Group Privacy Notice

1.0 About Us

1.1 This notice applies to the following members of the Capital International Group all of whom are registered with The Isle of Man Information Commissioner as data controllers and who for the purposes of this notice are referred to as ‘the Group’:
1.1.1. Capital International Limited
1.1.2. Capital International Bank Limited
1.1.3. CIGTS Limited
1.1.4. Capital Select Limited
1.1.5. Mill Yard Services Limited

In addition this notice applies to the following Group company, based in South Africa:
1.1.6. CILSA Investments (PTY) Ltd

For the avoidance of doubt, the entity is not registered with the Isle of Man Information Commission but is registered with the Information Regulator in South Africa.

1.2. Capital International Limited and Capital International Bank Limited are wholly owned subsidiaries of Capital International Group Limited (www.capital-iom.com), a privately owned financial services group based in the Isle of Man and are licensed by the Isle of Man Financial Services Authority. Capital International Limited is a member of the London Stock Exchange. Capital International Bank Limited operates as a non-retail, restricted deposit taker under a Class 1 (2) licence. Deposits are not covered by the Isle of Man Depositors’ Compensation Scheme and terms and conditions apply.

1.3 CILSA Investments (PTY) Ltd (FSP No. 44894), trading as Capital International SA, is licensed by the Financial Sector Conduct Authority in South Africa.

1.4. Unless otherwise indicated our services will not be targeted at, nor will they be offered or available, to the residents of any particular country where their advertisement, offer or sale is restricted or prohibited by law or regulation or where a Group company is not appropriately licensed.

The Legal Bit
‍

1.5 The Isle of Man Data Protection Act 2018 (DPA 2018) permitted the EU General Data Protection Regulation (GDPR) and EU Law Enforcement Directive (LED) to be applied to the Isle of Man by ‘Order’ and brought into effect through ‘Implementing Regulations’ (the Data Protection Laws).  

1.6 The Data Protection Laws came into effect on 1 August 2018 with only a few transitional arrangements and savings.

1.7 In relation to relevant South African data protection legislation, it should be noted that certain sections of the Protection of Personal Information Act came into effect on 1 July 2020 and that all processing of personal information had to conform to POPIA by 1 July 2021. Specifically sections 2 to 38 (application provisions; conditions for lawfully processing personal information; and exemptions); sections 55 to 109 (the duties and responsibilities of the information officer and deputies; prior authorisation; codes of conduct; supervision; the rights of data subjects regarding direct marketing by means of unsolicited electronic communications, directories and automated decision making; enforcement; and offences and penalties); section 111 (fees) and section 114 (1), (2) and (3) (transitional arrangements).

For any further clarification please refer to the local Information Officer in South Africa or the Group’s Data Protection Officer (“DPO”) in the Isle of Man.

1.8. This Privacy Notice details the steps the Group (we, us or our) take to protect your personal data when either you in your personal capacity or an entity of which you are an individual director, officer, employee or beneficial owner of an entity or of any entity within a group structure and which is the ultimate beneficial owner, or a settlor, trustee or protector of a trust (you or your) engage in the services offered by the Group . It explains the personal data that we collect, how it is collected, held and used, and your choices regarding our use of it.  

1.9. Any entity wishing to make use of the services of the Group should bring this Notice to the attention of 

• all directors, officers, employees or beneficial owners of that entity or trustees, settlors and protectors or similar of any trust relating to the entity and any similar persons interested or concerned with other entities in a group structure; 
• all trustees, settlors and protectors of any trust, settlement or foundation.

1.10. In our capacity as data controller, we will securely store and process your personal data which you provide to us from time to time. We, the Group, are committed to protecting your privacy and personal data.

2.0 Definition

2.1 For the purposes of this Privacy Notice the following terms shall be thus defined:

• “Personal Data” or "Personal Information" in simple terms is any data which enables you to be identified (as a data subject);
• “Data Subject” is an identified or identifiable person to whom personal data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural and social identity;
• “Data Controller” shall be defined as a person who determines the purposes for which and the manner in which any personal data is, or are to be processed. 

3.0 Changes to this Privacy Notice

3.1 We reserve the right to modify this Notice from time to time in order that it accurately reflects the regulatory environment and our data collection principles.  When material changes are made to this Notice, we will post the revised Privacy Notice on our website and notify you of this.

4.0 Collection of data

4.1 We will require documentation which, in respect of any person who opens an account with a Group company (the account holder), settlor, trustee or beneficial owner, assists us to identify and verify (as necessary) the identity, the source of wealth and the source of funds of such account holder settlor, trustee or beneficial owner together with the authority of such person to act in relation to the account. 

