Group Privacy Policy

You have a right to see all the information that we hold about you. Where data is held electronically in a structured form, such as in a database, you have a right to receive that data in a common electronic format that allows you to supply that data to a third party – this is called “data portability”.

To make a request for your own information please contact the data processing team.

If we are holding data about you that is incorrect, you have the right to have it corrected.

Please email any related request to the data processing team.

You can ask that we delete your data and where this is appropriate we will take reasonable steps to do so.

Please email any related request to the data processing team.

If you think there is a problem with the accuracy of the data we hold about you, or you are of the opinion that we are using data about you unlawfully, you can request that any current processing is suspended until a resolution is agreed.

Please email any related request to the data processing team.

You have a right to opt out of direct marketing.

You have a right to object to how we use your data if we do so on the basis of “legitimate interests” or “in the performance of a task in the public interest” or “exercise of official authority” (a privacy notice will clearly state this to you if this is the case). Unless we can show a compelling case why our use of your data is justified, we have to stop using your data in the way that you’ve objected to.

Please email any related request to the data processing team.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making as we do not use automated decision-making.

This privacy notice demonstrates how we handle the personal data we obtain about you in the course of us providing one of the following services to you:

1. Legal Services;
2. Fund Management Solutions;
3. IR & Marketing;
4. International Administration;
5. Investment Advisory;
6. Data & Analytics;
7. ESG Reporting & Consulting.

To help you find the information that is most relevant to your situation, we have separated this policy into sections applicable to each type of service we provide.  Please click on the heading above that is most appropriate for your situation to find out more regarding what we do with your data.  General information applicable to all of our services is set out below.

This statement does not apply to:

1. the collection and processing of personal data submitted through our Websites or from marketing events or provided to us by prospective, current or former customers, other than in the course of us providing legal or other services. For information about privacy in this context, click here.
2. the collection and processing of personal data about our employees. For information about privacy in the context of doing work for MJ Hudson, please see the employee handbook.
3. the collection and processing of personal data in relation to job candidates or applications for roles advertised on our websites. For information about privacy in this context, click here.

Where the client is a data controller and MJ Hudson is a data processor

Where, in relation to any personal data, MJ Hudson is the data processor under the terms of the agreement, for example, when MJ Hudson provide perception studies for clients upon their request, the data is provided by the client and used solely for the purpose of conducting the perception study on behalf of the client, the following provisions will apply.

For the purposes of Article 28.3 of the GDPR the subject matter of the processing is as follows:

• the personal data used in the processing will be based on the agreement between MJ Hudson and the controller. For example: forename(s), surname, email address, password, IP address, client instructions.
• the duration of the processing will be the duration of the agreement (as may be extended from time to time);
• the nature and purpose of the processing will be limited to the agreement between the parties.

MJ Hudson shall:

1. process the personal data only in accordance with the data controllers instructions, including where relevant for transfers of personal data outside the European Economic Area (EEA) (unless required to do so by European Union, Member State and/or UK law to which MJ Hudson is subject, in which case MJ Hudson shall inform the data controller of that legal requirement before processing unless prohibited by that law);
2. ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3. take all measures required pursuant to Article 32 of the GDPR;
4. appoint sub-processors only in accordance with Article 28.2 and Article 28.4 of the GDPR;
5. taking into account the nature of the processing, assist the data controller by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the data controllers obligation to respond to requests for exercising a data subject’s rights laid down in Chapter III of the GDPR;
6. taking into account the nature of the processing and the information available to MJ Hudson, assist the data controller in ensuring compliance with the data controllers obligations to:
7. keep personal data secure (Article 32 GDPR);
8. notify personal data breaches to the Supervisory Authority (Article 33 GDPR);

• advise data subjects when there has been a personal data breach (Article 34 GDPR);

1. carry out data protection impact assessments (Article 35 GDPR); and
2. consult with the supervisory authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 36 GDPR);
3. upon the data controllers request, delete or return all personal data to the data controller upon termination of the Agreement, save to the extent that European Union or EU member state law requires retention of the personal data;
4. make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in these terms and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controllers;
5. co-operate on request, with the Information Commissioner’s Office (or any successor body thereto or any relevant supervisory authority) in the performance of its tasks; and
6. notify the data controller without undue delay after becoming aware of a personal data breach.

We shall be liable in respect of any breach of our obligations under the agreement and/or Data Protection Legislation with respect to the processing of personal data other than where such breach is caused by or results from an act or omission by the data controller. We shall fully and effectively indemnify the data controller for any claim brought by a data subject and/or any competent authority or body arising from any action or omission by us with respect to the processing of their personal data other than to the extent that such action or omission resulted from compliance with the data controllers instructions.

