DATA PROTECTION POLICY AND PRIVACY NOTIFICATION

Who is responsible for your data

Steadfast Trustees Limited t/a Steadfast Corporate Services (“Steadfast” / “we” / “us”, “our”) is registered with the Gibraltar Regulatory Authority both as Data Controller and Data Processor and controls and processes personal information, 

The term “personal data” refers to information that relates to you and allows us to identify you, either directly or in a combination with other information that we may hold. The below sets out the way Steadfast collects, stores and otherwise uses your personal data and the reasons for doing that. 

Types of personal data we collect

Steadfast collects personal data from you at various points during the period in which we supply services either to you as an individual, a corporate entity and/or trust vehicle in which you have an interest. We may collect and process the following categories of information about you (please note this list is not exhaustive):

Category of Personal Information

Description


Personal Identifiers


Title, Name, Surname, Gender, Data of Birth

Contact


Permanent Residential Address, Correspondence address, Home/Mobile/Work phone number and E-mail address


Social Demographic

Employment, Earnings, Nationality, Country of Birth, City of Birth, Country of issue of Identity card/ Passport, Politically Exposed Person (“PEP”) classification and Tax residency 


Documentary Data

Details about you that is stored on documents in different formats, or copies of them. This may include documents such as Passport, Drivers licence, Birth certificate or Bank Statements


Social relationships

Marital status


Financial Data

Bank accounts, payment card details


National Identifier

A number or code given to you by a government to identify who you are, such as a national insurance number, passport number or tax identification Number


Behavioural

Risk profile, nominated beneficiaries linked to death benefits

You may also provide further information (either on request or voluntarily) by email, post, in face-to-face meetings or by phone. Finally, your appointed tax advisor, lawyer, bankers, financial adviser/intermediary may also pass on information to us which you have provided to them and which relates to the administration of our services.

How Steadfast collects your personal data

We collect information from our applicants and clients predominantly through our application form but also through any subsequent interactions with you.

We use different methods to collect data from and about you including through:

The above lists under each method are not exhaustive.

Why and how Steadfast uses your personal data

Steadfast uses your personal data for the following purposes:

Steadfast does not use systems to make automated decisions based on personal data collected.

How long will Steadfast retain your personal data

Steadfast will keep your personal data during the period in which we supply services to your company or trust, and potentially up to 12 years once our services have ceased, for the following reasons:

Steadfast may be required to keep your personal data for longer than 12 years if it cannot be deleted for legal, regulatory or technical reasons. Steadfast may also keep your personal data for research or statistical purposes. In these circumstances, appropriate measures will be established to ensure your privacy is protected, and the personal data is only used for the purposes intended.

Sharing your personal data

Steadfast might share your personal data with others, in limited circumstances. Predominantly that sharing is carried out in order to ensure that our services are provided and administered successfully and in compliance with our regulatory and professional obligations. Your personal data may be shared by Steadfast as follows:

Sharing your personal data internationally (outside of the European Union “EU” and European Economic Area “EEA”)

As set out above, we will share your information with third parties (including investment providers and your financial adviser/intermediary). As such, this will involve transferring your personal data internationally, including transfers outside the EU or EEA.

Steadfast will take steps to ensure that the transfers outside EEA are legitimate and, in these circumstances, agreements which include the EU standard model clauses will be put in place between Steadfast which is transferring the data and those entities operating outside the EEA who are receiving the data. The receiving entities will be mainly your bankers, lawyers, accountants, tax advisors or other nominated professionals, investment providers and financial advisers/intermediaries.

Steadfast will only share your personal data outside of the EU or EEA where the European Commission has decided that the third country where your data will be shared provides an adequate level of protection However, in instances where the third country is not considered to have adequate levels of protection, Steadfast will transfer your personal data only after taking the appropriate safeguards and ensuring that you are able to resort to legal remedies if necessary.

Security of your personal data

Steadfast have in place appropriate security measures to prevent your personal data from being accidently lost, used or accessed in an unauthorized way, altered or disclosed.

There are inherent risks involved when transmitting personal data by post, email, and phone, however Steadfast takes reasonable steps to limit these risks by adopting the appropriate technical and organisational measures in order to protect and secure your personal data against unauthorised or unlawful processing and against accidental losses, destruction and/or damage.

Employees of Steadfast will be sufficiently trained to ensure that your personal data is always processed with due care. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Steadfast will ensure that when your personal data is shared, it is done is a secure manner, using and adopting appropriate organisation measures such as encryption.

As described above, where we disclose your personal data to third parties, we will require that the third party has appropriate technical and organisational measures in place. However, in some instances where we are compelled by law to disclose your personal data, we may have limited control over how it is being protected by that party.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

Your legal rights

Lawful processing

In addition to our Data Protection and Privacy Notification statement, your privacy is protected by law.

