Data confidentiality and security are at the heart of all that we do, and Cains is committed to protecting the personal data that we collect about you and that you provide to us in the course of our business.
In this Privacy Notice we describe the personal data that we may collect about you, how and why it is processed by us, and the rights you have in relation to that data and our processing of it.
“Cains” (including “we”, “us” or “our”) refers to the Cains Group of companies, including Cains Advocates Limited, Cains Corporate Services Limited, Cains Holdings Limited, CCS Searches Limited, and Cains Listing Services Limited.
This Privacy Notice applies to the processing of your personal data if you are:
- a client/prospective client of Cains or an employee of a client/prospective client;
- a transaction counterparty or litigant in legal proceedings involving a client/prospective client;
- a supplier/subcontractor/service provider or an employee of a supplier/subcontractor/service provider;
- a business contact;
- a visitor to our offices;
- a visitor to our website; or
- a recruitment applicant.
When we refer to “processing” of your personal data, this means anything we do with that data, whether or not by automated means, such as collection, recording, storage, alteration, use, disclosure, erasure or destruction.
2. Data Controller
A data controller is the person or entity that determines the purposes for which personal data is processed and the way in which this is carried out.
The Cains Group controls the collection and processing of any personal data that you provide to us through or in relation to the Cains website or which we obtain from public sources. The specific entity, which is responsible for the processing of your data, i.e., the Data Controller, will be the group company or companies providing services to you (or to whom you apply for employment, as applicable). You can check this in our terms and conditions or request further details using the information below. This Notice applies to all companies within the Cains Group of companies, which is located at:
Isle of Man,
Telephone: (+44) 1624 638300
If you have any questions or enquiries you can also email our Data Protection Officer at firstname.lastname@example.org.
3. Personal data we collect about you
Personal data includes any information about you that may be used by us to identify you, directly or indirectly. The personal data that we collect and the way in which we collect it depends upon our relationship with you.
The categories of personal data we collect about you may include:
Contact data including your name, residential/work address, email address, and telephone numbers;
Biographical data such as your employer and job title, and for job applicants’ education and employment history, professional qualifications, nationality, immigration and work permit status;
Identity data including your date of birth, ‘selfie’ photographs, gender, passport, driving licence or other identification documents;
Billing data including your bank account details, billing address, and payment history;
Services data such as details of services we have provided to you, or you have provided to us;
Marketing and communications data including marketing and communications preferences and events attendance;
Website usage data about your visit to our website and how you interact with it; and
Technical data collected when you visit our website, including your domain name, browser, operating system and platform, IP address and location.
Special categories of personal data include information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation, as well as genetic and biometric data, and will only be collected in limited circumstances, for example where the information is relevant to the client services we are providing to you or you need to provide us with information about your health or physical limitations for incidental purposes. We may also process special category personal data in connection with recruitment, for instance to make adaptations for access to premises or to our processes where you have additional needs.
We may also collect information about your criminal convictions and offences if these are relevant to the client services we are providing or as part of our recruitment process.
We do not provide services directly to children or proactively collect their personal information. However, we may sometimes collect information about children where this is relevant to our client services, for example where we are acting on behalf of a Trust, the beneficiaries of which may be children. The information in the relevant parts of this notice applies to children as well as adults.
4. How your personal data is collected
Most of the data that we collect about you we will ask you to provide to us voluntarily.
In some circumstances we may collect additional personal data about you from publicly available sources, such as public registers or other public sources including those accessible online.
Cains utilises an identification and verification system called ID-Pal to securely collect, through its online portal, the necessary identity data and supporting documents from their clients, and other stakeholders. ID-Pal uses independent sources to verify the information and documentation provided. As the Data Controller, Cains determines why, what and how your information is collected, used, shared, retained and under what lawful basis it is processed; ID-Pal as its Data Processor, is expressly obliged to comply with the instructions of Cains.
We may also collect additional data from third party sources such as our clients, regulators, governmental or other authorities, or other companies that provide services to us.
Information supplied to us by a client may include personal data that relates to individuals who are relevant to the instructions we have received, and who for reasons of confidentiality we cannot approach in order to provide them with this Privacy Notice. If you supply us with the personal data of individuals who are not aware of our role in processing their personal data, and with whom we will not have direct contact, you must ensure that the individuals have been provided with the relevant notices in relation to our services.
If you choose not to provide information to us where we have a legal requirement to collect personal data (for example, where required by anti-money laundering legislation), or where the information is required in order to enter into a contract with you, we may not be able to provide the services you have requested from us.
5. How we use your personal data
We will only use your personal data where we have a lawful basis for doing so. When we collect and use your personal data, we will rely on one of the following grounds.
Legal obligation – where we have a legal or regulatory obligation to collect or use your personal data, for example carrying out client due diligence checks or keeping records of our transactions with you.
Performance of a contract – where we require the information in order to be able to enter into a contract to which you are a party, or we process information at your request prior to entering into a contract.
