What is a Privacy Notice?
AIX wants to ensure that individuals understand what information we have about them, how we will use it and for what purpose. We are also required by data protection legislation to explain certain matters to you. This Privacy Notice is intended to set these matters out in one place and in a way that you can understand.
As a “data controller”, we are responsible for deciding how we hold and use certain personal information about you and we are required under data protection legislation to notify you of the information contained in this Privacy Notice.
It is important that you read this Notice, together with any other Privacy Notice we may provide to you on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Changes to this Privacy Notice?
This Privacy Notice may be updated from time to time in line with changes to how we process personal data. We will publish any new version of the Privacy Notice on our website.
Data Protection Legislation
On 25th May 2018 Regulation 2016/678 of the European Union on the protection of personal data (“GDPR”) came into effect in Gibraltar.
Data Protection Principles
AIX will ensure that the personal information we hold about you is:
- Used lawfully, fairly and in a transparent way
- Collected only for specified and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes we have told you about
- Accurate and kept up to date
- Not kept in a form which permits your identification for longer than necessary and kept only as long as necessary for the purposes we have told you about
- Kept securely
- Not transferred to another country without appropriate safeguards being in place
What information about you will we use?
“Personal data”, or “personal information”, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (“anonymous data”).
Whilst personal data does not extend to Companies, LLPs, Trust structures or other similar entities, please note that we will often obtain personal information about the individuals connected to such an entity.
There are also “special categories” of more sensitive personal data which require a higher level of protection.
The types of personal data that we will collect, store and use about you may include:
- Name (including, where relevant, maiden name) and contact information such as your home and/or business address, email address and telephone number and emergency contact details
- Identity and biographical information including your nationality, gender, date of birth, marital status and dependants, tax status information, passport/national identity card details and country of domicile, your employment and employment history, job title and role, educational profile, interests and other information relevant to our provision of professional services
- Information in relation to your financial assets and liabilities, sources of wealth, as well as your bank account details and other information necessary for processing payments and for fraud prevention purposes
- Information that you provide to us for the provision of professional services, including information about our meetings with you
Special Categories of Personal Data
Special Categories of more sensitive personal data which we may also collect, process and store for the purpose of the provision of professional services may include your race or ethnicity, religious beliefs, sexual orientation, trade union membership, political opinions and information relating to criminal convictions and offences.
These special categories of personal data require a higher level of protection and we will ensure that this is achieved.
How is your personal information collected?
When you are our client most of the information we collect is obtained from you. You may, for example, provide us with personal information when you initially request us to provide professional services and also during the normal course of providing those professional services.
You may also provide personal information when completing client engagement formalities and when you are responding to our “know your customer” (“KYC”) requirements.
You provide us with personal information when you:
- Get in touch with us via our website
- Email our trust.gi email addresses
- Directly interact with us personally
- Provide us with documentation we may require for compliance with our KYC obligations
- Complete any forms which we may require you to complete to assist us with our compliance with our KYC obligations
We may receive personal data about you from public registries and from various third parties (including your organisation, agents, advisers, intermediaries or custodians of your assets and our clients or those involved in the matter in which we are engaged).
We may also collect personal information about you from you, or sometimes from persons or entities authorised by you to provide us with information.
As you interact with our website, we may automatically collect personal information about you.
We collect this personal data by using cookies and other similar technologies. A cookie is a small file of letters and numbers that we store on your browser or the hard disk of your computer.
Our basis for processing and how and why we use your personal information
How we use your personal data will depend on whether you are a client, a representative of a client, a business contact, someone whose personal data we necessarily process as part of our provision of professional services, or otherwise.
