
Data protection and privacy

Your privacy is important to us, and we are committed to protecting your personal data. Depending on the situation, we may collect personal data ourselves or process personal data that is controlled by our clients. Our commitments in these two cases are set out in the Privacy Notice and the Data Processing Protocol, respectively.

Data Processing Protocol

The Data Processing Protocol applies where we may process personal information of which our client or client entities are the controller. It sets out, among other things, the principle of confidentiality and the security practices and technical and organizational measures that Intertrust has put in place.

Please find our full Data Processing Protocol in the snap-down below:

Data Processing Protocol

This Data Processing Protocol (the “Protocol”) shall apply between Intertrust and the Client Entity (“Client”) it is servicing, where Intertrust Group may process Personal Data, of which the Client is the Controller.

The Protocol forms part of any agreement in place between Intertrust and the Client (the “Service Agreement”).

1. Definitions

Where this Protocol uses terms which are defined in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the “GDPR”), then the definitions set out in that Regulation shall apply.

“Client” shall mean the company, trust, foundation, any other form of legal entity, partnership, or unincorporated business, set up, to which Intertrust provides any service at the request or instruction of such entity and/or its group members;

“Intertrust” shall mean the relevant Intertrust group compan(y)/(ies) that are affiliates to Intertrust Group B.V. (the Netherlands, 1097 JB Amsterdam, Prins Bernhardplein 200) and have concluded a Service Agreement with the Client; and

“Personal Data” shall mean personal data as defined in Article 4 GDPR, which Intertrust processes as a Processor in the course of providing services to the Client.

2. Scope of the Protocol

2.1 The Client and Intertrust note that:

a) Intertrust may process Personal Data whilst providing services to the Client, acting on behalf and under the direct authority of the Client (acting as sole controller) who (i) initiates and delegates such processing to Intertrust and (ii) ultimately reviews, controls, confirms and approves such processing. Intertrust shall (I) only carry out such processing on the instructions of the Client and in accordance with the provisions of this Protocol and the associated Service Agreement(s), and (II) immediately inform the Client if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions, to the extent permitted by law; and

b) the Protocol does not apply to Intertrust’s processing of Personal Data concerning the Client’s representatives, stakeholders and ultimate beneficial owners as necessary for the purposes of its service providing or as required by applicable laws (notably for AML and KYC purposes).

2.2 Intertrust will have no control over the purposes and means of processing the Personal Data.

2.3 The GDPR and any other applicable privacy laws apply to this Protocol and anything not specifically mentioned in this Protocol shall be governed by the GDPR and any other applicable privacy laws.

3. Confidentiality

3.1 Intertrust, and any person authorized to process Personal Data on its behalf, receiving the Personal Data from the Client pursuant to the Service Agreement, will exercise at least the same degree of care with respect to Personal Data with which Intertrust protects its own Personal Data of the same or similar nature.

3.2 Intertrust shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Intertrust and its employees shall not communicate the Personal Data to or put the Personal Data at the disposal of third parties without the Client’s prior written consent thereto unless (a) it is required to do so by mandatory law or regulation or ordered to do so by a competent authority or (b) pursuant to Clause 9.

3.3 Intertrust will only use or reproduce the Client’s Personal Data to the extent necessary to it to fulfil its obligations under the Service Agreement.

4. Security Practices, Procedures and Technical and Organisational Measures

4.1 Intertrust shall implement appropriate commercially reasonable, technical, physical and organisational security measures to protect Personal Data from misuse and/or accidental, unlawful and/or unauthorized destruction, loss, alteration, disclosure, acquisition and/or access and against all other unlawful forms of Processing in accordance with adequate internal instructions adopted by Intertrust. Intertrust will ensure a level of security suitable (taking into account the state of the art and the costs of implementation of such security) in relation to the risks and the nature of the Personal Data to be protected to the identified risks and pursuant to applicable Data Protection Laws and, where the Processing concerns Personal Data of EU residents or in case GDPR applies, shall take all measures required pursuant to Article 32 GDPR. Where local laws prescribe specific instructions and measures to be adopted for the purposes of this Article, local laws will be applied.

4.2 In fulfillment of Intertrust’s obligation to demonstrate compliance with paragraph 4.1, Intertrust will make available a description of its Technical and Organizational Measures. The Intertrust Information Security Overview as published on the website of Intertrust includes an overview of the Technical and Organizational Measures, as may be amended from time to time. Intertrust may from time to time also make, at its discretion, reference to certificates, third party audit reports or other relevant information.

