Data protection policy

Processing of personal data

We process personal data in order to satisfy our statutory functions, and in particular:

• to determine whether or not a prospective principal person or principal person is 'fit and proper' to carry on a particular role
• to determine whether or not an individual’s association with an applicant for registration or registered person has any impact on the “fit and proper” status of the applicant or registered person to carry on a particular regulated activity
• to determine whether or not the ownership or control of (i) a registered company, (ii) units in a unit trust, (iii) interests in a limited partnership, or (iv) interests in a limited liability partnership will detract from the reputation and integrity of the Island
• to record or register matters relating to the incorporation of companies, establishment of limited partnerships and limited liability partnerships, and use of business names, and matters related thereto
• to determine the probity and competence of its workforce - (including individuals that have applied for employment in the JFSC).

In addition, we may occasionally be required by law to process personal data to comply with the requirements of departments of the Government of Jersey, e.g. in matters relating to the administration of United Nations sanctions. Personal data may also be processed for our suppliers and others with whom we conduct business.

In order to assist with the determination of 'fitness and propriety', assessment of ownership and control, or determination of probity and competence, we may make further enquiries and seek further information, as it considers appropriate, to verify personal data that is provided. In the case of assessing 'fitness and propriety' this will involve police record checks, checks with other regulators, the use of external databases, and bankers’ references. In the case of determining probity and competence, this will involve police record checks and taking references.

As part of our administration of our employees, third parties under our direction may carry out some processing of personal data.

We expect registered persons and principal persons to notify us of material changes to personal data. Applicants for registration and prospective principal persons are required to declare that any material change to personal data will be immediately notified to us, and –  under Codes of Practice - registered persons are required to deal with us in an open and co-operative manner.

We expect companies, unit trusts, limited partnerships, and limited liability partnerships that are required by law to disclose changes in ownership and control to us to do so in accordance with relevant legislation or published timescales.

Personal data that is processed by us under our statutory functions cannot be disclosed to another party unless permitted by legislation. In particular, regulatory legislation provides for us to share personal data with various parties and authorities in Jersey and with overseas financial services regulators.

We may continue to hold personal data after an individual ceases to be a principal person, ceases to be associated with a registered person, ceases to own or control a company, units in a unit trust, interest in a limited partnership, or interest in a limited liability partnership, or ceases to be an officer or employee of the JFSC, so that it may deal with any matters that may subsequently arise with respect to that individual.

How we protect privacy of personal data

Notwithstanding the statutory obligations imposed on the us (and others) under the Data Protection (Jersey) Law 2018 (the Data Protection Law), we consider that the fair and accurate processing of personal data is important to the achievement of our objectives, to the success of our operations, and to maintaining confidence in the JFSC.

This means that we will:

• collect personal data fairly
• tell you why we are collecting personal data and how we will use it
• use personal data only to comply with our statutory functions or for operational purposes related to those statutory functions and to comply with legislation
• ensure that the personal data collected and held is accurate and, where necessary, kept up to date
• hold personal data only for so long as is necessary
• keep personal data secure
• share personal data only with other agencies by adopting practices that will keep it secure
• ensure that individuals can exercise rights under the Data Protection Law including the right to request access to the personal data held on that individual and respond to requests for inaccurate personal data to be corrected

Security of processing

We have taken appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, or accidental loss or alteration, and unauthorised disclosure or access (including where the process involves transmission of personal data over a network) and against all other unlawful forms of processing.

In particular, we take measures that are intended to ensure that:

• everyone  managing  and  handling  personal  data  understands  that  they  are contractually responsible for following good data protection practice
• everyone managing and handling personal data is appropriately trained to do so
• everyone managing and handling personal data is appropriately supervised.

Outsourcing to a data processor

Where the processing of personal data has been outsourced to a third party, we may use third parties to conduct onsite examinations - such outsourcing shall be undertaken in line with a written agreement between us and the third party and shall specify the rights and obligations of each party. In particular, the agreement shall state that the third party has adequate security measures in place and shall only process personal data on the specific written instruction from us.

The third party shall carry the same obligations, as we are required to observe, under the Data Protection Law.

Individuals rights

Under the Data Protection Law, you have rights as an individual which you can exercise in relation to the information we hold about you. These include the right to request that inaccurate personal data we hold about you is corrected, and the right to access your personal data. To request your personal data you should make a written 'subject access request'. This right is subject to certain exemptions, and further information about how to make a subject access request, can be found in our guidance.

We would encourage you to find out more about your rights by visiting the Office of the Information Commissioner's website.

If you have any queries in relation to this policy, contact the JFSC Data Protection Officer:

Jersey Financial Services Commission
PO Box 267
14 – 18 Castle Street
St Helier
Jersey
JE4 8TP