Retention Period

Unless otherwise indicated below, your data will be stored for the duration of our contract with you plus a maximum period of 7 years.  After this time it will be destroyed unless we have identified a lawful purpose(s) for which we need to keep your data longer or you request that we keep it for longer. If we feel that we may need to keep your data for longer than the lawful purposes for which it was obtained, we will contact you to obtain your consent to such longer period.

For further information on your rights, please see the relevant supervisory authority’s website.

      i.        Legal Services

The kind of information we hold about you

MJ Hudson provide legal services including advice in relation M&A, Hedge Funds, Venture Capital and Private Funds (Legal Services). Legal services are provided by MJ Hudson Limited (company number 08607159 and ICO registration number ZA031740), MJH Services (Guernsey) Limited, Jonathan Fraser Bale t/a MJ Hudson (OIC notification number 58059) and their subsidiary companies. If you engage us to provide Legal Services to you, we may collect, store, and use the following categories of Personal Data about you:

• name;
• business postal address;
• business email address;
• telephone number;
• date of birth;
• nationality;
• job title;
• fax number;
• mobile telephone number;
• copy of your passport or other form of photographic ID;
• corporate bank details;
• source of wealth and source of funds;
• criminal convictions;
• whether you are a politically exposed persons;
• whether you are on a sanctioned or watch list; and
• other information about you which you may provide to us in the course of us providing legal services.

Note that, in certain circumstances, the information we hold about you may include Special Category Data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions.

How your data is collected

We collect your data from the following sources:

1. directly from you during our client inception and on-boarding process and our ongoing client relationship;
2. background check providers, from which we collect the following categories of data:
3. whether you are on a sanctioned or watch list;
4. details of criminal convictions; and

• whether you are a politically exposed persons

1. your professional reference from whom we collect confirmation of your name and address; and
2. other service providers to you, such as your company’s administrator or company secretary, who may provide us with copies of your passport or other ID.

What we use your data for

We use your data for the following purposes:

1. in order to provide legal services pursuant to our contract with you;
2. in order to comply with our legal obligation such as to carry out anti-money laundering checks on our clients;
3. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see the Marketing Policy for further details of how we use your data for marketing purposes; and
4. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements.

Who we share your data with

We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so.  Details of the organisations we may share your data with are set out below:

1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of the Applicable Local Laws or the GDPR, as applicable.

2. Your other advisors or lawyers

It is sometimes necessary to share information, including your data, with third parties who are providing you with advice or other professional services ancillary to the legal services we are providing.  For example, if we are providing legal advice to a fund, we may share certain information with the fund administrator or fund manager, in order to provide our services or to permit them to provide theirs.

3. Our Consultants

We use consultants to provide certain of our services to our Legal clients. These consultants are not employees of MJ Hudson and are, therefore, considered third party processors for the purposes of the GDPR and/or Applicable Local Laws but they are subject to the same policy and procedure requirements as all of our staff in relation to how they handle personal data.

4. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes. All of our service providers have entered or will shortly enter into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request.

5. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data.  Our auditors are subject to strict confidentiality provisions in their contract with us.

6. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data where such disclosure is necessary for the establishment, exercise or defence of legal claims.

In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:

1. where you have given your consent;
2. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
3. if we sell our company, go out of business, or merge with another company.

International Transfers

In certain circumstances, we may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR.  Details of the circumstances and mechanisms in place to ensure compliance are set out below:

1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws.

We also have operations in the USA and Canada, we have put in place Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All Personal Data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are held within EU based Microsoft servers.

2. Your other advisors

In some instances, you may have instructed other lawyers or advisors who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

3. NetDocuments in the United States

We use a document management system called NetDocuments to store some of our client files and this may include your data.  NetDocuments is operated by NetVoyage Corporation in the United States.  NetVoyage Corporation participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to NetDocuments in the United States are therefore made subject to appropriate safeguards in accordance with the Applicable Local Laws and the GDPR. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome.  NetDocuments’s privacy policy can be viewed here.

Data Retention

We only keep data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. Please note that, in Jersey and Guernsey, local law requires us to retain records for a period of 10 years and we may, therefore, retain your data for this period.

    ii.        Fund Management Solutions

MJ Hudson provide third party compliance services regulating firms on behalf of the Financial Conduct Authority and Commission de Surveillance du Secteur Financier, as well as fund management, administration and operation services (Fund Management Solutions). Fund Management Solutions are provided by MJ Hudson Fund Management Limited (FRN: 193171) and MJ Hudson Advisers Limited (FRN: 692447) in the UK, and MJ Hudson Management S.A. (CSSF ID: A00002036) in Luxembourg.

