Group Privacy Policy

Group Privacy Policy

MJH Group Holdings Limited, its subsidiaries and associated businesses (“MJ Hudson” and “we”) is committed to protecting your personal data and informing you of your rights in relation to that data.

MJ Hudson is registered as a data controller under the Data Protections Act 1998. Our registration details can be found via the Information Commissioner’s Office Search Register link here.

One of our responsibilities as a data controller is to be transparent in our processing of your personal data and to tell you about the different ways in which we collect and use your personal data. MJ Hudson will process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and the Data Protection (Jersey) Law 2018 and Data Protection (Bailiwick of Guernsey) Law, 2017 (Applicable Local Laws) this privacy notice is issued in accordance with the GDPR Articles 13 and 14.

We may update our privacy policy at any time. The current version of our privacy policy can be found below, and we encourage you to check here regularly to review any changes.

For the purposes of the GDPR and Applicable Local Laws, MJ Hudson is the controller of your data.  If you have any queries regarding this policy or complaints about our use of your data, please contact the data processing team at data-processing@mjhudson.com or at the address below and we will do our best to deal with your complaint or query as soon as possible.

MJ Hudson
8 Old Jewry,
London
EC2R 8DN
FAO: The Data Privacy Manager

Personal data is defined in the GDPR as information relating to a live, identifiable individual. It can also include special categories of data, which is information about your racial or ethic origin, religious or other beliefs, physical or mental health, the processing of which is subject to strict requirements. Similarly information about criminal convictions and offences is also subject to strict requirements. “processing” means any operation which we carry out using your personal data, for example obtaining, storing, transferring or deleting.

We only process data for specified purposes and if it is justified in accordance with data protection law. Details of each processing purpose and its legal basis are given within each privacy notice listed below – please consult the notice relevant to your relationship with MJ Hudson.

Unless specific time periods are given in the relevant privacy notice, your data will be kept in line with our data retention policy.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

If you require more detailed advice on how long your data will be kept for, please contact the data processing team.

You have the following rights in relation to your personal data processed by us:

 

We will ensure you have sufficient information to ensure that you’re happy about how and why we’re handling your personal data, and that you know how to enforce your rights.

We will provide information in the form of privacy notices. You can read all of our privacy notices online.

You have a right to see all the information that we hold about you. Where data is held electronically in a structured form, such as in a database, you have a right to receive that data in a common electronic format that allows you to supply that data to a third party – this is called “data portability”.

To make a request for your own information please contact the data processing team.

If we are holding data about you that is incorrect, you have the right to have it corrected.

Please email any related request to the data processing team.

You can ask that we delete your data and where this is appropriate we will take reasonable steps to do so.

Please email any related request to the data processing team.

If you think there is a problem with the accuracy of the data we hold about you, or you are of the opinion that we are using data about you unlawfully, you can request that any current processing is suspended until a resolution is agreed.

Please email any related request to the data processing team.

You have a right to opt out of direct marketing.

You have a right to object to how we use your data if we do so on the basis of “legitimate interests” or “in the performance of a task in the public interest” or “exercise of official authority” (a privacy notice will clearly state this to you if this is the case). Unless we can show a compelling case why our use of your data is justified, we have to stop using your data in the way that you’ve objected to.

Please email any related request to the data processing team.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making as we do not use automated decision-making.

If we are relying on your consent to process your data, you may withdraw your consent at any time.

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the data processing team. Once we have received notification that you have withdrawn your consent, we consider your request and where applicable, will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

For more information on your rights, if you wish to exercise any right, for any queries you may have or if you wish to make a complaint, please contact our Data Privacy Manager.

You have a right to complain to the supervisory authority about the way in which we process your personal data. You may lodge a complaint with any supervisory authority regarding our processing of your personal data.  The relevant supervisory authorities are set out below:

  1. United Kingdom – the Information Commissioner’s Office whose contact details can be found on their website which can be viewed here – https://ico.org.uk/
  2. Jersey – the Office of the Information Commissioner whose contact details can be found on their website which can be viewed here – https://oicjersey.org/
  3. Guernsey – the Office of the Guernsey Data Protection Commissioner whose contact details can be found on their website which can be viewed here – https://dataci.gg/
  4. Luxembourg – the National Commission for Data whose contact details can be found on their website which can be viewed here – https://cnpd.public.lu/en.html.
  5. Switzerland – the Federal Data Protection and Information Commissioner whose contact details can be found on their website which can be viewed here – https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
  6. The USA – There is no single national authority. The Federal Trade Commission (FTC) has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas and to take enforcement action to protect consumers against unfair or deceptive trade practices. The FTC’s contact details can be found on their website which can be viewed here – https://www.ftc.gov/contact

Where, in relation to any personal data, MJ Hudson is the data processor under the terms of the agreement, the following provisions will apply. For the purposes of Article 28.3 of the GDPR the subject matter of the processing is as follows:

  • the personal data used in the processing will be based on the agreement between MJ Hudson and the controller. For example: forename(s), surname, email address, password, IP address, client instructions.
  • the duration of the processing will be the duration of the agreement (as may be extended from time to time);
  • the nature and purpose of the processing will be limited to the agreement between the parties.

MJ Hudson shall:

  1. process the personal data only in accordance with the data controllers instructions, including where relevant for transfers of personal data outside the European Economic Area (EEA) (unless required to do so by European Union, Member State and/or UK law to which MJ Hudson is subject, in which case MJ Hudson shall inform the data controller of that legal requirement before processing unless prohibited by that law);
  2. ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. take all measures required pursuant to Article 32 of the GDPR;
  4. appoint sub-processors only in accordance with Article 28.2 and Article 28.4 of the GDPR;
  5. taking into account the nature of the processing, assist the data controller by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the data controllers obligation to respond to requests for exercising a data subject’s rights laid down in Chapter III of the GDPR;
  6. taking into account the nature of the processing and the information available to MJ Hudson, assist the data controller in ensuring compliance with the data controllers obligations to:
  7. keep personal data secure (Article 32 GDPR);
  8. notify personal data breaches to the supervisory authority (Article 33 GDPR);
  • advise data subjects when there has been a personal data breach (Article 34 GDPR);
  1. carry out data protection impact assessments (Article 35 GDPR); and
  2. consult with the supervisory authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 36 GDPR);
  3. upon the data controllers request, delete or return all personal data to the data controller upon termination of the agreement, save to the extent that European Union or EU member state law requires retention of the personal data;
  4. make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in these terms and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controllers
  5. co-operate on request, with the Information Commissioner’s Office (or any successor body thereto or any relevant supervisory authority) in the performance of its tasks; and
  6. notify the data controller without undue delay after becoming aware of a personal data breach.

We shall be liable in respect of any breach of our obligations under the agreement and/or data protection legislation with respect to the processing of personal data other than where such breach is caused by or results from an act or omission by the data controller. We shall fully and effectively indemnify the data controller for any claim brought by a data subject and/or any competent authority or body arising from any action or omission by us with respect to the processing of their personal data other than to the extent that such action or omission resulted from compliance with the data controllers instructions.

