Clairvaux is committed to respecting its customers’ rights to privacy. We ask that you read this policy which sets out the basis on which we process your personal data.
The Gibraltar Data Protection Act (DPA) of 2004 was formally adopted on 1st June 2006 giving rights to individuals on whom information is kept and giving responsibilities to those organisations who collect, control and process such data. New General Data Protection Regulations “GDPR” came into force on 25th May 2018.
The Company is a “data controller” with regard to the information it collects and holds on individuals to allow it to provide appropriate services to its clients. The Company has been registered with the Gibraltar Regulatory Authority since 20th October 2017 under the registration number DP014428.
The protection of your privacy and the security of your personal data are very important to us. The purpose of this Privacy Notice is to explain how we collect and use personal information in connection with our business. Clairvaux Limited is a private Wealth Management and Administration provider to a family office. Our contact details are:
➢ Business address: 6.19 World Trade Center, 6 Bayside Road, Gibraltar
➢ Email address: email@example.com
➢ Telephone number: +350 222 50500
➢ Data Protection Officer: June.Lutkin@clairvaux.com
1) REASONABLE & FAIR INFORMATION REQUIREMENTS AND USAGE
- Clients voluntarily submit information required by the Company in order to complete forms and documents in the normal course of business.
- Additional information, such as employment details, names and ages of children, other professional advisors, interest in real estate or art, possible anticipated future cash flow events may be required and will be recorded by the Company in order to meet the requirements of the GFSC (e.g. Newsletter Number 5 of 1992 “Guidance Notes on Know your Customer”).
- The Company may be required to share information with regulated third parties in order to satisfy regulatory KYC requirements. We anticipate this to be mainly other financial institutions.
- A “legal basis” is needed to justify the processing of each data category. A legal basis can be a statutory requirement, such as recording for tax purposes, necessary for a legal obligation, or for the performance of an employment contract, like paying the individual or ensuring work is performed. For much employee data, the legal basis will be a “legitimate interest”, for example capturing data to improve workforce performance or to respond to a dispute.
2) PURPOSE SPECIFICATION; USE AND DISCLOSURE OF INFORMATION
- We obtain and hold information which is necessary to open bank accounts, establish an investment mandate, and adhere to both good practice and regulatory KYC.
- We do not go beyond these parameters except where you offer additional personal information for a particular purpose.
- Our registration with the Data Protection Commissioner (DPC) will reflect the above and will be monitored by the DPCCO.
3) THE DATA WE COLLECT ABOUT YOU
- We may collect, use, store and transfer different kinds of personal data about you during our relationship. However, we will only collect and process that personal data which is necessary in order to achieve one or more legitimate or lawful purposes as set out in this Privacy Notice.
- Personal information collected by us may include:
a. Identity and basic personal data, including name, family information, lifestyle, date of birth and gender (and this includes data on personal appearance, such as identity cards or passport copies).
b. Contact data, including personal address, billing address, delivery address, email address and telephone number.
c. Financial and transaction data, including bank account information, transactional information and information about your financial circumstances (such as wealth, assets and liabilities).
d. Technical and profile data, including internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on devices used to access our website.
e. Usage data, including information about how you use our website, products or services.
f. Marketing and communications data, including your marketing preferences and your communication preferences.
- We may also, to the extent required only for specific and limited purposes, control, process and use certain special categories of personal information (for example, when undertaking “Know Your Customer” or anti-money laundering (AML) checks).
- Any processing of special categories of information will only be undertaken where we have obtained your explicit consent or are otherwise lawfully permitted to do so. These categories of data may include information:
1) on racial or ethnic origin;
2) religious or philosophical beliefs;
3) trade union membership;
4) physical or psychological health details or medical conditions; and
5) biometric data relating to physical, physiological or behavioural characteristics.
- In addition, and only to the extent permitted by law, we may process information about criminal convictions or offences or alleged offences for specific and limited purposes. These may include processing personal data to perform checks in relation to anti-money laundering, fraud, terrorist financing, bribery and corruption. We may also be required to carry out checks in order to comply with our legal obligations to prevent and detect criminal activity.
