EPIC is committed to respecting its customers’ rights to privacy. We ask that you read this policy
which sets out the basis on which we process your personal data.
The Gibraltar Data Protection Act (DPA) of 2004 was formally adopted on 1st June 2006 giving rights to individuals on whom information is kept and giving responsibilities to those organisations who collect, control, and process such data. New General Data Protection Regulations “GDPR” came into force on 25th May 2018.
The Company is a “data controller” with regards to the information it collects and holds on individuals to allow it to provide appropriate services to its clients. The Company is registered with the Gibraltar Regulatory Authority under the registration number [ ].
1. REASONABLE & FAIR INFORMATION REQUIREMENTS AND USAGE
- Clients voluntarily submit information required by the Company to complete forms and documents in the normal course of business.
- Additional information, such as employment details, names and ages of children, other professional advisors, interest in real estate or art, possible anticipated future cash flow events may be required and will be recorded by the Company to meet the requirements of the GFSC (e.g., Newsletter Number 5 of 1992 “Guidance Notes on Know your Customer”).
- The Company may be required to share information with regulated third parties to satisfy regulatory KYC requirements. We anticipate this to be mainly other financial institutions.
- A “legal basis” is needed to justify the processing of each data category. A legal basis can be a statutory requirement, such as recording for tax purposes, necessary for a legal obligation, or for the performance of an employment contract, like paying the individual or ensuring work is performed. For much employee data, the legal basis will be a “legitimate interest”, for example capturing data to improve workforce performance or to respond to a dispute.
2. PURPOSE SPECIFICATION; USE AND DISCLOSURE OF INFORMATION
- We obtain and hold information, which is necessary to open bank accounts, establish an investment mandate, and adhere to both good practice and regulatory KYC.
- We do not go beyond these parameters except where you offer additional personal information for a particular purpose.
- Our registration with the Data Protection Commissioner (DPC) will reflect the above and will be monitored by the DPCCO.
The Company maintains security provisions integral to its business. These provisions are detailed in our IT policy and will be updated in line with the other regulatory obligations of the Company but can be summarised as follows:
- Computer Acceptable Use Policy
- Security Measures and Breach of Security
- Password Construction Guidelines
- Password Protection Policy
- Clear Desk Policy
- Email Policy
- Internet Usage Policy
- Virus Protection
- Remote Access Tools Policy
- Removable Media Policy
- Social Engineering Awareness Policy
- Software Installation Policy
- Technology Equipment Disposal Policy
4. ADEQUATE, RELEVANT, AND NOT EXCESSIVE
- Staff are required not to seek information beyond that required to offer investment arrangements for you. We do not require Sensitive Personal Data such as race or ethnicity, political opinions, religious beliefs, trade union membership, health conditions or sexual preferences.
- Whilst data concerning criminal offences committed, or alleged to have been committed, or criminal proceedings is also considered to be “Sensitive Personal Data”, it is of clear relevance to assessing suitability of the client for our services and is required to meet our suspicious transactions / MLRO duties.
5. ACCURATE AND UP TO DATE
- Client relationship managers, when meeting with you, will request relevant and up-to-date KYC and client information in order to maintain accurate and up-to-date client files.
6. RETENTION TIME
- Records relating to the verification of your identity must be retained for five years after an account is closed or the business relationship ended.
- Invoices, accounts, financial reports, and other significant company records are retained indefinitely.
7. RIGHT OF ACCESS
- You have the right to access information held about you.
- Requests received from you are to be directed to the managing director or the deputy, who will, as necessary, refer to and/or take advice on how to ensure that such requests are handled in line with the DPO.
- Any data held on paper or electronically should be available to you, free of charge, in a commonly used format, electronically and within one month. You should communicate what categories of data you need, and an explanation of why, to narrow down what the Company needs to provide. An administration fee can be charged for an excessive request.
- You also have the right to ask us not to process your personal data for marketing purposes.