Privacy Policy

Introduction

TIAA Ltd. (“TIAA”, “we”, “us”, or “our”) is strongly committed to protecting personal data. This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us by individuals themselves, others and by our third party partners. We will only use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

Personal data is any information relating to an identified or identifiable living person. TIAA processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

When collecting and using personal data, our policy is to be fair and transparent about why and how we process personal data.

Who we are

TIAA Limited (a wholly owned subsidiary of Adsure Services PLC) is a limited company registered in England.

TIAA Limited is a private limited company registered in England with the registration number 04546319. Our registered office is Artillery House, Newgate Lane, Fareham, Hampshire, PO14 1AH.

We are registered with the ICO as a data controller with the registration number Z7336825.

Given the nature of our activities, we may act in the role of data controller, joint controller or data processor.

Our lawful basis for processing

In collecting and processing personal data to conduct our business and to provide services to our clients, we rely on a number of lawful bases in order to allow us to do so.

The lawful bases for processing are set out in Article 6 of the UK GDPR; at least one of these must apply whenever we process personal data. These include:

Consent – an individual has given clear consent for us to process their personal data for a specific purpose.

Contract – processing is necessary for a contract we have with an individual or to take steps before entering into a contract with an individual.

Legal obligation – processing is necessary for us to comply with the legal and regulatory obligations that we are subject to.

Public interest – processing is necessary for us to meet obligations that are in the public interest.

Legitimate interest – a legitimate interest exists for processing which could be ours, our clients’ or third parties’; this could be in relation to providing our services, protecting our or our clients’ business or informing others about our products and services. We will always balance the rights of individuals with our and others’ legitimate interests.

The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the person’s identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you as set out below:

Identity Data includes first name, maiden name, last name, username or similar identifier; marital status; title; date of birth; gender; and data contained in photographs, videos and CCTV images.

Contact Data includes home address and billing address (if different), email address and telephone numbers.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, operating system and platform and other technology on the devices you use to access this website.

Profile Data includes your username and password, your interests, preferences, feedback and survey responses.

Usage Data includes information about how you use our website, products and services.

Marketing and Communications Data includes your preferences in receiving marketing material from us and your communication preferences as well as usage information through email web beacons.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this policy.

We do not collect any special categories of personal data about you or any information about criminal convictions and offences via our website, other than pursuant to the terms of our recruitment privacy policy (which also describes how such data is used by us).

When and how we share personal data

We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.

Personal data held by us may be transferred to:

  • Third party organisations that provide applications/functionality, data processing or IT services to us. We use third party support to provide high level assistance for some of our key IT systems, for example, providers of IT systems, cloud-based software, identity management, website hosting and management, data analysis, data back-up, security and storage services.
  • Third party organisations that otherwise assist us in providing goods, services or information.
  • Auditors, insurers and other professional advisers.
  • Law enforcement or other government and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation.

Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

Where we store data

The servers powering and facilitating any cloud infrastructure are located in secure data centres in the United Kingdom, and personal data may be stored in any one of them in a securely encrypted format.

We may need to transfer personal data outside the UK, including to countries that are not recognised by the UK Government as having an equivalent level of protection for personal data as in the UK. Where we do so, we ensure that appropriate measures are in place to comply with our obligations under data protection legislation, including entering into an International Data Transfer Agreement.

Security of data

We take the security of all the data we hold very seriously. We take all reasonable steps to safeguard the personal data that we hold and have the appropriate technical and organisational measures in place to achieve this. We have a framework of policies, procedures and training in place covering data protection, confidentiality and information security. We regularly review the measures we have in place to ensure they are appropriate and remain fit for purpose.

How long we keep personal data

We only keep personal data for as long as is necessary, which will take into account:

  • the activity or service for which it is being processed;
  • any statutory, regulatory or contractual purposes; and
  • any period of time during which any investigation or litigation might arise from any service we have provided.

We have policies and procedures in place that govern the storage, retention and disposal of data.

Individuals’ rights and how to exercise them

Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights. Where we decide how and why personal data is processed, we act as a data controller (e.g. as an employer) or as a joint controller (e.g. in the provision of professional services). We have included further information below about the rights that individuals have.

Access to personal data

You have a right of access to a copy of your personal data held by us.

Amendment of personal data

If you inform us that any personal data that we hold is no longer accurate, we will make corrections (where appropriate) based on your updated information.

Withdrawal of consent

Where we process personal data based on consent, individuals have a right to withdraw consent at any time. We do not generally process personal data based on consent (as we can usually rely on another legal basis). To withdraw consent to our processing of your personal data please contact us or, to stop receiving an email from a TIAA marketing list, please click on the unsubscribe link in the relevant email received from us.

Other data subject rights

As well as rights of access, amendment and withdrawal of consent referred to above, individuals may have other rights in relation to the personal data we hold, such as the right to erasure/deletion, to restrict or object to our processing of personal data and the right to data portability, as well as in relation to automated decision making.

If you wish to exercise any of these rights, please contact us. We will aim to respond to any requests for information promptly and, in any event, within the legally required timeframes.

How to contact us

If you have any questions about this privacy statement or how and why we process personal data, if you want to complain about our use of personal data or exercise any of your rights, please direct your correspondence to our Data Protection Officer.

Data Protection Officer
Artillery House
Fort Fareham
Newgate Lane
Fareham
PO14 1AH
Email: dpo@tiaa.co.uk
Phone: 0845 300 3333

You also have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.

Cookies

Our cookies do not contain any personal information about you and are used only to determine your browser and user preferences for our site.

We use cookies to ascertain which web pages are visited and to make our website more user friendly. This enables us to give you the best service and experience when you return to our website.

Most web browsers automatically accept cookies, but if you prefer, you can set your internet browser not to accept them. You can still use our website without cookies being enabled; however, your visit to our website will be significantly enhanced if cookies are not disabled.

Information on deleting or controlling cookies is available at www.AboutCookies.org. Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our site.

Changes to this privacy statement

We recognise that transparency is an ongoing responsibility so we will keep this privacy statement under regular review.

This privacy statement was last updated on 5th September 2022.