4.3 Client shall provide Intertrust with thirty (30) calendar days advance notice of any audit request, which may be at the Client’s expense. The Client may not engage in an audit which would compromise confidentiality obligations towards any other Clients of Intertrust, access to non-public external reports, supplier internal pricing information, Intertrust confidential information and/or any internal reports prepared by Intertrust’s internal audit function. If the Client wishes to nominate another auditor to undertake the audit, it shall ensure that the auditor enters into a confidentiality agreement with Intertrust in such form as Intertrust shall reasonably require. Any liability, indemnity and all obligations under this contract shall also remain with the Client, even if it nominates another auditor. The Client warrants that any auditors are suitably qualified to undertake such an exercise.

5. Duration of processing of the Personal Data

5.1 Intertrust will process the Personal Data for as long as it provides services to the Client and will hold the Personal Data in archive after that date to the extent necessary for legitimate business purposes or for bona fide compliance purposes.

5.2 The Client may instruct Intertrust to delete or return Personal Data at the end of the period during which Intertrust will process such Personal Data. Intertrust shall be authorized to keep a copy to the extent required for legal, regulatory or bona fide compliance purposes, as well as the exercise or defense of legal claims for as long as is legally required for such purposes. Intertrust will delete such Personal Data at the end of such period.

6. Data Breach Incident

6.1 Intertrust will comply with GDPR requirements with respect to notifying the impacted Client whenever Intertrust becomes aware that there has been a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Intertrust in the context of this Protocol (“Data Breach Incident”). Intertrust will investigate the Data Breach Incident and take necessary steps to eliminate or contain the impact of the Data Breach Incident.

6.2 Intertrust shall maintain written procedures which enable it to provide a response to the Client about a Data Breach Incident as soon as practicably possible.

7. Transfer of Personal Data

The Client confirms that Intertrust may transfer Personal Data to its affiliates and subprocessors inside and outside the European Economic Area (EEA) for purposes of servicing, support, back-up or any other legitimate interest Intertrust may have to transfer Personal Data in order to fulfil its obligation(s) as per the relevant Service Agreement(s). Intertrust confirms that it has established safeguards to protect Personal Data transferred to countries outside the EEA that are, as a minimum, in accordance with the relevant Standard Contractual Clauses as approved by the European Commission. Where Intertrust enters such arrangements, it may act either for itself or as an agent for the Client or in both capacities. Every Intertrust group company has adhered to or is bound by the Standard Contractual Clauses through an intragroup arrangement.

8. Rights of Data Subjects

8.1 Upon instruction of the Client, Intertrust will cooperate to enable the Client:

a) in providing access to Data Subjects whose Personal Data are being processed via the provision of the services by Intertrust;

b) in deleting or correcting their Personal Data;

c) demonstrating that their Personal Data have been deleted or corrected if they are incorrect, or, if the Client disagrees with the point of view of the Data Subject, recording that the Data Subject is of the opinion that the Personal Data is incorrect;

d) in restricting the processing of Personal Data as per Article 18 GDPR;

e) in protecting the rights of Data Subjects to its best advantage;

f) in case a Data Subject exercises his or her right to data portability to another Data Controller pursuant to Article 20 GDPR and where technically feasible; and

g) in case a Data Subject exercises his or her right to object in accordance with Article 21 GDPR.

8.2 Notwithstanding Clause 8.1, Intertrust shall not be obligated to delete copies of Personal Data that it holds, to the extent where further processing is required in order to comply with a legal obligation to which Intertrust is subject or for the establishment, exercise or defence of legal claims.

8.3 The Client, as Controller, has the responsibility to provide the Data Subject with the information necessary to ensure fair and transparent processing in respect of the Data Subject (as set out in Article 14.1 of the GDPR or any similar provision under other applicable Data Protection Law). Where further processing of the Personal Data is required, for a purpose other than that for which the Personal Data were obtained, the Client shall provide the Data Subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in Articles 13.1 and 14.2 of the GDPR or any similar provision under any other applicable privacy laws. Intertrust shall not be held responsible if it is not aware of such information not being provided to the Data Subject.

8.4 Intertrust shall not correct, delete or restrict data to be processed on behalf of the Client in an unauthorized manner. Should a Data Subject contact Intertrust directly in this context, Intertrust shall forward this request to the Client without undue delay.

9. Subprocessors and contractors

9.1 The Client hereby generally authorizes Intertrust to use subprocessors and/or contractors (as defined and under the conditions described in Intertrust’s General Terms & Conditions and/or Intertrust’s Service Delivery Conditions) to provide support to the services under the Service Agreement.

