Client Data Privacy Statement
This statement sets out how MitonOptimal Portfolio Management (CI) Limited (MOCI) will process your personal data (as the Data Controller).
In providing Services, MOCI is obligated and/or permitted by Guernsey law to retain copies of certain Personal Data in respect of its relationship with its clients.
MOCI is registered under the Data Protection (Bailiwick of Guernsey) Law 2017 and will retain the Personal Data collected from you in electronic and hard copy form.
Your personal information may be disclosed to other companies within the MitonOptimal Group in order to facilitate the provision of the Services. When processing Personal
Data there will be times where MOCI acts in the capacity of a data controller (as defined under the Data Protection (Bailiwick of Guernsey) Law 2017).
Please note the following terms set out below will apply to the way in which MOCI process Personal Data when acting as a data controller.
Purposes of processing and legal basis for processing MOCI may process Personal Data for the following purposes:
- MOCI will itself (or through a third party e.g. media screening agency) process certain information about you or your directors, officers and employees and your beneficial owners (if applicable) in order to carry out media and anti-money laundering checks and related actions which MOCI considers appropriate to meet any legal obligations imposed on MOCI relating to data processing, the prevention of fraud, money laundering, terrorist financing, bribery, corruption, tax evasion and to prevent the provision of financial and other services to persons who may be subject to economic or trade sanctions, on an on-going basis, in accordance with MOCI’s anti-money laundering procedures;
- to provide the Services to you and/or for MOCI’s internal administration;
- to monitor calls and electronic communications for investigation and fraud prevention purposes, for crime detection, prevention, investigation and prosecution, and to enforce or defend MOCI and its affiliates’ rights, itself or through third parties to whom it delegates such responsibilities or rights in order to comply with a legal obligation imposed on MOCI.
Recipients of data and international transfer of data MOCI may disclose your personal information as follows:
- to Compliance Consultancies in order to carry out money laundering and identity checks to comply with regulatory obligations;
- to third party vendors in order to process the data for the above mentioned purposes, such as IT providers and Custodians;
- to competent authorities, courts and bodies as required by law or requested or to affiliates for internal investigations and reporting; and
- to MOCI’s affiliates in order to share your Personal Data for hosting and future investments or Services.
The disclosure of personal information to third parties set out above may involve the transfer of data to the United States of America and other jurisdictions outside the EEA. Such countries may not have the same data protection laws as your jurisdiction.
MOCI will not transfer Personal Data to persons located outside the European Economic Area (EEA) until, if required by applicable Data Protection Law, that person has entered into an agreement with MOCI that includes the standard contractual clauses (known as model contract clauses) that are recognised by the European Commission as offering adequate safeguards in relation to data protection.
Your Personal Data is only processed in accordance with applicable Data Protection Laws and in order to maintain an appropriate level of protection over that Personal Data. Please contact MOCI Data Protection Officer for further details, including copies of the standard contractual clauses referred to above (see further contact details below).
MOCI will retain your personal information for six years or any longer term required for it and its Affiliates to perform the Services and/or as required by Data Protection or other applicable law.
Data Subject Rights
You have the following rights, in certain circumstances, in relation to your Personal Data:
- right to access your Personal Data;
- right to rectify your Personal Data;
- right to restrict the use of your Personal Data;
- right to request that your Personal Data is erased;
- right of data portability;
- right not to be to be subject to a decision based solely on automated processing; and
- right to object to processing of your Personal Data.
Where you have provided your consent to processing, you may withdraw your consent at any time by contacting MOCI by writing to our Data Protection Officer stating that you withdraw your consent. Where MOCI requires your Personal Data to comply with CDD or other legal requirements, failure to provide this information means MOCI may not be able to provide the Services.
You have the right to lodge a complaint with a Supervisory Authority.
What kind of Personal Data do we collect?
We do not collect extensive data in relation to Suppliers – we simply need to make sure that our relationship runs smoothly. We’ll collect the details for our contacts within your organisation, such as names, telephone numbers and email addresses. We’ll also collect bank details, so that we can pay you. We may also hold extra information that someone in your organisation has chosen to tell us.
How do we collect it?
We collect Personal Data during the course of our working relationships.
How do we use Personal Data?
The main reasons for using Personal Data are to ensure that the contractual arrangement can properly be implemented and to comply with legal requirements. We will only use information:
- To store (and update when necessary) details on our database, so that we can contact you in relation to our agreements;
- To offer services to you or to obtain support and services from you;
- To perform certain legal obligations; and
- To help us to establish, exercise or defend legal claims.
We may use personal data for these purposes if we deem this to be necessary for our legitimate interests.
