🔒 Privacy Policy

Overview
Questions and Answers (Q&As):
Other Privacy Notices
Other Information:

Overview

The Isle of Man Financial Services Authority (‘the Authority’) is registered with the Isle of Man Information Commissioner as a data controller for the purposes of Isle of Man data protection legislation.

This policy explains what information the Authority collects about individuals (‘personal data’), its reasons for doing so and how it holds, uses and discloses that information.

Please see the Website and Cookies webpage for information the Authority collects from users of its website, what that information is used for and how the Authority uses cookies.

Questions and Answers (Q&As)

Why do we collect personal data?

We are responsible for regulating persons who carry on financial services activity in or from the Isle of Man. This includes businesses such as banks, credit unions, insurers, investment businesses, collective investment scheme service providers, pension service providers, trust and corporate service providers, money transmission service providers and crowdfunding platforms.

Our main statutory functions are laid out in the following Isle of Man legislation:

Financial Services Act 2008
Collective Investment Schemes Act 2008
Insurance Act 2008
Retirement Benefits Schemes Act 2000.

We also have significant statutory functions under the following legislation:

Beneficial Ownership Act 2017
Designated Businesses (Registration and Oversight) Act 2015.

We exercise a variety of functions in order to help achieve our regulatory objectives, which are:

Securing an appropriate degree of protection for policyholders, members of retirement benefits schemes and the customers of persons carrying on a regulated activity;
The reduction of financial crime; and
The maintenance of confidence in the Island’s financial services, insurance and pensions industries through effective regulation, thereby supporting the Island’s economy and its development as an international financial centre.

We need to collect and process personal data in order to exercise our functions appropriately. We may collect personal data directly from individuals or indirectly from other entities or agencies. The table below provides examples of ways in which we collect and process personal data:

Personal data is collected from…	To enable us to…
People looking to carry on financial services or designated business activity	Authorise people to carry on financial services activity in or from the Isle of Man or to become registered as a designated business
People we regulate	Assess whether people we regulate comply with regulatory standards
People we regulate	Take appropriate action to supervise and enforce compliance with regulatory standards
Customers of people we regulate	Assess whether people we regulate comply with regulatory standards
Customers of people we regulate	Take appropriate action to supervise, investigate and enforce compliance with regulatory standards
People we register	Assess whether people we register comply with relevant standards
People we register	Take appropriate action to supervise, investigate and enforce compliance with relevant standards
People who use our website	Monitor use of the website to identify areas for improvement
People who use our web portals to submit regulatory information	Receive regulatory information electronically
People who subscribe to our RSS feed or electronic newsletter	Provide relevant information to interested parties
People who receive other services we provide	Provide services to help achieve our regulatory objectives, such as by hosting annual conferences or seminars
People who contact us	Respond to an enquiry or address a particular issue
People who respond to our consultations and surveys	Consider feedback and develop our approach accordingly
People who work on our behalf or from whom we receive goods or services	Provide online services, such as the Collective Investment Schemes FRS (Financial Reporting System) website and Designated Businesses website
	Carry out surveys on our performance and other areas of interest
	Operate in an effective and efficient manner
People who apply to us for jobs, and current and former employees	To enable us to employ suitable candidates, manage existing employees and comply with our obligations as an employer

What is our legal basis for collecting personal data?

We take our responsibilities under data protection law seriously and aim to ensure that personal data is handled appropriately. The legal basis for our collecting, holding, using and disclosing personal data is covered by relevant legislation. To summarise the general position:

We have statutory functions to fulfil as the Island’s financial services regulator
We have statutory rights to request information, inspect and investigate people carrying on (or suspected of carrying on) financial services activity
We have similar functions and rights in respect of designated non-financial businesses and the Island’s register of beneficial ownership
Information we obtain for the purposes of exercising our statutory functions is ‘restricted information’, which includes both personal data and non-personal data
Our legislation imposes a number of restrictions on the disclosure of restricted information in order to protect the people to whom that information relates and safeguard our ability to exercise our functions appropriately
These restrictions are subject to certain exceptions to recognise situations where we may need to share personal data to enable us to exercise our functions appropriately.

Data we collect about legal entities, such as companies, in the course of exercising our statutory functions is restricted information but is not personal data as it does not relate to an individual.

