Personal Data Protection Policy

1. Introduction and scope

This Personal Data Protection Policy ("Policy") describes the privacy practices of Fiduchi regarding the Processing of Personal Data in respect of our clients (and their associated parties) as part of the provision of services by Fiduchi to clients. Personal Data collected may be received directly from the individual in question or could be received from a third party such as the client's professional advisers. We may sometimes collect additional information from third parties, including credit reference agencies or other background check agencies or databases.

This Policy does not apply to the collection of Personal Data through our website or through cookies. Please refer to our separate Privacy Notice, which includes our Cookies and Google Analytics Policies.

Fiduchi reserves the right to update this Policy at any time without consulting or pre-informing its clients.

2. Definitions

The capitalized terms listed below have the following meaning in this Policy:
a.   “Client” means the counterparty to the Service Agreement with Fiduchi;
b.   “Client Affiliate” means any legal entity affiliated to the Client;
c.   “Client Data Subjects” means the client, their family members, former and current directors, officers and employees and customers of the Client and Client Affiliates and any other party such as professional advisers and officers and employees of those professional advisers appointed formally or informally to the structure to which Fiduchi has been engaged to provide services;
d.   “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
e.   “Data Protection Laws” means the Data Protection (Jersey) Law 2018 which came into force on 25 May 2018 together with all implementing laws and any other applicable data protection, privacy laws or privacy regulations;
f.    “Personal Data” means any information through which a Client Data Subject can be identified directly or indirectly;
g.   “Processing” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
h.   “Processor” shall mean the party, which Processes Personal Data on behalf of the Controller;
i.    “Services” means the services Fiduchi provides to the Client under the Service Agreement;
j.    “Service Agreement” means any written contract, any letter of engagement, any written statement of work, or any other written binding agreement, including any annexes thereto, between Fiduchi and the Client;
k.   “Sub-processor” means any data processor appointed by a Processor to process Personal Data on behalf of the Controller;
l.    “Fiduchi” means the Fiduchi Affiliate that is the contracting entity to the Service Agreement;
m.  “Fiduchi Affiliate” means with respect to any specified person or entity, any other person or entity directly or indirectly controlling or controlled by or under direct or indirect common control with such specified person or entity. For the purpose of this definition, “control”, when used with respect of any specified person or entity means the power to direct or cause the direction of the management or policies of such person or entity, whether through ownership of voting securities or by contract or otherwise. The terms “controlling” and “control” have meaning correlative to the foregoing. Specifically excluded from this definition is Fiduchi Group Limited the shareholding company which controls the Fiduchi Limited affiliation and Fiduchi Yacht Services Limited.

3. Personal data processed by Fiduchi

Fiduchi may collect, store, and use the following categories of personal data about you:
> Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
> Information to meet legal and regulatory requirements including "know your client" information on clients and related parties to comply with anti-money laundering and anti-terrorist financing obligations including identity information (including date of birth, gender and marital status) and information in relation to source of funds and source of wealth;
> Copies of clients' legal/tax or other professional advice, personal tax classification information and tax, social security or other unique identification numbers provided to us in order to enable us to provide services under the Service Agreement;
> Bank account and transactional details and records;
> Information regarding an individual's personal circumstances, including employment status and history, salary details, business interests, property or other assets, or other information about Client Data Subjects which we require to be able to provide the Services;
> Next of kin and emergency contact information;
> Information about your legal requirements and sector of interest;
> Information about your personal and business assets and information relevant to a specific legal issue you seek advice upon.

We may also collect, store and use the following "special categories" of more sensitive personal information:
> Information about criminal convictions and offences;
> Information about Client Data Subjects' family and personal life relevant to the provision of Services;
> In certain circumstances, primarily where a Fiduchi affiliate acts as trustee of a trust and has a legitimate interest in knowing such information, we may collect information concerning the health of individuals and personal data relating to children, for example where such children may have a beneficial interest in any company or trust arrangement in connection with the Services.

4. Use of personal data

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
> Where we need to perform the Services;
> Where we need to comply with a legal obligation;
> Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:
> Where we need to protect your interests (or someone else's interests);
> Where it is needed in the public interest.

We need all the categories of information we collect primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. Sometimes there will be several grounds which justify our use of your personal data.

The situations in which we will process your personal information, together with the purposes for which we are processing or will process your personal information are set out in Schedule 1.

We will only use your personal information for the purposes for which we have collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

In addition, Fiduchi is allowed to use aggregated data – to the extent this can no longer be considered Personal Data - for analysing purposes, for website and for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes and for improving the quality of its Services.

5. Subprocessing and sharing of Personal Data

Fiduchi may appoint certain third parties to provide part of the Services to the Client or assist with providing technical support, such as IT service providers or other suppliers. By signing the Service Agreement, the Client authorises Fiduchi to subcontract the Processing of Personal Data to Sub-processors. Sub-processors are in each case subject to the terms between Fiduchi and the Sub-processor which are no less protective than those set out in this Policy and the Service Agreement. Fiduchi will inform the Client of the details of such Sub-processor(s) upon written request from the Client. Fiduchi will inform the Client in advance of any intended changes concerning the addition or replacement of Sub-processors and thereby give the Client the opportunity to object to such changes.

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. This may involve us sharing your information with:
> Any person with legal or regulatory power over us (such as the Jersey Financial Services Commission, tax authorities, the Jersey Financial Crimes Unit) who may require disclosure on legal grounds or where otherwise required as a matter of law;
> Third party service providers who help us work with you and operate our business and perform the Services (for example IT service providers);
> Entities working with you or your business’ product or service including client entities you have an interest in or which are affiliated to you (unless you instruct us not to);
> Organisations that introduce you to us (unless you instruct us not to);
> Organisations that we introduce you to (unless you instruct us not to);
> Organisations you ask us to share your data with; and
> Banks, credit card companies and direct debit operators and transaction counterparties to the extent necessary to provide the Services.

