Privacy Policy - Summit Group

Introduction

The Summit Group operates in multiple jurisdictions, through our member companies, which are all subject to their own data protection and privacy requirements, listed below. We keep our Privacy Statements and Notices under regular review and any updates will be posted on our website in the most recent version.

CAYMAN ISLANDS

Summit Trust (Cayman) Limited Privacy Statement

Summit Trust (Cayman) Limited (“STCL”) is subject to the Data Protection Law, 2017 in the Cayman Islands (“the DPL”), which took effect on 30th September 2019. STCL is a data controller for the purposes of the DPL and any settlor, beneficiary, enforcer or protector who is in a trust-based relationship with STCL will be a data subject as defined in the DPL as will any person having a contractual relationship with STCL. STCL collects and processes certain personal data in order to fulfil its legal duties and responsibilities as trustee or as company manager or agent; it does not transfer such data for marketing purposes. STCL may transfer personal data to third party professionals or financial institutions as a consequence of the services it provides or to other companies in the Summit Trust Group in connection with the purchase of administration services or to comply with international tax reporting obligations.

The personal data that is typically collected include an individual’s name, address, date & place of birth, nationality, tax residency, taxpayer identification numbers, contact details, personal financial information, educational information and bank details. In some cases other information may be sought and processed.

Data subjects have various rights under the DPL. Reference to the DPL should be made for details of the individual rights of data subjects. Data is retained in accordance with the DPL and certain information will be kept for 5 years after the termination of a business relationship.

All requests concerning data protection and any complaints should be made to privacy@summittrustgroup.com, and we will do our utmost to revert to you within a month of receiving your correspondence.

This policy statement may be revised from time to time in accordance with the law and in the light of regulations issued by the Information Commissioner in the Cayman Islands.

GUERNSEY

Summit Trust Guernsey Limited Privacy Statement

Summit Trust Guernsey Limited and its affiliated companies (which we refer to in the rest of this statement collectively as “Summit Trust Guernsey“, “we” or “us“), as data controllers, are dedicated to safeguarding your personal information. This privacy statement contains an explanation of what happens to the personal data that we collect from you or about you. Please read it carefully and ask us about anything that you do not understand.

INFORMATION WE COLLECT AND ITS USE

We are required by law to verify the identity and activity of clients, potential clients and people with close connections to them. We must do this to reduce the risk of our services being used for illegal purposes.

If you apply to use our fiduciary services, we may ask for extensive personal information from you. By law, we may also collect personal information on people who have a close connection to clients and people applying to be our clients. If a potential client applies for us to provide services to their company, we must collect information about that company’s owners, directors, officers and agents. If a potential client applies for us to provide services to their trust, we must collect information about its settlors, beneficiaries, enforcers and protectors. If a potential client applies for us to provide services to their foundation, we must collect information about its guardians, founders, members and agents. If you are any of these people or someone else who has control or a close connection to one of our clients, then we may need to collect information about you. If you become one of these people due to a change in a company, trust or foundation to which we provide services, then we may also need to collect information about you. If you are not our client or an applicant, we may ask the client or applicant for your information if we cannot obtain it from you.

The personal information that we may request includes your name, addresses, telephone numbers, nationalities, date of birth, tax residency, length of residence, tax and social insurance numbers, passport numbers, marital status, wealth and business activities. We may also ask for some of this information about your family members and associates. We may also ask you if you have political, military or judicial roles or connections. We may also ask if you have connections with regulatory or criminal infractions or investigations, or with activities that have a high risk of being associated with regulatory or criminal infractions. We may ask for copies of official documents that prove your identity and place of residence.

We will use the information that we collect to conduct background checks on you. We may search for information about you, both on publicly-available internet search engines and in subscription-based databases that keep records of people involved in illegal or risky activities. This information will help us decide whether to do business with you or the person or body that you are connected with. If you or the person or body connected to you becomes our client, we will repeat these background checks periodically. The information will help us decide whether to continue to do business with you or the person or body connected to you, or whether to change the type of services that we provide. If you do not provide us with the information that we request, we may refuse to accept you or the person or body connected to you as a client, or terminate our services if you or they are existing clients. This information will be kept on file for as long as required by law and our regulator, even after you, or someone connected with you, stops doing business with us.

Political opinions and criminal data are “special category data” which requires your permission for us to collect, use and keep in our files. Your application to use our services, or your agreement to be bound by this privacy statement, includes your agreement that we may collect and keep “special category data” about you, and in particular about your political connections and any connection to criminal activity, for as long as we are required by the laws and regulations that apply to us. You may withdraw this agreement at any time. If you withdraw your agreement, or someone connected with you withdraws their agreement, we may be forced to terminate our services.

Our services as a licensed fiduciary may require us, both by law and under contract, to act on behalf of our client or in the best interests of our client. If you are our fiduciary client, or if we have a duty to act in your best interests, we may use personal information that we have about you to judge how best to act on your behalf or in your interests.

We are required by laws and regulations that apply to us as licensed fiduciaries to keep accurate and updated client records, which we may need to demonstrate to our regulator from time to time. This means that we may need to keep your personal information in our files for the length of time satisfactory to our regulator or those authorised by our regulator to inspect our files. These inspections are kept confidential as required by laws and regulations.

We may receive requests for your personal information from people or firms dealing with you or a company, trust or foundation connected to you. For example, bankers, agents, accountants, auditors, lawyers, fund administrators, financial advisors and other professionals may be required by law to have your personal information to verify your identity before providing their services. We may provide such information to them if we have been authorised by you. We may also provide such information if we have been authorised or required to act on your behalf or in your interest as part of our fiduciary duty or our contractual services, or if we are required or permitted by law.

If we are setting up a company, trust, foundation or other body outside Guernsey for you or a company, trust or foundation that is connected to you, we will need to send your personal information to an agent outside Guernsey.

Guernsey, the United Kingdom and the Crown Dependencies have data protection laws equivalent to the European Union, but this is not true of every country or territory outside the European Union. If we send your data outside the European Union or somewhere without equivalent laws, you may not have the same rights to protect your data there, or as many ways to stop or punish those who misuse your data. It is your right to know if any country or territory where we send your data has equivalent data protection laws to Guernsey, or what other safeguards for your data exist.

We do not make decisions based on the automated processing of your personal data. If we ever intend to do so in the future, we will let you know the reason for doing so and your rights in relation to such processing.

STORING YOUR PERSONAL DATA

Except as required by law or our regulator, we will generally keep your personal information as long as we need it to reply to your queries or, if you are a client or connected to our client, for as long as we need it to provide the client services. We also have a document retention policy of keeping records for an additional number of years after our relationship with you is over, to make sure that we have fulfilled all of our fiduciary and contractual duties and that the documents are not needed to resolve disputes or legal issues. This retention is both for our protection and yours, to balance our legitimate interest and the need to properly conclude our relationship with you. If you would like details on our retention policy at any time, please contact us by email or post.

