Privacy Notice

General

This Privacy Notice sets out how we obtain and use personal data about you before and after your relationship with us, in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Guernsey DP Law”) and in accordance with the European Union General Data Protection Regulation (2016/679) (“GDPR”).

LMRR Limited (“LMRR”, “we”, “us”, “our”) is a “data controller”. This means that we are responsible for deciding how we hold and use your personal data. We are required under the data protection legislation detailed above to notify you of the information contained in this privacy notice.

This notice applies to clients (including their clients and their key principals, directors, officers and employees), service providers, intermediaries and other contacts of LMRR (whether current, prospective, declined, exited or former) and users of our website. We may update this Notice at any time.

Any questions in relation to this Privacy Notice or requests in respect of personal data should be directed to trubuil@lmrr.gg in the first instance.

The data we hold

The personal data we hold varies depending on the services provided, ensuring we only process personal data that is adequate, relevant and necessary for the purpose. The types of data we collect and process include:

  • Name
  • Contact details
  • Information required to meet legal and regulatory requirements
  • Information provided during the provision of our services
  • Information relating to the outcome of training
  • Financial information, such as payment-related information
  • Any other information you may provide to us.

Purposes of processing

We use your personal data for the following purposes:

Purpose

Lawful Basis for Processing

To enter into or exit client relationships and provide regulatory risk, compliance and training services

The legitimate interest of LMRR as a provider of regulatory risk, compliance and training services to process personal data for the purpose of providing those services

To manage our client, intermediary and other business relationships

The legitimate interest of LMRR to seek to ensure its business is conducted efficiently and with a view to enhancing client service

To administer any contract we have entered into with you or where a party related to an entity for which we are contracted to provide services

To fulfil the contract we have entered into

To provide our contacts with marketing material

The legitimate interest of LMRR in providing its clients and other business contacts, current or otherwise, with updates on regulation and LMRR’s activities & services. Contacts may opt-out at any time by unsubscribing from our newsletter or emailing: trubuil@lmrr.gg

To ensure the security of LMRR systems and staff and prevent fraud

The legitimate interest of LMRR in protecting its systems and staff from being misused or the victim of criminal activity

To obtain legal and/or tax advice or representation

The legitimate interests of LMRR and its clients to ensure that it is able to engage relevant tax or legal advisers and/or representation

To meet all legal, regulatory and ethical obligations applicable to LMRR including in respect of managing conflicts of interest

The legitimate interests of LMRR as a provider of regulatory risk, compliance and training services to process data to the extent necessary to ensure it meets all legal, regulatory and ethical obligations incumbent on it

The processing is necessary for compliance with a legal obligation to which LMRR is subject

 

The data sought will vary and the purposes for processing will overlap depending on the type of services provided.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note: we may process your personal data without your knowledge or consent where this is required or permitted by law.

Failure to provide personal data

If you fail to provide certain personal information and data when requested, we may not be able to fulfil the contract we have entered into for you, or on your behalf, or provide the services requested or we may be prevented from complying with our legal obligations.

Sources of personal data

Our sources of data may include clients, data subjects directly, introducers, intermediaries, advisers, third parties connected to the data subject (for example: family member, employer or another service provider who provides services to the data subject) or open-source material.

We collect personal data via the completion of forms provided to you and completed by you, from documents provided including due diligence documents, from correspondence including email or from meetings and telephone conversations.

We will collect personal data throughout the course of our business relationship or while we provide services to clients connected to you.

Recipients of personal data

LMRR shares information with third parties including third party service providers where required by law, where it is necessary to administer our business relationship, where it is necessary for us to provide the services to you or where we have another legitimate interest in doing so.

The following are potential recipients of personal data (in each case including respective employees, directors and officers):

  • Sub-contractors, agents, consultants or service providers such as insurance brokers, IT firms or other professional advisers of LMRR or its clients and their clients and associated parties
  • Bankers, auditors, accountants, investment brokers, managers or advisers, legal and other professional advisers
  • Guernsey and overseas regulators, or other government, or supervisory body and tax authorities when required by law
  • Law enforcement agencies where considered necessary for LMRR to fulfil legal obligations applicable to it

When we engage a third party to process your personal data, we will require them to process your personal data in accordance with our instructions and protect the data against unauthorised or accidental use, access, disclosure, loss or destruction. LMRR does not allow them to use your personal data for their own purposes. They will only be permitted to process your personal data for a specified purpose and in accordance with our instructions. Where they no longer need your personal data to fulfil the contract, they will need to transfer the data back to us and/or destroy or delete any data held by them.

