Version 1.1, 24 May 2018
This privacy notice tells you what to expect when our organisation collects personal data, and how to contact us should you wish to discuss any aspect of how we handle that data.
We have offices in Jersey and Guernsey and are registered with the data protection authorities under our various trading names and companies:
- Jersey (notification number 18295):
Grant Thornton Limited
Grant Thornton Services (Jersey) Limited
Castle Nominees Limited
LSI Nominees Limited
LSI Secretaries Limited
- Guernsey (notification number 11594):
Grant Thornton Limited
Grant Thornton Services (Guernsey) Limited
We are part of a global group of member companies (you can read about our global presence at https://www.grantthornton.com/). Some of our offices are in jurisdictions that have not been deemed adequate for data protection purposes by the EU, but we have appropriate agreements between the member firms to ensure that any personal data transferred around the group is handled appropriately. Any transfers that take place comply with all applicable data protection and information security laws.
Our data protection contact
We have a single point of contact for data protection queries relating to both our Jersey and Guernsey offices:
- Email (preferred): Data.Protection@gt-ci.com
- Phone: +44 1534 885788
The information we collect and process
We collect various types of personal data, including:
- Contact information.
- Family relationships.
- Personal identification information, which may include items such as your name, address, passport data, PEP status and other data that we might need for Client Due Diligence (“CDD”), Anti Money Laundering (“AML”) checks, and the like.
- Financial information such as sources of wealth, assets and shareholdings.
- Information about client matters.
- Relevant data about job applicants, employees and former staff.
We have a separate privacy notice for candidates who are applying to be employed by or otherwise work for the company. (Read candidate privacy notice).
Our sources of information
As well as collecting data from the individuals themselves we also obtain personal data from various sources. Some examples are:
- Materials gathered as part of regulatory requirements (e.g. CDD and AML).
- References from third parties.
- Documents that we work with as part of the services we carry out for our clients.
- Advisors, lawyers, regulators or official authorities.
- Introducers (e.g. organisations that introduce someone as a potential client).
How we use the personal data we collect
We use personal data in order to operate our business and provide our clients with the services for which they’ve engaged us. The reason that we need any data will generally be made clear when we collect it, but if you do have any specific questions about why we’re collecting any item then please get in touch and ask.
There are various other reasons for which we might use personal data, for example:
- For internal administration (e.g. billing).
- Compliance with legal and regulatory obligations.
- To protect our interests (e.g. to defend against legal claims).
- To send you relevant marketing materials (e.g. invitations to events or updates on the services we provide).
- To process queries from customers or other client feedback.
- For other legitimate business purposes.
- To monitor our compliance with data protection law (e.g. records of subject access requests or data corrections).
If we use data for statistical analysis purposes that don’t need us to be able to identify the individuals to which it relates, we’ll anonymise it (i.e. take out the personal references that could identify people).
Sharing personal data with others.
We may share personal data with other members of the Grant Thornton group – for instance if running a multi-jurisdiction piece of work or engaging subject matter experts from other locations. As mentioned above we have formal controls over what we share around the organisation.
We may also need to share personal data with third parties, such as:
- External agents, suppliers or contractors.
- Service providers (e.g. contractors or IT service providers).
- Lawyers, accountants and other professional entities.
- Regulatory or government authorities.
- Law enforcement agencies.
Personal data is only shared outside the organisation where it is lawful and legitimate to do so.
Sharing personal data overseas
Where data is being shared with organisations outside the Channel Islands, this will always take place in line with the relevant data protection law both locally and remotely. Consideration will be given to the overseas location, particularly:
- Whether the location is in the EU, and is therefore regulated under the GDPR legislation.
- Whether the location has a valid adequacy finding from the EU (at the time of writing there are 11 jurisdictions with adequacy findings; these include Jersey and Guernsey).
- If the location is in the USA, whether the organisation is registered under the Privacy Shield scheme.
Where none of the above applies, the appropriate risk assessments will be carried out and any necessary controls implemented to ensure the data is protected.
Data retention and disposal
We retain personal data only for as long as it is required to fulfil the purposes to which it relates; we also retain data for as long as we may need it to defend against a legal claim or if we’re required to do so by law or other regulatory requirements.
When data is no longer required it is deleted (for electronic data) or destroyed (for physical documents). Data deletion exercises are carried out regularly (e.g. quarterly or annually) so any item that is no longer required will be disposed of in the next deletion exercise.
As mentioned previously, personal data may be used to communicate relevant marketing materials. You’ll see a link at the bottom of each email message that you can click in order to unsubscribe from mailings, but you’re welcome to email us at the above address to ask us to remove you from any list too.
Rights of data subjects
Data subjects – the individuals to which personal data relates – have a number of rights under data protection legislation. For example, individuals can request a copy of the data we hold on them, ask us to correct mistakes, ask us to restrict processing of the data or erase it completely, or request that we send it to a third party.
If we’re using individuals’ data solely because they consented to us doing so, that consent may also be withdrawn.
Data subjects can email us at the address given above to exercise any of these rights.
Other sources of data protection information
As mentioned previously, we have a separate privacy notice regarding how we deal with data on job applicants. (Read candidate privacy notice).
Our standard Terms of Business have some more detail about confidentiality in general and data protection in particular: please see (Read terms of business).
Details on how we process current employees’ data are available on the company Intranet.
Should you have any cause for complaint, please write to us at:
46/50 Kensington Place
If you’re dissatisfied with the way in which your complaint has been handled you may contact your local data protection supervisory authority, or write to our local Information Commissioner:
For Jersey complaints
Office of the Information Commissioner
5 Castle Street
For Guernsey complaints
The Office of the Data Protection Authority
St Martin's House
St. Peter Port