How we collect and use your personal information
As an investor in a fund or product of which HSBC Management (Guernsey) Limited is a ‘data controller’ (as defined under the General Data Protection Regulation ((EU) 2016/679) (GDPR) and The Data Protection (Guernsey) Law, 2017 (the Data Protection Law)) we are responsible for deciding how we hold and use personal information about you. We may collect and use personal information about you or individuals connected with you eg; your directors, employees and/or agents.
This notice explains how we will use that information, who we might share it with, and what steps we’ll take to make sure it stays private and secure. This notice continues to apply even if your agreement with us ends.
This notice applies to any personal data we receive from you, create or obtain from other sources and explains how it will be used by us. If we’ve provided you with separate or further information about how we collect and use your personal information for a particular product or service, those terms will continue to apply to that service. If you interact with HSBC in a different context, eg as a banking customer or in a country outside the EU, separate terms will apply to that interaction.
It is important that you take the time to read and understand this notice so that you understand how we will use personal information relating to you, your directors, employees and/or agents and the applicable rights in relation to that personal information.
Before we begin
Wherever we’ve said ‘you’ or ‘your’, this means any individual who deals with us and if you are acting on behalf of a company, trust or pension fund for and on behalf of that company, trust or pension fund. (eg directors, employees, consultants, agents) or other people connected to your account. This notice only applies to information about individuals and not to information which is solely related to companies, trusts or pension funds.
Wherever we’ve said ‘we’ or ‘our’, this includes HSBC Management (Guernsey) Limited and other companies in the HSBC Group. For the purposes of data protection law, HSBC Management (Guernsey) Limited is the data controller in relation to your information.
What information we collect
The information we collect or have about you might come from different sources. It may include information relating to any of our investment products or services (including any you may have applied for by completion of an application form, subscription agreement (or equivalent), or held previously) or information we generate to improve our service and to manage, administer and take decisions about your account. Some of it will come directly from you, for example, client due diligence documentation or other correspondence by you with us by phone, email or otherwise. Some of it might come from other HSBC companies. Some of it we might find from publicly available sources which we have lawfully accessed. Some of it might come from third parties or other organisations (eg fraud prevention agencies). Some information may be the result of combining different sets of information. We sometimes also record telephone conversations and monitor e-mail communications to resolve complaints, improve our service and in order to comply with our legal and regulatory requirements.
This information may include:
- Information that you provide to us. This includes:
- information about you that you give us when completing an application form, subscription agreement (or equivalent) with us, applying for shares or units in any fund, or by communicating with us, whether face-to-face, by phone, e-mail, or otherwise. The information you give us may include your (and/or if applicable, your financial adviser or employee’s) name, address, e-mail address and phone number, financial and tax status;
- information concerning your identity (eg passport or identification information);
- Information we collect or generate about you. This includes:
- client relationship information, payment and trade transactions information and other financial information;
- geographic information;
- information included in relevant customer documentation (eg record of advice) and other comparable information;
- marketing and sales information, such as details of the advice and services you receive;
- Information we obtain from other sources. This includes:
- communications information (eg email information);
- entities in which you or someone connected to you has an interest;
- your legal and/or financial advisors;
- other financial institutions who hold and process your personal data to satisfy their own regulatory requirements; and
- combined information from external sources (eg information pertaining to social interactions between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information and information from fraud avoidance systems).
See Appendix 1 for additional details.
How we’ll use your information
We will collect information about you for various reasons as set out in this privacy notice, including to:
- manage and administer your accounts and holdings;
- provide you with information, products and services you may request from us;
- verify your identity as part of our client onboarding process;
- detect and prevent fraud and money laundering;
- identify politically exposed persons;
- carry out your instructions;
- improve our products and services;
- keep track of our conversations with you (by phone, in person, by email or any kind of communication);
- manage our relationship with you – including (if you agree or unless you tell use otherwise) telling you about our products, or carrying out market research;
- corresponding with solicitors, and third party intermediaries;
- manage our internal operational requirements for risk management, system or product development and planning, insurance, audit and administrative purposes; and
- liaising with or reporting to any regulatory authority (including tax authorities) with whom a fund either is required to cooperate, report to or with whom it decides or deems appropriate to cooperate in relation to an investment, and which has jurisdiction over the Fund or its investments notwithstanding that such processing may be undertaken by a party who is located in a territory which is outside of the European Economic Area (which for the purposes of this Notice includes the Bailiwick of Guernsey, the "EEA") and which does not offer an adequate level of protection for the rights and freedoms of data subjects which is equivalent to those data protection standards afforded within the EEA.