ACCESS TO INFORMATION

You may request us to confirm whether or not we are holding personal information about you. You may request a copy of any personal information that we hold about you. Please contact us by email or post if you wish to make such a request. The first copy of your information is free of charge, although we reserve the right to charge a fee if the request is excessive.

Guernsey fiduciary law protects the confidentiality of certain information which may limit your general right of access.

You have the right to ask us to correct any incorrect or incomplete information, or update out-of-date information that we have about you. If you would like to make this request, please send us an email explaining what information that you believe is incorrect, incomplete or out of date, and how you believe that it should be corrected, completed or updated. You may request that we not use information until having determined if it needs correction or updating. If we no longer need information that is incorrect or out of date, you may ask us to delete it. You may also ask us to delete incorrect or out of date information that we need your consent to keep or that we do not hold in accordance with the data protection laws. If we have shared your incorrect or incomplete information with third parties, you may ask us to have it corrected or completed, if it is practicable and proportionate to do so.

You may ask us to provide you with your personal information in a commonly-used, machine readable format of any of your personal information that we process automatically, if you ever switch from our services to another provider. This will not apply to information that we have in our files which we must keep by law, such as our background checks on you.

FURTHER INFORMATION

If you have any queries, comments or requests regarding this Privacy Policy, please contact the data controller at datacontroller@summit-group.com or by post at P.O Box 357, Level 5, Mill Court, La Charroterie, St Peter Port, Guernsey GY1 3XH. If we have appointed a data protection officer, he or she may be contacted at this address.

Your personal information is protected by the Data Protection (Bailiwick of Guernsey) Law, 2017. If you believe that we have not respected (or will not respect) your rights under this law, you may make a complaint to Guernsey’s Data Protection Authority. Decisions of the Data Protection Authority can be appealed in court.

JERSEY

Garfield-Bennett Trust Company Limited Privacy Statement

INTRODUCTION

This Privacy Policy, describes how we process personal information received during the course of our business. This Policy may be amended from time to time and new versions will be published on this page.

WHO WE ARE

This Privacy Notice applies to all personal information processing activities carried on by the businesses of Garfield-Bennett Trust Company Limited and its affiliates “GBTC”. It also extends to directors and employees who act as data controllers on behalf of GBTC. GBTC is the data controller of all personal information you provide during your relationship with us.

Garfield-Bennett Trust Company Limited also trades as Garfield-Bennett and GBTC.

Our business address is First Floor, Durell House, 28 New Street, St. Helier, Jersey JE2 3RA.

Our services are not offered to any person in any jurisdiction where their advertisement, offer or sale is restricted or prohibited by law or regulation or where we are not appropriately licensed.

GBTC is registered under the Data Protection (Jersey) Law 2018 (the “Law”). GBTC will process personal information in accordance with the provisions of the Law.

GBTC is regulated by the Jersey Financial Services Commission in the carrying on of Trust Company Business and Funds Services Business.

KEY DEFINITIONS

For clarification the following items are defined:

“Clients” means the persons defined as “Clients” in GBTC’s Terms of Business;

“Law” means the Data Protection (Jersey) Law 2018, as amended, and other applicable laws and regulations;

“Entity” means a trust, company, foundation, fund or other entity which GBTC forms, manages or to which GBTC provides Services.

THE INFORMATION WE PROCESS

We collect and process various categories of personal information at the start of and during your relationship with us. We limit the collection and processing of information to information necessary to achieve one or more legitimate purposes as identified herein. Personal information may include:

Identification information such as name and residential address, date of birth, occupation, contact details; signature, marital status;
Photographic images (through copies of passports or other forms of ID);
Information about you such as your occupation, profession, any disputes or legal proceedings you may be involved in;
Information about your family (including spouse, dependants and next of kin), lifestyle etc. including connections with politically exposed persons;
Financial information including personal wealth, assets and liabilities, income and expenditure, education, qualifications and employment information, financial needs and considerations together with information to make payments and transactional history; and
Information on goods and services that we provide you together with associated information on billing and fee collection.

We may collect personal information relating to the beneficiaries or potential beneficiaries of a trust without their knowledge or consent, but only where we are lawfully permitted to do so, for example under Article 47 of the Law which gives certain exemptions to trustees in relation to transparency, or if it is in the legitimate interest of such beneficiaries or potential beneficiaries. In cases where we hold information on beneficiaries, we normally only hold minimal identity information, such as their name, date of birth and relationship to the trust or settlor or other relevant parties and, for minor beneficiaries, their parents’ contact details. On occasion, we may be provided with information relating to potential beneficiaries such as copies of passports and verifications of address and other information considered to be relevant to the nature of the trustees’ discretions which we keep on file in the legitimate interests of that beneficiary.

We may also collect special category information for specific and limited purposes such as detecting and preventing financial crime or making decisions as trustee. We will only process special category information where we have your specific consent or are otherwise lawfully permitted to do so, for example due to the legitimate interest of a beneficiary or potential beneficiary. Examples of special category information that we may collect include:

Physical or psychological health details and/or medical conditions;
Information about racial or ethnic origin; or
Religious or philosophical beliefs.

Where permitted by law, we may process information about criminal convictions or offences and alleged offences for specific purposes. Primarily this is to enable us to perform and record checks to prevent and detect crime and comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption and international sanctions. It may involve investigating and gathering intelligence on suspected financial crime, fraud and threats and sharing data with law enforcement and regulatory bodies.

HOW WE OBTAIN INFORMATION

Individuals provide us with personal information when they apply for services using our application forms and throughout the business relationship in various ways, including through correspondence, telephone calls and meetings and undertaking transactions with you or between you and relevant Entities.

We may obtain information from third parties including third parties who provide services to your Entities and other parties such as family members connected with the Entity. If you provide information in respect of a third party, we may need to make them aware of how their information was obtained. However, we do not make potential beneficiaries aware of information we hold relating to them unless it is considered necessary and relevant to do so.

To check the identity of an individual and to prevent or detect fraud or money laundering we may also search the files of address validation directories, the electoral register, internet databases (and similar) and may contact an individual’s referees, bankers, persons certifying or providing relevant documentation or information, to confirm details given to us and may make such other enquiries of relevant third parties e.g. of another financial institution or party providing funds, as we deem necessary either in connection with our take-on process or at any other time in connection with the provision of Services to you.

