🔒 Privacy Notice

 

Overview

 

The Isle of Man Financial Services Authority (‘the Authority’) is registered with the Isle of Man Information Commissioner as a data controller for the purposes of Isle of Man data protection legislation.

 

This notice explains what information the Authority collects about individuals (‘personal data’), its reasons for doing so and how it holds, uses and discloses that information.

 

Please see the Website and Cookies webpage for information the Authority collects from users of its website, what that information is used for and how the Authority uses cookies.

 

Questions and Answers (Q&As)

 

Why do we collect personal data?

 

We are responsible for regulating persons who carry on financial services activity in or from the Isle of Man. This includes businesses such as banks, credit unions, insurers, investment businesses, collective investment scheme service providers, pension service providers, trust and corporate service providers, money transmission service providers and crowdfunding platforms.

 

Our main statutory functions are laid out in the following Isle of Man legislation:

 

 

  • Financial Services Act 2008
  • Collective Investment Schemes Act 2008
  • Insurance Act 2008
  • Retirement Benefits Schemes Act 2000.

 

We also have significant statutory functions under the following legislation:

 

  • Bank (Recovery and Resolution) Act 2020
  • Beneficial Ownership Act 2017
  • Designated Businesses (Registration and Oversight) Act 2015

 

We exercise a variety of functions in order to help achieve our regulatory objectives, which are:

 

  1. Securing an appropriate degree of protection for policyholders, members of retirement benefits schemes and the customers of persons carrying on a regulated activity;
  2. The reduction of financial crime; and
  3. The maintenance of confidence in the Island’s financial services, insurance and pensions industries through effective regulation, thereby supporting the Island’s economy and its development as an international financial centre.

 

We need to collect and process personal data in order to exercise our functions appropriately. We may collect personal data directly from individuals or indirectly from other entities or agencies. The table below provides examples of ways in which we collect and process personal data:

 

Personal data is collected from…

To enable us to…

People looking to carry on financial services or designated business activity

Authorise people to carry on financial services activity in or from the Isle of Man or to become registered as a designated business

 

People we regulate

Assess whether people we regulate comply with regulatory standards

Take appropriate action to supervise and enforce compliance with regulatory standards

Customers of people we regulate

Assess whether people we regulate comply with regulatory standards

Take appropriate action to supervise, investigate and enforce compliance with regulatory standards

People we register

Assess whether people we register comply with relevant standards

Take appropriate action to supervise, investigate and enforce compliance with relevant standards

People who use our website

Monitor use of the website to identify areas for improvement

People who use our web portals to submit regulatory information

Receive regulatory information electronically

People who subscribe to our RSS feed or electronic newsletter

Provide relevant information to interested parties

People who receive other services we provide

Provide services to help achieve our regulatory objectives, such as by hosting annual conferences or seminars

People who contact us

Respond to an enquiry or address a particular issue

People who respond to our consultations and surveys

Consider feedback and develop our approach accordingly

People who work on our behalf or from whom we receive goods or services

Provide online services, such as the Collective Investment Schemes FRS (Financial Reporting System) website and Designated Businesses website

Carry out surveys on our performance and other areas of interest

Operate in an effective and efficient manner

People who apply to us for jobs, and current and former employees

To enable us to employ suitable candidates, manage existing employees and comply with our obligations as an employer

 

What is our legal basis for collecting personal data?

 

We take our responsibilities under data protection law seriously and aim to ensure that personal data is handled appropriately. The legal basis for our collecting, holding, using and disclosing personal data is covered by relevant legislation. To summarise the general position:

 

  • We have statutory functions to fulfil as the Island’s financial services regulator
  • We have statutory rights to request information, inspect and investigate people carrying on (or suspected of carrying on) financial services activity
  • We have similar functions and rights in respect of designated non-financial businesses and the Island’s register of beneficial ownership
  • Information we obtain for the purposes of exercising our statutory functions is ‘restricted information’, which includes both personal data and non-personal data
  • Our legislation imposes a number of restrictions on the disclosure of restricted information in order to protect the people to whom that information relates and safeguard our ability to exercise our functions appropriately
  • These restrictions are subject to certain exceptions to recognise situations where we may need to share personal data to enable us to exercise our functions appropriately.

 

Data we collect about legal entities, such as companies, in the course of exercising our statutory functions is restricted information but is not personal data as it does not relate to an individual.

