Whitmill Group Data Privacy Notice
The Whitmill Group (as defined below) understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all our customers and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the Law (as defined below). In this Privacy Notice “you” and “your” refer to the customer and “we” and “our” refer to the Whitmill Group.
We obtain and process personal data in connection with our services or when offering prospective services to our clients which include:
- providing services to our clients relating to the formation, management and administration of entities (companies, trusts, foundations etc.), accountancy services, provision of trustees, directors, council members and secretaries, provision of marine and aviation services;
- fund services including, fund establishment, multi-currency valuation and fund accountancy, shareholder registration and dealing, corporate secretarial, regulatory compliance monitoring, fund administration across the full regulatory spectrum; and
- assisting clients with the creation of executive remuneration solutions, employee benefit schemes and arrangements for companies, the provision of employed contractors as well as corporate turnarounds, restructuring and insolvency and investment funds.
In this Privacy Notice, when we refer to the “Whitmill Group”, we mean Whitmill Trust Company Limited and Whitmill Trust Company (Gibraltar) Limited.
“Law” shall include the General Data Protection Regulation (EU Regulation 2016/679) and any law issued from it in any relevant jurisdiction, including but not limited to, the Data Protection (Jersey) Law 2018 the Data Protection Act 2018, the Data Protection Act (Gibraltar) 2004, and the Data Protection Act 2004 (Amendment) Regulations (Gibraltar) 2019.
Information About Us
Companies included in the Whitmill Group are registered with the relevant data protection authorities and are regulated by the relevant financial services regulators in each jurisdiction.
- Whitmill Trust Company Limited is registered in Jersey (Company No. 48480) and its registered office is situated at First Floor 17 The Esplanade, St Helier, Jersey, JE2 3QA.
- Whitmill Trust Company (Gibraltar) Limited is registered in Gibraltar (Company No. 101911) and its registered office is situated at 8c Pitman’s Alley, Gibraltar.
What Does This Notice Cover?
This Privacy Notice explains how we, as controllers, use your personal data, how it is collected, how it is held, and how it is processed. It also explains your rights relating to your personal data.
What is Personal Data?
Personal data is defined as any information relating to an identifiable person who can be directly or indirectly identified. In simpler terms, any information that enables you to be identified.
Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. The personal data that we use is set out below in Part 6.
What Rights do you have?
Under the law, you have the following rights, which we will always work to uphold:
- The right to be informed about our collection and use of your personal data;
- The right to access the personal data we hold about you;
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete;
- The right to be forgotten (i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have);
- The right to restrict (i.e. prevent) the processing of your personal data; and
- The right to object to the Whitmill Group using your personal data for a particular purpose or purposes.
For more information about our use of your personal data or exercising your rights as outlined above, please contact the relevant Data Protection Reporting Officer using the details provided in Part 13.
What Personal Data do we Collect?
The Whitmill Group may collect some or all of the following personal data (this may vary according to your relationship with us):
- Date of birth;
- Email address;
- Telephone number;
- Business name;
- Job title;
- Payment information;
- Financial details (e.g. assets, sources of wealth, salary and details of other income, and details of bank accounts, TIN details or their equivalent);
- Education and employment details/employment status for anti-money laundering and customer due diligence purposes; and
- The provision of personal information relating to settlors of trusts, beneficiaries, trustees and protectors, and other related persons such as spouses or children linked to entities / structures we administer / are associated with.
The Whitmill Group may collect your personal data from other companies in the Whitmill Group and persons with whom we have joint ventures or third-party providers or administrators.
How is your personal data collected?
We use different methods to collect data from and about you including through:
- Direct interactions: You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you apply for our services, subscribe to our services or publications, request marketing to be sent to you and give us feedback or contact us.
- Automated technologies or interactions: As you interact with our website, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
- Third parties or publicly available sources: We will receive personal data about you from various third parties and public sources such as analytics providers (Google, for example) and companies’ public registrars.
How Do We Use Your Personal Data?
Under the Law, Whitmill must always have a lawful basis for using personal data. We will process personal data:
- As necessary in order to carry out fund, trust and company administration, executive remuneration solutions, employee benefit schemes and arrangements, marine and aviation administration services by providing management services, the provision of employed contractors and acting on behalf of the managed entity for clients and related parties including, but not limited to:
- To take steps at a client’s request prior to entering into the contract for services;
- To decide whether to enter into a contract for services with prospective clients;
- To be responsible for the management of entities whether funds, trust, company or other structures;
- To arrange for the setting up of bank accounts and discretionary mandates for investment managers;
- To prepare details of assets held by the client and related parties;
- To update clients and related parties’ records; and
- To trace clients’ and related-parties’ whereabouts to contact them about the distribution of assets and to make payments.