Steadfast are legally only allowed to collect and process personal data where there exists a proper reason to do so. The law says Steadfast must have one or more of these reasons:

Below is a list of ways in which we may use your personal data, which of the reasons we rely on to do so, and what our legitimate interests are (this is not an exhaustive list): 

Why we use your information

Our Reasons

Our Legitimate Interest

  • To manage our relationship with you. 
  • To develop new ways to meet our clients’ needs and grow our business.
  • To provide guidance about our products and services.
  • Your explicit consent
  • Fulfilling contractual obligations
  • Our legitimate interests
  • Our legal duty
  • Keeping our records about you up to date.
  • Seeking your consent when we need it to contact you.
  • Being efficient about how we fulfil our legal obligations.


  • To deliver our products and services.
  • To make and manage entity/customer payments.
  • To manage fees, charges and interest due on entity/customer accounts.
  • To collect and recover money owed to us.


  • Fulfilling contractual obligations
  • Our legitimate interest
  • Our legal duty
  • To develop products and services and what we charge for them.
  • Being efficient about how we fulfil our legal and contractual duties.


  • To detect, investigate, report and seek to prevent financial crime.
  • To manage risk for us and our customers and their entities we support.
  • To comply with laws and regulations applicable to us.
  • To respond to complaints and seek to resolve them.


  • Fulfilling contractual obligations
  • Our legitimate interest
  • Our legal duty
  • To develop and improve how we deal with financial crime, as well as doing out legal duties in respect.
  • Comply with regulations applicable to us.
  • Being efficient about how we fulfil our legal and contractual duties.
  • To run our business in an efficient manner by managing our business capability, planning, governances, communications and audit.
  • Our legitimate interest
  • Our legal duty
  • Comply with regulations applicable to us.
  • Being efficient about how we fulfil our legal obligations and contractual obligations.

Steadfast does not intentionally collect personal data that could reveal your racial or ethnic origin, physical or mental health, religious beliefs or alleged commission or conviction of criminal offences. Such information is considered “sensitive personal data”. Steadfast will only collect this information where one of the above reasons is satisfied. We cannot prevent you or your bankers, lawyers, accountants, tax advisors, financial advisers/intermediaries from disclosing the same to Steadfast as part of your correspondence with us but you should ensure that such information is only provided where it is absolutely necessary and in circumstances where you would be content for us to use it in the manner described above.

Right to access your personal data

You also have the right to request access to the personal data that we hold about you. Should you wish to request a copy of your personal data, or have any questions in relation to your personal data, please contact Steadfast.

Requests for access to your personal data will be processed free of charge. However, if we deem that requests for access are being made in a frequent, excessive and repetitive manner or on an unfounded basis, Steadfast reserves the right to charge a reasonable fee to meet our administrative costs.

Right to stop Steadfast from using your personal data

You have the right to object to Steadfast using your personal data, or ask Steadfast to delete, remove or stop using your personal data.

There may be legal or other official reasons why Steadfast needs to keep or use your data.

You also have the right to restrict Steadfast from using your data. This means that your personal data can only be used for certain things such as legal claims or in order to exercise legal rights. During such instances, Steadfast will not use or share your personal data in other ways.

You may ask Steadfast to restrict processing your personal data if it is not accurate, it has been unlawfully used but you don’t want Steadfast to delete it, it is not relevant anymore but you want Steadfast to keep it for use in legal claims, or you have already asked Steadfast to stop using your data but you’re waiting for confirmation as to whether Steadfast are allowed to use it.

Right to withdraw your consent

You have the right to withdraw your consent. Please contact Steadfast if you wish to do so.

Where consent is the only lawful basis upon which your personal data can be processed, withdrawing your consent may mean Steadfast cannot provide you with a full service. If this is the case, Steadfast will clarify this to you.

Right to rectify inaccurate personal data

You have the right to question any personal data we have about you that you think is wrong or incomplete. Should you do so, Steadfast will take reasonable steps to check the accuracy of all information held, and correct it where necessary.

Right to complain

Please let us know if you are unhappy with how we have used your personal data. Our contact details for all complaints can be found on our website (www.steadfast.gi ).

You also have the right to complain to the Gibraltar Regulatory Authority who are the nominated Data Protection Commissioner for Gibraltar. Please refer to their website for details of how to report a concern. (http://www.gra.gi/data-protection)

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within [1] one month. Occasionally it may take us longer than this if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Updates to this Policy

We will occasionally update this Policy to reflect changes in the applicable Regulation, and/or relevant legislation as well as both company and customer feedback. We will contact you to inform you of the same whilst the revised Policy can be found on our website. (www.steadfast.gi)

Download this Privacy Policy