Privacy Notice (Clients)

This Privacy Notice (the “Notice”) explains what personal data the Suntera Global group of companies (“Suntera”, “we”, “us”) will collect from you and how we will use that personal data during the course of our providing services to you. We are committed to being transparent with you regarding our use of your personal data and encourage you to contact us via the details provided below should you have any concerns.

This Notice applies to the Suntera Global group of companies and is intended to cover our handling of personal data across the jurisdictions in which we operate and from which we deliver services.

Your personal data is collected, retained and processed in accordance with applicable data protection law, including the GDPR as applied in our operating jurisdictions and, where relevant, the UK GDPR and the Data Protection Act 2018 (“DP Laws”).

For the purposes of DP Laws, the ultimate Data Controller is Suntera Group Limited, a company incorporated in the Isle of Man with a registered office address at: Peveril Buildings, Peveril Square, Douglas, Isle of Man, IM99 1RZ. Suntera Group Limited is registered with the Isle of Man Information Commissioner under registration number R001070.

For a complete list of our Global registrations, please see Appendix A.

If your query relates to your services or your relationship manager, you can also contact your usual Suntera representative. For data protection queries, contact the Data Protection Officer using the details below:

Data Protection Officer and Information Governance Team
Email: dataprotection@suntera.com
Address: Peveril Buildings, Peveril Square, Douglas, Isle of Man, IM99 1RZ

Depending on the services and your relationship with us, we may collect the following categories of personal data.

• Identity and contact details: name and contact details including business and residential address, email and phone
• Personal details: date of birth, nationality and identification information
• Professional information: job title, directorships, employment history and relevant registration numbers where applicable
• Due diligence information: source of wealth and source of funds and related onboarding information
• Financial information: bank details where relevant to providing services
• Compliance screening information: PEP status and sanctions screening and related risk assessment information
• Civil and Criminal convictions information: where required and permitted by law
• Special category data: in limited cases where necessary and permitted by law

Directly from you

• When you complete our application forms or provide details as part of our onboarding process
• Through correspondence, whether by email, post, telephone or in person
• When you supply identification documents or other verification materials
• By responding to our requests for information necessary to deliver services or meet regulatory obligations
• When you provide feedback or raise queries relating to our services
  

 From your organisation or authorised representatives 

• We may receive information about you from your employer or the organisation you represent, for example when they provide your contact details as a point of contact or as part of an account setup
• Data may be shared by colleagues or managers acting as your authorised representatives, such as when submitting documentation or correspondence on your behalf
• We may obtain updates regarding your role, responsibilities, or authorisation status from your organisation for account maintenance or compliance purposes
• Your organisation or representatives might also provide us with verification or identification documents as part of regulatory requirements or onboarding procedures

 From third parties and publicly available sources 

• We may obtain information about you from third-party service providers, such as credit reference agencies, identity verification providers, background check providers, or fraud prevention organisations
• Details about you might be collected from regulatory bodies or government agencies, for example to verify your professional credentials or to confirm compliance with legal requirements
• We may access publicly available sources, including company registries, social media platforms, or official websites, to confirm your identity or gather relevant business information
• Information may also be received from business partners, suppliers, or other organisations we work with, particularly where such data is required to deliver our services or meet regulatory obligations
• We may review published press articles or industry reports that mention you or your organisation, where this is relevant to our relationship or services provided

We may also receive personal data about you as part of a merger, acquisition, sale, purchase, restructure, transfer of business, transfer of client relationships, or other corporate transaction involving Suntera or another organisation.

Some personal data is required to enter into and perform our client service agreement and to meet legal and regulatory obligations such as due diligence and risk assessments. If you do not provide the required information, we may be unable to onboard you, provide the services, or continue the relationship.

We process your personal data for the following purposes and on the following lawful bases.

