18-06-2021 Version: 1
20-05-2021 Version: 2
The protection of privacy and security of Personal Data is very important to Trustmoore. Any processing of Personal Data relating to identified or identifiable natural person will only be processed in accordance with this Policy.
|Board||Trustmoore’s highest decision-making and executive body deciding on all matters that have impact on Trustmoore.|
|Client||Natural person or company with which TM enters into a business relationship or for which a trust service is performed.|
|Controller||The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data;|
|Consent||It is any freely given, specific, informed and unambiguous indication of the data subject by which he or she agrees with the processing of their Personal Data.|
|Data Breach||A breach exists in case of accidental or intended unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.|
|Data Protection Laws||The legislation regarding data privacy which may be applicable, based on the location of the TM service provider and of the Data Subject, such as the EU General Data Protection Regulation 2016/679 ("GDPR") or any other applicable data protection, privacy laws or privacy regulations.|
|Data Subject||A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, account number, information about payments made from the bank account, among others.|
|Joint Controllers||Entities that jointly determine the “means and purposes” of the processing of Personal Data.|
|Personal data||Means any information relating to a Data Subject.|
|Processing of Personal Data||Personal data processing is a broad concept that encompasses everything that can be done with personal data. For example, “using”, “destroying” and “providing” are forms of processing. This Policy refers to any operation or set of operations which may be performed on Personal Data or on sets of Personal Data.|
|Processor||Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.|
|Recipient||Recipient is a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not.|
|Sub Processor||The legal or natural person appointed by the processor to process Personal Data on behalf of the Controller.|
|Third Party||An individual or a company (i.e. consultants, agents, intermediaries, representatives, subcontractors, suppliers) that performs work, provides a service or sells goods to TM.|
Terms that are capitalized, but not defined in this Policy have the same meaning as in Trustmoore Compliance Charter and Framework.
2. Background, Scope & Purpose
TM recognizes the expectations of its Clients and Employees, and the inherent risk that has the privacy, confidentiality and security of their personal data when it resides within TM.
This Personal Data Protection Policy (hereinafter referred as the “Policy") describes the privacy practice standards of TM for mitigating the risk, regarding the processing of personal data: what type of personal data TM collects, why and how TM collects, uses and stores it; the legal basis for processing it; and TM’s rights and obligations in relation to such processing.
TM globally applies this Policy as a minimum standard for protecting Personal Data of its Clients and Employees around the world. Furthermore, each TM service provider is also in charge of ensuring the application of local regulations .
3. Types of Personal Data
The Personal Data that TM collects and processes may depend on the type and scope of the services provided:
|Services||Types of personal data|
First name and family name, address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, compensation and benefits financials, user account details, job title, Client ID, signature, bank account details.
|Human Resources and Payroll||
First name and family name, address, telephone, email, nationality, date of birth, place of birth, gender, marital status, Tax / Social / National identification number, compensation and benefits financials, user account details, job title, employee ID, Client ID, signature, bank account details, health status related data.
4. Mitigating measures regarding the risk of processing Personal Data:
4.1 Use of personal data
TM shall not process, transfer, modify, amend or alter the personal data or disclose or permit the disclosure of the personal data to any Third Party other than:
- As necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of the Client (e.g. contractual provisions), or
- As required to comply with Data Protection Laws or other laws (e.g. tax regulatons) to which TM is subject, in which case TM shall (to the extent permitted by law) inform the Client of that legal requirement before processing the Personal Data.
It is important to highlight that sometimes it may be necessary to conclude a contract, which includes Personal Data that must be subsequently processed by TM. The Data Subject is, for example, obliged to provide TM with specific Personal Data when our company signs a contract with him or her. The non-provision of Personal Data would have the consequence that the contract with the Data Subject could not be concluded.
However, before the Data Subject provides its Personal Data to TM, he or she may contact a TM employee in order to clarify the scope and purpose of this collection. The employee clarifies to the Data Subject whether the provision of Personal Data is required by law or is necessary for the conclusion of the contract, and also the consequences of non-provision of the personal data.