Processing for any of the above purposes is necessary to enable us to pursue our legitimate business interests (or the legitimate interests of one or more of our affiliates) provided that your fundamental rights do not override these interests. It may also be necessary for other reasons, as outlined below.
We will only use your information where we have a lawful basis for using it. These lawful bases include where:
- we need to pursue our legitimate business interests, such as enforcing the terms and conditions of any agreement we have with you;
- we need to process the information to perform our obligations under our contract with you;
- we need to process the information to comply with a legal and regulatory obligations;
- we need to establish, exercise or defend our legal rights and / or for the purpose of (or in connection with) legal proceedings (including for the prevention of fraud); and
See Appendix 2 for additional details.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
Even if you ask us not to use your information, we may continue to use your personal information in circumstances where (a) the law says we have to; (b) we need to for the purposes of performing a contract; (c) we have a public interest to do so; or (d) we have a legitimate business reason for doing so.
Tracking or recording what you say or do
We may record and keep track of conversations you have with us – including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other kinds of messaging in order to use these recordings to check your instructions to us, assess, analyse and improve our service, train our people, manage risk or to prevent and detect fraud and other crimes.
Who we might share your information with
We may share your personal information with our affiliates or with entities external to HSBC Management (Guernsey) Limited where:
- • we need to for the purposes of providing you with investment products and services you have requested (eg pursuant to an investment management agreement);
- we have a public or legal duty to do so eg to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights;
- we have a legitimate reason for doing so eg to manage risk, verify your identity, or assess your suitability for products and services;
- we have asked you for your permission to share it, and you’ve agreed;
- we need to ensure the safety and security of our data; or
- we need to for internal research and statistical analysis purposes.
We may transfer and disclose your information to:
- other HSBC group companies and any sub-contractors, agents or service providers who work for, or provide services to, us or other HSBC group companies (including their employees, sub-contractors, directors and officers);
- anyone who deals with us in relation to your investment and agreement with us (eg financial adviser), the people you make payments to, your beneficiaries, intermediary, correspondent and agent banks, clearing houses, clearing or settlement systems, market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges, and any companies you hold securities in through us (eg stocks, bonds or options);
- other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies and debt recovery agents;
- any person, company or other entity that has an interest in or takes on the risk in relation to or in connection with the products or services that we provide to you;
- any prospective or new HSBC companies (eg if we restructure, or acquire or merge with other companies) – or any businesses that buy part or all of any HSBC company;
- to auditors, regulators or dispute resolution bodies and to comply with their requests;
- other companies who do marketing or market research for us (but not without your permission);
- if there’s a dispute over a transaction, anyone else who’s involved;
- law enforcement, government, courts, or our regulators; or
- fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by clicking on this link https://www.cifas.org.uk/privacy-notice
Sharing Aggregated or Anonymised Information
We may share aggregated or anonymised information outside of HSBC with partners such as research groups, universities or advertisers. For example, we may share such information publicly to show trends about the general use of our services. However, you won’t be able to be individually identified from this information.
How long we’ll keep your information
How long we hold your personal information for will vary. The retention period will be determined by various criteria including:
- the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
- legal obligations – laws or regulation may set a minimum period for which we have to store your personal data.
Transferring your information overseas
Your information may be transferred to, and stored at, a destination outside the European Economic Area (for the purposes of this Privacy Notice, the European Economic Area includes the Bailiwicks of Guernsey and Jersey) (“EEA”), including to locations which may not have the same level of protection for personal information. We may need to transfer your information in this way to perform our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate business interests.
Where we transfer your information outside the EEA, including to India, we will ensure that it is protected by us in a manner that is consistent with how your information will be protected by us in the EEA. We will always do this in a way that is permissible under data protection law.
You can obtain more details of the protection given to your information when it is transferred outside the EEA by contacting us in accordance with the “More details about your information” section below.