The kind of information we hold about you

If you engage us to provide Fund Management Solutions to you, we may collect, store, and use the following categories of personal data about you:

1. name;
2. business postal address;
3. residential address;
4. business email address;
5. telephone number;
6. date of birth;
7. nationality;
8. job title;
9. fax number;
10. mobile telephone number;
11. copy of your passport or other form of photographic ID;
12. corporate Bank Details;
13. source of wealth and source of funds;
14. FCA/CSSF/GFSC registration number (if applicable);
15. list of directorships;
16. employment history;
17. criminal convictions;
18. credit reports/ratings;
19. whether you are a politically exposed persons;
20. whether you are on a sanctioned or watch list; and
21. other information about you which you may provide to us in the course of us providing Fund Management Solutions.

In certain circumstances, the information we hold about you may include special category data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions

How your data is collected

We collect your data from the following sources:

1. directly from you during our client inception and on-boarding process and our ongoing client relationship;
2. background check providers, from which we collect the following categories of data:
3. whether you are on a sanctioned or watch list;
4. details of criminal convictions;

• whether you are a politically exposed persons; and

1. a credit report.
2. Companies House or other local public company registers, as applicable; and
3. other service providers to you, such as your company’s administrator, who may provide us with copies of your passport or other ID.

What we use your data for

We use your data for the following purposes:

1. in order to provide Fund Management Solutions pursuant to our contract with you;
2. in order to comply with our legal obligation such as to carry out anti-money laundering checks on our clients and to comply with our obligations to the Financial Conduct Authority;
3. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see here for further details of how we use your data for marketing purposes;
4. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you;
5. Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements.

Who we share your data with

We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so.  Details of the organisations we may share your data with are set out below:

1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this Policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of Applicable Local Laws or the GDPR, as applicable.

2. Your other advisors, service providers or fund investors

It is sometimes necessary to share information, including your data, with third parties who are providing you with advice or other professional services ancillary to the services we are providing.  For example, if we are providing services to a fund, we may share certain information with the fund, the investors, the fund administrator, fund auditor, fund manager, bank or depository, in order to provide our services or to permit them to provide theirs.

3. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes.  All of our service providers have entered into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request

4. Background Check providers

As detailed above, we may obtain certain personal data about you from third party background check providers.  In order to obtain such information we need to share some of your data with those background check providers.

One of the background check providers that we use is KYC6. KCY6 may have a list of our clients’ names on a database on some occasions after a search has been performed.

We have data processing agreements with all background check providers with whom we share personal data.

5. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data.  Our auditors are subject to strict confidentiality provisions in their contract with us.

6. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data where such disclosure is necessary for the establishment, exercise or defence of legal claims.

In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:

1. where you have given your consent;
2. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and

• if we sell our company, go out of business, or merge with another company.

International Transfers

In certain circumstances, we may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR.  Details of the circumstances and mechanisms in place to ensure compliance are set out below:

1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws.

We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All Personal Data used by staff in these locations is held on our central servers located in Jersey.  Emails are stored within EU based Microsoft servers.

2. Your other advisors

In some instances, you may have instructed other lawyers or advisors who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

3. Sharepoint in the United States

We use Sharepoint to store some of our client files and this may include your data.  Sharepoint is operated by Microsoft in the United States.  Microsoft participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to Sharepoint in the United States are therefore made subject to appropriate safeguards in accordance with the Applicable Local Laws and the GDPR. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for your data. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website:

https://www.privacyshield.gov/welcome.

Microsoft’s privacy policy can be viewed here.

4. Sterling Talent Solutions in Canada and the United States

We use Sterling Talent Solutions UK Limited (Sterling) as a background check service provider. Sterling stores personal data in Canada and the United States.

The European Commission has ruled that Canada offers adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and Applicable Local Laws.

Sterling’s US entities, Sterling Info systems Inc. and its U.S. affiliates and subsidiaries, participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to Sterling in the United States are therefore made subject to appropriate safeguards in accordance with the Applicable Local Laws and the GDPR. Sterling’s privacy can be viewed here.

Data Retention

MJ Hudson only keeps data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. Please note that, in Jersey and Guernsey, local law requires us to retain records for a period of 10 years and we may, therefore, retain your data for this period.

   iii.        IR & Marketing 

MJ Hudson provides investor relationship and marketing solutions including perception studies, advice in relation to fundraising and marketing materials, branding and communications to support Fund Managers and other clients (IR & Marketing Solutions).

The kind of information we hold about you

If you engage us to provide IR & Marketing Solutions to you, we may collect, store, and use the following categories of personal data about you:

1. name;
2. business postal address;
3. business email address;
4. telephone number;
5. date of birth/age;
6. job title;
7. company;
8. corporate bank details;
9. whether you are a politically exposed persons;
10. whether you are on a sanctioned or watch list;
11. other information about you which you may provide to us in the course of us providing IR & Marketing Solutions.

