Introduction
Personal data is data which by itself or with other data available to Nobu Ltd can be used to identify you. Nobu Ltd is the data controller and this statement set out how we will use your personal data.
If you have any questions you can contact your data protection officer (DPO) in writing to the Data Protection Officer, Nobu Limited, 28 Bridle Path, Brafield on the Green, Northampton, NN7 1BP.
The types of personal data that is collected and the use we make of it
Your personal data will be used for the reasons set out below. The data will be used to manage your business as an Associate of Nobu Limited. Most of the data will be collected as part of the onboarding process of your limited company. Other items of personal data are collected due to business requirements. The personal data we collect and use may include:
| Forename(s) | Identity confirmation for client HMRC requirement for intermediaries reporting |
| Surname | Identity confirmation for client HMRC requirement for intermediaries reporting |
| Did you have a previous Surname? | Identity confirmation for client |
| Date of birth | Identity confirmation for client HMRC requirement for intermediaries reporting |
| Place of birth | Identity confirmation for client |
| Current nationality | Identity confirmation for client |
| Have you held this Nationality since birth? | Identity confirmation for client |
| Passport number | Identity confirmation for client |
| Passport date of issue | Identity confirmation for client |
| Passport expiry date | Identity confirmation for client |
| Education and employment details | Experience confirmation for client HMRC requirement for intermediaries reporting |
| Current employment status/position | Experience confirmation for client HMRC requirement for intermediaries reporting |
| Name of your company | Contractual (T&Cs/NDA) requirement HMRC requirement for intermediaries reporting |
| Company registered address | Contractual (T&Cs/NDA) requirement |
Company registration | HMRC requirement for intermediaries reporting |
Date of incorporation | Identity confirmation |
| VAT registration | HMRC requirement |
| Financial details (business rate Nobu pays your company) | Contractual requirement for business purposes |
Bank | Contractual requirement for business purposes |
| Sort code | Contractual requirement for business purposes |
| Account number | Contractual requirement for business purposes |
| Level of clearance | Clearance transfer information for client |
| Current holder of clearance and full address details | Clearance transfer information for client |
| Date you have left or are leaving the employment of the organisation that currently holds their clearance | Clearance transfer information for client |
| Reference number/Cased ID (If known) | Clearance transfer information for client |
| Issue date (if known) | Clearance transfer information for client |
| Expiry date (if known) | Clearance transfer information for client |
| Issuing Authority | Clearance transfer information for client |
| Email address | |
| Phone/mobile | |
| Position (i.e. Director) | HMRC requirement for intermediaries reporting |
| NI number | HMRC requirement for intermediaries reporting |
Providing your personal data
We only ask for data that is mandatory for the purpose of engaging your services as a director of your limited company. These are driven either by:
1. Nobu Limited (Contractual agreements and Ts&Cs, NDA, setting up payment regime, etc.
2. The client for their onboarding processes (e.g. consortium agreements, NDAs, security clearances and transfers, etc.)
3. HMRC (e.g. intermediaries reporting – regulatory compliance)
Therefore, you must provide the information to enable us to process and meet the business need. If you should choose not to provide the data requested, then you are exercising your right to not do business with Nobu Limited.
Other personal data
We do not collect biometric data
Monitoring of personal communications
Subject to applicable law, we will monitor and record your emails, text messages and other communications in relation to our dealings with you. We will do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communication systems and procedures, to check for obscene or profane content, for quality control.
Using your personal data – the legal basis and purpose
We will process your personal data:
1. As necessary to perform our contract with you
2. As necessary for our own legitimate interests or those of other persons or organisations.
a. For good governance
b. To monitor emails and other communications
3. As necessary to comply with legal obligations
a. When you exercise your right under data protection law and make requests
b. For compliance under legal and regulatory requirements and related disclosures
c. For establishment and defense of legal rights
d. For activities relating to the prevention, detection and investigation of crime
e. To verify your identity
f. To monitor emails and other communications
4. Based on your consent
a. When you request us to disclose any personal details we hold to other people or organisations
b. When we process any special category of personal data about yourself at your request (e.g. racial or ethnic origin, data concerning your health, etc.)
c. You are free to withdraw your consent at anytime. However, the consequence of removing your consent may be that we cannot do business together
Sharing your personal data
- Subject to applicable data protection law, we may share your data with:
- Sub-contractors and other persons who help us provide our products and services
- Companies and other persons providing services to us
- Our legal and professional advisors, including our auditors
- Fraud prevention agencies
- Government bodies and Agencies in the UK and overseas (e.g. HMRC, MoD, etc.)
- Courts, to comply with legal requirements and for the administration of justice
- In an emergency or to otherwise protect your assets
- To protect the security and integrity of our business operations
- When you restructure or sell your business or its assets or have a merger or reorganisation where it affects the legal relationship between your company and Nobu Limited
- Anyone else where we have your consent or as required by law
- We will not share your data with market research organisation
Retention periods
The following criteria is used to determine data retention periods for your personal data:
Retention in case of a query
We will retain your personal data as long as necessary to deal with your query. (e.g. if we are collecting data for the purpose of a client engagement, if the application is unsuccessful then we will delete all the data provided for the purpose of engaging with that client.
Retention in accordance with legal and regulatory requirements
We will retain your personal data after your engagement with a client or when our Associate contract between Nobu Limited and your company expires based on our legal and regulatory requirements. Date will be held for not longer than is absolutely necessary.
Your rights under applicable data protection law
Your rights are as follows (noting that these rights do not apply in all circumstances):
- The right to be informed about our processing of your personal data
- The right to have your personal data corrected if inaccurate and to have incomplete personal data completed
- The right to object to us processing your personal data
- The right to restrict processing of your personal data
- The right to have your personal data erased (the right to be forgotten)
- The right to request access to your personal data and information about how it is processed
- The right to move, copy or transfer your personal data (data portability)
- Rights in relation to automated decision making including profiling
You have the right to complain to the Information Commissioner’s Office (ICO). The ICO has enforcement powers and can investigate compliance with data protection law.
Data anonymisation and aggregation
Your personal data may be converted into statistical or aggregated data which cannot be used to identify you. This can then be used to produce statistical research and reports. The aggregated data may be shared and used in all the ways described above.