We may process your personal data for the following purposes:
- Providing a proposal to you or your organisation in relation to the professional services we offer and for client engagement purposes (including the carrying out of background checks)
- Providing professional services to you and/or our clients (including legal research and advice, associated advisory services)
- Managing our relationship with you and/or our clients (including billing and financial management), for record-keeping purposes and more generally for our proper and efficient operation
- Dealing with any complaints or feedback you may have
- Monitoring and improving the performance and effectiveness of our services, including by training our staff
- In circumstances where we require our own legal advice, and to exercise and defend our legal rights
- Compliance with our legal and regulatory obligations, such as anti-money laundering laws (which may include the carrying out of the background checks and retention of a record of such checks), data protection laws and tax reporting requirements, and/or to assist with investigations by police and/or other competent authorities (where such investigation complies with relevant law) and to comply with court orders
- Safeguarding the security of our systems and communications
- For security purposes generally and to ensure the safety of our employees and visitors and/or
- Our marketing purposes
We may process your personal data for any of the purposes set out above where one (or more) of the following lawful processing grounds applies:
- It is necessary to perform a contract with you, or to take steps at your request before entering into a contract with you
- It is necessary for us to comply with our legal obligations
- It is necessary for our legitimate interests (including the operation of our business, and the provision of professional services) or those of any client or relevant third party, unless those legitimate interests are overridden by your interests or fundamental rights or freedoms and/or
- You have consented to the processing in question
The situations in which we will commonly use your personal information include:
- To provide services to you under the engagement letter we have entered into with you
- To pay (on occasion) any disbursements to third parties in connection with the services provided to you
- Liaising with the Supreme Court of Gibraltar and public registries (like Companies House or Land Property Services)
- Liaising with regulators (like the Gibraltar Financial Services Commission)
- Liaising with third party service providers (which may be providing other services to you or others)
- Liaising with legal advisors to third parties in respect of the services being provided to you by us (where those third parties are a party to the matter in which we act for you)
With what other entities might your personal information be shared?
We may have to share your data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Such third parties include your organisation, our own client in a particular matter and third-party service providers.
We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the EEA. If we do so, you can expect a similar degree of protection in respect of your personal information.
For how long will your personal information be kept?
We will only retain your personal data for as long as necessary to fulfil the purposes set out above. We may keep your personal data for longer where we are required to do so by law, or if it is necessary to make or defend a legal claim or an applicable code of conduct permits or requires us to retain the data for longer.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process any data, and the likelihood of any legal claim.
Is information being kept safe?
We take the security of your personal information very seriously and we have put in place internal controls and security measures to protect it.
We have put in place appropriate measures to prevent your personal information from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way. Personal data will only be transferred to another data processor if they agree to comply with those measures, or if they have adequate measures.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Your rights in relation to your personal information
You have certain rights in relation to your personal data as summarised here:
- Right to be informed- you have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights; this is why we are providing you with the information in this privacy notice
- Right to withdraw consent- Where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time
- Right to access- you can request access to your personal data
- Correcting your information- where we hold information about you that is inaccurate or incomplete, you can ask us to correct the inaccuracies or complete it
- Erasing your information- in certain circumstances you may require us to erase and/or destroy the information
- Right to restrict processing- in certain circumstances you have the right to restrict some processing of your personal information, which means that you can ask us to limit what we do with it
- Right to object to processing- you can object to us processing your personal information in certain circumstances, including where we are using it for the purpose of the Company’s legitimate business interests as set out above
- Right to data portability- you have the right to obtain from us and re-use your personal data for your own purposes. This only applies, however, where the processing is carried out by automated means, to personal data that you have provided to us yourself (not any other information) and where the processing is based on your consent or for the performance of a contract
- Right to complain- you are able to submit a complaint to Gibraltar Regulatory Authority about any matter concerning your personal information, using the details below. However, we take our obligations seriously, so if you have any questions or concerns, we would encourage you to raise them with us first, so that we can try to resolve them
Subject Access Requests
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may refuse to comply with your request in circumstances where your request is clearly unfounded, repetitive or excessive.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to facilitate our response to any request you make.
Time limit to respond
We try to respond to all legitimate requests as soon as reasonably practicable and, in any event, within 30 days of receipt of such requests except in cases of complex or multiple requests.
You have the right to make a complaint at any time to the Gibraltar Regulatory Authority (“GRA”), which is the supervisory authority for data protection issues in Gibraltar (www.gra.gi).
We would, however, appreciate the chance to deal with your concerns before you approach the GRA and we ask you to contact us in the first instance.
The GRA’s contact details are:
Gibraltar Regulatory Authority
1 Europort Road
Tel: (+350) 200 74636
If you have any questions about anything in this privacy notice, please do not hesitate to contact our Data Protection Officer.
His contact details are:
AIX Corporate Services
292 Main Street
PO Box 547
Tel: (+350) 200 74573