Privacy
Purpose of this notice
This privacy notice describes how Hamilton Trust Company Limited and International Mangers Bermuda Ltd. (“HTCL/IMBL”, “we”, “us” or “our”) collects and uses Personal Data, in accordance with Bermuda’s Personal Information Protection Act 2016 (PIPA), the EU General Data Protection Regulation (GDPR), and any other applicable data protection laws in the United Kingdom and EU (collectively “data protection laws”). GDPR extends the scope of current EU data protection regulations to data controllers and data processors located outside of the EU where data is processed in connection with the offer of goods and services to individuals in the EU. Personal Data is any information relating to an identified or identifiable living person. Words used with first letter capitalisation (e.g. Personal Data), unless otherwise defined in this policy, have the same definition and meaning as under data protection law.
We are committed to protecting your personal, financial and business information. Types of Personal Data Given the diversity of the services we provide to clients as well recruiting high caliber associates, we may
process many categories of Personal Data. By way of example, we could collect and process:
- contact and personal details (including name (current and former), address, date of birth, nationality, employer name, contact title, phone, email and other business or family contact details)
- detailed tax status information, including your tax domicile and identification number (TIN)
- business activities
- family information
- information related to transactions or financial behaviour arising from your relationship with us and from other financial institutions
- information that you provide on an application form for any services that we provide
- other information obtained from checking tools we use and form searching information in the public domain
- in respect of corporate or institutional customers, information on persons including but not limited to shareholders, partners, trustees, settlors, protectors, beneficiaries etc...
Collection of Personal Data
We will only collect such Personal Data that is necessary for us to perform our services and comply with regulatory requirements and we ask our clients only to share such Personal Data as required for that
purpose. Where we identify that a client has provided us with unnecessary Personal Data we will either return that information to its source or destroy it, taking into account our client’s preference wherever
possible. We may collect and confirm your information during the course of our relationship with you and will only use personal information which constitutes personal data in accordance with relevant data protection laws
Generally, we collect Personal Data from individuals, our clients or from third parties acting on the instructions of the relevant client. Examples of this collection include when:
- we are contacted about our services
- a proposal is requested from us in respect of the services we provide
- our clients engage us to provide our services and also during the provision of those services
- from third parties(e.g. agents of our clients, or from corporate entities who employ Data Subjects) and/or publicly available resources and
- applications for employment.
Use of Personal Data
Here we set out the basis upon which we process Personal Data. Please note that we may process Personal Data for more than one lawful basis, depending on the specific purpose for which we are using that
information. We may use or process your information for the following purposes:
- To verify your identity and investigate your personal background;
- To facilitate or otherwise assist in the provision of your trust and or company with us or any service provided by us to you;
- To service any of your other relationships within the Moore Global Network Limited (“MGNL”) group
- To meet our regulatory and or legal and or financial and or other reporting obligations in any jurisdiction (as applicable);
- To comply with laws, regulations or court orders in any jurisdiction;
- To prevent or detect fraud, money laundering, terrorist financing or other criminal conduct (including but not limited to compliance with HTCL and IMBL’sinternal know your client, anti‐money laundering and anti‐terrorist financing and anti‐bribery and corruption policies).
- As a record of any information obtained from or about you in the course of our relationship; and
- To allow for certain efficiencies including operating and managing systems,systems back‐up and data recovery, risk evaluations, know your client procedures to verify client identity, and anti‐money laundering screening.
Many of our services require us to process Personal Data for purposes necessary for the performance of our relationship with our clients. For example, this may include processing Personal Data to provide trust and or corporate services to our clients, or processing the Personal Data of a Data Subject who is the employee, subcontractor, supplier or customer of our client.
