Introduction
The Summit Group operates in multiple jurisdictions, which are all subject to their own data protection and privacy requirements, listed below. We keep our Privacy Statements and Notices under regular review and any updates will be posted on our website in the most recent version.
CAYMAN ISLANDS
Summit Trust (Cayman) Limited Privacy Statement
Summit Trust (Cayman) Limited (“STCL”) is subject to the Data Protection Law, 2017 in the Cayman Islands (“the DPL”), which took effect on 30th September 2019. STCL is a data controller for the purposes of the DPL and any settlor, beneficiary, enforcer or protector who is in a trust-based relationship with STCL will be a data subject as defined in the DPL as will any person having a contractual relationship with STCL. STCL collects and processes certain personal data in order to fulfil its legal duties and responsibilities as trustee or as company manager or agent; it does not transfer such data for marketing purposes. STCL may transfer personal data to third party professionals or financial institutions as a consequence of the services it provides or to other companies in the Summit Trust Group in connection with the purchase of administration services or to comply with international tax reporting obligations.
The personal data that is typically collected include an individual’s name, address, date & place of birth, nationality, tax residency, taxpayer identification numbers, contact details, personal financial information, educational information and bank details. In some cases other information may be sought and processed.
Data subjects have various rights under the DPL. Reference to the DPL should be made for details of the individual rights of data subjects. Data is retained in accordance with the DPL and certain information will be kept for 5 years after the termination of a business relationship.
All requests concerning data protection and any complaints should be made to privacy@summittrustgroup.com, and we will do our utmost to revert to you within a month of receiving your correspondence.
This policy statement may be revised from time to time in accordance with the law and in the light of regulations issued by the Information Commissioner in the Cayman Islands.
GUERNSEY
Aquitaine Group Ltd Privacy Statement
Aquitaine Group Limited and its affiliated companies (which we refer to in the rest of this statement collectively as “Aquitaine“, “we” or “us“), as data controllers, are dedicated to safeguarding your personal information. This privacy statement contains an explanation of what happens to the personal data that we collect from you or about you. Please read it carefully and ask us about anything that you do not understand.
INFORMATION WE COLLECT AND ITS USE
We are required by law to verify the identity and activity of clients, potential clients and people with close connections to them. We must do this to reduce the risk of our services being used for illegal purposes.
If you apply to use our fiduciary services, we may ask for extensive personal information from you. By law, we may also collect personal information on people who have a close connection to clients and people applying to be our clients. If a potential client applies for us to provide services to their company, we must collect information about that company’s owners, directors, officers and agents. If a potential client applies for us to provide services to their trust, we must collect information about its settlors, beneficiaries, enforcers and protectors. If a potential client applies for us to provide services to their foundation, we must collect information about its guardians, founders, members and agents. If you are any of these people or someone else who has control or a close connection to one of our clients, then we may need to collect information about you. If you become one of these people due to a change in a company, trust or foundation to which we provide services, then we may also need to collect information about you. If you are not our client or an applicant, we may ask the client or applicant for your information if we cannot obtain it from you.
The personal information that we may request includes your name, addresses, telephone numbers, nationalities, date of birth, tax residency, length of residence, tax and social insurance numbers, passport numbers, marital status, wealth and business activities. We may also ask for some of this information about your family members and associates. We may also ask you if you have political, military or judicial roles or connections. We may also ask if you have connections with regulatory or criminal infractions or investigations, or with activities that have a high risk of being associated with regulatory or criminal infractions. We may ask for copies of official documents that prove your identity and place of residence.
We will use the information that we collect to conduct background checks on you. We may search for information about you, both on publicly-available internet search engines and in subscription-based databases that keep records of people involved in illegal or risky activities. This information will help us decide whether to do business with you or the person or body that you are connected with. If you or the person or body connected to you becomes our client, we will repeat these background checks periodically. The information will help us decide whether to continue to do business with you or the person or body connected to you, or whether to change the type of services that we provide. If you do not provide us with the information that we request, we may refuse to accept you or the person or body connected to you as a client, or terminate our services if you or they are existing clients. This information will be kept on file for as long as required by law and our regulator, even after you, or someone connected with you, stops doing business with us.
