Nerine Group Privacy Notice
Purpose of privacy notice
This privacy notice (the Notice) describes how Nerine collects, uses and shares data, whether on individuals (including personal data in respect of individuals who are clients, intermediaries or other third parties Nerine interact with, or any individual who is connected to those parties) or otherwise. Where the data held are on individuals, this document also sets out the rights of those individuals in respect of that personal data
Any questions in relation to this Notice or requests in respect of personal data should be directed to our Data Protection Officer whose details appear at the end of this Notice.
A separate privacy notice is available in relation to visitors to our website and those we communicate through our newsletter.
We encourage you to read this privacy notice and to regularly check this page to review any changes made. We last updated this privacy notice on 23rd April 2019.
Who we are
In this Notice, where we refer to Nerine (or we/us/our) we mean Nerine International Holdings Limited and its subsidiaries. The Nerine Group is a group of worldwide financial services businesses operating in five international jurisdictions. Our offices include jurisdictions outside the European Union, which have not been deemed adequate for European Union data protection purposes (namely the British Virgin Islands, Hong Kong and India). However, please note that Nerine operates global data protection policies and all Nerine offices are required to meet the same data protection standards as our Guernsey and Swiss offices (which are deemed to have comparable data protection frameworks to the EU and therefore allow transfers on the basis of an adequacy decision).
The relevant Nerine entity with the primary relationship is set out in our application form in relation to any client relationship. Details of the Nerine entities are provided at the end of the company information section of our website.
Why we collect and use this data
Nerine processes data in order to provide fiduciary services. We use data (including personal data of individuals) for the following purposes (the below also confirming the lawful basis we are relying on in each case):
Lawful Basis for Processing
To enter into client relationships and provide fiduciary services
Any one or more of the following:
To manage our client, intermediary and other business relationships
Any one or more of the following:
To ensure the security of Nerine systems, staff and premises
Any one or more of the following:
To provide our contacts with marketing material (such as newsletters and factsheets) and to invite contacts to events which may be of interest to them, and to manage such mailings and events.
The legitimate interests of Nerine as a provider of fiduciary services to process personal data to communicate with persons on topics and events which may be of interest to those individuals.
The right of those individuals to unsubscribe from mailings and is possible by selecting unsubscribe within the mailings or by contacting our Data Protection Officer.
To meet all legal, regulatory and ethical obligations applicable to Nerine (including in respect of managing potential conflicts of interest)
The processing is necessary for Nerine to exercise any right or power, or perform or comply with any duty, conferred or imposed on it by law. For example, Nerine is required by law to collect due diligence information on its clients and those associated with them.
The legitimate interests of Nerine as a provider of fiduciary services to process data to the extent necessary to ensure it meets all legal, regulatory and ethical obligations incumbent on it.
To protect Nerine through legal means
The processing is necessary for the purpose of obtaining legal advice or otherwise for the purposes of establishing, exercising or defending legal rights.
For the purposes of internal know-how and training
The legitimate interests of Nerine as a provider of fiduciary services to process data for the purposes of internal know-how and staff training. Nerine will use reasonable endeavours to ensure any personal data contained in the material which is not integral to the understanding of the material is redacted.
To carry out research
The legitimate interests of Nerine as a provider of fiduciary services to process data collected through cookies or otherwise to carry out research about our visitors' and clients' demographics, interests and behaviour. We do this to better understand our visitors, clients and potential clients. This research is compiled and analysed on an aggregated and anonymous basis.
To review and process recruitment applications
The processing is necessary for the performance of a contract with a recruitment firm, in the interest of the job applicant.
The legitimate interests of Nerine in recruiting suitable personnel.
In certain instances, personal data processed may include "Special Category Data" (which includes information on a person's race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data processed for the purpose of uniquely identifying a natural person, health data, data on a person's sex life or sexual orientation or data relating to a person's criminal record or alleged criminal activity). In such instances, legal bases for processing that data may include explicit consent (where the Special Category Data has been provided to Nerine by the data subject for any of the above-listed purposes) or the processing being necessary for compliance with a legal obligation or the purposes of legal proceedings or legal advice.
