Hyperion Wealth Management Limited delivers wealth management advice and services to individuals, trusts and businesses. It may operate in conjunction with Hyperion Solution Partners Limited and Hyperion Solution Partners International Limited, who, as part of the Hyperion Group offer a fully holistic service.

1.2 Why your privacy matters to us

The Hyperion Group is committed to protecting the privacy of all individuals with which it interacts. We therefore ask that you please read this notice carefully as it explains how the companies within the Hyperion Group use your personal information.

‘Hyperion’ will collect personal information about you in normal discharge of their duties and obligations to you, ensuring that it is fully compliant with applicable financial and data protection regulations.

1.3 What this privacy notice covers

Hyperion Group (“We”), gather, store and process personal information in accordance with the General Data Protection Regulations, which came into force 25^th May 2018.

In the following Privacy Notice “We” refers to (as applicable):

Hyperion Group Limited
Hyperion Wealth Management Limited
Hyperion Solution Partners Limited
Hyperion Solution Partners Limited (T/A Just Real Estate)
Hyperion Solution Partners International Limited

As such this Privacy Notice applies to all existing and prospective clients of Hyperion Group (“You”) and covers ‘Personal Information’ that is held electronically and also applies to well-structured, secured paper-based filing systems.

1.4 Explanation of terms used in this privacy notice

1.4.1 Personal Information

‘Personal Information’ refers to any information about an individual from which that person is able to be identified. It does not include data where the identity has been removed i.e. ‘anonymised’. Examples of ‘Personal Information’ include:

Name
Date of Birth
Address
Telephone Number
IP Address
Account Number
Email Address

1.4.2 Special Category Personal Information

‘Special Category Personal Information’ refers to any information which reveals;

Racial or ethnic origin
Political opinions
Religious beliefs
Trade union membership
Physical or mental health issues
Sexual life / orientation
Biometric / genetic data

2 Information and Data Security

It remains the policy of ‘Hyperion’ to protect and maintain your right to privacy. We will therefore take all reasonable steps to ensure that adequate technical and operational security measures, confidentiality obligations and compliance procedures are in place to prevent inappropriate access to, disclosure, alteration or deletion of, Personal Information.

We limit access to your Personal Information to those staff members who have a business ‘need to know’, and such persons will only process your Personal Information on receipt of our explicit instructions, being subject to a current signed NDA (Non-Disclosure Agreement) and hence a duty of confidentiality.

We have in place procedures to deal with any suspected data security breach and will notify you and the appropriate regulatory body of a suspected breach where we are legally required to do so.

3 Types of Personal Information Collected

We will collect and use different personal information about you for different reasons, depending on our relationship with you.

Where you provide personal information to us about other individuals (for example, members of your family or other dependents), we will also be data controller of their personal information and we are responsible for protecting their personal information and using it appropriately. This notice is therefore similarly applicable to those individuals.

In the process of providing investment services to you (on a Discretionary and Advisory basis), we may process Personal Information and Sensitive Personal Information. Typically, this may include the following information relating to you:

3.1 Prospective or existing client enquiring or receiving wealth management services

3.1.1 What personal information may we collect?

Information collected from any communications with you, and
Information obtained through audits or processed in the process of ensuring compliance with regulatory obligations
Information stored on our client relationship and portfolio management system
Information collected when dealing with any complaints you may have

This will include the following personal information:

General Information, such as;
Name
Title
Addresses
Telephone numbers
Personal email addresses
Date of birth and place of birth
Identification Information including;
Nationality, tax residence and country of residence
Passport
Driving licence
National identity card (for non-UK nationals)
National Insurance number, social security number or another national/tax identifier.
Tax Identification Number (TIN)
Address verification documents such as council tax letters, bank statements or evidence of benefit entitlement
Employment Information such as;
Job title
Employment history
Professional accreditations
Financial Information;
Bank details
Financial reviews
Information relating to your personal finances such as your financial assets and liabilities, income and outgoings
Source of funds and wealth
Information obtained from carrying out identification checks and checking sanction lists and politically exposed persons (PEP) screening, including bankruptcy orders.
Information relevant to the services that your Relationship Manager provides to you, including;
Previous and current investments
Information about your lifestyle
Attitude to investment risk
Existing plan details
Objectives
Information about any trusts you have.
Information about your family including;
Marital status
Dependants (name and age) and relation
Information obtained during telephone recordings
Information which we have gathered from publicly available sources such as the electoral roll, internet search engines and social media sites where you have been flagged as a PEP and according to which we are required to carry out enhanced due diligence
Information from financial intermediaries