USE OF YOUR INFORMATION

• Legitimate interests

Under the Law, we may process your information where it is in our legitimate interests to do so as a business, as long as it does not prejudice your interests and fundamental rights and freedoms. We process the personal information of Clients and persons associated with Entities because it is in our legitimate interest to do so in order to run a business providing services to Clients or to Entities.

In most circumstances, our legitimate interest to process your personal data aligns with your interest to be able to avail yourself of our services or benefit from Entities that we manage. We need certain personal data in order to provide services and undertake transactions on your behalf or for your benefit. In other words, being able to process your data is usually in both of our interests.

We continually seek to develop and improve as an organisation, adapt our services to the commercial and legal environment and offer the most appropriate and beneficial services to Clients, Entities and those who benefit from Entities. To achieve this, we may need to process your information to enable us to send you relevant updates and information about services we offer. We may also use your information to assist us to monitor and review Entities under management to assess the performance and effectiveness of products and services, undertake staff training, analyse customer complaints and shortfalls in standards and risk management generally. Our legitimate interest to process your personal data to ensure that we review and assess services and inform you of options, updates and changes that may benefit you, aligns with your interest in remaining informed of such options, updates and changes which in turn will assist you to make informed choices in relation to services you require. You can always indicate you do not want to receive updates and information from us and such notice will override the legitimate interest and your information will be excluded from processing until you indicate your consent.

• Other lawful bases for processing

Whilst we consider that our legitimate interest provides us with a lawful basis for processing most of your data, we may also rely on the following lawful bases to process data:

Processing data to fulfil a contractual obligation: the contractual arrangements that we enter into on behalf of Entities may give rise to certain contractual obligations in relation to how we use your personal information, including obligations to share information with third parties such as banks and other regulated financial institutions providing services.
Processing data to fulfil a legal or regulatory obligation: we may be required to process data to fulfil a legal or regulatory obligation, for example, to meet our obligations to verify the identity of an individual, for the purposes of participating in any proceedings, enquiries or disputes arising from the business relationship with an individual and to meet our international reporting obligations as provided in paragraph 12 below.

• Using Data as Processor

GBTC also processes data on behalf of Clients and/ or Entities, for example if we provide services to an entity which is itself a data controller. Data we process may include information about officers and other parties associated with underlying investments as well as tenants of properties and suppliers. GBTC processes information and screens such parties to ensure there is no risk known in the public domain with regard to money laundering or sanctions.

HOW LONG WE KEEP YOUR INFORMATION

Following the termination of the business relationship to which an individual is connected, in order to satisfy legal requirements in Jersey we will normally keep all personal information for a minimum of 10 years from the date of termination. At the expiration of the 10-year period, if there are outstanding proceedings, enquiries or disputes concerning that business relationship, we will keep the records of connected Individuals for such additional time as is reasonable in all the circumstances and otherwise we shall destroy your records in such a manner as we see fit.

HOW WE PROTECT YOUR PERSONAL INFORMATION

We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. Our processes for security include organisational and physical security measures as well as protection of networks and information systems.

Unencrypted email is not secure. We recommend that where possible you use a secure email function or contact us to find out your options for secure communication with us. We never recommend you include personal or confidential information in an unencrypted email.

If you receive an unsolicited call that claims to be from Garfield-Bennett which you do not recognise, do not continue but instead call back our general telephone number (or the mobile phone of your usual contact).

We will not rely on information for the purposes of transactions without verifying it with you in person.

DISCLOSING OR TRANSFERRING INFORMATION TO THIRD PARTIES

Personal information of an individual is confidential and we will only disclose that information in the following situations:

with an individual’s consent or, if the individual is a minor, with the consent of the individual’s parent or guardian;
to third parties who are providing a service directly to the Entity, for example financial institutions which provide banking or investment services;
to persons acting as our agent for the provision of services;
if we are obliged to do so, by regulations or law or pursuant to an order of a competent court, government department, regulatory authority or auditor or to meet our regulatory or legal obligations;
if we consider that disclosure is necessary for GBTC to fulfil its internal policies and its regulatory obligations in respect of anti-money laundering, combatting terrorist financing, anti-bribery and anti-corruption legislation and such other regulations and laws that may apply from time to time;
if we consider that disclosure is necessary to defend ourselves in any legal action threatened or brought against us or any Entity; and
where failure to disclose information would expose GBTC to civil liability or the risk of prosecution in any jurisdiction.

TRANSFERRING INFORMATION OVERSEAS

Most of the information we hold on you will be used and stored in Jersey and Guernsey. We will only transfer data to persons in jurisdictions that do not have equivalent data protection laws, with consent or in such manner which is otherwise compliant with the Law.

USE OF DATA PROCESSOR

GBTC uses Clarity Limited which is based in Guernsey as its principal data processor (the “Data Processor”). The Data Processor is responsible for the provision of our network platform and for all operational support with regard to our IT systems processing, including arrangements for back-up and disaster recovery. The Data Processor may not make any decisions on day to day data management and accuracy, may not perform any data processing for its own purposes and shall only store and retain the personal data in accordance with the contractual arrangements established by GBTC as data controller.

GBTC also uses other data processors for screening services using limited information or information processed on a one-off temporary basis. It also uses an external data processor to collate information for tax returns.

Each data processor will be subject to a legal agreement and may not enter into any sub-contract arrangements without the prior knowledge and consent of GBTC.

AUTOMATIC EXCHANGE OF INFORMATION

If Jersey enters into any agreements with other jurisdictions for the automatic exchange of tax or other information, we may be required to collect and disclose reportable information in respect of an Individual or Entity or other relevant person connected to the individual or Entity, to foreign tax or governmental authorities either directly or via relevant Jersey statutory bodies. This obligation to obtain, disclose and exchange reportable information extends beyond the ultimate beneficial owner of the Entity to other relevant parties such as the directors, minority shareholders and persons who receive certain payments from the Entity.

MARKETING

Unless you have told us not to we will send you marketing information relating to our services that we think will be of interest and relevant to you. It is our legitimate interest as a business to process personal information to communicate with you regarding issues, developments and topics that may be of interest to you. If you change your mind and no longer wish to receive these communications, please exercise your right.

GBTC does not share information with third parties for their own marketing purposes without your express permission.

YOUR RIGHTS

You have rights under the Law which are summarised below together with the circumstances in which they arise. As we are a regulated business such rights cannot override our legal obligation to hold certain minimum data and information about our customers. If this information is not available, we will not be able to continue to provided services. If you wish to exercise your rights or have any other queries about the use of your personal information then please speak to your usual contact at GBTC or contact the data protection officer using dpo@garfieldbennett.com.

