North Atlantic Trust Company Limited as General Partner to the North Atlantic Partnership

1. POLICY STATEMENT

  1. The North Atlantic Partnership (the “Partnership”) established pursuant to a partnership agreement dated 9th April 1992 (the “Partnership Agreement”) and is a limited partnership registered under laws of Gibraltar.
  2. The general partner of the Partnership is North Atlantic Trust Company Limited (“NATCO”) a company incorporated and registered in Gibraltar.
  3. The business of the Partnership (as more particularly described in the Partnership Agreement) is undertaken by NATCO as the general partner.
  4. As part of the undertaking of the business of the Partnership, NATCO will collect, store and process Personal Data belonging to clients, representatives/agents of clients and other third parties and, in the course of doing so, would like to endeavour to ensure that the Personal Data collected is protected in accordance with the Data Protection Legislation and that Data Subjects are adequately protected in accordance with the same.
  5. Everyone has rights with regard to the way in which their Personal Data is handled. We recognise that the correct and lawful treatment of this Data will maintain confidence in our organisation and will provide for successful business operations.
  6. Data Users are obliged to comply with this policy when Processing Personal Data on our behalf. Any breach of this policy may result in disciplinary action.
  7. For the purposes of this policy, “Data Protection Legislation” means Regulation 2016/678 of the European Union on the protection of personal data (“GDPR”), the Data Protection Act 2004 as amended from time to time and all capitalised terms which are not otherwise defined in this policy shall have the meaning they have in the relevant Data Protection Legislation.
  8. In this policy, references to “we” and “us” shall be interpreted and construed as being references to the Partnership and NATCO, as the general partner of the Partnership.
  9. In this policy, “Group” means in relation to a company, that company, any subsidiary or holding company from time to time of that company, and any subsidiary from time to time of a holding company of that company.

2. WHO THIS POLICY APPLIES TO

This policy shall apply to:

  • (a) The Partnership;
  • (b) NATCO (as the General Partner of the Partnership);
  • (c) the directors, company secretary and other officers of NATCO;
  • (d) the Employees of NATCO;
  • (e) the Limited Partners of the Partnership, from time to time, (including their respective agents, representatives and/or permitted assignees);
  • (f) any other member of our Group.

3. ABOUT THIS POLICY

  1. The Personal Data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Legislation.
  2. This policy and any other documents referred to in it sets out the basis on which we will process any Personal Data we collect from Data Subjects, or that is provided to us by Data Subjects or other sources.
  3. This policy does not form part of any employee’s contract of employment and may be amended at any time.

4. DATA PROTECTION PRINCIPLES

Anyone Processing Personal Data must comply with the eight enforceable principles of good practice. These provide that Personal Data must be:

  • (a) Processed fairly and lawfully;
  • (b) Processed for limited purposes and in an appropriate way;
  • (c) adequate, relevant and not excessive for the purpose;
  • (d) accurate;
  • (e) not kept longer than necessary for the purpose;
  • (f) processed in line with Data Subjects’ rights;
  • (g) secure; and
  • (h) not transferred to people or organisations situated in countries without adequate protection.

5. FAIR AND LAWFUL PROCESSING

  1. For Personal Data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation. These include (but are not limited to):
    • (a) the Data Subject’s informed clear, specific and unambiguous consent to the Processing for one or more specific purposes – where we are managing a bare trust under which children are the sole named beneficiaries, we will ensure that the children’s parents understand our data privacy notice and, if satisfied with it, provide that consent;
    • (b) the necessity of the Processing for the performance of a contract with the Data Subject or in order to take steps, at the request of the Data Subject prior to entering into a contract;
    • (c) the necessity of Processing to ensure our compliance with our legal obligations;
    • (d) the protection of the Data Subjects legitimate interests (or those of a third party) – except where such interests are over ridden by the interests or fundamental rights and freedoms of the Data Subject.
  2. In the vast majority of cases, the main basis on which we will process any Personal Data will be those set out in sections 5.1(a) and 5.1(b).

