessary for a contract (Article 6(1)(b) UK GDPR). (b)    Necessary for our legitimate Interests (Article 6(1)(f) UK GDPR). It is in our legitimate business interests to perform necessary pre-contract due diligence to protect our business, its assets and reputation.
Customer services activities: such as responding to your correspondence, requests, queries, complaints and feedback.	(a) Identity (b) Contact (c) Company name if relevant (d) Correspondence (e) potentially special category personal data	(a)    Necessary for a contract (Article 6(1)(a) UK GDPR). (b)    Legitimate Interests (Article 6(1)(f) UK GDPR). (c)     We process special category personal data, as necessary, with your consent (Article 9(2)(a) UK GDPR).
Market analysis: including through surveys, data and statistical analysis, to better understand the markets in which we operate and for produce service and development	(a) Identity (b) Contact (c) Company name if relevant	(a)    Legitimate Interests (Article 6(1)(f) UK GDPR). Development of our business is in our legitimate interests.
Client Surveys: To enable you to partake in a prize draw, competition or complete a survey.	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications	(a)    Performance of a contract with you (Article 6(1)(a) UK GDPR) If you take part in a competition or prize draw we may be required to process your personal data in order to fulfil a contract we have with you. (b)    Necessary for our legitimate interests (Article 6(1)(f) UK GDPR) It is in our legitimate interest to study how our contacts and supporters use our services, so we can continue to develop them and meet demand.
To administer and protect our business, employees and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).	(a) Identity (b) Contact (c) Technical	(a)    Necessary for our legitimate interests (Article 6(1)(f) UK GDPR) It is in our legitimate interests to be able to run our business and deliver our services and this website effectively, ensure network security, prevent fraud and protect our network and systems.
Legal and Regulatory Compliance: In order to comply with our legal and regulatory compliance obligations.	(a) Identity (b) Contact (c) Technical	(a)    Necessary for our legitimate interests (Article 6(1)(f) UK GDPR). It is in our legitimate business interests for our business to ensure that it complies with all relevant regulatory and legal obligations. (b)    Legal Obligation: (Article 6(1)(c) UK GDPR). We are under a legal obligation to process personal data in certain circumstances, for example, we may have to share personal data with third party regulatory for example under Health and Safety law.
Legal Claims and Prevention of Misconduct: For asserting or defending legal claims or complaints or the prevention of misconduct, compliance violations or other infringements such as routine inspections; internal investigations; tribunals; dispute resolution.	(a) Identity (b) Contact (c) Technical (d)    Company name if relevant (e)     Correspondence (f)      Financial information (g)    Potentially, special category personal data	(a)    Necessary for our legitimate interests (Article 6(1)(f) UK GDPR). It is in our legitimate business interests for our business to ensure that it complies with all relevant regulatory and legal obligations. (b)    We process special category personal data, as necessary, either with your explicit consent (Article 9(2)(a) UK GDPR) or alternatively where it is necessary for the establishment, defence or exercise of a legal claim etc. (Article 9(2)(f) UK GDPR).
Direct Marketing: To send you relevant direct marketing communications about our services that may be of interest to you based on your Profile Data.	(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications	(a)    We will rely on Legitimate Interests (to carry out direct marketing, develop our products/services and grow our business). (Article 6(1)(f) UK GDPR)We will rely on Legitimate Interests to send you direct marketing communications to send you direct marketing communications via post that you have not specifically requested. (Article 6(1)(f) UK GDPR).. (b)    Consent (Article 6(1)(a) UK GDPR) We will obtain your consent to send you direct marketing communications that you have not specifically requested, via email or by telephone and where the law requires us to obtain your consent.

18. Your Legal Right To Object to Processing of Your Personal Data

Where your personal data is processed by us for the legal reason (lawful basis) of “legitimate interests”, you have the legal right to object. You can find a list of the purposes where your information is processed under the legal basis of “legitimate interests” above in the table, “Our Purposes and Legal Bases for Processing your Personal Data: Business Contacts, Clients and Suppliers”

In some cases, the right to object is absolute; this means that Fidum must comply with your objection and stop using your personal information. For example, you have the absolute right to object to your personal data being processed for the purpose of direct marketing.

In other cases, the right to object is not absolute.  This means that you have the legal right to object and Fidum must stop using your personal data unless it can demonstrate that its legitimate interest is more compelling than the impact of the processing has on you. Fidum will generally have one calendar month in which to respond to your objection.

If you want to object to your personal data being processed by Fidum for the legal reason of “legitimate interests”, please contact our Data Protection Manager using any of the contact details set out in “Contact” [https://www.fidumpm.com/contact/].

19. Who we may Share your Personal Data With

To deliver our services and comply with our legal obligations may share your personal data with the parties set out below for the purposes set out in the table Our Purposes and Legal Bases for Processing your Personal Data: If you require more detail,  please contact our Data Protection Manager.

• External Third Party Controllers: Fidum may need to share your personal data with third party organisations to be further processed by them as independent Controllers for their own independent purposes. For example, public authority regulators who need to access your personal information in order to exercise their statutory functions. For example, HMRC, the Information Commissioner’s Office, Financial Conduct Authority, the Police etc.
• External Third party professional advisors: such as legal advisors, consultants, auditors, insurers and any organisation or individual appointed by us to carry out an independent investigation.

In most cases, even though they may be providing Fidum with a service, the external third party advisor will be an independent Controller of your personal data.

• External Third party Service Providers (Processors): Processors are external service providers that have access to your personal data. Fidum remains the Controller of your personal data and in charge of it.

Where this happens, your personal data is shared securely, in compliance with data protection law and where a GDPR-compliant data processing contractual arrangement has been entered into. Processors are legally bound to only process your personal data on our instructions and to take appropriate measures to keep it secure. They may not use your personal data for their own purposes.

By way of example, your personal data is shared with the following Processors:

• Website hosting service providers such as GoDaddy.
• IT service providers such as Comis Technology Ltd (IT Support), 162-168 Regent Street, London, W1B 5TD.
• Property management software systems including Yardi Systems Limited, C9 Glyme Court Oxford Office Village, Langford Lane, Kidlington, Oxford, England, OX5 1LQ.
• Facilities management software systems providers including Trackplan Ltd, 46/47 Catherine Street, Limerick, V94 T2V3, Ireland.

• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets: Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Notice.