Guernsey Privacy Notice
For clients, prospective clients, beneficial owners and other persons connected to client entities
The Data Protection (Bailiwick of Guernsey) Law, 2017
In the course of our business, NWH (Guernsey) Limited (‘NWH’) needs to collect personal information about our clients and other persons connected to the trusts, companies and other entities (‘structures’) under our administration, and in some circumstances we may need to share such information with third parties.
We are therefore a ‘data controller’ for the purposes of Guernsey’s Data Protection (Bailiwick of Guernsey) Law, 2017 (the ‘DP Law’), which came into force on the same date, 25 May 2018, as the EU’s General Data Protection Regulation (GDPR), and which the European Commission recognises as providing an adequate level of data protection. As a consequence of this ‘adequacy ruling’ by the EC, though Guernsey is not a part of the EEA and is therefore not directly subject to the GDPR, it is effectively treated for data protection purposes as if it were.
The DP Law, like the GDPR, aims to protect individuals’ (or ‘data subjects’) personal information by imposing certain obligations on data controllers and strengthening the rights of data subjects in relation to the processing of their ‘personal data’ (defined as any information about an identified or identifiable individual). We are committed to processing your personal data in accordance with the DP Law and respecting your rights as a data subject.
In accordance with Schedule 3 of the DP Law, this privacy notice provides general information relating to our processing of your personal data, including why we need to collect it, who we might need to share it with, and what your rights are in relation to it. If you would like further detail on any of the matters discussed in the notice, please contact our Compliance Officer on the telephone number or email address provided at the bottom of this notice.
Further information, including guidance and a link to the DP Law, is available on the Guernsey Data Protection Commissioner’s website: https://dataci.gg/new-law/ .
- Lawyers, family members and other persons acting on the data subject’s behalf. If you provide us with information relating to another person (for example, to assist us in completing our due diligence process in relation to a new account), you must ensure that you have a lawful basis (e.g. their consent) for doing so, and we ask that you give them a copy of this privacy statement.
- A data subject’s chosen referees.
- Regulatory compliance / risk management databases and agencies (subject to strict information security and confidentiality requirements).
- Publicly available sources, such as news outlets.
We may need to share your personal data with third parties in order to comply with our regulatory (e.g. tax reporting and anti-money laundering) obligations, fulfil our legal and contractual duties in relation to the structures under our administration, and achieve our legitimate interests as a business. Examples of third parties with whom we might need to share personal data for one or another of these purposes are included under ‘Purposes and legal bases for processing’, below.
Most third party recipients of personal data are subject to the GDPR or equivalent legislation themselves. In the event that we need to share your personal data with a third party in a jurisdiction that is not subject to the GDPR or equivalent legislation, we will only do so if one or more of the conditions under which the DP Law permits such a transfer have been satisfied (for example, you have explicitly consented to the transfer, or appropriate safeguards are in place to ensure that the data is subject to adequate levels of protection and that your rights as a data subject will be respected).
Where our processing of personal data involves the services of a third party data ‘Processor’ (i.e. a person that processes data on our behalf), we will take such measures as may be required by the DP Law to safeguard your rights as a data subject.
Purposes and legal bases for processing
The DP Law lists several lawful grounds or "legal bases" for the processing of personal data. We will only process your personal data to the extent that one of these legal bases applies. The legal bases that apply most commonly to our processing of personal data are outlined below, together with examples of processing undertaken and third parties with whom personal data may be shared pursuant to each legal basis.
- The processing is necessary to comply with our legal / regulatory obligations
For example, regulations relating to the countering of financial crime and terrorist financing require us to carry out due diligence, which generally includes the processing of personal data, on anyone who directly or indirectly controls, contributes to or benefits from any structure under our administration.
Third parties to whom personal data may be transferred pursuant to our regulatory obligations include tax authorities (e.g. under the intergovernmental tax information sharing regimes CRS and FATCA); law enforcement agencies; regulatory authorities; and regulatory compliance / risk management agencies.
- The processing is necessary for the performance of our contract with you / for your benefit
For example, as trustees we may need to have an understanding of beneficiaries’ personal and financial circumstances in order to effectively carry out our responsibilities towards them, and we often need to provide due diligence information to counterparties in order to take some or other action (e.g. opening or maintaining a bank account or investment portfolio, or obtaining legal advice) that is necessary for the effective administration of a structure.
Third parties with whom we might share personal data in the course of administering a structure include legal and financial advisors, bankers, investment managers, and other corporate service providers (e.g. the provider of a registered office in another jurisdiction).
- The processing is necessary to achieve our ‘legitimate interests’ (or those of a third party) and such legitimate interests are not outweighed by your interests, rights and freedoms as a data subject.