3.2 Information specific to our investment and advisory Services

We collect and store certain information generated by your use of our services and in our relationships with your custodian bank, which includes:

Account numbers
Balances
Investment Holdings
Transaction Data
Reports and Statements

4 How Will We Collect Your Personal Information?

We collect your Personal Information directly from you when;

You contact us by email, telephone and through other written and verbal communications
You seek, or are provided with, information on our services
You enter into an agreement with Hyperion for the provision of services in either a discretionary or advisory capacity
Throughout the duration of your relationship with us, as and when the need arises.

We will also collect personal information from;

Your Relationship Manager directly
The Hyperion client relationship management system and hosted platforms
Publicly available sources such as the electoral roll, court judgments, insolvency registers, internet search engines and social media sites.

5 Sources of Personal Information

We collect your Personal Information:

Directly from you, e.g. in application forms and information provided during the client onboarding process and hence the normal course of Client Due Diligence (CDD)
When it is provided to us by a third party, such as in the provision of enhanced due diligence reports and from financial intermediaries
When information is created as a result of your use of the various banking and investment platforms available to you, including Private ebanking services made available by your custodian banks

6 How We Use Personal Information

We as a data controller, are responsible for deciding how we hold and use Personal Information about you and as such we may use your Personal Information before, during and after our relationship with you.

There are a number of reasons we use your personal information and for each use we need have a ‘lawful basis’ to do so.

We will only use your Personal Information when the law permits us to do so. Most commonly we may use your Personal Information in the following circumstances:

Where we need to perform the contract, we have entered into with you
Where we need to comply with a legal obligation
Where is it deemed necessary for our legitimate interests, and your interests and fundamental rights do not override those interests

We may also use your Personal Information in the following situations, which are likely to be rare:

Where we need to protect your interests
Where it is needed in the public interest
Where you have given your consent

6.1 Situations in which we will use your Personal Information

We will rely on the following “lawful basis” when we process your “personal information”:

We have a legal or regulatory obligation to use such personal information. For example, our regulators require us to hold certain records of our dealings with you.
We have a valid business reason to use your personal information and which is necessary for our everyday business operations and activities, for example to respond to any queries relating to our discretionary/advisory services that we receive.
To confirm and verify your identity and credit status in relation to your account opening application, and where applicable to conduct an appropriate assessment. This may involve the use of third parties or their agents for screening against publicly available information (sanctions list etc)
To open, administer and operate your account and to manage our relationship with you
To monitor and analyse the conduct of your accounts and your relationship with Hyperion, ensuring compliance with our internal policies and/or procedures and enabling us to monitor risks and report on them
To carry out business operational and administrative activities, including record keeping and audits
To carry out statistical and other analysis, to enable us to manage our business and provide the best possible service to you
To comply with any applicable laws and regulations or industry best practice we may reasonably decide to adopt
To comply with the request or requirement of any court of any relevant jurisdiction or any relevant tribunal, mediator, arbitrator, ombudsman, taxation authority or regulatory or governmental authority
As is reasonably necessary to trace you (for example, if the contact details you have provided to us are no longer correct), trace debtors and enforce or seek to obtain settlement of amounts owing to us due to a default under your account(s) (with us or with other companies in the Hyperion Group)
Additional processing of your Personal Information may be needed, if, for example, you have changed residence without telling us
To carry out the detection, investigation and prevention of fraud, tax evasion, money laundering, bribery, corruption, terrorist financing and other crime or malpractice and oversee and report on such detection, investigation and prevention activities over such matters by us, other companies in the Hyperion Group or other third parties.
In order to protect us and others from any crime or malpractice we need to be able to process your Personal Information. This may include conducting call backs to confirm instructions and automated and manual transaction monitoring to prevent fraud and identity theft.
For use in connection with any legal proceedings or regulatory action (including prospective legal proceedings/regulatory action) and for obtaining legal advice or for establishing, exercising or defending legal rights
In order to protect our position in relation to any legal proceedings or regulatory action we may need to analyse records including your Personal Information and share it with our professional advisors, third parties, the courts and regulators
To give you information and marketing (by post, telephone, email or other medium using the contact details you have given us) about events, products and services which we believe may be of interest to you.
It is in our interests to promote our services to you in order to grow our business. This is balanced against your interests and freedoms and we will always give you the option to stop receiving such communications

