Any information collected may be used by any group company or affiliate of Brook Green Group Limited.
This Privacy Notice for each member of the BGS Group, being Brook Green Group Limited and each of its direct and indirect subsidiaries (“Company”, “we”, “us”, “our” refers to each of such companies) sets out the categories of personal data we collect from you, how we collect it, what we use it for and with whom we share it in accordance with applicable data protection law including, where relevant, the General Data Protection Regulation (EU) 2016/689 (“EU GDPR”)(as amended from time to time), the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 No. 419 ("UK GDPR") and the UK Data Protection Act 2018.
By “personal data” we mean any information relating to you such as names of individual contacts at corporates; email addresses of individual contacts at corporates; telephone numbers of individual contacts at corporates, addresses, sources of wealth, country of residence, occupation, passport copies, tax identification numbers, proofs of address etc. and transaction information or online identifiers such as your IP address. Personal data does not include data where you can no longer be identified from it such as anonymised aggregate data.
The Company is a data controller. This means that we are responsible for deciding how we hold and use personal data about you. Our address is 245 Hammersmith Road London W6 8PW. Should you have any questions about this Privacy Notice you can contact us at compliance@cfp.energy.
This Privacy Notice applies to personal data about you that we collect, use and otherwise process in connection with your relationship with us. For the avoidance of doubt, this Privacy Notice is not a contract and does not itself create any legal rights or obligations.
We may provide supplemental privacy notices on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data. Those supplemental notices should be read together with this Privacy Notice.
The categories of personal data about you which we may collect, store and use are set out in the table below and, in each case, we have indicated what we use your personal data for and our ‘lawful basis’ for processing it. The law specifies certain ‘lawful bases’ under which we are allowed to use your personal data. Most commonly, we will rely on one or more of the following lawful bases for processing your personal data:
Generally, we do not rely on your consent as a lawful basis for processing your personal data other than in relation to sending direct marketing communications to you via email. You have the right to withdraw consent to marketing at any time by contacting us on the details given at the beginning of this notice.
We do not sell your personal data. We do not envisage your personal data will undergo any automated decision making.
| Categories of personal data collected | What the Company uses this Personal Data for | Lawful Basis |
|
Name of individual contact at corporate; email address of individual contact at corporate; telephone number of individual contact at corporate, address, source of wealth, country of residence, occupation, passport copies, tax identification numbers etc. |
To facilitate the opening of a client account with the Company, the management and administration of a client account, including sharing such information with any interested party, including but not limited to a introducing broker or a financing bank |
Processing is necessary for the performance of a Data Subject’s contract with the Company. |
|
To carry out anti-money laundering checks and related actions in relation to the prevention of fraud, money laundering, terrorist financing, bribery, corruption, tax evasion and to prevent the provision of financial and other services to persons who may be subject to economic or trade sanctions, on an ongoing basis, in accordance with the Company’s or third party service provider’s applicable anti-money laundering procedures. |
To carry out anti-money laundering checks and related actions in relation to the prevention of fraud, money laundering, terrorist financing, bribery, corruption, tax evasion and to prevent the provision of financial and other services to persons who may be subject to economic or trade sanctions, on an ongoing basis, in accordance with the Company’s or third party service provider’s applicable anti-money laundering procedures. |
Processing is necessary for the purposes of the Company complying with legal obligations to which it is subject. |
|
To report tax information to the relevant tax authorities. |
To report tax information to the relevant tax authorities. |
Processing is necessary for the purposes of the Company complying with legal obligations to which it is subject. |
|
To monitor and record calls and electronic communications for (i) processing and verification of instructions; (ii) investigation and fraud prevention purposes; and (iii) crime detection, prevention, investigation and prosecution. |
To monitor and record calls and electronic communications for (i) processing and verification of instructions; (ii) investigation and fraud prevention purposes; and (iii) crime detection, prevention, investigation and prosecution. |
Processing is necessary for the performance of a Data Subject’s contract with the Company and for the purposes of the Company complying with legal and regulatory obligations to which it is subject. |
|
In connection with legal proceedings, such as responding to a subpoena. |
In connection with legal proceedings, such as responding to a subpoena |
Processing is necessary for the purposes of the Company complying with legal obligations to which it is subject. |
|
To provide tailored experiences and advertisements about the Company’s products and services as well as those of its affiliates. |
To provide tailored experiences and advertisements about the Company’s products and services as well as those of its affiliates. |
Processing is necessary for the purposes of the Company’s legitimate interests in providing tailored advertising and experiences and in promoting its products and services. |
|
To update and maintain the Company’s records. |
To update and maintain the Company’s records. |
Processing is necessary for the performance of a Data Subject’s contract with the Company and for the purposes of the Company complying with a legal obligation to which it is subject and for the purposes of the Company’s legitimate interests in maintaining accurate records. |
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, if we are required by law to do so or if we reasonably believe that it is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
If you do not provide us with certain personal data when requested, we will not be able to perform all or part of the contract we have entered into with you, or we may be prevented from complying with our legal obligations. If you provide information to us about another person, you must ensure that you comply with any legal obligations that may apply to your provision of the information to us, and allow us, where necessary, to share that information with our service providers.