For example, we have legitimate interests in processing personal data in order to provide and market our services, maintain service standards, manage our client and other business relationships, and protect the security of our systems. Examples of processing that may be undertaken pursuant to such legitimate interests include:
Holding personal data relating to a beneficiary who is not aware and is not to be informed until a future date that he or she stands to benefit from a trust, to enable us to contact, identify and distribute trust funds to that beneficiary at the appropriate time.
Recording and monitoring telephone calls and other communications for the purposes of training, fraud prevention, responding to complaints, and ensuring that we are meeting service standards. Note that communications may also be monitored on other grounds, for example to assist us in meeting regulatory obligations.
Sending marketing and other communications about our business to clients (provided that marketing will not be sent to anyone we would not contact in the ordinary course of business and will always include the option to unsubscribe from receiving such communications in the future).
Providing due diligence to a counterparty in the event of a sale or merger of our business, or meeting our reporting obligations to our group holding company. To be clear, we do not have a legitimate interest in deriving a profit from your personal data, and will never sell your personal data or otherwise disclose it to any third party for our own commercial benefit.
- You have expressly consented to the processing of your personal data
We may ask for consent to process personal data in particular circumstances, for example, to the extent required to allow us to process a minor’s personal data (e.g. where a child is named as a beneficiary of a trust); to the extent required to allow us to process sensitive data; and otherwise to the extent that consent for the processing of personal data is required under the DP Law. If we are processing your personal data on the basis of your consent, you may withdraw such consent at any time: see ‘Your rights as a data subject’ below.
Retention and security
Our policy is to keep copies of files relating to structures formerly under our administration – which will generally contain personal data – for 6 1⁄2 years following the termination of the relevant business relationship. This retention period takes account of statutory retention requirements and legal prescription periods. After 6 1⁄2 years the files are destroyed unless (and only for as long as) there is a compelling reason (such as ongoing litigation involving the structure in question) to continue to retain them.
We take appropriate measures to protect all personal data and other confidential information under our control from unauthorised access and disclosure.
Your rights as a data subject
In summary, and subject to the conditions and exceptions set out in the DP Law, you rights as a data subject are:
- The right to certain information relating to the processing of your personal data. The purpose of this privacy notice is to provide you with that information.
- From 25 May 2019, the right to portability of your personal data. This will entail, for example, that you may require us as data controller to transfer your personal data to a new service provider on the termination of our relationship with you.
- The right to access your personal data that we have on file (or are otherwise processing in any way).
- The right to object to the processing of your personal data for certain purposes, including marketing. Any marketing communication that we send you will allow you to opt-out of receiving any marketing from us in the future.
- The right to require us to rectify your personal data if the personal data that we hold on you is inaccurate or incomplete.
- The right to require us to erase your personal data in certain circumstances, for example if we retain the data for longer than is necessary.
- The right to require us to restrict the processing of your personal data in certain circumstances, for example, pending the determination of a dispute about the accurateness or completeness of the personal data that we hold on you.
- The right not to be subject to automated decision making. NWH does not rely on automated decision making processes.
- The right to withdraw your consent to the processing of your personal data: if we are relying on your consent to process your personal data for a particular purpose, you have the right to withdraw that consent at any time. To withdraw your consent, please contact our Compliance Officer, whose details are below. The withdrawal of consent does not affect the lawfulness of processing on other grounds (for example, where the processing is necessary to comply with our regulatory obligations).
If you refuse to provide the information that we requestAs we need the information that we request from you in order to comply with our regulatory obligations and fulfil our contractual and legal duties, we may be unable to establish or continue a business relationship with you if you refuse to provide us with such information.
Enquiries, exercise of rights & complaintsPlease direct any enquiries, requests or directions relating to your rights as a data subject or our processing of your personal data more generally, to our Compliance Officer, Adam Pickering. While you are always free to call with any general enquires you may have, please note that any enquiries, requests or directions relating to a specific person’s personal data must be made in writing (by email or post). Adam’s contact details are as follows:
|Postal address:||NWH (Guernsey) Limited|
|PO Box 212|
|St Martin’s House, Le Bordage|
|St Peter Port|
|Tel:||+44(0)1481 734 565|
If you want to make a formal complaint in relation to our processing of your personal data, please refer to our complaints procedure, a copy of which is provided to new clients and is available on request. You are also entitled to lodge a complaint about our processing of your personal data with Guernsey’s Data Protection Commissioner (see: https://dataci.gg/online-enquiry/#/complain/form).
Changes to this privacy notice
We reserve the right to update this privacy notice at any time and we will ensure that you are notified of any update as soon as is reasonably practicable. We encourage you to regularly review this notice to ensure that you are always aware of how personal data is collected, used, stored and disclosed. We may also notify you in other ways from time to time about the processing of your personal data.