DATA PRIVACY POLICY

Effective Date:

  • 18-06-2021, Version: 1
  • 20-05-2021, Version: 2. Main change: The Cookie Policy and list of sub-processors separated from this policy.
  • 11.11.2022 (Date of latest review), Version: 3. Added clauses with respect to the use and grounds for processing of personal data, data protection measures, data subject’s rights, types of processed personal data.
  • 14.03.2023, Version: 4. Added PDPA (Singapore) related clauses.

KEY PRINCIPLES

Privacy is a fundamental human right and persons engaging with Trustmoore must trust that their personal data is handled with care. Therefore, protection of privacy and security of Personal Data is very important to Trustmoore. Personal Data relating to an identified or identifiable natural person may only be processed in accordance with this Policy.

1. Definitions

  • GR&CB: The Global Risk & Compliance Board is Trustmoore’s highest decision-making and executive body deciding on all risk and compliance matters that impact Trustmoore.
  • CF: Compliance Function
  • Client: Natural person or company with which TM enters into a business relationship or for which a trust service is performed.
  • Data Controller [1]: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data.
  • Data Processor: Natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
  • Consent: It is any freely given, specific, informed and unambiguous indication of the data subject by which he or she agrees with the processing of their Personal Data.
  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, compromise, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by or on behalf of TMG, and which triggers regulatory obligations.
  • Personal Data Incident: An event that involves or could involve Personal Data and which has the potential to become a Personal Data Breach. For the purpose of this Policy, Personal Data Incident may also refer to potential Personal Data Breach.
  • Data Protection Laws: The legislation regarding data privacy which may be applicable, based on the location of the TM service provider and of the Data Subject, such as the EU General Data Protection Regulation 2016/679 ("GDPR"), UK GDPR, Personal Data Protection Act (PDPA) Singapore, or any other applicable data protection, privacy laws or privacy regulations.
  • Data Subject: A natural person to whom Personal Data relates and who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, etc.
  • DPO: Data Protection Officer
  • Joint Controllers: Entities that jointly determine the “means and purposes” of the processing of Personal Data.
  • KYC: Know-your-client
  • Personal Data: Any information that relates to an identified or identifiable living individual (“Data Subject”). Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data.
  • Processing of Personal Data: Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether by automated means, such as collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Recipient: Recipient is a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not.
  • Sub Processor: The legal or natural person appointed by the processor to process Personal Data on behalf of the Controller.
  • Third Party: An individual or a company (i.e. consultants, agents, intermediaries, representatives, subcontractors, suppliers) that performs work, provides a service or sells goods to TM.
  • TMG Staff (Employee): Natural person who works part time or full time under a contract of employment (employment agreement) with a TMG entity or a natural person providing managerial services to TMG based on an agreement between TM and the natural person directly or via a management company indirectly, as well as other persons who act on behalf of TMG within the scope of its business activities and who are therefore in a similar position to the TMG staff, but who are not employed by TMG (e.g. self-employed or temporary workers).
  • UBO: Ultimate beneficial owner

[1] Controller, Joint Controller, Processor and DPO are terms based on the GDPR, which will only be used for jurisdictions outside the European Union in those cases where GDPR is applicable or the local legislation implements similar terms (such as the PDPA in Singapore or UK GDPR).

Terms that are capitalized, but not defined in this Policy have the same meaning as in the TMG Compliance Charter and the TMG Compliance Risk Control Framework.

2. Background, Scope & Purpose

In this policy, “TM,” “our”, “we” or “us” refers to the global group of entities within the Trustmoore Group, each of which is a separate legal entity, or refers to one or more of those entities. The controllers of Personal Data are one or more of the TM entities listed in Annex I hereto “List of TM Entities & Data protection authorities and legislation”. TM entities in countries outside the European Union (EU) have appointed Trustmoore Coöperatief U.A. as representative in the EU.