- As necessary for our clients’ own legitimate interests or those of other related parties and organisations, e.g.:
- For good governance, accounting, managing and auditing business operations;
- To monitor emails, calls, and other communications with clients and relevant parties; and
- For market research, analysis and developing statistics.
- As necessary to comply with a legal obligation, e.g.:
- When a client exercises their rights under data protection Law and makes a request(s);
- For compliance with legal and regulatory requirements and related disclosures;
- For establishment and defence of legal rights;
- For activities relating to the prevention, detection and investigation of crime; and
- To verify clients’ identity, make fraud prevention and anti-money laundering checks.
- Based on consent, e.g.:
- When clients or related parties request that we disclose personal data to other people or organisations such as an audit or accountancy firm handling a tax return, or otherwise agree to disclosures; and
- To send clients or related parties communications including marketing communications where they have agreed to this.
With your permission and/or where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email or post with information, and news about our services. You will not be sent any unlawful marketing. We will always work to fully protect your rights and comply with our obligations under the Law and you will always have the opportunity to opt out. Should you choose to opt-out, we may not be able to provide services to you as requested.
How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected, and in line with the Law’s requirements.
Where events occur that would result in data needing to be kept for longer, the following factors will be used to determine data retention periods for personal data:
- Retention in case of queries. We will retain personal data as long as necessary to deal with queries (e.g. if an application to subscribe is unsuccessful);
- Retention in case of claims. We will retain personal data for as long as a client or a data subject might legally bring claims against us; and
- Retention in accordance with legal and regulatory requirements. We will retain personal data after the services provided have come to an end based on our legal and regulatory requirements.
How and Where Do You Store or Transfer My Personal Data?
We will only store your personal data on our servers based in Jersey and Guernsey. This means that it will be fully protected under the Law.
Personal data will be transferred to the Whitmill Group in order to allow us to provide our services to clients. Personal data will be processed in jurisdictions where we manage entities and structures. Personal data will also be sent to banks in jurisdictions requested by our clients to open bank accounts and liaise with such banks in respect of bank accounts. Some countries have equivalent protections in place for personal data under their applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply. These include imposing contractual obligations of adequacy in line with data protection legislation. Where this is not possible, the Whitmill Group will rely on the client’s explicit consent to provide such information to entities in these jurisdictions which is considered to be obtained based on the client’s instructions to us.
Please note that we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Do You Share My Personal Data?
Subject to the Law, we may share clients’ personal data with:
- Our group of companies and related joint ventures or representative companies and their employees, officers, agents or professional advisors;
- Sub-contractors and other persons who help us provide our products and services;
- Companies and other persons providing services to clients and related parties;
- Legal and other professional advisors, including auditors;
- Relevant government bodies and authorities, who may in turn share it with relevant overseas tax authorities or regulators in the relevant jurisdictions;
- Courts, to comply with legal requirements, and for the administration of justice;
- Other parties where necessary in an emergency or to otherwise protect clients’ and related-parties’ vital interests;
- Other parties connected with the managed entities and our clients e.g. directors, shareholders, beneficial owners, beneficiaries, trustees or any named official;
- Other parties if there is a restructure or selling of assets or in the case of a merger or re-organisation;
- Payment systems (e.g. Visa or Mastercard), and who may transfer personal data to others as necessary to operate the accounts and for regulatory purposes, to process transactions, resolve disputes, and for statistical purposes, including sending personal data overseas; and
- Anyone else where the clients or related-parties consent is given or as required by Law.
We require all third parties to respect the security of personal data and to treat it in accordance with the Law. We do not allow our third-party service providers to use personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with the data subjects’ instructions.
If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the Law.
How Can I Access My Personal Data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 12. There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request as soon as possible and within 30 days of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
How Do I Contact You?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please contact our responsible person (Data Protection Officer), depending on the jurisdiction, by email at:
firstname.lastname@example.org – Jersey
email@example.com – Gibraltar
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the applicable competent authority within the relevant jurisdiction.
Changes to this Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data held.