18-06-2021 Version: 1
20-05-2021 Version: 2
11.11.2022 (Date of latest review) Version: 3
Added clauses with respect to the use and grounds for processing of personal data, data protection measures, data subject’s rights, types of processed personal data;
Privacy is a fundamental human right and persons engaging with Trustmoore must trust that their personal data is handled with care. Therefore, protection of privacy and security of Personal Data is very important to Trustmoore. Any processing of Personal Data relating to identified or identifiable natural person may only be processed in accordance with this Policy.
|GR&CB||The Global Risk & Compliance Board is Trustmoore’s highest decision-making and executive body deciding on all risk and compliance matters that impact Trustmoore.|
|Client||Natural person or company with which TM enters into a business relationship or for which a trust service is performed.|
|Controller||The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data;|
|Consent||It is any freely given, specific, informed and unambiguous indication of the data subject by which he or she agrees with the processing of their Personal Data.|
|Data Breach||A breach existing in case of accidental or intended unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.|
|Data Protection Laws||The legislation regarding data privacy which may be applicable, based on the location of the TM service provider and of the Data Subject, such as the EU General Data Protection Regulation 2016/679 ("GDPR") or any other applicable data protection, privacy laws or privacy regulations.|
|Data Subject||A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, account number, information about payments made from the bank account, among others.|
|DPO||Data Protection Officer|
|Joint Controllers||Entities that jointly determine the “means and purposes” of the processing of Personal Data.|
|Personal data||Means any information relating to a Data Subject.|
|Processing of Personal Data||Personal data processing is a broad concept that encompasses everything that can be done with personal data. For example, “using”, “destroying” and “providing” are forms of processing. This Policy refers to any operation or set of operations which may be performed on Personal Data or on sets of Personal Data.|
|Processor||Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.|
|Recipient||Recipient is a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not.|
|Sub Processor||The legal or natural person appointed by the processor to process Personal Data on behalf of the Controller.|
|Third Party||An individual or a company (i.e. consultants, agents, intermediaries, representatives, subcontractors, suppliers) that performs work, provides a service or sells goods to TM.|
|UBO||Ultimate beneficial owner|
 Controller, Joint Controller and Processor, and DPO are terms based on the GDPR, which will be only used for jurisdictions outside the European Union in those cases where GDPR is applicable.
Terms that are capitalized, but not defined in this Policy have the same meaning as in the TMG Compliance Charter and the TMG Compliance Risk Control Framework.
2. Background, Scope & Purpose
TM recognizes the expectations of its Clients and Employees, and the inherent risk regarding the privacy, confidentiality and security of their Personal data when it resides within TM.
TM globally applies this Policy as a minimum standard for protecting Personal Data of its Clients and Employees around the world. Each TM service provider will ensure the application of local regulations .
 Please refer to Annex I ‘List of TM Entities & Data protection authorities and legislation’ for more information.
3. Types of Personal Data
The Personal Data that TM collects and processes may depend on the type and scope of the activities engaged:
|Services||Data Subjects||Types of personal data|
|Funds Services||Clients, UBOs, investors (if physical persons), business associates (contact persons, ambassadors, etc.)||Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, job title, Client ID (IDs, passport, driving license), signature, bank account details, financial
information, user account details.
|Multi-Family Office||Clients, UBOs, client employees, trustees, beneficiaries, business associates (contact persons, ambassadors, etc.)||Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, compensation and benefits financials, job title, Client ID (IDs, passport, driving license), signature, bank account details, financial information.|
Structured Finance & Capital Markets
|Clients, UBOs, client employees, investors (if natural persons), originators (if natural persons) business associates (contact persons, ambassadors, etc.)||Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, compensation and benefits financials, user account details, job title, Client ID, signature, bank account details, financial information.|
|Corporate Expansion Services||Clients, client employees, UBOs, business associates (contact persons, ambassadors, etc.);||Name (first name, middle name,
family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, compensation and benefits financials, user account details, job title,
Client ID, signature, bank account details, financial information.
|Human Resources and Payroll||employees, candidates, managers||Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, marital status, Tax / Social / National identification number, compensation and benefits financials,
user account details, job title, employee
ID, signature, bank account details, health status related data, CVs, education, employment information, work history, declaration of good behaviour/extract of criminal record.
|Suppliers||Managers or other designated individuals||Name, name of employer, phone, email and other contact details.|
In few cases, as some of the TM entities are licensed and regulated under a strict set of rules, e.g. when applying enhanced due diligence measures as per the applicable AML&CTF legislation and performing background checks thereunder, TM may process special categories of Personal Data such as Personal Data relating to: race or ethnicity, membership in trade unions, criminal convictions and offenses. In such cases TM will apply additional safeguarding measures with regard to these types of Personal Data as per the Information Security Policy.
