- PURPOSE OF DATA PROTECTION
- DATA WE COLLECT ABOUT YOU
- PURPOSES & LAWFUL BASIS FOR PROCESSING
- SHARING YOUR PERSONAL DATA
- TRANSFERRING YOUR DATA OVERSEAS
- RETAINING YOUR DATA
- PROTECTING YOUR DATA
- YOUR RIGHTS & OPTIONS
- CONTACT US
The Ocorian group is a global provider of fiduciary and administration services to corporate, institutional and private investors and to private individuals. This global privacy notice ("notice") explains how we collect, manage and protect your personal data if we need to process it as a data controller for the purposes of providing services to our clients. References to "we", "us" and "our" in this notice are to one or more members of the Ocorian group.
The Ocorian group consists of Ocorian Limited, a company incorporated in Jersey with registered number 52417, whose registered office is at 26 New Street, St Helier, Jersey JE2 3RA and its subsidiaries, its ultimate holding body, all subsidiaries of its ultimate holding body and any corporate entity managed or controlled by any of those entities. A full list of all the members of the Ocorian group can be found here. You can contact any member of the Ocorian group using the details provided on our website. You can also contact our Data Privacy Officer using the details provided at the end of this notice.
We collect and process your personal data if you are:
- a client that is an individual receiving services in your own capacity (an "individual client"), for instance, related to a trust or a foundation, from us; or
- associated with a corporate client because you are (for instance) an owner, director, officer, employee or contractor of the corporate client, or an investor in it, or if you are the subject of, for example, share plan administration services that we provide to our client, your employer.
We also collect your personal data if you represent other entities or organisations that we deal with, such as advisers, governmental and judicial bodies, regulators, suppliers or anyone that makes any form of enquiry in relation to us or our services or if you personally make any enquiry in relation to (for instance) our services or employment with us.
If you are an individual client, the data controller of your personal data is the member of the Ocorian group named in the engagement agreement you have agreed with us.
If you are not an individual client and a member of the Ocorian group is a data controller in relation to personal data collected from you, the data controller is the member of the Ocorian group which has collected that personal data.
This notice does not apply to the collection or use of personal data by any member of the Ocorian group as a data processor acting on instructions from a client. Where this applies, the client will be the data controller and its privacy notice and/or the terms of an agreement as to processing agreed between us will apply.
Purpose of Data Protection
The purpose of data protection law is to protect your rights and privacy when we process your personal data. Personal data is any information relating to an identified or identifiable natural person. A person is "identifiable" if he or she can be identified, directly or indirectly, not only by things such as a name or an identification number, but also by things such as location data or some factor specific to (for example) the physical, physiological or social identity of that person.
More common examples of personal data include names, identification numbers, contact information, identity documents, medical records and photographic images, and it may be contained in a written document or in a recording (a voicemail, for example). "Processing" covers any activity involving personal data and includes such things as the collection, recording, storage, adaptation, use, disclosure and destruction of personal data.
Because of the broad definition of "processing", we will in many cases need to start processing personal data about you before you or an entity with which you are associated or otherwise connected, actually become(s) a client or a supplier, as the case may be. Therefore, where the context allows, references in this notice to "clients", "suppliers" and others are to be read as including references to potential clients, suppliers and so on, even if you or they never actually become(s) a "client" or a "supplier" and so on. The only exception to this is in relation to "potential employees", who are dealt with separately below.
Data We Collect About You
Clients & Persons Connected to Clients
If you are an individual client, are associated with a corporate client¹ or are otherwise connected with a client (whether private or corporate) because (i) you are a legal or beneficial owner, investor, a settlor, protector or beneficiary or (ii) you are a director, officer, employee or contractor of a client or (iii) you are the subject of, for example, share plan administration services that we provide to our client, your employer, we collect and process your personal data for various purposes connected with our
What personal data we collect and for what purpose will depend on our relationship with the client in question and/or you but will include:
- Name and Contact Details: Information that we require for the purposes of managing our relationship, including your names and your postal addresses, email addresses and telephone numbers.
- Due Diligence & Regulatory Details: Information that we require to meet our legal and regulatory obligations, particularly anti‐money laundering legislation, and to assess the risk associated with providing services to the client in question, including:
  - Identity information including your current and former names, aliases, date of birth, country of birth, place of birth, gender, nationality and a copy of your valid passport and/or birth certificate (including issue date and expiry date, where applicable).
  - Documents providing proof of your identity and address(es), such as copies of government issued documents, bank statements, utility bills and similar documents.