Political opinions and criminal data are “special category data” which requires your permission for us to collect, use and keep in our files. Your application to use our services, or your agreement to be bound by this privacy statement, includes your agreement that we may collect and keep “special category data” about you, and in particular about your political connections and any connection to criminal activity, for as long as we are required by the laws and regulations that apply to us. You may withdraw this agreement at any time. If you withdraw your agreement, or someone connected with you withdraws their agreement, we may be forced to terminate our services.
Our services as a licensed fiduciary may require us, both by law and under contract, to act on behalf of our client or in the best interests of our client. If you are our fiduciary client, or if we have a duty to act in your best interests, we may use personal information that we have about you to judge how best to act on your behalf or in your interests.
We are required by laws and regulations that apply to us as licensed fiduciaries to keep accurate and updated client records, which we may need to demonstrate to our regulator from time to time. This means that we may need to keep your personal information in our files for the length of time satisfactory to our regulator or those authorised by our regulator to inspect our files. These inspections are kept confidential as required by laws and regulations.
We may receive requests for your personal information from people or firms dealing with you or a company, trust or foundation connected to you. For example, bankers, agents, accountants, auditors, lawyers, fund administrators, financial advisors and other professionals may be required by law to have your personal information to verify your identity before providing their services. We may provide such information to them if we have been authorised by you. We may also provide such information if we have been authorised or required to act on your behalf or in your interest as part of our fiduciary duty or our contractual services, or if we are required or permitted by law.
If we are setting up a company, trust, foundation or other body outside Guernsey for you or a company, trust or foundation that is connected to you, we will need to send your personal information to an agent outside Guernsey.
Guernsey, the United Kingdom and the Crown Dependencies have data protection laws equivalent to the European Union, but this is not true of every country or territory outside the European Union. If we send your data outside the European Union or somewhere without equivalent laws, you may not have the same rights to protect your data there, or as many ways to stop or punish those who misuse your data. It is your right to know if any country or territory where we send your data has equivalent data protection laws to Guernsey, or what other safeguards for your data exist.
We do not make decisions based on the automated processing of your personal data. If we ever intend to do so in the future, we will let you know the reason for doing so and your rights in relation to such processing.
STORING YOUR PERSONAL DATA
Except as required by law or our regulator, we will generally keep your personal information as long as we need it to reply to your queries or, if you are a client or connected to our client, for as long as we need it to provide the client services. We also have a document retention policy of keeping records for an additional number of years after our relationship with you is over, to make sure that we have fulfilled all of our fiduciary and contractual duties and that the documents are not needed to resolve disputes or legal issues. This retention is both for our protection and yours, to balance our legitimate interest and the need to properly conclude our relationship with you. If you would like details on our retention policy at any time, please contact us by email or post.
ACCESS TO INFORMATION
You may request us to confirm whether or not we are holding personal information about you. You may request a copy of any personal information that we hold about you. Please contact us by email or post if you wish to make such a request. The first copy of your information is free of charge, although we reserve the right to charge a fee if the request is excessive.
Guernsey fiduciary law protects the confidentiality of certain information which may limit your general right of access.
You have the right to ask us to correct any incorrect or incomplete information, or update out-of-date information that we have about you. If you would like to make this request, please send us an email explaining what information that you believe is incorrect, incomplete or out of date, and how you believe that it should be corrected, completed or updated. You may request that we not use information until having determined if it needs correction or updating. If we no longer need information that is incorrect or out of date, you may ask us to delete it. You may also ask us to delete incorrect or out of date information that we need your consent to keep or that we do not hold in accordance with the data protection laws. If we have shared your incorrect or incomplete information with third parties, you may ask us to have it corrected or completed, if it is practicable and proportionate to do so.
You may ask us to provide you with your personal information in a commonly-used, machine readable format of any of your personal information that we process automatically, if you ever switch from our services to another provider. This will not apply to information that we have in our files which we must keep by law, such as our background checks on you.
FURTHER INFORMATION
If you have any queries, comments or requests regarding this Privacy Policy, please contact the data controller at datacontroller@aquitainetrust.com or by post at P.O Box 357, Level 5, Mill Court, La Charroterie, St Peter Port, Guernsey GY1 3XH. If we have appointed a data protection officer, he or she may be contacted at this address.
Your personal information is protected by the Data Protection (Bailiwick of Guernsey) Law, 2017. If you believe that we have not respected (or will not respect) your rights under this law, you may make a complaint to Guernsey’s Data Protection Authority. Decisions of the Data Protection Authority can be appealed in court.