We may require other personal data in order to comply with our obligations under relevant legislation concerning anti money-laundering, countering the financing of terrorism, bribery & corruption, prevention of human trafficking / slavery, tax evasion or tax reporting legislation as updated from time to time.  

In this regard we may collect some or all of the following personal data:

a) Information you give us or which is given to us by your agent; 

We receive and store any information you (or your agent) enter via our website or give us in any other way; this may include but is not limited to:

• Basic personal information; including your name, residential address, date of birth and contact details;
• Financial information, including bank account details and transactional information and history at other institutions;
• information about your family, lifestyle and social circumstances (such as dependents, marital status, next of kin and contact details);
• information about your financial circumstances, including personal wealth, assets and liabilities, proof of income and expenditure, investment needs and goals, tax information and certifications;
• investment experience, risk tolerance, transaction history and investment activity 
• education and employment information;
• goods and services provided;
• identification documents, visual images and personal appearance (such as copies of passports or video verification recordings);
• any communication you have with us;
• any other data that you may submit to us via the website from time-to-time; and
• sensitive personal data as defined in the regulations. 

Whilst you are not required to provide any of this information, if you do not agree to provide us with this or any other requested information, it may not be possible for us to continue to operate your account(s) and/or provide products and services to you.

b) Publicly available sources
Information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines.

c) Automatic information
We receive and store certain types of information whenever you interact with the Group. 

• For example, like many websites, we use ‘cookies’ and we obtain certain types of information when your web browser accesses the Group website.  In this connection refer to the website privacy and cookie notice.
• Calls to our offices may be recorded and monitored for security and training purposes.
• Incoming and outgoing email messages may be recorded and monitored during the provision of our services to you and for security and training purposes.
• We may also collect technical information to help us identify your mobile device(s) for fraud prevention and diagnostic purposes.
• Most mobile devices provide users with the ability to disable location services. Most likely, these controls are located in the device’s settings menu. If you have questions about how to disable your device’s location services, we recommend you contact your mobile service carrier or your device manufacturer.

d) Co-Branded & Joint Offerings

• We may from time to time offer joint or co-branded products and services.

5.0 How is your personal data used?

5.1 Our use of your personal data must always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your personal data (e.g. by subscribing to marketing emails), because we are acting under a legal obligation or because it is in our legitimate business interests. Specifically, we may use your data for one or more of the following purposes:

A Contractual Necessity

We may process your information during the account opening process, when you use our products or services, or to perform our obligations under any contract entered into. This may include processing to:

1. assess and process applications for products or services;
2. provide and administer those products and services during your relationship with a Group company, including opening, setting up or closing your accounts or products, collecting and issuing all necessary documentation, executing your instructions, processing transactions in connection with our banking and investment services, including current and deposit services, providing loans and loan facilities, foreign exchange,  sale and purchase of investments, making payments and transferring money between accounts, resolving any queries or discrepancies and administering any changes;
3. manage and maintain our relationships with you and for ongoing customer service. This may involve sharing your information with other Group companies to facilitate or improve the availability of our services and your accounts with us; and
4. communicate with you about your account(s) or the products and services you receive from us.

‍B Legal Obligation

When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you.  This may include processing to:

1. confirm your identity;
2. perform checks and monitor transactions and location data for the purpose of preventing and detecting crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. This may require us to process information about criminal convictions and offences, to investigate and gather intelligence on suspected financial crimes, fraud and threats and to share data with law enforcement and regulatory bodies;
3. share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;
4. deliver mandatory communications to customers or communicate updates to product and service terms and condition;
5. investigate and resolve complaints;
6. conduct investigations into breaches of conduct and corporate policies by our employees;
7. manage contentious regulatory matters, investigations and litigation;
8. perform assessments and analyse customer data for the purposes of managing, improving and fixing data quality;
9. provide assurance that Group companies have effective processes to identify, manage, monitor and report the risks they are or might be exposed to;
10. investigate and report on incidents or emergencies on any Group property or premises;
11. coordinate responses to business disrupting incidents and to ensure facilities, systems and people are available to continue providing services; and
12. monitor dealings to prevent market abuse.

C Legitimate interest and purposes of the Group

1. to manage our risk and determine what products and services we can offer and the terms of those products and services;
2. to carry out financial risk assessments and for risk reporting and risk management;
3. to protect our business by preventing financial crime or from being used to facilitate financial crime;
4. to send marketing material, to include recommending services or products which may be of interest to you (but only where you have consented to be contacted for such purposes);
5. to develop, test, monitor and review the performance of products and services, internal systems and security arrangements offered by the Group;
6. to assess the quality of services to clients;
7. to provide staff training;
8. to analyse your use of our site and gather feedback to enable us to continually improve our site and your user experience;
9. to provide you with access to our corporate literature and information about our services and products;
10. to develop our offers and the layout of our website to ensure that our services are as useful and enjoyable as possible;
11. to send out news updates which you have signed up for;
12. to prevent or detect fraud or abuse, and
13. to enable third parties to carry out technical, logistical and other functions on our behalf.

