• Who we are;
• What information we may collect about you and when;
• How we might use your information;
• How we protect your information; and
• Your rights regarding the information you provide.

• complying with data protection law and following good practice
• protecting the rights of staff, clients, partners and business contacts
• being open about how we use personal data, how we store it, how we secure and delete it
• protecting Gouldson against the risks of both inadvertent and intentional data breaches.

As accountants and tax advisers we have historically been considered to be data controllers but we may be considered to be data controllers or processors depending on the nature of our agreement with you.

We have clients that are individuals and clients that are corporate bodies, including limited liability partnerships, government departments and agencies and other public bodies. Even where our clients are not themselves individuals, they will be represented by individuals and they may be owned by individuals and invested in by individuals. As a result, we will inevitably process Personal Data in the course of our relationships with those clients too.

If you are a client, the information we process about you will include personal and/or professional contact details (addresses, telephone numbers, email addresses), copy identity documents and proofs of address, copy professional and educational certificates, details of bank accounts and/or other payment details, details of financial standing and investment objectives. Depending on the services we provide, we may additionally process details of family wealth, names, addresses and other personal details concerning family members and/or those employed by families or family members and other information categorised as “special category data”, such as information about an individual’s race; politics; religion; biometrics (used for ID purposes) and health.

Gouldson makes every effort to maintain the accuracy of personal data, although you must assist with this by promptly contacting Gouldson if there are changes to the personal data you have previously provided or if you become aware that Gouldson holds inaccurate personal data.

We may also obtain personal data about you, or another person you have provided us personal data for, under a legal basis from sources other than from you. The sources and categories of personal data, along with whether these are publicly accessible are listed below:

Source:

• Type of information (categories of personal data)
• Due diligence screening providers.
• Names, addresses, age, financial or economic information, social standing, crime or security related matters. This is publicly available.
• Internet search engines and public information sources.
• Names, addresses, age, financial or economic information, social standing, crime or security related matters. This is publicly available.
• Those authorised to act on behalf of a client including an advisor or attorney.
• Name, address, financial information, identifier code, age, gender. This is not publicly available.

If you are a client, Gouldson collects your personal data, or that of other individuals provided by you, in order to provide you with the services you have requested under the Terms of Business you have entered into with Gouldson and also to meet certain legal obligations. We do not collect more information than we need in order to provide you with the services. If you do not provide the information that we ask for, we may not be able to provide you with the services that you require.

We may also use your personal data to provide you with newsletters that will contain information about Gouldson, including latest news and other Gouldson services that we think may be of interest to you because we think you have a legitimate interest in our contacting you in this way. We may also seek your consent to publish any client testimonial you provide on the Gouldson website. Where consent is required to process personal data of an individual who has not reached the required age to provide consent under the applicable data protection law, Gouldson will obtain consent from a person with parental responsibility for that individual.

If you are a visitor to our website you may give us your information if you fill in a form on the Site or if you send us an email (name, email address, telephone number and/or postal address). We do this so that we can monitor who accesses our Site and also to correspond with you.

Gouldson does not collect sensitive information (defined as “special category data” under the DPJL 2018) in respect of clients.

If you are a client, we will process your data in connection with providing the relevant services under a contract. We may also need to transfer personal data to third parties to be processed in connection with the services we provide to you, or to fulfil legal or regulatory requirements as necessary. If we do, any third parties that process your personal data are assessed by us to ensure they adhere to the requirements of applicable data protection requirements.

If you are a visitor to our Site (including completing a form), make a new business enquiry or contact us with a general enquiry, we will process your data for the purpose of our legitimate interest in responding to those enquiries.

The personal data you provide to us will only be used for the purpose specified. Gouldson does not and will not sell, rent or trade your personal data.

The personal data may be used in a number of ways, including to:

• verify your identity
• verify identity of others authorised to act on your behalf
• perform due diligence screening
• provide you with services and to contact you
• manage your transactions
• meet financial crime prevention requirements
• meet regulatory or legal obligations of Gouldson
• register or subscribe you to receive Gouldson newsletters
• publish news or your service opinion on the Minerva website (where you have provided consent)
• when you fill out forms on the Gouldson website
• when you contact Gouldson with a request

Part of Gouldson’s duty is to ensure that in the planning of new processes or procedures which involve the use of personal data, we consider the impact of the changes and ensure that we have fully considered and complied with our obligations under the DPJL 2018. Gouldson will always ensure that all such changes are designed and implemented in accordance with the law, and that the DPO is consulted and their recommendations are taken into account in the planning and introduction of such changes. In any situation where new technologies are being deployed and the processing of the personal data is likely to result in a high risk to the data subjects’ rights and freedoms under the regulation, we will carry out a data impact assessment, overseen by the DPO.