SWITZERLAND
Summit Trust International SA (“STI”) Privacy Statement
Data Protection and Privacy Notice to Settlors, Beneficiaries and other Interested Persons
STI, like other financial services businesses, is subject to Swiss laws on the protection of personal data. Where STI deals with persons resident in European Union Member States, the General Data Protection Regulation is also relevant. This document provides a summary of the rights that you have as a data subject by STI as a data controller and the policies STI has adopted to control the processing of personal data in accordance with the law.
Reasons for Collecting Data
STI only collects personal data in order to administer trusts, companies, foundations, partnerships and other fiduciary structures (“fiduciary relationships”) that it administers for its client families. Personal data is not sold for marketing purposes to third parties.
Personal Data
The personal data that we collect includes name; date of birth; address; taxpayer or social security numbers; identity documents such as passport, driving licence, and national identity cards; proofs of address; bank account details so that payments can be made; information about your personal financial and domestic situation so that trustee discretions can be properly made, which may include information about your dependants; and other information that we may consider necessary in connection with our fiduciary duties and legal obligations.
Personal data is usually provided to us by you upon request but may be obtained by us from third parties and other sources such as databases and internet searches as well as from professional advisers such as lawyers, accountants, bankers and financial advisers.
Data Transfer
STI may transfer such data to third parties such as law firms, accountancy firms, banks, asset managers, securities custodians, and investment advisers in order to comply with laws such as those directed against money laundering or to obtain legal or tax advice required in connection with the administration of a fiduciary relationship. Personal data may be viewed by our auditors and can be produced to regulators and law enforcement bodies if requests are made. Personal data may also be reported to tax authorities under various international tax reporting obligations such as FATCA (where the United States is concerned) or the Automatic Exchange of Information provisions (for most countries outside of the United States). Personal data may also be exchanged as part of due diligence exercises in connection with the acquisition, merger or sale of trust businesses including STI and its subsidiaries. Personal data may also be transferred by STI to its subsidiaries or affiliated companies.
Storage of Personal Data
STI maintains electronic records of personal data on servers in Switzerland and on back-up servers in a separate location in Switzerland. Personal data is also maintained on paper files in its offices in Geneva. Paper files are kept in locked cabinets overnight and the office is protected by an alarm system when not staffed overnight or at weekends. Staff are bound by personal undertakings to maintain client confidentiality, which includes protection of personal data, and office policies require that files containing personal data are filed away at night and not left on desktops. Where personal data is transferred outside of Switzerland, it will either be transferred to a jurisdiction that has equivalent legislative protection for personal data (e.g. the UK or a country within the European Economic Area) or we will, in other cases, take steps to secure equivalent protection for personal data by means of contractual undertakings.
Personal data will be retained by us for as long as you are the subject of or might be concerned with a fiduciary relationship with us and for such periods as may be prescribed by law from time to time afterwards such as under the anti-money laundering legislation.
Once personal data is no longer required, STI will anonymise or erase it.
Personal Data Information Rights
STI will adequately inform you when personal data is collected from yourself or a third party. The use of sensitive data is subject to your express consent.
When personal data is communicated outside Switzerland, STI will inform you of the name of the third State or international body to which the data is to be communicated.
You may also request that we provide you with information about the personal data that we may hold about you and copies of that information. We will provide copies of information or documents we hold about you upon written request under the ‘Contact’ section below. If the information we hold about you is inaccurate you may require us to correct it by written request. You may also request that we cease to process information about you but in such cases this may impede our ability to provide financial benefits to you under a fiduciary relationship.
You may request that we erase all of your personal data under the “right to be forgotten” if (i) it is no longer necessary for us to hold that personal data with respect to the original purpose for which it was obtained; or (ii) where your consent was the basis of our receiving your personal data, you wish to withdraw that consent; or (iii) you have objections to our processing your personal data and there is no overriding legitimate interest that would entitle us to continue doing so; or (iv) your personal data has been processed unlawfully; or (v) your personal data has to be erased in order to comply with a particular legal or regulatory obligation. Erasure of personal data will prevent us from providing any financial benefit to you as without such information it would not be lawful for us to administer a fiduciary relationship from which you could benefit.
In Switzerland, the government body responsible for supervising data processing is the Federal Data Protection and Information Commissioner (FDPIC) whose address is: Office of the Federal Data Protection and Information Commissioner FDPIC, Feldeggweg 1, CH-3003 Bern, Switzerland. Telephone: +41 58 462 43 95; Fax: +41 58 465 99 96.