You have a number of rights in relation to the information that we hold about you. These rights include:
- the right to obtain information regarding the processing of your information and access to the information which we hold about you;
- in certain circumstances, the right to withdraw your consent to our processing of your information at any time. Please note, however, that we may still be entitled to process your information if we have another legitimate reason for doing so;
- in some circumstances, the right to receive some information electronically and/or request that we transmit the information to a third party where this is technically feasible. Please note that this right only applies to information which you have provided to us;
- the right to request that we rectify your information if it is inaccurate or incomplete;
- the right to request that we erase your information in certain circumstances. Please note that there may be circumstances where you ask us to erase your information but we are legally entitled to retain it;
- the right to object to and the right to request that we restrict our processing of your information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your information but we are legally entitled to continue processing your information and / or to refuse that request; and
- the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.
You can exercise your rights by contacting us using the details set out in the “More details about your
information” section below. You can find out more information about your rights by contacting the Data
Protection Authority, or by visiting their website at https://odpa.gg/
What we expect from you
You are responsible for making sure the information you give us is accurate and up to date. And you must tell us if anything changes, as soon as possible. If we ask you for any information and you do not provide it to us, we may need to stop providing products and services to you.
If you give us any personal information that does not relate to you (eg information about your financial adviser and/or your employees), you must obtain the necessary consent to disclose such personal information, tell them what information you have given to us, and make sure they agree we can use it as set out in this notice. You must also tell them how they can see what information we have about them and correct any mistakes.
Some of the links on our websites lead to other HSBC or non-HSBC websites, with their own privacy and information protection policies, which may be different to this notice.
How we keep your information secure
We implement internal technical and organisational measures to keep your information safe and secure which may include encryption, anonymisation and physical security measures. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.
More details about your information
If you would like further information on any of the information above, please address questions, comments and requests to HSBC Securities Services (Ireland) DAC at firstname.lastname@example.org.
This Privacy Notice may be updated from time to time, please see the latest version here https://www.global.assetmanagement.hsbc.com/privacy-policy
Last updated: May 2018
Appendix 1 – Information we collect about you
- Contact details such as your name, date and place of birth, and nationality, postal address, telephone number, email address;
- Identification information such as passport ID, date of birth, picture, paper copy of identity;
- Client Relationship Data eg products and services held (including pricing information), channels and modes of interaction, interactions with HSBC (eg call history, digital communications, feedback etc.), client accounts, holding and location information,
- Payment Transactions Data: such as records from our payments processing systems that contain the information about executed transactions and includes order information (eg payment order), payment information and other information from the fulfillment of our contractual obligations (eg sales information in payments processing);
- Other Financial Data: including information regarding your financial situation (eg, tax status or the source of your assets);
- Risk Data / Ratings: Credit risk ratings and risk identification information (incl. vendor risk management), predicted transactional behaviour, client due diligence and periodic review results, financial crime risk management (FCRM) rating (high/medium/low), external intelligence reports, screening alerts (eg Transaction Screening, Name Screening, AML), unusual activity information (to develop (SARs) / and UARs).
- Investigations Data (Information pertaining to results from investigations on internal HSBC business practices, processes and operations). Grey information (eg allegations of wrongdoing, considered unproven, highly sensitive, may be structured or unstructured.)
- Information about the products and services allocated to clients, as well as information about credit decisioning variables and assumptions, posted collateral, calculated exposures, and likelihood estimates that the client cannot meet the commitment it has entered into. Data pertaining to known or suspected risk associated with clients, acquired from external watchlists and internal risk intelligence systems (eg Risk / Case Management).
- Data and artefacts required to support compliance to regulations that require screening of clients, their transactions and detection of suspicious and unusual activity. FCC Risk Data.
- Profile Data for KYC purposes such as Individual identity and reference information, information published on the internet or which has been received from external providers; publically available or internally collected identity and demographic reference information about individuals who may be HSBC customers, connected parties, prospects, stakeholders or not at all related with HSBC (eg, marketing lists) that contain personally identifiable information.