6. PROCESSING FOR LIMITED PURPOSES

  1. In the course of our business, we may collect and Process the Personal Data set out in Schedule 1. This may include data we receive directly from a Data Subject and data we receive from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
  2. We will only process Personal Data for the specific purposes set out in Schedule 1or for any other purposes specifically permitted by the Data Protection Legislation. We will notify those purposes to the data Subject when we first collect the data or as soon as possible thereafter.

7. NOTIFYING DATA SUBJECTS

  1. Where we collect Personal Data directly from Data Subjects, we will inform them, at the time the Personal Data is obtained, about:
    • (a) the purpose or purposes for which we intend to process that Personal Data;
    • (b) the legal basis for the processing;
    • (c) the categories of Personal Data concerned;
    • (d) the types of third parties, if any, with which we will share or to which we will disclose that Personal Data;
    • (e) How long we will retain the Personal Data or if that is not possible the criteria used to determine the period;
    • (f) the means, if any, with which Data Subjects can limit our use and disclosure of their Personal Data;
    • (g) the existence of their rights to withdraw consent, deletion, rectification, restriction of Processing and to lodge a complaint with the Gibraltar Regulatory Authority;
    • (h) on what basis Personal Data is to be transferred outside the EEA.
  2. Where we receive Personal Data about a Data Subject from other sources, we will provide the Data Subject with this information on receipt of a data subject access request within a reasonable period of obtaining it and in any event no later than one month.
  3. We will also inform Data Subjects whose Personal Data we process that we are the Data Controller with regard to that Data.
  4. In order to achieve the goals listed in this section 7, we will incorporate onto our website the “Data Privacy Notice” (the “Notice”) in the form set out in Schedule 2 of this policy. Our terms of business will direct prospective Data Subjects to the Notice.

8. ADEQUATE, RELEVANT AND NON-EXCESSIVE PROCESSING

We will only collect Personal Data to the extent that it is required for the specific purpose complying with our contractual obligations.

9. ACCURATE DATA

We will endeavour to ensure that the Personal Data we hold is accurate and kept up to date. In order to do so, Data Subjects will need to inform us of any changes to the information they have provided to us in the past. We will inform Data Subjects of their obligation to inform us of any such material changes.

10. TIMELY PROCESSING

We will not keep Personal Data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required – to the extent only, where we are permitted to do so in accordance with other legal obligations. In certain circumstances, we will be required to keep our records after our engagement with a client has ended.

Our practice is delete and destroy all records relating to a particular client 7 years following the end of our engagement by that client.

11. RIGHTS OF DATA SUBJECT’S RIGHTS

We will process all Personal Data in line with Data Subjects’ rights, in particular their right to:

  • (a) be provided with clear, transparent and easily understandable information about how we use Personal Data;
  • (b) withdraw consent (to the extent that we rely on the consent of a Data Subject);
  • (c) request access to any data held about them;
  • (d) restrict the Processing of their data for direct-marketing purposes;
  • (e) request to have inaccurate data amended;
  • (f) have their Personal Data erased (subject to the circumstances in which we are required to keep records);
  • (g) prevent Processing that is likely to cause damage or distress to themselves or anyone else;
  • (h) make a complaint to the Gibraltar Regulatory Authority about any matter concerning their Personal Data.

12. DATA SECURITY

  1. We will take appropriate security measures against unlawful or unauthorised Processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.
  2. We will put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data will only be transferred to a Data Processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
  3. We will maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
    • (a) Confidentiality means that only people who are authorised to use the data can access it.
    • (b) Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.
    • (c) Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal Data should therefore be stored on the central server instead of individual PCs.
  4. Security procedures include:
    • (a) Entry controls. Any stranger seen in entry-controlled areas should be reported.
    • (b) Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
    • (c) Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
    • (d) Equipment. Data Users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
    • (e) Passwords. Individual passwords and log-in details and the office wifi password shall be changed periodically and monitored by the IT Department.
    • (f) Clean desks. Individuals should ensure that no documents and/or other materials displaying or containing personal data is on their desk at the end of each working day before they leave the premises.

13. TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA

  1. We may transfer any Personal Data we hold to a country outside the European Economic Area (“EEA“), provided that one of the following conditions applies:
    • (a) The country to which the Personal Data are transferred ensures an adequate level of protection for the Data Subjects’ rights and freedoms.
    • (b) The Data Subject has given clear and unambiguous consent.
    • (c) The transfer is necessary for one of the reasons set out in the Data Protection Legislation, including the performance of a contract between us and the Data Subject, or to protect the vital interests of the Data Subject.
    • (d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
    • (e) The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the Data Subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
  2. Personal Data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. That staff maybe engaged in, among other things, the fulfilment of contracts with the Data Subject, the Processing of payment details and the provision of support services.

14. DISCLOSURE AND SHARING OF PERSONAL INFORMATION

We may share Personal Data if we are under a duty to disclose or share a Data Subject’s Personal Data in order to comply with any legal obligation, or in order to enforce or apply any contract with the Data Subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

15. DEALING WITH SUBJECT ACCESS REQUESTS

  1. Data Subjects must make a formal request for information we hold about them. This must be made in writing. Employees who receive a written request should forward it to the Data Protection Management Team (see below) immediately.
  2. Our employees will refer a request to the Data Protection Management Team for assistance in difficult situations. Employees should not be bullied into disclosing personal information.
  3. We will endeavour to respond to Data Subject access requests as soon as possible and, in any event, within the prescribed time limit under the Data Protection Legislation currently the period of one month.

16. CHANGES TO THIS POLICY

We reserve the right to change this policy at any time. Where appropriate, we will notify Data Subjects of those changes by mail or email.

17. STAFF TRAINING

  1. We will endeavour to ensure that staff receive the training necessary in order to ensure compliance with this policy and the adherence to best practices.
  2. Training will not necessarily be “in house” and may consist of sending relevant members of staff to seminars on the relevant Data Protection Legislation and data protection generally.

18. THE DATA PROTECTION MANAGEMENT TEAM

  1. The team will comprise of:
    • (a) Charles Bottaro
    • (b) Linda Smith
    • (c) Robert Anes
    • (d) Andrew Skillicorn
    • (together the “Data Protection Management Team”).
  2. The Data Protection Management Team will be the first point of contact for members of staff for any queries in relation to the implementation and maintenance of this policy and/or any other queries relating to the compliance with this policy and Data Protection Legislation.

Schedule 1

Types of Personal Data we will collect, store and use

  • name (including where relevant) maiden name;
  • date of birth;
  • address;
  • contact details;
  • gender;
  • marital status and dependants;
  • emergency contacts, and immigration status;
  • Physical and mental health;
  • Individual’s salary details (including bonuses, discretionary payments and other benefits in kind);
  • passport/ID card (and/or other forms of identification documentation);
  • information about all forms of taxation, duties, imports, levies, withholding, taxes, rates and charges of whatsoever nature whether in Gibraltar or elsewhere in any part of the world wherever or whenever, created or imposed and includes (without limitation); and
  • bank account details.

Schedule 2

Draft Privacy Notice

Privacy notice – North Atlantic Trust Company Limited, as general partner of the North Atlantic Partnership (the “Company” “we”)

What is a privacy notice?

We want to ensure that individuals (“you”) understand what information we have about you, how we will use it and for what purpose. We are also required by data protection legislation to explain certain matters to you.

We are a “data controller”. This means that we are responsible for deciding how we hold and use certain personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

This Privacy Notice is effective 25th May 2018.

Changes to this Privacy Notice

We may update this Privacy Notice in line with changes to how we process personal data. We will publish any new version of the Privacy Notice on our website.

Data Protection Legislation

On 25th May 2018 Regulation 2016/678 of the European Union on the protection of personal data (“GDPR”) came into force and the Data Protection Act (“DPA”) was amended by the Data Protection Act 2004 (Amendment Regulations) 2018 incorporating the requirements under the GDPR.