  - Detailed tax status information, including your tax domicile, tax identification number, copies of tax returns and tax advice received.
  - Proof of the source of your wealth and funds, such as bank statements, pension plans, property sales agreements and loan documents.
  - Occupation and employment information, including details of legal entities you are employed by or associated or otherwise connected with.
  - Details of criminal convictions and disqualifications, history of bankruptcy and details of investigations by any official body and/or if you are named on a sanctions list.
  - Details of involvement in high‐risk or high‐profile activities and of any activities of a political nature.
  - Other due diligence information gathered from checking tools we use and from searching information in the public domain.
- Share Plan Details: If you participate in an employee share plan which we administer on behalf of your employer, we will also collect information such as the number of shares that you own and their value at any particular point in time.
- Records of Correspondence: Personal data contained in communications that take place between you and us and/or the client in question and us, including emails, letters, meeting minutes and telephone call and voicemail recordings.
- Other information: Additional information that (a) you provide to us or that the client in question (or someone else on its behalf) provides to us; (b) we collect; or (c) we create when providing services to the client in question. We collect personal data from information we learn about you through our relationship, from you and from third parties, including the client's professional advisers, due diligence and risk assessment screening service providers and from the public domain, including from internet searches.
The types of data we collect may include data relating to your race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and your sex life or sexual orientation ('special category personal data') and data relating to criminal convictions or offences.
1 In this notice a "corporate client" includes any entity, organisation or other body, whether incorporated or not, that is not an individual that is a client of Ocorian in his or her own capacity.
Professional Advisers, Regulators & Suppliers
We work with entities or organisations that provide professional advice or services to us or to our clients, those that supervise and regulate us, and our clients and other suppliers of products and services to our business. We will collect personal data about you if you work for one of these organisations.
The personal data that we collect will include professional and/or personal contact details, including addresses, telephone numbers and email addresses, and records of communications that take place between you and/or others at the organisation for which you work and us, including emails, letters, minutes of meetings and recordings of telephone calls (where made) and voicemails. In addition, we collect personal data that you provide us with or that is created by us during our relationship with the entity or organisation for which you work.
If you are an applicant for a job with us (a potential employee), the personal data that we process about you will include:
- your name, address and contact details, including telephone numbers and email address(es);
- details of your qualifications, skills, experience and employment history;
- information about your current level of remuneration, including entitlement to benefits;
- whether or not you have a disability that we may need to make adjustments for during the recruitment process;
- information about your entitlement to reside and/or work in the place where you have applied for a job; and
- equal opportunity monitoring information, including information about your ethnic origin, sexual orientation, health and religion or beliefs.
If your application for a job with us is unsuccessful, we will retain your personal data for 6 months after the date on which we inform you (or any recruitment agency through which you have applied to us) that your application was unsuccessful, unless you ask us to retain your details on file for a longer period. We will delete any personal information no longer required, and will do so in an appropriate and secure manner.
If your application for a job with us is successful, our retention of your personal data will be governed by our separate policy on staff personal data, which will be made available to you by our HR department as part of your becoming a member of staff.
Enquirers & Website Visitors
If you contact us by telephone, email, using a contact form or via our social media channels we will collect the personal data that you provide to us and use it to respond to your enquiry. This personal data typically includes your name, your organisation and your professional and/or personal contact details.
When you visit our website, we will automatically collect data about you, including:
- technical information including the Internet Protocol (IP) address used to connect your computing device to the Internet, your browser type and version, time zone setting, operating system and platform;
- information about your visit, which may include the pages viewed and page response times; and
- your country of location by reference to a look‐up of your IP address against public sources.
If you subscribe to our marketing communications or your details have been otherwise lawfully added to one of our contact lists, we will collect and process your name, job title and company name, location and contact details in order to provide you with promotional update communications about us or our services.