In addition to the above, we are designated as a competent authority for the inspection and investigation of criminal matters identified whilst exercising our statutory functions. Personal data that is obtained for law enforcement purposes is protected under Isle of Man data protection legislation, however an individual’s rights in relation to such personal data are more limited to reflect the fact that the data subject is subject to law enforcement proceedings.

We will only process your personal data if a lawful basis to do so exists. We may rely on:

The need to meet a legal obligation in carrying out our statutory functions
The need to enter into or ensure the performance of a contract to which you are a party
The need to meet a request you have made for information or a service
The need to prevent or investigate suspected or actual violations of law
The need to protect the public interest
Your consent (in limited circumstances) – where we rely on your consent to process your data (such as your subscription to our electronic newsletters) you may withdraw your consent at any time by contacting the Data Protection Officer (see below)
The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999. For more information on retention by the Public Record Office please click here.

Where there is a legal basis for doing so, we may share your personal data with other authorities or law enforcement agencies to help us (or them) to exercise our (or their) functions appropriately. Any personal data we share in this way is shared in accordance with the law and is limited to the type and amount of data we believe necessary in order to achieve our objectives.

The key statutory provisions regarding our handling of information may be found in the following legislation:

Legislation	Key Information Provisions
Financial Services Act 2008	Schedule 2 – Inspection and investigation Schedule 5 – Disclosure of information
Beneficial Ownership Act 2017	As under the Financial Services Act 2008
Collective Investment Schemes Act 2008	As under the Financial Services Act 2008
Designated Businesses (Registration and Oversight) Act 2015	Section 22 – Restrictions on disclosure of information Schedule 2 – Exceptions to prohibition on disclosure
Insurance Act 2008	Section 46 – Restrictions on disclosure of information Schedule 6 – Restrictions on disclosure of information
Retirement Benefits Schemes Act 2000	Section 43 – Restrictions on disclosure of information As under Schedule 6 to the Insurance Act 2008

What personal data do we collect?

We collect personal data about individuals involved in regulated financial services or designated business activity in the course of exercising our functions. These may be people who control a regulated or registered firm, people who are employed by (or otherwise engaged by) a firm to carry out certain roles, or people who undertake financial services activity in their own right. We also collect personal data about individuals with whom we interact with on a regular basis to meet our operational needs, such as those who provide us with goods and services.

The type and amount of personal data we collect depends on the circumstances. For example, where an individual is seeking to carry on certain roles (Controlled Functions) for financial services firms, we use personal data to help us determine whether a person is fit and proper to carry on that Controlled Function. Such data is necessary to help us assess an individual’s integrity, competence and solvency. By contrast, where a person contacts us by email to ask a question, we only use personal data to the extent that it enables us to answer their question and help us to improve the work we do.

We generally collect the following types of personal data for the work we do:

Identifying: such as name, date and place of birth, nationality and other unique identifiers such as government-issued identification and national insurance number
Contact: such as telephone number, email address, physical address
Professional: such as education and employment history including schools and places of higher education attended, relevant qualifications, details of current and previous employment, and academic and employment references
Financial: such as a person’s financial situation, solvency and any past declarations of bankruptcy
Legal: such as being subject to current or past litigation, or being subject to successful investigation by a governmental, professional or other regulatory body
Criminal activity: such as convictions and charges
Authenticating: such as usernames, passwords and security details for access to our online services.

Under almost all circumstances, we do not collect personal data relating to special categories such as race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation. If we find that we hold personal data of this nature, we will take appropriate steps to delete that data and prevent it from being acquired in future. The general exception to this is health data we collect and maintain in relation to our staff for employment purposes. All such data is subject to appropriate operational safeguards.

How do we use the personal data we collect?

We use the personal data we collect to enable us to exercise our functions as the Island’s financial services regulator in the most appropriate and effective manner. Our functions cover a broad range of activities but can be summarised into the following categories:

We use personal data for…	To enable us to…
Applications for authorisation or registration	Determine whether people are fit and proper to carry on financial services activity
Fitness and propriety assessments
Supervising people we regulate or register	Assess whether people we regulate or register comply with relevant standards
Investigating people carrying on financial services activity	Help prevent and detect crime including fraud, money laundering, identity theft or other criminal offences
Enforcing compliance with regulatory standards	Take action against people who do not comply with regulatory standards
Developing regulatory policy, rules and guidance	Consult with relevant people to gain feedback on our proposals and develop our approach accordingly
Conducting surveys	Obtain feedback on our performance or other areas of interest
Responding to enquiries	Provide a response to an enquiry and communicate effectively with people
Communicating	Communicate effectively with people
Obtaining goods and services	Operate in an effective and efficient manner
Employing staff	Employ suitable candidates, manage existing employees and comply with our obligations as an employer