Personal Data related to health and health status may sometimes be required in connection with the provision of additional benefits to employees (such as health insurance) and handling of HR activities (sick leaves). TM will apply additional safeguarding measures with regard to these types of Personal Data as per the Information Security Policy.
TM does not knowingly process Personal data of minors. TM does not knowingly collect data related to religious or philosophical beliefs, sex life, sexual orientation, political views, information about genetic and biometric data.
4. Use of Personal data, Purposes and Legal grounds:
When a Client engages TM with the provision of professional services, TM will collect and use Personal data when TM has a valid business reason to do so in connection with those services and legal obligation thereof. In the context of providing professional services to Clients, TM also processes personal data of individuals who are not directly TM’s Clients (for example: Client’s employees, customers or suppliers, Ultimate Beneficial Owners, business associates, others as the case may require). The legal grounds for processing such Personal Data are:
- TM’s legal obligations under the AML&CTF legal acts and other applicable legislation in force, as well as TM’s internal KYC procedures;
- Performance of the contract between the Client and TM;
- Legitimate interest in providing the Client with seamless, consistent, high-quality services;
TM processes data of its employees for HR and payroll purposes. TM also does background checks required by law or regulation, for example, adverse media, bribery and corruption, and other financial crime checks.
The legal grounds for processing such data are:
- Legal obligation under the applicable labour legislation;
- Performance of the labour agreement;
- Compliance with a legal or regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work).
4.3. Job Applicants:
TM collects information from and about applicants in connection with available employment opportunities at TM. The information that TM collects, the manner in which it is used, and the timing in which it is gathered varies depending on the country in which the applicant applies. Depending on the country in which you apply, TM collects personal data about candidates from the following sources:
- Directly from the applicant – for example, information that an applicant has provided when applying for a position directly through the TM website;
- From recruitment agencies – for example, when a recruitment agency with applicant’s details contacts TM to suggest them as a potential candidate;
- Through publicly available sources online – for example, where the applicant has a professional profile posted online (e.g., on his/her current employer's website or on a professional networking site, such as LinkedIn)
- By reference – for example, through a reference from a former employee or employer, or from a referee within or outside TM;
Legal grounds for processing personal data of job applicants are:
- Explicit consent of the applicant;
- TM legitimate interest in attracting, identifying and sourcing talents;
- TM legitimate interest to process and manage applications for roles at TM, including the screening and selecting of applicants;
- Compliance with a legal or regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work);
TM processes personal data about suppliers (including subcontractors, and individuals associated with suppliers and contractors) in order to manage TM’s relationship and contract with them, and to receive services from the respective suppliers. Before TM takes on a new supplier, TM also carries out audit independence and other background checks required by law or regulation, for example, adverse media, bribery and corruption, and other financial crime checks.
Legal grounds for processing personal data of our suppliers are:
- Performance of a contract;
- Compliance with a legal or regulatory obligation;
- Legitimate interest in managing payments, fees and charges;
- Legitimate interest in understanding any conflict of interest, conducting or defending in legal proceedings;
- Legitimate interest in safeguarding against dealing with the proceeds of criminal activities or assist in any other unlawful or fraudulent activities;
TM shall not store, transfer, modify, amend or alter, disclose or permit the disclosure, or process the Personal data in any other way other than as appointed above. In cases where processing is required, but not explicitly envisaged in this Policy, then the affected Data Subject will be notified accordingly and without undue delay.
5. Personal Data retention
Personal data will be kept for the duration of the business relationship with TM and the years afterwards stipulated on local regulations for complying with all legal, regulatory, and internal policy purposes. After expiration of this retention period, the corresponding data are routinely deleted and any hard copies of them are destroyed. For more information, please refer to the Data Retention Procedure.
TM may be required to appoint certain third parties to provide part of the services to its Clients or Employees, or assist with providing technical support, such as I.T. service providers or other suppliers. By signing the Contract or Service Agreement, depending on the case, the respective Employee or the Client authorizes TM to subcontract the Processing their Personal Data to Sub-processors. TM maintains an extensive Third-party register and Outsourcing register. In case a query or reference to these registers is made, the local CF or DPO at email@example.com can provide the relevant information therefrom.
