The Hatstone Group comprises a number of law firms and investment fund and corporate services businesses with offices in the Island of Jersey, the United Kingdom, South Africa, Panama and the British Virgin Islands (collectively the “Hatstone Group”). ‘Hatstone’ is the business name used by the various entities of the Hatstone Group.
The Hatstone Group respects your privacy and is committed to protecting your personal data. This Privacy Notice will inform you as to how we look after your personal data (including personal data in respect of individuals who are clients, intermediaries or other third parties or any individual connected to those parties) and summarises the key points about how we collect use, disclose, transfer and store your personal data, sets out your privacy rights and explains how the law protects you.
Should you have any questions on the content of this Privacy Notice or how we use your data, please contact us by email on firstname.lastname@example.org.
As mentioned above, the Hatstone Group is made up of different legal entities, details of which can be found here. This Privacy Notice is issued on behalf of the Hatstone Group so when we mention “Hatstone”, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant entity in the Hatstone Group responsible for processing your data.
We will let you know which entity will be the controller of your data and this will be set out in our letter of engagement with you. Where you make use of our website, this is provided and maintained by our Jersey law firm and our servers are located in Jersey which is a jurisdiction which the European Commission has deemed to be “adequate” in relation to data protection.
This version of our Privacy Notice was updated in June 2018. Historic versions can be obtained by contacting us. We may update our Privacy Notice from time to time.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
If you have any queries, require further information or wish to exercise any of the rights set out in this Privacy Notice, please contact us at email@example.com or contact our Data Privacy Manager, Stephen Wauchope.
You have the right to make a complaint at any time to the relevant data protection authority in the jurisdiction in which the services are being provided to you. We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority so please contact us in the first instance.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
We may also collect information about people connected to you such as family members or business connections.
Where we need to collect personal data by law, for example to comply with anti money laundering and know your client legislation, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you and, in this case, we may be unable to act for you and provide you with our services but we will notify you if this is the case at the time.
We use different methods to collect data from and about you including through:
Where you contact us through our website by sending an email to firstname.lastname@example.org or email@example.com email addresses any personal information which you provide to us will be collected and may be shared amongst our offices. In respect of any potential job applicants, information may be collected from a number of sources and may include CVs, education and employment history, references and background checks. We will use this information to assess your suitability for any vacancy and to determine how to progress your application. This information will typically be retained on our systems for up to six months after which time it shall be destroyed unless we have a legitimate reason for retaining your information for a longer period.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the Privacy Notice of every website you visit.
If you attend our offices and connect to our guest wifi you should be aware that we may receive information relating to your device. While we do not routinely collect or analyse this information such information will be retained on our systems and we may receive information relating to websites that you visit and the name of your device. We will not have access to any emails that you send.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Generally we do not rely on consent as a legal basis for processing your personal data save in respect of matters where we collect data relating to Criminal Charges, Convictions or Offences or other than in relation to sending third party direct marketing communications to you via email or text message. We will only send this type of communication to you if you have provided us with your express consent. You have the right to withdraw consent to marketing at any time by contacting us. Please do so by emailing our Data Privacy Manager at firstname.lastname@example.org.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Please note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Lawful basis for processing including basis of legitimate interest
Anti-money laundering information for prospective and existing clients
The processing is necessary to comply with our legal obligations under the anti-money laundering and know your client legislation.
To take you on as a client and provide legal services to you
To process personal data for the purpose of providing legal services where the processing is necessary for legal proceedings, the obtaining of legal advice or establishing, exercising or defending legal rights; To fulfil the contract we have entered into with you to provide legal services; or The processing is necessary to pursue our legitimate interests in a way which can be reasonably expected as part of running our business and providing legal services.
To take you on as a client and provide corporate administration services to you
To process personal data for the purpose of providing corporate administration services to you; To fulfil the contract we have entered into with you to provide legal services; or The processing is necessary to pursue our legitimate interests in a way which can be reasonably expected as part of running our business and providing corporate administration services.
To process and deliver invoices and collect payments from you in connection with our fees for services rendered
The processing is necessary for the performance of our contract with you; and It is necessary for our legitimate interests (to recover debts due to us).
To comply with all legal, regulatory and ethical obligations which the Hatstone Group is required to take into account
It is within the legitimate interest of the Hatstone Group to process data to the extent necessary to ensure we meet all legal, regulatory and ethical obligations; and The processing may also be necessary for to allow the Hatstone Group to comply with a legal obligation.
Internal know-how and training
The Hatstone Group must provide internal know-how and staff training in order to ensure its staff members comply with their obligations to regulators and the Hatstone Group has a legitimate interest in processing data for this purpose. Where possible, personal data will be redacted prior to processing.
To establish exercise or defend the rights of the Hatstone Group in relation to any complaints we receive or in connection with any legal proceedings in which we may be a named party or in which we wish to bring against another third party
It is necessary for our legitimate interests.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We may have to share your personal data with the parties set out below for the purposes set out in the table above:
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We operate in a number of jurisdictions across the world such as South Africa, Panama, and the British Virgin Islands.
When we share your personal data within the Hatstone Group, this may involve transferring your data outside the European Economic Area (“EEA”). The Hatstone Group operates a global Data Protection Policy and we ensure your personal data is protected by requiring all our group companies to follow the same rules when processing your personal data to ensure a similar degree of protection is afforded to your data across all offices.
In certain circumstances we may also transfer your data to third party service providers who support the operation of our business (such as providers of software and cloud computing services) and who may be located outside the European Economic Area. In relation to jurisdictions in which the European Commission has recognised an adequate level of protection, we will rely on this finding. If no such recognition has been provided then we would seek to ensure that your data is adequately protected for example where the European Commissions Standard Contractual Clauses can be used, the entity is Privacy Shield certified, or we can rely on an appropriate derogation which may include the provision of legal advice.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. The Hatstone Group policy is to retain personal data in relation to a client matter for so long as may be required by data protection laws and other regulatory requirements (in the local jurisdiction where services were provided) on conclusion of that matter.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
Requesting access to your personal data (commonly known as a “data subject access request”) enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in certain circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within four weeks. Occasionally it may take us longer than four weeks if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Requesting correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Requesting erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Objecting to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Requesting restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Requesting the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdrawing consent where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Legitimate Interest Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We may use your data in pursuing our legitimate interests in carrying on the business of a legal firm. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.