This will deal with:

• the type(s) of personal data that will be collected, held and processed
• the purpose for which it is to be used
• Gouldson’s objectives in processing this data and making this innovation
• how the personal data is to be used
• internal and external parties to be consulted
• why we need the data and how the collection of the data is proportionate to our need for it
• what risks there are for data subjects
• what risks Gouldson runs, and
• what measures we are proposing to minimise and protect against the risks.

Your rights in relation to your personal data are included within applicable data protection requirements, which include the DPJL 2018 and the General Data Protection Regulation 2016 (“GDPR”) (if applicable);

Dependant on where you reside and because of the implementation of one of the above, you have rights as an individual which you can exercise in relation to the personal data we hold about you. Your rights are listed below:

Right of access
You have the right to know what type of personal data we hold about you and details about how we use it. You also have the Right to rectification: You have the right to have any errors or incomplete personal data corrected.

Right to erasure (to be forgotten):
In certain circumstances, you have the right to request the deletion of all personal data relating to you.

Right to restriction of processing:
You have the right to restrict how we use your data e.g. you can request that we do not process your data for a particular purpose.

Right to object to processing:
You have the right to object to our use of your personal data (including for direct marketing purposes).

Right to withdraw consent:
If you have previously given us consent to process your data for a particular purpose, you have the right to withdraw that consent at any time.

Right to data portability:
You have the right to be supplied with all of your personal data you have given to us in a structured, commonly used and machine readable format. You also have the right to have your personal data transferred from one controller to another.

Right to lodge a complaint:
You have a right to lodge a complaint with the relevant Data Protection Authority.

When you exercise your rights Gouldson will consider any exemptions that may apply. It is possible an exemption may affect how we are able to respond to your request, if this is the case Gouldson will explain this to you in writing.

If you would like to exercise any of the above rights please contact us via email: privacy@gouldson.co.uk or in writing to:

Carl Gouldson,
Regency House,
Regent Road,
St Helier,
Jersey JE2 4UZ.

When Gouldson uses your personal data for the purposes outlined we may transfer and disclose it to third parties who either process the personal data on our behalf in connection with the services we provide to you, to a third party who requires the information under a legal requirement (where Gouldson are legally obliged to provide the personal data), where we have a vital or legitimate interest for sharing your personal data or where you have provided consent.

The third parties may include:

• recruitment agencies
• authorities (including Government departments, financial regulators, law enforcement)
• financial service providers
• learning and development providers
• information technology providers
• audit firms
• legal and tax advisors
• due diligence screening firms
• other persons authorised to act on your behalf (including legal advisors)
• a third party involved with marketing activity including the Gouldson website provider
• medical professionals
• your emergency contact
• social media websites

In certain cases, Gouldson may need to transfer personal data to other countries where we have operations or where our service providers are located. Where such transfers are made outside Jersey and the European Economic Area, we will make sure that the recipient of your data is able to keep your information safe (by use of appropriate technical and organisation measures) and that appropriate contractual arrangements are in place with those entities and which will have only been approved for use by Gouldson following due diligence.

Gouldson may from time to time transfer personal data outside the EEA. This will only be done if one or more of the following applies to the transfer:

• it is to a territory or sector within that territory that the European Commission has determined has an adequate level of protection for personal data, or appropriate safeguards as determined by the supervisory authorities
• it is made with the informed consent of the data subject
• it is necessary for the performance of a contract between the data subject and Gouldson, or for pre-contractual steps taken at the request of the data subject
• it is necessary for important public interest reasons, or for the conduct of legal claims, or to protect the vital interests of the data subject

Gouldson will retain your personal data for as long as we need it for the purposes for which it was collected and subject to any applicable law or other legal obligation that may apply.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Where there is a contract between us, we will retain your personal data for the duration of the contract and for a period of ten years following the termination or expiry, to ensure we are able to comply with any contractual, legal, audit and other regulatory requirements or any orders from competent courts or authorities. If you are on our marketing list, we will keep your details on that list for three years after the termination or expiry of any contract between us because we think that we have a legitimate interest in contacting you with updates from time-to-time. You can ask for your details to be removed from our marketing lists, at any time.

All questions, comments and requests regarding this Notice should be addressed to your usual Gouldson contact, the Data Protection Officer or Data Contact person in your location directly on the details below:

Carl Gouldson
Regency House,
Regent Road,
St Helier,
Jersey JE2 4UZ

email: admin@gouldson.co.uk