This Privacy Notice explains how the Guernsey Financial Services Commission (the “GFSC”) processes personal data and sets out the rights of the individuals to whom that data relates (data subjects). Any questions about personal data processed by the GFSC should be directed to our Data Protection Officer the contact details for whom are provided below.
The GFSC is a statutory body and public authority established pursuant to the Financial Services Commission (Bailiwick of Guernsey) Law, 1987 (the “FSC Law”).
The GFSC is a data controller, and is registered with the office of the Data Protection Commissioner pursuant to the Data Protection (Bailiwick of Guernsey) Law, 2017 (the “Data Protection Law”).
The States of Guernsey (the “States”) have provided the GFSC with a wide range of powers and functions in order that we are able to meet our statutory objectives as set out in the FSC Law and the laws applicable to the regulation and registration of financial services businesses.
These objectives include:
- supervising finance business in Guernsey;
- reporting to, advising, and assisting the States on any matter connected with finance business in Guernsey;
- preventing financial crime and terrorist financing from taking place in Guernsey;
- maintaining confidence in Guernsey’s financial services sector;
- ensuring the safety, soundness, and integrity of Guernsey’s financial services sector;
- assisting certain other bodies to carry out and exercise their powers and functions which may include protecting the public, and protecting and enhancing the reputation of Guernsey as a financial centre;
- providing statistical information relating to the finance business sector of Guernsey’s economy; and
- protecting the public against financial loss due to dishonesty, incompetence, or malpractice by people carrying on finance business in Guernsey.
In order to perform its functions effectively, the GFSC needs to process personal data. The processing activities that the GFSC may by law carry out in relation to personal data include requesting it, collecting it, storing it, analysing it, sharing it, disclosing it, and publishing it.
Regulated and registered entities must provide information to the GFSC at regular intervals and additionally in certain ad hoc or specific situations. The majority of this information will be provided under the FSC Law and/or the laws for the regulation and registration of financial services businesses, through our reporting systems, or in response to specific requests for information made by us in correspondence. Most of this information will be about regulated or registered entities and their business, but some of it will include personal data about their employees as well as their clients or customers.
It is because the GFSC has statutory powers to obtain and process information, including personal information, that consent will not be a legal basis that we rely upon in order to process personal data where we are exercising our statutory powers and performing our regulatory purposes and protective functions.
From time to time, the GFSC may make public information. This may include personal data, relevant to the financial services sector. In such cases, the GFSC will rely on its statutory powers to make certain information publicly available.
The GFSC is bound by strict provisions, set out in the FSC Law and in the laws applicable to the regulation and registration of financial services business, as to the confidentiality of the information that it acquires during the course of carrying out its legal functions. Such information may be disclosed, without the consent of those who may be identified from it, only in exceptionally limited circumstances such as:
- where necessary to enable the GFSC to perform its functions or discharge its obligations (both in Guernsey and internationally);
- for the purposes of the investigation, prevention, or detection of crime; or
- in order to comply with directions given by a court.
These confidentiality provisions bind the GFSC and its members, officers and servants and contravention of them is an offence which carries liability to punishment. In cases where the GFSC discloses information, it will do so on the basis of conditions designed to ensure that the confidentiality of the information is protected by imposing undertakings in relation to the use, disclosure, safe-keeping, and return of the information concerned.
Data processed by the GFSC
The personal data that the GFSC may collect and process includes information within the following categories:
- date of birth;
- contact information (address, telephone and email etc.);
- financial information (returns data, invoicing information, and notifications data etc.);
- credentials; such as ID, logins, and passwords (please note, passwords are stored in such a way that they cannot be recovered (or disclosed) by anyone, including the GFSC);
- identity (passports and identity cards etc.);
- family members (next of kin and beneficiaries etc.);
- employment (employment history, qualifications, training etc.);
- due diligence documentation (identification information, PEP status information, source of wealth data);
- special category data (health, origin, political opinion etc.);
- criminal convictions and offences (fraud, money laundering, market abuse, taxation offences etc.); and
- fitness and propriety (disciplinary issues, professional memberships, qualifications, credit status, investigations, legal actions, police checks etc.)
Sources of data
In addition to gathering information from data subjects directly, the GFSC may use other sources of data in order to gather information, some of which may include personal data. Examples of such sources of information include:
- subscribed service sources of risk intelligence;
- membership registers;
- open-source or publicly available sources; and
- other regulators both within and without the Bailiwick of Guernsey.
Reasons for processing data
The GFSC processes personal data for a number of legal reasons or grounds which may include:
- the exercise by a public authority of public functions;
- the performance by a public authority of tasks carried out in the public interest;
- the exercise of rights or powers conferred or imposed on the GFSC by law;
- the performance of, or compliance with, duties imposed on the GFSC by law;
- processing in connection with any legal proceedings, or for the discharge of any court functions, for the purpose of obtaining legal advice or otherwise in connection with legal rights;
- processing necessary for the administration of justice;
- the legitimate interests of the GFSC to process personal data to the extent required in order to ensure that it meets all of its legal obligations pursuant to the FSC Law and the other regulatory laws applicable to the regulation and registration of businesses operating in the financial services sector; or
- using and analysing data in accordance with international best practice for regulators.