If you are not happy about this, in certain circumstances you have the right to object and can contact us at the address detailed at the end of this notice.
How long do we keep Personal Data for?
If we have not had meaningful contact with you for a period of three years, we will delete your personal data from our systems unless we believe in good faith that the law or other regulation requires us to preserve it (for example, because of our obligations to local authorities or in connection with any anticipated litigation). After this period, it is unlikely your data will be relevant for the purpose for which it was collected.
When we refer to “meaningful contact”, we mean, for example, communication between us (either verbal or written), or where you are actively engaging with us and using our services. We will consider there to be meaningful contact with you if you communicate with us about potential services, either by verbal or written communication. Your receipt, opening or reading of an email or other digital message from us will not count as meaningful contact – this will only occur in cases where you click-through or reply directly.
Data Protection Officer – contact details
If you have any questions about our use of your Personal Data, please contact the Data Protection Officer, MitonOptimal Portfolio (CI) Limited, PO Box 354, Suite 1, Weighbridge House, Lower Pollet, St. Peter Port, Guernsey, GY1 3XF, or on +44 (0) 1481 740044.
MOCI may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 4th May 2018.
The Information we collect
So we can provide you with services that meet your precise financial needs we obtain certain information about your personal and financial situation and may collect the following information:
- identity details: Such as your name, age, date of birth, gender and national insurance number
- personal and professional contact details: this includes your email, phone number, mobile number and address:
- associated third party information, this could include your spouse, children or beneficiaries of trusts financial details, this could include source of wealth, existing investments, tax returns and bank details concerning your attitude to investment risk
- information on your children or dependants: where a child is named as a beneficiary on the policy taken out by a parent or guardian on their behalf. In these cases, we will collect and use only the information required to identify the child (such as their name, date of birth and gender)
- use of our website: This information is collected through cookies as further explained in our cookies policy.
How and why we use this information
We have published this policy so that you understand what we do and why, and in order that, if you wish to challenge us, you have information about the rights. This policy is not detailed with respect to all aspects of our processing of personal data because so much depends on your needs and individual circumstances. We have given as much information as we can by way of default, and we supplement this where appropriate in other documentation.
The purposes are as follows:
- Marketing to you as a prospective client
- Accepting you as a client
- Dealing with you as a client
- Performing our Services to clients, which involve processing personal data about others associated with them, such as a spouse, parent, guardian, child or other family member, a representative of our client, or a trustee, settlor or beneficiary
- Operating our business
We may use the information to improve our products and services.
We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests. Security We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Links to other Websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website.
Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Controlling your Personal Data
You may choose to restrict the collection or use of your Personal Data in the following ways:
- whenever you are asked to fill in a form on our website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
- if you have previously agreed to us using your Personal Data for direct marketing purposes, you may change your mind at any time by writing to or emailing us at [email protected]
We will not sell, distribute or lease your personal information to third parties unless we are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
You may request details of personal information which we hold about you under the Data Protection (Bailiwick of Guernsey) Law 2017 as amended. If you would like a copy of the information held on you please write to:
MitonOptimal Portfolio Management (CI) Limited
PO Box 354
Suite 1, Weighbridge House
St. Peter Port
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
Our Legal Bases for processing your data – Legitimate Interests
Schedule 2, part 1 (4) of the Data Protection (Bailiwick of Guernsey) Law 2017 is the one that is relevant here – it says that we can process your data where it “is necessary for the purposes of legitimate interests to the controller or a third party, except where the processing is in the context of exercise or performance by a public authority of a function or task.”
We don’t think that any of the following activities prejudice individuals in any way – in fact, they help us to offer you a more tailored, efficient service which is beneficial to both parties. However, you do have the right to object to us processing your personal data on this basis.
We think it’s reasonable to expect that if you are looking for us to provide a Service, you are happy for us to collect and otherwise use your personal data to offer or provide our services to you.
We must make sure our business runs smoothly, so that we can carry on providing services to clients like you. We therefore also need to use your data for our internal administrative activities, like invoicing where relevant.
We have our own obligations under the law, which is a legitimate interest of ours to insist on meeting. If we believe in good faith that it is necessary, we may therefore share your data in connection with crime detection, tax collection or actual or anticipated litigation.
In certain circumstances, we are required to obtain your consent to the processing of your personal data in relation to certain activities. Depending on exactly what we are doing with your information, this consent will be opt-in consent or soft opt-in consent.
Section 10 of the Data Protection (Bailiwick of Guernsey) Law 2017 states that consent “means any specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the data subject”.