Your personal data is securely stored. Our emails are stored on a Microsoft server within the EU. All other personal data is stored in our Jersey based servers.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and securely.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used or accessed without authorisation. In addition, we restrict access to personal data to those employees, agents, contractors, consultants and other third parties who have a business need to access the personal data.  They will only process personal data on our instructions and they are also subject to a duty of confidentiality.

We have in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally obliged to do so.

This privacy policy and notices do not form, and should in no way be construed as, a contract and no contractual rights or causes of action shall arise in relation to or consequence of the content of this notice.

We keep our privacy policy under constant review and may change it from time to time to reflect our practices or to remain compliant with relevant legislation. We will notify you of any material changes to our privacy policy, which may be via a notification on our Websites. Your continued use of our services, following the posting of changes to these terms, will mean you accept these changes.

This privacy policy was last updated in July 2019. Previous versions of the privacy policy can be provided on request from the data processing team.

Please consult the privacy notice below that best fits your relationship with MJ Hudson.  

This privacy notice demonstrates how we handle the personal data you provide to us, or which we collect about you, in the following ways:

  1. by you submitting information to us through our websites mjhudson.com www.mjhudson-allenbridge.com or https://mjhudson-amaces.com (Websites) for example, when you subscribe to our newsletter (Website user data);
  2. by you submitting information to us when you complete one of our surveys (Survey data);
  3. through your use of our other marketing resources, such as events or webinars which we run or sponsor (Marketing data);
  4. from what we learn about you from your visit to our Websites (Website background data);
  5. by you otherwise interacting with us a prospective, current or former client or customer, (for example, where you provide your business card to us) other than in connection with ongoing legal services we are providing to you or your organisation (Prospect data);
  6. by you providing your details to us, or your employer providing your details to us, in connection with a service you or your employer provides to MJ Hudson (Supplier data); and/or
  7. by you contacting us or otherwise providing your personal data to us (Other data).

This statement does not apply to:

  1. the collection and processing of personal data in the course of our providing legal or other services to our clients. For information about privacy in the context of services provided by us to our clients, please contact the relevant MJ Hudson partner or person responsible for your matter.
  2. the collection and processing of personal data about our employees or contractors. For information about privacy in the context of doing work for MJ Hudson, please see the employee handbook.
  3. the collection and processing of personal data in relation to job candidates or applications for roles advertised on our Websites. For information about privacy in this context, click here.

What we use your data for The table below sets out the purposes for which we may process your data and the legal basis for the processing:

Data Purpose Legal Basis
Website user data Marketing data Prospect data Supplier data Other data To keep you informed of any activities undertaken by us which we believe may be of interest to you and this use may include sending you email and postal marketing from time to time or requests to respond to a survey Consent – this will be requested either when you submit your data to us or, if we have received your data indirectly, by way of an email sent prior to us sending you any marketing communications.
Website user data Website background data Website analytic purposes.  For further details on the technology we use in order to analyse our Websites’ performance, please see our cookies policy here. Consent – this will be obtained when you click on the banner at the top of our Websites to accept certain cookies.   Legitimate interest of MJ Hudson (see our cookies policy for further information)
Website user data Marketing data Prospect data To provide you with the newsletter(s) or information you have requested Performance of a contract
Your data To respond to requests for information from regulated bodies or government agencies Compliance with a legal obligation
Website user data Prospect data To respond to an enquiry you have submitted Legitimate interest of MJ Hudson – it may be necessary for us to process your data in order to reply or respond to your enquiry
Survey data To gather and analyse information on the market for our internal purposes which may be used to publish a report Consent – this will be requested when you submit Survey Data to us.
Survey data To provide perception study services to our clients Performance of a contract
Supplier data To contact you regarding the service you or your employer is providing to us Performance of a contract

Who we share your data with Please note that we may on occasion be required to share your information with the following categories of recipients:

  1. MJ Hudson offices and branches and our associated firms. A full list of all of the entities within MJ Hudson group is listed on our Websites.
  2. Third parties who provide services on our behalf. For example, we use third parties such as Worldpay to provide payment processing services on our MJHudson-Allenbridge website. A full list of all our third party service providers is available on request.

We have taken steps to ensure that all such third party providers keep your data confidential and secure and only use it for the purposes that we have specified and have informed you of.  Our service providers are subject to data processing agreements which have been, or are in the process of being, updated to become, compliant with the requirements set out in the GDPR and/or Applicable Local Laws.  Further details regarding any third parties who are located outside the EEA are set out below. In relation to any other third parties, we will only disclose your information in the following circumstances:

  1. where you have given your consent;
  2. where we are required to do so by law or enforceable request by a regulatory body;
  3. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
  4. if we sell our business, go out of business, or merge with another company.

International Transfers In certain circumstances, we may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the GDPR and/or Applicable Local Laws.  Details of the circumstances and mechanisms in place to ensure compliance are set out below:

  1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws. We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All personal data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are stored securely within EU based Microsoft servers.

  1. Think Studio

We use Think Systems UK Limited (t/a Think Studio) to host and manage our Websites and to provide us with marketing automation services. Think Studio is based in the United Kingdom but use Campaign Monitor Pty Limited, located in Australia, to provide our marketing automation services.  If you have consented to us using Your data to send you marketing communications, Your data may be transferred to servers located in Australia.  Any such transfer outside the EEA is made in accordance with the Standard Contractual Clauses approved by the European Commission. Think Studio’s privacy policy can be viewed here and Campaign Monitor’s privacy policy can be viewed here.

  1. SurveyMonkey

We use SurveyMonkey to carry out our online surveys.  SurveyMonkey stores survey data on its servers in the United States.  SurveyMonkey Inc. (and its subsidiary company, Infinity Box Inc.) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to SurveyMonkey in the United States are therefore made subject to appropriate safeguards in accordance with the GDPR and/or Applicable Local Laws. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for Your data. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome.  SurveyMonkey’s privacy policy can be viewed here. Retention Period Your data will be stored for a period of 7 years from our latest interaction with you.  After this time it will be destroyed unless we have identified a lawful purpose(s) for which we need to keep your data longer or you request that we keep it for longer. If we feel that we may need to keep your data for longer than the lawful purposes for which it was obtained, we will contact you to obtain your consent to such longer period. Your rights in relation to your data Under the GDPR and/or Applicable Local Laws, you will have the following rights in relation to how we process your data:

  1. right to request access – you may obtain confirmation from us as to whether or not your data is being processed and, where that is the case, access to your data;
  2. right to rectification – you have the right to obtain rectification of inaccurate personal data we hold concerning you;
  3. right to erasure – you have the right to obtain the erasure of your data without undue delay in certain circumstances
  4. right to restriction of processing or to object to processing – you may require us to restrict the processing we carry out on your data in certain circumstances or to object to us processing your data;
  5. right to data portability – you have the right to receive your data in a structured, commonly used and machine-readable format;
  6. right to withdraw consent – where you have provided your consent to us processing your data (for example, for marketing purposes), you have the right to withdraw your consent at any time. This can be done by emailing data-processing@mjhudson.com at any time or by clicking the “unsubscribe” link on any marketing communications you receive from us;
  7. right to lodge a complaint – you may lodge a complaint with any supervisory authority. The relevant supervisory authorities are set out below and their websites contain the relevant contact details:
    • United Kingdom – the Information Commissioner’s Office whose contact details can be found on their website which can be viewed here – https://ico.org.uk/
    • Jersey – the Office of the Information Commissioner whose contact details can be found on their website which can be viewed here – https://oicjersey.org/
    • Guernsey – the Office of the Guernsey Data Protection Commissioner whose contact details can be found on their website which can be viewed here – https://dataci.gg/
    • Luxembourg – the National Commission for Data whose contact details can be found on their website which can be viewed here – https://cnpd.public.lu/en.html.
    • Switzerland – the Federal Data Protection and Information Commissioner whose contact details can be found on their website which can be viewed here – https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
    • The USA – There is no single national authority. The Federal Trade Commission (FTC) has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas and to take enforcement action to protect consumers against unfair or deceptive trade practices. The FTC’s contact details can be found on their website which can be viewed here – https://www.ftc.gov/contact

For further information on your rights, please see the relevant supervisory authority’s website. Additional Information There is no statutory or contractual requirement for you to provide your data to us and you are not obliged to do so.  Please note, however, that we may not be able to provide you with the services you have requested, such as to receive our newsletter, if you do not provide us with your contact details.  As set out in our cookies policy, our Websites may not be able to function fully if you do not agree to certain cookies being set on your computer. We do not undertake automated decision-making or profiling on your data. We keep our privacy policy under constant review and may change it from time to time to reflect our practices or to remain compliant with relevant legislation. We will notify you of any material changes to our privacy policy which may be via a notification on our Websites. Your continued interaction with us, following the posting of changes to these terms, will mean you accept these changes. Security of personal information We recognise the need to ensure that personal information gathered via our Websites or otherwise remains secure. Our site has security measures in place to protect against the loss, misuse and alteration of the personal information under our control. Our security measures include the use of a hardware firewall to prevent unauthorised access. You acknowledge that although we exercise adequate care and security there remains a risk that information transmitted over the Internet and stored by computer may be intercepted or accessed by an unauthorised third party. Surveys Participation in our surveys is entirely voluntary and, by submitting your responses, you are consenting to use collecting and processing your data in accordance with this privacy policy.  We will never share Survey Data with third parties (other than SurveyMonkey as set out above and all data is amalgamated and anonymised before the results of the survey are published). In most circumstances, we do not collect the name or contact details of our respondents and this is only provided voluntarily by the respondent if they wish to be entered into a prize draw, so that we can contact them with their prize. Some of your responses to our surveys may include personal data which falls within the definition of special category data for the purposes of the GDPR.  For example, your responses may reveal your ethnicity or race or your political opinions. Where a question requires an answer that may include special category data, we will request your explicit consent to our processing this data in accordance with this privacy notice, before you submit your response. Please note that in certain circumstances, we also undertake surveys on behalf of our clients. The personal data we collect through client surveys is held in accordance with this privacy policy and is anonymised prior to us creating our report.  We never share your survey data with our clients. Data obtained indirectly In some circumstances, we may obtain personal data about you from other sources.  This information may include your name, contact details and job title, which we obtain from third party sources such as Preqin, organisers of events we sponsor or other publicly available sources, such as your company’s website. Links Our websites contain links to other websites belonging to third parties. We do not control the privacy practices of these other websites. You should therefore make sure when you leave our websites that you have read that website’s privacy policy.

This privacy notice demonstrates how we handle the personal data we obtain about you in the course of us providing one of the following services to you:

  1. Legal Services;
  2. Fund Management Solutions;
  3. IR & Marketing;
  4. International Administration;
  5. Investment Advisory;
  6. Data & Analytics.

To help you find the information that is most relevant to your situation, we have separated this policy into sections applicable to each type of service we provide.  Please click on the heading above that is most appropriate for your situation to find out more regarding what we do with your data.  General information applicable to all of our services is set out below. This statement does not apply to:

  1. the collection and processing of personal data submitted through our Websites or from marketing events or provided to us by prospective, current or former customers, other than in the course of us providing legal or other services. For information about privacy in this context, click here.
  2. the collection and processing of personal data about our employees. For information about privacy in the context of doing work for MJ Hudson, please see the employee handbook.
  3. the collection and processing of personal data in relation to job candidates or applications for roles advertised on our websites. For information about privacy in this context, click here.

Where the client is a data controller and MJ Hudson is a data processor Where, in relation to any personal data, MJ Hudson is the data processor under the terms of the agreement, the following provisions will apply. For the purposes of Article 28.3 of the GDPR the subject matter of the processing is as follows:

  • the personal data used in the processing will be based on the agreement between MJ Hudson and the controller. For example: forename(s), surname, email address, password, IP address, client instructions.
  • the duration of the processing will be the duration of the agreement (as may be extended from time to time);
  • the nature and purpose of the processing will be limited to the agreement between the parties.

MJ Hudson shall:

  1. process the personal data only in accordance with the data controllers instructions, including where relevant for transfers of personal data outside the European Economic Area (EEA) (unless required to do so by European Union, Member State and/or UK law to which MJ Hudson is subject, in which case MJ Hudson shall inform the data controller of that legal requirement before processing unless prohibited by that law);
  2. ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. take all measures required pursuant to Article 32 of the GDPR;
  4. appoint sub-processors only in accordance with Article 28.2 and Article 28.4 of the GDPR;
  5. taking into account the nature of the processing, assist the data controller by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the data controllers obligation to respond to requests for exercising a data subject’s rights laid down in Chapter III of the GDPR;
  6. taking into account the nature of the processing and the information available to MJ Hudson, assist the data controller in ensuring compliance with the data controllers obligations to:
  7. keep personal data secure (Article 32 GDPR);
  8. notify personal data breaches to the Supervisory Authority (Article 33 GDPR);
  • advise data subjects when there has been a personal data breach (Article 34 GDPR);
  1. carry out data protection impact assessments (Article 35 GDPR); and
  2. consult with the supervisory authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 36 GDPR);
  3. upon the data controllers request, delete or return all personal data to the data controller upon termination of the Agreement, save to the extent that European Union or EU member state law requires retention of the personal data;
  4. make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in these terms and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controllers;
  5. co-operate on request, with the Information Commissioner’s Office (or any successor body thereto or any relevant supervisory authority) in the performance of its tasks; and
  6. notify the data controller without undue delay after becoming aware of a personal data breach.

