Privacy Statement

This page details the privacy statement for The ID Register (Guernsey) Limited trading as IDR and its affiliates (“we”, “us” and “our”).

The purpose of this privacy statement is to explain how we collect, process and protect personal data. “Personal data” means any information relating to an identified or identifiable individual.

About us

IDR is a centralised investor onboarding utility, offering a one-and-done sign-off that makes investment faster, easier and more cost-effective.

We provide a web portal where any user who publishes or subscribes to information may access the services we offer through the website https://idrgroup.com (the “Site”). The Site is owned by The ID Register (Holdings) Limited, a limited company registered in Guernsey under company number 68115 and with a registered office at 5th Floor, Market Building, Fountain Street, St Peter Port, Guernsey GY1 1BX.

For the purposes of the Data Protection (Bailiwick of Guernsey) Law, 2017, the Data Controller in relation to The ID Register group of companies is The ID Register (Guernsey) Limited.

We have appointed Mark Quigley as our representative in the European Union who may be contacted at privacy@idrgroup.com.

This privacy statement applies to all those accessing the Site, including Authorised Users and their agents or delegates (“you”, “your”) and all those whose personal data is collected by us in connection with providing the Services, marketing the Services or employing staff. This privacy statement only covers this website https://www.idrgroup.com and its associated applications including https://app.theidregister.com. It does not cover any other sites that you can link to from this site so you should always be aware when you are moving to another site and read the privacy statement on that site.

Capitalised words/phrases used but not defined in this Privacy Statement are defined in the Terms of Business or the Services Agreement between you and us.

The Law

The following laws principally regulate how we collect, store, manage, use, disclose and provide access to personal data:

  • The Data Protection (Bailiwick of Guernsey) Law, 2017
  • General Data Protection Regulation (Regulation EU 2016/679)
  • The Mauritius Data Protection Act, 2017

Public Areas of Site

When using the public areas of this site you are not required to provide us with any personal data and we do not monitor or collect any personally identifiable information from you on your use of the public portions of this site. We may track the number of users who visit areas of the site, but this tracking will not identify you.

Our Clients

Our clients are typically participants in private investment markets such as funds, fund managers, advisors, administrators, broker-dealers and trust and corporate service providers. Their clients are typically investors although investors may also be our direct clients for certain services.

Our Services

The main services we offer clients are:

  • Investor registration i.e. recording the particulars of each investor in a collective investment scheme / fund;
  • Conducting know your client due diligence checks (“KYC”) on all participants in a fund, investment vehicle or portfolio company including name screening;
  • Conducting Foreign Account Tax Compliance Acts and Common Reporting Standard (“FATCA CRS”) reporting to tax authorities; and
  • Assisting investors in completing a subscription questionnaire with the purpose of complying with securities laws and providing a facility for digital signing of the subscription agreement.

Interaction between our Services and your Personal data

  • KYC checks involve the identification and verification of participants in an investment vehicle (including investors and the manager or advisor) who are natural persons and the beneficial owners and controllers of participants which are legal entities (such as companies) and legal arrangements (such as trusts).
  • FATCA CRS reporting involves the reporting of information to tax authorities including personal data such as the name, tax ID, date of birth and address of the above mentioned individuals.
  • The subscription questionnaire and subscription agreement involves gathering details of an investor’s suitability to participate in the fund, for example, establishing if they are a qualified purchaser and/or accredited investor and details necessary for the administration of the fund.

How we collect personal data directly from you

Where we contract with a client such as a fund, fund manager, administrator or broker-dealer to provide one or more of our Services, the contract you sign with that client (for example, a subscription agreement) will generally require you to provide KYC and provide securities law representations. The client will direct you to create a Passport on our platform (or share your existing Passport) in order to provide the required items and our team will assist you in completing the Passport.

You may also choose to contract with us directly to manage your KYC and facilitate your counterparties accessing your KYC.

When you register to use the platform and/or services and create a Passport provided through the Site, we will ask you to voluntarily provide us with certain personally identifiable data, such as your name, date of birth, address, telephone number, e-mail address, driver’s licence, passport details, bank account details, credit or debit card details, investment information and employment information including source of wealth and source of funds. You may also choose to provide the personally identifiable data of other individuals having been duly authorised to do so by the individuals in accordance with our Terms of Business. A simple example of this is where you are acting on behalf of an investment company and are required to provide KYC on the company structure which may include natural person directors, signatories and beneficial owners.