Data Protection Principles

We will ensure that the personal information we hold about you is:

  • used lawfully, fairly and in a transparent way.
  • collected only for specified and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • adequate, relevant and limited to what is necessary in relation to the purposes we have told you about.
  • accurate and kept up to date.
  • not kept in a form which permits your identification for longer than necessary and kept only as long as necessary for the purposes we have told you about.
  • kept securely.
  • not transferred to another country without appropriate safeguards being in place.

What information about you will we use?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

Whilst personal data does not extend to Companies, LLP’s, Trust structures or other vehicles, please note that we would ultimately be obtaining personal information about the individuals behind the relevant vehicle.

The types of personal data that we will collect, store and use about you may include:

  • name (including where relevant) maiden name and contact information such as your home and/or business address, email address and telephone number and emergency contact details;
  • identity and biographical information including your nationality gender, date of birth, marital status and dependants, tax status and information, passport / national identity card details and country of domicile, your employment and employment history, job title and role, educational profile, interests and other information relevant to our provision of professional services;
  • information in relation to your financial situation such as income, expenditure, assets and liabilities, sources of wealth, as well as your bank account details and other information necessary for processing payments and for fraud prevention purposes;
  • information that you provide to us for the provision of professional services

Special Categories of Personal Data

There are also “special categories” of more sensitive personal data which we may also collect, process and store.

These special categories may include your race or ethnicity, religious beliefs, sexual orientation, trade union membership, political opinions and information relating to criminal convictions and offences. These special categories of personal data require a higher level of protection and we will ensure that this is achieved.

Personal data of children

In carrying out our contractual obligations to you and/or your clients, there may circumstances where we are required to obtain, hold, control and process personal data of children. For example, where a child (under the age of 16) is the beneficiary of a trust.

We understand that children need a particular level of protection when their personal data is collected and processed because they may be less aware of the risks involved.

As with all the personal data that we process, we will always ensure that a child’s personal data is protected in accordance with our obligations.

In these circumstances we will collect, store and process a child’s (under the age of 16) personal data for their own legitimate interest and in some cases, the legitimate interest of a third party (which will, in most cases, be the settlor of the trust). Where required, we will take additional measures (proportionate to the level of risk that may be involved) to protect that personal data.

How is your personal information collected?

When you are a client most of the information we collect is obtained from you. You may, for example, provide us with personal information when you initially request us to provide our services and otherwise during the normal course of providing our services. You may also provide us with personal information when you complete client engagement formalities and when are responding to our KYC (“know your customer”) requirements.

You provide us with personal information when you:

  • get in touch with us via our website;
  • get in touch with us via email (charles.bottaro@natco.gi);
  • directly interact with us personally;
  • provide us with documentation we may require for compliance with our “know your customer” obligations;
  • complete any forms which we may require you to complete to assist us with our compliance with our “know your customer” obligations.

We may receive personal data about you from public registries and from various third parties (including your organisation, agents, advisers, intermediaries or custodians of your assets and our clients or those involved in the matter which we are engaged).

We may also collect personal information about you from you or sometimes from persons or entities authorised by you to provide us with information.

Our Basis for processing – How and why will we use your personal information?

How we use your personal data will depend on whether you are a client, a representative of a client, a business contact, someone whose personal data we necessarily process as part of our provision of services, or otherwise.

We may process your personal data for the following purposes;

  • providing a proposal to you or your organisation in relation to the services we offer and for client engagement purposes (including the carrying out of background checks);
  • perform the contract we have entered into with you;
  • providing our services to you and / or our clients;
  • managing our relationship with you and / or our clients (including billing and financial management), for record-keeping purposes and more generally for our proper and efficient operation;
  • dealing with any complaints or feedback you may have;
  • monitoring and improving the performance and effectiveness of our services, including by training our staff;
  • any other purpose for which you provide us with your personal data;
  • seeking advice on our rights and obligations, such as where we require our own legal advice, and to exercise and defend our legal rights;
  • compliance with our legal and regulatory obligations, such as anti-money laundering laws (which may include the carrying out of background checks and retention of a record of such checks), data protection laws and tax reporting requirements, and / or to assist with investigations by police and / or other competent authorities (where such investigation complies with relevant law) and to comply with Court orders;
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
  • to protect your interests;
  • (on rare occasions) where it is needed in the public interest.