Purposes & Lawful Basis for Processing
Clients & Persons Connected to Clients
If you are a client that is an individual, are associated with a corporate client or are otherwise connected with a client (whether private or corporate), we will process the personal data that we collect from or about you for the following purposes and on the following lawful bases:
| Purpose | Lawful basis for processing |
|---|---|
| Carrying out due diligence and performing risk assessments, including carrying out standard due diligence checks, enhanced due diligence checks, politically exposed person checks and performing risk assessments in relation to a client's financial standing, credit worthiness and eligibility for our services. | Necessary to comply with legal obligations to which we are subject. Our legitimate interests to assess the risk associated with providing our client with our services. When processing special category personal data, we do so only with your explicit consent. |
| Legal & regulatory compliance and compliance with law enforcement requests, including performing checks and monitoring transactions for the purpose of preventing and detecting crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. Also, sharing information on suspected financial crimes, fraud and threats with law enforcement and regulatory bodies. | Necessary to comply with legal obligations to which we are subject. When processing special category personal data, we do so only with your explicit consent. |
| Providing our fiduciary and administration services to our client. | Necessary for the entry into and performance of the agreement to which our client is a party. Our legitimate interests to provide our services to a client that you are associated with or connected to. |
| Managing and developing our relationship with our client, including providing account management, contacting our client for feedback and inviting our client to participate in customer satisfaction surveys. | Our legitimate interests to develop our relationship with our client, by such things as responding to enquiries about our services and/or other requests, and collecting feedback, to assess levels of client satisfaction and to improve our services. In addition, with your consent where necessary, we may process your personal data, to inform you about our present and future services and to give you relevant news and service updates. |
| Internal management, administrative and organisational purposes, including maintaining internal records and carrying out other business administration tasks. | Our legitimate interests to manage our business. |
| Statistics and other data analysis, including creating forecasts and business plans, improving our services and developing new services. | Our legitimate interests to develop and improve our business through aggregated and anonymised reporting and analysis. |
| Sharing data with entities in the Ocorian group, including sharing client records and results of due diligence exercises with our global entities. We accept that sharing your personal data for such purposes may be barred by, or be subject to our compliance with, local laws protecting personal or professional secrecy in some jurisdictions. | Our legitimate interests to identify and develop shared clients across the Ocorian group and the jurisdictions in which we operate and to utilise existing due diligence and risk assessment information when providing an existing client with services in a new jurisdiction. |
| Sharing data with other third parties, including third parties who process personal data on our behalf. | Our legitimate interests to share your data with trusted third parties who provide us with services relevant to our provision of services to our clients, including professional advisers, screening service providers and IT service providers. |
Professional Advisers, Regulators & Suppliers
If you work for or represent one of our professional advisers or suppliers or an organisation that supervises or regulates us, we will process your personal data for the purpose of our legitimate interests in carrying out our business and in providing services to our clients.
If you are an applicant for a job with us (a potential employee), we will process personal data about you in order, in our legitimate interests, to assess your application and to advance that application through our recruitment processes, including by making details of your application, including personal data, available to relevant members of our management and of our HR group, and to comply with policies and procedures under applicable professional regulations, guidelines or notices and/or that may have been put in place by us, in relation to staff and recruitment.
Enquirers & Website Visitors
When you make contact with us, we will process your personal data for the purpose of our legitimate interests in responding to your enquiries and/or request for information. We will collect information about you, in our legitimate interest, when you visit our website in order to present content to you in the most effective manner for you and your computer and in order to keep our website safe and secure.
We may use your personal data to send you marketing about our fiduciary and administration services, our news and events if you have subscribed to our marketing communications and we have obtained your consent. If your details have been lawfully added to one of our contact lists by other means, we will send you marketing information based on our legitimate interests to send you promotional materials from time to time.
You can tell us to stop sending you marketing information at any time by objecting or withdrawing your consent. You can do so by contacting us at [email protected] or by using the "Unsubscribe" link in any marketing email you receive from us. Alternatively, you can change your preferences at any time, also by using the links in our marketing communications or by contacting us through our website.
Even if you tell us that you do not want to receive marketing information from us, we still may have the right to process your personal data for the purposes of providing services to you or a client with which you are associated or otherwise connected and, in such cases, we will continue to process your personal data for those purposes.
We do not sell or otherwise pass on your contact details to any third party outside Ocorian for marketing purposes.
Where we do not base our use of personal data about you on one of the above legal bases or some other legal basis that we might explain to you in a supplemental privacy notice (see below), we will ask for your consent before we process the personal data (these cases will be clear from the context).
In some instances, we may use personal data about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use. You should read any supplemental notice in conjunction with this notice.
To the extent that we rely upon consent as the legal basis under which we use your data for any purpose, you are permitted to withdraw your consent at any time.
Sharing Your Personal Data
We may share your data with:
- Other entities in the Ocorian group, subject to any applicable confidentiality laws. We do this because we are a global organisation and work with clients across multiple jurisdictions. Sharing records and the results of due diligence and risk assessments enables us to provide our services more efficiently and develop our relationship with you. Access to shared data is limited only to personnel who need access to carry out their assigned duties and, where relevant, to those who are entitled to receive it under applicable confidentiality laws.