Explanation of legal bases and what they mean for you:

• Contract: We need certain personal data to enter into and perform our agreement with you and to deliver the services you request.
• Legal obligation: We must process certain personal data to comply with legal and regulatory requirements, including due diligence and risk assessments.
• Legitimate interests: We may process personal data where it is necessary for our legitimate business interests, such as maintaining internal records, managing client relationships, improving services, and ensuring the security of our systems, provided your rights do not override those interests. Where we rely on legitimate interests, we complete and keep a record of a legitimate interests assessment that balances our interests against your rights and expectations.
• Consent: Where we rely on consent, this is typically for marketing communications. You can withdraw consent at any time. This will not affect the lawfulness of processing carried out before you withdraw consent.

Special category data and criminal convictions information
We process special category data and criminal convictions information only where necessary, where permitted by applicable law, and typically in connection with regulated services, compliance requirements, and risk management.

For the United Kingdom, where special category data or criminal convictions information is processed for anti-money laundering and compliance purposes, we rely on conditions in the Data Protection Act 2018 Schedule 1, Part 2, Paragraph 2(2)(a) (prevention or detection of unlawful acts) and Paragraph 2(2)(b) (compliance with regulatory requirements).

We may share personal data with:

• Other companies within the Suntera group of companies, where this is required to provide services, deliver group wide support functions, or manage risk and compliance on a group basis;
• Third party processors and service providers who act on our instructions to support service delivery and business operations (including IT and hosting, secure communications, document management, and administrative support services);
• Professional advisers who support us in providing services and meeting our obligations (including legal, audit, tax and compliance advisers);
• Due diligence, identity verification and screening providers used for onboarding, ongoing monitoring and risk assessments (including sanctions and PEP screening);
• Financial institutions and other counterparties where required for the provision of services and the operation of client structures;
• Credit reference and information providers where relevant and lawful;
• Prospective purchasers, sellers, successors, investors, funders, and professional advisers where this is necessary in connection with a proposed or completed merger, acquisition, disposal, restructure, transfer of assets, transfer of client relationships, or other corporate transaction; and 
• Regulators, law enforcement, courts and other authorities where required by law, regulation or enforceable request.

Where third parties process personal data on our behalf, they do so on our instructions and are subject to contractual obligations covering confidentiality, security and permitted use.

Where we transfer personal data outside the United Kingdom, the European Economic Area or another jurisdiction that has been recognised as providing an adequate level of protection, we put in place appropriate safeguards. These may include the UK Information Commissioner’s Office International Data Transfer Agreement or the UK Addendum to the European Commission Standard Contractual Clauses, or another method recognised by applicable law.

In addition, for restricted transfers from the United Kingdom we complete a proportionate Transfer Risk Assessment to consider the legal and practical risks in the destination country and apply additional controls where appropriate.

We keep personal data only for as long as necessary for the purposes described in this Notice. We set and document retention periods by considering legal and regulatory requirements, contractual obligations, limitation periods, and the nature and sensitivity of the data. Where records are held for regulatory purposes, retention may be required for longer periods in line with the applicable rules and guidance.  Any information destroyed is done so in a safe and secure manner.  For further information on your data retention and destruction, please contact the Data Protection Officer using the details below.

We implement a range of robust technical and organisational measures to safeguard your data against misuse, loss, unauthorised access, alteration, or disclosure. Our technical controls include the use of up-to-date encryption technologies to protect data both in transit and at rest, secure firewalls and intrusion detection systems to monitor for potential threats, and regular security testing to identify and address vulnerabilities. Where we use third-party systems or service providers, we require that they also maintain appropriate safeguards and controls to ensure the security and confidentiality of your data.

To support these measures, we provide essential training to all staff on data protection and information security practices, ensuring they understand their responsibilities and remain vigilant in protecting your personal data. We provide regular data protection and information security training to all employees to help everyone understand their responsibilities and to ensure we protect personal information properly. This training covers key topics such as handling personal data safely, recognising potential risks, and understanding how Suntera meets its legal obligations.

Organisationally, we ensure that only those individuals who require access to personal data for legitimate business purposes are granted such access, and all staff are required to comply with strict confidentiality and data protection obligations. In addition, we have established clear procedures for managing and responding to potential data breaches. Our approach is designed to ensure that your information remains secure throughout its lifecycle, from collection to secure destruction or anonymisation when no longer required.