4.2 Storage of personal data
Personal data will be kept for the duration of the business relationship with Trustmoore and the years stipulated on local regulations for complying with all legal, regulatory and internal policy purposes. After expiration of this retention period, the corresponding data is routinely deleted.
Personal Data can be stored on Trustmoore systems, or third-party systems to which TM has been provided access to for the provision of Services. Personal data in hard copy files will be stored in locked cabinets, that can only be accessed if an employee of Trustmoore is present in that space.
4.3 Lawfulness of Processing
As a minimum legal standard, all processing of Personal Data must comply with the following general data quality principles, therefore Personal Data must be: (i) processed fairly and lawfully; (ii) collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; (iii) adequate, relevant and not excessive; (iv) accurate and, where necessary, up to date; (v) kept in an identifiable form for no longer than necessary; and (vi) kept secure.
Further, TM may only process Personal Data when either of the following legitimate purposes apply:
- Consent: The Data Subject has given consent to the Processing of his or her Personal Data for one or more specific purposes.
- Performance of Contract: Processing of Personal Data is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Legal Obligation: Processing of Personal Data is required for complying with a legal or regulatory obligation (including the laws of the financial sector, anti-money laundering and tax laws) to which TM is subject;
- Vital interest of the Data Subject: Processing of Personal Data is necessary for protecting the vital interests of the data subject or of another natural person;
- Task carried out in the public interest: Processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests: Processing of Personal Data is necessary for the purposes of the legitimate interests pursued by TM, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.
It is Trustmoore’s obligation to identify the appropriate basis for processing, and to document it accordingly using the form ‘Record of Processing Activities’ .
TM must provide Data Subjects with a privacy notice setting out how the employees or client’s Personal Data will be processed .
TM may be required to appoint certain Third Parties to provide part of the services to its Client and Employee, or assist with providing technical support, such as I.T. service providers or other suppliers. By signing the Contract or Service Agreement, depending on the case, the Employee or the Client authorises TM to subcontract the Processing their Personal Data to Subprocessors.
Subprocessors are in each case subject to the terms and conditions laid down by TM, which are no less protective than those set out in this Policy and Contract or the Service Agreement. TM will inform the Client or Employee of the details of such Subprocessor(s) upon written request from the Data Subject. TM will inform the Client or Employee in advance of any intended changes concerning the addition or replacement of Subprocessors and thereby give the Data Subject the opportunity to object to such changes. If the Client or Employee does not object in writing within five (5) days of receipt of the notice, the Data subject is deemed to have accepted the new Subprocessor. If the Client or Employee does object in writing within five (5) days of receipt of the notice, TM and the Client or Employee will discuss possible resolutions.
4.4 Joint Controller
In case Trustmoore acts as a Director of the object company, it will act as a Joint Controller and will sign the Record of Processing Activities. Since Trustmoore determines the purpose and means of the processing of Personal Data of the object company, its role as a Joint Controller together with the Client is justified. In all other cases in which Trusmoore will provide services to the Client, it will act as a Processor, within the meaning of the Processor definition.
4.5 Rights of Data Subjects
TM takes appopriate measures to comply with Data protection laws in order to ensure Data Subjects rights. In case Data Subjects have any questions, requests or complaints regarding their rights, they are encouraged to contact TM via email@example.com. A written question, request or complaint should have a clear subject related to the rights of the Data Subjects, that are listed in the Annex IV ‘Right of Data Subjects’ of this Policy.
4.6 Personal Data Breach
A breach exists in case of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. For the avoidance of doubt, even in cases where it is not certain whether any Personal Data was actually accessed, the existence of the (possibility to) access the data in question qualifies as a breach. This means that any possible access to encrypted devices of Trustmoore accompanied with an unauthorised disclosure of passwords will qualify as a data breach, unless there are security reasons justifying the access to encrypted devices. Below is a list of examples of Data Breaches:
- A USB drive with unencrypted documents containing personal data is left/lost/stolen in a public environment;
- A corporate email account is hacked or otherwise (presumably) accessed by anyone not granted access by the IT manager;
- (desktop) computers and/or servers containing personal data are stolen from (outside) the office.