Under the Law, you have the following rights:

Right of access to personal data – If you would like to access your personal data please send a written request to: the Data Protection Officer, Garfield-Bennett Trust Company Limited, First Floor, Durell House, 28 New Street, St. Helier, Jersey JE2 3RA or to dpo@garfieldbennett.com. Please note for your security we may need to verify the request and depending on the nature of the request we may need to collect more information as to your specific requirements.

Right of rectification – You have a right to rectification of inaccurate personal information and to update incomplete personal information. If you believe something we hold is inaccurate please contact us so we can correct the information. We may require supporting information to ensure such changes are valid. We can provide more information if required.

Right of erasure – You have a right to request that we delete your information but please note that this may impact on the services we can provide and certain information is held in order to comply with our legal and regulatory obligations and cannot therefore be deleted if transactions have taken place. We can provide more information if required.

Right to restrict processing – You have a right to request us to restrict the processing of your personal information but please note that this may result in us having to suspend the operation of your Entity or transactions.

Right to objection – You have the right to object to us processing your personal information (and restrict processing, see above) unless we can demonstrate compelling and legitimate grounds for the processing which may override your own interests or where we need to process your information to investigate and protect us or others from legal claims.

Marketing – You have a right to object to direct marketing.

Withdraw consent – You have a right to withdraw consent where we rely on your permission to process your personal information. Please note that this may result in further operation of the entity or transactions may not be possible for legal reasons.

Lodge complaints – You have a right to lodge a complaint in the first instance we recommend you contact our Data Protection Officer who will investigate the matter. We would hope to be able to address your concerns but you can always contact the Jersey Information Commissioner. For more information, please visit wwww.dataci.je.

SAUDI ARABIA

Sanctuary Business Services LLC

CLIENT DATA: PRIVACY NOTICE CONCERNING PERSONAL DATA PROCESSED

1 Introduction

This Privacy Notice ( the “Notice”) describes the ways in which Sanctuary Corporate Services FZ LLC, a member of the Summit Group, through its Dubai branch office and the legal entities listed in Annex 2 (together the “Company”, “our” and “we”) processes and protects the personal data of our clients, individuals related to our clients and other business contacts.

The Company is committed to the protection and promotion of individual privacy. This Notice specifically provides relevant information about the Company’s processing of our clients’ (“you” and “your”) personal data in the United Arab Emirates and the Kingdom of Saudi Arabia. In connection with your use of our Services (see below), it is necessary for the Company to collect, store and use personal data about you for specified purposes in order to provide the Services. The Company complies with the Data Protection laws of the countries where it is established, being the UAE and KSA and other applicable data protection laws, such as the Federal Decree Law No. 44 & 45/2021 (as may be amended and/or supplemented by further implementing regulations) (“UAE DPL”), the ADGM Data Protection Regulations 2021 (“ADGM DPR”) and the Royal Decree M/19 of 9/2/1443H, Cabinet Resolution No. 98 of 7/2/1443H (as may be amended and/or supplemented by regulatory guidelines issued by the Saudi Authority for Data and Artificial Intelligence in the Kingdom of Saudi Arabia) (“PDPL”).

It is important that you read and understand this notice to understand how we will process your personal data and your rights.

2 Identity of the Data Controller

The Company is responsible for handling your personal data and is the data controller in respect to your personal data. Our contact details are set out in Section ‎11 below.

3 Purposes for Processing Personal Data

We process data that as a provider of corporate services, personal and business administration, tax advice and related services (the “Services”) from our branches and offices in the United Arab Emirates (the “UAE”), the Abu Dhabi Global Market (the “ADGM”) and the Kingdom of Saudi Arabia (the “KSA”).

The Company processes personal data relating to you necessary for the performance of the agreement with the Company for the Services. The Company endeavors to safeguard personal information and will only collect personal information that is required in order to effectively provide these Services, pursue its legitimate business interests and/or to remain in compliance with all applicable laws.

Where applicable, we will let you know at the time of the data collection, if the provision of the personal data is a statutory or contractual requirement and whether you are obliged to provide personal data and the possible consequences of the failure to provide such data.

4 How we may collect your Personal Data

We use different methods to collect personal data from and about you including through:

Direct interactions

You may give us your Identity, Contact, Profile and Financial Data by filling in forms or by corresponding with us by post, phone, messaging service, email or otherwise.

This includes personal data you provide as part of the provision of:

(a) applying for our Services;

(b) engagement of our Services;

(d) registration or creation of an account on our website;

(d) communications with us, including email, post, telephone, and social media;

(e) networking;

(f) requesting marketing to be sent to you;

(g) you entering a promotion or survey; or

(h) you giving us feedback or contacting us.

Third parties or publicly available sources

We may obtain personal data about you from various third parties and public sources as set out below:

(a) Contact, Financial and Transaction Data from providers of technical, or payment services;

(b) Identity and Contact Data from data brokers or aggregators, including specialist databases used to comply with our legal and regulatory obligations under applicable anti money laundering and counterterrorism laws, trade organizations or exhibition organizers; and

5 Categories of Personal Data that we Process

The categories of personal data that the Company processes about its clients are set out in Annex 1 to this Notice, which also identifies the lawful basis for the processing, including where the processing is for the Company’s pursuit of its legitimate business interests.

The data in which the Company processes may include Sensitive Personal Data, as defined under applicable laws, and to the extent allowed therein. Such Sensitive Personal Data may include data about:

(a) Race or ethnicity or religious beliefs (where relevant to the Services); or

(b) Health or illness.

Your data may be sourced in multiple ways, including, but not limited to: from you or representatives authorized to provide such information on your behalf; information made available in the public domain (e.g., websites, social media, news articles, public statements, interviews, etc.); and through business dealings with third parties.

6 Recipients of Personal Data and International Transfers

The Company may disclose your personal data to certain third parties. The following is a non-exhaustive list of recipients to whom your personal data may be transferred:

Subsidiaries, affiliates and parent companies of the Company;
Service providers;
Regulatory authorities;
Third party intermediaries;
Legal and other professional advisors; and
Prospective purchasers of the Company or Company assets.

The Company is a member of the Summit Group. As a result, we may share your personal data with other companies in the Summit Group as well as with external third parties in order to provide our Services and otherwise in connection with the running of our business, including to enable us to comply with our legal obligations.

Where we share your personal data with selected service providers and/or third party intermediaries who are engaged by us to assist us to provide our Services or with the running of our business, we ensure that these service providers and/or third party intermediaries are bound by law and/or contract to protect the confidentiality and security of personal data and to only use the personal data to provide the requested services to us and in accordance with applicable law.

