De Beers UK Limited (a member of the Anglo American plc group) is responsible for your personal data and we take our data protection and privacy responsibilities seriously.
We respect your privacy and are committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.
1. Important information and who we are
Controller
De Beers UK Limited is registered
in England and Wales under company number 02054170 and has its registered
office at 17 Charterhouse Street, EC1N 6RA, London.
De Beers UK Limited is part of De Beers Group. The Group is made up of different legal entities, including:
- De Beers Jewellers
- De Beers Auction Sales Singapore PTE Ltd
- De Beers Global Sightholder Sales Pty Ltd
- De Beers Sightholder Sales South Africa Pty Ltd
- Namibia Diamond Trading Company Pty Ltd
- De Beers UK Limited
- Forevermark Italy S.r.l.
- Forevermark Limited (UK)
- Forevermark NV
Further details about De Beers Group can be found here. This privacy notice is issued on behalf of De Beers Group so when we mention "Company", "we", "us" or "our" in this privacy notice, we are referring to the relevant company in De Beers Group responsible for processing your data. We will let you know which entity will be the controller of your data when you or your employer purchases a product or service with us.
We have appointed a Data Protection
Team who are responsible for overseeing questions in relation to this privacy
notice. If you have any questions about this privacy notice, including any
requests to exercise your legal rights, please contact the Data Protection Team
using the details set out below.
Purpose of this privacy notice
This privacy notice aims to give you information on how we collect and process your personal data in connection with the relationship that you, your employer and/or our customer ("you") have with the Company.
It is important that you read this privacy notice together with any other notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
Contact details
Email address: [email protected].
Postal address: 17 Charterhouse Street, EC1N 6RA, London
Telephone number: +44 (0)20 7968 8888
You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues in the jurisdiction in which you reside. For the UK, this is the Information Commissioner's Office (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.
Changes to the privacy notice and your duty to inform us of changes
This version was last updated on 4 April 2019.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
2. The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, last name, username or similar identifier, title, date of birth and gender.
- Contact Data includes email address and telephone numbers.
- Know Your Counterpart (KYC) Data includes date of birth, country of birth, nationality, residence, passport number, passport copy and expiry date and information received in connection with any relevant checks. This may also include criminal record checks where appropriate and where permitted by applicable laws. Please see further detail below.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Profile Data includes your username and password, purchases or orders made by you.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).
Personal data relating to criminal convictions and offences will only be processed where authorised by applicable laws. For example, a criminal record check may be carried out as part of the KYC check.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you or your employer and you fail to provide that data when requested, this may impede your and/or your employer's ability to comply with the Best Practice Principles (BPP) Assurance Programme. Both the BPP Assurance Programme and the Supply Agreement documentation are contractually binding and failure to comply will constitute a breach of the Supply Agreement Requirements and will result in appropriate action being taken by De Beers pursuant to that documentation.
3. How is your personal data collected?
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your personal data by filling in forms, both online or offline, or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
  - apply for our products or services;
  - complete any form relating to pre-engagement checks;
  - subscribe to our service or publications;
  - request marketing to be sent to you;
  - give us some feedback.
- Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:
  - KYC Data may be provided to us by a colleague, by a third party or by you directly.
  - Identity and Contact Data from publicly available sources such as Companies House or similar organisations across different jurisdictions.
4. How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email. You have the right to withdraw consent to marketing at any time by contacting us.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so.
Please note:
- Legitimate Interest means
the interest of our business in conducting and managing our business to enable
us to give you the best service/product and the best and most secure
experience. We make sure we consider and balance any potential impact on you
(both positive and negative) and your rights before we process your personal
data for our legitimate interests. We do not use your personal data for
activities where our interests are overridden by the impact on you (unless we
have your consent or are otherwise required or permitted to by law). You can
obtain further information about how we assess our legitimate interests against
any potential impact on you in respect of specific activities by contacting us.
- Performance of Contract means
processing your data where it is necessary for the performance of a contract to
which you are a party or to take steps at your request before entering into
such a contract.
- Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a new customer | (a) Identity; (b) Contact | Performance of a contract with you |
| To comply with anti-money laundering regulations and undertake necessary pre-engagement checks | (a) Identity; (b) Contact; (c) KYC | (a) Necessary to comply with a legal obligation; (b) Necessary for our legitimate interests (to manage and operate our business) |
| To manage our relationship with you which will include notifying you about changes to our terms or privacy policy | (a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity; (b) Contact; (c) Transactional; (d) Profile; (e) Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) |
Marketing
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising:
Promotional offers from us
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased goods or services from us or if you provided us with your details when you registered for a promotion and, in each case, you have not opted out of receiving that marketing.
Third-party marketing
We will get your express opt-in consent before we share your personal data with any company outside the De Beers group of Companies for other marketing purposes.
Opting out
You can ask us or third parties to stop sending you marketing messages at any time by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. Disclosures of your personal data
We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above.
Internal Third Parties
- Key Account Managers
- Finance, Commercial, Legal and Compliance teams and the Executive Committee
External Third Parties
- Third parties who carry out anti-money laundering and other pre-engagement checks on our behalf.
- Ness Technologies who support our platform
- Rackspace who host our platform
- SGS, who is the appointed third party verifier of the BPP Programme
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. International transfers
We share your personal data within the De Beers Group of Companies. This will involve transferring your data outside the European Economic Area (EEA), including Botswana, Canada, China, India, Israel, Namibia, Singapore, South Africa and the UAE.
Many of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. This includes India.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
7. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8. Data retention
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances you can ask us to delete your data: see Request erasure below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
9. Your legal rights
Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal data.
To access personal data
You have a right to request that we provide you with a copy of your personal data that we hold and you have the right to be informed of: (a) the source of your personal data; (b) the purposes, legal basis and methods of processing; (c) the data controller’s identity; and (d) the entities or categories of entities to whom your personal data may be transferred.
To rectify / erase personal data
You have a right to request that we rectify inaccurate personal data. We may seek to verify the accuracy of the personal data before rectifying it.
You can also request that we erase your personal data in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent); or
- following a successful right to object (see right to object); or
- it has been processed unlawfully; or
- to comply with a legal obligation to which the Company is subject.
We are not required to comply with your request to erase personal data if the processing of your personal data is necessary:
- for compliance with a legal obligation; or
- for the establishment, exercise or defence of legal claims.
Right to restrict the processing of your personal data
You can ask us to restrict your personal data, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal data following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- to protect the rights of another natural or legal person.
Right to transfer your personal data
You can ask us to provide your personal data to you in a structured, commonly used, machine‑readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:
- the processing is based on your consent or on the performance of a contract with you; and
- the processing is carried out by automated means.
Right to object to the processing of your personal data
You can object to any processing of your personal data which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.
If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Right to object to how we use your personal data for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes.
You can request that we not transfer your personal data to unaffiliated third parties for the purposes of direct marketing or any other purposes.
Right to obtain a copy of personal data safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Union.
We may redact data transfer agreements to protect commercial terms.
Right to lodge a complaint with your local supervisory authority
You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal data.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
If you wish to access any of the above mentioned rights, we
may ask you for additional information to confirm your identity and for
security purposes, in particular before disclosing personal data to you. We
reserve the right to charge a fee where permitted by law, for instance if your
request is manifestly unfounded or excessive.
Exercising your rights
You can exercise your rights by contacting us. Subject to
legal and other permissible considerations, we will make every reasonable
effort to honour your request promptly or inform you if we require further
information in order to fulfil your request.
We may not always be able to fully address your request,
for example if it would impact the duty of confidentiality we owe to others, or
if we are legally entitled to deal with the request in a different way.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.