 

In addition to the above, we are designated as a competent authority for the inspection and investigation of criminal matters identified whilst exercising our statutory functions. Personal data that is obtained for law enforcement purposes is protected under Isle of Man data protection legislation, however an individual’s rights in relation to such personal data are more limited to reflect the fact that the data subject is subject to law enforcement proceedings.

 

We will only process your personal data if a lawful basis to do so exists. We may rely on:

 

  • The need to meet a legal obligation in carrying out our statutory functions
  • The need to enter into or ensure the performance of a contract to which you are a party
  • The need to meet a request you have made for information or a service
  • The need to prevent or investigate suspected or actual violations of law
  • The need to protect the public interest
  • Your consent (in limited circumstances) – where we rely on your consent to process your data (such as your subscription to our electronic newsletters) you may withdraw your consent at any time by contacting the Data Protection Officer (see below)
  • The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999. For more information on retention by the Public Record Office please click here.

 

Where there is a legal basis for doing so, we may share your personal data with other authorities or law enforcement agencies to help us (or them) to exercise our (or their) functions appropriately. Any personal data we share in this way is shared in accordance with the law and is limited to the type and amount of data we believe necessary in order to achieve our objectives.

 

The key statutory provisions regarding our handling of information may be found in the following legislation:

 

Legislation

Key Information Provisions

Financial Services Act 2008

Schedule 2 – Inspection and investigation

Schedule 5 – Disclosure of information

Bank (Recovery and Resolution) Act 2020

As under the Financial Services Act 2008

Beneficial Ownership Act 2017

As under the Financial Services Act 2008

Collective Investment Schemes Act 2008

As under the Financial Services Act 2008

Designated Businesses (Registration and Oversight) Act 2015

Section 22 – Restrictions on disclosure of information

Schedule 2 – Exceptions to prohibition on disclosure

Insurance Act 2008

Section 46 – Restrictions on disclosure of information

Schedule 6 – Restrictions on disclosure of information

Retirement Benefits Schemes Act 2000

Section 43 – Restrictions on disclosure of information

As under Schedule 6 to the Insurance Act 2008

 

What personal data do we collect?

 

We collect personal data about individuals involved in regulated financial services or designated business activity in the course of exercising our functions. These may be people who control a regulated or registered firm, people who are employed by (or otherwise engaged by) a firm to carry out certain roles, or people who undertake financial services activity in their own right. We also collect personal data about individuals with whom we interact with on a regular basis to meet our operational needs, such as those who provide us with goods and services.

 

The type and amount of personal data we collect depends on the circumstances. For example, where an individual is seeking to carry on certain roles (Controlled Functions) for financial services firms, we use personal data to help us determine whether a person is fit and proper to carry on that Controlled Function. Such data is necessary to help us assess an individual’s integrity, competence and solvency. By contrast, where a person contacts us by email to ask a question, we only use personal data to the extent that it enables us to answer their question and help us to improve the work we do.

 

We generally collect the following types of personal data for the work we do:

 

  • Identifying: such as name, date and place of birth, nationality and other unique identifiers such as government-issued identification and national insurance number
  • Contact: such as telephone number, email address, physical address
  • Professional: such as education and employment history including schools and places of higher education attended, relevant qualifications, details of current and previous employment, and academic and employment references
  • Financial: such as a person’s financial situation, solvency and any past declarations of bankruptcy
  • Legal: such as being subject to current or past litigation, or being subject to successful investigation by a governmental, professional or other regulatory body
  • Criminal activity: such as convictions and charges
  • Authenticating: such as usernames, passwords and security details for access to our online services.

 

Under almost all circumstances, we do not collect personal data relating to special categories such as race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation. If we find that we hold personal data of this nature, we will take appropriate steps to delete that data and prevent it from being acquired in future. The general exception to this is health data we collect and maintain in relation to our staff for employment purposes. All such data is subject to appropriate operational safeguards.

 

How do we use the personal data we collect?

 

We use the personal data we collect to enable us to exercise our functions as the Island’s financial services regulator in the most appropriate and effective manner. Our functions cover a broad range of activities but can be summarised into the following categories:

 

We use personal data for…

To enable us to…

Applications for authorisation or registration

Determine whether people are fit and proper to carry on financial services activity

Fitness and propriety assessments

Supervising people we regulate or register

Assess whether people we regulate or register comply with relevant standards

Investigating people carrying on financial services activity

Help prevent and detect crime including fraud, money laundering, identity theft or other criminal offences

Enforcing compliance with regulatory standards

Take action against people who do not comply with regulatory standards

Developing regulatory policy, rules and guidance

Consult with relevant people to gain feedback on our proposals and develop our approach accordingly

Conducting surveys

Obtain feedback on our performance or other areas of interest

Responding to enquiries

Provide a response to an enquiry and communicate effectively with people

Communicating

Communicate effectively with people

Obtaining goods and services

Operate in an effective and efficient manner

Employing staff

Employ suitable candidates, manage existing employees and comply with our obligations as an employer

Appointment as Scheme Manager of the Isle of Man Depositors’ Compensation Scheme

Manage the Depositors’ Compensation Scheme (‘DCS’) to ensure that eligible customers of covered banks receive compensation of their deposits in accordance with the DCS framework.

