Charities and other Small Registers privacy notice

This notice sets out how we handle your personal data and how we comply with the requirements of the General Data Protection Regulation (GDPR).

Visit our website

If we do want to collect personally identifiable information through our website,  we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it; it will be kept securely, and the only people who have access to personal information are those who have a legitimate need to.

The Charities Registry website is part of the Isle of Man Government website, www.gov.im, which is owned by the Cabinet Office. Their Privacy Notice in relation to how you use gov.im and the use of cookies, can be found at the top of each page next to the Terms and Conditions.

Contact us by email, in person, by post or over the phone

If you contact us to make an enquiry about our services you will need to provide us with your name, contact details and any other information necessary to enable us to help you. We process this information to answer your enquiry. 

Details of any financial transaction will be retained within our daily accounting records for 6 years. Such data will be treated with the utmost confidentiality and respect. Only Central Registry team members can access the information; it will be held securely, for a minimum of 6 years and a maximum of 25 years, according to the retention periods defined by our retention schedule.

How we will securely process personal data

All personal information is kept with the highest standards and safeguards in place. This includes technical security, preventing unauthorised access, undertaking audits and maintaining backups:

• Emails - Email communications are stored on our Isle of Man Government email system, Microsoft Outlook for the duration of your enquiry/request. Email mailboxes are accessed by the team responsible for that service/product. Such emails will only be shared with your knowing, and only in order to address your enquiry or request.
  
  We encrypt and protect all our emails in line with government standards. If your email service does not support this encryption, you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
  
  
• Isle of Man Government Secure Network – There are strict access controls in place meaning that only the Central Registry team and senior managers have access to their folders on the network; in addition, only the teams within the Central Registry who are able to access personal information, are those that have a business need to do so. The administration of the IOMG Secure Network is undertaken by Government Technology Services in the Cabinet Office; however, they are unable to access the content of any records and so will not be able to access your personal information.
  
  
• Manual records – If we need to hold your personal information manually, we will hold it on site in our own secure, restricted access storage areas.
  
  If a member of the Central Registry team believes your communication identifies criminal or other illegal activity they may notify the Police or other regulators on the Isle of Man. They will not seek your consent for this disclosure.    

If you are an officer, trustee, director, candidate, legal practitioner, official or member or official of an organisation identified within this notice.

This section of the privacy notice sets out how the Registrar General  (“the registrar”) handles the personal data of people defined within this notice and sets out how the registrar ensures that the register maintained by the Registrar general complies with the requirements of the General Data Protection Regulation (GDPR).

As a registration authority, we have a statutory obligation to compile and maintain public registers, and to make these registers available for public inspection. This is essential to ensure the information is transparent and readily available by placing certain information in the public domain.

The Registrar General is responsible for maintaining the following registers:

• Charities under the Charities Registration Act 1989
• Legal Practitioners under the Legal Practitioners Registration Act 1986
• Trade Unions and Employers’ Associations under the Trade Unions Act 1991
• Candidates and their expenses under the Representation of the People Act 1995
• Register of Political Parties under the Representation of the People Act 1995

To compile these registers we collect information that is prescribed within the appropriate acts of Tynwald. We collect this information via an application form, usually sent to us by the responsible person identified within the appropriate Act.

Once processed, this information is entered on the public register and is available for public inspection. We keep this data permanently as part of our statutory obligations.

Identity of controller and Data Protection Officer (DPO)

The Registrar General (The registrar) is the controller of your personal data. This means it’s the registrar who decides how and why your personal data is processed. The registrar does this by referring to the statutory provisions within the Acts that establish the respective registers.

Department for Enterprise Data Protection Officer:

St George’s Court, 
Upper Church Street, 
Douglas, 
Isle of Man,
IM1 1EX

Tel: +44 1624 686733
Email: DPO-DfE@gov.im

Isle of Man Information Commissioner:

Isle of Man Information Commissioner, 
P.O. Box 69, 
Douglas, 
Isle of Man, 
IM99 1EQ

Tel: +44 1624 693260 
Email: ask@inforights.im  
Web: inforights.im

Purpose for processing

Personal data featuring on the public registers maintained by the registrar is processed for the purpose of making data available for public inspection under a statutory obligation. The registrar’s legal basis for processing is described in more detail in the attached schedule.

Lawful basis for processing

The registrar is required by provisions with the following Acts to receive and make information, including personal data, publicly available:

• Charities Registration Act 1989
• Legal Practitioners Registration Act 1986
• Trade Unions Act 1991
• Representation of the People Act 1995

The Data Protection Act 2018 introduces some domestic exemptions. In the GDPR and LED Implementing Regulation (Schedule 9, Part 1, Para 6) Information required to be disclosed by law etc. or in connection with legal proceedings.

“The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.”

Since the registrar is required to make information available to the public, they are entitled to rely on this exemption. Therefore, they have an exemption from some elements of the GDPR, including:

• the requirement to provide ‘privacy notices’ to individuals
• the requirement to provide personal data in response to subject access requests
• the requirement to rectify personal data when it is inaccurate
• the requirement to comply with requests to be ‘forgotten’
• other principles of the GDPR

This means it is unlikely the registrar will be required, or able, to comply with any exercise of these GDPR rights in respect of personal data appearing on the public register. For example, the registrar will be unable to comply with any request for an individual to be ‘forgotten’ from the public register where there is a legal obligation on the registrar to continue to make this personal data available.

The registrar is also under no obligation to provide information free of charge if a statutory fee is prescribed to provide the information. The information will be provided upon payment of the prescribed statutory fee.