4.7 Management of a Data Breach
All Data Breaches discovered or caused by employees of Trustmoore will be notified to the IT-Manager immediately and in any case within 24 hours. Where applicable an assessment will be made of the need to inform the local supervisory authority  .
If notification is required, it must be done not later than 72 hours after having become aware of it. The notification is not required in case there is no risk to the rights and freedom of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Assessment whether in case of a Data Breach there was a risk to the rights and freedom of natural persons is to be done by Data Privacy Officer in collaboration with a Compliance Officer. The data breach notification obligation reflects a risk based approach. When assessing the impact of the breach the following must be taken into account:
- Type of breach;
- Nature, sensitivity, and volume of personal data;
- Ease of identification of individuals;
- Severity of consequences for individuals;
- Special characteristics of the individual;
- Special characteristics of the data controller;
- The number of affected individuals.
All the above factors need to be carefully assessed each one separate or in combination with the others to indicate the level of the risks to the individuals.
In cases where the Data Breach is likely to be deemed high risk to the rights and freedom of natural persons, Trustmoore shall also notify the Data Subject regarding the Data Breach without undue delay. The notification must at least describe the nature of the Data Breach, the categories and approximate number of Data Subjects and records concerned, details of the contact point, the likely consequences and the measures proposed to be taken. In case Trustmoore has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialize, no notification is required.
Alternatively, whenever TM is acting as Data Processor only any Data Breach must be notified to the Data Controller - Information Security Policy.
4.8 Confidentiality and Security
TM keeps the Personal Data confidential and will ensure its staff and Sub-processors are bound by the same confidentiality obligation. TM implements appropriate technical and organisational measures to protect Personal Data; preventing unauthorized or unlawful access to it. - Information Security Policy.
4.9 Training and Awareness
Local Statutory Board supported by the CF should ensure a proper level of awareness of this Policy by means of providing trainings and awareness sessions. Each Trustmoore employee must adhere to and comply with this Policy and raise any questions and concerns with respect to this Policy to the CF.
4.10 Reporting and Escalation
Employees must report instances of non-compliance with this Policy to their line manager who reports to Local Statutory Board. Material issues must also be reported to the Global Risk and Compliance Board. Local authorities together with the regulator should be informed in accordance with local rules.
In case hierarchical reporting is not possible or appropriate, Trustmoore employees may report a (suspected) incident or a concern via the whistleblowing channel in accordance with Trustmoore Whistleblowing Policy.
This Policy also applies to the collection of Personal Data through our website. With regard to the collection of Personal Data through Cookies.
6. Roles and Responsibilities
- The Board - approves this Policy and oversees its implementation on Trustmoore level.
- Local Statutory Board - responsible for the proper implementation of this Policy at the local level, proper level of awareness and for ensuring that personal data privacy is adequately addressed by means of allocating appropriate resources for the day-to-day management of Personal Data.
- Employees - responsible for ensuring personal data privacy in his/her daily work and for complying with this Policy by following the rules, attending compliance training and awareness sessions.
- Compliance Function (the “CF”) - responsible for providing an oversight, guidance and monitoring with regards to the rules and requirements of this Policy in accordance with the Compliance Charter.
- Audit Function – responsible for providing an independent review of the activities performed by the 1st and 2nd lines of defence in connection with this Policy.
This Policy is a Level I Policy that provides a global de-minimis norm that will be adopted by and implemented in all entities of the Trustmoore Group. Variations in accordance with local procedures are permitted in a Level II policy in accordance with the Group Corporate Governance Policy to the extent that they process Personal Data.
The CF is responsible for amending this Pesonal Data Protection Policy in order to remain compliant with any changes in law and/or to reflect how our business processes personal data. This version was created on 18 March 2020. The most recent version is available at TM.com, as well as on the local Trustmoore websites in each country where we operate.
 Controller, Joint Controller and Processor are terms based on the GDPR, which will be only used for Curaçao in those cases where GDPR is applicable.