In exercising its regulatory and supervisory purposes, and its protective functions, the GFSC may share information (including personal data), with other entities. These other entities may include, for example:
- external providers of professional services (such as lawyers, accountants, auditors, or other experts);
- service providers (for services such as IT, document storage, office maintenance, and conference or event services); and
- entities with a legal right to the information (such as law enforcement agencies, the States, other regulators or supervisory bodies, and controllers of public registers); and
- courts and tribunals.
In some cases, this may be to the UK or one of the British Islands, or to a Member State of the European Union, or to a jurisdiction outside of these areas which ensures that there is an adequate level of protection with regard to personal data for the purposes of the GDPR.
From time to time, in accordance with international standards for financial supervision, and on the lawful basis of its regulatory and supervisory purposes and protective functions, the GFSC may share personal data outside of the aforementioned jurisdictions. In such cases, the GFSC will take appropriate steps to do so on the basis of available safeguards. Every such instance will be handled on a case-by-case basis.
The GFSC retains information, which may include personal data, for as long as necessary for the purpose(s) for which that information was collected. The GFSC may retain information for longer periods where it is necessary to do so for the purpose of archiving in the public interest.
Data Subject rights
The GFSC collects personal data about a range of people. The Data Protection Law provides data subjects with a number of rights.
There are circumstances where, because of the status of the GFSC as a public authority engaged in the exercise of statutory objectives for the purpose of supervising and regulating the financial services sector, certain data subject rights may not be applicable. These may include exemptions to data subject rights where to honour those rights would be likely to prejudice:
- the exercise or discharge of a protective function;
- a regulatory purpose; or
- the economic security of Guernsey.
A protective function is a function imposed on the GFSC by law to do the following:
- protect the public against for example: dishonesty, malpractice, improper conduct, unfitness or incompetence, misconduct, or mismanagement in the financial services sector; or
- to protect the reputation and standing of Guernsey as a financial centre.
A regulatory purpose might include any of our statutory functions under the laws applicable to the regulation and registration of financial services business including the following:
- investigating, preventing, or punishing breaches; or
- authorising and approving licences and registrations.
Data subject rights may also not apply in situations where legal obligations (such as statutory confidentiality obligations), court orders, or indeed other legal rights are applicable.
Exercising data subject rights
Where a data subject has reason to make a complaint in relation to the GFSC’s processing of their personal data or protection of their data subject rights, a written complaint may be made to the Data Protection Commissioner.
The Data Protection Law provides for a data subject who has reason to complain about the handling of their complaint by the Data Protection Commissioner to appeal to court where specified grounds exist.
Also known as browser cookies or tracking cookies, cookies are small, often encrypted text files, located in browser directories. They are used by web developers to help users navigate their websites efficiently and to perform certain functions.
For more information about cookies (including how to turn them off) please visit: www.allaboutcookies.org
Our website www.gfsc.gg uses the cookies listed in the table below.
|Google Analytics||Google Analytics is a web analytics service provided by Google. Google Analytics uses ‘cookies’, which are text files placed on your computer, to help analyse how visitors use the website. For further details on Google Analytics cookies, visit Google Analytics Cookie Usage on Websites||
|Content management cookies||Drupal cookies display and remember content based on selections you have already made.||
|AddThis||AddThis provides sharing widgets, to enable visitors to share content from our website across social media providers.||_atuvc
|CloudFlare cookies||CloudFlare is a content delivery network that provides DDOS protection to our website. This cookie is necessary for site security operations.||_cfduid|
Our Online Submissions Portal submit.gfsc.gg uses the cookies listed in the Table below.
|RequestVerificationToken||This cookie is used during registration and login to the GFSC's Online Submissions Portal. This cookie is deleted when you close your browser.|
|UserCookie||This cookie is used if you choose the option to remember your email address on login.|
|AspNet.ApplicationCookie||This cookie is used to check whether you are an authenticated user, and contains encrypted data to identify the user on each page load. This cookie is deleted when the session is closed.|
|ASP.NET_SessionId||This cookie is used to identify the given user's session on the server|
|AspNet.TwoFactorCookie||Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process|
Enables the application to remember the second login verification factor; such as email
Identifies the website user
This cookie is used during registration and login to the GFSC's Online Submissions Portal. This cookie is deleted when you close your browser
CloudFlare is a content delivery network that provides DDOS protection to our website. This cookie is necessary for site security operations (cfduid)
Our PQ Portal online.gfsc.gg uses the cookies listed in the Table below.
|RequestVerificationToken||This cookie is used during registration and login to the GFSC Portal. This cookie is deleted when you close your browser.|
|PortalAuth||This cookie is used to match your login details to your account on the GFSC's Portal. This cookie is deleted when you close your browser and when you sign out.|
The GFSC website uses a software called Hotjar. Hotjar is used to anonymously track and record your journey through this website, so that it can be reviewed at later date for the sole purpose of helping us to improve the user experience.The following information may collected through the Hotjar tracking code embedded on the GFSC website:
Device Specific Data
The following information may be collected from your browser:
- Your device’s IP address (collected and stored in an anonymized format)
- Device screen size
- Device type (unique device identifiers) and browser information
- Geographic location (country only)
- Preferred language used to display the webpage
Hotjar records information that is created whilst using the GFSC website. This information includes:
- Referring domain
- Pages visited within the site, including the order in which they were visited
- Geographic location (country only)
- Preferred language used to display the webpage
- Date and time when website pages were accessed
- Mouse clicks & keystrokes
Hotjar will never track or store values that you enter into forms on the website. If you do not wish to be tracked by Hotjar, then follow the instructions here.