In certain circumstances, the information we hold about you may include special category data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions

How your data is collected

We collect your data from the following sources:

1. directly from you during our client inception and on-boarding process and our ongoing client relationship;
2. background check providers, from which we collect the following categories of data:
3. whether you are on a sanctioned or watch list;
4. details of criminal convictions; and

• whether you are a politically exposed persons

1. publicly available sources such as electronic databases and lists.

What we use your data for

We use your data for the following purposes:

1. in order to provide IR & Marketing Solutions pursuant to our contract with you;
2. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see here for further details of how we use your data for marketing purposes; and
3. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements.

Who we share your data with

We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so.  Details of the organisations we may share your data with are set out below:

1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this Policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of Applicable Local Laws or the GDPR, as applicable.

2. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes.  All of our service providers have entered or will shortly enter into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request

3. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data. Our auditors are subject to strict confidentiality provisions in their contract with us.

4. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data where such disclosure is necessary for the establishment, exercise or defence of legal claims.

In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:

1. where you have given your consent;
2. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and

• if we sell our company, go out of business, or merge with another company.

International Transfers

In certain circumstances, we may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR.  Details of the circumstances and mechanisms in place to ensure compliance are set out below:

1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws.

We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All personal data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are stored within EU based Microsoft servers.

2. Your other advisors

In some instances, you may have instructed other advisors or service providers who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

3. SurveyMonkey in the United States

We use SurveyMonkey to carry out our online surveys.  SurveyMonkey stores survey data on its servers in the United States.  If you participate in one of our surveys, your personal data will be transferred to the United States.  SurveyMonkey Inc. (and its subsidiary company, Infinity Box Inc.) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to SurveyMonkey in the United are therefore made subject to appropriate safeguards in accordance with the GDPR and Applicable Local Laws. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for Your data. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome.  SurveyMonkey’s privacy policy can be viewed here.

We may also transfer your data to such other service providers as may be necessary for the execution of the work you have contracted us to perform. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

   iv.        International Administration

MJ Hudson’s International Administration team provide trust and corporate services or investment management and administration services (International Administration Services). International Administration Services are provided by MJ Hudson Fiduciaries Limited (GFSC reference 2265283 Data Protection reference 54017), MJ Hudson Fund Management Guernsey Limited (GFSC reference 2293292 Data Protection reference 58843), Tower Managers Limited (GFSC reference 2291851 Data Protection reference 58853), Tower Gate GP II Limited, VFS Trustees Limited (GFSC reference 2265380  Data Protection reference 54017), VFS Nominees Limited (GFSC reference 2265383 Data Protection reference 54017), VFS Directors 1 Limited (GFSC reference 2265378  Data Protection reference 54017) and VFS Directors 2 Limited (GFSC reference 2265379 Data Protection reference 54017).   If you engage us to provide trust and corporate services or investment management and administration services to you, we may collect, store, and use the following categories of personal data about you:

The kind of information we hold about you

If you engage us to provide International Administration Services to you, we may collect, store, and use the following categories of personal data about you:

1. contact details (including names, postal and email addresses, telephone numbers and website URL)
2. information required for us to meet legal and regulatory requirements in particular in respect of anti-money laundering legislation, including identification data (date and place of birth, nationality, identity number, copies of your passport or other identification document), and information regarding source of funds and source of wealth and beneficial ownership disclosure requirements
3. information required for us to meet reporting obligations for example: tax reporting including tax status, tax number, tax residency and financial information
4. information required for us to provide the services including financial information to process payments, background information including employment details and details of dependents
5. any other information you may provide to us

We may also collect, store and use special category data including:

1. information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
2. information about your health, including any medical condition, health and sickness records
3. data relating to a person’s criminal record or alleged criminal activity

Special category data requires a higher level of protection and will only be processed where we have received explicit consent or the processing is necessary for compliance with a legal obligation.

How your data is collected

The sources of your data may include clients, data subjects directly, introducers, intermediaries, advisers, third parties connected to the data subject (for example: family member, employer or another service provider who provides services to the data subject) or open-source material.

We collect personal data via the completion of forms provided to you and completed by you, from documents provided including due diligence documents, from correspondence including email, from meetings and telephone conversations.

We will collect personal data throughout the course of our business relationship or while we provide services to clients connected to you.

What we use your data for

We use your data for the following purposes.  This table also confirms the lawful basis we are relying on in each case:

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements.

The data sought will vary and the purposes for processing will overlap depending on the type of services provided.

Who we share your data with

We share information with third parties including third party service providers where required by law, where it is necessary to administer our business relationship, where it is necessary for us to provide the services to you or where we have another legitimate interest in doing so.