We shall be liable in respect of any breach of our obligations under the agreement and/or Data Protection Legislation with respect to the processing of personal data other than where such breach is caused by or results from an act or omission by the data controller. We shall fully and effectively indemnify the data controller for any claim brought by a data subject and/or any competent authority or body arising from any action or omission by us with respect to the processing of their personal data other than to the extent that such action or omission resulted from compliance with the data controllers instructions. Retention Period Unless otherwise indicated below, your data will be stored for the duration of our contract with you plus a maximum period of 7 years.  After this time it will be destroyed unless we have identified a lawful purpose(s) for which we need to keep your data longer or you request that we keep it for longer. If we feel that we may need to keep your data for longer than the lawful purposes for which it was obtained, we will contact you to obtain your consent to such longer period. For further information on your rights, please see the relevant supervisory authority’s website.

      i.        Legal Services

The kind of information we hold about you MJ Hudson provide legal services including advice in relation M&A, Hedge Funds, Venture Capital and Private Funds (Legal Services). Legal services are provided by MJ Hudson Limited (company number 08607159 and ICO registration number ZA031740), MJH Services (Guernsey) Limited, Jonathan Fraser Bale t/a MJ Hudson (OIC notification number 58059) and their subsidiary companies. If you engage us to provide Legal Services to you, we may collect, store, and use the following categories of Personal Data about you:

  • name;
  • business postal address;
  • business email address;
  • telephone number;
  • date of birth;
  • nationality;
  • job title;
  • fax number;
  • mobile telephone number;
  • copy of your passport or other form of photographic ID;
  • corporate bank details;
  • source of wealth and source of funds;
  • criminal convictions;
  • whether you are a politically exposed persons;
  • whether you are on a sanctioned or watch list; and
  • other information about you which you may provide to us in the course of us providing legal services.

Note that, in certain circumstances, the information we hold about you may include Special Category Data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions. How your data is collected We collect your data from the following sources:

  1. directly from you during our client inception and on-boarding process and our ongoing client relationship;
  2. background check providers, from which we collect the following categories of data:
  3. whether you are on a sanctioned or watch list;
  4. details of criminal convictions; and
  • whether you are a politically exposed persons
  1. your professional reference from whom we collect confirmation of your name and address; and
  2. other service providers to you, such as your company’s administrator or company secretary, who may provide us with copies of your passport or other ID.

What we use your data for We use your data for the following purposes:

  1. in order to provide legal services pursuant to our contract with you;
  2. in order to comply with our legal obligation such as to carry out anti-money laundering checks on our clients;
  3. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see the Marketing Policy for further details of how we use your data for marketing purposes; and
  4. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements. Who we share your data with We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so.  Details of the organisations we may share your data with are set out below:

  1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of the Applicable Local Laws or the GDPR, as applicable.

  1. Your other advisors or lawyers

It is sometimes necessary to share information, including your data, with third parties who are providing you with advice or other professional services ancillary to the legal services we are providing.  For example, if we are providing legal advice to a fund, we may share certain information with the fund administrator or fund manager, in order to provide our services or to permit them to provide theirs.

  1. Our Consultants

We use consultants to provide certain of our services to our Legal clients. These consultants are not employees of MJ Hudson and are, therefore, considered third party processors for the purposes of the GDPR and/or Applicable Local Laws but they are subject to the same policy and procedure requirements as all of our staff in relation to how they handle personal data.

  1. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes. All of our service providers have entered or will shortly enter into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request.

  1. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data.  Our auditors are subject to strict confidentiality provisions in their contract with us.

  1. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data where such disclosure is necessary for the establishment, exercise or defence of legal claims. In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:

  1. where you have given your consent;
  2. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
  3. if we sell our company, go out of business, or merge with another company.

International Transfers In certain circumstances, we may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR.  Details of the circumstances and mechanisms in place to ensure compliance are set out below:

  1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws. We also have operations in the USA and Canada, we have put in place Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All Personal Data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are held within EU based Microsoft servers.

  1. Your other advisors

In some instances, you may have instructed other lawyers or advisors who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

  1. NetDocuments in the United States

We use a document management system called NetDocuments to store some of our client files and this may include your data.  NetDocuments is operated by NetVoyage Corporation in the United States.  NetVoyage Corporation participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to NetDocuments in the United States are therefore made subject to appropriate safeguards in accordance with the Applicable Local Laws and the GDPR. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome.  NetDocuments’s privacy policy can be viewed here. Data Retention We only keep data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. Please note that, in Jersey and Guernsey, local law requires us to retain records for a period of 10 years and we may, therefore, retain your data for this period.

    ii.        Fund Management Solutions

MJ Hudson provide third party compliance services regulating firms on behalf of the Financial Conduct Authority and Commission de Surveillance du Secteur Financier, as well as fund management, administration and operation services (Fund Management Solutions). Fund Management Solutions are provided by MJ Hudson Fund Management Limited (FRN: 193171) and MJ Hudson Advisers Limited (FRN: 692447) in the UK, and MJ Hudson Management S.A. (CSSF ID: A00002036) in Luxembourg. The kind of information we hold about you If you engage us to provide Fund Management Solutions to you, we may collect, store, and use the following categories of personal data about you:

  1. name;
  2. business postal address;
  3. residential address;
  4. business email address;
  5. telephone number;
  6. date of birth;
  7. nationality;
  8. job title;
  9. fax number;
  10. mobile telephone number;
  11. copy of your passport or other form of photographic ID;
  12. corporate Bank Details;
  13. source of wealth and source of funds;
  14. FCA/CSSF/GFSC registration number (if applicable);
  15. list of directorships;
  16. employment history;
  17. criminal convictions;
  18. credit reports/ratings;
  19. whether you are a politically exposed persons;
  20. whether you are on a sanctioned or watch list; and
  21. other information about you which you may provide to us in the course of us providing Fund Management Solutions.

In certain circumstances, the information we hold about you may include special category data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions How your data is collected We collect your data from the following sources:

  1. directly from you during our client inception and on-boarding process and our ongoing client relationship;
  2. background check providers, from which we collect the following categories of data:
  3. whether you are on a sanctioned or watch list;
  4. details of criminal convictions;
  • whether you are a politically exposed persons; and
  1. a credit report.
  2. Companies House or other local public company registers, as applicable; and
  3. other service providers to you, such as your company’s administrator, who may provide us with copies of your passport or other ID.

What we use your data for We use your data for the following purposes:

  1. in order to provide Fund Management Solutions pursuant to our contract with you;
  2. in order to comply with our legal obligation such as to carry out anti-money laundering checks on our clients and to comply with our obligations to the Financial Conduct Authority;
  3. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see here for further details of how we use your data for marketing purposes;
  4. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you;
  5. Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements.

Who we share your data with We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so.  Details of the organisations we may share your data with are set out below:

  1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this Policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of Applicable Local Laws or the GDPR, as applicable.

  1. Your other advisors, service providers or fund investors

It is sometimes necessary to share information, including your data, with third parties who are providing you with advice or other professional services ancillary to the services we are providing.  For example, if we are providing services to a fund, we may share certain information with the fund, the investors, the fund administrator, fund auditor, fund manager, bank or depository, in order to provide our services or to permit them to provide theirs.