In plain language, this means that:
- you have to give us your consent freely, without us putting you under any type of pressure;
- you have to know what you are consenting to – so we’ll make sure we give you enough information;
- you need to take positive and affirmative action in giving us your consent – we’re likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
We will keep records of the consents that you have given in this way.
In some cases, we will be able to rely on soft opt-in consent. We are allowed to market products or services to you which are related to the services we provide as long as you do not actively opt-out from these communications.
As we have mentioned, you have the right to withdraw your consent to these activities. You can do so at any time, and details of how to do so can be found by contacting us using the contact details provided at the end of this privacy notice.
Establishing, exercising or defending legal claims
Sometimes it may be necessary for us to process personal data and, where appropriate and in accordance with local laws and requirements, sensitive personal data in connection with exercising or defending legal claims. Schedule 2, part 1(6) “The processing is necessary for the controller to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by law, otherwise than by an enactment or an order or a judgment of a court or tribunal having the force of law in the Bailiwick”.
This may arise for example where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.
Appendix 2 – General
How can you access, amend or take back the personal data that you have given us?
One of the GDPR’s main objectives is to protect and clarify your rights with regards to data privacy. This means that you retain various rights in respect of your data, even once you have given it to us. These are described in more detail below.
To get in touch with us about these rights, please contact us using the contact details listed at the bottom of this notice. We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Right of access: You may ask us to confirm what information we hold about you at any time. We may ask you to verify your identity and for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is “manifestly vexatious, unfounded or excessive”. Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons for doing so. Right to rectification: You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
Right to erase (to be forgotten): You have the right to request that we erase your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
- the data is no longer necessary for the purpose for which we originally collected and/or processed them;
- where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;
- the data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);
- it is necessary for the data to be erased in order for us to comply with our legal obligations as a data controller; or
- if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
- for public health reasons in the public interest;
- for archival, research or statistical purposes; or
- to exercise or defend a legal claim.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
Right to restrict processing: You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, or the protection of the rights of another individual.
The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
- where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
- where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
- where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
- where we have no further need to process your personal data, but you require the data to establish, exercise, or defend legal claims.
If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
Right of data portability: If you wish, you have the right to receive and transfer your personal data between data controllers where technically feasible. This right of data portability applies to: (i) personal data that we process automatically (i.e. without any human intervention); (ii) personal data provided by you; and (iii) personal data that we process based on your consent or in order to fulfil a contract.
Right to object to processing: This right enables you to object to us processing your personal data where we do so for one of the following four reasons: (i) our legitimate interests; (ii) to enable us to perform a task in the public interest or exercise official authority; (iii) to send you direct marketing materials; and (iv) for scientific, historical, research, or statistical purposes.
The “legitimate interests” and “direct marketing” categories above are the ones most likely to apply to our Website Users, Clients and Suppliers. If your objection relates to us processing your personal data because we deem it necessary for your legitimate interests, we must act on your objection by ceasing the activity in question unless:
- we can show that we have compelling legitimate grounds for processing which overrides your interests;
- or we are processing your data for the establishment, exercise or defence of a legal claim.
If your objection relates to direct marketing, we must act on your objection by ceasing this activity.
Right not to be to be subject to a decision based solely on automated processing: We do not base any decisions solely on automated processing of your personal data, but if we did you would have the right to restrict our use of your data for this purpose.
You also have the right to lodge a complaint with your local authority. Details of how to contact them can be found at the end of the privacy notice.
If you would like to exercise any of these rights or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), details of how to contact us can be found at the end of the privacy notice. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
If registered for newsletters or investor updates, you may ask to unsubscribe at any time using the contact details provided at the end of this privacy notice.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period for which we hold your data.
Clients – This category covers our clients, and others to whom MOCI provides services in the course of its business.
Delete – while we will endeavour to permanently erase your personal data once it reaches the end of its retention period or where we receive a valid request from you to do so, some of your data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists on an archive system, this cannot be readily accessed by any of our operational systems, processes or employees.
General Data Protection Regulation (GDPR) – a European Union statutory instrument which aims to harmonise European data protection laws. It has an effective date of 25 May 2018, and any references to it should be construed accordingly to include any national legislation implementing it.
Data Protection (Bailiwick of Guernsey) Law 2017 – Will be implemented 25 May 2018 and will replace any previous the Data Protection (Bailiwick of Guernsey) Laws.
Suppliers – refers to partnerships and companies (including sole traders), and atypical workers such as independent contractors and freelance workers, who provide services to MOCI. In certain circumstances MOCI will sub-contract the services it provides to Clients to third party suppliers who perform services on MOCI behalf.
Website Users – any individual who accesses the MOCI website.