Cerberus is obliged to comply with the Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Data Law”) and is registered as a controller with the Office of the Data Protection Authority (“the ODPA”).
What is Personal Data?
Personal data is information about you that identifies you or may reasonably identify you (in conjunction with any other information that we hold about you), for example, your name, e-mail address, address or telephone number, IP address, copies of ID, proof of address, etc.
What Personal Data Does Cerberus Collect?
Cerberus routinely only collects the following categories of personal data:
- name (including surname and first name);
- e-mail address;
- job title; and
- contact telephone number.
Why and How Does Cerberus Collect this Personal Data?
In the majority of cases the personal information that Cerberus collects will be provided directly by clients who wish to engage with us in relation to one of our services.
Cerberus collects personal information from individuals who message us about our services via the “Contact Us” section of the website and from direct correspondence with us, including e-mails, written correspondence and telephone calls.
Cerberus collects personal data from individuals who wish to book training events, such as workshops and seminars, and who use the online booking form in order to do so.
In certain cases, Cerberus may also collect identification information in the context of due diligence enquiries. This information may come in the first instance directly from the client but may also be verified by us using third party sources of information.
Cerberus may come into contact with personal data during the provision of its regulatory compliance consultancy services, for example, during file reviews, but this data would be protected by confidentiality and would not be controlled by Cerberus or further processed by Cerberus. For the purpose of client reports, Cerberus anonymises all personal data.
Special Category Data
Special categories of personal data are specific categories of personal data related to a person’s profile, race or ethnicity, beliefs (whether political, religious or philosophical), sexual life or sexual orientation, health, genetic or biometric data, or trade union membership. Cerberus does not collect any special category data.
What is the Data Used For?
Cerberus may need to process personal data for various reasons which might include (but not be limited to):
- providing the core services of regulatory compliance consultancy;
- providing training services;
- performing due diligence checks and screening;
- complying with instructions, orders and requests from law enforcement agencies, regulatory bodies or any court, or as otherwise required by law;
- reporting tax related information to tax authorities;
- communicating with and disclosing information to third parties such as auditors and technology providers;
- updating and maintaining our records;
- providing information on our services;
- operation of our IT systems and infrastructure, including software and relevant business applications;
- administrative functions, including accounting, legal, risk management, IT and business support, and storage;
- maintaining the integrity of our software, systems, platforms, premises and communications;
- conducting checks and related actions to comply with our legal obligations relating to the detection, investigation and prevention of crime and to prevent the provision of services to persons subject to economic or other sanctions;
- communicating with our advisers for the purposes of obtaining advice;
- conducting business analytics and diagnostics; and
- managing, planning and delivery of our business strategy and marketing objectives.
Reasons (or Grounds) for Collecting Personal Data
Cerberus relies on the following lawful bases for processing your data:
- your consent to the processing;
- that the processing is necessary in order to perform a contract for professional services with you;
- that it is necessary for Cerberus to comply with a legal obligation; and/or
- it is necessary for the legitimate interests of Cerberus.
To the extent that any processing is based on your consent, you can withdraw that consent at any time.
Where we rely on legitimate interests, we can only process your personal data if your fundamental rights and interests do not override our own.
Our legitimate interests include:
- discharging our legal obligations effectively;
- complying with regulatory requirements; and
- evaluating, developing and improving our services, including marketing such services.
Where the processing is based on our legitimate interests, you can object to that processing at any time. If you object, we will stop processing your data, unless we can show you a compelling reason why the processing overrides your privacy rights, or where the processing is for the establishment, exercise or defence of legal claims.
We will only process your personal data for the purposes for which it has been collected, unless we reasonably consider that we require its use in another fashion, which is compatible with the original purpose. If we wish to use the data for a new purpose, you will be notified in advance and the legal basis for processing explained to you.
We may process your personal data without your knowledge or consent where required to do so by law.
Cerberus does not make decisions about you based on automated processing of your personal data.
Who is the Data Shared With?
We may share your personal data in limited circumstances, for example:
- with our IT or other service providers, auditors, accounting and legal professionals;
- with regulatory, supervisory, law enforcement or other governmental authorities, including courts, court-appointed persons/entities and administrators or liquidators;
- with our insurers;
- with professional bodies; and
- with tax authorities.
We enter into data processing agreements with all of our third-party service providers to ensure that they process your personal data with the equivalent level of security and confidentiality as we ourselves apply.