  1. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes.  All of our service providers have entered into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request

  1. Background Check providers

As detailed above, we may obtain certain personal data about you from third party background check providers.  In order to obtain such information we need to share some of your data with those background check providers. One of the background check providers that we use is KYC6. KCY6 may have a list of our clients’ names on a database on some occasions after a search has been performed. We have data processing agreements with all background check providers with whom we share personal data.

  1. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data.  Our auditors are subject to strict confidentiality provisions in their contract with us.

  1. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data where such disclosure is necessary for the establishment, exercise or defence of legal claims. In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:

  1. where you have given your consent;
  2. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
  • if we sell our company, go out of business, or merge with another company.

International Transfers In certain circumstances, we may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR.  Details of the circumstances and mechanisms in place to ensure compliance are set out below:

  1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws. We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All Personal Data used by staff in these locations is held on our central servers located in Jersey.  Emails are stored within EU based Microsoft servers.

  1. Your other advisors

In some instances, you may have instructed other lawyers or advisors who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

  1. Sharepoint in the United States

We use Sharepoint to store some of our client files and this may include your data.  Sharepoint is operated by Microsoft in the United States.  Microsoft participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to Sharepoint in the United States are therefore made subject to appropriate safeguards in accordance with the Applicable Local Laws and the GDPR. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for your data. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome. Microsoft’s privacy policy can be viewed here.

  1. Sterling Talent Solutions in Canada and the United States

We use Sterling Talent Solutions UK Limited (Sterling) as a background check service provider. Sterling stores personal data in Canada and the United States. The European Commission has ruled that Canada offers adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and Applicable Local Laws. Sterling’s US entities, Sterling Info systems Inc. and its U.S. affiliates and subsidiaries, participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to Sterling in the United States are therefore made subject to appropriate safeguards in accordance with the Applicable Local Laws and the GDPR. Sterling’s privacy can be viewed here. Data Retention MJ Hudson only keeps data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. Please note that, in Jersey and Guernsey, local law requires us to retain records for a period of 10 years and we may, therefore, retain your data for this period.

   iii.        IR & Marketing 

  MJ Hudson provides investor relationship and marketing solutions including perception studies, advice in relation to fundraising and marketing materials, branding and communications to support Fund Managers and other clients (IR & Marketing Solutions). The kind of information we hold about you If you engage us to provide IR & Marketing Solutions to you, we may collect, store, and use the following categories of personal data about you:

  1. name;
  2. business postal address;
  3. business email address;
  4. telephone number;
  5. date of birth/age;
  6. job title;
  7. company;
  8. corporate bank details;
  9. whether you are a politically exposed persons;
  10. whether you are on a sanctioned or watch list;
  11. other information about you which you may provide to us in the course of us providing IR & Marketing Solutions.

In certain circumstances, the information we hold about you may include special category data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions How your data is collected We collect your data from the following sources:

  1. directly from you during our client inception and on-boarding process and our ongoing client relationship;
  2. background check providers, from which we collect the following categories of data:
  3. whether you are on a sanctioned or watch list;
  4. details of criminal convictions; and
  • whether you are a politically exposed persons
  1. publicly available sources such as electronic databases and lists.

What we use your data for We use your data for the following purposes:

  1. in order to provide IR & Marketing Solutions pursuant to our contract with you;
  2. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see here for further details of how we use your data for marketing purposes; and
  3. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements. Who we share your data with We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so.  Details of the organisations we may share your data with are set out below:

  1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this Policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of Applicable Local Laws or the GDPR, as applicable.

  1. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes.  All of our service providers have entered or will shortly enter into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request

  1. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data. Our auditors are subject to strict confidentiality provisions in their contract with us.

  1. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data where such disclosure is necessary for the establishment, exercise or defence of legal claims. In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:

  1. where you have given your consent;
  2. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
  • if we sell our company, go out of business, or merge with another company.

International Transfers In certain circumstances, we may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR.  Details of the circumstances and mechanisms in place to ensure compliance are set out below:

  1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws. We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All personal data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are stored within EU based Microsoft servers.

  1. Your other advisors

In some instances, you may have instructed other advisors or service providers who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

  1. SurveyMonkey in the United States

We use SurveyMonkey to carry out our online surveys.  SurveyMonkey stores survey data on its servers in the United States.  If you participate in one of our surveys, your personal data will be transferred to the United States.  SurveyMonkey Inc. (and its subsidiary company, Infinity Box Inc.) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to SurveyMonkey in the United are therefore made subject to appropriate safeguards in accordance with the GDPR and Applicable Local Laws. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for Your data. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome.  SurveyMonkey’s privacy policy can be viewed here. We may also transfer your data to such other service providers as may be necessary for the execution of the work you have contracted us to perform. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

   iv.        International Administration

MJ Hudson’s International Administration team provide trust and corporate services or investment management and administration services (International Administration Services). International Administration Services are provided by MJ Hudson Fiduciaries Limited (GFSC reference 2265283 Data Protection reference 54017), MJ Hudson Fund Management Guernsey Limited (GFSC reference 2293292 Data Protection reference 58843), Tower Managers Limited (GFSC reference 2291851 Data Protection reference 58853), Tower Gate GP II Limited, VFS Trustees Limited (GFSC reference 2265380  Data Protection reference 54017), VFS Nominees Limited (GFSC reference 2265383 Data Protection reference 54017), VFS Directors 1 Limited (GFSC reference 2265378  Data Protection reference 54017) and VFS Directors 2 Limited (GFSC reference 2265379 Data Protection reference 54017).   If you engage us to provide trust and corporate services or investment management and administration services to you, we may collect, store, and use the following categories of personal data about you: The kind of information we hold about you If you engage us to provide International Administration Services to you, we may collect, store, and use the following categories of personal data about you:

  1. contact details (including names, postal and email addresses, telephone numbers and website URL)
  2. information required for us to meet legal and regulatory requirements in particular in respect of anti-money laundering legislation, including identification data (date and place of birth, nationality, identity number, copies of your passport or other identification document), and information regarding source of funds and source of wealth and beneficial ownership disclosure requirements
  3. information required for us to meet reporting obligations for example: tax reporting including tax status, tax number, tax residency and financial information
  4. information required for us to provide the services including financial information to process payments, background information including employment details and details of dependents
  5. any other information you may provide to us

We may also collect, store and use special category data including:

  1. information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
  2. information about your health, including any medical condition, health and sickness records
  3. data relating to a person’s criminal record or alleged criminal activity

Special category data requires a higher level of protection and will only be processed where we have received explicit consent or the processing is necessary for compliance with a legal obligation. How your data is collected The sources of your data may include clients, data subjects directly, introducers, intermediaries, advisers, third parties connected to the data subject (for example: family member, employer or another service provider who provides services to the data subject) or open-source material. We collect personal data via the completion of forms provided to you and completed by you, from documents provided including due diligence documents, from correspondence including email, from meetings and telephone conversations. We will collect personal data throughout the course of our business relationship or while we provide services to clients connected to you. What we use your data for We use your data for the following purposes.  This table also confirms the lawful basis we are relying on in each case:

Purpose Lawful Basis for Processing
To provide trust, corporate and foundation management and administration services including bookkeeping and accounting services The legitimate interests of MJ Hudson as a provider of trust, foundation and corporate management and administration services.   The legitimate interests of MJ Hudson’s clients and their underlying and connected persons.  
To provide investment management and administration services including registrar services The legitimate interests of MJ Hudson as a provider of investment management and administration services.   The legitimate interests of MJ Hudson’s clients and their underlying and connected persons.
To administer any contract we have entered into with you or where a party related to an entity for which we are contracted to provide services To fulfil the contract we have entered into.
Making arrangements for the termination of our business relationship The legitimate interests of MJ Hudson to seek to ensure that business relationships are terminated efficiently and effectively
To manage our client, intermediary and other business relationships The legitimate interests of MJ Hudson to seek to ensure that its business is conducted efficiently and with a view to enhancing business services
To obtain legal and/or tax advice or representation The legitimate interests of MJ Hudson and its clients to ensure that it is able to engage relevant tax or legal advisers and/or representation
To ensure the security of MJ Hudson systems and staff and prevent fraud The legitimate interest of MJ Hudson in protecting its systems and staff from being misused or the victim of criminal activity
To meet all legal and regulatory obligations applicable to MJ Hudson including in respect of managing conflicts of interest The legitimate interests of MJ Hudson as a financial services provider to process data to the extent necessary to meet all legal and regulatory obligations incumbent on it   The processing is necessary for compliance with a  legal obligation to which MJ Hudson is subject for example: relevant anti-money laundering and countering the financing of terrorism legislation
To provide marketing communications to you Where consent has been provided. Please see here for further details of how we use your data for marketing purposes here.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements. The data sought will vary and the purposes for processing will overlap depending on the type of services provided. Who we share your data with We share information with third parties including third party service providers where required by law, where it is necessary to administer our business relationship, where it is necessary for us to provide the services to you or where we have another legitimate interest in doing so. The following are potential recipients of personal data (in each case including respective employees, director and officers):

  1. sub-contractors, agents, consultants or service providers such as insurance brokers, compliance, IT firms or other professional advisers of MJ Hudson or its clients and their clients and associated parties;
  2. other parts of MJ Hudson where it is relevant for the services we are providing to you. A full list of all MJ Hudson group entities and affiliates is available on the Group Privacy Policy page of our Websites;
  3. bankers, auditors, accountants, investment brokers, managers or advisers, legal and other professional advisers;
  4. company formation agencies and registries;
  5. land or property agents and registries;
  6. Guernsey and overseas regulators, or other government or supervisory body and tax authorities when required by law; and
  7. law enforcement agencies where considered necessary for MJ Hudson to fulfil legal obligations applicable to it.

When we engage a third party to process your personal data, we will require them to process your personal data in accordance with our instructions and protect the data against unauthorised or accidental use, access, disclosure, loss or destruction. We do not allow them to use your personal data for their own purposes. They will only be permitted to process your personal data for a specified purpose and in accordance with our instructions.  Where they no longer need to your personal data to fulfil the contract, they will need to transfer the data back to us and/or destroy or delete any data held by them. International Transfers In the event any of the third parties detailed above are outside of Guernsey and the EU and where we are transferring personal data which would be protected under Applicable Local Law or GDPR we will ensure that we meet the relevant requirements prior to carrying out such a transfer. This may include only transferring the data where we are satisfied that:

  1. the non-European Union country has Data Protection laws similar to the Laws in Guernsey and the European Union
  2. the recipient has agreed through contract to protect the information to the same Data Protection standards as Guernsey and the European Union
  3. we have obtained consent from the relevant data subjects to the transfer, or
  4. if transferred to the United States of America, the transfer will be to organisations that are part of the Privacy Shield or we will put sufficient contractual documentation in place.

Data Retention We only collect data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. Details of retention periods for different aspects of your personal data are available in our data management policy which is available on request. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential for harm from unauthorised use or disclosure of the data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Once our business relationship ends, we will retain and securely destroy your personal data in accordance with our record retention and destruction policy, applicable legislation and/or regulatory requirements.

    v.        Investment Advisory

MJ Hudson’s Investment Advisory team operates under the MJ Hudson Allenbridge name.  MJ Hudson Allenbridge provide independent investment advisory and consulting services, due diligence, governance, investment research, introductions, and execution-only brokerage services (“Investment Advisory Services”). The kind of information we hold about you If you engage us to provide Investment Advisory Services to you, we may collect, store, and use the following categories of Personal Data about you:

  1. name;
  2. postal address;
  3. email address;
  4. telephone number;
  5. IP address;
  6. date of birth/age;
  7. job title;
  8. company;
  9. information about your professional and educational background and experience;
  10. copy of your passports or other form of photographic ID;
  11. corporate bank details;
  12. criminal convictions;
  13. whether you are a politically exposed persons;
  14. whether you are on a sanctioned or watch list;
  15. other information about you which you or other controllers of your personal data may provide to us in the course of us providing Investment Advisory Services.

In certain circumstances, the information we hold about you may include special category data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions How your data is collected We collect your data from the following sources:

  1. directly from you during our client inception and on-boarding and our ongoing client relationship;
  2. background check providers, from which we collect the following categories of data:
  3. whether you are on a sanctioned or watch list;
  4. details of criminal convictions; and
  • whether you are a politically exposed persons
  1. Companies House or other local public company registers, as applicable; and
  2. your employer or agent;
  3. references you have provided;
  4. administrative sources such as receiving agents and custodians (if we provide you with execution only services;
  5. proprietary database system, such as AdvantageIQ;
  6. other business contacts who may refer you to us; and
  7. third party/publicly available sources such as Smart Search AML, Blue Book, Bloomberg, Alternative Soft, your company’s website, trade websites and LinkedIn.

What we use your data for We use your data for the following purposes:

  1. in order to provide Investment Advisory Services pursuant to our contract with you;
  2. in order to comply with our legal obligations such as to carry out anti-money laundering checks on our clients;
  3. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see here for further details of how we use your data for marketing purposes; and
  4. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements. Who we share your data with We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so. Details of the organisations we may share your data with are set out below:

  1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this Policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of Applicable Local Laws or the GDPR, as applicable.

  1. Your other advisors or service providers

It is sometimes necessary to share information, including your data, with third parties who are providing you with advice or other professional services ancillary to the Investment Advisory Services we are providing.  For example, if we are providing Investment Advisory Services to a pension fund, we may share certain information with the trustees of the fund, in order to provide our services or to permit them to provide theirs. We may also share the results of our reports (which may contain personal data) with certain third parties with whom you (or your company) authorise us to share such data.

