This Privacy Notice sets out how we obtain and use personal data about you before and after any relationship with us, in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 (“GDP Law”) and in accordance with the European Union General Data Protection Regulation (2016/679) (“GDPR”).
This notice applies to our clients (including their clients and their underlying principals, directors, officers and employees), service providers, intermediaries and other contacts of ours (whether current, prospective, declined, exited or former) and all users of our website, including those that sign up to our blog and other news items. CoSteer may update this Policy at any time; when we do, and the change is substantive, we will notify you.
The data we hold
The personal data we hold varies depending on the services provided by us, ensuring we only process personal data that is adequate, relevant and necessary for the purpose. The types of data we collect and process include:
Information required to meet legal and regulatory requirements
Information provided during the provision of our services
Financial information, such as payment-related information
Any other information you may provide to us.
Purposes of processing
CoSteer use your personal data for the following purposes:
Purpose and Lawful Basis for Processing
To enter into or exit client relationships and provide governance, risk, compliance and other advisory or training services
To manage our client, intermediary and other business relationships
To seek to ensure our business is conducted efficiently and with a view to enhancing client service
To administer any contract we have entered into with you or where you are a party related to an entity for which we are contracted to provide services
To fulfil the contract we have entered into
To provide our contacts with marketing material
All marketing material is provided on the basis of consent. Consent may be withdrawn at any time by unsubscribing from our newsletter or emailing: [email protected]
To ensure the security of any systems we use and prevent fraud
To obtain legal advice and/or representation
To meet all legal and ethical obligations including in respect of managing conflicts of interest
To ensure we meet all legal and ethical obligations incumbent on us.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.
Please note: We may process your personal data without your knowledge or consent where this is required or permitted by law.
Failure to provide personal data
If you fail to provide certain personal information and data when requested, we may not be able to fulfil the contract we have entered into with you, or on your behalf, or provide the services requested or we may be prevented from complying with our legal obligations.
Sources of personal data
Our sources of data may include clients, data subjects directly, introducers, intermediaries, advisers, third parties connected to the data subject (for example: family member, employer or another service provider who provides services to the data subject) or open-source material.
We collect personal data via the completion of forms [electronic and paper] provided to you and completed by you, from documents provided including due diligence documents, from correspondence including email, and from meetings and telephone conversations.
We will collect personal data throughout the course of our business relationship or while we provide services to clients connected to you.
Recipients of personal data
We rarely share information with third parties; however, we may sometimes have to share it, including with third-party service providers, where required by law, where it is necessary to administer our business relationship, where it is necessary for us to provide the services to you or where we have another legitimate interest in doing so.
The following are potential recipients of personal data (in each case including respective employees, directors and officers):
Sub-contractors, agents, consultants or service providers such as insurance brokers, IT firms or other professional advisers of ours or of our clients, and their clients, and associated parties
Bankers, auditors, accountants, investment brokers, managers or advisers, legal and other professional advisers
Guernsey and overseas regulators, or other government or supervisory bodies and tax authorities when required by law
Law enforcement agencies where considered necessary for us to fulfil our legal obligations
When we engage a third party to process your personal data, we will require them to process your personal data in accordance with this instruction and protect the data against unauthorised or accidental use, access, disclosure, loss or destruction.
They cannot use your personal data for their own purposes. They will only be permitted to process your personal data for a specified purpose and in accordance with instructions. Where they no longer need your personal data to fulfil the contract, they will need to transfer the data back to us and/or destroy or delete any data held by them.
Transferring data outside of Guernsey and the EU
In the event any of the third parties detailed above are outside of Guernsey and the EU and where we are transferring personal data, which would be protected under the GDP Law or GDPR, we will ensure that we meet the relevant requirements prior to carrying out such a transfer. This may include only transferring the data where we are satisfied that:
The non-European Union country has Data Protection laws similar to the Laws in Guernsey and the European Union
The recipient has agreed, through contract, to protect the information to the same Data Protection standards as Guernsey and the European Union
We have obtained consent from the relevant data subjects to the transfer, or
If transferred to the United States of America, the transfer will be to organisations that are part of the Privacy Shield or any subsequent reciprocal arrangement.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used or accessed without authorisation. In addition, we restrict access to your personal data to those employees, agents, contractors, consultants and other third parties who have a business need to access these data. They will only process your personal data on our instruction and they are subject to a duty of confidentiality.
We have in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally obliged to do so.
We only keep data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential for harm from unauthorised use or disclosure of the data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Once our business relationship ends, we will retain and securely destroy your personal data in accordance with our record retention and destruction policy, applicable legislation and/or regulatory requirements.
As a data subject you have the following rights in respect of your personal data:
Right of access - you have the right to request a copy of the personal data that we hold about you and to check that we are lawfully processing that data. You will not have to pay a fee to access your personal data (or exercise any of the other rights) unless your request is clearly unfounded or excessive, in which case we may charge a reasonable fee or refuse to comply with the request.
Right of rectification - you have the right to correct data that we hold about you, which is inaccurate or incomplete.
Right of erasure - this enables you to ask us to delete or remove your personal data where there is no good reason for us to continue to process it.
Right to restrict processing - this enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reasons for processing it.
Right of portability - you have the right to have the data we hold about you transferred.
Right to object - you have the right to object to certain types of processing including direct marketing. You also have the right to ask us to delete or remove personal data where you have exercised your right to object.
Right to object to automated processing including profiling - you have the right not to be subject to decisions based on automated processing or profiling. We do not currently undertake any automated processing or profiling.
If you wish to exercise these rights, you should send the request in the first instance to [email protected]
The changes were related to the incorporation of CoSteer Limited and the changes were not substantive.
In the event you wish to make a complaint about how your personal data is being processed or how your complaint has been handled you have the right to lodge a complaint directly with the Office of the Data Protection Authority (“ODPA”) either via email [email protected] or by post at:
The Office of the Data Protection Authority
St Martin’s House
St. Peter Port
You may also appeal to certain courts against (i) any failure of the ODPA to give written notice of whether the complaint is either being investigated or not being investigated and where applicable, the process and outcome of the investigation and (ii) a determination of the ODPA not to investigate the complaint or a determination that a controller or processor has not breached or is not likely to breach an operative provision in connection with the complaint.
Cookies are small text files which are transferred to your computer or mobile when you visit a website or app.
We use them to:
Remember information about you, so you don’t have to give it to us again. And again. And again
Keep you signed in [if required], even on different devices
Help us understand how people are using our services, so we can make them better
Deliver advertising to websites outside of the UK
Find out if our emails have been read and if you find them useful
First Party Cookies
These cookies are set by the website you’re visiting. And only that website can read them.
Third Party Cookies
These cookies are set by someone other than the owner of the website you’re visiting. Some of our web pages may also contain content from other sites like BPP or ICSA, which may set their own cookies. Also, if you share a link to a page on our website, the service you share it on (for example, LinkedIn) may set a cookie on your browser. We have no control over third-party cookies - you can turn them off, but not through us.
Session Cookies
These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer or Safari).
Persistent Cookies
These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We might use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit, if you use the members area.
Strictly Necessary Cookies
These cookies let you use all the different parts of our website. Without them, services that you’ve asked for can’t be provided. Also, we may collect data from you to help us understand how you are using the website, so we can make it better.
Other Tracking Technologies
Some sites use things like web beacons, clear GIFs, page tags and web bugs to understand how people are using them and to target advertising to them.
They usually take the form of a small, transparent image that is embedded in a web page or email. They work with cookies and capture data like your IP address, when you viewed the page or email, what device you were using and where you were.
Email: [email protected]