Legitimate interests – where we have deemed the processing to be necessary for the purposes of our business interests (or those of a third party), and these are not overridden by your rights or fundamental freedoms.
Consent – where you have given consent to our use of your personal data for one or more specific purposes. In such circumstances, we will provide appropriate information about the processing to enable you to make an informed choice and will ask you to confirm your wishes so that these are respected.
You can see more detail on the purposes for which we use your personal data here.
6. Sharing your information
We will only share personal data when we are legally permitted to do so. We may share information with the following categories of recipients in accordance with the purposes for processing set out in this Privacy Notice:
- Other members of the Cains Group, in accordance with the data sharing agreements we have in place;
- Sub-contractors, agents, professional advisers or service providers such as information technology providers, auditors, consultants, insurers, bankers, analytics providers and event hosting services;
- Regulatory, governmental and other authorities, where we are required by law to do so;
- Other legal or professional advisers, agents or third parties, if required in relation to a specific matter or services that you have instructed us to provide;
- Registrars of a public register, where the data is to be held in a registry; or
- Otherwise in accordance with your specific instructions and with your consent.
We may also share high level aggregated and statistical data with other third parties in the context of a possible sale or restructuring of the Cains Group.
Where we share your data with other parties, we do not allow recipients to use your data for their own purposes, and will only permit them to use your data in accordance with our instructions. We require that any recipient of your personal data complies with our data protection, confidentiality and security standards as well as with applicable laws and regulations.
Your personal data will not be transferred to a recipient outside of the European Union or a country determined by the European Commission as providing an adequate level of protection for personal data unless you have instructed us to do so.
Personal data and supporting documents provided through the ID-Pal portal are secured in a Cains controlled mailbox within the ID-Pal system. All information held in this mailbox is encrypted while in transit to Cains. Data retained in this mailbox is ‘geolocked’ to Dublin and/or Frankfurt.
7. Data security and retention
The information we collect about you is stored under our control and with our selected archive and data backup service providers.
Access to internal data servers is limited to specialist personnel and is controlled using defined policies. We have put in place appropriate technical and organisational measures to safeguard your personal data, considering the nature, scope, context and purposes for which we use your personal data. These measures are kept under regular review.
ID-Pal uses Amazon Web Services in Europe as their storage and security provider. Personal data and supporting documents provided through the ID-Pal portal are retained in the secure, Cains controlled, mailbox within the ID-Pal system, until all validation and remediation work has been satisfied by Cains. On transferring the validated client due diligence to Cains’ client record management system, the data will be manually and permanently deleted from the ID-Pal system by Cains. In any event, data may only be retained in this mailbox for 30 days, before the ID-Pal system automatically and permanently deletes the contents of the box.
Cains will only retain your personal data for as long as is necessary, considering relevant laws and regulations and our data retention criteria.
8. Your rights
You have certain rights over your personal data that we use, and these are outlined below. You may exercise your rights at any time.
Right of access – you have the right to be provided with a copy of any personal data we hold about you, subject to certain restrictions (for example, where the information is subject to legal privilege).
Right to rectification – if the information we hold about you is inaccurate or incomplete, you have the right to have that information corrected or supplemented.
Right to deletion – you can request us to delete any personal data that we hold about you. While we are not obliged to comply with this in all circumstances, we will carefully consider every request for deletion of data and will inform you to what extent we are able to comply.
Right to restrict processing – you have the right to request that we restrict processing of your data in certain circumstances:
- If you dispute the accuracy of the personal data we hold;
- If you believe we are processing your personal data unlawfully, but do not wish us to delete it;
- If we no longer need to hold your data, but you require us to do so to establish, exercise or defend a legal claim; or
- If you object to our processing of your personal data based on our legitimate interests, pending resolution on this point.
Right to data portability – if our processing of your personal data is based on performance of a contract or consent, and is carried out by automated means (such as completing an online form or providing information via our website), you can request a copy of your personal data in a commonly used and machine-readable format.
If you have any questions, or if you wish to exercise any of your rights, please email us at email@example.com, or you may use the contact details in Section 2. We may request proof of your identity in order to protect your privacy and ensure that we do not disclose your personal data to anyone else.
We aim to respond to all legitimate requests within one calendar month, however we may extend this if your request is particularly complex, or if you have submitted a number of requests. In this case, we will notify you as soon as we are aware that an extension will be required, and will keep you updated of our progress.
We do not charge a fee for responding to a request to exercise one or more of your rights, however where a request is manifestly unfounded or excessive, in particular because of its repetitive character, we may choose to charge a reasonable fee.
If you have any concerns or want to complain about our processing or retention of your personal data you can email our Data Protection Officer directly at firstname.lastname@example.org, or you may use the contact details in Section 2.
If you are not satisfied with our response you may also make a complaint to the the Isle of Man Information Commissioner:
First Floor, Prospect House
Isle of Man
Telephone: (+44) 1624 693260
We would encourage you to raise any concerns you may have with us initially, so that we can try and resolve these for you.