9.2 Intertrust shall remain primarily responsible for the performance of its obligations under this Protocol and shall ensure that its agreements with such subprocessors and/or contractors are at least as restrictive as this Protocol. A list of the current main subprocessors and Contractors can be found in the Intertrust Outsourcee Overview as published on the website of Intertrust. Intertrust may change or add subprocessors and/or contractors from time to time, which changes shall be announced via an update of the Intertrust Outsourcee Overview as published on the website of Intertrust. The Client shall consult the Intertrust Outsourcee Overview regularly in order to be kept informed of such changes and may, within a reasonable period of time, object to such changes.

10. Modification or amendment

Any amendment to this Protocol shall be published on the website of Intertrust, but shall not reduce or otherwise limit the rights of the Client.

11. Assistance to Client compliance with Articles 32 to 36 GDPR

Intertrust shall assist the Client in ensuring compliance with its obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to Intertrust.

12. Applicable Law and Jurisdiction

This Data Processing Protocol is governed by the applicable law of the relevant Service Agreement and any dispute in respect of this Data Processing Protocol or execution thereof shall be submitted to the Intertrust entity servicing the Client and before the competent court as defined in the relevant Service Agreement.

 

Annex 1 – Description of processing of personal data

1. Subject Matter, Nature and Purpose

All processing activities (including the collection, organization and analysis of Personal Data) as are reasonably required to facilitate or support the provision of the services described under the Service Agreement.

2. Categories of Data Subjects

The Data Subjects may include individuals that represent the Client, that are advising the Client, that are in any contractual or statutory relationship with the Client, or that the Client has collected in view of its servicing towards such individuals or are otherwise connected to such individuals.

Most commonly the Data Subjects will include: (1) employees, contractors or other workers of the Client and/or their family members, representatives or others connected with workers and (2) past, existing or prospective Clients and/or contractual counterparties of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them.

3. Types of Personal Data

The services under the Service Agreement may involve the processing of the following types of Personal Data:

  • names and contact information;
  • general demographic information (such as gender, age, date of birth, marital status, nationality, employment details, residence, utility bills, etc.);
  • personal identification documentation and related information such as passport numbers and employee identification numbers;
  • financial and payment data such as bank account numbers and transaction information;
  • details of shareholdings and other assets which are legally or beneficially owned by the Data Subject;
  • details of people and organizations which may be connected to the Data Subject (family or otherwise); and
  • information related to the provision of the services performed under the Service Agreement or per the services provided by the Client to such individuals.

Privacy Notice

The Privacy Notice sets out what personal data we collect and how we collect and use it. It also sets out the rights you have in relation to the Personal Data.

Please find our full Privacy Notice in the snap-down below:

Intertrust Group Privacy Notice

15 April 2021

About Intertrust, introduction

This Privacy Notice is issued by Intertrust Group B.V. (the Netherlands, 1097 JB Amsterdam, Prins Bernhardplein 200) and applies to Intertrust N.V. (with same registered office) and to its direct or indirect subsidiaries (hereinafter “Intertrust”).

Intertrust’s main establishment in charge of decision-making regarding the purposes and means of data processing in the EU (Intertrust Group B.V.) is established in the Netherlands. Therefore, Intertrust’s lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Intertrust understands that your privacy is important. Therefore, we respect and protect your right to privacy and will process your personal data in accordance with the provisions of the European General Data Protection Regulation (“GDPR”) and other applicable privacy laws.

The GDPR and any other applicable privacy laws apply to this Privacy Notice and anything not specifically mentioned in this notice shall be governed by the GDPR and any other applicable privacy laws.

This Privacy Notice explains how we may use, process and store your personal data.

What kind of personal data does Intertrust collect?

Personal data means any information relating to an identified or identifiable natural person. Intertrust collects and processes the following types of personal data:

  • name, address, email address, telephone number and other contact information;
  • date and place of birth;
  • nationality;
  • gender;
  • employment details;
  • marital status;
  • copies of identity documents (such as passport, national ID card, driver’s license, employee identification numbers);
  • source of wealth;
  • utility bills, bank statements;
  • tax residency;
  • details of shareholdings and other assets which are legally or beneficially owned by the data subject; and
  • details of people and organisations which may be connected to the data subject (family or otherwise).

Please note that the list is not exhaustive and that Intertrust may also collect and process personal data to the extent this is useful or necessary for the provision of our services.

How does Intertrust collect personal data?

Intertrust obtains and processes personal data in different ways.

  • Personal data provided to Intertrust directly;

We collect personal data directly from (prospective) clients, business partners and intermediaries for the purposes of entering into a contract or a service agreement and/or to meet certain legal requirements.