6. Confidentiality and security

Fiduchi shall keep the Personal Data confidential and will instruct its staff and Sub-processors to do the same. Fiduchi shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risk required pursuant to data protection law and, with effect from 25 May 2018, to the Data Protection (Jersey) Law 2018. In assessing the appropriate level of security, Fiduchi shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

7. Co-operating with requests of the client

Fiduchi shall, upon request and to the extent required under Data Protection Law, co-operate with requests of the Client that relate to the Processing of Personal Data. In particular, Fiduchi shall co-operate with requests that relate to Client Data Subject rights, Data Protection Impact Assessments and audit rights as described below.

Client Data Subject rights: 

Data protection law affords data subjects certain rights in respect of their data. With effect from 25 May 2018, under certain circumstances, by law you have the right to:
> Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
> Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
> Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
> Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
> Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
> Request the transfer of your personal information to another party.
> Where you wish to exercise one of these rights we would request that you make a request in writing. We will ask you to complete our data subject request form to help us respond to your request as quickly and efficiently as possible. We may need to ask you to provide information to verify that you are the data subject or, where the request is made on behalf of another data subject, that you are authorised by that data subject. Where a data subject request is received verbally, we will write to you to confirm your request.
> In accordance with section 27, Part 6 of the Law, upon receipt of a valid data subject access request, we are required to respond to your request within 4 weeks of receipt. Where upon initial investigation we identify that we may require longer than 4 weeks, we will contact you to advise you accordingly and provide an update at regular intervals until such point we have fulfilled your request and within a further period of 8 weeks.
> Where we identify that no action is required by us under the Law, we will inform you accordingly.
> There will be no charge for the request, unless we consider that the request is either manifestly vexatious, unfounded or excessive, in particular because of the repetitive character of the request. Where we consider that a request meets such characteristics we will write to inform you. In such circumstances we may either charge you a reasonable administrative fee for providing the information or decline to respond.
> If you are not satisfied with the response we provide to you in respect of your data subject request, you are able to contact the Office of the Information Commissioner in Jersey who is able to resolve complaints about such matters. The Information Commissioner can be contacted online using the following link: https://oicjersey.org/online-enquiry/#/complain/form
> For any such complaints you will be required to download and complete an enquiry form including all relevant details of your complaint, which can then be submitted via email to enquiries@oicjersey.org or the form can also be sent by post to: Office of the Information Commissioner, One Liberty Place, Liberty Wharf, La Route De La Liberation, St Helier, Jersey JE2 3NY.

Data Protection Impact Assessment (“DPIA”):
DPIAs will be undertaken by Fiduchi where it considers appropriate in accordance with the Data Protection Laws which may include the following circumstances:
> Development of new products and services;
> Technological developments;
> Operational procedures;
> Any other process which may potentially impact the processing of personal data.

Audit rights: 
On reasonable request and notice and at the Client's expense, Fiduchi will co-operate in the conduct of any audit or inspection, reasonably necessary to demonstrate Fiduchi’s compliance with the obligations laid down in this Policy, provided always that this requirement will not oblige Fiduchi to provide or permit access to information concerning:
(i) Information relating to Fiduchi's other Clients;
(ii) Any of Fiduchi's non-public external reports;
(iii) Fiduchi's confidential information; or
(iv) any other internal reports prepared by Fiduchi's Compliance function.

The Client’s requests provided in this section 7 will be fulfilled in close co-operation with and under supervision of Fiduchi's Head of Operations & Risk.

8. Deletion or return of client personal data

At the choice of the Client, Fiduchi will delete or return the Personal Data at the end of the provision of the Services relating to Processing, subject to our stated retention period in our Terms of Business, to the extent reasonably possible and unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, practice and guidelines of any government, regulatory authority or self-regulating organization that applies to the Services in the country where those Services are being provided (“Applicable Law”), or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by Fiduchi.

9. Incident management

Fiduchi shall notify a client or clients impacted by a data incident where required by the Data Protection Laws without undue delay after becoming aware of a personal data breach. All data incidents will be handled by our Head of Operations & Risk, who can be contacted at dpo@fiduchi.com.

Further, Fiduchi has an obligation to report a data breach under Data Protection Law to the relevant authorities. With effect from 25 May 2018, the obligation is to notify the Office of the Information Commissioner in Jersey within 72 hours of the data incident occurring.

At all times Fiduchi will seek to keep the relevant client or clients informed of how the incident arose, what the potential impact of the incident is, the remediation actions taken and any mitigants that will be implemented or other steps being taken to rectify or provide redress.

10. Transfers of client personal data

Where during the provision of services to a client Fiduchi is required to engage with a third party in the processing of client data where that third party is outside of Jersey or the EU, and therefore not subject to data protection law which is equivalent to that in force in Jersey, Fiduchi will:
> Ensure that the third party has in place similar policies and processes which are compliant with the requirements of the Law;
> Consider undertaking a review or obtain other relevant confirmation that the data is being processed in accordance with the Law;
> Ensure that the third party has in place relevant procedures in order to be able to identify data breaches and deal with them including the immediate notification to Fiduchi of such breach arising;
> Ensure that the third party has in place appropriate measures to identify and deal with data subject access requests.

11. Indemnification

The Client warrants that all Personal Data processed by Fiduchi on behalf of the Client is accurate and will be kept up to date as set out in Fiduchi’s Terms of Business as amended from time to time.
The exclusions and limitations of the liability of Fiduchi set out in the Service Agreement and in Fiduchi’s Terms of Business shall also apply to this Policy.

Schedule - How Fiduchi uses your data