As part of the company secretarial and corporate governance services provided by Indigo Independent Governance Limited (‘Indigo’, ‘we’, ‘us’ or ‘our’), we store and process personal data. We generally do this as a data processor for our clients rather than as a data controller. Generally our clients are the data controller of data collected and processed by us in providing our services.


What information do we collect?

We collect personal data of the directors, shareholders, employees, members and associates of our clients (including where we are acting on the instruction of a client in respect of another third party entity, the directors, shareholders, employees, members and associates of that third party).  We:

  • collect personal data when we are instructed or as part of an on-going contract to provide services, for example when a director is appointed or a company’s share ownership changes,
  • personal data collected may include name (including past names), home address, date of birth, nationality, identity number (e.g. passport number), contact details including email addresses, telephone numbers and service address, job title, statutory appointments, share ownership and entity membership information,
  • we may collect personal data direct from the data subject but more generally collect personal data from the companies or their advisers on whose behalf we act. We do not generally collect sensitive personal data or financial information.


How do we use personal information?

We process personal data for the following purposes:

  • providing company secretarial ad corporate governance services
  • account set up and administration
  • legal obligations (eg anti-money laundering)
  • meeting internal audit requirements.


What legal basis do we have for processing your personal data?

When collecting and processing personal data we do so on the grounds of:

  • contract – either individual contract with a client or providing services under our Standard Terms of Business,
  • legitimate interests – we are unable to provide our services and to help our clients to meet their obligations under the Companies Act 2006 and other legislation and regulations without collecting and processing personal data on their behalf,
  • legal obligation – we are required to collect certain personal data in order to satisfy our obligations under anti-money laundering regulations, for example.


When do we share personal data?

We share personal data from time to time with, for example, our clients’ other advisers:

  • personal data may be shared electronically (e.g. via email) or in paper copy. Where personal data is shared electronically, we use password protection,
  • before sharing personal data, we seek to ensure that the party (named individual) with whom we are sharing the data has a legitimate basis for collecting the relevant data. We may obtain that assurance via instruction from our clients.


Where do we store and process personal data?

All personal data is stored in the UK. Appropriate steps and notifications will be made in the event that any personal data is to be transferred outside of the UK


How do we secure personal data?

Paper documents which contain personal data are kept in locked cabinets within a locked office.  Personal data which is stored electronically is protected by password and other security arrangements (e.g. secure server).  Our staff only have access to the personal data they require in order to perform their role.  Back up measures are in place to ensure business continuity and disaster recovery.


How long do we keep your personal data for?

We retain personal data as follows:

  • personal data contained within board and general meeting minutes will be retained for a period of ten years from the date of the relevant meeting as required by the Companies Act 2006,
  • personal data contained within company registers will be retained as required by the Companies Act 2006,
  • other personal data will generally be retained for a period of six years.


Your rights in relation to personal data and how to contact us

Data subjects who wish to exercise their rights under the GDPR, for example to access personal information, request correction or deletion, restrict or object to data processing, should contact Bernadette Young, Director, Indigo Independent Governance Limited, Monometer House, Rectory Grove, Leigh On Sea, Essex SS9 2HL.  Exemptions to these rights will apply where personal data has been collected and/or processed in order to meet legal obligations under the Companies Act 2006 or other regulatory requirements, including anti-money laundering regulations.

Last updated May 2021