- Social Data: Data pertaining to social interactions between individuals, organizations, prospects and other stakeholders acquired from external information aggregators. The information is typically user generated / and or provided by and includes information from sources such as Linked In, Facebook, Google Plus, Twitter, etc. as well as information from social media analytics tools such as Radian 6
- Information Security Risk Data; External information used to manage the information security threat environment, including watchlists, lists of bad URLs and known bad IP addresses, threat and vulnerability alerts, and information breach intelligence reports and news. Known actors (cyber criminals), external email addresses, leaked information lists (eg external breaches which has employees involved), acquired credit card / account details;
- Other Financial Data: investment portfolio details, investment fund details
Other non HSBC financial information (excluding Market Trades and Payment Transactions);
- Market Trades: Information about exchanges in ownership of cash, securities or financial instruments between individuals or organizations through an exchange (ie organized market) or over the counter, which results in one or more transactions recorded in an account. This may include Buy side or Sell side trades and positions.
- Communications Data: eg email information, third party information, chat information, instant messages, corporate and media broadcasts, disputes / litigation, correspondence between solicitors and stakeholders and transcripts or minutes.
- Information pertaining to results from investigations on internal HSBC business practices, processes and operations. Content and meta-data related to exchanges of information between and among individuals, organizations, workers, prospects, customers, other stakeholders and HSBC. Electronically recorded communications in the form of voice, email, or chat; corporate media communications, operational communications between two or more individuals or organizations regarding any HSBC activity that is directly or indirectly supporting customer servicing, third-party relationship and fulfillment.
- Complaints information; including disputes / litigation (legal case and matter information including legal strategy, document production, deposition and court transcripts, legal billing and time booking information).
- Cookie Information: IP Address, Browser behaviour etc.
- User Activity Reports (UAR) and Suspicious Activity reports (SARs).
Appendix 2 – How we use the information
We will use your information for the following purposes:
- Deliver our products and services, or process your transaction in order to meet your investment objectives: We will use your information to provide you with our products and services and to process your transactions. We will do this in line with our legitimate interests, legal obligations and in order to perform our contract with you.
- Compliance with Laws and Regulations: comply with the law, or any relevant rules or regulations. This may include to help detect or prevent crime (including terrorism, money laundering and other financial crimes), filing of relevant reports to regulators, disclosing information to authorities, regulators or government agencies to fulfill our legal obligations. This is carried out to comply with legal obligations, because it is in the public interest, and because it is in our legitimate interest to do.
- Preventing and Detecting Crime: We will use your information to take measures to prevent crime including fraud monitoring and mitigation and fraud risk management, carrying out customer due diligence, name screening, transaction screening and customer risk identification, in order to comply with our legal obligations, because this is in the public interest to carry out and assess risk in our legitimate interest. We may share your information with fraud agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. Additionally we may take steps along with other financial institutions to help prevent financial crime and manage risk where we have a legitimate business interest or public interest to do so, such as where it is important to prevent or detect crime. We may be required to use your information to do this, even if you have asked us to stop using your information. That could include (among other things):
- screening, intercepting and investigating any payments, instructions or communications you send or receive (including drawdown requests and application forms);
- investigating who you’re paying or who’s paying you eg checks on payments in and out of your account;
- passing information to fraud prevention agencies, if we think you’ve given us false or inaccurate information, or we suspect fraud;
- combining the information we have about you with information from other HSBC companies;
- checking whether the people or organisations you’re paying or receiving payments from are who they say they are, and aren’t subject to any sanctions.
- Security and Business Continuity: we take measures to aid business continuity, information security and we undertake physical security activities in order to fulfill our legal obligation and for internal risk strategy purposes as required in our legitimate interest.
- Risk Management: We will use your information to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer loss. This includes credit risk, traded risk, operational risk & insurance risk. We will do this to fulfill our legal obligation and also because we have a legitimate interest in using your information for these purposes.
- Product & Service Improvement: We will use your information to identify possible service and product improvements (including profitability) by analysing information. The lawful basis for processing your information for this purpose is our legitimate interests.
- Information as a product: Where we collect your information for another purpose, eg for client on boarding, we may share such information or analytics results with third parties including other HSBC entities where it is in our legitimate interest to do so. The information may be presented as research whitepapers, the delivery of customer-specific information or insights back to same customer, credit checks, and anonymisation of information for the wider market. If we need to process your information for any other purpose, we will notify you with details of the new purpose (and obtain consent, if required) prior to that further processing.
- Protecting our legal rights: We may need to use your information to protect our legal rights such as in the case of defending or the protection of legal rights and interests (eg collecting money owed; defending rights of intellectual property); court action; managing complaints or disputes; in the event of a restructuring of companies or other mergers or acquisition. We would use this on the basis of legitimate business interests.