The following are potential recipients of personal data (in each case including respective employees, director and officers):

1. sub-contractors, agents, consultants or service providers such as insurance brokers, compliance, IT firms or other professional advisers of MJ Hudson or its clients and their clients and associated parties;
2. other parts of MJ Hudson where it is relevant for the services we are providing to you. A full list of all MJ Hudson group entities and affiliates is available on the Group Privacy Policy page of our Websites;
3. bankers, auditors, accountants, investment brokers, managers or advisers, legal and other professional advisers;
4. company formation agencies and registries;
5. land or property agents and registries;
6. Guernsey and overseas regulators, or other government or supervisory body and tax authorities when required by law; and
7. law enforcement agencies where considered necessary for MJ Hudson to fulfil legal obligations applicable to it.

When we engage a third party to process your personal data, we will require them to process your personal data in accordance with our instructions and protect the data against unauthorised or accidental use, access, disclosure, loss or destruction. We do not allow them to use your personal data for their own purposes. They will only be permitted to process your personal data for a specified purpose and in accordance with our instructions.  Where they no longer need to your personal data to fulfil the contract, they will need to transfer the data back to us and/or destroy or delete any data held by them.

International Transfers

In the event any of the third parties detailed above are outside of Guernsey and the EU and where we are transferring personal data which would be protected under Applicable Local Law or GDPR we will ensure that we meet the relevant requirements prior to carrying out such a transfer. This may include only transferring the data where we are satisfied that:

1. the non-European Union country has Data Protection laws similar to the Laws in Guernsey and the European Union
2. the recipient has agreed through contract to protect the information to the same Data Protection standards as Guernsey and the European Union
3. we have obtained consent from the relevant data subjects to the transfer, or
4. if transferred to the United States of America, the transfer will be to organisations that are part of the Privacy Shield or we will put sufficient contractual documentation in place.

Data Retention

We only collect data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. Details of retention periods for different aspects of your personal data are available in our data management policy which is available on request. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential for harm from unauthorised use or disclosure of the data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Once our business relationship ends, we will retain and securely destroy your personal data in accordance with our record retention and destruction policy, applicable legislation and/or regulatory requirements.

    v.        Investment Advisory

MJ Hudson’s Investment Advisory team operates under the MJ Hudson Allenbridge name.  MJ Hudson Allenbridge provide independent investment advisory and consulting services, due diligence, governance, investment research, introductions, and execution-only brokerage services (“Investment Advisory Services”).

The kind of information we hold about you

If you engage us to provide Investment Advisory Services to you, we may collect, store, and use the following categories of Personal Data about you:

1. name;
2. postal address;
3. email address;
4. telephone number;
5. IP address;
6. date of birth/age;
7. job title;
8. company;
9. information about your professional and educational background and experience;
10. copy of your passports or other form of photographic ID;
11. corporate bank details;
12. criminal convictions;
13. whether you are a politically exposed persons;
14. whether you are on a sanctioned or watch list;
15. other information about you which you or other controllers of your personal data may provide to us in the course of us providing Investment Advisory Services.

In certain circumstances, the information we hold about you may include special category data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions

How your data is collected

We collect your data from the following sources:

1. directly from you during our client inception and on-boarding and our ongoing client relationship;
2. background check providers, from which we collect the following categories of data:
3. whether you are on a sanctioned or watch list;
4. details of criminal convictions; and

• whether you are a politically exposed persons

1. Companies House or other local public company registers, as applicable; and
2. your employer or agent;
3. references you have provided;
4. administrative sources such as receiving agents and custodians (if we provide you with execution only services;
5. proprietary database system, such as AdvantageIQ;
6. other business contacts who may refer you to us; and
7. third party/publicly available sources such as Smart Search AML, Blue Book, Bloomberg, Alternative Soft, your company’s website, trade websites and LinkedIn.

What we use your data for

We use your data for the following purposes:

1. in order to provide Investment Advisory Services pursuant to our contract with you;
2. in order to comply with our legal obligations such as to carry out anti-money laundering checks on our clients;
3. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see here for further details of how we use your data for marketing purposes; and
4. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements.

Who we share your data with

We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so. Details of the organisations we may share your data with are set out below:

1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this Policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of Applicable Local Laws or the GDPR, as applicable.

2. Your other advisors or service providers

It is sometimes necessary to share information, including your data, with third parties who are providing you with advice or other professional services ancillary to the Investment Advisory Services we are providing.  For example, if we are providing Investment Advisory Services to a pension fund, we may share certain information with the trustees of the fund, in order to provide our services or to permit them to provide theirs. We may also share the results of our reports (which may contain personal data) with certain third parties with whom you (or your company) authorise us to share such data.