In some cases, we have a statutory obligation to check and verify the data you provide to us (in application forms, annual returns etc.). This may include checks of publicly available information but in some cases, where it is necessary and relevant, the information you provide may be disclosed or shared with other organisations. This will only be done where there is a legal need for us to do so.

We aim to ensure that we process personal data fairly and appropriately in accordance with the law in order to help maintain trust and confidence in the Authority. For example, we aim to ensure that personal data we hold is accurate and up-to-date, relevant to our functions, not excessive, and is appropriately reviewed, maintained and destroyed when it is no longer required.

We do not make use of any automated decision making such as profiling in relation to the personal data we hold.

How do we share personal data?

Personal data we collect when exercising our functions is ‘restricted information’ and subject to appropriate safeguards. However, we sometimes need to share information with other bodies acting in the public interest in order to exercise our functions effectively or to assist those bodies in carrying out their functions.

We share information with other bodies under statutory powers known as ‘information gateways’. The Island’s position as an international finance centre means that the bodies with whom we may share information (such as other regulators) are sometimes based outside of the European Economic Area. Where that is the case, we will take appropriate steps to help ensure that your personal data is subject to suitable protection in that jurisdiction and that the type and amount of personal data we share is relevant and proportionate to the purpose for which it is being shared. Equally, personal data we receive from other bodies will be treated in accordance with this Privacy Policy.

We make decisions to disclose personal data on a case-by-case basis subject to suitable controls within our organisation.

Sometimes we may be required by another body to disclose personal data under relevant legislation or by court order.

The types of people who we may share personal data with are as follows:

We may share personal data with…	To enable us to…
Other regulatory authorities in or outside of the Isle of Man	Determine whether people are fit and proper to carry on financial services activity
	Assist them in determining whether people are fit and proper to carry on financial services activity
Law enforcement agencies in or outside of the Isle of Man	Determine whether people are fit and proper to carry on financial services activity
	Assist them in conducting investigations about persons suspected of carrying out criminal activities
Courts or other judicial authorities on production of a valid court order	Exercise our statutory functions or discharge our legal responsibilities
Some government departments or agencies in or outside of the Isle of Man	Exercise our statutory functions
	Assist them in exercising their statutory functions
Educational institutions	Determine whether people are fit and proper to carry on financial services activity
Professional bodies	Determine whether people are fit and proper to carry on financial services activity
Professional bodies	Assist them in determining whether people are fit and proper to be members of that body
People we regulate or register	Communicate our assessment of whether people are fit and proper to carry on activity for that person
People who work on our behalf or from whom we receive goods or services	Provide online services, such as the FRS (Financial Reporting System) website and Designated Businesses website
	Carry out surveys on our performance and other areas of interest
	Operate in an effective and efficient manner

We take care to ensure that personal data shared with third parties will not be used for any purpose other than the original purpose for which it was shared.

How do we protect your personal data?

The security and confidentiality of your personal data is very important to us. We maintain an Information Security Policy, which applies to all of the information we hold.

To keep your personal data secure we will ensure that, where we are controller for your data:

safeguards are in place to make sure personal data is kept securely
your data will only be held on servers that are under the control of the Cabinet Office, Government Technology Services and within the jurisdiction of the Isle of Man
only authorised persons are able to view your data
security of the systems which hold personal data is maintained in line with the ISO27001 standard.

To protect your personal data, we will:

keep your personal data safe and secure in compliance with our information security policy
only use and disclose your personal data as detailed above, where necessary
retain your personal data for no longer than is necessary and your personal data will be permanently deleted in accordance with our Record Retention Schedule. There is an authorisation process to dispose of this in line with the policy and retention periods, as outlined below (unless there is an overriding reason to retain this information).

Where we use service providers to provide a service which may involve personal data (such as to provide online services or conduct independent surveys), our terms of engagement will specify that that service provider may not use your personal data for any other purpose.

