Dixcart Management (IOM) Limited

Privacy Statement

In the normal course of carrying out our business, we will have to obtain personal information about individuals. However, in doing so we are bound by certain legislation. The Isle of Man is committed to adopting the principles and objectives of the EU General Data Protection Regulation (GDPR). As such, Dixcart Management (IOM) Limited will be bound by these requirements.

GDPR requires us to ensure as far as possible, personal information privacy, and to provide you with a full explanation covering:

  • Why the personal data is processed;
  • Whose personal data is processed;
  • What personal data is processed;
  • When personal data is processed; and
  • Where personal data is processed;

GDPR also provides individuals with certain rights:

  • Access to an individual’s data, in a commonly used electronic format (data portability);
  • Have inaccuracies corrected;
  • Have information erased;
  • Prevent direct marketing;
  • Prevent automated decision-making and profiling;

We must also advise you of how to make a complaint.

Why do we collect personal data?

• The personal data we collect from you will be used in providing corporate or trustee services to you. Our ability to offer/provide services to clients and prospective clients is dependent on having access to personal information

• We have regulatory requirements in respect of Anti Money Laundering and Countering the Financing of Terrorism (AML/CFT). A major component part of these requirements is to be able to verify the identity of individuals, their source of wealth, and the source of any funds that may be being utilised

• There are now obligations on us regarding international initiatives in respect of Automatic Exchange of Information (AEOI). These comprise the United States Foreign Account Tax Compliance Act (FATCA), and the OECD Common Reporting Standard (CRS), and we are required to make reports comprising personal information to Isle of Man Income Tax, who will then send this information to other jurisdictions where individuals have a tax obligation

• There may also be situations where we are required to disclose information to foreign authorities e.g. HMRC to comply with the Trust Registration Service in respect of relevant trusts as defined in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as amended from time to time.

Whose personal data is processed?

To enable us to provide our professional services as efficiently as possible, we will process personal data in respect of:

  • Clients – current, former and potential
  • Business Contacts
  • Suppliers
  • Complainants
  • Settlors, Protectors, Trustees & Beneficiaries (who in certain circumstances may be children)
  • Controlling Persons of Entities
  • Politically Exposed Persons, their families and associates
  • Associates, Employees, Consultants of Client Entities

What personal data is processed?

The GDPR requires us to advise you what type of personal information will be processed. In addition, we need to advise you how the information is obtained, and the legal basis upon which it is based.

  • Name, address, telephone number, e-mail, nationality, date of birth, place of birth, the date on which an individual has acquired an interest in a legal entity and the nature of such interest, sourced from individuals themselves, internet searches (such as screening providers like World Check), social media and third-party introducers. The legal basis for this is AML/CFT, legislation such as the Bribery Act 2013 and the Beneficial Ownership Act 2017 as amended.
  • Financial details, National Insurance numbers and individual tax reference numbers, which are primarily sourced from individuals themselves. The legal basis for this is AEOI.
  • Know Your Client (KYC) and Client Due Diligence (CDD) information, comprising such things as passport, utility bill, driving licence, source of wealth, source of funds, and bank account details. These are generally sourced from individuals themselves or from third party introducers. The legal basis for this is AML/CFT, legislation such as the Bribery Act 2013.
  • In certain circumstances we may hold information relating to criminal convictions/allegations or whether a person holds PEP (Politically Exposed Person) status, and this would normally be sourced through independent screening agencies. The legal basis for this is AML/CFT and legislation such as the Bribery Act 2013
  • Where personal information is collected in respect of children (being anyone under the age of 13), it will be necessary for the parent or guardian to provide “explicit consent”. Explicit consent has to be a positive indication of agreement to personal data being processed, and this is obtained from you when you sign any of application forms required by Dixcart Management (IOM) Limited which enable us to provide professional services to you.

When is personal data processed?

We will obtain information from you at the start of our business relationship or potential business relationship, and moving forwards at any regulatory or contractual “trigger events”.