  1. Consultants and our Senior Advisors

We use consultants and Senior Advisors to provide certain of our services to our Investment Advisory clients. These consultants and Senior Advisors are not employees of MJ Hudson and are, therefore, considered third party processors for the purposes of the GDPR and/or Applicable Local Laws but they are subject to the same policy and procedure requirements as all of our staff in relation to how they handle personal data.

  1. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes.  All of our service providers have entered or will shortly enter into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request

  1. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data.  Our auditors are subject to strict confidentiality provisions in their contract with us.

  1. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data  where such disclosure is necessary for the establishment, exercise or defence of legal claims. In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:

  1. where you have given your consent;
  2. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
  3. if we sell our company, go out of business, or merge with another company.

International Transfers In certain circumstances, we may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR.  Details of the circumstances and mechanisms in place to ensure compliance are set out below:

  1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws. We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All Personal Data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are stored within EU based Microsoft servers.

  1. Your other advisors

In some instances, you may have instructed other lawyers or advisors who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

  1. Sharepoint in the United States

We use Sharepoint to store some of our client files and this may include your data.  Sharepoint is operated by Microsoft in the United States.  Microsoft participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Transfers of personal data to Sharepoint in the United States are therefore made subject to appropriate safeguards in accordance with the Applicable Local Laws and the GDPR. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for your data. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome. Microsoft’s privacy policy can be viewed here.

   vi.        Data & Analytics

MJ Hudson provides an independent, empirical view on the strengths and weaknesses of our clients, their service providers and their investment opportunities (Data & Analytics). Data & Analytics Services are provided by Amaces Limited, Amaces Inc and MJ Hudson Allenbridge. We help our clients benchmark, select and monitor service providers and investment products, with data that is unavailable elsewhere and using techniques and analysis tools that we have developed, in-house, over many years. Our Benchmarking & Consulting team works with some of the world’s largest asset owners and asset managers to benchmark their custodian banks and FX providers in terms of the fees they charge and also the services they provide. In the Venture & Tax-Advantaged Investments market, we provide independent reviews of investment managers and their products. We do this for wealth managers, financial advisers and private investors. Beyond these focus areas, we also conduct perception studies and other kinds of market research. The kind of information we hold about you If you engage us to provide Data & Analytics Services to you, we may collect, store, and use the following categories of personal data about you:

  1. name;
  2. business postal address;
  3. business email address;
  4. telephone number;
  5. Username;
  6. Job Title;
  7. bank details;
  8. IP addresses.

Note that, in certain circumstances, the information we hold about you may include Special Category Data (as defined in the GDPR), including data which reveals your ethnicity, your political opinions, your health or your criminal convictions How your data is collected We collect your data directly from you during our client inception and on-boarding process and our ongoing client relationship. What we use your data for We use your data for the following purposes:

  1. in order to provide Data & Analytics Services pursuant to our contract with you;
  2. in order to provide marketing communications to you (but only where we have obtained your consent to do so). Please see here for further details of how we use your data for marketing purposes; and
  3. for our legitimate business interests such as for internal record keeping purposes or to manage our client relationship with you.

Any special category data we hold about you will only be processed so far as necessary in order to comply with our legal requirements. Who we share your data with We will never sell your data and we will only disclose your data to other parties where necessary in order to provide our services or where we are legally obliged to do so.  Details of the organisations we may share your data with are set out below:

  1. MJ Hudson Group Companies

We may share your data with other members of MJ Hudson for the purposes set out in this Policy.  All members of MJ Hudson will process your data in accordance with this privacy policy and subject to the requirements of Applicable Local Laws or the GDPR, as applicable.

  1. Third party service providers

We use carefully selected third parties to provide certain services to us, such as our IT Infrastructure or document management systems. By the nature of the service they provide, some such third party service providers may have limited access to your data for support purposes.  All of our service providers have entered or will shortly enter into contracts which contain strict confidentiality and data processing provisions.  A full list of all of the third party service providers we use is available on request.

  1. Auditors

We may need to share limited information regarding our clients with our auditors, including, in some instances, your data.  Our auditors are subject to strict confidentiality provisions in their contract with us.

  1. Regulatory Bodies/Government Agencies

We may disclose your data to certain regulatory bodies or government agencies where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your data  where such disclosure is necessary for the establishment, exercise or defence of legal claims.

  1. In relation to any other categories of recipients not listed above, we will only disclose your information in the following circumstances:
  2. where you have given your consent;
  3. where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise or defend legal rights; and
  4. if we sell our company, go out of business, or merge with another company.

International Transfers We may transfer your data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject.  Any such transfers are, at all times, made in accordance with the Applicable Local Laws and the GDPR. Details of the circumstances and mechanisms in place to ensure compliance are set out below:

  1. MJ Hudson Group Companies in the Channel Islands, Switzerland, Canada and the USA.

We have offices in Jersey, Guernsey and Switzerland.  Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Switzerland offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws. We also have operations in the USA and Canada, we have put in place our Group Standard Contractual Clauses between us and our American and Canadian employees to safeguard EU data subject’s rights under the GDPR.  All Personal Data used by staff in these locations is held on MJ Hudson’s central servers located in Jersey. Emails are stored on EU based Microsoft servers.

  1. Your other advisors

In some instances, you may have instructed other advisors or service providers who are based outside the EEA and who we need to share information with, in order to provide our services to you. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

  1. SurveyMonkey in the United States

We use SurveyMonkey to carry out our online surveys.  SurveyMonkey stores survey data on its servers in the United States.  If you participate in one of our surveys, your personal data will be transferred to the United States.  SurveyMonkey Inc. (and its subsidiary company, Infinity Box Inc.) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Transfers of Personal Data to SurveyMonkey in the United are therefore made subject to appropriate safeguards in accordance with the GDPR and Applicable Local Laws. We have also put in place a Data Processing Agreement based on the Standard Contractual Clauses approved by the European Commission to provide enhanced protection for your data. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome.  SurveyMonkey’s privacy policy can be viewed here. We may also transfer your data to such other service providers as may be necessary for the execution of the work you have contracted us to perform. In these circumstances, we ensure that any personal data transferred is limited to that which is required for us to perform our contract with you and the transfer is made in accordance with the GDPR and/or Applicable Local Laws.

The kind of information we hold about you  In connection with your job application, we will collect, store, and use the following categories of personal information about you:

  1. the information you have provided to us in your curriculum vitae (CV) and covering letter;
  2. the information you have provided on our application form, including name, title, address, telephone number, personal email address, employment history, education history, qualifications, and employment references;
  3. any information you provide to us during an interview;
  4. the results of any tests we ask you to undertake and
  5. documentation relating to your right to work in the jurisdiction in which the job is located including a copy of your passport or driving licence.

We may also collect, store and use the following special categories of more sensitive personal information:

  1. Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
  2. Information about your health, including any medical condition, health and sickness records.
  3. Information about criminal convictions and offences.