Sub-processors are in each case subject to the terms and conditions laid down by TM, which are no less protective than those set out in this Policy. TM will inform the Client or Employee of the details of such Sub-processor(s) upon written request from the Data Subject. Such requests can be made at: firstname.lastname@example.org TM will inform the Client or Employee in advance of any intended changes concerning the addition or replacement of Sub-processors and thereby give the Data Subject the opportunity to object to such changes. If the Client or Employee does not object in writing within five (5) days of receipt of the notice, the Data subject is deemed to have accepted the new Sub-processor. If the Client or Employee does object in writing within five (5) days of receipt of the notice, TM and the Client or Employee will discuss possible resolutions.
7. Joint Controllers
In case TM acts as a Director of a Client’s company (Object company), it will act as a Joint Controller together with the Client. Since TM determines the purpose and means of the processing of Personal Data of the Object company, its role as a Joint Controller together with the Client is justified. In all other cases in which TM will provide services to the Client, it will act as a Processor, within the meaning of the Processor definition.
8. Rights of Data Subjects
TM takes appropriate measures to comply with Data protection laws in order to ensure Data Subjects rights. In case Data Subjects have any questions, requests or complaints regarding their rights, they are encouraged to contact TM via email@example.com. Any written question, request or complaint should have a clear subject related to the rights of the Data Subjects.
Subject to the applicable local legislation, all Data Subjects will have at least the following rights with respect to their Personal Data:
- The right to be informed: Data Subjects have the right to be informed about the collection and use of their personal data. In case they have question, a request or a complaint regarding their rights, they are encouraged to contact TM via firstname.lastname@example.org.
- The right of access: Data subjects will have a right to access their Personal Data by making a written request to TM. The initial request is free, though a charge can be made for subsequent requests. TM can refuse the request if it is manifestly unfounded or excessive. The response must be provided within a month, though this can be extended by two months if the request is complex.
- The right to rectification: Data Subjects have the right to request from TM the rectification of inaccurate personal data concerning him or her.
- The right to erasure (right to be forgotten): Data Subject can ask that their data is deleted in certain circumstances unless there is a legal obligation or other legal grounds for TM to retain the data.
- The right to restrict processing: Data Subjects have the right to request the restriction or suppression of their Personal Data in certain circumstances;
- The right to data portability: Data subjects will also have a right to data portability where the condition for processing Personal Data is consent or the performance of a contract. It entitles Data Subjects to obtain any personal data they have “provided” to TM in a machine-readable format. Data Subjects can also ask for the data to be transferred directly from one controller to another.
- Right to object: A Data Subject can object to their Personal Data being processed for direct marketing purposes at any time. This includes the processing of their personal data for profiling purposes.
- Rights in relation to automated decision making and profiling: TM does not use automated decision making and profiling.
9. Personal Data Breach
A breach exists in case of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. For the avoidance of doubt, even in cases where it is not certain whether any Personal Data was actually accessed, the existence of the (possibility to) access the data in question qualifies as a breach. This means that any possible access to encrypted devices of Trustmoore accompanied with an unauthorised disclosure of passwords will qualify as a data breach, unless there are security reasons justifying the access to encrypted devices. Data Breaches are handled in accordance with the Data breach procedure.
10. Safeguarding Measures
10.1. Confidentiality and Security
TM keeps the Personal Data confidential and will ensure its employees, managers and Sub-processors are bound by the same confidentiality obligation.
10.2. Training and Awareness
Local Statutory Board supported by the CF ensures a proper level of awareness of this Policy by means of providing trainings and awareness sessions to employees, managers and if needed – sub-processors. Each Trustmoore employee must adhere to and comply with this Policy and raise any questions and concerns with respect to this Policy to the CF.
10.3. Technical safeguarding measures
TM has adopted and implements an Information Security Policy governing all technical and organisational measures to protect Personal Data. Some of the technical measures include, but are not limited to:
- Removable media encryption tools;
- Desktop and laptop firewalls;
- Antivirus and anti-malware software;
- Multifactor authentication approaches;
- Automated patching and security vulnerability assessments;
- Strong physical, environmental, network and perimeter controls;
- Intrusion, detection and prevention technologies;
- Monitoring and detection systems.