You have rights in relation to your personal data, including the right to be informed, access, rectification, erasure (where applicable), restriction, objection (including to direct marketing) and data portability (where applicable). To exercise your rights, please contact your usual Suntera representative or the Data Protection Officer using the details above. Any request to exercise any of your rights may be subject to your providing acceptable proof of identification, if required for us to ensure that the request has come from you.

You have the following rights under data protection law:

Right to access (subject to exceptions): You have a right to request access to the personal data we hold about you and to receive information about how we use it, subject to statutory exceptions.

Right to be informed: You have a right to clear information about how your personal data will be used. For example, receiving details when registering for a new service.

Right to rectification: You have a right to request corrections if your personal data is inaccurate or incomplete, such as updating a misspelled detail in your records.

Right to erasure (subject to local law): You have a right to ask for your personal data to be deleted when permitted by law, for instance, requesting that your account and records are removed.

Right to restrict or object to processing: You have a right to limit how your data is used, such as temporarily stopping marketing communications while a concern is reviewed.

Right to data portability (where applicable): You have a right to receive your personal data in a portable format to share with another provider if you wish.

Right to lodge a complaint with a supervisory authority: If you think your data protection rights have been breached, you can complain to the data protection authority.

Contact for all rights requests: dataprotection@suntera.com

We use approved AI assisted tools within our Microsoft 365 environment to help draft, search and summarise business content. These tools operate within our enterprise service boundary, are governed by our AI Acceptable Use Policy, and are supported by appropriate data processing terms. We do not allow these tools to use client data to train public models, and we do not make decisions that have legal or similarly significant effects based solely on automated processing. Human review and accountability apply in all cases.

We do not use automated decision making that produces legal or similarly significant effects based solely on automated processing.

In certain engagements, we act as a data processor by handling personal data strictly on behalf of a client who serves as the data controller. This means we process personal data solely based on the client’s documented instructions, ensuring we do not use the data for any other purpose. We implement robust technical and organisational security measures to protect the data against unauthorised access, loss, or misuse. Where individuals exercise their data protection rights, such as access, rectification, or erasure, we support the client in responding to these requests, provided it is appropriate and permitted by law.

Furthermore, should a personal data breach occur, we promptly notify the relevant client and, if necessary, assist them in meeting any legal obligations to inform affected individuals or regulatory authorities. This approach aligns with our commitment to data privacy and compliance with applicable data protection laws and contractual requirements.

By agreeing to this Notice, and only where you have provided your express consent, we may from time to time send you promotional communications in respect of services offered by the wider Suntera Group of companies which we feel may be of interest to you.  If at any time you wish to opt-out, you can do so by e-mailing the Group’s Data Protection Officer or by clicking the unsubscribe link on the respective email communication.

You have the right to make a complaint about how your personal data is processed. We hope that you will make any complaints to us directly in the first instance to allow us to attempt to resolve any issues, however, if you are not satisfied with this, you can complaint to the supervisory authority in the jurisdiction where you are based or to the appropriate supervisory authority in the jurisdiction from which we provide you services. 

Supervisory authority contact details may change. The information below is provided for convenience and you can also refer to the relevant authority website for the latest contact details.

• Isle of Man: http://www.inforights.im
• Jersey: https://jerseyoic.org
• United Kingdom: https://ico.org.uk
• Guernsey: https://odpa.gg
• Cayman Islands: https://ombudsman.ky/data-protection
• Hong Kong: https://www.pcpd.org.hk
• Bahamas: https://www.bahamas.gov.bs
• Luxembourg: https://cnpd.public.lu/en.html
• Singapore: https://www.pdpc.gov.sg/

We may change this Notice from time to time by updating this page. You should check this page regularly to ensure that you are happy with any changes.

Personal Data: information relating to an identified or identifiable individual

Special Category Data: personal data revealing health, ethnicity, political opinions, religious beliefs, or similar

Controller: the organisation that decides why and how personal data is processed

Processor: the organisation that processes personal data on a controller’s instructions