6) DISCLOSURE OF PERSONAL DATA
- We will only use and share your information where it is necessary for us to lawfully carry out our business activities and for the purposes set out in the above table.
- We will not share your personal information with third parties except:
a. where we have your consent;
b. with other companies in our group;
c. where required as part of our contractual obligations or the provision of our services, which includes sharing:
➢ with financial institutions related to Clairvaux such as custodians and sub-custodians;
➢ with third parties who administer, organise or direct private equity investments;
➢ with service providers, including IT or client relationship management platforms;
d. with our professional advisers, including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services;
e. where we are required by law or by regulators, law enforcement agencies, judicial bodies, governmental or tax authorities;
f. where we choose to sell, transfer, or merge parts of our business or our assets (alternatively, we may seek to acquire other businesses or merge with them); or
g. where we are permitted by law and it is necessary for our legitimate interests or those of a third party (and is not inconsistent with the purposes set out in this Privacy Notice).
- We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
- In certain cases, we may disclose information to third parties about you if we believe disclosure is in accordance with, or required by, our contractual relationship with you or the law. In addition, we may be required by a Court or legal process to disclose certain personal information to regulatory, law enforcement or other competent authorities.
- Your personal data may also be shared with our affiliates, agents, vendors, consultants or suppliers, as well as any other third-party service providers (such as external Counsel, financial institutions or administrators) who are performing certain services for the purposes of our contractual relationship, or on your specific instructions.
7) TRANSFER OF DATA OVERSEAS
- In connection with the provision of our services, your personal data may be transferred to countries or territories outside the European Economic Area (EEA) where necessary (such as where we use service providers outside the EEA). These transfers will only be undertaken on the basis that the relevant transferee protects the data to at least the same standard that we would.
- In the event that we are required to transfer any data outside of the EEA, we will only do so if:
a. the country or organisation we are sharing your information with will protect your information adequately;
b. the transfer has been authorised by the relevant data protection authorities; or
c. we arrange for contractual safeguards where such territories do not offer an adequate level of personal data protection similar to the EEA.
- We may also rely on derogations for specific situations as provided by Article 49 of the General Data Protection Regulation (GDPR). In particular, we may transfer your Personal Data outside the EEA only:
a. with your consent;
b. to perform a contract with you; or
c. to fulfil a compelling legitimate interest we may have in a manner that does not outweigh your rights and freedoms.
The Company maintains the following security provisions:
- “Clear desk policy”: client documentation is not to be visible on desks.
- All Personnel are to lock their computers if they are not at their desks.
- Computer screens to go to screen saver mode after a period of non-usage.
- Scanned versions of client documentation and client reports to be held on the shared computer drive with password protection. Only relevant staff have access and can make amendments to these files. Originals are stored in a locked cabinet.
- All computers and banking software are password protected.
- These provisions are to be updated in line with the other regulatory obligations of the Company.
9) ADEQUATE, RELEVANT AND NOT EXCESSIVE
- Staff are required not to seek information beyond that required to offer investment arrangements for you. In particular, we do not require Sensitive Personal Data such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health conditions or sexual preferences.
- Whilst data concerning criminal offences committed, or alleged to have been committed, or criminal proceedings is also considered to be “Sensitive Personal Data”, it is of clear relevance to assessing suitability of the client for our services and is required to meet our suspicious transactions / MLRO duties.
10) ACCURATE AND UP TO DATE
- Client relationship managers, when meeting with you, will request relevant and up-to-date KYC and client information in order to maintain accurate and up-to-date client files.
11) RETENTION TIME
- Records relating to the verification of your identity must be retained for five years after an account is closed or the business relationship ended.
- Invoices, accounts, financial reports and other significant company records are retained indefinitely.
12) RIGHT OF ACCESS
- You have the right to access information held about you.
- Requests received from you are to be directed to the managing director or the deputy, who will as necessary refer to and/or take advice on how to ensure the handling of such requests is in line with the DPO.
- Any data held on paper or electronically should be available to you, free of charge, in a commonly used format, electronically and within one month. You should communicate what categories of data you need, and an explanation of why, to narrow down what the Company needs to provide. An administration fee can be charged for an excessive request.
- You also have the right to ask us not to process your personal data for marketing purposes.