3. Consultants and our Senior Advisors

We use consultants and Senior Advisors to provide certain of our services to our Investment Advisory clients. These consultants and Senior Advisors are not employees of MJ Hudson and are, therefore, considered third party processors for the purposes of the GDPR and/or Applicable Local Laws but they are subject to the same policy and procedure requirements as all of our staff in relation to how they handle personal data.

4. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes.  All of our service providers have entered or will shortly enter into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request

5. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data.  Our auditors are subject to strict confidentiality provisions in their contract with us.

6. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data  where such disclosure is necessary for the establishment, exercise or defence of legal claims.

In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:

1. where you have given your consent;
2. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
3. if we sell our company, go out of business, or merge with another company.

International Transfers

In certain circumstances, we may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR.  Details of the circumstances and mechanisms in place to ensure compliance are set out below:

1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws.

We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All Personal Data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are stored within EU based Microsoft servers.

2. Your other advisors

In some instances, you may have instructed other lawyers or advisors who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

3. Sharepoint in the United States

We use Sharepoint to store some of our client files and this may include your data.  Sharepoint is operated by Microsoft in the United States.  Microsoft participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Transfers of personal data to Sharepoint in the United States are therefore made subject to appropriate safeguards in accordance with the Applicable Local Laws and the GDPR. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for your data.

To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website:

https://www.privacyshield.gov/welcome.

Microsoft’s privacy policy can be viewed here.

   vi.        Data & Analytics

MJ Hudson provides an independent, empirical view on the strengths and weaknesses of our clients, their service providers and their investment opportunities (Data & Analytics).

Data & Analytics Services are provided by Amaces Limited, Amaces Inc and MJ Hudson Allenbridge.

We help our clients benchmark, select and monitor service providers and investment products, with data that is unavailable elsewhere and using techniques and analysis tools that we have developed, in-house, over many years.

Our Benchmarking & Consulting team works with some of the world’s largest asset owners and asset managers to benchmark their custodian banks and FX providers in terms of the fees they charge and also the services they provide.

In the Venture & Tax-Advantaged Investments market, we provide independent reviews of investment managers and their products. We do this for wealth managers, financial advisers and private investors. Beyond these focus areas, we also conduct perception studies and other kinds of market research.

The kind of information we hold about you

If you engage us to provide Data & Analytics Services to you, we may collect, store, and use the following categories of personal data about you:

1. name;
2. business postal address;
3. business email address;
4. telephone number;
5. Username;
6. Job Title;
7. bank details;
8. IP addresses.

Note that, in certain circumstances, the information we hold about you may include Special Category Data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions

How your data is collected

We collect your data directly from you during our client inception and on-boarding process and our ongoing client relationship.

What we use your data for

We use your data for the following purposes:

1. in order to provide Data & Analytics Services pursuant to our contract with you;
2. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see here for further details of how we use your data for marketing purposes; and
3. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements.

Who we share your data with

We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so.  Details of the organisations we may share your data with are set out below:

1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this Policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of Applicable Local Laws or the GDPR, as applicable.

2. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes.  All of our service providers have entered or will shortly enter into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request.

3. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data.  Our auditors are subject to strict confidentiality provisions in their contract with us.

4. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data  where such disclosure is necessary for the establishment, exercise or defence of legal claims.

5. In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:
6. where you have given your consent;
7. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
8. if we sell our company, go out of business, or merge with another company.

International Transfers

We may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR. Details of the circumstances and mechanisms in place to ensure compliance are set out below:

1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws.

We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All Personal Data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are stored on EU based Microsoft servers.

2. Your other advisors

In some instances, you may have instructed other advisors or service providers who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

3. SurveyMonkey in the United States

We use SurveyMonkey to carry out our online surveys.  SurveyMonkey stores survey data on its servers in the United States.  If you participate in one of our surveys, your personal data will be transferred to the United States.  SurveyMonkey Inc. (and its subsidiary company, Infinity Box Inc.) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to SurveyMonkey in the United are therefore made subject to appropriate safeguards in accordance with the GDPR and Applicable Local Laws. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for your data. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome.  SurveyMonkey’s privacy policy can be viewed here.

We may also transfer your data to such other service providers as may be necessary for the execution of the work you have contracted us to perform. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

      vii.        ESG Reporting & Consulting

MJ Hudson Spring B.V are experts in the integration of environmental, social and governance factors into investment strategy and activity. The team help businesses, fund managers and their investors mitigate risks and create value (ESG reporting and Consulting).

The kind of information we hold about you

If you engage us to provide ESG Reporting and Consulting Services to you, we may collect, store, and use the following categories of personal data about you

1. name;
2. business postal address;
3. business email address;
4. telephone number;
5. job title;
6. bank details.