 

In some cases, we have a statutory obligation to check and verify the data you provide to us (in application forms, annual returns etc.). This may include checks of publicly available information but in some cases, where it is necessary and relevant, the information you provide may be disclosed or shared with other organisations. This will only be done where there is a legal need for us to do so.

 

We aim to ensure that we process personal data fairly and appropriately in accordance with the law in order to help maintain trust and confidence in the Authority. For example, we aim to ensure that personal data we hold is accurate and up-to-date, relevant to our functions, not excessive, and is appropriately reviewed, maintained and destroyed when it is no longer required.

 

We do not make use of any automated decision-making such as profiling in relation to the personal data we hold.

 

How do we share personal data?

 

Personal data we collect when exercising our functions is ‘restricted information’ and subject to appropriate safeguards.  However, we sometimes need to share information with other bodies acting in the public interest in order to exercise our functions effectively or to assist those bodies in carrying out their functions.

 

We share information with other bodies under statutory powers known as ‘information gateways’. The Island’s position as an international finance centre means that the bodies with whom we may share information (such as other regulators) are sometimes based outside of the European Economic Area. Where that is the case, we will take appropriate steps to help ensure that your personal data is subject to appropriate safeguards in that jurisdiction and that the type and amount of personal data we share is relevant and proportionate to the purpose for which it is being shared. Equally, personal data we receive from other bodies will be treated in accordance with this Privacy Notice.

 

We make decisions to disclose personal data on a case-by-case basis subject to suitable controls within our organisation.

 

Sometimes we may be required by another body to disclose personal data under relevant legislation or by court order.

 

The types of people who we may share personal data with are as follows:

 

We may share personal data with…

To enable us to…

Other regulatory authorities in or outside of the Isle of Man

Determine whether people are fit and proper to carry on financial services activity

Assist them in determining whether people are fit and proper to carry on financial services activity

Law enforcement agencies in or outside of the Isle of Man

Determine whether people are fit and proper to carry on financial services activity

Assist them in conducting investigations about persons suspected of carrying out criminal activities

Courts or other judicial authorities on production of a valid court order

Exercise our statutory functions or discharge our legal responsibilities

Some government departments or agencies in or outside of the Isle of Man

Exercise our statutory functions

Assist them in exercising their statutory functions

Educational institutions

Determine whether people are fit and proper to carry on financial services activity

Professional bodies

Determine whether people are fit and proper to carry on financial services activity

Assist them in determining whether people are fit and proper to be members of that body

People we regulate or register

Communicate our assessment of whether people are fit and proper to carry on activity for that person

People who work on our behalf or from whom we receive goods or services

Provide online services, such as the FRS (Financial Reporting System) website and Designated Businesses website

Carry out surveys on our performance and other areas of interest

Operate in an effective and efficient manner

 

We take care to ensure that personal data shared with third parties will not be used for any purpose other than the original purpose for which it was shared.

 

How do we protect your personal data?

 

The security and confidentiality of your personal data is very important to us. We maintain an Information Security Policy, which applies to all of the information we hold.

 

To keep your personal data secure we will ensure that, where we are controller for your data:

 

  • safeguards are in place to make sure personal data is kept securely
  • your data will only be held in digital storage areas under the control of the Cabinet Office, Government Technology Services or within secure physical storage areas only authorised persons are able to view your data
  • security of the systems which hold personal data is maintained in line with the ISO27001 standard.

 

To protect your personal data, we will:

 

  • keep your personal data safe and secure in compliance with our information security policy
  • only use and disclose your personal data as detailed above, where necessary
  • retain your personal data for no longer than is necessary and your personal data will be permanently deleted in accordance with our Record Retention Schedule. There is an authorisation process to dispose of this in line with the schedule and retention periods, as outlined below (unless there is an overriding reason to retain this information).

 

Where we use service providers to provide a service which may involve personal data (such as to provide online services or conduct independent surveys), we will put in place contractual agreements that will specify the data protection clauses on that service provider.