TM recognizes the expectations of its Clients and Employees, and the inherent risk regarding the privacy, confidentiality and security of their Personal data when it resides within TM.

This Data Privacy Policy describes the privacy practice standards of TM for mitigating the risk, regarding the processing of Personal Data: what type of Personal Data TM collects, why and how TM collects, uses and stores it; the legal basis for processing it; and TM’s rights and obligations in relation to such processing.

TM globally applies this Policy as a minimum standard for protecting Personal Data of its Clients and Employees around the world. Each TM entity will ensure the application of local regulations [2]. In particular, TM entities (Data Controllers) will ensure that data privacy and protection is methodically embedded into relevant business processes and procedures and integrated into affected IT systems and applications (Privacy by design and by default). TM entities (Data Controllers) consider the state of the art, cost of implementation and the nature, scope, context and purposes of processing, as well as the severity and likelihood of risks to the rights and freedoms of Data Subjects posed by the processing. Thus, TM Entities implement appropriate technical and organizational measures (e.g. pseudonymization and data minimization) in an effective manner and integrate the necessary safeguards into the processing of Personal Data.

[2] Please refer to Annex I ‘List of TM Entities & Data protection authorities and legislation’ for more information.

3. Types of Personal Data

The Personal Data that TM collects and processes may depend on the type and scope of the activities engaged. For each service, the Data Subjects and the types of personal data are:

Funds Services

  • Data Subjects: Clients, UBOs, investors (if physical persons), directors of Client companies and affiliate entities, Client’s shareholders, Client’s employees, business associates (contact persons, ambassadors, etc.).
  • Types of personal data: Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, job title, Client ID (IDs, passport, driving license), signature, bank account details, financial information, user account details, professional life data, personal life data.

Multi-Family Office

  • Data Subjects: Clients, UBOs, client employees, trustees, beneficiaries, business associates (contact persons, ambassadors, etc.).
  • Types of personal data: Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, compensation and benefits financials, job title, Client ID (IDs, passport, driving license), signature, bank account details, financial information, professional life data, personal life data.

Structured Finance & Capital Markets

  • Data Subjects: Clients, UBOs, client employees, investors (if natural persons), originators (if natural persons), directors of Client companies and affiliate entities, Client’s shareholders, business associates (contact persons, ambassadors, etc.).
  • Types of personal data: Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, compensation and benefits financials, user account details, job title, Client ID, signature, bank account details, financial information, professional life data, personal life data.

Corporate Expansion Services

  • Data Subjects: Clients, client employees, UBOs, directors of Client companies and affiliate entities, Client’s shareholders, business associates (contact persons, ambassadors, etc.).
  • Types of personal data: Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, compensation and benefits financials, user account details, job title, Client ID, signature, bank account details, financial information, professional life data, personal life data.

Human Resources and Payroll

  • Data Subjects: Employees, candidates, managers.
  • Types of personal data: Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, marital status, Tax / Social / National identification number, compensation and benefits financials, user account details, job title, employee ID, signature, bank account details, health status related data, CVs, education, employment information, work history, declaration of good behaviour/extract of criminal record (if permitted by law).

Suppliers

  • Data Subjects: Managers or other designated individuals.
  • Types of personal data: Name, name of employer, phone, email and other contact details.

In a few cases, as some of the TM entities are licensed and regulated under a strict set of rules (e.g. when applying enhanced due diligence measures as per the applicable AML&CTF legislation and performing background checks and screenings thereunder), TM may process special categories of Personal Data, such as Personal Data relating to race or ethnicity, membership in trade unions, criminal convictions and offenses. TM will only process such Personal Data in order to verify the Data Subject’s background, if there is no other way to confirm it, and with the Data Subject’s consent, after having informed them about the reasons for collecting such Data. TM will apply additional safeguarding measures regarding these types of Personal Data as per the TMG Information Security Policy.