How your data is collected

We collect your data directly from you during our client inception and on-boarding process and our ongoing client relationship.

What we use your data for

We use your data for the following purposes:

1. in order to provide ESG Reporting and Consulting Services pursuant to our contract with you and
2. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements.

Who we share your data with

We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so.  Details of the organisations we may share your data with are set out below:

1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this Policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of Applicable Local Laws or the GDPR, as applicable.

2. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes.  All of our service providers have entered or will shortly enter into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request.

3. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data.  Our auditors are subject to strict confidentiality provisions in their contract with us.

4. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data where such disclosure is necessary for the establishment, exercise or defence of legal claims.

5. In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:
   a. where you have given your consent;
   b. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
   c. if we sell our company, go out of business, or merge with another company.

International Transfers

We may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR. Details of the circumstances and mechanisms in place to ensure compliance are set out below:

1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws.

We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All Personal Data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are stored on EU based Microsoft servers.

2. Your other advisors

In some instances, you may have instructed other advisors or service providers who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

3. SurveyMonkey in the United States

We use SurveyMonkey to carry out our online surveys.  SurveyMonkey stores survey data on its servers in the United States.  If you participate in one of our surveys, your personal data will be transferred to the United States.  SurveyMonkey Inc. (and its subsidiary company, Infinity Box Inc.) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to SurveyMonkey in the United are therefore made subject to appropriate safeguards in accordance with the GDPR and Applicable Local Laws. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for your data. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome.  SurveyMonkey’s privacy policy can be viewed here.

We may also transfer your data to such other service providers as may be necessary for the execution of the work you have contracted us to perform. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

The kind of information we hold about you 

In connection with your job application, we will collect, store, and use the following categories of personal information about you:

1. the information you have provided to us in your curriculum vitae (CV) and covering letter;
2. the information you have provided on our application form, including name, title, address, telephone number, personal email address, employment history, education history, qualifications, and employment references;
3. any information you provide to us during an interview;
4. the results of any tests we ask you to undertake and
5. documentation relating to your right to work in the jurisdiction in which the job is located including a copy of your passport or driving licence.

We may also collect, store and use the following special categories of more sensitive personal information:

1. Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
2. Information about your health, including any medical condition, health and sickness records.
3. Information about criminal convictions and offences.

How is your personal information collected? 

We collect data about you in a variety of ways including directly from you by way of the information you include in your CV or job application cover letter and notes made by our recruitment team during a recruitment interview. Other details may be collected directly from you in the form of official documentation such as your driving licence, passport or other right to work evidence. In some cases, we will collect data about you indirectly from the following sources:

1. recruitment agencies;
2. your named referees;
3. background check providers; and
4. credit reference agencies.
5. Personal data is kept in personnel files or within the Company’s HR and IT systems.

How we will use information about you 

We will use the personal information we collect about you to:

1. assess your skills, qualifications, and suitability for the role you are applying to;
2. carry out background and reference checks, where applicable;
3. communicate with you about the recruitment process;
4. keep records related to our hiring processes; and
5. comply with legal or regulatory requirements.

Once you submit your CV and covering letter and/or application form and test (where applicable) we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the role. If we decide to offer you the role, we will then take up references and/or carry out a criminal record checks.  We may also carry out other checks if necessary before confirming your appointment.

Why we process your data

The law on data protection allows us to process your data for certain reasons only:

1. in order to perform a contract that we are party to;
2. in order to carry out legally required duties;
3. in order for us to carry out our legitimate interests;
4. to protect your interests; and
5. where something is done in the public interest.

We need to collect your personal data to ensure we are complying with legal requirements such as:

1. carrying out checks in relation to your right to work in the UK and
2. making reasonable adjustments for disabled employees.

We also process personal data so that we can carry out activities which are in our legitimate interests.

We have set these out below:

1. making decisions about who to offer employment to;
2. making decisions about salary and other benefits;
3. assessing training needs; and
4. dealing with legal claims made against us.

If you are unsuccessful in obtaining employment, we may seek your consent to retain your personal data in case other suitable job vacancies arise within MJ Hudson for which we think you may wish to apply. You are free to withhold your consent to this and there will be no consequences for withholding consent.

How we use particularly sensitive personal information  

We will use your particularly sensitive personal information in the following ways:

1. we will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview;
2. we may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, trade union membership, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
3. genetic and biometric data for job applicants on a Tier 2 visa.

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.

Information about criminal convictions 

We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. We will collect information about your criminal convictions history if we make you a job offer role (conditional on checks and any other conditions, such as references, being satisfactory). We are required to carry out a criminal records check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. In particular we are legally required by the Solicitors Regulatory Authority and the Financial Conduct Authority to carry out criminal record checks for certain roles within the Company.

