Suppliers' Privacy Notice

"We", "us" and "our" for the purposes of this notice means FreeAgent Ltd, a member of The NatWest Group plc and a data controller for the purposes of data protection law.

This privacy notice sets out the basis on which any personal information about you will be processed by us. This privacy notice may be updated from time to time and we will communicate any changes to you.

Personal information that we collect about you

We will collect and process various types of personal information about you. This includes information that you, your employer, or the organisation with whom you are associated provide to us (by communicating with us, whether face-to-face, by phone, e-mail or otherwise).

The personal information may include:

• Personal details such as your or your directors or key principal's name, address, date of birth; and any information obtained during screening;
• Information about your company such as company name, registration number, address and company structure
• Information about the services you provide, your memberships or registrations
• Bank account details

Uses of your personal information

Your personal information may be stored and processed in the following ways and for the following purposes:

• to carry out due diligence checks, such as checks to prevent and detect crime and to comply with laws relating to money laundering, fraud, terrorist financing and bribery and corruption. This may include performing adverse media checks, screening against external databases and sanctions lists and establishing connections to politically exposed persons;
• for the day to day management of our relationship with you or the organisation with which you are associated, such as communicating with you; for performing work for or on our behalf and, where relevant, to provide you with the fees to which you are entitled;
• to enable us to enforce or defend our legal rights, including by bringing or defending legal claims that may be made by or against any member of the NatWest Group;
• for interactions with our regulators and for statutory and regulatory filings within all jurisdictions where we operate;
• for inclusion on internal and external websites, where relevant; and
• to monitor and record communications and telephone conversations between us and you. We will only undertake monitoring for preventing and detecting possible criminal activity; to ensure compliance with FreeAgent's internal policies; to comply with local laws and regulations and to check for viruses or other threats to our IT systems. We will comply with all local laws, regulations and internal policies when doing so. Those recordings may be used by us in evidence in the event of a dispute with you or the organisation with whom you are associated.

We are entitled to use your personal information in these ways because:

• It is necessary for the performance of our contract with you (for example for the provision of your services and for remuneration);
• we have legal and regulatory obligations to prevent and detect crime, money laundering, fraud, terrorist financing, bribery and corruption, and to comply with international sanctions;
• the use of your personal information is necessary for the legitimate business interests of FreeAgent, in the course of running our business, or to establish, exercise and defend our legal rights; or
• the use of your personal information is necessary for the legitimate business interests of a third party, such as your employer or the organisation with whom you are associated;
• where we process information relating to criminal convictions or offences, we will only do so to comply with relevant laws and regulations, to prevent or detect unlawful acts, to exercise or defend our legal rights or in connection with legal proceedings, or where we have obtained your explicit consent.

Disclosure of your information to third parties

We may need to share your personal information with colleagues in the NatWest Group (including our suppliers and other NatWest Group companies). We will take steps to ensure that the personal information is accessed only by employees who need to do so for the purposes described in this notice.

We may also share your personal information outside of the NatWest Group:

• with fraud prevention agencies for the purposes of confirming your identity and complying with regulatory obligations to prevent and detect crime, money laundering and fraud;
• if we sell any of our business or assets or if we are acquired by a third party, in which case we may disclose your personal information to the prospective buyer for due diligence purposes;
• courts, regulators, government bodies and similar organisations as required by law (such as the Financial Conduct Authority, Prudential Regulatory Authority, or local equivalents);
• corporate auditors and legal or other advisors; and
• to the extent required by law, for example if we are under a duty to disclose your personal information in order to comply with any legal obligation, or to establish, exercise or defend our legal rights.

Transfers of personal information outside the European Economic Area

Your personal information may be transferred outside the European Economic Area (“EEA”) and processed by us, our affiliates or suppliers outside of the EEA.

Where we transfer your personal information outside the EEA, we will ensure that it is protected in a manner that is consistent with how your personal information will be protected by us in the EEA. This can be done in a number of ways, for instance the country that we send the information to might be approved by the European Commission; or the recipient may have signed up to a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal information. In other circumstances the law may permit us to otherwise transfer your personal information outside the EEA.

In all cases, however, we will ensure that any transfer of your personal information is compliant with applicable data protection law.

You can obtain more details of the protection given to your personal information when it is transferred outside the EEA (including a copy of the standard information protection clauses which we have entered into with recipients of your personal information) by contacting us in accordance with the “Contacting us” section below.

Retention of personal information

Your information will be retained in line with our internal records management policies and retention schedules. Your information will typically be retained for up to 10 years, but retention periods may vary. The retention period will be determined by various criteria including the type of record in which your information is included; the purpose for which we are using it (we will need to keep the information for as long as is necessary for that purpose); and legal obligations (laws or regulation may set a minimum period for which we have to keep your personal information).

We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that FreeAgent will be able to produce records as evidence if they're needed.

Your rights

You have a number of legal rights in relation to the personal information that we hold about you. These rights include:

• the right to obtain information regarding the processing of your personal information and access to the personal information which we hold about you;
• where we rely on your consent, the right to withdraw your consent to our processing of your personal information at any time. Please note, however, that we may still be entitled to process your personal information if we have another legitimate reason (other than consent) for doing so;
• in some circumstances, the right to receive some personal information in a structured, commonly used and machine-readable format and/or request that we transmit that information to a third party where this is technically feasible. Please note that this right only applies to personal information which you have provided to us;
• the right to request that we rectify your personal information if it is inaccurate or incomplete;
• The right to request that we erase your personal information in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal information but we are legally entitled, and in some cases obliged, to retain it;
• the right to object to, and the right to request that we restrict, our processing of your personal information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal information but we are legally entitled to continue processing your personal information and / or to refuse that request; and
• the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.

You can exercise your rights by contacting us using the details set out in the “Contacting us” section below. It is important to understand that in some cases, exercising your rights may mean that we are no longer able to use your services.

You can find out more information about your rights by contacting the Information Commissioner's Office, or by searching their website at https://ico.org.uk/

How we store your data

We take security and privacy seriously. We will endeavour to take all reasonable steps to keep your personal and financial data secure once it has been transferred to our systems. We adopt appropriate, industry-standard data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction.

Where we utilise third parties to help provide our services, we will always ensure that, as a minimum, the security policies and confidentiality arrangements of those third parties adhere to the same requirements that we impose and expect.

We are bound by the UK's Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) and fully respect the rights of individuals in compliance with the EU GDPR. FreeAgent does not sell, rent or share data with any third party unless previously agreed as part of any contractual arrangement (or any legal or regulatory requirement).

However, we do utilise some third parties that help provide our services. We ensure that the security measures in place at those third parties have, at the very least, the same high-security standards that we employ.

Contacting us

If you have any queries relating to this privacy notice or FreeAgent's use of your personal or financial data, please contact us at privacy@freeagent.com. Alternatively, our office address is noted below.

Please note that phone calls to FreeAgent Support are recorded for monitoring, training and security purposes. This version was updated in October 2023