If you have any queries or concerns about this, please contact the DPO at:

Email: DPO-DfE@gov.im

Presenters’ details

If you file a paper form, you have the option to include certain contact details for the presenter of the form. If you include these presenter details, they will be placed onto the public record in the same way as all other information contained within the filing.

What we do with your data

Before becoming an officer, trustee, director, candidate, legal practitioner, official or member or official of an organisation identified within this notice it is important that you are familiar with the legal implications. The Registrar is required by law to publish some of your personal data on the register. The register is publicly available and accessible by anyone.

Commercial organisations sometimes use data from the registers to create their own online products. These organisations then become controllers of your personal data. These organisations must establish how they comply with the data protection law as set out in the GDPR. If you have any concerns about company data on third party products and websites, please contact the organisation directly. We are not able to advise other organisations on GDPR compliance, and we cannot advise you on whether other organisations are complying with the law.

Non-public data

All information submitted under a provision within the specified legislation will be included on the respective file which will be available to members of the public.

Data processors

Since the registrar is a controller for personal data appearing on the registers, the registrar is not acting as a data processor (as defined by the GDPR) when maintaining a public register. Individuals, officers, trustee, directors, candidates, legal practitioner, officials or members of an organisation identified within this notice and other representatives provide personal data for the public register because they are required to by law, and not for the registrar to process personal data on their behalf.

Overseas transfers

The registers are freely accessible and available to the public, including overseas. Article 15(1)(g) of the GDPR states that a transfer of personal data overseas can take place in the absence of specific safeguards where the transfer is made from a register intended to provide information to the public. This means we do not need to consider the adequacy of data protection regimes in all countries before making the public register freely available online.

Retention of personal data

Data that has always been a matter of public record may be retained if the registrar considers it is necessary to fulfil a public function and/or crime prevention of money laundering or fraud. The data may also be retained permanently for historical research and statistical purposes under provisions within the Public Records Act 1999.  This includes records of charities etc. that have ceased as legal rights and relations may continue to exist i.e. for restoration, bringing proceedings against former directors.

Complaints

If you have a complaint about the way we are managing your personal data, you can let us know in the first instance by writing to: DPO-DfE@gov.im

If you are still dissatisfied, you can raise your concerns with:

Isle of Man Information Commissioner:

Isle of Man Information Commissioner, 
P.O. Box 69, 
Douglas, 
Isle of Man, 
IM99 1EQ

Tel: +44 1624 693260 
Email: ask@inforights.im  
Web: inforights.im

If you have contacted us with a complaint or enquiry

You may have written to us, or contacted us by phone, because you have a complaint, or to ask a question. This section of the privacy notice sets out how we comply with GDPR in handling your correspondence.

If you contact us by phone or in writing, we have no control over the personal data you include in your correspondence, or that you tell us about. We would always advise you to limit the amount of personal data you include in your correspondence, as much as possible. Once received, your personal data will be handled in line with the following privacy notice. This also applies to the personal data of any third-parties that can be identified from your correspondence.

Identity of controller and Data Protection Officer (DPO-DFE)

The registrar is the controller of your personal data. This means it is the registrar who decides how and why your personal data is processed. As the registrar is responsible for operating the registers, they are also responsible for handling complaints and queries about the register.

Purpose for processing

When you write to us or call us with a complaint or enquiry, your personal data will only be used for the purpose of handling, investigating and resolving your issue. We will use the contact details provided to respond to your correspondence. If you have made a complaint about a third-party, we may use the contact details you have provided for them to investigate your issue.

Call recording

Telephone calls are not recorded by the Central Registry. An answer phone is used during busy periods and any recording is deleted as soon as the enquiry is dealt with.

Lawful basis for processing

Our core public function is to provide a public register that is available for anyone to inspect. We consider the handling of complaints and enquiries about the public register a necessary process for this public function.

Retention of personal data

The Registrar General retains written correspondence from customers but does not make this information available to the public. Correspondence will be associated with the appropriate entities file but in a private folder that is only available to Central registry.  Other correspondence may be retained for a minimum of 6 years and a maximum of 25 years, according to the retention periods defined by our retention schedule.   

Individual rights

The GDPR provides certain rights that individuals may exercise in respect of their own personal data. If you want to exercise any of these rights, you can contact the DPO-DFE.

There may be some circumstances in which we cannot comply with your request. Such as, if we have a legal duty to keep data, or to process it in a particular way. We will handle all requests to exercise GDPR rights on a case-by-case basis.

Complaints

If you have a complaint about the way we are managing your personal data, you can let us know in the first instance by writing to DPO-DfE@gov.im

If you are still dissatisfied, you can raise your concerns with:

Isle of Man Information Commissioner:

Isle of Man Information Commissioner, 
P.O. Box 69, 
Douglas, 
Isle of Man, 
IM99 1EQ

Tel: +44 1624 693260 
Email: ask@inforights.im  
Web: inforights.im

If you are a subscriber to our web services

There are currently no web services to subscribe to.

Conduct searchers of the public registers

A requisition form needs to be completed for any file which may contain your name and telephone number. As soon as the file is made available and the statutory fee is paid the requisition form is destroyed. 

In respect of payment for services supplied to you by the Companies Registry - either to debit the account maintained by you with the search / transaction fees incurred by you, or to debit your debit/credit card if you opt to use same to pay for those services. Companies Registry policy is to retain the minimum amount of information necessary to be able to deal with any subsequent queries regarding the transaction.