This Privacy Notice sets out how I obtain and use personal data about you before and after any relationship with me, in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 (“GDP Law”) and in accordance with the European Union General Data Protection Regulation (2016/679) (“GDPR”).
This notice applies to my clients (including their clients and their underlying principals, directors, officers and employees), service providers, intermediaries and my other contacts (whether current, prospective, declined, exited or former) and all users of my website, including those that sign up to my blog and other news items. I may update this Policy at any time; when I do, and the change is substantive, I will notify you.
The data I hold
The personal data I hold varies depending on the services provided by me, ensuring I only process personal data that is adequate, relevant and necessary for the purpose. The types of data I collect and process include:
Information required to meet legal and regulatory requirements
Information provided during the provision of my services
Financial information, such as payment-related information
Any other information you may provide to me.
Purposes of processing
I use your personal data for the following purposes:
Purpose and Lawful Basis for Processing
To enter into or exit client relationships and provide governance, risk, compliance and other advisory or training services
To manage my client, intermediary and other business relationships
To seek to ensure my business is conducted efficiently and with a view to enhancing client service
To administer any contract I have entered into with you or where you are a party related to an entity for which I am contracted to provide services
To fulfil the contract I have entered into
To provide my contacts with marketing material
All marketing material is provided on the basis of consent. Consent may be withdrawn at any time by unsubscribing from our newsletter or emailing: firstname.lastname@example.org.
To ensure the security of any systems I use and prevent fraud
To obtain legal advice and/or representation
To meet all legal and ethical obligations including in respect of managing conflicts of interest
To ensure I meet all legal and ethical obligations incumbent on me
Change of purpose
I will only use your personal data for the purposes for which I collected it, unless I reasonably consider that I need to use it for another reason and that reason is compatible with the original purpose. If I need to use your personal data for an unrelated purpose, I will notify you and explain the legal basis which allows me to do so.
Please note: I may process your personal data without your knowledge or consent where this is required or permitted by law.
Failure to provide personal data
If you fail to provide certain personal information and data when requested, I may not be able to fulfil the contract I have entered into with you, or on your behalf, or provide the services requested or I may be prevented from complying with my legal obligations.
Sources of personal data
My sources of data may include clients, data subjects directly, introducers, intermediaries, advisers, third parties connected to the data subject (for example: family member, employer or another service provider who provides services to the data subject) or open-source material.
I collect personal data via the completion of forms [electronic and paper] provided to you and completed by you, from documents provided including due diligence documents, from correspondence including email, and from meetings and telephone conversations.
I will collect personal data throughout the course of our business relationship or while I provide services to clients connected to you.
Recipients of personal data
I rarely share information with third parties; however, I may sometimes have to share it, including with third party service providers, where required by law, where it is necessary to administer our business relationship, where it is necessary for me to provide the services to you or where I have another legitimate interest in doing so.
The following are potential recipients of personal data (in each case including respective employees, directors and officers):
Sub-contractors, agents, consultants or service providers such as insurance brokers, IT firms or other professional advisers of me or my clients, and their clients, and associated parties
Bankers, auditors, accountants, investment brokers, managers or advisers, legal and other professional advisers
Guernsey and overseas regulators, or other government, or supervisory body and tax authorities when required by law
Law enforcement agencies where considered necessary for me to fulfil my legal obligations
When I engage a third party to process your personal data, I will require them to process your personal data in accordance with this instruction and protect the data against unauthorised or accidental use, access, disclosure, loss or destruction.
They cannot use your personal data for their own purposes. They will only be permitted to process your personal data for a specified purpose and in accordance with instructions. Where they no longer need your personal data to fulfil the contract, they will need to transfer the data back to me and/or destroy or delete any data held by them.
