Group Privacy Notice
1.0 About Us
1.1 This notice applies to the following members of the Capital International Group all of whom are registered with The Isle of Man Information Commissioner as data controllers and who for the purposes of this notice are referred to as ‘the Group’:
1.1.1. Capital International Limited
1.1.2. Capital Treasury Services Limited
1.1.4. Capital Select Limited
1.1.5. Mill Yard Services Limited
In addition this notice applies to following Group companies, based in South Africa, which are not registered with the Isle of Man Information Commission:
1.1.6. CILSA Investments (PTY) Ltd and
1.1.7. CILSA Solutions (PTY) Ltd and collectively referred to as ‘Group companies’
1.2. Capital International Limited, Capital Treasury Services Limited and Capital Financial Markets Limited are licensed by the Isle of Man Financial Services Authority.
- Capital International Limited is a Member of the London Stock Exchange.
- CILSA Investments (PTY) Ltd, trading as Capital International SA (FSP No 44894), and CILSA Solutions (PTY) Ltd (FSP No 6650) are licensed by the Financial Services Conduct Authority in South Africa as a Financial Services Provider.
1.3. Unless otherwise indicated our services will not be targeted at, nor will they be offered or available, to the residents of any particular country where their advertisement, offer or sale is restricted or prohibited by law or regulation or where a Group company is not appropriately licensed.
1.4 The Isle of Man Data Protection Act 2018 (DPA 2018) permitted the EU General Data Protection Regulation (GDPR) and EU Law Enforcement Directive (LED) to be applied to the Isle of Man by ‘Order’ and brought into effect through ‘Implementing Regulations’.
1.5 The Data Protection Regulations came into effect on 1 August 2018 with only a few transitional arrangements and savings.
1.6 In relation to relevant South African data protection legislation, it should be noted that certain sections of the Protection of Personal Information Act came into effect on 1 July 2020 and that all processing of personal information must conform to POPIA by 1 July 2021. Specifically sections 2 to 38 (application provisions; conditions for lawfully processing personal information; and exemptions); sections 55 to 109 (the duties and responsibilities of the information officer and deputies; prior authorisation; codes of conduct; supervision; the rights of data subjects regarding direct marketing by means of unsolicited electronic communications, directories and automated decision making; enforcement; and offences and penalties); section 111 (fees) and section 114 (1), (2) and (3) (transitional arrangements).
To this end, for any further clarification please refer to the local Compliance Officer or the Group’s Data Protection Officer (“DPO”).
1.7. We, the Group, are committed to protecting your privacy and personal data. This Privacy Notice details the steps we take to protect your personal data. It describes the personal data that we collect, the purposes for which we use such information, and your choices regarding our use of it.
1.8. In our capacity as data controller, we will securely store and process your personal data which you provide to us from time to time.
2.1 For the purposes of this Privacy Notice the following terms shall be thus defined:
- “Personal Data” shall be defined as any information or data relating to you as data subject;
- “Data Subject” is an identified or identifiable person to whom personal data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural and social identity;
- “Data Controller” shall be defined as a person who determines the purposes for which and the manner in which any personal data are, or are to be processed
3.0 Changes to this Privacy Notice
3.1 We reserve the right to modify this Notice from time to time in order that it accurately reflects the regulatory environment and our data collection principles. When material changes are made to this Notice, we will update the version date and post the revised Privacy Notice on our website.
4.0 Collection of data
4.1 We will require documentation which in respect of any person who opens an account with a Group company (the account holder), settlor, trustee or beneficial owner verifies the identity, the source of wealth and the source of funds of such account holder settlor, trustee or beneficial owner together with the authority of such person to act in relation to the account.
We may require other personal data in order to comply with our obligations under relevant legislation concerning anti money-laundering, countering the financing of terrorism, bribery & corruption, prevention of human trafficking / slavery, tax evasion or tax reporting legislation as updated from time to time. In this regard we may collect some or all of the following personal data:
a) Information you give us; we receive and store any information you enter on our website or give us in any other way; this may include but is not limited to:
- Basic personal information; including your name, residential address, date of birth and contact details;
- Financial information, including account and transactional information and history;
- information about your family, lifestyle and social circumstances (such as dependents, marital status, next of kin and contact details);
- information about your financial circumstances, including personal wealth, assets and liabilities, proof of income and expenditure, investment needs and goals;
- education and employment information;
- goods and services provided;
- visual images and personal appearance (such as copies of passports or CCTV images);
- any communication you have with us; and
- any other data that you may submit to us via the site from time-to-time;
- sensitive personal data as defined in the regulations.