We may process your personal data for any of the purposes set out above where one (or more) of the following lawful processing grounds applies:

  • it is necessary to perform a contract with you;
  • to take steps at your request before entering into a contract with you;
  • it is necessary for us to comply with our legal obligations;
  • it is necessary for our legitimate interests (including the operation of our business, and the provision of professional services) or those of any client or relevant third party, unless those legitimate interests are overridden by your interests or fundamental rights or freedoms; and/or
  • you have consented to the processing in question.

The situations in which we will commonly use your personal information include:

  • provide services to you under the client mandate we have entered into with you and/or your agent or representative;
  • pay (on occasion) any disbursements to third parties in connection with the services provided to you;
  • liaising with public registries;
  • liasing with regulators (like the Gibraltar Financial Services Commission);
  • liaising with third party service providers (where relevant);
  • liaising with other legal advisors in respect of the services being provided to you by us.

Who else might your personal information be shared with?

We may have to share your data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

Such third parties include third-party service providers.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We may transfer your personal information outside the EEA. If we do, you can expect a similar degree of protection in respect of your personal information.

For how long will your personal information be kept?

We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected.

We may keep your personal data for longer where we are required to do so by law, or it is necessary to establish make or defend a legal claim or an applicable code of conduct permits or requires us to retain the data for longer.

In most cases we will keep your personal data for 7 years following the termination of our engagement with you.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and the likelihood of a legal claim.

How will your personal information be kept safe?

We take the security of your personal information very seriously and we have put in place internal controls and security measures to protect it.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way. Personal data will only be transferred to a data processor if he agrees to comply with those measures, or if he puts in place adequate measures himself.

In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

What are your rights in relation to your personal information?

You have certain rights in relation to your personal data as summarised here:

  • Right to be informed – you have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights; this is why we are providing you with the information in this privacy notice;
  • Right to withdraw consent – where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time;
  • Right of access – you can request access to your personal data;
  • Correcting your information – where we hold information about you that is inaccurate or incomplete, you have the right to ask us to rectify, or complete it;
  • Erasing your information – in certain circumstances you may require us to erase and/or destroy the information;
  • Right to restrict processing – in certain circumstances you have the right to restrict some processing of your personal information, which means that you can ask us to limit what we do with it;
  • Right to object to processing – you can object to us processing your personal information in certain circumstances, including where we are using it for the purpose of the Company’s legitimate business interests as set out above;
  • Right to data portability – you have the right to obtain from us and re-use your personal data for your own purposes. This only applies, however, where the processing is carried out by automated means, to personal data that you have provided to us yourself (not any other information) and where the processing is based on your consent or for the performance of a contract;
  • Right to complain – you are able to submit a complaint to the Regulator about any matter concerning your personal information, using the details below. However, we take our obligations seriously, so if you have any questions or concerns, we would encourage you to raise them with us first, so that we can try to resolve them.

Subject Access Requests

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may refuse to comply with your request in circumstances where your request is clearly unfounded, repetitive or excessive.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests as soon as reasonably practicable and, in any event, within 30 days of receipt of the request except in cases of complex or multiple requests.

Data Protection Management Team

We have not appointed a Data Protection Officer.

We do however, have a Data Protection Management team that will attend to any queries you have in respect of this notice, any requests you have with regard to your information and/or any other queries you may have with regard to your personal data.

The Regulator

The regulator for data protection in Gibraltar is the Gibraltar Regulatory Authority (the “GRA”). The GRA’s contact details are:

Gibraltar Regulatory Authority
2nd floor
Eurotowers 4
1 Europort Road
Gibraltar
GX11 1AA
Tel: (+350) 20074636
Email: info@gra.gi

Contact information

If you have any questions about anything in this privacy notice, please do not hesitate to contact us.

Our contact details are:

North Atlantic Trust Company Limited as General Partner of the North Atlantic Partnership
3rd Floor 62/64 Irish Town
PO Box 894
Gibraltar
GX11 1AA
Tel: 350 200 42889