In each case we assess our need to use this personal information for these purposes against your rights to privacy to ensure we are protecting your rights.

6.2 Special category personal information

Data processing may include the processing of Special Category Personal Information, which would require a higher level of protection and enhanced due diligence.

When we use your “special categories of personal information”, we must have an additional “lawful basis” and we will rely on the following lawful basis in these circumstances:

It is in the substantial public interest to comply with regulatory requirements relating to unlawful acts and dishonesty – such as carrying out fraud, credit and anti-money laundering checks.
You have given your explicit consent to our use of your special categories of personal information. In some cases, we are not able to review a complaint in respect of the service you have received unless we have all the information we need, which could include your health information for example.
We need to use such special categories of personal information to establish, exercise or defend legal rights, such as when we are facing legal proceedings or want to bring legal proceedings ourselves.
There is a substantial public interest in the prevention and detection of unlawful acts such as where we suspect fraud.

We will need to have further justification for collecting, storing and using this type of Personal Information. We may process special categories of Personal Information in the following circumstances:

In limited circumstances, with your explicit written consent
Where we need to carry out our legal obligations and in line with our data protection policy
Where it is needed in the public interest and in line with our data protection policy.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

6.2.1 Information about criminal convictions

Details about any criminal convictions and any related information which have been obtained from our sanctions checks and PEP screening. This will include information relating to any offences or alleged offences you have committed or any court sentences which you are subject to.

We may only use information relating to criminal convictions and offences where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy.

The most common processing of information about criminal convictions and offences by us occurs when we share it for the purposes of the prevention or detection of crime and anti-fraud purposes, including the making of suspicious activity reports to the appropriate crime agency. We also collect publicly available information on criminal convictions and offences as part of our assessment of your application and ongoing monitoring.

6.2.2 Information about health

Details about your health which are relevant to the service you are receiving, for example where you have disclosed such information to us because it explains your risk appetite for investments.

6.2.3 Other special category personal Information

In limited circumstances and where relevant to the advice being provided, we may also collect information which relates to your trade union membership, ethnicity or political opinions where you have disclosed it to your Relationship Manager.

6.3 If you fail to provide Personal Information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations (such as to complete our “know your client” checks).

6.4 Change of purpose

We will only use your Personal Information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Information for an unrelated purpose, we will notify you in writing and update this Privacy Notice on our website at: www.hyperion.gi and we will explain the legal basis which allows us to do so.

Please note that we may process your Personal Information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Purpose for processing	Lawful basis: Personal Information	Lawful basis Special Category Personal Information
To comply with our legal or regulatory obligations, including ensuring that our Partners are compliant with the appropriate regulatory requirements.	· We need to use your information in order to comply with our legal obligations. · We have a valid business reason (to run our business efficiently and effectively)	· We need to use your information in order to establish, exercise or defend legal rights. · We have a substantial public interest to prevent or detect unlawful acts (where we suspect fraud). · It is in the substantial public interest to comply with regulatory requirements relating to unlawful acts and dishonesty. · We have your explicit consent.
For communications purposes including handling complaints and dealing with any other communications.	· We have a valid business reason to communicate with you about products and services.	· We need to use your information in order to establish, exercise or defend legal rights. · You have given us your explicit consent
For business purposes and activities including managing the Hyperion CRM system and hosting platform, and ensuring the continued improvement of service	· We have a valid business reason (to run our business efficiently and effectively).	· You have given us your explicit consent. · We need to use your information in order to establish, exercise or defend legal rights.