Please see our Whistleblowing FAQs to learn how we handle whistleblowing situations.

How long do we keep your personal data?

We keep all of the information we collect in accordance with our record retention policy. This policy states the minimum periods for which we will keep certain categories of information. We may keep information for longer than these periods, however where we do we will record the reason for doing so.

Our Record Retention Schedule sets out how long we hold information, including personal data.

Will your personal data be a public record?

The Authority is subject to the Public Records Act 1999, under which the Isle of Man Public Record Office preserves public records that are of historic and cultural significance. We are obliged to look after the records we hold and to work with the Public Record Office to determine records of any historic or long-term research value. Selected records may be transferred to the Public Record Office in accordance with the agreed Record Retention Schedule.

If selected, your personal data may be offered for transferral to the Public Record Office for permanent retention. This is likely to be rare, because records of significance will often be about the Authority itself or entities it regulates.

The contact details for the Public Record Office can be found on its webpage.

What rights do you have over your personal data we process?

You have a right to…	Explanation
Be informed about how we use your personal data.	This Privacy Policy explains how we collect and process personal data. When we request personal data from you we will provide you with information to explain what personal data we collect, why we are doing so and how we process that information. For example, all forms on our website that request personal data refer to this Privacy Policy and provide a link to access it online or to contact us by telephone for further information. Our FRS (Financial Reporting System) and Designated Business websites also make reference to this Privacy Policy.
Access your personal data to ensure that it is accurate and, if it is inaccurate, to request that it is rectified, blocked, erased or destroyed.	To make any request relating to your personal data held by us, please contact the Authority’s Data Protection Officer (see below).
Withdraw your consent at any time in the limited circumstances where we process your personal data with your express consent (i.e. where you are not legally compelled to provide such information).	This applies to situations where you are not legally compelled to provide information, for example when you sign up to receive our electronic newsletter. It would not apply where you are required by law to provide information to assist us in exercising our statutory functions.

Your rights may be limited where we are processing your personal data for law enforcement purposes, such as the inspection and investigation of criminal offences. We will be able to advise you if this is the case when you seek to exercise rights in relation to your personal data.

How can you access your personal data?

To make any request relating to your personal data held by us, please contact the Authority’s Data Protection Officer (see below).

Other Privacy Notices
The Authority has issued the following Privacy Notices to provide individuals with additional information on how their personal data is processed for specific purposes or when using specific systems:

Other Information

Contact our Data Protection Officer

The information provided in this Privacy Policy is not exhaustive. If you would like more information or explanation of a particular area then you may contact the Authority’s Data Protection Officer by email, telephone or post using the details below.

If you have any concerns about the way in which we collect or process personal data then we would like to know to see what we can do better. You can discuss your concerns with our Data Protection Officer.

If you are not satisfied with a response you receive from us then you can make a complaint to the Isle of Man Information Commissioner, whose details can be found on www.inforights.im. You may have a right to other remedies.

Data Protection Officer Contact Details
By email	dataprotection@iomfsa.im
By telephone	+44 (0)1624 646032
In writing	Data Protection Officer Isle of Man Financial Services Authority PO Box 58 Finch Hill House Douglas Isle of Man IM99 1DT

Offences for false or misleading information or failure to provide

People may commit an offence where they provide us with false or misleading information or fail to provide information when lawfully required to do so. The offences can be found in the relevant legislation, however generally they are as follows:

Offence	Legal Liability
A person who provides false or misleading information to us when lawfully required	Liable on conviction to a fine or custody of up to 2 years, or both.
A person who, without reasonable excuse, fails to provide information to us when lawfully required	Liable on conviction to a fine or custody of up to 2 years, or both.

More information

You can find out more information by:
- Contacting our Data Protection Officer (see above)
- Asking to see your information or making a complaint if you feel that your information is not being handled correctly by contacting our Data Protection Officer
- Making a subject access request which is a request for some or all of the personal data we hold about you by contacting our Data Protection Officer
- Obtaining a copy of this Privacy Policy in large print, braille, or in an alternative language by contacting our Data Protection Officer.
Changes to this Privacy Policy

This Privacy Policy may change. If any significant change is made to this Privacy Policy we will provide a prominent notice on this website so that you can review the updated Privacy Policy.

This Privacy Policy was last updated on 28 July 2023 to include references to Other Privacy Notices issued by the Authority.