Personal Data related to health and health status may sometimes be required in connection with the provision of additional benefits to employees (such as health insurance) and handling of HR activities (sick leaves). TM will only process such Personal Data with Employer’s consent and after having informed them about the reasons for collecting such Data. TM will apply additional safeguarding measures with regard to these types of Personal Data as per the TMG Information Security Policy.

TM does not knowingly process Personal data of minors. TM does not knowingly collect data related to religious or philosophical beliefs, sex life, sexual orientation, political views, information about genetic and biometric data.

4. Use of Personal data, Purposes and Legal grounds:

4.1 Clients:

When a Client engages TM with the provision of professional services, TM will collect and use Personal Data when TM has a valid business reason to do so in connection with those services and legal obligation thereof. In the context of providing professional services to Clients, TM also processes Personal Data of individuals who are not directly TM’s Clients (for example: Client’s employees, customers or suppliers, Ultimate Beneficial Owners, Client’s directors or shareholders, business associates, others as the case may require). The legal grounds for processing such Personal Data are:

  • TM’s legal obligations under the AML&CTF legal acts and other applicable legislation in force, as well as TM’s internal KYC procedures;
  • Performance of the contract between the Client and TM;
  • Legitimate interest in providing the Client with seamless, consistent, high-quality services;

4.2. Employees:

TM processes data of its employees for HR and payroll purposes. TM also does background checks required by law or regulation, for example, adverse media, bribery and corruption, and other financial crime checks.

The legal grounds for processing such data are:

  • Legal obligation under the applicable labour legislation;
  • Performance of the labour agreement;
  • Compliance with a legal or regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work).

4.3. Job Applicants:

TM collects information from and about applicants in connection with available employment opportunities at TM. The information that TM collects, the manner in which it is used, and the timing in which it is gathered varies depending on the country in which the applicant applies. Depending on the country in which you apply, TM collects personal data about candidates from the following sources:

  • Directly from the applicant – for example, information that an applicant has provided when applying for a position directly through the TM website;
  • From recruitment agencies – for example, when a recruitment agency with applicant’s details contacts TM to suggest them as a potential candidate;
  • Through publicly available sources online – for example, where the applicant has a professional profile posted online (e.g., on his/her current employer's website or on a professional networking site, such as LinkedIn)
  • By reference – for example, through a reference from a former employee or employer, or from a referee within or outside TM. 

Legal grounds for processing personal data of job applicants are:

  • Explicit consent of the applicant;
  • TM legitimate interest in attracting, identifying and sourcing talents;
  • TM legitimate interest to process and manage applications for roles at TM, including the screening and selecting of applicants;
  • Compliance with a legal or regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work).

4.4. Suppliers

TM processes personal data about suppliers (including subcontractors, and individuals associated with suppliers and contractors) in order to manage TM’s relationship and contract with them, and to receive services from the respective suppliers. Before TM takes on a new supplier, TM also carries out audit independence and other background checks required by law or regulation, for example, adverse media, bribery and corruption, and other financial crime checks.

Legal grounds for processing personal data of our suppliers are:

  • Performance of a contract;
  • Compliance with a legal or regulatory obligation;
  • Legitimate interest in managing payments, fees and charges;
  • Legitimate interest in understanding any conflict of interest, conducting or defending in legal proceedings;
  • Legitimate interest in safeguarding against dealing with the proceeds of criminal activities or assist in any other unlawful or fraudulent activities;

TM shall not store, transfer, modify, amend or alter, disclose or permit the disclosure of, or process the Personal data in any way other than as set out above. In cases where processing is required, but not explicitly envisaged in this Policy, the affected Data Subject will be notified accordingly and without undue delay.

5. Personal Data retention

Personal data will be kept for the duration of the business relationship with TM and for the number of years afterwards stipulated by local regulations, for complying with all legal, regulatory, and internal policy purposes. After expiration of this retention period, the corresponding data are routinely deleted and any hard copies of them are destroyed. For more information refer to TMG Data Retention Policy or contact TMG DPO at [email protected].

