QUEENSGATE BANK AND TRUST COMPANY LTD. (“QUEENSGATE”) DISCLOSURE NOTICE REGARDING COMPLIANCE WITH EU GENERAL DATA PROTECTION REGULATION (THE “NOTICE”)
Introduction and Definitions
This privacy notice is relevant to you if you have a business relationship with Queensgate (as defined below) either as a Queensgate client or a related party (“Client Relationship”).
In this Notice certain other defined terms appear, whose meaning is as follows:
- A Client Relationship or a Vendor Relationship shall be a “Business Relationship”;
- “Business Relationship Contract” shall mean a fee agreement (between Queensgate and its client) or a vendor agreement (between Queensgate and its vendor);
- “Data Subject” refers to the natural person to whom the Personal Data relates (as defined in the GDPR);
- “EEA” means the European Economic Area, the current members at the date hereof being the European Union Member States, Iceland, Liechtenstein and Norway; and
- “Queensgate” means the relevant Queensgate operating entity which has the Business Relationship with you.
General Data Protection Regulation and Impact on Queensgate
The European Union recently passed Regulation (EU) 2016/679 (the “GDPR”), which went into effect on 25 May 2018. The GDPR affects Queensgate, as the controller or processor of Personal Data (as defined in the GDPR) in the course of its business.
This Notice outlines Queensgate’s data protection obligations and your data protection rights as they relate to your Business Relationship with Queensgate under the GDPR.
Below is Queensgate’s policy statement of how Queensgate complies with the GDPR in relation to such Personal Data.
Collection and Use of Personal Data
In the usual course of Queensgate’s business, it collects and uses certain personal information which constitutes Personal Data. This includes, but is not restricted to, data such as name, residential address, email address, telephone number, place of birth, date of birth, passport number, photo, social security number, tax ID number, bank account details, personal details required to complete background checks and personal details required to complete anti-money laundering and anti-terrorist financing checks (including but not limited to identification verification information), details relating to investment activity and email correspondence.
Queensgate will only collect, store and use this Personal Data for lawful purposes including, in particular:
(i) Where this is necessary for the performance of the Business Relationship Contract;
(ii) Where this is necessary for compliance with a legal obligation to which Queensgate is subject (such as the anti-money laundering and anti-terrorist financing obligation to verify the identity of Queensgate’s clients (and, if applicable, their beneficial owners) and retain copies of materials in respect thereof for such period after the relationship terminates as may be required by applicable law); or
(iii) Where this is necessary for the purposes of the legitimate interests of Queensgate and such legitimate interests are not overridden by your interests, fundamental rights or freedoms.
Analysing Personal Data for quality control, business and statistical analysis, tracking fees and costs, training and related purposes are considered legitimate interests for using your Personal Data. Any such use of your Personal Data in this way is subject to any relevant overriding prohibitions or restrictions in such use by Queensgate in the Business Relationship Contract.
Queensgate may use your Personal Data for such purposes as described above, provided that it is acting in a fair, transparent and accountable manner and has taken appropriate steps to prevent such activity having any unwarranted impact on you and also noting your right to object to such use, as discussed below.
Queensgate is required to use your personal data to fulfill its obligations defined in the Business Relationship Contract, and under the provisions of GDPR, Queensgate is not required to obtain your consent to do so. Should Queensgate wish to use your Personal Data for other specific purposes that require your consent, then Queensgate will contact you to request this.
Processing, Transmission and Storage of Personal Data
It may be necessary for Queensgate to transfer Personal Data for processing to agents, delegates, subcontractors or other representatives of Queensgate to carry out sub-processing activities on behalf of Queensgate (each a “Permitted Processor”) under an appropriate agreement between the Permitted Processor and Queensgate. A list of the Queensgate Permitted Processors is available on the Queensgate website under the Transmission and Outsourcing Arrangements. Queensgate may only transmit Personal Data:
- To Permitted Processors with the prior consent of the counterparty to the Business Relationship Contract (“Counterparty”); or
- Where required to do so under applicable law.
In addition, it may be necessary for Queensgate to transfer Personal Data to certain third parties, upon the instruction of the Counterparty, whose involvement is necessary to carry out all or part of Queensgate’s duties and obligations defined in the Business Relationship Contract. In these cases, the third party will not be a Permitted Processor of Queensgate and will instead be engaged directly by the Counterparty as a processor.
Where Queensgate is required to transfer Personal Data to a legal, regulatory or taxation information authority under applicable law, any such transfer shall not constitute the engagement of a Permitted Processor by Queensgate. The local taxation information authority may, in turn, exchange this information with foreign tax authorities under their own international agreements.
Subject to applicable provisions of the GDPR, the Personal Data shall not be shared other than as has been described here.
The Data Protection Measures Queensgate Takes
Queensgate operates a comprehensive Information Security Policy framework that includes a specific policy on Data Protection. All Queensgate employees attend annual training to ensure compliance with these policies.
Any transmission of Personal Data by Queensgate to a Permitted Processor outside the EEA shall be in accordance with the conditions of the GDPR.
Queensgate shall apply and shall contractually obligate Permitted Processors to apply appropriate information security measures to protect Personal Data from unauthorised access by third parties or any form of computer corruption.
Queensgate shall notify you of any Personal Data breach affecting you that is likely to result in a high risk to your rights and freedoms.
Your Data Protection Rights
You have certain rights regarding Queensgate’s use of your Personal Data such as:
- the right to access your Personal Data (in an easily readable form);
- the right to examine and correct your Personal Data;
- the right to restrict the use of your Personal Data;
- the right to withdraw any consent given to the processing of your Personal Data (where applicable);
- the right to receive information regarding any entities Queensgate discloses your Personal Data to;
- the right to lodge a complaint with Queensgate’s lead supervisory authority in accordance with GDPR.
These rights may be restricted either by local legal obligations or to safeguard the fundamental rights and freedoms in a democratic society, as defined in Article 23 of the GDPR.
Retention of Your Personal Data
Queensgate or Permitted Processors may retain your Personal Data following the conclusion of your Business Relationship with Queensgate for such minimum period as may be required by applicable laws.
As Queensgate does not control or process Personal Data on a large scale, Queensgate is not required to designate a data protection officer. However, an individual has been designated as a Responsible Person for each of:
- The receipt of any queries relating to data protection or in the event a Data Subject wishes to discuss his/her data protection rights with Queensgate (“General Queries”); and
- Communicating with the relevant supervisory authorities (“Regulatory Communications”).
The Responsible Person for Queensgate can be contacted at the following email address: firstname.lastname@example.org