- Third parties who process data on our behalf to provide us or our clients with products or services for the purposes outlined in the table above in the row entitled "Sharing data with other third parties". These third parties include:
  - Professional advisers, including lawyers and tax advisers.
  - Screening service providers, including due diligence and financial crime screening database providers, such as Thomson Reuters World‐Check.
  - Credit reference agencies: For the purpose of assessing your credit standing or that of a potential or current client (whether private or corporate) with which you are associated or otherwise connected where this is a condition of us entering into a contract with you/that client.
  - IT service providers, including hosting and cloud service providers, such as Microsoft.
  - External networking sites, as a result of you visiting our website (which contains plugins to social media sites) while logged in to a relevant social network provider.
  - Other suppliers and providers of services to us, including banks, our sub‐contractors and agents.
- Other third parties, where required or permitted by law, for example:
  - Regulatory authorities.
  - Government departments.
  - In response to a request from law or revenue enforcement authorities or other government bodies.
  - In compliance with an order of a competent court or other authority, with which we are obliged to comply.
Transferring Your Data Overseas
When sharing data about you with other entities in the Ocorian group, or if it is necessary to provide you with our services, your data may be transferred outside the country in which it was collected. If your data is collected within the European Economic Area (EEA), this means that your data may be transferred outside of it, including to a country or organisation that may not have data protection standards equivalent to those in the EEA. If your data is collected outside of the EEA, this means that your data may be transferred into the EEA.
Where we transfer personal data to a country or organisation outside the EEA, we will only do so where:
- The country or organisation we are transferring your data to is recognised by the European Commission as providing adequate data protection standards; or
- We have implemented appropriate safeguards to ensure the protection of your personal data, such as standard data protection clauses adopted by the European Commission.
If you would like to receive a copy of the information relating to the safeguards we put in place when we transfer your personal data outside the EEA, then you can contact our Data Privacy Officer using the details provided at the end of this notice.
Retaining Your Data
We have retention policies in place to meet regulatory requirements and client obligations. We retain personal data for the duration of the services that we provide as necessary to meet our contractual obligations to you, to identify issues or to issue and resolve legal proceedings. We also retain personal data beyond the duration of the services that we provide as necessary to meet our legal and regulatory obligations to retain such information under applicable law. We may also retain aggregate information beyond this time for statistical analysis and research purposes and to help us improve our services. Old media (PC and server disks, tapes, etc.) are stored and then destroyed using a reputable specialist organisation.
Retention periods are kept under review. There may be some cases in which we are obliged to delete personal data that we process, such as data that has been processed in breach of applicable law or to comply with a legal obligation to delete it. In other cases, there may be no specific time limit applicable to the retention of particular personal data and, in determining how long particular personal data will be retained for, we will use criteria including whether (a) the data is no longer necessary for the purpose for which it was collected and (b) the data can, if required, be collected again without undue delay or difficulty.
Protecting Your Data
We implement appropriate technical and organisational measures to protect the personal data that we process from unauthorised disclosure, use, alteration or destruction. For more information about the steps we are taking to protect your data, please contact our Data Privacy Officer using the details provided at the end of this notice.
Your Rights & Options
Depending on where you are resident, you may have some or all of the following rights under applicable data protection laws in respect of your data that we hold:
- You have the right of access to your personal data and can request copies of it and information about our processing of it.
- If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
- Where we are using your personal data with your consent, you can withdraw your consent at any time.
- Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way.
- Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so and opt out of all future marketing.
- You can ask us to restrict the use of your personal data if:
  - It is not accurate.
  - It has been used unlawfully but you do not want us to delete it.
  - We do not need it anymore, but you want us to keep it for use in legal claims; or
  - You have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
- In some circumstances you can compel us to erase your personal data and request a machine-readable copy of your personal data to transfer to another service provider.
- You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
Your rights to object to our processing of your personal data are not absolute and it may be that in some circumstances we can continue to process your personal data if we can demonstrate compelling legitimate grounds, which override your interests, rights and freedoms or if the processing is for the establishment, exercise or defence of legal claims.
Further, if you object to our processing of your personal data and, as a result, we stop processing it, we may not be able to continue to provide services to you or to the client with which you are associated or otherwise connected in a particular manner or at all and we may, as a result, need to terminate the provision of our services.
We will delete any personal data no longer required, and will do so in an appropriate and secure manner.
You will not generally have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, please contact our Data Privacy Officer using the details provided at the end of this notice.