You are not required to provide any of this information, but if you do not, we may not be able to provide you the requested services/products.
b) Publicly available sources
Information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines.
c) Automatic information
We receive and store certain types of information whenever you interact with the Group. For example, like many websites, we use ‘cookies’ and we obtain certain types of information when your web browser accesses the Group website.
- This will include but not be limited to: the IP address used to connect your computer to the Internet; login; e-mail address; computer and connection information such as browser type and version; time zone setting; browser plug-in types and versions and operating systems, online profile and social media information and activity, based on your interaction with us and our websites and applications, including for example, your banking profile and login information, Internet Protocol (IP) address, smart device information, location coordinates, online and mobile banking security authentication, mobile phone network information, searches, site visits and spending patterns, your preferences in relation to the site and our services/products.
- We may use browser data such as cookies, Flash cookies, or similar data on certain parts of our website for fraud prevention and other purposes.
- We may also collect technical information to help us identify your device for fraud prevention and diagnostic purposes.
- Most mobile devices provide users with the ability to disable location services. Most likely, these controls are located in the device’s settings menu. If you have questions about how to disable your device’s location services, we recommend you contact your mobile service carrier or your device manufacturer.
e) Co-Branded & Joint Offerings
- We may from time to time offer joint or co-branded products and services.
f) Information You Can Access
- Examples of information you can access easily include: personally identifiable information (including name, e-mail, password, communications and personalised advertising preferences and address book); payment settings (including bank and credit-card information); e-mail notification settings;
5.0 How is your personal data used?
5.1 Personal data is processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights under the regulations at all times. Please note that if you do not agree to provide us with any requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you.
5.2 Our use of your personal data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your personal data (e.g. by subscribing to marketing emails), or because it is in our legitimate interests. Specifically, we may use your data for the following purposes:
A Contractual necessity
We may process your information during the account opening process, if you decide to use our products or services, or to perform our obligations under any contract entered into. This may include processing to:
- assess and process applications for products or services;
- provide and administer those products and services during your relationship with a Group company, including opening, setting up or closing your accounts or products, collecting and issuing all necessary documentation, executing your instructions, processing transactions, including sale and purchase of investments, transferring money between accounts, resolving any queries or discrepancies and administering any changes. Calls to our offices may be recorded and monitored for these and training purposes.
- manage and maintain our relationships with you and for ongoing customer service. This may involve sharing your information with other Group companies to improve the availability of our services.
- communicate with you about your account(s) or the products and services you receive from us.
B Legal Obligation
When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you. This may include processing to:
- confirm your identity;
- perform checks and monitor transactions and location data for the purpose of preventing and detecting crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. This may require us to process information about criminal convictions and offences, to investigate and gather intelligence on suspected financial crimes, fraud and threats and to share data with law enforcement and regulatory bodies;
- share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;
- deliver mandatory communications to customers or communicate updates to product and service terms and condition;
- investigate and resolve complaints;
- conduct investigations into breaches of conduct and corporate policies by our employees;
- manage contentious regulatory matters, investigations and litigation;
- perform assessments and analyse customer data for the purposes of managing, improving and fixing data quality;
- provide assurance that Group companies have effective processes to identify, manage, monitor and report the risks they are or might be exposed to;
- investigate and report on incidents or emergencies on any Group company properties and premises;
- coordinate responses to business disrupting incidents and to ensure facilities, systems and people are available to continue providing services; and
- monitor dealings to prevent market abuse;
C Legitimate interest and purposes of the Group
- to manage our risk and determine what products and services we can offer and the terms of those products and services;
- to carry out financial risk assessments and for risk reporting and risk management;
- to protect our business by preventing financial crime or from being used to facilitate financial crime;
- to send marketing to include recommending services or products which may be of interest to you (but only where you have consented to be contacted for such purposes);
- to develop, test, monitor and review the performance of products and services, internal systems and security arrangements offered by the Group;
- to assess the quality of services to clients;
- to provide staff training;
- to analyse your use of our site and gather feedback to enable us to continually improve our site and your user experience;
- to provide you with access to our corporate literature and information about our services and products;
- to develop our offers and the layout of our website to ensure that our services are as useful and enjoyable as possible;
- to send out news updates which you have signed up for;
- to prevent or detect fraud or abuse and
- to enable third parties to carry out technical, logistical and other functions on our behalf.
6.0 With whom is your personal data shared?
6.1 In order to provide services to you, Group companies may be required to share personal data. This will be subject to the conditions as set out below.
6.2 Third Party Service Providers: We employ other companies and individuals to perform functions on our behalf and for the provision of the services to you. We may supply information needed to perform their functions, but may not use it for other purposes. Further, they must process the personal information in accordance with this Privacy Notice and as permitted by applicable data protection laws.