  • Personal data obtained from third parties;

We also collect and process personal data from publicly accessible sources such as internet, social networks, World-Check or commercial registers. Furthermore we may receive personal data from third parties as part of the service we provide to you or to people which are connected to you (including but not limited to organisations in which you have a shareholding or by which you are employed) or in connection with legal requirements that are applicable to us.

How does Intertrust use personal data?

The majority of the personal data processed by Intertrust is necessary for the performance of a contract to which the data subject is a party or to comply with the request of the data subject prior to entering into a contract. Intertrust also processes personal data in order to comply with our legal and regulatory obligations.

We may furthermore process personal data for the purposes of the legitimate business interests pursued by Intertrust. Such legitimate interests include general research and development (including statistical research or as a basis to analyze our current security measures), administration of our business and systems, including IT, billing and invoicing systems or to develop and improve our services or to strengthen our relationship with you. We may provide you with communications or information regarding our service offering which we think will be interesting for you. When we process your personal data for our legitimate business interests, or where consent to process personal data was received, we will consider and balance any potential impact on you and your rights under the relevant data protection and any other relevant law. Whenever we process personal data for these purposes you have the right to object to this way of processing.

To whom does Intertrust provide personal data?

Intertrust may disclose or transfer personal data collected by Intertrust to our group companies insofar as reasonably necessary for the purposes of our service offering or for bona fide compliance purposes as well as on the legal basis as set out in this Privacy Notice.

Except as described in this paragraph, Intertrust will not disclose, transfer or sell your personal data to any third party unless you have consented to this.

Intertrust may disclose or transfer personal data to subcontractors, intermediaries or external advisors for the purpose of the proper performance of the services we provide to our clients. It may, for example, disclose or transfer such personal data to third party service providers who provide administrative, computer, payment, data processing, debt collecting or other services. We enter into data processing agreements with such subcontractors to ensure that they process your data, on our behalf, with the same level of security and confidentiality as applied by Intertrust. Intertrust may furthermore disclose or transfer personal data when we received your consent to do so.

In addition Intertrust may disclose or transfer personal data to protect our rights or those of our clients and/or to prevent fraud. Intertrust can also be obliged to disclose or transfer personal data to competent authorities in order to comply with our legal and/or regulatory obligations.

Job Applicants and Employees

This section describes how Intertrust is handling and protecting personal information of employees and job applicants provided to Intertrust, i.a. through the online Intertrust career website. This section should be read together with the rest of this Privacy Notice (except for the sections ‘What kind of personal data do we collect’ and ‘How does Intertrust use your personal data’).

Intertrust processes the following types of personal data of employees and job applicants:

  • Name, address, email address, telephone number and other contact information;
  • Date and place of birth;
  • Nationality;
  • Immigration, right-to-work and residence status;
  • Job-related information such as years of experience and work record;
  • Educational and training information;
  • Skills and competencies;
  • Name and contact details of references (please note that if you provide us with contact details of a reference it is your responsibility to obtain consent from that individual before sending this information to Intertrust).
  • Any other personal information you choose to submit to Intertrust in connection with your application.

Intertrust does not process sensitive personal data. However, if Intertrust under certain circumstances does process sensitive personal data we will ask the applicant’s explicit prior consent. To the extent you make sensitive personal data available to Intertrust, you consent to Intertrust processing such personal data in accordance with this Privacy Notice. We use the personal data you provide in your application for the purpose of carrying out our recruitment activities. Your personal data will be used to assess if you are qualified for the position you apply to, to verify your information, to conduct reference checks, to communicate with you and to inform you of further career opportunities.

International transfers and data storage

Intertrust may disclose or transfer personal data to other companies of the Intertrust group that are located in countries that are outside the European Economic Area in connection with the above purposes.

The personal data Intertrust processes is stored by Intertrust on our servers, and/or on the servers of the cloud-based database management services Intertrust engages.

If disclosure or transfer of personal data is being done in a country that does not ensure an adequate level of protection of your personal data, Intertrust will make sure additional safeguards will be put in place.

Retention

Intertrust will process and store the relevant personal data for the duration of our services or for the duration of the business relationship. Intertrust may also store the data for as long as it is necessary or required in order to fulfill legal, contractual or statutory obligations or for the establishment, exercise or defense of legal claims, and in general where it has a legitimate interest for doing so.

Your rights

You have the following rights:

  • Access to your information

You have the right to access the personal information that Intertrust holds about you at any time.

  • Data portability

You may ask Intertrust to provide you with a copy of the personal information that Intertrust holds about you.

  • Correction of your personal information (the right to rectification)

You have the right to ask Intertrust to update and correct any out-of-date or incorrect personal information that we would hold about you.

