Privacy notice relating to our clients and business relationships
This notice will explain how we collect and process personal data about directors, shareholders, ultimate beneficial owners, members, suitable certifiers, beneficiaries and trustees of the below:
- Our clients
- Business Introducers
- Service providers, either appointed by OFL or OPAL in order to service our clients, or appointed by our clients.
- Any other individual with whom we maintain a business relationship
- Any other individual with whom any of the above maintain a business relationship and we are obliged by law or any other lawful reason to request and maintain personal data.
What is considered personal data
As per Article 4 of the GDPR, it is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data that we could source from you as part of our statutory obligations (this is the information you may be obliged -depending on our relationship- to give us by law for the business to go ahead) :
- Date and place of birth
- National id number
- Tax residency country
- Tax identification number or equivalent
- Professional id number
- Employer (current or past)
- Salary and job position (current or past)
- Bank details as proof of source of funds
- Identification documents (such as passport, driving licence, etc.) as proof of identity
- Proof of address (such as utility bills, bank statement, etc.)
- Source of wealth evidence (such as pay slips, evidence of ownership, Will, etc.)
- Proof of transactions/funds transferring
- Information of the family members (such as PEPs)
- Any other information required by any relevant legislation including but not limited to the Anti Money Laundering and Countering Financial Terrorism
Personal data that we could source from you as part of our contractual obligations as specified in Part IX b) -this is the information that you may have to provide in order for us to fulfil our obligations with you:
- Marital status
- Contact details (such as telephone number and email address)
Special Category Data.
It is the kind of data that could create significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination.
Personal data that we could source from you as part of our contractual obligations:
- Personal health ( this just applies for members of our pension schemes)
**Please note that whenever a copy of the data subject’s passport has been provided to us, this will not be considered as part of the biometrics data as this kind of information is only covered by the definition of biometric data when processed through a specific technical means allowing the unique identification or authentication of a natural person. Neither OFL, nor OPAL will process biometrics data. The mentioned copy will just be held as part of the data subject’s file**.
Criminal offence data.
It is the type of data about criminal allegations, proceedings or convictions.
Personal data that we could source from you as part of our contractual/statutory obligations:
Personal data that we could collect from third party sources as part of our statutory obligations:
- Professional background
- Employment details
- Business relationships
- Any publicly available relevant information
How do we collect all the above information?
If you are our source of collection, we usually will gather the data through either one or more of the following:
- initial/ongoing application,
- contract for a service,
- telephone calls,
- face to face meetings and correspondence (mail or email).
If we have collected your data from 3rd party sources, we usually will gather the data through either one or more of the following:
- Public sources such as any available online information, social media,
- Professional bodies and public available databases,
- Public registers and government agencies public information
- Any other available public source.
For other personal data gathered from our web page, please click on this link: Privacy notice relating to our Website
Purposes of the processing
We will process your data based on one or more of the below purposes:
- To provide you with the relevant services as stipulated on the relevant contract
- For marketing (in some cases)
- To comply with all the relevant legislation and regulations, including but not limited to the Anti money laundering and countering financial terrorism
- To fulfil statutory requirements (such as filling of annual return)
- To verify your identity
- To develop OFL and OPAL business statistics
Lawful basis of the processing
- All the personal data mentioned in this notice is processed by OFL and OPAL under the lawful basis of ‘legal obligation’, unless it is specified differently. Under this basis, processing of your data is necessary for the compliance with the legal obligations to which OFL and OPAL are subject.
- If you are the person entering into a contract with us by 1) acting either in your own name (such as a member of a Pension Scheme, a shareholder of a company to be set up, or a settlor of a Trust) or 2) representing a legal person (such as Director of a corporate shareholder, or a Director to a company where we offer registered agent/office services, or an introducer), we will be holding your personal data on the basis of ‘Contract’ as well. Under this basis, processing of your data is necessary either for the performance of the contract to which you are a party or in order to take steps at your request prior to entering into a contract (e.g. provide a quote).
- If you are a member of a pension scheme, we will be processing your health declaration (stated on your application) under 1) the legal basis of legitimate interest: this is the way for us to prove that our client (you) has a the legitimate reason for transferring their wealth into a pension scheme, other than tax avoidance; and 2) the special category condition of “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”.
- Within the bounds of strict necessity and proportionality, in some cases we will process your personal data under the lawful basis of ‘legitimate interest’ where the processing is necessary for any or all of the following 1) keeping a relevant and appropriate relationship, 2) commercial interests, 3) exercise or defence of legal claims, 4) fraud prevention or 5) prevent cyberattacks.
If the purpose under which we process your data change, we still may be able to continue processing under the original lawful basis if our new purpose is compatible with the initial purpose (unless your original lawful basis was consent).
Who do we share your personal data with
We could share your personal data with one or more of the below recipients:
- Tax Services Providers
- Financial services providers (such as wealth management firms, banks, investment platforms, etc.)
- Any other service provider we enter into a business relationship in order to fulfil and comply with our contractual or statutory obligations (such as Surveyor Company, accountancy firm, solicitor’s firm, etc.)