Transferring data outside of Guernsey and the EU
In the event any of the third parties detailed above are outside of Guernsey and the EU and where I am transferring personal data, which would be protected under the GDP Law or GDPR, I will ensure that I meet the relevant requirements prior to carrying out such a transfer. This may include only transferring the data where I am satisfied that:
The non-European Union country has Data Protection laws similar to the Laws in Guernsey and the European Union
The recipient has agreed, through contract, to protect the information to the same Data Protection standards as Guernsey and the European Union
I have obtained consent from the relevant data subjects to the transfer, or
If transferred to the United States of America, the transfer will be to organisations that are part of the Privacy Shield
I have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used or accessed without authorisation. In addition, I restrict access to your personal data to those employees, agents, contractors, consultants and other third parties who have a business need to access these data. They will only process your personal data on my instruction and they are subject to a duty of confidentiality.
I have in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where I am legally obliged to do so.
I only keep data for as long as is necessary to fulfil the purposes (as set out above) for which I collected it. To determine the appropriate retention period for personal data, I consider the amount, nature and sensitivity of the personal data, the potential for harm from unauthorised use or disclosure of the data, the purposes for which I process the personal data and whether I can achieve those purposes through other means, and the applicable legal requirements.
Once our business relationship ends, I will retain and securely destroy your personal data in accordance with my record retention and destruction policy, applicable legislation and/or regulatory requirements.
As a data subject you have the following rights in respect of your personal data:
Right of access - you have the right to request a copy of the personal data that I hold about you and to check that I am lawfully processing that data. You will not have to pay a fee to access your personal data (or exercise any of the other rights) unless your request is clearly unfounded or excessive, in which case I may charge a reasonable fee or refuse to comply with the request.
Right of rectification - you have the right to correct data that I hold about you, which is inaccurate or incomplete.
Right of erasure - this enables you to ask me to delete or remove your personal data where there is no good reason for me to continue to process it.
Right to restrict processing - this enables you to ask me to suspend the processing of your personal data, for example if you want me to establish its accuracy or the reasons for processing it.
Right of portability - you have the right to have the data I hold about you transferred.
Right to object - you have the right to object to certain types of processing including direct marketing. You also have the right to ask me to delete or remove personal data where you have exercised your right to object.
Right to object to automated processing including profiling - you have the right not to be subject to decisions based on automated processing or profiling. I do not currently undertake any automated processing or profiling.
If you wish to exercise these rights, you should send the request in the first instance to email@example.com.
In the event you wish to make a complaint about how your personal data is being processed or how your complaint has been handled, you have the right to lodge a complaint directly with the Office of the Data Protection Authority (“ODPA”) either via email or by post at:
The Office of the Data Protection Authority
St Martin’s House
St. Peter Port
You may also appeal to certain courts against (i) any failure of the ODPA to give written notice of whether the complaint is either being investigated or not being investigated and where applicable, the process and outcome of the investigation and (ii) a determination of the ODPA not to investigate the complaint or a determination that a controller or processor has not breached or is not likely to breach an operative provision in connection with the complaint.
Cookies are small text files which are transferred to your computer or mobile when you visit a website or app.
I use them to:
Remember information about you, so you don’t have to give it to me again. And again. And again
Keep you signed in [if required], even on different devices
Help me understand how people are using my services, so I can make them better
Deliver advertising to websites outside of the UK
Find out if my emails have been read and if you find them useful
First Party Cookies
These cookies are set by the website you’re visiting. And only that website can read them.
Third Party Cookies
These cookies are set by someone other than the owner of the website you’re visiting. Some of my web pages may also contain content from other sites like BPP or ICSA, which may set their own cookies. Also, if you share a link to a page on my website, the service you share it on (for example, LinkedIn) may set a cookie on your browser. I have no control over third-party cookies - you can turn them off, but not through me.
These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer or Safari).
These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. I might use persistent cookies when I need to know who you are for more than one browsing session. For example, I use them to remember your preferences for the next time you visit, if you use the members area.
Strictly Necessary Cookies
These cookies let you use all the different parts of my website. Without them, services that you’ve asked for can’t be provided. Also, I may collect data from you to help me understand how you are using the website, so I can make it better.
Other Tracking Technologies
Some sites use things like web beacons, clear GIFs, page tags and web bugs to understand how people are using them and to target advertising to them.
They usually take the form of a small, transparent image that is embedded in a web page or email. They work with cookies and capture data like your IP address, when you viewed the page or email, what device you were using and where you were.
Telephone: +44 (0) 7911 766928