You can also lodge a complaint with the national data protection authority of your habitual residence, place of work or place of an alleged infringement.
If you have any questions, or wish to exercise any of your rights, then you can contact our Data Privacy Officer by email at [email protected] or by post to Ocorian Limited, 26 New Street, St Helier, Jersey JE2 3RA, marked for the attention of the Data Privacy Officer.
Data protection regulator contact details
If your request or concern is not satisfactorily resolved by us, you may approach your local data protection authority in the jurisdiction in which we provide services to you.
The contact details for the data protection regulators in the jurisdictions in which we operate are as follows:
- Bermuda: Information Commissioner's Office, Valerie T. Scott Building, 60 Reid Street, Hamilton, Bermuda HM12. Tel: 441‐294‐9181. Email: [email protected]
- British Virgin Islands: There are currently no dedicated data protection laws in the BVI. If you have any questions, or wish to exercise any of your rights, in relation to any BVI‐related data processing by Ocorian, please contact our Data Privacy Officer in the first instance using the details provided above.
- Cayman Islands: The Ombudsman, 5th Floor, Anderson Square, 64 Shedden Road, George Town, Grand Cayman. Tel: +001345 946 6283. Email: [email protected]
- Cote d'Ivoire: National Data Protection Authority (Autorité de protection des données à caractère personnel) c/o ARTCI, Marcory Anoumabo, Abidjan or by post to 18 BP 2203 Abidjan 18 ‐ Côte d'Ivoire. Tel: +225 20 34 43 73 / +225 20 34 43 74. Email: [email protected]
- Dubai: The Data Protection Commissioner, Dubai International Financial Centre Authority, Level 14, The Gate, P.O. Box 74777, Dubai, United Arab Emirates. Tel: +971 4 362 2623. Email: [email protected]
- Jersey: Office of the Information Commissioner, 2nd Floor, 5 Castle St, St Helier, Jersey JE2 3BT. Tel: +44 (0)1534 716530. Email: [email protected]
- Guernsey: Office of the Data Protection Authority, St Martin’s House, Le Bordage, St. Peter Port, Guernsey GY1 1BR. Tel: +44 (0)1481 742074. Email: [email protected]
- Hong Kong: The Office of the Privacy Commissioner for Personal Data, Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong. Tel: +852 2827 2827. Email: [email protected]
- Ireland: Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Republic of Ireland. Tel: +353 (0761) 104 800, LoCall 1890 25 22 31. Email: [email protected]
- Isle of Man: Isle of Man Information Commissioner, First Floor, Prospect House, Prospect Hill, Douglas, Isle of Man, IM1 1ET. Tel: +44 1624 693260. Email: [email protected]
- Luxembourg: National Commission for Data Protection, 1, avenue du Rock 'n' Roll, L‐4361 Esch‐sur‐Alzette, Luxembourg. Tel. +352 (0) 26 10 60‐1. Online: https://cnpd.public.lu/en/support/contact.html
- Malta: Office of the Information and Data Protection Commissioner, Floor 2, Airways House, High Street, Sliema, SLM 1549, Malta. Tel: +356 2328 7100. Email: [email protected]
- Mauritius: Data Protection Office, 5th Floor, SICOM Tower, Wall Street, Ebene, Republic of Mauritius. Tel: +(230)460‐0251. Email: pmo‐[email protected]
- Netherlands: Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Bezuidenhoutseweg 30, 2594 AV The Hague, Netherlands or by post to Postbus 93374, 2509 AJ The Hague, Netherlands. Tel: +31 (0)70 888 85 00.
- Singapore: Personal Data Protection Commission, 460 Alexandra Road, #10‐02 PSA Building, Singapore 119963. Tel: +65 6377 3131. Online: https://www.pdpc.gov.sg/contact
- South Africa: The Information Regulator (South Africa), SALU Building, 316 Thabo Sehume Street, Pretoria, South Africa. Tel: +27 (0) 12 406 4818. Email: [email protected]
- United Kingdom: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel: 0303 123 1113 (local rate). Online: https://ico.org.uk/global/contact-us/
- United States of America: Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Tel: +1 (202) 326‐2222. Online: https://www.ftc.gov/contact
We review our policies and procedures regularly and we reserve the right to amend the terms of this notice from time to time at our absolute discretion. Any amended privacy notice will be posted on our website and you are encouraged to visit our website from time to time to ensure that you are aware of our latest policies in relation to the protection of personal data.
Last Updated: 10 February 2020