A trigger event can be constituted by any of the following:

  • Change of address
  • Change of signatories
  • Change of ownership or structure
  • Change of name
  • Substantial deposits (relative to expected activity)
  • Forming a new company
  • Any other significant change to the client’s circumstances

Unless we receive written consent from yourself, we will not release any information about you to third parties. However, there are some exceptions to this where we are obliged to or may provide private information:

  • On receipt of a Court Order
  • To comply with an authorised request from a regulatory or financial investigative authority
  • Where we are opening a bank account
  • As required by regulatory audit regulations
  • To comply with international agreements on AEOI
  • To comply with the Beneficial Ownership Act 2017 as amended
  • To comply with the Trust Registration Service
  • To other members of the Dixcart group of companies including but not limited to its subsidiaries and its associated companies

We will retain your private information only for as long as is appropriate, and as required under regulation. In certain circumstances this regulatory period can be up to 18 years. These vary dependent on certain factors, and we would be happy to discuss these if you require.

At the end of the designated retention period, all private information held on whatever medium is destroyed.

Where is personal data processed?

All current manual records are held at our registered office address, 4th Floor, 64

Athol Street, Douglas, Isle of Man, IM1 1JD.

Archived manual records are maintained by a 3rd party provider within the Isle of Man.

Electronic records take the form of any of the Microsoft Office suite together with Adobe Acrobat and those held in our company secretarial software package. These are held on individual IT infrastructure situated in the Isle of Man.

Where electronic records are utilised, the systems/services used comprise:

  • Servers based in the Isle of Man
  • Replica (Business Continuity) servers based in the Isle of Man
  • Messaging archive solution by a hosted provider

To assist with the protection of personal information Dixcart Management (IOM) Limited has firewalls in place, and additionally utilises software to protect against malware and unauthorised access to the information systems. We are also required to regularly monitor technological developments and cybercrime to maintain the confidentiality and integrity of the data held.

Your rights

Access Requests

You are entitled to ask for details of any personal information that we hold. This will be provided as quickly as possible, but in any event, no later than 30 days after receipt of the request. We will not charge for accessing and providing you with the information.

At the same time, we will remind you of your rights which are to:

  • Have your data provided in a commonly used electronic format (data portability);
  • Have inaccuracies corrected;
  • Have information erased;
  • Prevent direct marketing;
  • Prevent automated decision-making and profiling;

You may be asked to provide supporting documents to verify your identity before we are able to release the data to you.

Privacy breaches

Should a privacy breach occur we will notify you directly as soon as possible following identification of the breach. This notification will include:

  • Date of the Breach
  • Description of the Breach comprising a general description of what happened
  • Description of the information inappropriately accessed, collected, used or disclosed
  • The steps taken so far to control or reduce the harm
  • Future steps planned to prevent further privacy breaches
  • Steps you might consider taking
  • Contact details of the Information Commissioner
  • Our contact details

Complaints

Should you feel it necessary to make a complaint, in the first instance this should be made in writing explaining the reasons for the complaint to:

Data Protection Officer

Dixcart Management (IOM) Limited

4th Floor, 64 Athol Street

Douglas

Isle of Man

IM1 1JD

gdpr.iom@dixcart.com

You will receive an acknowledgement of this within 7 working days. After the first week we will keep you informed of our progress until your complaint has been resolved. In exceptional circumstances where your complaint is particularly complex you will appreciate that matters may take longer to resolve. We will fully investigate the circumstances surrounding your complaint and notify you of the outcome of our investigation and of any action taken within 8 weeks.

If you feel that your complaint has not been satisfactorily resolved, you may complain directly to the Information Commissioner:

Mr I McDonald

Information Commissioner

PO Box 69,

Douglas

Isle of Man

IM99 1EQ

T: +44(0)1624 693260

E: ask@inforights.im

W: www.inforights.im

Dixcart Management (IOM) Limited Privacy Statement V3

Updated February 2022