Clearwater’s Privacy Policy
… it’s better in Clearwater

Privacy Statement

In the normal course of carrying out our business, we will have to obtain personal informationabout individuals. However, in doing so we are bound by certain legislation. This is Man Data Protection Act 2018, which adopts the principles and objectives of the EU General Data Protection Regulation (GDPR).

The Act requires us to ensure as far as possible, personal information privacy, and to provide you with a full explanation covering:

  • Why the personal data is processed;
  • Whose personal data is processed;
  • What personal data is processed;
  • When personal data is processed; and
  • Where personal data is processed;

GDPR also provides individuals with certain rights:

  • Access to an individuals data, in a commonly used electronic format (data portability);
  • Have inaccuracies corrected;
  • Withdrawal of consent;
  • Have information erased;
  • Prevent direct marketing;
  • Prevent automated decision-making and profiling;

We must also advise you of how to make a complaint.

Why do we collect personal data?

  • We have regulatory requirements in respect of Anti Money Laundering and Countering the Financing of Terrorism (AML/CFT). A major component part of these requirements is to be able to verify the identity of individuals, their source of wealth, and the source of any funds that may be being utilised
  • There are now obligations on us regarding international initiatives in respect of Automatic Exchange of Information (AEOI). These comprise the United States Foreign Account Tax Compliance Act (FATCA), and the OECD Common Reporting Standard (CRS), and we are required to make reports comprising personal information to Isle of Man Income Tax, who will then send this information to other jurisdictions where individuals have a tax obligation
  • Our ability to offer/provide services to clients and prospective clients is dependant on having access to personal information
  • Legislation such as the Employment Act 2006, and certain regulatory requirements, for example Business Continuity Planning, and payment of salaries, mean that we need to collect personal data in respect of Staff

Whose personal data is processed?

To enable us to provide our professional services as efficiently as possible, we will process personal data in respect of:

  • Clients – current, potential and former
  • Staff – current and former
  • Business Contacts
  • Suppliers
  • Complainants
  • Settlors, Protectors, Trustees & Beneficiaries (who in certain circumstances may be children)
  • Controlling Persons of Entities
  • Politically Exposed Persons, their families and associates
  • Associates, Employees, Consultants of Client Entities

What personal data is processed?

The GDPR requires us to advise you what type of personal information will be processed. In addition we need to advise you how the information is obtained, and the legal basis upon which it is based.

  • Name, address, telephone no., e-mail, date of birth, place of birth, photos, hobbies, sourced from individuals themselves, internet, social media and third party introducers. The legal basis for this is AML/CFT, legislation such as the Bribery Act 2013 and consent
  • Financial details, National Insurance numbers and individual tax reference numbers, which are primarily sourced from individuals themselves. The legal basis for this is AEOI and consent
  • Know Your Client (KYC) and Client Due Diligence (CDD) information, comprising such things as passport, utility bill, driving licence, source of wealth, source of funds, and bank account details. These are generally sourced from individuals themselves or from third party introducers. The legal basis for this is AML/CFT, legislation such as the Bribery Act 2013 and consent
  • CV’s, references, absence records (whether through leave or illness), sourced from individuals themselves or internal Human Resources (HR) records. The legal basis for this is legislation in respect of HR, regulatory requirements and consent
  • In certain circumstances we may hold information relating to criminal convictions/allegations or whether a person holds PEP status, and this would normally be sourced through independent screening agencies. The legal basis for this is AML/CFT and legislation such as the Bribery Act 2013

Where the legal basis is “consent” we will require this to be “explicit consent”. Similarly, where personal information is collected in respect of children (being anyone under the age of 13), it will be necessary for the parent or guardian to provide “explicit consent”.

Explicit consent has to be a positive indication of agreement to personal data being processed, and this is obtained from you when you sign any of the information gathering questionnaires required by Clearwater which enable us to provide professional services to you.

When is personal data processed?

We will obtain information from you at the start of our business relationship or potential business relationship, and moving forwards at any regulatory or contractual “trigger events”.

A trigger event can be constituted by any of the following:

  • Change of address
  • Change of signatories
  • Change of ownership or structure
  • Change of name
  • Substantial deposits (relative to expected activity)
  • Forming a new company
  • Opening a client portfolio
  • Adding monies to an existing client portfolio
  • Any other significant change to the client’s circumstances

Unless we receive written consent from yourself, we will not release any information about you to third parties. However, there are some exceptions to this where we are obliged to provide private information:

  • On receipt of a Court Order
  • To comply with an authorised request from a regulatory or financial investigative authority
  • Where we are opening a bank account
  • As required by regulatory audit regulations
  • To our IT service providers as custodians of our operational and management information systems
  • To comply with international agreements on AEOI

We will retain your private information only for as long as is appropriate, and for a period of 6 years as required under regulation. In rare circumstances this regulatory period can be extended to up to 18 years. These vary dependent on certain factors, and we would be happy to discuss these if you require.

At the end of the designated retention period, all private information held on whatever medium is destroyed.

Where is personal data processed?

All manual records are held at our registered office address, South Suite, Ragnall House, 18 Peel Road, Douglas, IM1 4LZ, Isle of Man.

Electronic records take the form of all/any of the Microsoft Office suite together with Adobe Acrobat and Dropbox. These are held on individual workstations situate at the registered office address, as well as personal portable devices for remote working and access.

Where electronic records are utilised, the systems/services used comprise:

  • External host based in the Isle of Man
  • The Cloud as utilised by our external host and ourselves utilising Dropbox
  • Remote connection to a virtual server

To assist with the protection of personal information Clearwater has four layers of firewalls which all comply with “Stateful Packet Inspection” (“SPI”), an internationally defined standard for firewalls, and additionally utilises AuthAnvil to protect remote access. We are also required to regularly monitor technological developments and cybercrime.

Your rights

Access Requests
You are entitled to ask for details of any personal information that we hold. This will be provided as quickly as possible, but in any event, no later than 30 days after receipt of the request. We will not charge for accessing and providing you with the information. At the same time we will remind you of your rights which are to:

  • Have your data provided in a commonly used electronic format (data portability);
  • Have inaccuracies corrected;
  • Withdrawal of consent, (except in certain circumstances as outlined above);
  • Have information erased;
  • Prevent direct marketing;
  • Prevent automated decision-making and profiling;

Privacy breaches

Should a privacy breach occur we will notify you directly as soon as possible following identification of the breach. This notification will include:

  • Date of the Breach
  • Description of the Breach comprising a general description of what happened
  • Description of the information inappropriately accessed, collected, used or disclosed
  • The steps taken so far to control or reduce the harm
  • Future steps planned to prevent further privacy breaches
  • Steps you might consider taking
  • Contact details of the Information Commissioner
  • Our contact details


Should you feel it necessary to make a complaint, in the first instance this should be made in writing explain the reasons for the complaint to:

Mr S Hulbert
Director and Compliance Officer
Clearwater Fiduciary Services Limited
South Suite
Ragnall House
18 Peel Road
Isle of Man

T: +44 (0)1624 626400 M: +44 (0)7624 493844
F : +44 (0)1624 616203
E :

You will receive an acknowledgement of this within 3 working days, and a full response within 10 working days.

If you feel that your complaint has not been satisfactorily resolved, you may complain directly to the Information Commissioner:

Mr I McDonald
Information Commissioner
PO Box 69,
Isle of Man
IM99 1EQ

T: +44(0)1624 693260


Wherever you are.

Please Contact us to find out how we can help you.
We welcome the opportunity to assist you.

Contact Us