Where you are certifying documents on behalf of a User of the Site, we will gather certain details from you or the person on whose behalf you are acting. Such details may include your name, email address, employer, IP address and professional identification number (for example, your registration number with an accountancy body). These details will be present on the document you certify and therefore will be visible to counterparties of the person on whose behalf you are acting in a similar manner to a wet ink signature.

We may also collect details of your visits to the Site (including but not limited to traffic data, location data, IP addresses, weblogs and other communication data, and the resources that you access).

Generally, this information will be collected directly from you, for example when you fill out an application form, create a Passport, upload KYC documents, email our Helpdesk, submit an online form to us, use the Services, connect with other users, download information or correspond with us.

How we collect Personal Data from third parties

We may also obtain personal data about you from third parties such as:

  • Professional service providers used by us such as Refinitiv (WorldCheck) with the purpose of identifying and managing risks. Such data may include details of your family connections, associates, political associations, law enforcement actions and regulatory enforcement actions. Further details on the type of data held by Refinitiv (WorldCheck) and how they process data may be found here: https://www.refinitiv.com/en/policies/privacy-statement
  • Professional service providers such as lawyers and fund administrators who are our clients or are used by our clients. The purpose is to share KYC already provided by you so as to minimise repetition.
  • Public databases such as Companies House in the UK with the purpose of evidencing your ownership or control over legal persons and/or your fitness and propriety.
  • Your authorised representative or contractual counterparty, for example, when you or an entity that you own or control makes an investment application with one of our clients. Our client in turn contracts with us to provide one of our Services and may share personal data already gathered from you.

We will retain your personal data for as long as you are using the Services provided through the Site or are connected with a client of ours using the Services and for such additional period as we or our clients may be required to retain such personal data under applicable law.

Reasons for collecting and lawful grounds for processing Personal Data

We collect personal data from you and process such personal data for a variety of reasons:

  • Opening and operating an account with us
  • Managing KYC on your behalf and providing it to your investments at your direction or issuing an introduction certificate in lieu of providing the underlying information
  • Processing necessary for the performance of a contract to which you are a direct or indirect party, for example, an investment application from you or managing your investment(s) including communicating about your investment(s). This may be due to your association with an investment, inter alia, as: investment manager; investment advisor; lawyer; administrator; investor; or owner / controller of an investment vehicle
  • Processing necessary to comply with a legal obligation to which we or our clients are subject:
    • As part of an investment application, our clients (the Data Controllers) are typically under a legal obligation to identify and verify their investors including beneficial owners and controllers (“KYC”)
    • Our clients may also (depending on the jurisdiction of the investment) be under a legal obligation to provide certain personal data to tax authorities (“FATCA CRS”)
    • Our clients may also (depending on the jurisdiction of the investment) be under a legal obligation to ensure that you are eligible to make an investment under applicable securities laws
    • We may also be under an obligation to identify and verify our clients including beneficial owners and controllers
  • To notify you about changes to the Site or to the services under which your information is processed.
  • Accessing the Site and Services
  • Sending marketing communications in relation to information, updates, products or services which you have requested from us or which we feel may interest you, where you have consented to be contacted for such purposes or have been added to our contact list by another lawful means. We will collect and process your name, job title and company name, location and contact details.
  • Personalising your experience
  • To carry out our obligations arising from any contracts entered into between you and us, including accounting, billing and other internal administrative purposes
  • Complying with our legal obligations under applicable laws and to the extent required by applicable laws, rules or regulations, including at the request of any competent authority, court or regulator
  • Where such personal data constitutes special category or criminal data, for example, details of criminal convictions or political associations then we will process such data in the substantial public interest of preventing financial crime on the basis of applicable law
  • Document certifiers: processing in order to verify your identity and also to prove that you are suitably qualified to certify documents, for example, by evidencing you have been admitted to practice law. We do this in the public interest of preventing financial crime by mitigating the risk of fraudulent documents being used on our Site

By creating a Passport through the Site you consent to the collection and processing of your personal data and other personal data provided by you for the above purposes.

Where you have not entered into a contract for Services with us or with another user of the platform which requires the collecting and ongoing monitoring of your personal data then you may withdraw your consent at any time by deleting your Passport. We may be obliged to retain a record of your personal data, however, to comply with our legal obligations and it will be deleted after an appropriate period of time.