7 Automated Decision-Making & Profiling

7.1 What is automated decision making?

Automated decision making refers to a situation where a decision is taken using personal information that is processed solely by automatic means (i.e. using an algorithm or other computer software) rather than a decision that is made with some form of human involvement. We do not currently use automated decision making as all decisions are reviewed by an individual

8 Who Will We Share your Personal Information With?

We will not sell or transfer your personal information to anyone unless we have a valid purpose and we will only disclose it to the following parties:

8.1 Recipients of Personal Information

To any other companies which are at the time of disclosure in the Hyperion Group of Companies
To third parties who provide services to us or that act as our agents. We will take all reasonable steps to ensure that the service provider or agent is subject to appropriate data processing requirements and that they impose such requirements on any of their service providers or agents
To any court of any relevant jurisdiction or any relevant tribunal, mediator, arbitrator, ombudsman, taxation authority or regulatory or governmental authority
If we or any person to whom your information is disclosed have a right or duty to disclose it or are permitted or compelled by applicable laws and regulations, or if we or any person to whom your information is disclosed wishes to share the information with other financial institutions to assist in the prevention of terrorism, money laundering, tax evasion, and other crimes; to law enforcement agencies and/or fraud prevention agencies
Third parties who have entered into contractual arrangements with us to provide services we need to carry out our everyday business activities such as partner support specialists, document management providers, back office system providers, secure login and email providers, storage warehouses, IT suppliers, actuaries, auditors, lawyers, outsourced business process management providers, our subcontractors and tax advisers.
Data protection authorities
Financial crime and fraud detection agencies
To financial organisations such as SWIFT where required for the transfer of funds and operation of your account
To any third-party service provider which you use for the provision of account information or payment initiation services to you
To any guarantor, where your account is backed by a guarantee;
To insurers and information providers
Otherwise if you consent to such disclosure.

8.2 Transaction reporting (MiFIDII)

We are obliged under applicable laws and regulations to retain certain data relating to orders and other reportable transactions in financial instruments which we have carried out on your behalf and report them daily to the relevant regulatory authority. This means that some of your Personal Information such as your national insurance number (or social security number or other national identifier) or your name and date of birth, together with information relating to the order or transaction will be disclosed to the relevant regulatory authority and ESMA

8.3 Marketing

We will not sell or transfer your Personal Information to any third party for that party to use for direct marketing purposes without your prior consent.

Where you are an existing client, we may use your personal information to provide you with information about our products or services which may be of interest including e-briefings and newsletters, where you have provided your consent for us to do so.

If you wish to opt out of marketing, you may do so by clicking on the “unsubscribe” link that appears in emails which are sent by your Relationship Manager or telling us when we call you.

Please note that, even if you opt out of receiving marketing messages, you may still receive communications from your Relationship Manager in connection with the products we offer you.

9 Consent

We will seek your consent where we wish to invite you to cultural or sporting events or certain events organised by Hyperion Group. You have the right to withdraw your consent at any time and can do so by contacting your Relationship Manager.

10 Monitoring and Recording Communications

All telephone conversations with us may be monitored and/ or recorded without use of a warning tone or message with a view to improving our service to you and to protect both you and us and to help establish facts.

In particular, we will record all telephone conversations and communications (as well as other communications regardless of their form, e.g. letters, faxes, face-to-face conversations) that take place between us and you which involve investment services or activities and that result or may result in the provision by us of client order services relating to the reception, transmission or execution of your orders. We shall also record information relating to our face-to-face conversations with you where relevant to client order services.

All telephone recordings and other records will remain our property and may be used to help resolve any disagreements between you and us, and to enable us to comply with our obligations under applicable laws and regulations.