6. Sub-processing and third parties:

TM may be required to appoint certain third parties to provide part of the services to its Clients or Employees, or assist with provision of the services, or render technical support, to which Personal Data may be disclosed, such as: I.T. service providers, banks, accountancy and legal firms, auditors or other suppliers (Sub-processors) as required by law or contract. TM maintains an extensive Third-party register and Outsourcing register. In case a query with respect to these registers is made, the DPO at [email protected] can provide the relevant information.

Sub-processors are in each case subject to the terms and conditions laid down by TM, which are no less protective than those set out in this Policy. TM will inform the Client or Employee of the details of such Sub-processor(s) and types of Personal Data disclosed to them upon written request from the Data Subject. Such requests can be made at: [email protected]. TM will inform the Client or Employee in advance of any intended changes concerning the addition or replacement of Sub-processors and thereby give the Data Subject the opportunity to object to such changes. If the Client or Employee does not object in writing within five (5) days of receipt of the notice, the Data Subject is deemed to have accepted the new Sub-processor. If the Client or Employee does object in writing within five (5) days of receipt of the notice, TM and the Client or Employee will discuss possible resolutions.

7. Joint Controllers

In case TM acts as a Director of a Client’s company (Object company), it will act as a Joint Controller together with the Client. Since TM determines the purpose and means of the processing of Personal Data of the Object company, its role as a Joint Controller together with the Client is justified. In all other cases in which TM will provide services to the Client, it will act as a Processor, within the meaning of the Processor definition.

8. Rights of Data Subjects

TM takes appropriate measures to comply with data protection laws in order to ensure Data Subjects’ rights. In case Data Subjects have any questions, requests or complaints regarding their rights, they are encouraged to contact TM via [email protected]. Any written question, request or complaint should have a clear subject related to the rights of the Data Subjects.

Subject to the applicable local legislation, all Data Subjects will have at least the following rights with respect to their Personal Data:

  • The right to withdrawal or revocation of any consent given to TM: Data subjects have the right to withdraw or revoke any consent given to TM unless the applicable legislation requires otherwise.
  • The right to be informed: Data Subjects have the right to be informed about the collection and use of their personal data. Data Subjects have also the right to be informed of the recipients or classes of recipients to whom their Personal data has been or may be disclosed.
  • The right of access: Data Subjects will have a right to access their Personal Data. TM can refuse the request if it is manifestly unfounded or excessive. TM will provide its response within a month as of receipt of the request, though this can be extended by two months if the request is too complex.
  • The right to rectification: Data Subjects have the right to request from TM the rectification of inaccurate personal data concerning them.
  • The right to erasure (right to be forgotten): Data Subjects can ask that their data be deleted in certain circumstances unless there is a legal obligation or other legal grounds for TM to retain the data.
  • The right to restrict processing: Data Subjects have the right to request the restriction or suppression of their Personal Data in certain circumstances.
  • The right to data portability: Data subjects will also have a right to data portability where the condition for processing Personal Data is consent or the performance of a contract. It entitles Data Subjects to obtain any personal data they have “provided” to TM in a machine-readable format. Data Subjects can also ask for the data to be transferred directly from one controller to another.
  • Right to object: A Data Subject can object to their Personal Data being processed for direct marketing purposes at any time. This includes the processing of their personal data for profiling purposes.
  • Rights in relation to automated decision making and profiling: TM does not use automated decision making and profiling.

9. Personal Data Breach

A Personal Data Incident is any event that involves or could involve Personal Data and which has the potential to become a Personal Data Breach. Personal Data Incidents are all potential Data Breaches that have not yet materialized.

A Personal Data Breach exists in case of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Personal Data Incidents and Personal Data Breaches are handled according to the Data Protection Laws and in accordance with TMG Data Breach Procedure whereunder TM entities (Data Controllers) and Data Processors have implemented and maintain effective processes to ensure timely notification to the DPO and respective Data protection authorities.