6.3 When specifically authorised by you: If you ask us to, we will share information with any third party that provides you with investment advice or services. If you ask a third party provider to provide such services, you are allowing that third party to access information relating to your account. We are not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.
6.4 We may occasionally be required by law, court order or governmental authority to disclose certain types of personal data. Examples of the type of situation where this would occur would be:
- where we are required by law and by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies around the world;
- where we have to defend ourselves legally.
6.5 We may disclose anonymised data (such as aggregated statistics) about the users of our site in order to describe our web users, traffic patterns and other site information to prospective partners, investors and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifying information.
6.6 The information we hold on you will be used and stored principally in either the Isle of Man or South Africa depending on which entity is providing services to you. However, we may transfer your data (including to other Group companies) on the basis that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.
7.0 The requirements of Data Protection Laws
7.1 We regard the lawful and correct treatment of your personal data by us as very important to our successful operation, and to maintaining confidence between us and our users. We ensure that Group Companies treat personal data lawfully and correctly. To this end we fully endorse and adhere to the data protection principles set out in legislation.
In particular, without your consent or first amending this Privacy Notice to reflect any change in our usage of personal data, all Group companies will apply the following concepts:
- we will ensure that we will not use your personal data for any purpose that is incompatible with this Privacy Notice;
- we will ensure that any processing of your personal data is fair, transparent and sufficient for the uses as set out above;
- we will endeavour to keep your personal data up-to-date;
- we will not retain your personal data longer than necessary unless required to do so by law;
- we will implement appropriate technical and organizational measures to enable inaccuracies to be corrected and minimize the risk of errors;
- Secure personal data in a way that is proportionate to the risk to the interest and right of you as data subject;
- we will operate appropriate technical and organisational processes to protect your personal data against unauthorized or unlawful access or processing and against accidental loss or destruction. The detailed measures we take are described elsewhere in this Privacy Notice;
- we will not transfer your personal data to a country outside the European Economic Area unless sufficient safeguards have been established to protect your personal data to a standard at least equivalent to those, which apply within the EEA.
8.0 Your rights
8.1 We will look to ensure that all of your rights as defined in the Isle of Man data protection legislation in place from time to time, to include but not limited to the following:
- Right to be informed;
- Right to erasure – but please note that we may have to suspend the operation of your account with us;
- Right to data subject access;
- Right to restrict processing that is likely to cause or is causing damage or distress;
- Right to data portability – that is you have a right at any time to receive a portable copy of your personal data that we hold;
- Right of rectification of inaccurate information;
- Right to object to direct marketing;
- Rights relating to the use of automated decision making and profiling systems based on personal data;
- Right to apply/remove consent for processing of personal data;
8.2 If you do not want to receive email or other mail from us, or for us to use personal information that we gather, please contact customer services in the first instance at the address below.
8.3 If you contact us in relation to your rights we will do our best to accommodate your request or objection.
8.4 You can help us to maintain the accuracy of your information by notifying us of any change at firstname.lastname@example.org.
8.5 If you are unsure about your rights or are concerned about how your personal data may be processed you should contact the Information Commission’s Office – either by telephone +44 1624 693260 or email@example.com.
9.1 We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input.
9.2 We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable customer information. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you.
9.3 As a condition of employment, employees of all Group entities are required to follow all applicable laws and regulations, including those in relation to data protection law. Unauthorised use or disclosure of confidential client information by a Group employee is prohibited and may result in disciplinary measures.
9.4 It is important for you to protect against unauthorised access to your password and to your computer.
9.5 Be sure to sign off when you finish using a shared computer.
10.1 We will hold your personal data for so long as we are providing services to you and in accordance with financial services regulation and the data protection regulations in place in the Isle of Man from time to time. We will endeavour to delete any personal data sooner where it is not necessary for us to hold this.
10.2 In addition, personal data will also be retained in line with anti money laundering and countering the financing of terrorism requirements. Please be aware that we may hold personal data for longer if we are under a legal obligation to do so or where we have a reasonable belief that it is necessary to do so for business or legal reasons.
11.0 Links to other websites
Our site may contain links to other websites. While we try to link only to websites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other websites.
12.0 How to contact us
If you have questions regarding this notice, would like to enforce your rights set out above (at section 8) or our handling of your personal data, please contact our Data Protection Officer:
In writing at Capital House Circular Road Douglas Isle of Man IM1 1AG.
by email at dpo@capital–iom.com.
We will promptly address your concern and strive to reach a satisfactory resolution.
Last updated - 30th July 2020