6.0 With whom is your personal data shared?

6.1 In order to provide services to you, Group companies may be required to share personal data, with other Group companies or as set out below, and upon and subject to the conditions set out below.

6.2 Third Party Service Providers: We employ other companies and individuals to perform functions on our behalf and for the provision of the services to you. We may supply information needed for them to perform their functions but may not use it for other purposes. Further, they must process the personal information in accordance with their obligations and as permitted by applicable data protection laws in their jurisdiction.

6.3 When specifically authorised by you: If you ask us to, we will share information with any third party that provides you with investment advice or banking and other professional services. If you ask a third-party provider to provide such services, you are allowing that third party to access information relating to your account.  We are not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.

6.4 We may occasionally be required by law, court order or governmental authority to disclose certain types of personal data. Examples of the type of situation where this would occur would be:

• where we are required by law and by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies around the world;
• where we have to defend ourselves legally.

6.5 We may disclose anonymised data (such as aggregated statistics) about the users of our site in order to describe our web users, traffic patterns and other site information to prospective partners, investors and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifying information.

6.6 The information we hold on you will be used and stored principally in either the Isle of Man or South Africa depending on which entity is providing services to you.  However, we may store or transfer your data within the UK or the EEA on the basis that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.

7.0 The requirements of Data Protection Laws

7.1   We regard the lawful and correct treatment of your personal data by us as very important to our successful operation, and to maintaining confidence between us and our users. We ensure that Group Companies treat personal data lawfully and correctly. 

In particular, without your consent or first amending this Privacy Notice to reflect any change in our usage of personal data, all Group companies will apply the following concepts:

• we will ensure that we will not use your personal data for any purpose that is incompatible with this Privacy Notice;
• we will ensure that any processing of your personal data is fair, transparent and sufficient for the uses as set out above;
• we will endeavour to keep your personal data up-to-date;
• we will not retain your personal data longer than necessary unless required to do so by law;
• we will implement appropriate technical and organizational measures to enable inaccuracies to be corrected and minimize the risk of errors;
• Secure personal data in a way that is proportionate to the risk to the interest and right of you as data subject;
• we will operate appropriate technical and organisational processes to protect your personal data against unauthorized or unlawful access or processing and against accidental loss or destruction. The detailed measures we take are described elsewhere in this Privacy Notice;
• we will not transfer your personal data to a country outside the European Economic Area unless sufficient safeguards have been established to protect your personal data to a standard at least equivalent to those, which apply within the EEA.

8.0 Your rights

8.1 We will look to ensure that all of your rights as defined in the Data Protection Laws in place from time to time, to include but not limited to the following:

• Right to be informed;
• Right to erasure – but please note that we may have to suspend the operation of your account with us;
• Right to data subject access (see part 9 below);
• Right to restrict processing that is likely to cause or is causing damage or distress;
• Right to data portability – that is you have a right at any time to receive a portable copy of your personal data that we hold;
• Right of rectification of inaccurate information;
• Right to object to direct marketing;
• Rights relating to the use of automated decision making and profiling systems based on personal data;
• Right to apply/remove consent for processing of personal data;
• the right to lodge a complaint with the Information Commission’s Office (see below)

8.2 For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 12.  

If you are unsure about your rights or are concerned about how your personal data may be processed, you should contact the Information Commission’s Office – either by telephone +44 1624 693260 or ask@inforights.im.

9.0 How Can I Access My Personal Data?

9.1 If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

9.2 All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 12. 

There is not normally any charge for a subject access request.   However, if your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

10.0 Retention

10.1   We will hold your personal data for so long as we are providing services to you and in accordance with financial services regulation and the data protection regulations in place in the Isle of Man from time to time. We will endeavour to delete any personal data sooner where it is not necessary for us to hold this.

10.2 In addition, personal data will also be retained in line with anti-money laundering and countering the financing of terrorism requirements. Please be aware that we may hold personal data for longer if we are under a legal obligation to do so or where we have a reasonable belief that it is necessary to do so for business or legal reasons.

11.0 Links to other websites

Our site may contain links to other websites. While we try to link only to websites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other websites.

12.0 How to contact us

If you have questions regarding this notice, would like to enforce your rights set out above (at section 8) or our handling of your personal data, please contact our Data Protection Officer:
In writing at Capital House Circular Road Douglas Isle of Man IM1 1AG.
By email at dpo@capital–iom.com

We will promptly address your concern and strive to reach a satisfactory resolution.

Last updated - September 2024

‍