Privacy Policy

Data Protection Information Notice for

KBA Associates Consulting (UK) LLP

Waystone Financial Investments Limited

Waystone Transfer Agency Solutions (UK) Limited


Waystone Administration Solutions (UK) Limited


Waystone Capital Solutions (UK) Limited


Waystone Compliance Solutions (UK) Limited


Waystone Governance (UK) Limited


Waystone Management (UK) Limited

1. Who are we?

Each of the legal entities listed above is part of the Waystone group of companies (‘Waystone’), which is a global organisation providing financial and compliance services in Europe, the UK, the UAE, Switzerland, Singapore, Hong Kong, Bermuda, the Cayman Islands and the USA.


Our business in the United Kingdom is as follows:

KBA Associates Consulting (UK) LLP: UK Facilities Agent
Waystone Financial Investments Limited: ISA management service
Waystone Transfer Agency Solutions (UK) Limited: Administration services provider to collective investment schemes
Waystone Administration Solutions (UK) Limited: Administration services provider to Alternative Investment Funds and Qualified Investor schemes
Waystone Capital Solutions (UK) Limited: Investment advice and distribution services provider
Waystone Compliance Solutions (UK) Limited: Regulatory compliance advisory services provider
Waystone Governance (UK) Limited: Process Agent
Waystone Management (UK) Limited: Authorised Corporate Director and manager of collective investment schemes

 

2. What is this Data Protection Information Notice (‘Notice’)?

This Notice describes where we obtain personal data, what we do with it, the legal basis relied on for processing, the retention of the personal data, the recipients and transfers of personal data, and how we ensure data protection rights are respected.


This Notice reflects the requirements as set out in Articles 13 and 14 of the UK General Data Protection Regulation (2016/679) (‘UK GDPR’).


It applies to individuals whose personal data we process in the course of operating as a data controller.

A data controller is defined in the UK GDPR as the entity who determines the ‘why’ and the ‘how’ in terms of processing your personal data.

There are also circumstances where we process personal data as a data processor. In this instance, we are acting upon the instructions of our clients, who are the data controllers. This processing activity is outside the scope of this Notice. The personal data collected, the purpose of collecting, the means of collecting and the retention period are all determined by our clients, the data controllers, and outlined in their respective Data Protection Information Notices or similar documents.

If you are an employee, contractor or job applicant for any of the listed Waystone legal entities, please refer to the separate ‘Employee and Candidate Data Protection Information Notice’.

 

3. What personal data do we collect and from whom?

Personal Data is information that identifies you as an individual.


We will collect and use only as much personal data from you as is necessary to be able to provide you with the products and services you have requested from us.

The personal data we collect and process depends on the nature of our relationship with you. For example, you may be:

  • a director or employee of a Waystone corporate client,
  • an investor in a fund we manage,
  • an Independent Financial Adviser representing an investor,
  • a beneficiary, or a legal representative of an investor,
  • an executor to the estate of a deceased investor,
  • an attendee at an event or a webinar we organise, or
  • a visitor to our website where you have requested information about our products and services.

We may process all or some of the following categories of personal data:

  • name, date of birth, marital status, address, email address, telephone number, gender, and other contact details which you provide us with on completing, for example, an Enquiry Form, Event Form or Application Form.
  • circumstances or needs you share with us, which may warrant tailored treatment.
  • nationality and residency details.
  • identification information such as your national insurance number, passport, tax identification number and driving licence.
  • proof of address.
  • bank account details or other payment or financial information.
  • information relevant to your investment.
  • your marketing preferences.
  • your job title, role, employer and work contact details.

We may collect personal data directly from you:

  • via ISA or fund application/account opening forms.
  • through feedback forms and other forums.
  • when you purchase any of our products or services.
  • when you fill out a survey or vote in a poll on our website.
  • when you register for and attend an event we organise.
  • via our telephone calls with you, which may be recorded.
  • when you provide your details to us either online or offline.
  • when you send an email or letter.
  • via cookies, which you can find out more about in the cookies policy on our website.
  • when you subscribe for our newsletter.

Depending on the nature of our relationship with you, we may also collect your personal data from several different sources including:

  • through companies which validate identity for financial crime purposes using tools such as the electoral register (this is not a credit check, but a record of the search may be retained).
  • from third party registers maintained by regulators such as the Financial Conduct Authority.
  • through business interactions between you and other companies within the Waystone Group.
  • from your authorised independent financial advisor.
  • from family members or your legal representative or an appropriately appointed authorised representative if you become incapacitated or unable to provide information relevant to your investment.
  • from social media platforms you interact with Waystone on, or
  • from your employer, if you work for a client organisation or service provider we deal with.
  • from the organisation that you are a director/partner/member of.

