This Privacy Notice sets out how we obtain and use personal data about you before and after your relationship with us, in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Guernsey DP Law”) and in accordance with the European Union General Data Protection Regulation (2016/679) (“GDPR”).
LMRR Limited (“LMRR”, “we”, “us”, “our”) is a “data controller”. This means that we are responsible for deciding how we hold and use your personal data. We are required under the data protection legislation detailed above to notify you of the information contained in this privacy notice.
This notice applies to clients (including their clients and underlying principals, directors, officers and employees), investors, shareholders, service providers, intermediaries and other contacts of LMRR (whether current, prospective, declined, exited or former) and users of our website. We may update this Notice at any time.
Any questions in relation to this Privacy Notice or requests in respect of personal data should be directed to email@example.com in the first instance.
The data we hold
The personal data we hold varies depending on the services provided, ensuring we only process personal data that is adequate, relevant and necessary for the purpose. The types of data we collect and process include:
- Contact details (including names, postal and email addresses, telephone numbers)
Information required to meet legal requirements
Information required by us to provide regulatory risk and compliance services in particular data provided to enable us to advise or report on your compliance with your anti-money laundering and regulatory obligations
Financial information, such as payment-related information
Any other information you may provide to us.
Purposes of processing
We use your personal data for the following purposes:
Lawful Basis for Processing
To enter into or exit client relationships and provide regulatory risk, compliance and training services
The legitimate interest of LMRR as a provider of regulatory risk, compliance and training services to process personal data for the purpose of providing those services
To manage our client, intermediary and other business relationships
The legitimate interest of LMRR to seek to ensure its business is conducted efficiently and with a view to enhancing client service
To administer any contract we have entered into with you or where you are a party related to an entity for which we are contracted to provide services
To fulfil the contract we have entered into
To provide our contacts with marketing material
All marketing material is provided on the basis on consent. Consent may be withdrawn at any time by unsubscribing from our newsletter or emailing: firstname.lastname@example.org
To ensure the security of LMRR systems and staff and prevent fraud
The legitimate interest of LMRR in protecting its systems and staff from being misused or the victim of criminal activity
To obtain legal advice and/or representation
The legitimate interests of LMRR and its clients to ensure that it is able to engage relevant legal advisers and/or representation
To meet all legal and ethical obligations applicable to LMRR including in respect of managing conflicts of interest
The legitimate interests of LMRR as a provider of regulatory risk, compliance and training services to process data to the extent necessary to ensure it meets all legal and ethical obligations incumbent on it
The processing is necessary for compliance with a legal obligation to which LMRR is subject
The data sought will vary and the purposes for processing will overlap depending on the type of services provided.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note: we may process your personal data without your knowledge or consent where this is required or permitted by law.
Failure to provide personal data
If you fail to provide certain personal information and data when requested, we may not be able to fulfil the contract we have entered into for you, or on your behalf, or provide the services requested or we may be prevented from complying with our legal obligations.
Sources of personal data
Our sources of data may include clients, data subjects directly, introducers, intermediaries, advisers, third parties connected to the data subject (for example: family member, employer or another service provider who provides services to the data subject) or open-source material.
We collect personal data via the completion of forms provided to you and completed by you, from documents provided including due diligence documents, from correspondence including email, from meetings and telephone conversations.
We will collect personal data throughout the course of our business relationship or while we provide services to clients connected to you.
Recipients of personal data
We share information with third parties including third party service providers where required by law, where it is necessary to administer our business relationship, where it is necessary for us to provide the services to you or where we have another legitimate interest in doing so.
The following are potential recipients of personal data (in each case including respective employees, directors and officers):
- Sub-contractors, agents, consultants or service providers such as insurance brokers, IT firms or other professional advisers of LMRR
- Bankers, auditors, accountants, legal and other professional advisers
- Guernsey and overseas regulators, or other government, or supervisory body and tax authorities when required by law
- Law enforcement agencies where considered necessary for LMRR to fulfil legal obligations applicable to it
When LMRR engages a third party to process your personal data, we will require them to process your personal data in accordance with our instructions and protect the data against unauthorised or accidental use, access, disclosure, loss or destruction. We do not allow them to use your personal data for their own purposes. They will only be permitted to process your personal data for a specified purpose and in accordance with our instructions. Where they no longer need to your personal data to fulfil the contract, they will need to transfer the data back to us and/or destroy or delete any data held by them.
Transferring data outside of Guernsey and the EU
In the event any of the third parties detailed above are outside of Guernsey and the EU and where we are transferring personal data which would be protected under the Guernsey DP Law or GDPR we will ensure that we meet the relevant requirements prior to carrying out such a transfer. This may include only transferring the data where we are satisfied that:
- The non-European Union country has Data Protection laws similar to the Laws in Guernsey and the European Union;
- The recipient has agreed through contract to protect the information to the same Data Protection standards as Guernsey and the European Union;
- We have obtained consent from the relevant data subjects to the transfer; or
- If transferred to the United States of America, the transfer will be to organisations that are part of the Privacy Shield
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used or accessed without authorisation. In addition, we restrict access to your personal data to those employees, agents, contractors, consultants and other third parties who have a business need to access the data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally obliged to do so.
LMRR only keeps data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. Our data retention policy is available on request from the Data Protection Representative. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential for harm from unauthorised use or disclosure of the data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Once our business relationship ends, we will securely destroy your personal data in accordance with our record retention and destruction policy, applicable legislation and/or regulatory requirements.
As a data subject you have certain rights in respect of your personal data:
- Right of access - you have the right to request a copy of the personal data that we hold about you and to check that we are lawfully processing that data.
- Right of rectification - you have the right to correct data that we hold about you which is inaccurate or incomplete.
- Right of erasure - of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it.
- Right to restrict processing - this enables you to ask us to suspend the processing of your personal data for example: if you want us to establish its accuracy or the reasons for processing it.
- Right of portability - you have the right to have the data we hold about you transferred to another organisation.
- Right to object - you have the right to object to certain types of processing including direct marketing. You also have the right to ask us to delete or remove personal data where you have exercised your right to object.
- Right to object to automated processing including profiling - you have the right not to be subject to decisions based on automated processing or profiling. LMRR does not currently undertake any automated processing or profiling.
If you wish to exercise these rights you should send the request in the first instance to email@example.com
This Privacy Notice sets out our current policy as regards the maintenance and processing of personal data. It does not form, and should in no way be construed as, a contract and no contractual rights or causes of action shall arise in relation to or consequence of the content of this Notice.
Changes to this Privacy Notice
This Privacy Notice is kept under review and any updates will appear on our website at www.lmrr.gg.
We last updated this Privacy Notice on 31st October 2018.
In the event you wish to make a complaint about how your personal data is being processed or how your complaint has been handled you have the right to lodge a complaint directly with the Guernsey Data Protection Commissioner either via email firstname.lastname@example.org or by post at:
The Office of the Data Protection Commissioner, St Martin's House, Le Bordage, St. Peter Port, Guernsey, GY1 1BR.
Alternatively, you may lodge a complaint with the supervisory authority in the EU member state of your usual residence or place or work or the place of the alleged breach.
You may also appeal to certain courts against (i) any failure of the Office of the Data Protection Commissioner to give written notice of whether the complaint is either being investigated or not being investigated and where applicable, the progress and the outcome of the investigation and (ii) a determination that a controller or processor has not breached or is not likely to breach an operative provision in connection with the complaint.
If you have any questions about this Privacy Notice or any data which we hold about you, please contact us:
Telephone: +44 (0)1481 727113
Post: LMRR Limited
Suite 4, Harbour View
The Albany, South Esplanade
St Peter Port