 For TM entities outside the EU, the Record of Processing Activities will be only mandatory in those cases where GDPR is applicable.
 For TM entities outside the EU, the application of this varies depending on their local regulation.
 This section shall not apply to TM entities with no relevant local regulation regarding data breach notification obligation and data authorities. In the aforementioned TM locations, all Data Breaches discovered or caused by employees of TM will be notified to the Local Statutory Board and CF immediately, and in any case within 24 hours. Where applicable, an assessment will be made of the need to inform the local supervisory authority.
ANNEX I: Data protection authorities and legislation
|Data protection authorities and legislation|
|Bulgaria||Commission for Personal Data Protection||https://www.autoriteitpersoonsgegevens.nl/||https://www.cpdp.bg/en/index.php?p=rubric&aid=2
|Curacao||Data Protection Board (College Bescherming Persoonsgegevens)-not yet appointed||https://irp-cdn.multiscreensite.com/9e98b338/files/uploaded/Landsverordening-bescherming-persoonsgegevens-Curacao-4-9-2010.pdf
|Cyprus||Office of the Commissioner for Personal Data Protection||http://www.dataprotection.gov.cy/||http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/page3b_en/page3b_en?opendocument|
|Gibraltar||Gibraltar Regulatory Authority||https://www.gra.gi||https://www.gra.gi/data-protection/legislation|
|Hong Kong||Privacy Commissioner for Personal Data||https://www.pcpd.org.hk/||https://www.elegislation.gov.hk/hk/cap486!en-zh-Hant-HK.pdf?FROMCAPINDEX=Y|
|Ireland||Data Protection Commission (DPC)||https://www.dataprotection.ie/||https://www.dataprotection.ie/en/legal/data-protection-legislation
|Luxemburg||Commission Nationale pour la Protection des Données||https://cnpd.public.lu/en.html||https://cnpd.public.lu/en/legislation/droit-lux.html|
|Malta||Office of the Information and Data Protection Commissioner||https://idpc.org.mt/||https://idpc.org.mt/en/Pages/dp/legislation.aspx|
|United Kingdom||Information Commissioner’s Office (ICO)||https://ico.org.uk/||https://www.gov.uk/data-protection|
|Singapore||Personal Data Protection Commission Singapore||https://www.pdpc.gov.sg/||https://www.pdpc.gov.sg/Legislation-and-Guidelines/Legislation|
ANNEX II: Right of the Data Subjects
a) The right to be informed: Data Subjects have the right to be informed about the collection and use of their personal data. In case they have question, a request or a complaint regarding their rights, they are encouraged to contact TM via firstname.lastname@example.org.
b) The right of access: Data subjects will have a right to access copies of their personal data by making a written request to the controller. The initial request is free, though a charge can be made for subsequent requests. Controllers can refuse the request if it is manifestly unfounded or excessive. The response must be provided within a month, though this can be extended by two months if the request is complex.
c) The right to rectification: Data Subjects have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her.
d) The right to erasure (right to be forgotten): Data Subject can ask that their data be deleted in certain circumstances. However, those circumstances are relatively limited, for example where the processing is based on consent, that consent is withdrawn and there are no other grounds for processing. Even where the right does arise, there are range of exemptions, for example where there is a legal obligation to retain the data.
e) The right to restrict processing: Data Subjects have the right to request the restriction or suppression of their Personal Data in certain circumstances/
f) The right to data portability: Data subjects will also have a right to data portability where the condition for processing Personal Data is consent or the performance of a contract. It entitles individuals to obtain any personal data they have “provided” to the controller in a machine-readable format. Individuals can also ask for the data to be transferred directly from one controller to another.
g) Right to object: A Data Subject can object to their Personal Data being processed for direct marketing purposes at any time. This includes the processing of their personal data for profiling purposes.
h) Rights in relation to automated decision making and profiling: TM can only carry out this type of decision-making where the decision is:
i. necessary for the entry into or performance of a contract;
ii. authorized by Union or Member state law applicable to the controller;
iii. or based on the individual’s explicit consent.