4. Why do we collect your information?

This is again dependent upon the nature of the relationship we have with you:

  • if you are an investor, we use your personal data to review your application, administer your investment product or provide a service to you in our capacity as data controller or to communicate with you.
  • if you are an investor, and we are the transfer agent, we use your personal data to verify your identity as we have legal obligations to undertake anti-money laundering and Know-Your-Client checks on you.
  • if you are an investor, and you share circumstances and needs, we will use this to help support and tailor services to you.
  • if you are a financial advisor or an employee of a financial advisory firm, we use your personal data to communicate with you and provide you with information.
  • if you are a client or a prospective client or a representative of a client, we process your personal data as part of our due diligence and onboarding processes and to comply with ongoing legal obligations on anti-money laundering and counter terrorist financing, taxation, crime-detection, crime prevention, investigation, the prevention of fraud, bribery, anti-corruption, tax evasion.
  • if you are representing a client, for the purpose of delivering a service to that client, for the purpose of maintaining appropriate business records, including maintaining appropriate registers required under applicable law and regulation, for the purpose of quality control, business and statistical analysis, market research, for the purpose of tracking fees and costs and for the purpose of customer service, provision of regulatory updates, corporate updates, training, and related purposes.
  • if you are representing a client for the purpose of maintaining our ongoing relationship with you, such as via correspondence and calls, and in connection with the administration of our relationship with you. Telephone calls with you may be recorded for the purposes of record keeping, security and training.
  • if you work for an organisation that provides other services to us or our clients.
  • if you visit our website, we process your personal data to respond to your request to contact you, to analyse user journeys and to carry out upgrades and maintenance.
  • if you accept an invitation to attend an event or webinar, we process your contact details for registration purposes.

5. What is the legal basis associated with such purposes?

We always ensure a lawful reason to use and process your personal data in accordance with the principle of ‘lawfulness of processing’ under the UK GDPR and the UK Data Protection Act. We have provided further details on the same in the table below.

For each purpose of processing, the entries below set out the personal data we may process (which shall include, but shall not be limited to, the types of information set out below) and the legal basis for processing.

Purpose of Processing: To review your investment application (including tax domicile status).
Personal data:
  • Your name, contact details, date of birth, NI number, gender, marital status, and address for tax purposes.
  • Similar information for other individuals included in the investment, such as beneficiaries, including minor children.
Legal Basis for Processing:
  • To provide you with your investment (contract).
  • To meet obligations imposed on us by tax authorities and regulator (legal obligation).

Purpose of Processing: To administer, provide and service your investment.
Personal data:
  • Your name, contact details, date of birth, NI number, gender, marital status, and address for tax purposes.
  • Similar information for other individuals included in the investment, such as beneficiaries, including minor children.
  • Investment performance information.
  • Your bank account details.
Legal Basis for Processing:
  • To provide you with your investment (contract).
  • To meet obligations imposed on us by tax authorities and regulator (legal obligation).
  • To receive payments from you and to make payments to you (our legitimate interest).

Purpose of Processing: To regularly communicate with you.
Personal data:
  • Your name, contact details and any information relevant to your investment.
  • Similar information for other individuals included in the investment, such as beneficiaries, including minor children.
  • Investment performance information.
  • Information you share with us, for example if you request communications in Braille or other easier to read formats.
  • Special category data e.g., health data (for purposes of accessibility).
Legal Basis for Processing:
  • To provide you with your investment (legitimate interests).
  • To meet obligations imposed on us by tax authorities and regulator (legal obligation).
  • To receive payments from you and to make payments to you (Legitimate Interests).
  • To provide support with circumstances such as health, life events, financial resilience, and capability-related (Legal Obligation).
  • Collected in the course of administering your investment (Consent).

Purpose of Processing: To provide services to our corporate clients.
Personal data:
  • Your name, work contact details, role within a client organisation, date of birth, passport number and other fitness and propriety information, if required and relevant for the service we are providing.
Legal Basis for Processing:
  • To meet obligations imposed on us by regulatory authorities (legal obligation).
  • To ensure we deliver services to our corporate clients as agreed in our contract with (Legitimate Interests).

Purpose of Processing: To resolve a complaint you may have.
Personal data:
  • Your name, contact details and any information relevant to your investment.
  • Similar information for other individuals included in the investment, such as beneficiaries including minor children.
Legal Basis for Processing:
  • To resolve any complaints (Legal Obligation and Legitimate Interests).