11. Transfers of Personal Data
TM entities operate in more than one jurisdiction. Certain aspects of TM infrastructure are centralized, including information technology services provided to TM entities. In addition, where engagements with TM Clients span more than one jurisdiction, certain information will need to be accessed by all those within TM who are working on the matter on a need-to-know basis. Therefore, Personal Data may be made available or transferred to and stored outside the country in which Data Subjects are located. This may also include countries outside the European Economic Area (EEA). By adopting this global Policy, TM ensures appropriate security and legal precautions to protect the safety and integrity of Personal data that is transferred within the TM group. This Policy requires all TM entities worldwide to use the same minimum standards of protection for Personal Data as required by countries Member states of the European Union. Moreover, TM enters into standard data protection clauses as adopted by the European Commission with all third-parties outside the EEA.
Personal data is also processed by TM support providers (Sub-processors) as indicated in Section 6 “Sub-Processors” herein above.
12. Other Disclosures
TM discloses your personal data:
- Where this is appropriate for the purposes described in Section 4 “Use of Personal data, Purposes and Legal grounds”, including within the TM group itself;
- If required, by applicable law;
- In order to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry;
- With Data Subject’s consent;
- TM has a legal obligation to report suspicious transactions and other activity to relevant regulatory authorities under AML&CTF acts or related legislation. TM also reports suspected criminal activity to the police and other law enforcement bodies;
- Third-party recipients such as: professional advisors, such as law firms, tax advisors or auditors, insurers, public registries of company directors and shareholdings, regulatory bodies, providers of background checks services, service providers, support providers,
Data Subjects have the right to lodge a complaint to the respective data protection authority in their country. List of data protection authorities in the jurisdictions within which TM operates is indicated in Annex I “List of TM Entities & Data protection authorities and legislation & Data protection authorities and legislation”. Complaints may also be submitted to email@example.com.
14. Reporting and Escalation
Employees must report instances of non-compliance with this Policy to the CF/DPO or their line manager who reports to Local Statutory Board. The CF/DPO will report any material issues to the Global Risk and Compliance Board. Local authorities should be informed in accordance with local rules and the Data Breach procedure. In case hierarchical reporting is not possible or appropriate, TM employees may report a (suspected) incident or a concern via the whistleblowing channel in accordance with TM Whistleblowing Policy.
15. Roles and Responsibilities
- The GR&CB - approves this Policy and oversees its implementation on TM level.
- Local Statutory Board - responsible for the proper implementation of this Policy at the local level, proper level of awareness and for ensuring that personal data privacy is adequately addressed by means of allocating appropriate resources for the day-to-day management of Personal Data.
- Employees - responsible for ensuring personal data privacy in his/her daily work and for complying with this Policy by following the rules, attending compliance training and awareness sessions.
- Compliance Function (the “CF”) - responsible for providing an oversight, guidance and monitoring with regards to the rules and requirements of this Policy in accordance with the Compliance Charter.
- Audit Function – responsible for providing an independent review of the activities performed by the 1st and 2nd lines of defence in connection with this Policy.
This Policy is a Level I Policy that provides a global de-minimis norm that will be adopted by and implemented in all entities of the TM Group. Variations in accordance with local procedures are permitted in a Level II policy in accordance with the Group Corporate Governance Policy to the extent that they process Personal Data.
List of TM Entities & Data protection authorities and legislation & Data protection authorities and legislation
Commission for Personal Data Protection
Commission for Personal Data Protection
TM Fund Services Curaçao NV;
Trustmoore (Curaçao) N.V.;
Trustmoore Private Management N.V.;
Trustmoore Global Trustee Services N.V.;
Trustmoore Corporate & Administrative Services N.V.;
Emoore Holding B.V.;
Office of the Commissioner for Personal Data Protection
Trustmoore Cyprus Ltd.;
Emoore Cyprus Ltd;
Data Protection Commission (DPC)
Trustmoore Ireland Ltd;
Trustmoore Nominee Services (Ireland) Ltd;
Trustmoore Corporate Secretary (Ireland) Ltd;
Trustmoore Trustee (Ireland) Ltd.;
Commission Nationale pour la Protection des Données
Trustmoore Luxembourg S.A.;
TM Luxembourg Director-Funds SARL;
TM Luxembourg Director-Structured Finance SARL;
TM Administration Services Luxembourg Sarl;
Trustmoore Coöperatief U.A.;
Trustmoore Netherlands B.V.;
TM Administration Services B.V.;
TM Support Netherlands B.V.;
TM Fund Services (Netherlands) B.V.;
Trustmoore SFCM Netherlands B.V.;
Trustmoore SFCM Trustee & Management NL B.V.;
EM Group Administration Services Netherlands BV;
iGaming Compliance Netherlands B.V.;
Personal Data Protection Commission Singapore
Trustmoore Singapore pte Ltd.