Legitimate interests
We may process Personal Data for the purposes of our own legitimate interests in the effective delivery of information and services to our clients, and in the effective and lawful operation of our businesses, provided that those interests do not override the interests, rights and freedoms of a Data Subject which require the protection of that Personal Data. Examples of such processing activities include:
- managing our relationship with clients;
- developing our businesses and services (such as identifying client needs and improvements in service delivery);
- monitoring the services we provide clients for quality control purposes, which may involve processing the Personal Data stored on the relevant professional file;
- managing risk in relation to client engagements and to the firm generally;
- maintaining and using IT systems, including security monitoring to identify harmful programs;
- hosting or facilitating the hosting of events;
- administering and managing our website and systems and applications.
Compliance with a legal obligation
As with any provider of professional services, we are subject to legal, regulatory and professional
obligations. We will process Personal Data as necessary to comply with those obligations.
One example of such processing includes anti‐money laundering activities such as carrying out searches
(such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk
individuals and organisations, and to check that there are no issues that would prevent us from working
with a particular client (such assanctions, criminal convictions (including in respect of company directors),
conduct or other reputational issues).
Consent
In certain limited circumstances, such as where a Data Subject has agreed to receive marketing
communicationsfrom us, we may process Personal Data by consent. Where consent isthe only basis upon
which Personal Data is processed the relevant Data Subject shall always have the right to withdraw their
consent to processing for such specific purposes.
It is our policy to only process Personal Data by consent where there is no other lawful basis for
processing.
Data retention
We retain the Personal Data processed by us for as long as is considered necessary for the purpose for
which it was collected (including as required by applicable law or regulation).
In the absence of specific legal, regulatory or contractual requirements, our standard retention period for
records and other documentary evidence created in the provision of services is 10 years.
Our standard email retention period is 10 years.
We continually review our data retention policies, and we reserve the right to amend the above retention
periods without notice.
Other records, which are not required to be retained as part of our professional services, will be kept for
a period of time depending on:
•the type, amount and categories of Personal Data we have collected;
•the requirements of our business and the services we provide;
•the purposes for which we originally collected the Personal Data;
•the lawful grounds upon which we based our processing;
•any relevant legal or regulatory obligations;
•whether the purpose of the processing could be reasonably fulfilled by other means.
Data Security
We take the security of all the data we hold very seriously. We have a framework of policies, procedures
and training in place covering data protection, confidentiality and security and regularly review the
appropriateness of the measures we have in place to keep the data we hold secure.
We have put in place appropriate security measures to prevent Personal Data from being accidentally
lost, used or accessed in an unauthorised way, altered or disclosed. This is not only in accordance with our
obligations under PIPA and GDPR, but also in accordance with our regulatory obligations of confidentiality.
In addition, we limit access to Personal Data to those employees, agents, contractors and other third
parties who have a business need to know, and our IT systems operate on a ‘least privileged’ basis by
default. Third parties will only process Personal Data on our instructions and they are subject to a duty of
confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify any
affected Data Subject and any applicable regulator of a suspected breach where we are legally required
to do so.
In some circumstances we may anonymise or pseudonymise Personal Data so that it can no longer be
associated with the Data Subject, in which case we may use it without further notice.
Data transfers
We will share Personal Data with third parties where we are required by law, where it is necessary to
administer our relationships between clients and Data Subjects, or where we have another legitimate
interest in doing so.
We are part of a global network of firms and accordingly Personal Data may be transferred to other
member firms of MGNL. This may result in Personal Data being transferred outside the countries where
we and our clients are located. This includes to countries outside the European Union (EU) and to
countries that do not have laws that provide specific protection for personal data. All Personal Data will
be provided with adequate protection and all transfers of Personal Data outside the EU are done lawfully.
Where we transfer Personal Data outside of Bermuda and the EU to a country not determined by the
Bermuda Privacy Commissioner (BPC) and the European Commission (EC) as providing an adequate level
of protection for Personal Data, the transfers will be under an agreement which covers both PIPA and EU
requirements for the transfer of personal data outside the applicable jurisdiction, such as the BPC and EC
approved standard contractual clauses.
Please also see https://www.moore‐global.com/locations for a list of firms and countries in which
member firms of MGNL operate. We will also share Personal Data with other entities within our group,
subject to the safeguards mentioned above.
