Privacy Notice
General
This Privacy Notice sets out how I obtain and use personal data about you before and after your relationship with me, in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Guernsey DP Law”) and in accordance with the European Union General Data Protection Regulation (2016/679) (“GDPR”).
I am a “data controller”. This means that I am responsible for deciding how I hold and use your personal data. I am required under the data protection legislation detailed above to notify you of the information contained in this privacy notice.
This notice applies to clients, investors, shareholders, limited partners, beneficiaries and other trust or foundation parties, service providers, business referrers, intermediaries and other contacts of mine in my capacity as a Licensed Personal Fiduciary (whether current, prospective, declined, exited or former) and users of my website. I may update this Notice at any time, as required.
Any questions in relation to this Privacy Notice or requests in respect of personal data should be directed to me in the first instance.
Who I Am
I am a Licensed Personal Fiduciary, regulated by the Guernsey Financial Services Commission. My primary relationship with you will be confirmed in either an engagement letter or other written agreement in relation to any client relationship.
The data I obtain, store and use
I process data in order to provide personal fiduciary services. The types of data I may collect and process include:
- Contact details (including names, postal and email addresses, telephone numbers and website URL).
- Information required for me to meet legal and regulatory requirements in particular in respect of anti-money laundering legislation, including identification data (date and place of birth, nationality, identity number, copies of your passport or other identification document) and information regarding source of funds and source of wealth.
- Information required for meet my reporting obligations for example: tax reporting including tax status, tax number, tax residency and financial information.
- Information required for me to provide the services including financial information to process payments, background information including employment details and details of dependents.
- Any other information you may provide to me.
I may also collect, store and use Special Category Data including:
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
- Information about your health, including any medical condition, health and sickness records.
- Data relating to a person’s criminal record or alleged criminal activity.
Special Category Data requires a higher level of protection and will only be processed where I have received explicit consent or the processing is necessary for compliance with a legal obligation.
Purposes of processing
I use data, including personal data, for the following purposes. This table also confirms the lawful basis I am relying on in each case:
| Purpose | Lawful Basis for Processing |
|---|---|
| To provide personal fiduciary services. | The processing is necessary for the conclusion or performance of a contract. The legitimate interests of my clients and their underlying and connected persons. |
| To administer any contract I have entered into with you or where you are a party related to an entity for which I am contracted to provide services. | To fulfil the contract we have entered into. |
| Making arrangements for the termination of our business relationship. | The processing is necessary for the conclusion of our contract. |
| To manage my client, intermediary and other business relationships. | My legitimate interests to seek to ensure that my business is conducted efficiently and with a view to enhancing business services. |
| To obtain legal and/or tax advice or representation. | The processing is necessary for the conclusion or performance of a contract, or the legitimate interests of myself and my clients to ensure that I am able to engage relevant tax or legal advisers and/or representation. |
| To ensure the security of my systems and staff and prevent fraud. | My legitimate interest in protecting my systems and staff from being misused or the victim of criminal activity. |
| To meet all legal and regulatory obligations applicable to me including in respect of managing conflicts of interest. | The processing is necessary for compliance with a legal obligation or regulatory obligation to which I am subject. For example: relevant anti-money laundering and countering the financing of terrorism legislation. |
The data sought will vary and the purposes for processing will overlap depending on the type of services provided.
Change of purpose
I will only use your personal data for the purposes for which I collected it, unless I reasonably consider that I need to use it for another reason and that reason is compatible with the original purpose. If I need to use your personal data for an unrelated purpose, I will notify you and I will explain the legal basis which allows me to do so.
Please note: I may process your personal data without your knowledge or consent where this is required or permitted by law.
Failure to provide personal data
If you fail to provide certain personal information and data when requested, I may not be able to fulfil the contract I have entered into for you, or on your behalf, or provide the services requested or I may be prevented from complying with my legal obligations.
Sources of personal data
The sources of data may include clients, data subjects directly, introducers, intermediaries, advisers, third parties connected to the data subject (for example: family member, employer or another service provider who provides services to the data subject) or open-source material.
I collect personal data via the completion of forms provided to you and completed by you, from documents provided including due diligence documents, from correspondence including email, from meetings and telephone conversations.
I will collect personal data throughout the course of our business relationship or while I provide services to clients connected to you.
Recipients of personal data
I share information with third parties including third party service providers where required by law, where it is necessary to administer our business relationship, where it is necessary for me to provide the services to you or where I have another legitimate interest in doing so.
The following are potential recipients of personal data (in each case including respective employees, director and officers):
- Sub-contractors, agents, consultants or service providers such as insurance brokers, compliance, IT firms or other professional advisers of myself or my clients and their clients and associated parties.