Information about data protection in Switzerland is available from the FDPIC website: www.edoeb.admin.ch
Contact
If you have any questions about our data protection policy please contact your usual trust officer or director contact or write to The Data Protection Officer, Summit Trust International SA, 6 Place des Eaux-Vives, CH-1207 Geneva, Switzerland. Tel +41 22 707 8399; fax +41 22 707 8395.
UNITED KINGDOM
Summit Trust Company LTD (“STCL”) Privacy Statement
This note sets out how the personal information that we collect about you will be used. For the purposes of data protection legislation STCL is a “controller” meaning that we determine the purpose and means of processing the information we collect from you.
The types of personal information we may collect about you includes your name, marital status, title, nationality and date of birth; identification data includes taxpayer identification numbers, passport details, driving licence or other identification documents; contact data includes postal addresses, email address and telephone numbers; and financial data includes details of your financial position and bank details if payments are to be made to you.
We use your information in order that we may provide services as trustee and to comply with the law and regulatory requirements in the UK generally. Specifically this is to enable us to confirm your identity and allow us to carry out checks in the interest of security and to prevent and detect fraud; to administer and maintain fiduciary structures you may have established or which may benefit you; to respond to your queries; and to carry out our obligations under any contracts entered into between you and us.
We do not send you marketing messages but may respond to specific inquiries received if we consider it appropriate to do so.
We will not pass your information on to third parties except to other companies in the Summit Trust Group which are subject to equivalent data protection laws as apply in the UK or to professionals such as lawyers and accountants where there is a legitimate reason to do so or to information technology and information security providers used in connection with our business as trustees or to third parties where you have given your consent (e.g. legal or tax advisers who are aware of the fiduciary structure with which you are concerned or connected) or to banks, asset managers, securities custodians and other agents who are engaged to provide banking or asset management or related services to trust structures that we administer.
In addition, information may be passed on to law enforcement agencies, fraud prevention agencies and regulators where we are under a duty to disclose or share your information in order to comply with any legal or regulatory obligation, or if we reasonably consider that this is necessary to help prevent or detect fraud or other crime or to protect the rights, property, or safety of STCL, or if we are under a duty to disclose or share your information with HM Revenue & Customs (HMRC), who may then transfer it to the government or the tax authorities in another country where you may be subject to tax, or if STCL (or all or part of its assets) were to be acquired by a third party, in which case personal data about you would be one of the transferred assets as part of a due diligence exercise or business sale, or if you have consented to any disclosure to a third party.
We currently transfer data to Switzerland, which is outside of European Economic Area (“EEA”). The transfer, use and/or storage of your personal information outside of the EEA may not offer the same standard of protection for personal information as in the UK.
Transfers to our third party service providers are to enable them use and store your personal information on our behalf. We will, however, put in place appropriate security procedures in order to protect your personal information. We also ensure that, where your information is transferred to any country outside the EEA this is done using specific legally-approved safeguards.
We will keep your information only for as long as necessary depending on the purpose for which it was provided or to comply with our legal obligations and duties. Information provided in connection with trusts may by its very nature require to be kept for a very long time.
We have put in place measures to protect the security of your information. These measures are intended to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing you with the information in this notice. The various rights are not absolute and each is subject to certain exceptions or qualifications.
Under certain circumstances, by law you have the right (1) to object to the processing of your personal information where we are relying on a legitimate interest (or that of a third party); (2) to request access to your personal information which enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it; (3) request correction of the personal information that we hold about you; (4) request erasure of your personal information; (5) request the restriction of processing of your personal information; and (6) request the transfer of your personal information to another party in a machine-readable, commonly used and structured format.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing at the address below. You will not have to pay a fee to gain access to your personal information (or to exercise any of the other rights). In some cases, we may charge a reasonable fee if your request for access is clearly unfounded or excessive, or if you request multiple copies of the information. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
If you wish to request further information about any of the above rights, or if you have any questions concerning data protection please contact, by post, The Data Protection Officer, Summit Trust Company Ltd, 17 Cavendish Square, London W1G 0PH, United Kingdom.
If you are not satisfied with our response to any complaint you may make concerning data protection or believe our processing of your information does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office (“ICO”): https://ico.org.uk/global/contact-us ICO Helpline: + 44 (0) 303 123 1113.