We will only use your personal data for the purposes for which we collected it (as identified above in the ‘What we use this personal data for’ column), unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose for which you provided it to us. If we need to use your personal data for a purpose that is unrelated to the original purpose for which you provided it to us, we will notify you and we will explain the legal basis which allows us to do so.
You may provide personal information to us when communicating or transacting with us in writing, electronically, or by phone. For instance, information may come from requests for forms, literature or prices, and your transactions with us and/or our affiliates. On occasion, such information may come from those providing services to us.
We may collect personal data about you:
We may also automatically collect certain data when you interact with our website such as technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Our cookie policy is available on request from compliance@cfp.energy.
In addition, we may receive personal data about you from third parties and public sources, such as:
We may share your personal data with third parties where this is required by law, where it is necessary to perform our contract with you, or where we have another legitimate interest in doing so.
We will need to share your personal data with:
Interested third parties, including but not limited to an introducing broker or a financing bank.We may share your personal data with other entities in our group to service your accounts and transactions, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and for hosting of data.
We may share your personal data in the context of the possible sale or restructuring of the business. We may also need to share your personal data with a regulator or to otherwise comply with applicable law or judicial process. We may disclose your personal data if we are required by law to do so or if we reasonably believe that disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
If you have previously been employed by the Company or its affiliates, we may continue to process personal data that was collected before and during your working relationship with us. This data includes contact and biographical information, financial information, compensation and benefits information, employment/personnel records (including job title, contract information, training records, renumeration, performance information), photographs, webinars and podcasts.
We may process this data because we have a legitimate interest in maintaining records, to provide you with references, to publicise our activities, and to conduct data analytics studies to review and better understand our workforce. We may also use this information to establish, exercise or defend legal claims and to comply with our regulatory and legal obligations (including in relation to applicable tax and employment law).
We may continue to process special category data, including race, ethnicity and health-related information, where necessary and permitted by applicable law, to fulfil our legal obligations or exercise rights in connection with employment, social security or social protection law; to establish, exercise or defend legal claims or where it is in the public interest to do so.
We do not share personal data with third parties following your employment, contractual relationship or partnership with us except as necessary to fulfil ongoing legal or contractual obligations.
If you visit one of our premises, we may collect personal data necessary to identify you, to create a record of your visit, for visitor pass use (if issued) and to complete necessary security checks. We may also collect your image on CCTV. We use this information to maintain physical security, protect our systems and network and to manage access to our premises.
We process personal data about visitors to our premises to comply with legal obligations and because we have a legitimate interest in maintaining the security of our network and premises.
We collect contact and related personal data when you contact us via our website, by email or by telephone. We process this information because we have a legitimate interest in responding to enquiries.
If you provide goods or services to us, we maintain contact information, information regarding the goods or services you provide to us and billing and financial information, including billing address, bank account and payment information. We use this information to manage our supplier relationships and to comply with our contractual and legal obligations. We may also use this information to establish, exercise or defend legal claims.
We use artificial intelligence (AI) technologies in limited and controlled contexts to support our services, operational efficiency, and internal processes. These tools are subject to rigorous governance, including human oversight, privacy impact assessments, and compliance with applicable data protection laws.
We do not use AI for automated decision-making that produces legal or similarly significant effects on individuals. Where AI tools process personal data, we ensure that such processing is lawful, fair, and transparent, and that appropriate safeguards are in place to protect individual rights and freedoms.
Our AI systems are reviewed regularly to ensure accuracy, accountability, and alignment with our ethical standards and legal obligations
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. It is anticipated that all data will generally be stored for at least 6 years.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case it is no longer personal data.
Once we no longer require your personal data for the purposes we collected it for, we will securely destroy your personal data in accordance with applicable laws and regulations.
It is important that the personal data we hold about you is accurate and current. Please let us know if your personal data changes during your relationship with us.
To the extent that our processing of your personal data is subject to the EU or UK GDPR or other data protection legislation with data subject rights, you may have rights which are explained below. These rights are to:
If you want to exercise one of these rights please contact us at compliance@cfp.energy.
You also have the right to make a complaint at any time to the Information Commissioner’s Office. We would, however, appreciate the opportunity to deal with your concerns prior to any approach to the supervisory authority so please do contact us in the first instance.
While we strive to protect all information we receive from you, we cannot guarantee the security of any information you transmit to us.
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact compliance@cfp.energy. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) you originally agreed to unless we now have an alternative legal basis for doing so.
We are committed to protecting your personal data and have implemented appropriate technical, physical and organisational security measures to protect personal data. This includes robust business continuity and disaster recovery procedures to ensure that personal data remains protected and accessible in the unlikely event of operational disruption.
We operate a robust information security international programme and hold ISO27001:2022 certification. This certification provides a framework for integrating data privacy into our information security management system. It demonstrates our capability to address data privacy requirements effectively.
We do not keep your personal data for any longer than is necessary to fulfil the purpose for which we collected it, to comply with any legal, regulatory or reporting obligations or to assert or defend against legal claims.
We reserve the right to update this privacy notice at any time, and we will make an updated copy of such privacy notice available on our website and notify you when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
This Privacy Notice was written with brevity and clarity in mind and is not an exhaustive account of all aspects of our collection and use of personal data. If you require any further information, please do not hesitate to contact compliance@cfp.energy.