Some of the companies in our group are located outside of the UAE, the ADGM and/or the KSA in territories that do not have the same level of protection for personal data as within the UAE, the ADGM and/or the KSA, and some of our external service providers may process your personal data outside of the UAE, the ADGM and/or the KSA. If and when transferring your personal data outside the UAE, the ADGM and/or the KSA, we will only do so when we have an appropriate mechanism or safeguard in place, including:

the transfer is to a country that has been the subject of an adequacy decision by the European Commission, the UAE Data Office, the ADGM Office of Data Protection and/or the Saudi Data & AI Authority (as may be applicable);
in relation to the KSA, we may transfer data outside the KSA subject to appropriate safeguards being in place (provided the regulatory requirements in the relevant country do not prejudice your privacy or our ability to enforce appropriate safeguards). This may comprise (i) binding common rules, (ii) standard contractual clauses (in accordance with a standard form to be issued by the competent authority in the KSA), (iii) certifications of compliance or (iv) binding codes of conduct; or
the transfer is covered by a contractual agreement, which covers the applicable law requirements relating to transfers to countries outside the UAE, the ADGM, the KSA and/or the EEA (e.g., ICO’s International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses or if the service provider is in the US, it has self-certified to the EU/US Privacy Shield Framework).

These transfers of your personal data may be made subject to the above-mentioned safeguards, and/or where the transfer is occasional and necessary for the performance of a contract or the implementation of pre-contractual measures between you and the Company. Additionally, where it is in your interests, we may also transfer data belonging to you that is necessary for the performance/conclusion of a contract between the Company and a third party.

The Company may choose to sell, transfer, or merge parts of its business, or its assets or Company may seek to acquire other businesses or merge with them. During any such process, the Company may share your data with other parties. The Company will only do this if they agree to keep your data safe and private.

7 Your Rights

You have the following rights:

to obtain access to your personal data – you may request information on how your personal data is handled by us and request a copy of such personal data;
to request that we correct or update your personal data if it is inaccurate or out of date;
to object to the processing of your personal data for the purposes of our legitimate interests, unless we:
1. demonstrate compelling legitimate grounds which override your right to object; or
2. the processing is necessary for the establishment, exercise or defense of legal claims;
to ask us to erase your personal data held by us, for example:
1. which is no longer necessary in relation to the purposes for which it was collected;
2. to the processing of which you object; or
3. which may have been unlawfully processed by us;

e. to ask us to this restrict processing by us, for example:

where you would like us to verify the accuracy of the data; or
where you object to the processing of it by us on the basis of legitimate interests (see para ‎7‎c) above) pending verification of whether we have overriding legitimate grounds to process the data; and

f. to ask us to transmit personal data, you submitted to us back to you or to another organization in certain circumstances.

The right to erasure and to restrict processing listed above may not apply or may be limited in certain circumstances, such as where the processing is necessary for compliance with our legal obligations or the establishment, exercise or defense of legal claims.

Where the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time, but this will not affect the lawfulness of processing based on your consent prior to withdrawal.

These rights are not absolute and may be subject to certain conditions under the GDPR, UAE DPL, ADGM DPR and/or the PDPL (as may be applicable). Should you wish to exercise any of these rights, please contact Company using the details in Section 11.

8 Retention of Personal Data

The Company will keep and process your personal data only for as long as is necessary for the purposes for which it was collected in connection with the Services, unless the Company has a legal right or obligation to retain the data for a longer period, or in order to establish, exercise, or defend potential legal claims.

9 Automated Decision-Making

We do not envisage that any decisions will be taken about you using solely automated means. We will notify you if this changes.

10 Complaints

We strive to process your personal data in accordance with the applicable legal obligations but if you have any complaint(s) in that regard, please address your complaint(s) using the contact details set out in Section 11.

You also have the right to lodge a complaint with a supervisory authority for data protection in your jurisdiction. We ask that if you are not happy with how we handle your personal data that you reach out to us in the first instance so that we can try to provide you with a satisfactory resolution to your request.

11 Contact Details

If you have any questions about this Notice or information we hold about you, please email us on ask@sanctuary.ae, or write to us below.

Sanctuary Corporate Services FZ LLC
Suite 902, 9th floor
Control Tower
Motor City
Dubai, UAE

We may update this Notice periodically. Where the changes made are material, we will inform you of these.

Annex 1: Categories of Personal Data and Grounds for Processing

The Company will process the following categories of personal data based on specified lawful bases for processing under the GDPR, UAE DPL, ADGM DPR and/or the PDPL as may be applicable. Key examples of data and the legal bases for processing are set out below:

1 Personal data necessary for the performance of the agreement with the Company for the Services:

Contact Details
1. Name
2. Personal Contact details (personal email address, phone numbers, physical address etc.)
3. Contact details of managers, legal and professional advisors; and
4. Travel Information (e.g. passports etc.)
Government-issued KYC documents/ Due diligence
1. Passports;
2. Certificate of incorporation;
3. Banking Details, including bank statements, name of banking institution(s), and account and/or routing numbers for deposits or electronic transfers (i.e. wire transfer);
4. Property title deeds; and
5. Wills.
Tax records and any other tax related documentation necessary for the performance of the Services (e.g. VAT Number.)
Transaction Data including details about services you have purchased from us or your visits to our premises.
Profile Data including your username and password, purchases or orders made by you, your interests, preferences (including details about your personal likes and dislikes as identified during your visits to our premises), feedback and survey responses.
Usage Data including information about how you use our website, products and services.
Marketing and Communications Data including your preferences in receiving marketing from us and our third parties and your communication preferences.

2 Personal Data necessary to comply with Company’s legal obligations

Some examples legal obligations include:

Record-keeping and reporting obligations;
Conducting audits, compliance with government inspections and other requests from government or other public authorities; and
Responding to legal processes, pursuing legal rights and remedies, defending litigation, managing any internal complaints or claims, and conducting investigations (e.g., processing personal data in response to a court order).

The categories of personal data collected may include:

Records of payments received and/or disbursed to you;
Tax records;
Contracts, deal memos, or other agreements; and
Contact details.

Personal Data processed where necessary for the purposes of pursuing the legitimate interests of the Company or a third party.

Personal data will only be processed with regard to pursuing legitimate interests of the Company or a third party where appropriate and where such legitimate interest is not overridden by your rights and freedoms.

Some examples of the Company’s legitimate interests include:

Mergers and acquisitions with other companies;
Dealings with prospective purchasers of the Company or its assets;
Improvement of the services provided to our clients, invoicing for our services or dealing with complaints;
To pursue or defend against legal claims; and
Business dealings with subsidiaries, affiliates, and parent companies of the Company.

3 Processing of Special Categories of Personal Data

As mentioned in Section 5 of the Notice above, we may process certain personal data which are considered to be Sensitive Personal Data under the GDPR, UAE DPL, ADGM DPR and/or the PDPL. The categories of data include:

(a) Race or ethnicity or religious beliefs (where relevant to the Services); and

(b) Health or illness.