10. Safeguarding Measures

10.1. Confidentiality and Security

TM keeps the Personal Data confidential and will ensure its employees, managers and Sub-processors are bound by the same confidentiality obligation.

10.2. Training and Awareness

Local Statutory Board supported by the CF ensures a proper level of awareness of this Policy by means of providing trainings and awareness sessions to employees, managers and if needed – sub-processors. Each Trustmoore employee must adhere to and comply with this Policy and raise any questions and concerns with respect to this Policy to the CF.

10.3. Technical safeguarding measures

TM has adopted and implements an Information Security Policy governing all technical and organisational measures to protect Personal Data. Some of the technical measures include, but are not limited to:

  • Data encryption tools;
  • Desktop and laptop firewalls;
  • Antivirus and anti-malware software;
  • Multifactor authentication approaches;
  • Automated patching and security vulnerability assessments;
  • Strong physical, environmental, network and perimeter controls;
  • Intrusion detection and prevention technologies;
  • Monitoring and detection systems.

11. Transfers of Personal Data

TM entities operate in more than one jurisdiction. Certain aspects of TM infrastructure are centralized, including information technology services provided to TM entities. In addition, where engagements with TM Clients span more than one jurisdiction, certain information will need to be accessed by all those within TM who are working on the matter on a need-to-know basis. Therefore, Personal Data may be made available or transferred to and stored outside the country in which Data Subjects are located. This may also include countries outside the European Economic Area (EEA).

By adopting this global Policy, TM ensures appropriate security and legal precautions to protect the safety and integrity of Personal data that is transferred within the TM group. This Policy requires all TM entities worldwide to use the same minimum standards of protection for Personal Data as required by the Member States of the European Union. Moreover, TM enters into standard data protection clauses as adopted by the European Commission with all third parties outside the EEA.

Personal data is also processed by TM support providers (Sub-processors) as indicated in Section 6 “Sub-Processors” herein above.

12. Other Disclosures

TM discloses your personal data:

  • Where this is appropriate for the purposes described in Section 4 “Use of Personal data, Purposes and Legal grounds”, including within the TM group itself;
  • If required, by applicable law;
  • In order to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry;
  • With Data Subject’s consent;
  • TM has a legal obligation to report suspicious transactions and other activity to relevant regulatory authorities under AML&CTF acts or related legislation. TM also reports suspected criminal activity to the police and other law enforcement bodies;
  • Third-party recipients such as: professional advisors, such as law firms, tax advisors or auditors, insurers, public registries of company directors and shareholdings, regulatory bodies, providers of background checks services, service providers, support providers.

TM does not share any Personal Data for advertising or direct marketing purposes without the Data Subject’s explicit consent.

13. Complaints

Data Subjects have the right to lodge a complaint with the respective data protection authority in their country. A list of data protection authorities in the jurisdictions within which TM operates is given in Annex I “List of TM Entities & Data protection authorities and legislation”. Complaints may also be submitted to [email protected].

14. Reporting and Escalation

Employees must report instances of non-compliance with this Policy to the CF/DPO or their line manager who reports to Local Statutory Board. The CF/DPO will report any material issues to the Global Risk and Compliance Board. Local authorities should be informed in accordance with local rules and the Data Breach procedure. In case hierarchical reporting is not possible or appropriate, TM employees may report a (suspected) incident or a concern via the whistleblowing channel in accordance with TM Whistleblowing Policy.