How is your personal information collected?  We collect data about you in a variety of ways including directly from you by way of the information you include in your CV or job application cover letter and notes made by our recruitment team during a recruitment interview. Other details may be collected directly from you in the form of official documentation such as your driving licence, passport or other right to work evidence. In some cases, we will collect data about you indirectly from the following sources:

  1. recruitment agencies;
  2. your named referees;
  3. background check providers; and
  4. credit reference agencies.
  5. Personal data is kept in personnel files or within the Company’s HR and IT systems.

How we will use information about you  We will use the personal information we collect about you to:

  1. assess your skills, qualifications, and suitability for the role you are applying to;
  2. carry out background and reference checks, where applicable;
  3. communicate with you about the recruitment process;
  4. keep records related to our hiring processes; and
  5. comply with legal or regulatory requirements.

Once you submit your CV and covering letter and/or application form and test (where applicable) we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the role. If we decide to offer you the role, we will then take up references and/or carry out a criminal record checks.  We may also carry out other checks if necessary before confirming your appointment. Why we process your data The law on data protection allows us to process your data for certain reasons only:

  1. in order to perform a contract that we are party to;
  2. in order to carry out legally required duties;
  3. in order for us to carry out our legitimate interests;
  4. to protect your interests; and
  5. where something is done in the public interest.

We need to collect your personal data to ensure we are complying with legal requirements such as:

  1. carrying out checks in relation to your right to work in the UK and
  2. making reasonable adjustments for disabled employees.

We also process personal data so that we can carry out activities which are in our legitimate interests. We have set these out below:

  1. making decisions about who to offer employment to;
  2. making decisions about salary and other benefits;
  3. assessing training needs; and
  4. dealing with legal claims made against us.

If you are unsuccessful in obtaining employment, we may seek your consent to retain your personal data in case other suitable job vacancies arise within MJ Hudson for which we think you may wish to apply. You are free to withhold your consent to this and there will be no consequences for withholding consent. How we use particularly sensitive personal information   We will use your particularly sensitive personal information in the following ways:

  1. we will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview;
  2. we may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, trade union membership, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
  3. genetic and biometric data for job applicants on a Tier 2 visa.

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn. Information about criminal convictions  We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. We will collect information about your criminal convictions history if we make you a job offer role (conditional on checks and any other conditions, such as references, being satisfactory). We are required to carry out a criminal records check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. In particular we are legally required by the Solicitors Regulatory Authority and the Financial Conduct Authority to carry out criminal record checks for certain roles within the Company. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. If you do not provide your data to us One of the reasons for processing your data is to allow us to carry out an effective recruitment process. Whilst you are under no obligation to provide us with your data, we may not able to process, or continue with (as appropriate), your application. Automated decision-making  You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making as we do not use automated decision-making. Data sharing  Why might we share your personal information with third parties? We will only share your personal information with the following third parties for the purposes of processing your application:

  1. Background check providers;
  2. Other entities within the MJ Hudson group of entities;
  3. Recruitment agencies
  4. Hosted software providers (our HR system is hosted by an external provider, for example);
  5. Contractors/consultants providing HR services to MJ Hudson
  6. Third party service providers (for example, IT services).

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. International transfers We may transfer the personal data we collect about you to the following countries outside the EU during the course of the application process:

  1. Jersey

This is where our IT servers are located and your personal data will, therefore, be stored and processed in Jersey. There is an adequacy decision by the European Commission in respect of Jersey. This means that it is deemed to provide an adequate level of protection for your personal data.

  1. Guernsey

We have group entities in Guernsey and, whilst technical and organisational measures are in place to ensure that employee personal data is not accessed by anyone who does not strictly need it, it is possible that your personal data will be transferred to Guernsey (for example, if you are sent on secondment there).  There is an ‘adequacy decision’ in place from the European Commission in respect of Guernsey, which means that it is deemed to provide an adequate level of protection for your personal data.

  1. Switzerland

We have group entities in Switzerland, whilst technical and organisational measures are in place to ensure that employee personal data is not accessed by anyone who does not strictly need it, it is possible that your personal data will be transferred to Switzerland (for example, if you are sent on secondment there).  There is an ‘adequacy decision’ in place from the European Commission in respect of Switzerland, which means that it is deemed to provide an adequate level of protection for your personal data.

  1. United States and Canada

We have Group operations in the United States and Canada. Also, some of our third-party service providers, such as NetVoyage Corporation who operate NetDocuments and Microsoft Corporation who operate Sharepoint, are located in the United States.  All transfers of personal data to service providers in the Unites States are made on the basis of adequate safeguards in accordance with the law, either in the form of the ‘EU-US Privacy Shield’ or the Standard Contractual Clauses approved by the European Commission. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome. How long will you use my information for? We will retain your personal information for the period of time required in order to assess your application plus a further period of 9 (nine) months after the position for which you applied has been filled. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations. If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period on that basis. If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy notice for employees, which will be provided to you following signature of your employment contract (or other contract, as relevant). If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us using the contact details at the beginning of this policy.

This privacy notice applies to current and former employees, workers, contractors, and vacation placements/interns. It explains how we will process your personal data. This notice does not form part of any contract of employment or other contract to provide services. What information do we hold? We hold a range of personal data about you, some of which you provide to us directly and some of which we receive from third parties. Here are some examples of types of personal data we hold:

  1. Personal details such as name, title, date of birth, gender, martial status and dependents
  2. Contact details such as address, telephone number and personal email address
  3. Next of kin and emergency contact information
  4. National Insurance Number
  5. Bank account details, payroll details and tax status information
  6. Salary, annual leave, pension and benefits information
  7. Location of employment or workplace
  8. Recruitment information (including copies of qualifications, right to work documentation, driving license references and other information included in a CV or cover letter or as part of the application process)
  9. Employment records (including job titles, work history, working hours, training records and professional memberships)
  10. Immigration information (for example passport details and language proficiency)
  11. Performance information
  12. Disciplinary and grievance information
  13. Swipe card records
  14. Information about your use of our IT systems
  15. ID card image and photographs

We may also collect, store and use the following special categories of more sensitive personal information:

  1. Information about your race or ethnicity, disability, age, religious beliefs, gender reassignment, sexual orientation, political opinions, marriage and civil partnership and pregnancy and maternity
  2. Trade union membership
  3. Information about your health, including any medical condition, health and sickness records
  4. Information about any criminal convictions, offences and barred list status

How do we use it and why? We process your personal data to help us to effectively administer the employment relationship between you and MJ Hudson. We only process data for specified purposes and if it is justified in accordance with data protection law. Some processing of your personal data is justified on the basis of contractual necessity. In general this applies to personal data you provide to us at when you first start working for us and throughout the duration of your employment with MJ Hudson. It’s to manage the employment relationship and to monitor performance. Without this information we wouldn’t be able to employ you and follow the law, assess your application, offer you work with MJ Hudson or make reasonable adjustments. Some personal data is also required to fulfil our legal obligations (for example, immigration or HMRC). Further Information Please refer to the detailed privacy notice set out in your employee handbook for further information on how we protect personal data relating to our employees and contractors.