Annex 2 – Legal Entities

DLK HOLDINGS LIMITED
3520ResCo-work04,
35, Al Maqam Tower, Adgm Square,
Al Maryah Island,
Abu Dhabi, UAE

ELEMENTS GROUP LIMITED
C/o SANCTUARY CORPORATE SERVICES FZ LLC – DUBAI BRANCH
Suite 902, 9th floor,
Control Tower
Motor City
Dubai, UAE

ELEMENTS YELLOW LIMITED
80 Main Street,
PO Box 3200,
Road Town, Tortola,
VG1110, British Virgin Islands

ELEMENTS BLUE LIMITED
80 Main Street,
PO Box 3200,
Road Town, Tortola,
VG1110, British Virgin Islands

ELEMENTS GREEN LIMITED
80 Main Street,
PO Box 3200,
Road Town, Tortola,
VG1110, British Virgin Islands

ELEMENTS RED LIMITED
80 Main Street,
PO Box 3200,
Road Town, Tortola,
VG1110, British Virgin Islands

ALDERLEY GLOBAL LLC
Sharjah Media City,
Sharjah, UAE

ALDERLEY GLOBAL LLC – DUBAI BRANCH
Office 1715,
The Binary By Omniyat
Business Bay
Dubai, UAE

SANCTUARY CORPORATE SERVICES FZ LLC
Fujairah-Creative Tower
P.O.Box 4422 Fujairah

SANCTUARY CORPORATE SERVICES FZ LLC – DUBAI BRANCH
Suite 902, 9th floor
Control Tower
Motor City
Dubai, UAE

SANCTUARY CORPORATE SERVICES FZ LLC – ADGM BRANCH
3520ResCo-work04,
35, Al Maqam Tower, Adgm Square,
Al Maryah Island,
Abu Dhabi, UAE

SANCTUARY BUSINESS SERVICES LLC
Riyadh
Office 16, Floor 5
Samama Tower
King Fahd Road
Al Olaya, Riyadh, Saudi Arabia

SANCTUARY HOLDINGS LIMITED
3520ResCo-work04,
35, Al Maqam Tower, Adgm Square,
Al Maryah Island,
Abu Dhabi, UAE

SANCTUARY HOLDCO LTD
3520ResCo-work04,
35, Al Maqam Tower, Adgm Square,
Al Maryah Island,
Abu Dhabi, UAE

SWITZERLAND

Summit Trust International SA (“STI”) Privacy Statement

Data Protection and Privacy Notice to Settlors, Beneficiaries and other Interested Persons

STI, like other financial services businesses, is subject to Swiss laws on the protection of personal data. Where STI deals with persons resident in European Union Member States, the General Data Protection Regulation is also relevant. This document provides a summary of the rights that you have as a data subject by STI as a data controller and the policies STI has adopted to control the processing of personal data in accordance with the law.

Reasons for Collecting Data

STI only collects personal data in order to administer trusts, companies, foundations, partnerships and other fiduciary structures (“fiduciary relationships”) that it administers for its client families. Personal data is not sold for marketing purposes to third parties.

Personal Data

The personal data that we collect includes name; date of birth; address; taxpayer or social security numbers; identity documents such as passport, driving licence, and national identity cards; proofs of address; bank account details so that payments can be made; information about your personal financial and domestic situation so that trustee discretions can be properly made, which may include information about your dependants; and other information that we may consider necessary in connection with our fiduciary duties and legal obligations.

Personal data is usually provided to us by you upon request but may be obtained by us from third parties and other sources such as databases and internet searches as well as from professional advisers such as lawyers, accountants, bankers and financial advisers.

Data Transfer

STI may transfer such data to third parties such as law firms, accountancy firms, banks, asset managers, securities custodians, and investment advisers in order to comply with laws such as those directed against money laundering or to obtain legal or tax advice required in connection with the administration of a fiduciary relationship. Personal data may be viewed by our auditors and can be produced to regulators and law enforcement bodies if requests are made. Personal data may also be reported to tax authorities under various international tax reporting obligations such as FATCA (where the United States is concerned) or the Automatic Exchange of Information provisions (for most countries outside of the United States). Personal data may also be exchanged as part of due diligence exercises in connection with the acquisition, merger or sale of trust businesses including STI and its subsidiaries. Personal data may also be transferred by STI to its subsidiaries or affiliated companies.

Storage of Personal Data

STI maintains electronic records of personal data on servers in Switzerland and on back-up servers in a separate location in Switzerland. Personal data is also maintained on paper files in its offices in Geneva. Paper files are kept in locked cabinets overnight and the office is protected by an alarm system when not staffed overnight or at weekends. Staff are bound by personal undertakings to maintain client confidentiality, which includes protection of personal data, and office policies require that files containing personal data are filed away at night and not left on desktops. Where personal data is transferred outside of Switzerland, it will either be transferred to a jurisdiction that has equivalent legislative protection for personal data (e.g. the UK or a country within the European Economic Area) or we will, in other cases, take steps to secure equivalent protection for personal data by means of contractual undertakings.

Personal data will be retained by us for as long as you are the subject of or might be concerned with a fiduciary relationship with us and for such periods as may be prescribed by law from time to time afterwards such as under the anti-money laundering legislation.

Once personal data is no longer required, STI will anonymise or erase it.

Personal Data Information Rights

STI will adequately inform you when personal data is collected from yourself or a third party. The use of sensitive data is subject to your express consent.

When personal data is communicated outside Switzerland, STI will inform you of the name of the third State or international body to which the data is to be communicated.

You may also request that we provide you with information about the personal data that we may hold about you and copies of that information. We will provide copies of information or documents we hold about you upon written request under the ‘Contact’ section below. If the information we hold about you is inaccurate you may require us to correct it by written request. You may also request that we cease to process information about you but in such cases this may impede our ability to provide financial benefits to you under a fiduciary relationship.

You may request that we erase all of your personal data under the “right to be forgotten” if (i) it is no longer necessary for us to hold that personal data with respect to the original purpose for which it was obtained; or (ii) where your consent was the basis of our receiving your personal data, you wish to withdraw that consent; or (iii) you have objections to our processing your personal data and there is no overriding legitimate interest that would entitle us to continue doing so; or (iv) your personal data has been processed unlawfully; or (v) your personal data has to be erased in order to comply with a particular legal or regulatory obligation. Erasure of personal data will prevent us from providing any financial benefit to you as without such information it would not be lawful for us to administer a fiduciary relationship from which you could benefit.