15. Roles and Responsibilities

  • The GR&CB - approves this Policy and oversees its implementation on TM level.
  • Local Statutory Board - responsible for the proper implementation of this Policy at the local level, proper level of awareness and for ensuring that personal data privacy is adequately addressed by means of allocating appropriate resources for the day-to-day management of Personal Data.
  • Employees - responsible for ensuring personal data privacy in their daily work and for complying with this Policy by following the rules, attending compliance training and awareness sessions.
  • Compliance Function (the “CF”) - responsible for providing oversight, guidance and monitoring with regard to the rules and requirements of this Policy in accordance with the Compliance Charter.
  • DPO – Group DPO is Katya Mihaylova available at [email protected]. The DPO advises on all topics related to Data privacy and protection laws, regulations, regulatory guidance, as well as compliance therewith and must support and liaise with other functions on related topics. The DPO liaises with authorities, regulators, associations and other stakeholders on matters related to Data privacy and protection; monitors TM entities’ implementation of and adherence to this Policy in conjunction with other relevant functions at TMG or through independent reviews; and maintains and updates the Data Privacy Policy and notifies TM entities of any such changes without undue delay.
  • Audit Function – responsible for providing an independent review of the activities performed by the 1st and 2nd lines of defense in connection with this Policy.

ANNEX I

List of TM Entities & Data protection authorities and legislation

Bulgaria

  • Authority: Commission for Personal Data Protection
  • Entity: Trustmoore Bulgaria EOOD
  • Address: 105 Knyaz Boris I Str., 1000 Sofia, Bulgaria

Curaçao

  • Authority: Data Protection Board
  • Website / Legislation: N/A
  • Entities: TM Fund Services Curaçao NV; Trustmoore (Curaçao) N.V.; Trusthouse Holding N.V.; Trustmoore Private Management N.V.; Trustmoore Global Trustee Services N.V.; Trustmoore Corporate & Administrative Services N.V.; Emoore Holding B.V.; Emoore N.V.

Cyprus

  • Authority: Office of the Commissioner for Personal Data Protection
  • Entities: Trustmoore Cyprus Ltd.; Emoore Cyprus Ltd
  • Address: 30 Chytron street, office A22, 2nd floor, 1075, Nicosia, Cyprus

Ireland

  • Authority: Data Protection Commission (DPC)
  • Entities: Trustmoore Ireland Ltd; Trustmoore Nominee Services (Ireland) Ltd; Trustmoore Corporate Secretary (Ireland) Ltd; Trustmoore Trustee (Ireland) Ltd.

Luxembourg

  • Authority: Commission Nationale pour la Protection des Données
  • Entities: Trustmoore Luxembourg S.A.; TM Luxembourg Director-Funds SARL; TM Luxembourg Director-Structured Finance SARL; TM Administration Services Luxembourg Sarl
  • Address: 6 Rue Dicks, L-1417 Luxembourg, Luxembourg

Malta

  • Authority: Office of the Information and Data Protection Commissioner
  • Entities: Trustmoore Corporate Services (Malta) Ltd.; Trustmoore Malta Ltd.; Emoore Malta Ltd; EM Services (Malta) Ltd; EM Admin (Malta) Limited; TM Admin (Malta) Limited
  • Address: 97 Windsor Street, Sliema, SLM 1853, Malta

Netherlands

  • Authority: Authoriteit Persoonsgegevens
  • Entities: Trustmoore Coöperatief U.A.; Trustmoore Netherlands B.V.; TM Administration Services B.V.; TM Support Netherlands B.V.; Premises B.V.; TM Fund Services (Netherlands) B.V.; Trustmoore SFCM Netherlands B.V.; Trustmoore SFCM Trustee & Management NL B.V.; EM Group Administration Services Netherlands BV; iGaming Compliance Netherlands B.V.
  • Address: De Lairessestraat 145, 1075 HJ Amsterdam, Netherlands

United Kingdom

  • Authority: Information Commissioner’s Office (ICO)
  • Entities: Trustmoore (UK) Ltd.; Trustmoore Trustee (UK) Ltd.; Trustmoore UK Officer Ltd.; Trustmoore Nominee Services Ltd
  • Address: 30 Binney Street, London W1K 5BW, UK

Singapore

  • Authority: Personal Data Protection Commission Singapore
  • Entity: Trustmoore Singapore Pte Ltd.
  • Address: 83B Tanjong Pagar Rd, Singapore 088504