- Company group.
- Any regulator, enforcement agency, Government agency necessary to fulfil and comply with our statutory and/or legal obligations (such as the FCA in the Uk, the FSA in the IOM, HMRC, etc), or to protect our rights or the rights of any third party.
- Any legal or natural person that we or our clients enter into a business relationship, if required by law or contract (such as Companies that we buy in as legal representatives of our clients or as Trustees, etc.)
- Debt collector companies - in the specific case of default on the payments of our services.
- Auditors - as part of our statutory requirements.
International sharing of the personal data.
As we do business internationally, we could share your information with any relevant country for the business based in two considerations:
- In order to meet our statutory and legal obligations. Such as FATCA Agreements and Regulations where we are obliged (as any other jurisdiction in the world) to report all UK and USA nationals to their relevant national authority
- In order to fulfil contractual obligations
Example: A UK national, shareholder of a company ‘Z’ in the IOM, that will buy into a Jersey registered company X that is regulated in Guernsey to provide insurance services to client Y.
In this example, your information could be shared with the UK, IOM, Jersey and Guernsey.
Under the GDPR, an international transfer of data may be made where:
A third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate/equivalent level of protection, and
The transfer is:
- made with the individual’s informed consent;
- necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
- necessary for the performance of a contract made in the interests of the individual between the controller and another person;
- made from a register which under UK or EU law is intended to provide information to the public
If none of the above apply, such transfers are permitted only where the transfer:
- is not repetitive (similar transfers are not made on a regular basis);
- involves data related to only a limited number of individuals;
- is necessary for the purposes of the compelling legitimate interests of the organisation (provided such interests are not overridden by the interests of the individual); and
- is made subject to suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data.
In these cases, we would be obliged to inform the relevant supervisory authority of the transfer and provide additional information to you.
We will retain your information for
- As long as we hold a business relationship
- As long as we are obliged by any relevant law (usually between 5 and 7 years), after our business relationship has ended.
- As long as you do not withdraw your consent, if we hold your data under this legal basis.
- As long as necessary to provide the relevant service to our clients.
- As long as you maintain a business relationship with our client.
Your data security.
We in OFL and OPAL have put in place security measures to ensure your data’s:
- Confidentiality- the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them);
- Integrity- the data we hold is accurate and complete in relation to why are we processing it; and
- Availability- the data remains accessible and usable, i.e. if personal data is accidentally lost, altered or destroyed, we are be able to recover it and therefore prevent any damage or distress to the individuals concerned.
Under the GDPR, you are provided with the following rights:
- The right to be informed, hence this privacy notice.
- The right of access, so you are aware of and can verify the lawfulness of the processing.
- The right to rectification, so you can have inaccurate personal data rectified, or completed if it is incomplete.
- The right to erasure, also known as the ‘right to be forgotten. This is not applicable to data held under the lawful basis of ‘legal obligation’ or if processing is necessary for the establishment, exercise or defence of legal claims.
- The right to restrict processing, so you can limit the use of your data, but only applies in certain circumstances.
- The right to data portability. Does not apply to you as our processing is not carried out by automated means
- The right to object the processing of your personal data. So you can object processing based on legitimate interests or direct marketing (in the last case we must stop as soon as we receive your objection).
- Rights in relation to automated decision making and profiling. Does not apply to you as we do not carry out decision making and profiling by automated means.
To exercise one or more of the above rights please submit your request to our contact details shown below on this document and we will contact you within one calendar month**.
All the recipients with whom we have disclosed your personal data will be notified once a request of data rectification, erasure or restriction has been granted by us.
**Dates are calculated from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
Please be advised that where we hold personal data in our capacity as processor (i.e. for companies where we provide registered agent/address services only) neither OFL nor OPAL will be able to provide a third party with any information on request.
If you are a third party requesting information on the above cases, please send by post/email your data request and it will be automatically forwarded to the Officers of the relevant company. You will obtain an answer from them within the periods marked by the law.
Automatic decision making and profiling
No automated decision making or profiling is made from these details.
You will be notified of:
You will be notified by either via email, correspondence, phone call, etc. of:
- Any changes in this privacy notice, including changes in:
- Purpose of processing of your personal data
- Additional personal data obtained by third party sources (when you have not been previously notified that this could happen)
- Additional personal data sharing with third parties (when you have not been previously notified that this could happen).
- Data breaches. In the unlikely case of a breach to your personal data.
We will inform you of this changes before starting any new processing, giving you sufficient advance notice so that you have the opportunity to exercise your rights.
We don't offer our services directly to children. If due to a statutory or contractual obligation we see the need to request child’s personal information, we will never request it directly to the child but through the person with parental responsibility.
Your right to lodge a complaint with a supervisory authority and seeking a judicial remedy.
If you are dissatisfied with our advice, you have the right to lodge a complaint with the Supervisory Authority:
Isle of Man Information Commissioner
P.O. Box 69, Douglas, Isle of Man,
Telephone: +44 1624 693260