Privacy Policy


Gordon Wilson & Co. Ltd (“GWC”, “we”, “us”, or “our”) controls and processes personal data for numerous purposes related to our business.

This privacy policy describes why and how we collect and use personal data and provides information about our policies and procedures.

The means of collection, basis of processing, use, disclosure, and retention periods of personal data for each business purpose may differ.

This policy applies to personal data provided to us, both by individuals themselves or by others.

Personal data is any information relating to an identified or identifiable living person.

The General Data Protection Regulation (GDPR) seeks to protect and enhance the rights of data subjects. These rights cover the safeguarding of personal data, protection against the unlawful processing of personal data and the movement of personal data within the European Union (“EU”).

GDPR does not apply to information already in the public domain.

Data Security

We have a framework of policies, procedures and training in place covering data protection, confidentiality and security, and we review the appropriateness of these measures annually to ensure that we keep all of the data that we hold safe and secure.

Personal Data

GWC is the data controller and data processor of personal data provided or obtained through our relationship with third parties including our clients and employees.

Personal data includes names and addresses, telephone numbers and email addresses. It may also include tax identification numbers, passport information and bank account details.

We will only control and process personal data where we have a business need to do so related to any of the following:

(i)         providing and improving our services;

(ii)        client identification and vetting;

(iii)       anti-money laundering and countering the financing of terrorism;

(iv)       billing and administration;

(v)        financial management;

(vi)       statistical analysis;

(vii)      training;

(vii)      disaster recovery;

(viii)      marketing our business.

Data Sharing

We do not share personal data with others unless we are legally obliged to do so, and /or we have a business reason for doing so.

Before we share personal data with others, we risk assess and ensure that appropriate arrangements are put in place to protect the data concerned and to ensure that we comply with our data protection, confidentiality, and security standards/obligations.

Electronic Data

We use third parties to support us in providing our services and to help provide, run, and manage our IT systems.  All our third-party vendors (for example, providers of information technology, cloud-based software, identity management, website hosting and management, security, and storage services) are carefully selected by us and have in place high standards of data security.  The servers of our IT providers/contractors are held in the UK and Isle of Man.

Disclosure to Third Parties

Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation.  We will only fulfil requests for personal data where we are obliged to do so in accordance with applicable law or regulation.

Transfer outside of the EU

Occasionally, we may need to transfer personal data to countries other than those where we and/or our clients are located.  This may include countries outside of the EU.  Where we have reason to transfer personal data outside the EU, we will assess the risk and ensure that any transfer of personal data will only be done pursuant to an agreement which covers the EU requirements for the transfer of personal data outside the EU, such as European Commission approved standard contractual clauses.

Sensitive Personal Data

We appreciate that personal data may include sensitive information as to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or conditions, sexual life, the commission or alleged commission of any offence, proceedings, or the disposal of proceedings for any such offence or any sentence of a court for such proceedings.

It is our policy NOT to control or process such sensitive personal data unless there is a specific business need.

Data Controller and contact information

The data controller is GWC (the company registered in the Isle of Man with company number 129596C and its registered office is at 6th Floor, Victory House, Prospect Hill, Douglas, Isle of Man IM1 1EQ.

If you have any questions about this privacy policy or how and why we process personal data, please contact us at:

Mr Gordon Wilson
Data Protection Officer

Gordon Wilson & Co. Ltd
6th Floor, Victory House
Prospect Hill
Isle of Man


Telephone: 01624 664949

Individual’s rights and how to exercise them

At any point whilst GWC is in possession of or processing personal data, all data subjects have the following rights:

  • Right of access – the right to request a copy of the information that we hold
  • Right of rectification – the right to correct data that we hold that is inaccurate or incomplete
  • Right to be forgotten – in certain circumstances data we hold may be erased from our records
  • Right to restriction of processing – where certain conditions apply, we may restrict the processing
  • Right of portability – data may be transferred to another organisation
  • Right to object – the right to object to certain types of processing such as direct marketing
  • Right to object to automated processing, including profiling – the right not to be subject to the legal effects of automated processing or profiling.

In the event that we refuse a request under rights of access, we will provide a reason as to why, which may be legally challenged.

The following is available on request:

  • Copies of personal data that we control and/or process
  • Details of how we determined why to control and/or process personal data
  • The purpose of the processing as well as the legal basis for processing
  • Recipient(s) or categories of recipients that the personal data is/will be disclosed to
  • How long the personal data will be processed
  • Details of rights to correct, erase, restrict or object to such processing
  • Information about consent or withdrawal of consent
  • How to lodge a complaint with the supervisory authority
  • Whether the control or processing of personal data is a statutory or contractual requirement
  • The source of personal data if it wasn’t collected directly from the individual concerned
  • Any details and information of automated decision making, such as profiling, the logic involved, as well as the significance and expected consequences of such processing.

To access personal data, identification will be required

GWC will accept the following forms of ID when information on personal data is requested:

  • Driving license
  • Passport
  • Birth certificate
  • Utility bill not older than three months

A minimum of one piece of photographic ID listed above and a supporting document is required. If GWC is dissatisfied, further information may be sought before personal data can be released.

All requests should be made to Gordon Wilson.


In the event that you wish to make a complaint about how your personal data is being processed and/or controlled by GWC, you have the right to complain to Gordon Wilson. If you do not get a response within 30 days, you can complain to the Isle of Man Information Commissioner.

The details for each are:

Mr Gordon Wilson
Data Protection Officer

Gordon Wilson & Co. Ltd
6th Floor, Victory House
Prospect Hill
Isle of Man

Telephone: 01624 664949

Isle of Man Information Commissioner
P.O. Box 69
Isle of Man
IM99 1EQ

Telephone: +44 1624 693260