 

Please see our Whistleblowing FAQs to learn how we handle whistleblowing situations. 

 

How long do we keep your personal data?

 

We keep all of the information we collect in accordance with our records management policy and record retention schedule. This schedule states the minimum periods for which we will keep certain categories of information. We may keep information for longer than these periods, however where we do we will record the reason for doing so.

 

Our Record Retention Schedule sets out how long we hold information, including personal data.

 

Will your personal data be a public record?

 

The Authority is subject to the Public Records Act 1999, under which the Isle of Man Public Record Office preserves public records that are of historic and cultural significance. We are obliged to look after the records we hold and to work with the Public Record Office to determine records of any historic or long-term research value. Selected records may be transferred to the Public Record Office in accordance with the agreed Record Retention Schedule.

 

If selected, your personal data may be offered for transferral to the Public Record Office for permanent retention. This is likely to be rare, because records of significance will often be about the Authority itself or entities it regulates.

 

The contact details for the Public Record Office can be found on its webpage.

 

What rights do you have over your personal data we process?

 

You have a right to…

Explanation

Be informed about how we use your personal data.

This Privacy Notice explains how we collect and process personal data. When we request personal data from you we will provide you with information to explain what personal data we collect, why we are doing so and how we process that information. For example, all forms on our website that request personal data refer to this Privacy Notice and provide a link to access it online or to contact us by telephone for further information. Our FRS (Financial Reporting System) and Designated Business websites also make reference to their Privacy Notices’.

Access your personal data to ensure that it is accurate and, if it is inaccurate, to request that it is rectified, blocked, erased or destroyed.

To make any request relating to your personal data held by us, please contact the Authority’s Data Protection Officer (see below).

Withdraw your consent at any time in the limited circumstances where we process your personal data with your express consent (i.e. where you are not legally compelled to provide such information).

This applies to situations where you are not legally compelled to provide information, for example when you sign up to receive our electronic newsletter. It would not apply where you are required by law to provide information to assist us in exercising our statutory functions.

 

Your rights may be limited where we are processing your personal data for law enforcement purposes, such as the inspection and investigation of criminal offences. We will be able to advise you if this is the case when you seek to exercise rights in relation to your personal data.

 

How can you access your personal data?

 

To make any request relating to your personal data held by us, please contact the Authority’s Data Protection Officer (see below).

 

Other Privacy Notices

 

The Authority has issued the following Privacy Notices to provide individuals with additional information on how their personal data is processed for specific purposes or when using specific systems:

 

 

Other Information

 

Contact our Data Protection Officer

 

The information provided in this Privacy Notice is not exhaustive. If you would like more information or explanation of a particular area then you may contact the Authority’s Data Protection Officer by email, telephone or post using the details below.

 

If you have any concerns about the way in which we collect or process personal data then we would like to know to see what we can do better. You can discuss your concerns with our Data Protection Officer.

 

If you are not satisfied with a response you receive from us then you can make a complaint to the Isle of Man Information Commissioner, whose details can be found on www.inforights.im. You may have a right to other remedies.

 

Data Protection Officer Contact Details

By email

dataprotection@iomfsa.im

By telephone

+44 (0)1624 646032

In writing

Data Protection Officer

Isle of Man Financial Services Authority

PO Box 58

Finch Hill House

Douglas

Isle of Man

IM99 1DT

 

Offences for false or misleading information or failure to provide

 

People may commit an offence where they provide us with false or misleading information or fail to provide information when lawfully required to do so. The offences can be found in the relevant legislation, however generally they are as follows:

 

Offence

Legal Liability

A person who provides false or misleading information to us when lawfully required

Liable on conviction to a fine or custody of up to 2 years, or both.

A person who, without reasonable excuse, fails to provide information to us when lawfully required

Liable on conviction to a fine or custody of up to 2 years, or both.

 

More information

 

You can find out more information by:

 

  • Contacting our Data Protection Officer (see above)
  • Asking to see your information or making a complaint if you feel that your information is not being handled correctly by contacting our Data Protection Officer
  • Making a subject access request which is a request for some or all of the personal data we hold about you by contacting our Data Protection Officer
  • Obtaining a copy of this Privacy Notice in large print, braille, or in an alternative language by contacting our Data Protection Officer.

 

Changes to this Privacy Notice

 

This Privacy Notice may change. If any significant change is made to this Privacy Notice we will provide a prominent notice on this website so that you can review the updated Privacy Notice.

 

This Privacy Notice was last updated on 18 July 2024.