We will also share Personal Data with relevant legal and third‐party service providers.
For example:
regulators;
law enforcement agencies;
government institutions;
court systems;
our IT and cloud services, and to operate and manage these services;
professional advisory services (including auditors);
administration services;
marketing services;
banking services.
All of our third‐party service providers are required to take commercially reasonable and appropriate
security measures to protect your personal data. We only permit our third‐party service providers to
process your personal data for specified purposes and in accordance with our instructions.
Rights and responsibilities
A Data Subject’s duty to inform us of changes
It is important that the Personal Data we hold about you is accurate and current. Should your personal
information change, please notify us of any changes of which we need to be made aware by contacting
us, either through your usual contact at HTCL or IMBL or by using one of the means set out at the end of
this privacy notice.
A Data Subject’s rights in connection with Personal Data
If you believe that any of the centrally held information including your personal information is incorrect
or inaccurate, you should notify us so that the information can be updated or corrected as appropriate.
Data Subjects may have certain rightsin relation to the Personal Data held by us about them. In particular,
they may have a right to:
•request access to their Personal Data. This enables a Data Subject to receive details of the
Personal Data we hold about them and to check that we are processing it lawfully;
•ask that we update the Personal Data we hold about them, or correct such Personal Data that
they think is incorrect or incomplete;
•request erasure of their Personal Data. This enables a Data Subject to ask us to delete or remove
Personal Data where there is no good reason for us continuing to process it. Data Subjects also
have the right to ask us to delete or remove Personal Data where they have exercised their right
to object to processing (see below). Please note that we may not always be able to comply with a
request for deletion of Personal Data for legal reasons which will be notified, if applicable, after
receiving such a request;
•request the restriction of processing of their Personal Data. This enables a Data Subject to ask us
to suspend the processing of Personal Data about them, for example if they want us to establish
its accuracy or the reason for processing it;
These rights are subject to any applicable exemptions under relevant data protection laws.
Withdrawal of consent
You can withdraw your consent to the processing of personal information (where we are processing your
personal information based on your consent). If you object to the processing of your personal
information, or if you have provided your consent to processing and you later choose to withdraw it, we
will respect that choice in accordance with our legal obligations. However, this may limit or prevent us
from providing the services you have asked for. It may also make it more difficult to advise you orsuggest
appropriate alternatives.
If you feel that we do not comply with applicable privacy rules you have the right to lodge a complaint
with the competent data protection authority.
To withdraw consent to our processing of your Personal Data please email us at
dataprotection@moorehtcl.bm
Contacting us to exercise a right
You may seek to exercise these rights at any time by sending a request by email
dataprotection@moorehtcl.bm or by writing to Data Privacy Officer, Hamilton Trust Company Limited and
or International Managers Bermuda Ltd., Wessex House, 45 Reid Street, Hamilton HM 12, Bermuda and
providing further information (including appropriate proof of identity) as requested by us.
Please note that it is our policy not to provide copy documents if we are contacted by a Data Subject
seeking access to their Personal Data. We will comply with this request in another way, usually by
providing a newly created document listing the information we are required to provide under data
protection law.
We may need to request specific information from those individuals who contact us to help us confirm
their identity and ensure their right to access their personal data (or to exercise any of their other rights).
This is a security measure to ensure that personal data is not disclosed to any person who has no right to
receive it. We may also contact an individual to ask them for further information in relation to their
request to speed up our response.
We try to respond to all legitimate requests within six weeks. Occasionally it may take us longer than six
weeks if a request is particularly complex. In this case, we will notify the individual concerned and keep
them updated.
Changes to this notice
We recognise that transparency is an ongoing responsibility so we will keep this privacy statement under
regular review.
This privacy statement was last updated on 5 February, 2021.
Contacts
If there are any questions regarding this notice or if anyone would like to contact us about the manner in
which we process their Personal Data, please email our Data Privacy Officer (Claudio Satasi) at:
dataprotection@moorehtcl.bm