The categories of data that we collect, process, hold and share include:
- contact details (including names, postal addresses, email addresses and telephone numbers);
- other personal information such as gender, marital status, nationality, tax residence/domicile, occupation, TIN numbers (tax, social insurance, global tax compliance data), director ID numbers, information on any powers of attorney;
- information required for Nerine to meet legal and regulatory requirements, in particular in respect of anti-money laundering legislation, including a copy of your passport (inc passport number) and address verification documentation and information on source of funds, screening against proprietary data bases and publicly available information (e.g. World-Check, Google), politically/commercially exposed person information, high-profile individual information/public positions held, information on gifts, hospitality & entertainment activities, information on political and charitable donations and lobbying activities, CRS/FATCA classification information, ownership of assets prior to placing in structures and source of wealth;
- information provided in the course of the provision of fiduciary services for example, information on professional relationships and background, disputes and court proceedings engaged in, introducers of clients, type of applicant, accounting status of applicant, file notes which may contain personal data and potentially 'Special Category Data' (e.g. health information), information on personal circumstances which may have affected a business decision, letter of wishes, financial statements for entities that may contain sensitive commercial data or personal data;
- your family relationships (which may include your marital status, the identity of your spouse and children and family issues);
- your professional and employment information (which may include your level of education and professional qualifications, references, your employment, employer’s name and details of directorships and other offices which you may hold);
- financial information, such as sources of wealth, your assets (which may include details of your shareholdings and your beneficial interest in assets), transactions entered into, tax status, tax identification number (or equivalent), personal tax or legal advice, payment related information such as bank account details and credit history;
- professional interests and events attended;
- meetings attended and visits to our offices; and
- any other information you may provide to us.
We may also collect and process personal data regarding people connected to you, either by way of professional (or other) association or by way of family relationship.
If you apply for a position with us we may collect personal data relating to your past employment, professional qualifications and education, your nationality and immigration/residential status, opinions from third parties about you (such as references) and other details about you which may be gathered during the recruitment process. We may also review publicly available information about you on social media.
How we collect this data
We may collect data from you through your use of our website, when you request information from us, if you engage us to provide fiduciary services or as a result of your relationship with one or more of our clients (e.g. if you are a tax or legal adviser) or otherwise in the course of our business.
Along with any data that you give to us, we collect your personal data from the following sources, including but not limited to:
- such forms and documents as we may request that are completed in relation to the administration/management of any of our services;
- information gathered through client due diligence carried out as part of our compliance with regulatory requirements;
- any personal data provided by way of correspondence with us by phone, email or otherwise;
- personal data we receive from third party sources, such as:
- our clients in connection with fiduciary services (for example where you are a counterparty to a transaction with one of our clients or an employee of one of our clients);
- press releases or other information publicly available on the internet;
- entities in which you or someone connected to you has an interest;
- your legal and/or financial advisors;
- financial institutions who hold and process your personal data;
- credit reference agencies and financial crime databases for the purposes of complying with our regulatory obligations;
- personal data received in the course of dealing with advisors, regulators, official authorities and service providers by whom you are employed or engaged or for whom you act;
- in the process of our recruitment processes we may obtain information from recruitment agencies, past or current employers, educational institutions, professional bodies and/or the internet.
We also create personal data about you, such as records of your transactions and interactions with us, details of your affairs and accounts, records of your interactions with various entities with which we are engaged, etc.
The lawful basis on which we process this data
Specific details of the lawful basis for different types of processing of personal data is included above under 'Why we collect and use this data'. Generally, we process this data for the lawful purpose of meeting the legitimate interests of Nerine and for meeting its legal and contractual obligations to clients (actual, potential and former), data subjects connected with such clients and others.
Personal data relating to clients, prospective clients and former clients can be processed in order to establish, execute and terminate a contract. This may also include advisory services for such client entities if this is related to the contract purpose. Prior to engagement as a client, personal data can be used to prepare bids, quotes or proposals or to fulfil other requests of the prospective client that relate to that contact conclusion. Prospective clients can be contacted during the contract preparation process using the data that they have provided. Any restrictions requested by prospective clients must be complied with. During our engagement with clients our activities are governed by contracts with entities or persons, often involving the application of fiduciary duties of care. We process personal data in order to allow us to act in accordance with our responsibilities and duties in accordance with such contracts. At the termination of such contracts, and beyond as a matter of course, we often enter into supplemental agreements relating to the terms on which previous contracts are deemed to cease. These again often require the processing of personal data.
The processing of personal data is also permitted where legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorised data processing activity and must comply with the relevant statutory provisions.
When personal data is processed in the legitimate interests of Nerine rather than contractual or legal obligations, it is generally of a legal or commercial nature (e.g. collection of outstanding receivables, avoiding breaches of contract or preservation of evidence relating to the performance of duties in case of any dispute). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection, and that this takes precedence. Before data is processed, Nerine determines whether there are interests that merit protection.
Who we share client data with and why
We share personal data between Nerine’s offices (for example if you receive services from more than one Nerine office). As a result, your personal data may be transferred to locations outside Europe as well as within it for the purposes described above.
The provision of data to one Nerine entity may result in that data being accessible by other members of other Nerine entities. Reasonable endeavours are made to ensure that data is only accessible by those with a need for access to fulfil the purposes set out above. Requests for access to be restricted in any particular manner should be made to our Data Protection Officer and will be considered and, where possible with reference to legal and regulatory obligations, actioned.