In Switzerland, the government body responsible for supervising data processing is the Federal Data Protection and Information Commissioner (FDPIC) whose address is: Office of the Federal Data Protection and Information Commissioner FDPIC, Feldeggweg 1, CH-3003 Bern, Switzerland. Telephone: +41 58 462 43 95; Fax: +41 58 465 99 96.

Information about data protection in Switzerland is available from the FDPIC website: www.edoeb.admin.ch

Contact

If you have any questions about our data protection policy please contact your usual trust officer or director contact or write to The Data Protection Officer, Summit Trust International SA, 6 Place des Eaux-Vives, CH-1207 Geneva, Switzerland. Tel +41 22 707 8399; fax +41 22 707 8395.

UNITED ARAB EMIRATES

Sanctuary Corporate Services FZ LLC

CLIENT DATA: PRIVACY NOTICE CONCERNING PERSONAL DATA PROCESSED

1 Introduction

It is important that you read and understand this notice to understand how we will process your personal data and your rights.

2 Identity of the Data Controller

The Company is responsible for handling your personal data and is the data controller in respect to your personal data. Our contact details are set out in Section ‎11 below.

3 Purposes for Processing Personal Data

4 How we may collect your Personal Data

We use different methods to collect personal data from and about you including through:

Direct interactions

You may give us your Identity, Contact, Profile and Financial Data by filling in forms or by corresponding with us by post, phone, messaging service, email or otherwise.

This includes personal data you provide as part of the provision of:

(a) applying for our Services;

(b) engagement of our Services;

(d) registration or creation of an account on our website;

(d) communications with us, including email, post, telephone, and social media;

(e) networking;

(f) requesting marketing to be sent to you;

(g) you entering a promotion or survey; or

(h) you giving us feedback or contacting us.

Third parties or publicly available sources

We may obtain personal data about you from various third parties and public sources as set out below:

(a) Contact, Financial and Transaction Data from providers of technical, or payment services;

5 Categories of Personal Data that we Process

The data in which the Company processes may include Sensitive Personal Data, as defined under applicable laws, and to the extent allowed therein. Such Sensitive Personal Data may include data about:

(a) Race or ethnicity or religious beliefs (where relevant to the Services); or

(b) Health or illness.

6 Recipients of Personal Data and International Transfers

The Company may disclose your personal data to certain third parties. The following is a non-exhaustive list of recipients to whom your personal data may be transferred:

Subsidiaries, affiliates and parent companies of the Company;
Service providers;
Regulatory authorities;
Third party intermediaries;
Legal and other professional advisors; and
Prospective purchasers of the Company or Company assets.

the transfer is to a country that has been the subject of an adequacy decision by the European Commission, the UAE Data Office, the ADGM Office of Data Protection and/or the Saudi Data & AI Authority (as may be applicable);
in relation to the KSA, we may transfer data outside the KSA subject to appropriate safeguards being in place (provided the regulatory requirements in the relevant country do not prejudice your privacy or our ability to enforce appropriate safeguards). This may comprise (i) binding common rules, (ii) standard contractual clauses (in accordance with a standard form to be issued by the competent authority in the KSA), (iii) certifications of compliance or (iv) binding codes of conduct; or
the transfer is covered by a contractual agreement, which covers the applicable law requirements relating to transfers to countries outside the UAE, the ADGM, the KSA and/or the EEA (e.g., ICO’s International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses or if the service provider is in the US, it has self-certified to the EU/US Privacy Shield Framework).

7 Your Rights

You have the following rights:

to obtain access to your personal data – you may request information on how your personal data is handled by us and request a copy of such personal data;
to request that we correct or update your personal data if it is inaccurate or out of date;
to object to the processing of your personal data for the purposes of our legitimate interests, unless we:
1. demonstrate compelling legitimate grounds which override your right to object; or
2. the processing is necessary for the establishment, exercise or defense of legal claims;
to ask us to erase your personal data held by us, for example:
1. which is no longer necessary in relation to the purposes for which it was collected;
2. to the processing of which you object; or
3. which may have been unlawfully processed by us;

e. to ask us to this restrict processing by us, for example:

where you would like us to verify the accuracy of the data; or
where you object to the processing of it by us on the basis of legitimate interests (see para ‎7‎c) above) pending verification of whether we have overriding legitimate grounds to process the data; and

f. to ask us to transmit personal data, you submitted to us back to you or to another organization in certain circumstances.

8 Retention of Personal Data

9 Automated Decision-Making

We do not envisage that any decisions will be taken about you using solely automated means. We will notify you if this changes.

10 Complaints

11 Contact Details

If you have any questions about this Notice or information we hold about you, please email us on ask@sanctuary.ae, or write to us below.

Sanctuary Corporate Services FZ LLC
Suite 902, 9th floor
Control Tower
Motor City
Dubai, UAE
Sanctuary Business Services LLC
Riyadh
Office 16, Floor 5
Samama Tower
King Fahd Road
Al Olaya, Riyadh, Saudi Arabia

We may update this Notice periodically. Where the changes made are material, we will inform you of these.

Annex 1: Categories of Personal Data and Grounds for Processing

1 Personal data necessary for the performance of the agreement with the Company for the Services:

Contact Details
1. Name
2. Personal Contact details (personal email address, phone numbers, physical address etc.)
3. Contact details of managers, legal and professional advisors; and
4. Travel Information (e.g. passports etc.)
Government-issued KYC documents/ Due diligence
1. Passports;
2. Certificate of incorporation;
3. Banking Details, including bank statements, name of banking institution(s), and account and/or routing numbers for deposits or electronic transfers (i.e. wire transfer);
4. Property title deeds; and
5. Wills.
Tax records and any other tax related documentation necessary for the performance of the Services (e.g. VAT Number.)
Transaction Data including details about services you have purchased from us or your visits to our premises.
Profile Data including your username and password, purchases or orders made by you, your interests, preferences (including details about your personal likes and dislikes as identified during your visits to our premises), feedback and survey responses.
Usage Data including information about how you use our website, products and services.
Marketing and Communications Data including your preferences in receiving marketing from us and our third parties and your communication preferences.

2 Personal Data necessary to comply with Company’s legal obligations

Some examples legal obligations include:

Record-keeping and reporting obligations;
Conducting audits, compliance with government inspections and other requests from government or other public authorities; and
Responding to legal processes, pursuing legal rights and remedies, defending litigation, managing any internal complaints or claims, and conducting investigations (e.g., processing personal data in response to a court order).

The categories of personal data collected may include:

Records of payments received and/or disbursed to you;
Tax records;
Contracts, deal memos, or other agreements; and
Contact details.

Personal Data processed where necessary for the purposes of pursuing the legitimate interests of the Company or a third party.