- Bankers, auditors, accountants, investment brokers, managers or advisers, legal and other professional advisers.
- Company formation agencies and registries.
- Land or property agents and registries.
- Guernsey and overseas regulators, or other government or supervisory body and tax authorities when required by law.
- Law enforcement agencies where considered necessary for me to fulfil legal obligations applicable to it.
When I engage a third party to process your personal data, I will require them to process your personal data in accordance with my instructions and protect the data against unauthorised or accidental use, access, disclosure, loss or destruction. I do not allow them to use your personal data for their own purposes. They will only be permitted to process your personal data for a specified purpose and in accordance with my instructions. Where they no longer need your personal data to fulfil the contract, they will need to transfer the data back to me and/or destroy or delete any data held by them.
Transferring data outside of Guernsey and the EU
In the event any of the third parties detailed above are outside of Guernsey, and the EU and where I am transferring personal data which would be protected under the Guernsey DP Law or GDPR, I will ensure that I meet the relevant requirements prior to carrying out such a transfer. This may include only transferring the data where I am satisfied that:
- The non-European Union country has Data Protection laws similar to the Laws in Guernsey and the European Union for example: the UK or Jersey
- The recipient has agreed through contract to protect the information to the same Data Protection standards as Guernsey and the European Union or
- I have obtained consent from the relevant data subjects to the transfer.
Data Security
I have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used or accessed without authorisation. In addition, I restrict access to your personal data to those employees, agents, contractors, consultants and other third parties who have a business need to access the data. They will only process your personal data on my instructions and they are subject to a duty of confidentiality.
I have in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator or a suspected breach where I am legally obliged to do so.
Data Retention
I only keep data for as long as is necessary to fulfil the purposes (as set out above) for which I collected it. Details of retention periods for different aspects of your personal data is available in my retention policy which is available on request from the Data Protection Representative. To determine the appropriate retention period for personal data, I consider the amount, nature and sensitivity of the personal data, the potential for harm from unauthorised use or disclosure of the data, the purposes for which I process the personal data and whether I can achieve those purposes through other means, and the applicable legal requirements.
Once our business relationship ends, I will retain and securely destroy your personal data in accordance with my record retention and destruction policy, applicable legislation and/or regulatory requirements.
Data subject’s rights
As a data subject you have certain rights in respect of your personal data. You have the following rights:
- Right of access – you have the right to request a copy of the personal data that I hold about you and to check that I am lawfully processing that data. You will not have to pay a fee to access your personal data (or exercise any of the other rights) unless your request is clearly unfounded or excessive in which case I may charge a reasonable fee or refuse to comply with the request.
- Right of rectification – you have the right to correct data that I hold about you which is inaccurate or incomplete.
- Right of erasure – of your personal data. This enables you to ask me to delete or remove personal data where there is no good reason for me to continue to process it.
- Right to restrict processing – this enables you to ask me to suspend the processing of your personal data for example: if you want me to establish its accuracy or the reasons for processing it.
- Right of portability – you have the right to have the data I hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing including direct marketing. You also have the right to ask me to delete or remove personal data where you have exercised your right to object.
- Right to object to automated processing including profiling – you have the right not to be subject to decisions based on automated processing or profiling. I do not currently undertake any automated processing or profiling.
If you wish to exercise these rights you should send the request in the first instance to me.
Status
This Privacy Notice sets out my current policy as regards the maintenance and processing of personal data. It does not form, and should in no way be construed as, a contract and no contractual rights or causes of action shall arise in relation to or consequence of the content of this Notice.
Changes to this Privacy Notice
I keep this Privacy Notice under review and any updates will appear on my website at https://personalfiduciary.com
I last updated this Privacy Notice on 30th January 2024.
Contact details
I am the Data Protection Representative and all enquiries in respect of this Privacy Notice, any complaints about the way in which your personal data is being processed, or any request to exercise any of the rights set out above should be directed to me as Data Protection Representative via email at david.piesing@personalfiduciary.com, or telephone +44 (0)7781 102083 or by post at 3 Infinity Views, Les Petites Fontaines, St. Peter Port, Guernsey GY1 1JE.
Complaints
In the event you wish to make a complaint about how your personal data is being processed or how your complaint has been handled you have the right to lodge a complaint directly with the Guernsey Data Protection Commissioner either via email enquiries@dataci.org or by post at:
The Office of the Data Protection Authority, St Martin’s House, Le Bordage, St Peter Port, Guernsey GY1 1BR.