Privacy notice for shareholders and investors
Legal requirement: UK data protection law requires businesses to outline how they manage personal data to all parties whose personal data they process. This includes shareholders and investors and requires a company privacy notice to be given, in order to meet data protection law obligations.
Take privacy seriously: By providing a company privacy notice to your shareholders and investors, you are demonstrating your company's commitment to protecting their personal data and complying with data protection laws.
Don’t get privacy wrong: Failing to comply with data protection laws can have a hugely negative impact on your company:
- Damage the company’s reputation: non-compliant data protection practices can lose the hard-earned trust of your shareholders and future investors - having a privacy notice in place is an obvious way to demonstrate to potential investors in your company that you take their privacy seriously and make your business even more attractive to them;
- Huge fines: If there are non-compliances with data protection laws, your business could be exposed to multi-million-pound fines and legal action; and
- ICO investigations: If complaints are made about your data protection practices, this could ultimately lead to an ICO (the data protection regulator in the UK) investigation. This type of investigation would cause the ICO to look into your data protection practices and procedures in detail, and potentially take action where non-compliances are identified.
What does Docue’s company privacy notice include?
Content of the company privacy notice: This company privacy notice is a legal statement that indicates how your company collects and processes the personal data of shareholders/investors in your company, and the purposes and legal basis for this processing. The purposes and legal basis for processing is a particularly important thing to consider, and you will be reliant on approved purposes and legal bases to ensure your use of data is lawful.
Example: You might collect data in order to administer an investment and assess an application, or to conduct anti-money laundering checks. These people are not necessarily always employees of your company, so this notice should be made available on the relevant area of your website, or sent directly to those contacts it applies to. This is to ensure the company has complied with its obligation to make data subjects aware of its data processing activities.
What do DP laws require in a privacy notice?: UK data protection laws have strict requirements about the information that a privacy notice must set out, which include:
- Controller details - the identity and the contact details of the controller (which will be the company that the shareholders are taking shares in or that the investors are investing in);
- Data protection officer (DPO) - if you have appointed a DPO, the contact details of the DPO must be provided to data subjects via the privacy notice;
- Purpose and lawful basis - the specific purposes of the processing as well as the lawful basis for the processing must be included (and where legitimate interests are relied upon as the lawful basis, details of the specific legitimate interests);
- Data sharing - shareholders / investors should be given details of the recipients or categories of recipients of their personal data e.g. Companies House, HMRC, other group companies, software providers;
- International transfers - where applicable, you need to tell shareholders / investors that you are transferring their personal data to a country outside of the UK and EEA;
- Retention period - you must tell shareholders / investors the period for which their personal data will be stored, or if that is not possible, the criteria used to determine that period; and
- Data subject rights - a privacy notice must tell data subjects what their rights are under data protection laws. This includes the right to request access to and rectification or erasure of personal data, the right to request the restriction of processing concerning the data subject or to object to processing, the right to data portability, the right to withdraw consent at any time and the right to lodge a complaint with the ICO.
Use Docue’s template for a compliant privacy notice: You can include all of the matters listed above (plus more!) in Docue’s dynamic company privacy notice template, to produce a legally compliant privacy notice that is ready for use with your investors and shareholders. This document assumes that you are a UK-incorporated company and that English law applies.
Why should I use Docue’s company privacy notice?
Created by lawyers: Docue’s template is lawyer-made, lawyer-maintained, and has lawyer-crafted guidelines to steer you through every stage of drafting your document.
Easy to use: To create your privacy notice for shareholders and investors with confidence and speed, simply click through the intelligent tick box options and text box answers and you’ll have a comprehensive, tailored, and ready-to-use notice in no time.
Tags: company privacy notice, shareholder privacy notice, investor privacy notice, company privacy policy, shareholder personal data, investor personal data