As the Group forms part of the wider PraxisIFM Group Limited group, we may from time to time share such data with other members of that group to facilitate the effective administration across that wider group.
We may also share your personal data outside Nerine. This may include disclosures to:
- other providers of services (legal, governance or otherwise, including any financial institutions, accountants or auditors providing services in relation to any structures administered by Nerine) where disclosure to that provider of services is considered necessary to fulfil the purposes set out above;
- any sub-contractors, agents or service providers of Nerine (for example, IT and communications service providers, Nerine’s auditor and external legal advisers);
- third parties engaged by Nerine for the hosting of events or other marketing initiatives;
- courts or tribunals;
- law enforcement agencies where considered necessary for Nerine to fulfil legal obligations applicable to it;
- regulators or other governmental or supervisory bodies with a legal right to the material or a legitimate interest in any material;
- any registrar of a public register where the data is to be included in a public registry;
- should you apply for a position with us, to seek references and confirm the details which you have provided to us (including, for example, former employers, educational institutions attended and referees);
- potential parties to which Nerine intends to merge or sell any Nerine entity.
Where Nerine is entering into an engagement with a third party pursuant to which data may be processed by that third party, we will seek to enter into an agreement with that third party setting out the respective obligations of each party and will seek to be reasonably satisfied that the third party has measures in place to protect data against unauthorised or accidental use, access, disclosure, damage, loss or destruction.
Where we transfer your personal data outside the European Economic Area (the EEA), we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the data. This can be done in a number of different ways, for instance:
- the country to which we send the personal data may have been assessed by the European Commission as providing an adequate level of protection for personal data;
- the recipient may have signed a contract based on standard contractual clauses approved by the European Commission;
- where the recipient is located in the US, it may be a certified member of the EU-US Privacy Shield scheme; or
- we have obtained consent from the individuals to the transfer of their personal data.
Keeping your data secure
Nerine takes the security of your data seriously. We will ensure that the personal data that we hold is subject to appropriate security measures to protect your data from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage. However, no data transmission over the internet or any other network can be guaranteed as 100% secure. Nerine has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed and is not accessed except by authorised parties in the performance of their duties.
Where Nerine engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Keeping your data accurate
Please let us know as soon as possible if any of your personal data changes (including your correspondence details). Failure to provide accurate data or to update data when it changes may have a detrimental impact upon our ability to provide services to you.
Your personal data will be retained for as long as required:
- for the purposes for which the personal data was collected;
- in order to establish or defend legal rights or obligations or to satisfy any reporting or accounting obligations; and/or
- as required by data protection laws and any other applicable laws or regulatory requirements.
Details of retention periods for different aspects of your personal information are available in our retention policy which is available by contacting the Data Protection Officer at DPM.Nerine@PraxisIFM.com.
If you fail to provide personal data
You have some obligations under your employment contract to provide Nerine with data. In particular you are required to report absences from work and may be required to provide data about disciplinary or other matters under the implied duty of good faith. You may also have to provide Nerine with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain data, such as contact details, your right to work in the relevant jurisdiction and payment details have to be provided in order to allow the Group to enter into a contract of employment with you. If you do not provide other data, this will hinder the Group’s ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
You have the following rights in respect of the personal data about you that we process:
- the right to access and transmit personal data;
- the right to rectify personal data;
- the right to restrict the use of personal data;
- the right to request that personal data is erased; and
- the right to object to processing of personal data.
Where we have relied on consent to process your personal data, you have the right to withdraw consent at any time. If you wish to exercise any of the above rights, you should send your request in the first instance to our Data Protection Officer.
In any case, where you choose not to provide any personal data or where any of the rights set out above are exercised to limit the processing of personal data, Nerine may be unable to provide relevant services, or there may be a restriction on the services which can be provided.
You also have the right to lodge a complaint about the processing of your personal data either with Nerine, with the Office of the Data Protection Commissioner in Guernsey (https://dataci.gg), the Privacy Commissioner for Personal Data in Hong Kong (https://www.pcpd.org.hk) or the Federal Data Protection and Information Commissioner in Switzerland (https://www.edoeb.admin.ch).
Requesting access to your personal data
Under data protection legislation, you have the right to request access to data about you that we hold. To make a request for your personal data, contact our Data Protection Officer.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress;
- prevent processing for the purpose of direct marketing;
- object to decisions being taken by automated means;
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations.
If you would like to discuss anything in this privacy notice, please contact our Data Protection Officer on the following contact details:
The Data Protection Officer
Nerine Group of Fiduciaries
PO Box 434
St George's Place
St Peter Port
Tel: +44 1481 701300
DD: +44 1481 747175