Data Privacy Policy – clients of Gouldson

For the purpose of this document, the term ‘Gouldson’ refers to both Gouldson & Co Limited and Gouldson Finance Limited.

In the course of its business, Gouldson needs to gather and use certain information about individuals. This will include clients, prospective clients, suppliers and other business contacts, and employees and prospective employees, as well as other people that we have a relationship with, may need to contact, or with whom we need to deal.

This data privacy policy (“Policy”) describes how this personal data must be collected, processed, transferred, handled and stored in order to meet the requirements of relevant data protection legislation, in particular the Data Protection (Jersey) Law 2018 (the “DPJL 2018”).

We use your information strictly in accordance with all applicable laws concerning the protection of personal information and you can be assured that any information provided will only be used in accordance with this Policy.

In it we explain:
• Who we are;
• What information we may collect about you and when;
• How we might use your information;
• How we protect your information; and
• Your rights regarding the information you provide.

Why this policy exists
This Policy provides help and guidance to our staff and managers in:
• complying with data protection law and following good practice
• protecting the rights of staff, clients, partners and business contacts
• being open about how we use personal data, how we store it, how we secure and delete it
• protecting Gouldson against the risks of both inadvertent and intentional data breaches.

Data protection law – What is personal data?
The DPJL 2018 regulates how organisations must collect, handle and store personal data. Personal data is any information relating to an identified or identifiable living individual. It is information which enables that person to be identified, directly or indirectly, and may include their name, address, telephone number(s), email address(es), age, location data, or online and biometric identifiers. We also hold a wide range of information about clients, including highly confidential financial data such as their individual tax information.

These rules apply to all data stored in any structured way, whether in paper files or electronically.

How do we collect personal data?
As accountants and tax advisers we have historically been considered to be data controllers but we may be considered to be data controllers or processors depending on the nature of our agreement with you.

We have clients that are individuals and clients that are corporate bodies, including limited liability partnerships, government departments and agencies and other public bodies. Even where our clients are not themselves individuals, they will be represented by individuals and they may be owned by individuals and invested in by individuals. As a result, we will inevitably process Personal Data in the course of our relationships with those clients too.

If you are a client, the information we process about you will include personal and/or professional contact details (addresses, telephone numbers, email addresses), copy identity documents and proofs of address, copy professional and educational certificates, details of bank accounts and/or other payment details, details of financial standing and investment objectives. Depending on the services we provide, we may additionally process details of family wealth, names, addresses and other personal details concerning family members and/or those employed by families or family members and other information categorised as “special category data”, such as information about an individual’s race; politics; religion; biometrics (used for ID purposes) and health.

Gouldson makes every effort to maintain the accuracy of personal data, although you must assist with this by promptly contacting Gouldson if there are changes to the personal data you have previously provided or if you become aware that Gouldson holds inaccurate personal data.

We may also obtain personal data about you, or about another person whose personal data you have provided to us, under a legal basis from sources other than you. The sources and categories of personal data, along with whether these are publicly accessible, are listed below:


• Due diligence screening providers.
Type of information (categories of personal data): Names, addresses, age, financial or economic information, social standing, crime or security related matters. This is publicly available.
• Internet search engines and public information sources.
Type of information (categories of personal data): Names, addresses, age, financial or economic information, social standing, crime or security related matters. This is publicly available.
• Those authorised to act on behalf of a client including an advisor or attorney.
Type of information (categories of personal data): Name, address, financial information, identifier code, age, gender. This is not publicly available.

Purpose and basis for collection
If you are a client, Gouldson collects your personal data, or that of other individuals provided by you, in order to provide you with the services you have requested under the Terms of Business you have entered into with Gouldson and also to meet certain legal obligations. We do not collect more information than we need in order to provide you with the services. If you do not provide the information that we ask for, we may not be able to provide you with the services that you require.

We may also use your personal data to provide you with newsletters that will contain information about Gouldson, including latest news and other Gouldson services that we think may be of interest to you because we think you have a legitimate interest in our contacting you in this way. We may also seek your consent to publish any client testimonial you provide on the Gouldson website. Where consent is required to process personal data of an individual who has not reached the required age to provide consent under the applicable data protection law, Gouldson will obtain consent from a person with parental responsibility for that individual.

If you are a visitor to our website you may give us your information if you fill in a form on the Site or if you send us an email (name, email address, telephone number and/or postal address). We do this so that we can monitor who accesses our Site and also to correspond with you.

Gouldson does not collect sensitive information (defined as “special category data” under the DPJL 2018) in respect of clients.

How personal data will be used
If you are a client, we will process your data in connection with providing the relevant services under a contract. We may also need to transfer personal data to third parties to be processed in connection with the services we provide to you, or to fulfil legal or regulatory requirements as necessary. If we do, any third parties that process your personal data are assessed by us to ensure they adhere to the requirements of applicable data protection requirements.

If you are a visitor to our Site (including completing a form), make a new business enquiry or contact us with a general enquiry, we will process your data for the purpose of our legitimate interest in responding to those enquiries.

The personal data you provide to us will only be used for the purpose specified. Gouldson does not and will not sell, rent or trade your personal data.

The personal data may be used in a number of ways, including to:
• verify your identity
• verify identity of others authorised to act on your behalf
• perform due diligence screening
• provide you with services and to contact you
• manage your transactions
• meet financial crime prevention requirements
• meet regulatory or legal obligations of Gouldson
• register or subscribe you to receive Gouldson newsletters
• publish news or your service opinion on the Minerva website (where you have provided consent)
• when you fill out forms on the Gouldson website
• when you contact Gouldson with a request

Privacy by design – data impact assessments
Part of Gouldson’s duty is to ensure that in the planning of new processes or procedures which involve the use of personal data, we consider the impact of the changes and ensure that we have fully considered and complied with our obligations under the DPJL 2018. Gouldson will always ensure that all such changes are designed and implemented in accordance with the law, and that the DPO is consulted and their recommendations are taken into account in the planning and introduction of such changes.