We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.

If you do not provide your data to us

One of the reasons for processing your data is to allow us to carry out an effective recruitment process. Whilst you are under no obligation to provide us with your data, we may not able to process, or continue with (as appropriate), your application.

Automated decision-making 

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making as we do not use automated decision-making.

Data sharing 

Why might we share your personal information with third parties?

We will only share your personal information with the following third parties for the purposes of processing your application:

1. Background check providers;
2. Other entities within the MJ Hudson group of entities;
3. Recruitment agencies
4. Hosted software providers (our HR system is hosted by an external provider, for example);
5. Contractors/consultants providing HR services to MJ Hudson
6. Third party service providers (for example, IT services).

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

International transfers

We may transfer the personal data we collect about you to the following countries outside the EU during the course of the application process:

1. Jersey

This is where our IT servers are located and your personal data will, therefore, be stored and processed in Jersey. There is an adequacy decision by the European Commission in respect of Jersey. This means that it is deemed to provide an adequate level of protection for your personal data.

2. Guernsey

We have group entities in Guernsey and, whilst technical and organisational measures are in place to ensure that employee personal data is not accessed by anyone who does not strictly need it, it is possible that your personal data will be transferred to Guernsey (for example, if you are sent on secondment there).  There is an ‘adequacy decision’ in place from the European Commission in respect of Guernsey, which means that it is deemed to provide an adequate level of protection for your personal data.

3. Switzerland

We have group entities in Switzerland, whilst technical and organisational measures are in place to ensure that employee personal data is not accessed by anyone who does not strictly need it, it is possible that your personal data will be transferred to Switzerland (for example, if you are sent on secondment there).  There is an ‘adequacy decision’ in place from the European Commission in respect of Switzerland, which means that it is deemed to provide an adequate level of protection for your personal data.

4. United States and Canada

We have Group operations in the United States and Canada. Also, some of our third-party service providers, such as NetVoyage Corporation who operate NetDocuments and Microsoft Corporation who operate Sharepoint, are located in the United States.  All transfers of personal data to service providers in the Unites States are made on the basis of adequate safeguards in accordance with the law, either in the form of the ‘EU-US Privacy Shield’ or the Standard Contractual Clauses approved by the European Commission.

To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome.

How long will you use my information for?

We will retain your personal information for the period of time required in order to assess your application plus a further period of 9 (nine) months after the position for which you applied has been filled. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.

If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period on that basis.

If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy notice for employees, which will be provided to you following signature of your employment contract (or other contract, as relevant).

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us using the contact details at the beginning of this policy.

This privacy notice applies to current and former employees, workers, contractors, and vacation placements/interns. It explains how we will process your personal data. This notice does not form part of any contract of employment or other contract to provide services.

What information do we hold?

We hold a range of personal data about you, some of which you provide to us directly and some of which we receive from third parties.

Here are some examples of types of personal data we hold:

1. Personal details such as name, title, date of birth, gender, martial status and dependents
2. Contact details such as address, telephone number and personal email address
3. Next of kin and emergency contact information
4. National Insurance Number
5. Bank account details, payroll details and tax status information
6. Salary, annual leave, pension and benefits information
7. Location of employment or workplace
8. Recruitment information (including copies of qualifications, right to work documentation, driving license references and other information included in a CV or cover letter or as part of the application process)
9. Employment records (including job titles, work history, working hours, training records and professional memberships)
10. Immigration information (for example passport details and language proficiency)
11. Performance information
12. Disciplinary and grievance information
13. Swipe card records
14. Information about your use of our IT systems
15. ID card image and photographs

We may also collect, store and use the following special categories of more sensitive personal information:

1. Information about your race or ethnicity, disability, age, religious beliefs, gender reassignment, sexual orientation, political opinions, marriage and civil partnership and pregnancy and maternity
2. Trade union membership
3. Information about your health, including any medical condition, health and sickness records
4. Information about any criminal convictions, offences and barred list status

How do we use it and why?

We process your personal data to help us to effectively administer the employment relationship between you and MJ Hudson.

We only process data for specified purposes and if it is justified in accordance with data protection law.

Some processing of your personal data is justified on the basis of contractual necessity. In general this applies to personal data you provide to us at when you first start working for us and throughout the duration of your employment with MJ Hudson. It’s to manage the employment relationship and to monitor performance.

Without this information we wouldn’t be able to employ you and follow the law, assess your application, offer you work with MJ Hudson or make reasonable adjustments. Some personal data is also required to fulfil our legal obligations (for example, immigration or HMRC).

Further Information

Please refer to the detailed privacy notice set out in your employee handbook for further information on how we protect personal data relating to our employees and contractors.