Where your Passport has been connected with another Passport on the Site to comply with a legal obligation and/or fulfil the terms of a contract then the legal basis for processing your personal data is, in order of priority, (a) compliance with a legal obligation to which the Data Controller is subject or, where the legal obligation does not exist, (b) the processing is necessary for the performance of the contract.

In such circumstances, should you wish to delete your Passport, we will refer the matter to the Data Controller(s) and comply with its directions provided we can do so in accordance with applicable law.

Sharing of information with users of IDR by you

Personal data uploaded to your Passport may be viewed by you and us. It also may be shared with other users of IDR under the following circumstances:

  • A connection request is sent from your Passport to another Passport by you (or upon your instructions) and the connection request is accepted by the recipient or vice versa. For example, an investor sends a request to connect with a fund in the role of ‘beneficial owner or investor’. If the fund accepts this request then the fund will be able to see the content of the investor’s Passport (including personal data and related party profiles such as owners and controllers) with the exception of details of the investor’s other investments which are unrelated to that fund
    • Please note that by making such a connection, you consent for your personal data to be shared with those with whom you connect, including their Super Users, Authorised Users, their agents or delegates. The persons with whom you connect may be based in a country which does not have the same level of data protection as the country in which your data was gathered.
  • A user is added to your Passport by you or by us with your consent
  • Other users may search for your Passport in order to make a connection request. Passports created on IDR contain geographic address information and when another user of IDR wishes to connect to your Passport they can search for the name of your Passport and make a connection request. In order to minimize mistaken requests to connect to a Passport with a similar or identical name (for example, there may be multiple individuals with the same name on IDR), the User will also see the Country and City where the individual or entity is located when they search for the name.
    • If you wish to disable this information (name and city/country) from being searchable to other Users, you may do so by unticking the ‘Allow others to connect to me’ box on your Passport.

Disclosure of your information to third parties by us

Your choices as to who is able to see your personal data will be respected and we will not transfer that information to others, save as set out in this privacy statement.

We will not disclose or transfer personal data to third parties for the purposes of marketing or profiling, however we may disclose or transfer such information to agents or third parties authorized to act on our behalf such as our screening provider and other sub-processors or to our affiliates or employees only for the purposes of providing the Services or maintaining the platform.

Sub-Processors

IDR also uses sub-processors to provide the Services, provide auditing and consulting services for the Services, support the Site and support our Information Technology environment. A list of our sub-processors is contained in Appendix 1.

On occasion, we will use and disclose statistical data regarding the use of the Services, but this will not include personal data or any identifiers from which you could be identified. Your personal data will not be used in advertisements for the Services.

Transfers outside the EEA and Guernsey

When sharing data about you with employees or other entities in the IDR group, or if it is necessary to provide you with our Services or to maintain the platform, your data may be transferred outside the country in which it was collected. If your data is collected within the European Economic Area (EEA), this means that your data may be transferred outside of the EEA, including to a country that may not have data protection standards equivalent to those in the EEA.

To the extent that your personal data is transferred to a country outside the European Economic Area and/or outside a country with an adequacy decision from the European Commission, such transfer will only be undertaken where we have a lawful basis to do so such as:

(a) with your explicit consent, which will be given by you connecting with a person located outside the European Economic Area;

(b) as required under a contract to which you (directly as a contractual party or indirectly as beneficial owner / controller) are a party or have indicated your intent to become a party to the contract and the disclosure of this information is required under this contract and/or by law;

(c) between our employees or affiliates for the purposes of providing the services and maintaining the platform and always subject to appropriate safeguards. All our employees are subject to contractual confidentiality obligations and all our affiliates have agreed to standard contractual clauses (“Standard Contractual Clauses”), to the extent required by applicable law, in the form approved by the European Commission within the meaning of Article 46 GDPR;

(d) As part of The ID Register screening service further details of which are provided in Appendix 1.

Security

We have strict security and confidentiality procedures covering the storage and disclosure of your information in order to safeguard it, prevent unauthorised access and to comply with applicable laws. Whilst we take appropriate technical and organizational measures to safeguard your personal data, we cannot ensure or warrant the security of any information that you transmit to us.

Cookies/IP addresses

Cookies are pieces of information that your web browser transfers to your computer’s hard drive for record keeping purposes. Cookies can make the web more useful by storing information about your preferences on a particular site, thus enabling website owners to provide more useful features for their users. IDR uses cookies in accordance with our Cookie Policy which can be found here: https://idrgroup.com/cookie-policy/

We do not currently log user IP addresses (the location of your computer on the internet) but we reserve the right to do so for systems administration, site security, evidence certification and trouble-shooting purposes.