Our online training portal uses Laravel session cookies and XSRF tokens to authenticate users when they log-in. These cookies are necessary for the security of the training portal.

 

Our portal provider (Traineasy.com Ltd) uses Google Analytics cookies to collate anonymised user information for operational and system development purposes. You may opt-out of Google Analytics via your web browser. Please click on this link for further information Google opt-out.

 

Our portal provider also collects IP addresses for system audit trail purposes. This data is used for no other purpose.

Transferring data outside of Guernsey and the EU

In the event any of the third parties detailed above are outside of Guernsey and the EU and where we are transferring personal data which would be protected under the Guernsey DP Law or GDPR we will ensure that we meet the relevant requirements prior to carrying out such a transfer.  This may include only transferring the data where we are satisfied that:

  • The non-European Union country has Data Protection laws similar to the Laws in Guernsey and the European Union
  • The recipient has agreed through contract to protect the information to the same Data Protection standards as Guernsey and the European Union
  • We have obtained consent from the relevant data subjects to the transfer or
  • The transfer is subject to an approved code or mechanism where the recipient is subject to binding and enforceable commitments to apply relevant safeguards in the code/mechanism

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used or accessed without authorisation. In addition, we restrict access to your personal data to those employees, agents, contractors, consultants and other third parties who have a business need to access the data.  They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Data Retention

LMRR only keeps data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. Details of retention periods for different aspects of your personal data are available in our retention policy which is available on request from the Data Protection Representative.  To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential for harm from unauthorised use or disclosure of the data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Once our business relationship ends, we will retain and securely destroy your personal data in accordance with our record retention and destruction policy, applicable legislation and/or regulatory requirements.

Your Rights

As a data subject you have certain rights in respect of your personal data. You have the following rights:

  • Right of access - you have the right to request a copy of the personal data that we hold about you and to check that we are lawfully processing that data. You will not have to pay a fee to access your personal data (or exercise any of the other rights) unless your request is clearly unfounded or excessive in which case we may charge a reasonable fee or refuse to comply with the request.
  • Right of rectification - you have the right to correct data that we hold about you which is inaccurate or incomplete.
  • Right of erasure - of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it.
  • Right to restrict processing - this enables you to ask us to suspend the processing of your personal data for example: if you want us to establish its accuracy or the reasons for processing it.
  • Right of portability - you have the right to have the data we hold about you transferred to another organisation.
  • Right to object - you have the right to object to certain types of processing including direct marketing. You also have the right to ask us to delete or remove personal data where you have exercised your right to object.
  • Right to object to automated processing including profiling - you have the right not to be subject to decisions based on automated processing or profiling.  LMRR does not currently undertake any automated processing or profiling.

If you wish to exercise these rights you should send the request in the first instance to trubuil@lmrr.gg

Status

This Privacy Notice sets out our current policy as regards the maintenance and processing of personal data.  It does not form, and should in no way be construed as, a contract and no contractual rights or causes of action shall arise in relation to or consequence of the content of this Notice.

Complaints

In the event you wish to make a complaint about how your personal data is being processed or how your complaint has been handled you have the right to lodge a complaint directly with the Guernsey Data Protection Authority either via email enquiries@odpa.gg or by post at:

The Office of the Data Protection Authority

St Martin’s House

Le Bordage

St. Peter Port

Guernsey

GY1 1BR

You may also appeal to certain courts against (i) any failure of the Guernsey Data Protection Authority to give written notice of whether the complaint is either being investigated or not being investigated and where applicable, the process and outcome of the investigation and (ii) a determination of the Guernsey Data Protection Authority not to investigate the complaint or a determination that a controller or processor has not breached or is not likely to breach an operative provision in connection with the complaint.

Changes to this Privacy Notice

This Privacy Notice is kept under review and any updates will appear on our website at www.lmrr.gg

We last updated this Privacy Notice on 2nd December 2022.

Contact details

If you have any questions about this Privacy Notice or any data which we hold about you, please contact us:

Email:              trubuil@lmrr.gg

Telephone:      +44 (0)1481 727113

Post:                LMRR Limited

                        Suite 4, Harbour View

                        The Albany, South Esplanade

                        St Peter Port

                        Guernsey

                        GY1 1AG