In certain circumstances we may also disclose your personal data to third parties who will receive it as controllers in their own right for the purposes set out above, in particular:
- if Cerberus transfers, merges, reorganises, purchases or sells any part of its business and it discloses your data to a prospective seller, buyer or third party involved in a business transfer, merger or reorganisation arrangement (including advisors); and
- if Cerberus needs to disclose your data in order to comply with a legal obligation, enforce a contract or to protect the rights, property and safety of its employees, clients or others.
Except as set out above, we will not disclose, transfer or sell your personal data to any third party without your express written consent.
Transferring the Data Overseas
The consultancy and other services that Cerberus offers are aimed at businesses based or operating in Guernsey. However, the processing of your data may be undertaken outside of the Bailiwick of Guernsey. For example, our servers are run on Microsoft Office 365 (https://products.office.com/en-gb/home), which has servers based in Europe, and our systems are backed up by Avepoint (https://www.avepoint.com/products/cloud/backup), an IT company based in the United Kingdom.
Insofar as processing may take place outside the Bailiwick, Cerberus will ensure that no transfer of your data takes place unless adequate safeguards exist to protect your data.
Should you have any questions in relation to transfers of data overseas, please contact our data protection representative, the contact details for whom are provided below.
How Long is the Data Kept?
Your personal data will be retained for the longest of the following periods (providing always that the data is required to be retained by law, contract or similar provision and its processing remains compatible with the purpose(s) for which it was collected):
- the duration of your relationship with Cerberus together with any statutory retention period applicable;
- the relevant prescription period applicable in order for Cerberus to establish or defend its legal rights or obligations, or to satisfy reporting or accounting obligations; or
- any applicable retention periods required by the Data Law or similar laws or regulation.
Our default policy is for data to be deleted after six and a half years, subject to any requirements above.
Cerberus is required by law to ensure that adequate technical and organisational security measures are in place to protect your data from unauthorised or unlawful processing, including accidental loss, damage or destruction.
All personal data held by us is stored on secure servers. We use strict procedures and security features to maintain the security of our systems and the personal data and other information stored in them. We take cyber-security very seriously and implement multiple different layers of physical and technological controls to prevent unauthorised access and to ensure data security, integrity and privacy.
Third Party Websites and Social Media
The Cerberus website does not link directly to social media services. However, you should be aware that social media services can track your browser across websites and build a profile of your interests.
Any information that you disclose in public forums becomes public information. You should therefore exercise caution when using these public areas and avoid posting any personal data on them. Any information that you communicate in these public places may be viewed and used by third parties, for example, to send you messages or to send you advertising.
Cerberus is unable to control the activities of third parties in public areas. Accordingly, if you disclose personal data in public spaces, you do so at your own risk. We recommend that you review the privacy policies of any relevant third parties before disclosing your personal data on their websites or platforms.
Note that Cerberus cannot guarantee the security of your personal data over the internet or via e-mail.
The Cerberus website is provided by Submarine Limited (https://submarine.gg/).
What are My Rights and How Can I Exercise Them?
Your rights in relation to your personal data may include the following rights in relation to the personal data Cerberus holds on you:
- the right of access: you may request access to the personal data that we hold about you;
- the right of rectification: you may require the rectification of any inaccurate personal data, to have incomplete personal data about you completed, or the erasure of your personal data if it is no longer required by us; and
- the right of portability: you may request that we transmit your personal data to another controller, where technically possible, by automated means.
Your rights in relation to your personal data are set out in full in sections 12 to 24 of the Data Law.
Please note that should you have any concerns over the processing of your data, you should contact our data protection representative, the contact details for whom are provided below. We will endeavour to resolve the issue as soon as possible. In the event you remain dissatisfied, and in any case, you have the right to complain to the Office of the Data Protection Authority, whose contact details are set out below:
Office of the Data Protection Authority
St. Martin’s House, Le Bordage, St. Peter Port, Guernsey GY1 1BR
Tel: +44 1481 742074
E-mail: [email protected]
Who Should I Contact?
If you have any questions about our use of your personal data then please do not hesitate to contact our data representative, Kerry Berchem, or indeed any of us via email at: [email protected] or by correspondence to Level 3, Victoria House, 29-31 High Street, GY1 2JX.
Cerberus (Guernsey) Limited