In any situation where new technologies are being deployed and the processing of the personal data is likely to result in a high risk to the data subjects’ rights and freedoms under the regulation, we will carry out a data impact assessment, overseen by the DPO.

This will deal with:
• the type(s) of personal data that will be collected, held and processed
• the purpose for which it is to be used
• Gouldson’s objectives in processing this data and making this innovation
• how the personal data is to be used
• internal and external parties to be consulted
• why we need the data and how the collection of the data is proportionate to our need for it
• what risks there are for data subjects
• what risks Gouldson runs, and
• what measures we are proposing to minimise and protect against the risks.

Your rights
Your rights in relation to your personal data are included within applicable data protection requirements, which include the DPJL 2018 and the General Data Protection Regulation 2016 (“GDPR”) (if applicable).

Depending on where you reside and because of the implementation of one of the above, you have rights as an individual which you can exercise in relation to the personal data we hold about you. Your rights are listed below:

Right of access:
    You have the right to know what type of personal data we hold about you and details about how we use it. You also have the

Right to rectification:
    You have the right to have any errors or incomplete personal data corrected.

Right to erasure (to be forgotten):
    In certain circumstances, you have the right to request the deletion of all personal data relating to you.

Right to restriction of processing:
    You have the right to restrict how we use your data e.g. you can request that we do not process your data for a particular purpose.

Right to object to processing:
    You have the right to object to our use of your personal data (including for direct marketing purposes).

Right to withdraw consent:
    If you have previously given us consent to process your data for a particular purpose, you have the right to withdraw that consent at any time.

Right to data portability:
    You have the right to be supplied with all of your personal data you have given to us in a structured, commonly used and machine readable format. You also have the right to have your personal data transferred from one controller to another.

Right to lodge a complaint:
    You have a right to lodge a complaint with the relevant Data Protection Authority.

When you exercise your rights, Gouldson will consider any exemptions that may apply. It is possible an exemption may affect how we are able to respond to your request; if this is the case, Gouldson will explain this to you in writing.

If you would like to exercise any of the above rights please contact us via email: or in writing to Carl Gouldson, Regency House, Regent Road, St Helier, Jersey JE2 4UZ.

Data security – transferring personal data
When Gouldson uses your personal data for the purposes outlined, we may transfer and disclose it to third parties who process the personal data on our behalf in connection with the services we provide to you, to a third party who requires the information under a legal requirement (where Gouldson is legally obliged to provide the personal data), where we have a vital or legitimate interest for sharing your personal data, or where you have provided consent.

The third parties may include:

• recruitment agencies
• authorities (including Government departments, financial regulators, law enforcement)
• financial service providers
• learning and development providers
• information technology providers
• audit firms
• legal and tax advisors
• due diligence screening firms
• other persons authorised to act on your behalf (including legal advisors)
• a third party involved with marketing activity including the Gouldson website provider
• medical professionals
• your emergency contact
• social media websites

In certain cases, Gouldson may need to transfer personal data to other countries where we have operations or where our service providers are located. Where such transfers are made outside Jersey and the European Economic Area, we will make sure that the recipient of your data is able to keep your information safe (by use of appropriate technical and organisational measures) and that appropriate contractual arrangements are in place with those entities, which will only have been approved for use by Gouldson following due diligence.

Transfer of personal data outside the EEA
Gouldson may from time to time transfer personal data outside the EEA. This will only be done if one or more of the following applies to the transfer:
• it is to a territory or sector within that territory that the European Commission has determined has an adequate level of protection for personal data, or appropriate safeguards as determined by the supervisory authorities
• it is made with the informed consent of the data subject
• it is necessary for the performance of a contract between the data subject and Gouldson, or for pre-contractual steps taken at the request of the data subject
• it is necessary for important public interest reasons, or for the conduct of legal claims, or to protect the vital interests of the data subject

Data storage and general security
We take appropriate measures to ensure that any personal data are kept secure and are kept for the duration of your use of our service. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data when transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

To safeguard against unauthorised access to personal information, all electronic personal information held by us is maintained on systems protected by secure network architectures that contain firewalls and intrusion-detection devices. The servers holding personal information are “backed-up” on a regular basis in an effort to avoid any inadvertent erasure or destruction of such personal information and are stored in facilities with appropriate security and fire-detection and response systems.

Gouldson has obtained certification under the National Cyber Security Centre’s Cyber Essentials scheme.

How long is the personal data retained?
Gouldson will retain your personal data for as long as we need it for the purposes for which it was collected and subject to any applicable law or other legal obligation that may apply.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Where there is a contract between us, we will retain your personal data for the duration of the contract and for a period of ten years following the termination or expiry, to ensure we are able to comply with any contractual, legal, audit and other regulatory requirements or any orders from competent courts or authorities.

If you are on our marketing list, we will keep your details on that list for three years after the termination or expiry of any contract between us because we think that we have a legitimate interest in contacting you with updates from time to time. You can ask for your details to be removed from our marketing lists at any time.

Changes to this Policy
We keep our Policy under regular review and we reserve the right to modify it at any time. Any changes we may make to our Policy in the future will be notified and made available to you using the Website, or by contacting you directly.

How to contact us
All questions, comments and requests regarding this Notice should be addressed to your usual Gouldson contact, the Data Protection Officer or Data Contact person in your location directly on the details below:

Carl Gouldson

Regency House, Regent Road, St Helier, Jersey JE2 4UZ