Some examples of the Company’s legitimate interests include:

Mergers and acquisitions with other companies;
Dealings with prospective purchasers of the Company or its assets;
Improvement of the services provided to our clients, invoicing for our services or dealing with complaints;
To pursue or defend against legal claims; and
Business dealings with subsidiaries, affiliates, and parent companies of the Company.

3 Processing of Special Categories of Personal Data

(a) Race or ethnicity or religious beliefs (where relevant to the Services); and

(b) Health or illness.

Annex 2 – Legal Entities

DLK HOLDINGS LIMITED
3520ResCo-work04,
35, Al Maqam Tower, Adgm Square,
Al Maryah Island,
Abu Dhabi, UAE

ELEMENTS GROUP LIMITED
C/o SANCTUARY CORPORATE SERVICES FZ LLC – DUBAI BRANCH
Suite 902, 9th floor,
Control Tower
Motor City
Dubai, UAE

ELEMENTS YELLOW LIMITED
80 Main Street,
PO Box 3200,
Road Town, Tortola,
VG1110, British Virgin Islands

ELEMENTS BLUE LIMITED
80 Main Street,
PO Box 3200,
Road Town, Tortola,
VG1110, British Virgin Islands

ELEMENTS GREEN LIMITED
80 Main Street,
PO Box 3200,
Road Town, Tortola,
VG1110, British Virgin Islands

ELEMENTS RED LIMITED
80 Main Street,
PO Box 3200,
Road Town, Tortola,
VG1110, British Virgin Islands

ALDERLEY GLOBAL LLC
Sharjah Media City,
Sharjah, UAE

ALDERLEY GLOBAL LLC – DUBAI BRANCH
Office 1715,
The Binary By Omniyat
Business Bay
Dubai, UAE

SANCTUARY CORPORATE SERVICES FZ LLC
Fujairah-Creative Tower
P.O.Box 4422 Fujairah

SANCTUARY CORPORATE SERVICES FZ LLC – DUBAI BRANCH
Suite 902, 9th floor
Control Tower
Motor City
Dubai, UAE

SANCTUARY CORPORATE SERVICES FZ LLC – ADGM BRANCH
3520ResCo-work04,
35, Al Maqam Tower, Adgm Square,
Al Maryah Island,
Abu Dhabi, UAE

SANCTUARY BUSINESS SERVICES LLC
Riyadh
Office 16, Floor 5
Samama Tower
King Fahd Road
Al Olaya, Riyadh, Saudi Arabia

SANCTUARY HOLDINGS LIMITED
3520ResCo-work04,
35, Al Maqam Tower, Adgm Square,
Al Maryah Island,
Abu Dhabi, UAE

SANCTUARY HOLDCO LTD
3520ResCo-work04,
35, Al Maqam Tower, Adgm Square,
Al Maryah Island,
Abu Dhabi, UAE

UNITED KINGDOM

Summit Trust Company LTD (“STCL”) Privacy Statement

This note sets out how the personal information that we collect about you will be used. For the purposes of data protection legislation STCL is a “controller” meaning that we determine the purpose and means of processing the information we collect from you.

The types of personal information we may collect about you includes your name, marital status, title, nationality and date of birth; identification data includes taxpayer identification numbers, passport details, driving licence or other identification documents; contact data includes postal addresses, email address and telephone numbers; and financial data includes details of your financial position and bank details if payments are to be made to you.

We use your information in order that we may provide services as trustee and to comply with the law and regulatory requirements in the UK generally. Specifically this is to enable us to confirm your identity and allow us to carry out checks in the interest of security and to prevent and detect fraud; to administer and maintain fiduciary structures you may have established or which may benefit you; to respond to your queries; and to carry out our obligations under any contracts entered into between you and us.

We do not send you marketing messages but may respond to specific inquiries received if we consider it appropriate to do so.

We will not pass your information on to third parties except to other companies in the Summit Trust Group which are subject to equivalent data protection laws as apply in the UK or to professionals such as lawyers and accountants where there is a legitimate reason to do so or to information technology and information security providers used in connection with our business as trustees or to third parties where you have given your consent (e.g. legal or tax advisers who are aware of the fiduciary structure with which you are concerned or connected) or to banks, asset managers, securities custodians and other agents who are engaged to provide banking or asset management or related services to trust structures that we administer.

In addition, information may be passed on to law enforcement agencies, fraud prevention agencies and regulators where we are under a duty to disclose or share your information in order to comply with any legal or regulatory obligation, or if we reasonably consider that this is necessary to help prevent or detect fraud or other crime or to protect the rights, property, or safety of STCL, or if we are under a duty to disclose or share your information with HM Revenue & Customs (HMRC), who may then transfer it to the government or the tax authorities in another country where you may be subject to tax, or if STCL (or all or part of its assets) were to be acquired by a third party, in which case personal data about you would be one of the transferred assets as part of a due diligence exercise or business sale, or if you have consented to any disclosure to a third party.

We currently transfer data to Switzerland, which is outside of European Economic Area (“EEA”). The transfer, use and/or storage of your personal information outside of the EEA may not offer the same standard of protection for personal information as in the UK.

Transfers to our third party service providers are to enable them use and store your personal information on our behalf. We will, however, put in place appropriate security procedures in order to protect your personal information. We also ensure that, where your information is transferred to any country outside the EEA this is done using specific legally-approved safeguards.

We will keep your information only for as long as necessary depending on the purpose for which it was provided or to comply with our legal obligations and duties. Information provided in connection with trusts may by its very nature require to be kept for a very long time.

We have put in place measures to protect the security of your information. These measures are intended to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing you with the information in this notice. The various rights are not absolute and each is subject to certain exceptions or qualifications.

Under certain circumstances, by law you have the right (1) to object to the processing of your personal information where we are relying on a legitimate interest (or that of a third party); (2) to request access to your personal information which enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it; (3) request correction of the personal information that we hold about you; (4) request erasure of your personal information; (5) request the restriction of processing of your personal information; and (6) request the transfer of your personal information to another party in a machine-readable, commonly used and structured format.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing at the address below. You will not have to pay a fee to gain access to your personal information (or to exercise any of the other rights). In some cases, we may charge a reasonable fee if your request for access is clearly unfounded or excessive, or if you request multiple copies of the information. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

If you wish to request further information about any of the above rights, or if you have any questions concerning data protection please contact, by post, The Data Protection Officer, Summit Trust Company Ltd, 17 Cavendish Square, London W1G 0PH, United Kingdom.

If you are not satisfied with our response to any complaint you may make concerning data protection or believe our processing of your information does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office (“ICO”): https://ico.org.uk/global/contact-us ICO Helpline: + 44 (0) 303 123 1113.