We do not log IP addresses to track a user’s session, nor do we link IP addresses to anything personally identifiable. Your browser will also inform us of the type of computer or operating system being used by you.

Data protection and article 28 of the General Data Protection Regulation

IDR classifies itself as a Data Processor in circumstances where our clients instruct us to perform the Services and such Services involve the processing of Personal Data and our clients are therefore classified as the Data Controllers. Our clients may also be the Data Processor where their client is the Data Controller in which case IDR will be the sub-processor.

Notwithstanding this, in any situation in which IDR determines the purpose and means of data processing, for example of a potential employer, we will be a Data Controller and therefore agree to comply with our obligations under applicable law.

IDR is headquartered in Guernsey which has been granted an adequacy decision by the European Commission within the meaning of Article 45 of GDPR. IDR may employ staff worldwide.

Our current sub-processors are detailed in Appendix A. You agree that we may add further sub-processors or replace existing sub-processors and we in turn agree to provide you with written notice and a suitable period in which to object.

As a Data Processor, IDR:

  • Complies with Article 28 of the General Data Protection Regulation
  • Processes personal data only on instructions from our clients, their clients or the Data Subject
  • Only transfers data outside the EEA and countries subject to an adequacy decision with a lawful basis as outlined in this Privacy Statement
  • Implements technical and organizational measures to comply with all data protection laws to which the Services are subject
  • Binds sub-processors to equivalent standards of data protection by appropriate means such as a contract or an approved certification mechanism.
  • Ensures our staff have signed confidentiality agreements

We confirm that for clients who have signed a services agreement with IDR for remuneration, we will:

  • Inform clients of any changes to sub-processors and provide an opportunity to object
  • Taking into account the nature of processing, provide reasonable assistance to our clients with Data Subject Access Requests insofar as possible
  • Taking into account the nature of processing, provide reasonable assistance to our clients insofar as possible with obligations pursuant to Articles 32 to 36 of GDPR
  • Inform you if we believe your processing instructions are contrary to any applicable law
  • Notify you without undue delay of any personal data breach related to your Client Files as defined in our Terms of Business
  • Maintain records of processing and make them available to a competent regulatory authority or data protection authority upon request
  • Inform you of any official Data Subject Requests and only respond upon your documented instruction. For the avoidance of doubt, this does not include business as usual requests for individuals to access their Passport on IDR
  • Allow for and contribute to data protection audits including inspections, conducted by the controller or another auditor mandated by the controller at a maximum frequency of once per calendar year. Such audits are conditional on all reasonable efforts being made by the auditors to avoid causing disruption, damage or injury to IDR’s business and ability to provide services. The costs of such audits will be borne by the Data Controller or Data Processor requesting the audit.

Definitions

Unless otherwise stipulated, the following terms have the same meaning as set out in GDPR: Data Breach; Data Controller; Data Processor; Data Protection Officer; Data Subject; Personal Data; Standard Contractual Clauses; Subject Access Request; & Supervisory Authority

Should you require more information, please email privacy@idrgroup.com

Access to your information and contacting

You have a right to access your information to check whether it is accurate and up to date. Should you wish to access or amend information held about you, or if you have any other queries on our privacy policy or site security please contact us using the details provided below.

In addition, you have the ability to view and edit your information online. You have the right to request the rectification or erasure of your personal data and the right to restrict or object to any processing in relation to such personal data. These rights are not absolute and are subject to exceptions such as those outlined in Article 17 of GDPR, for example, where the processing of your personal data is required to comply with a legal obligation.

You also have the right to data portability.

If you wish to exercise any of these rights, please contact us using the details provided below.

Privacy Complaints

We work hard to ensure that the service we provide meets your expectations. However, should you wish to raise any issues regarding the operation of this privacy statement or its impact on you, please contact us using the contact details provided below.

If your complaint remains unresolved following completion of our internal complaints procedures you have a right to lodge a complaint with the Data Protection Authority of Guernsey, the Data Protection Commissioner (Ireland) or any other relevant data protection supervisory authority.

Monitoring telephone calls and e-mails to our offices

Telephone calls using the telephone numbers provided on this website and all extensions of IDR and e-mail correspondence with IDR via generic or individual employees’ e-mail addresses may be recorded or monitored. By using such communication methods you are consenting to the recording or monitoring of the same.