Purpose of Processing: To prevent financial crime such as money laundering, sanctions breaches, tax evasion and fraud.
Personal data:
  • Your name, contact details, date of birth, NI number, or other official personal identifiers and address for tax purposes.
  • Similar information for other individuals included in the investment, such as beneficiaries including minor children.
  • Your bank account details.
  • Special category data e.g., personal data revealing political opinion.
  • Criminal convictions if discovered on a Disclosures check.
Legal Basis for Processing:
  • To provide you with your investment (Contract).
  • To meet obligations imposed on us by tax authorities and regulator (Legal Obligation).
  • Special category data or data relating to criminal convictions will only be processed to prevent financial crime (Substantial Public Interest).

Purpose of Processing: For our own internal and external management information purposes, maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice.
Personal data:
  • Your name, contact details, date of birth, NI number, address for tax purposes.
  • Similar information for other individuals included in the investment, such as beneficiaries including minor children.
  • Investment performance information.
Legal Basis for Processing:
  • To maintain appropriate records to monitor performance and evaluate business performance (legitimate interest).
  • To meet obligations imposed on us by tax authorities and regulator (Legal Obligation).

Purpose of Processing: For analytical purposes and to improve our products and services. To support updates and upgrades on our systems.
Personal data:
  • Cookie tracking data.
  • Your name, personal identifiers.
Legal Basis for Processing:
  • For internal analysis and service improvement (Consent).
  • Essential System Maintenance (Legitimate Interests).

Purpose of Processing: Carry out market research on specific products and services.
Personal data:
  • Your name, contact details.
Legal Basis for Processing:
  • For internal analysis to help us meet service obligations (Legitimate Interests).

Purpose of Processing: To comply with our legal or regulatory obligations.
Personal data:
  • Your name, contact details and any information relevant to your investment.
  • Similar information for other individuals included in the investment, such as beneficiaries including minor children, may be shared where there is a legal or regulatory imperative.
Legal Basis for Processing:
  • To meet obligations imposed on us by tax authorities and regulator (legal obligation).

Purpose of Processing: To register attendance at an event or webinar.
Personal data:
  • Your name, contact details and job role.
Legal Basis for Processing:
  • To promote Waystone products and services (Legitimate Interests).

 

6. Who do we share personal data with?

We will only disclose your personal data in accordance with applicable laws and regulations. We will disclose your information to the following third parties:

  • a promoter, investment manager, sponsor, fund manager, administrator, or the depositary/trustee (as applicable) of the relevant collective investment scheme that you have invested in.
  • any person with legal or regulatory powers (such as the FCA, the police or the Serious Fraud Office that may require disclosure on legal grounds, HM Revenue & Customs and tax authorities in overseas jurisdictions or other relevant Government departments where reasonably necessary for financial crime and sanction prevention purposes).
  • your relatives, powers of attorney, guardians acting on your behalf.
  • a financial advisor or a lawyer that you have appointed and advised us to share your personal data with them.
  • other people or organisations associated with you such as your financial advisor or your lawyer whenever you have authorised them to act on your behalf.
  • our third-party investment product and service administrators.
  • credit reporting agencies for the purposes of verifying your identity.
  • third-party organisations who provide SaaS, IaaS, and/or PaaS services & support, event management, marketing services, market research, couriers and postal services, website hosting, and cloud-based services to Waystone.
  • our lawyers, advisors, and auditors who provide services to Waystone and are subject to confidentiality obligations.
  • any member of the Waystone group of companies, which means our subsidiaries, our ultimate holding company, and its subsidiaries and any prospective investors or acquirers, as necessary.

Some of these third party recipients will process your personal data on our behalf as data processors. Others will determine the purposes and means of processing of your personal data as data controller and may be permitted to disclose your personal data to other parties in accordance with applicable law.

For certain aspects of the processing activities, we may transfer personal data outside of the UK where privacy laws may be different.

In these instances, we always take steps to ensure that any transfer of personal data outside of the UK is carefully managed to protect your data protection and privacy rights and ensure that adequate safeguards are in place by carrying out transfer risk assessments, due diligence and ensuring adequate contractual obligations are in place with such third parties with whom the information is being shared for further processing.

For more information about data transfers and the safeguards we have put in place, please contact us at dataprotection@waystone.com.

7. How do we keep your information secure?


We store the information provided about you in secure databases and take appropriate security measures to protect such information from unauthorised access.

Any personal data which is collected, recorded, or used in any way has appropriate safeguards applied in line with our data protection obligations.

We implement internal and external audits and carry out regular independent assurance exercises across our business to ascertain the effectiveness of our security control environment and our security strategy.