  • Deletion of your personal information (the right to be forgotten)

You have the right to ask Intertrust to delete your personal information, to the extent that Intertrust has no legal and/or regulatory obligations to keep such personal information.

  • Restriction of processing of your personal information

You have the right to ask Intertrust to restrict the processing of your personal information in case:

a. You contested the accuracy of the personal information held by Intertrust;
b. The processing is unlawful but you objected to the deletion of the personal data and requested the restriction of the use instead;
c. Intertrust no longer needs the personal data for the purposes of the processing, but you require them for legal reasons;
d. You objected to processing and Intertrust is investigating whether there are legitimate grounds to override your objection.

  • Automatic decision making

Intertrust generally does not make decisions by purely automatic means, but if we do, you have the right to object.

  • Object

You have the right to object at any time to the processing of your personal data for any direct marketing (and related profiling) by Intertrust.

If you wish to exercise any of the above rights, you can contact Intertrust using the below contact details.

In addition you have the right to make a complaint with the local supervisory authority with respect to the way Intertrust is processing your personal data or the way Intertrust is handling your rights.

Navigation and Cookies

Please note that Intertrust is the controller of personal data collected through the Intertrust website (the “Website”) and the Intertrust global client portal, styled as Iris (the “Portal”).

Intertrust collects personally-identifiable information on certain areas of the Website and Portal when users register, request publications or other information, send Intertrust instructions in connection with services, sign up for conferences and events, apply for jobs, and participate in user posting areas, such as bulletin boards, discussion forums, and surveys. The personally-identifiable information collected may consist of information that you provide, such as names, mailing addresses, e-mail addresses, telephone and fax numbers, and, for recruiting purposes, any other personally-identifiable information on your resume.

The Website and the Portal also use cookies to identify you and your interests and to track usage of the Website and Portal. Cookies are small pieces of text stored on your computer that help us know which browser you are using and where you have been on the Website and the Portal and on websites to which you may link in order to use some of our features. By accepting our cookie, you will be permitted access to certain pages of the Website and the Portal without having to log in each time you visit. A user who does not accept the cookie from the Website or Portal may not be able to access certain areas of the Website or Portal. Intertrust also logs IP addresses, access history or the location of computers on the Internet, to help diagnose problems with our server, to administer the Website and the Portal and/or to prevent or remedy any security incidents. If you prefer not to accept a cookie, you can set your web browser to warn you before accepting cookies, or you can refuse all cookies by turning them off in your web browser.

Please click here to learn more about the cookies and third-party cookies that are used on the Intertrust website and how to refuse the cookies.

How do we protect personal data?

Intertrust is committed to ensuring the security of your personal data. Intertrust takes appropriate commercially reasonable, technical, physical and organisational measures to prevent unauthorised or unlawful processing of your personal data or accidental loss or destruction of your personal data. Intertrust will ensure a level of security suitable to the identified risks and pursuant to applicable Data Protection Laws and, where the Processing concerns personal data of EU residents or in case GDPR applies, shall take measures required pursuant to article 32 GDPR.

Employees of Intertrust are trained to handle personal data securely and with utmost respect and they will treat your personal data strictly confidential. Staff members shall be authorized to access personal data only to the extent necessary to serve the applicable legitimate purposes for which the data are processed by Intertrust and to perform their job.

Intertrust will not divulge client information to a third party unless we have received explicit client authorisation or we are required to do so by law.

Changes to this notice

Intertrust may update this Privacy Notice from time to time. We advise you to periodically review this Privacy Notice to be informed of how Intertrust is protecting your privacy.

Contact Intertrust/Data Protection Officer

If you have any questions, concerns or complaints with respect to this Privacy Notice, the way Intertrust is handling your privacy or you wish to exercise any of your rights please contact our Data Protection Officers as mentioned in Annex 1 attached hereto.

Annex 1 – Contact information Data Protection Officer

For Group:
Corneel Ryde – [email protected]

For Jersey:
Yezdi Patel – [email protected]

For Guernsey:
Ben Looijenga – [email protected]

For Cayman:
Nedra Myles – [email protected]

For the United Arab Emirates:
Assam Ibrahim – [email protected]

For Switzerland:
René Spigt – [email protected]

Data controllers in Switzerland:

  • Intertrust (Suisse) S.A.
  • Intertrust Services (Schweiz) A.G.
  • Intertrust Suisse Trustee GmbH
  • Intertrust Services (Liechtenstein) Trust Reg.
  • Intertrust Director (Malta) Limited
  • Intertrust Nominees Limited
  • Directo S.A.
  • Edelweiss (Directors) Limited