Changes to this privacy statement

If this privacy statement changes in any way, an updated version of it will be placed on this page. Regularly reviewing this page ensures that you are always aware of what information is collected by us, how it is used and under what circumstances it will be shared with other parties. If we make any material changes, we will notify you by means of a conspicuous notice on this Website or via e-mail or notification via our Site. Your continued use of our Websites or the Service(s) following the posting of this notice shall constitute your acceptance of the changes.

Contacting Us

Should you have any questions or comments about this Privacy Statement, or otherwise wish to contact us, our data protection officer or our representatives, please contact us at help@theidregister.com, through the Site at https://idrgroup.com/about-us/contact-us/, or by post as follows:

  • The ID Register (Guernsey) Limited at 5th Floor, Market Building, Fountain Street, St Peter Port Guernsey, GY1 1BX

Privacy statement for potential employees and suppliers

Potential Employees

If you are an applicant for a job with us (a potential employee), we will process personal data about you in our legitimate interests so as to assess and advance that application through our recruitment processes, including by making details of your personal data available to relevant members of staff and to comply with policies, procedures, applicable law and guidelines in relation to staff and recruitment.

The personal data that we process about you may include:

  • Your name, address and contact details, including telephone numbers and email address(es);
  • Details of your qualifications, skills, experience and employment history;
  • Information about your current level of remuneration, including entitlement to benefits;
  • Whether or not you have a disability that we may need to make adjustments for during the recruitment process;
  • Information about your entitlement to reside and/or work in the place where you have applied for a job; and
  • Equal opportunity monitoring information, including information about your ethnic origin, sexual orientation, health and religion or beliefs
  • Checking the references you have provided having obtained your consent to do so

If your application for a job with us is unsuccessful, we will retain your personal data on our systems for 6 months after the date on which we inform you (or any recruitment agency through which you have applied to us) that your application was unsuccessful. We will then delete any personal data unless required to retain it under applicable law.

If your application for a job with us is successful, our retention of your personal data will be governed by our Employee Handbook which will be provided to you upon joining.

Professional Adviser, Regulators & Suppliers

We work with entities or organisations that provide professional advice or services to us or to our clients, those that supervise and regulate us, and our clients and other suppliers of products and services to our business. We will collect personal data about you if you work for one of these organisations.

The personal data that we collect will include professional and/or personal contact details, including addresses, telephone numbers and email addresses, and records of communications that take place between you and/or others at the organisation for which you work and us, including emails, letters, minutes of meetings and recordings of telephone calls (where made) and voicemails. In addition, we collect personal data that you provide us with or that is created by us during our relationship with the entity or organisation for which you work.

Appendix 1

| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| Ballard Chalmers Limited | Site development support and Site maintenance | United Kingdom |
| Freshworks Inc. | Email hosting and ticketing | European Union |
| BDO Limited and BDO Cerberus Regulatory Consulting Limited | Financial and regulatory compliance auditing | Guernsey |
| Bottomline Technologies Limited | Financial Messaging (for clients availing of services involving financial messaging only) | United Kingdom |
| Cloud CoCo Limited | Microsoft Gold Partner – managing The ID Register group’s IT environments including Microsoft Azure and 365 | United Kingdom |
| KPMG Channel Islands Limited | Review of FATCA CRS classifications | Guernsey and Jersey |
| Microsoft Azure | Hosting of the Site | European Union |
| Microsoft | Microsoft Office 365 services for employees including email and SharePoint | European Union |
| Refinitiv Limited | Screening names against various lists such as Sanctions and Politically Exposed Persons | United Kingdom / European Union |
| SendGrid Inc. (a Twilio company) | Send automated communications from the Site such as multi-factor authentication mails | USA |
| SWIFT | Financial Messaging (for clients availing of services involving financial messaging only) | Belgium |
| Resolution IT Limited | Manage our Microsoft Office 365 IT environment (excluding the Site) | Guernsey |

Group companies

| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| TIDR (Mauritius) Limited (From April 2021) | Assist in providing Services to clients and in Site development and maintenance | Mauritius |
| IDR (Services) Limited | Assist in providing Services to clients and in Site development and maintenance | Guernsey |
| The ID Register South Africa (PTY) Limited | Assist in providing Services to clients and in Site development and maintenance | South Africa |
| TIDR (UK) LIMITED | Assist in providing Services to clients and in Site development and maintenance | United Kingdom |