Your information is protected by controls designed to minimise loss or damage through accident, negligence, or deliberate actions.

Our security controls are aligned to industry standards and good practice, providing an environment that effectively manages risks to the confidentiality, integrity, and availability of your information.

All exchanges of information between you and our website go through encrypted channels in order to prevent interception of your information. Public access to your information via our website / the portal / any web-hosted platform is protected by a login using at least your user ID and password. You should ensure that these are kept secret and not divulged to other people.

8. How long will we store your information for?

As required under UK GDPR, we will not retain your personal data on our systems for any longer than is necessary for the purpose for which your personal data is processed. Such purposes are outlined in section 4.

Typically, in order to comply with our various legal and regulatory obligations, including but not limited to anti-money laundering and Know-Your-Client obligations, we will retain your personal data for 7 years from the end of our relationship with our clients and/or the investors in the funds we provide services to.

In some cases where there may be a dispute or a legal action, we may be required to keep personal data for longer.

9. Your rights

You have the following rights in relation to how we use your information. If you’d like to exercise these rights, please contact us using the contact details listed below under “Who can you speak to about Data Protection?”

The right to lodge a complaint
You have a right to complain to the Information Commissioner’s Office at any time if you object to the way in which we use your personal data.

Contact details as follows:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone: 0303 123 1113

https://ico.org.uk/

Right of access
You have the right to know if we are using your information and, if so, the right to access it and information about how we are using it. There will not usually be a charge for dealing with these requests. Your personal data will usually be provided to you in writing, unless otherwise requested. Where you have made the request by electronic means the information will be provided to you by electronic means where possible.

Right of rectification
We take reasonable steps to ensure that the personal data we hold about you is accurate and complete. However, if you do not believe this is the case you have the right to require us to rectify any errors in the information we hold about you.

Right to erasure
You have the right to require us to delete your information if our continued use is not justified. However, this will need to be balanced against other factors. Depending upon the type of personal data we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request.

Right to restrict processing
In some circumstances, although you may not be entitled to require us to erase your information, you may be entitled to limit the purposes for which we can use your information.

Right of data portability
You have the right to require us to provide you with a copy of the personal data that you have supplied to us in a commonly used machine-readable format or to transfer your information directly to another controller (e.g., a third-party offering services competing with ours). Once transferred, the other party will be responsible for looking after your personal data.

Right to object to direct marketing
You can ask us to stop sending you marketing messages at any time.

Right not to be subject to automated decision making
We do not make decisions about you using automated decision making or profiling of your personal data.

The right to withdraw consent
For certain limited uses of your personal data, we may ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal data. If you withdraw your consent, we may not be able to provide certain products and services to you. If this is the case, we’ll tell you at the time you ask to withdraw your consent.

You can make any of the requests set out above using the contact details in this Notice. Please note that in some cases we may not be able to comply with your request for reasons such as our own obligations to comply with other legal or regulatory requirements.

We will, however, always respond to any request you make and if we cannot comply with your request, we will tell you why.

Marketing
We may use your personal data for marketing purposes where you have purchased similar products and services from us or where you have consented.

If you wish to unsubscribe from any emails sent by us, you may do so at any time by following the unsubscribe instructions that appear in the email. In addition, you can always contact us using the details set out in this Notice to update your contact preferences. In such circumstances, we will continue to send you service related (non-marketing) communications where necessary.

10. How do we use cookies on our website?

We use a number of cookies on our website to enhance your experience and analyse your journey on our website. For details on what and how we use cookies on our website, please see our Cookie Policy.

11. Following links from our websites

Our site may contain links to other sites. Such other sites may also make use of their own cookies and will have their own privacy policies. You should carefully review the privacy policies and practices of other sites, as we cannot control or be responsible for their privacy practices. We do not accept any liability for the privacy practices of such third-party websites and your use of such websites is at your own risk.

12. Social Media

If you interact with us via social media, for example LinkedIn, your personal data may be used to respond and communicate with you. We will not use your personal data for any other social media purposes unless you ask us to.

13. Changes to this Notice

Please note that this Notice will be reviewed and may be changed from time to time. Any changes we may make to this Notice in the future will be posted on this page.

14. Who can you speak to about Data Protection?

Questions, comments and the exercise of your rights regarding this Notice and your information are welcomed and should be addressed to the Data Protection Officer and sent by email to dataprotection@waystone.com or by post to

3rd Floor,
Central Square,
29 Wellington Street,
Leeds,
United Kingdom, LS1 4DL

 

Dated: September 2024
Revisions in September 2024, reflecting name changes of legal entities