11 Retention of Personal Information

We will retain Personal Information for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory, accounting, reporting or internal policy requirements. To determine the appropriate retention period for Personal Information, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorised use or disclosure of your Personal Information, the purposes for which we process your Personal Information and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your Personal Information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

We will only keep your personal information for as long as reasonably necessary to comply with our legal and regulatory obligations or for as long as necessary to respond to concerns you raise with the advice you received. As a financial service firm, we are regulated by the Gibraltar Financial Services Authority (the GFSA) who imposes certain record-keeping rules which we must adhere to.

11.1 Client records

The majority of client records are kept for 10 years from the date of account opening.

11.2 Communication records

We will retain the recordings of telephone conversations as well as records of such electronic and other communications for a period of 5 years. A copy of those recordings or records will be available to the relevant regulatory authority and to you on request during the retention period.

11.3 Records of prospective clients

We will retain records of prospective clients who do not become clients for 5 years from the date of the record, save in the case of a complaint where the records shall be kept for 10 years from the date of resolution of the complaint.

Further information on the retention periods of Personal Information can be requested from the Data Protection Officer.

12 Your Rights and Duties

You have several rights which you can exercise at any time relating to the personal information that we hold about you and use in the ways set out in this notice. Please contact us at any time if you wish to exercise these rights; we will not charge you.

We respect your rights and will always consider and assess them but please be aware that there may be some instances where we cannot comply with a request that you make as the consequence might be that:

In doing so we could not comply with our own legal or regulatory requirements for example we are under obligations to hold records of our dealings with you for certain periods of time; or
In doing so we could not provide services to you and would have to cancel your client agreement, for example we could not enter into investments on your behalf if we had deleted your personal information.

We will of course inform you if any of the above situations arise and if we are unable to comply with your request.

12.1 Your duty to inform us of changes

It is important that the Personal Information we hold about you is accurate and current. Please keep us informed if your Personal Information changes during your relationship with us.

12.2 Your rights in connection with Personal Information

Under certain circumstances, by law you have the right to:

12.2.1 Make a complaint to the Gibraltar Regulatory Authority

If you believe that we have breached data protection laws when using your personal information, you have a right to complain to the Gibraltar Regulatory Authority.

You can visit the GRA’s website at http://www.gra.gi/ for more information. Please note that lodging a complaint will not affect any other legal rights or remedies that you have.

Gibraltar

Gibraltar Regulatory Authority

2^nd Floor

Eurotowers 4

1 Europort Road

Gibraltar

GX11 1AA

12.2.2 The right to access your personal information

You are entitled to a copy of the personal information we hold about you and certain details of how we use it.

We are happy to provide you with such details but in the interests of confidentiality, we follow strict disclosure procedures which may mean that we will require proof of identify from you prior to disclosing such information.

We will usually provide your personal information to you in writing unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means where possible.

It would be helpful if you could please complete the Data Subject Request Form to request a copy of the information we hold and to check that we are lawfully processing it. We can then ensure we have all the relevant information we need to appropriately respond to your request.

12.2.3 The right to rectification

Please help us to keep your personal information accurate and up to date so if you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, please contact us and ask us to update or amend it. As such you are able to request correction of the Personal Information that we hold about you, enabling you to have any incomplete or inaccurate information we hold about you corrected

12.2.4 The right to restriction of processing

In certain circumstances, you have the right to ask us to suspend or stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information.

12.2.5 The right to withdraw your consent

Where we rely on your consent to process your personal information, you have the right to withdraw such consent to the further use of your personal information.

12.2.6 The right to erasure

You are entitled to request your personal information to be deleted in certain circumstances such as where we no longer need your personal information for the purpose we originally collected it. When you exercise this right, we need to consider other factors such as our own regulatory obligation, to assess whether we can comply with your request. You also have the right to ask us to delete or remove your Personal Information where you have exercised your right to object to processing

12.2.7 The right to object to processing

In certain circumstances, where we only process your personal data because we have a legitimate business need to do so, you have the right to object to our processing of your personal data if there is something about your particular situation which makes you want to object to processing on this ground.

12.2.8 The right to object to direct marketing

You have a choice about whether or not you wish to receive marketing information from us and you have the right to request that we stop sending you marketing messages at any time. You can do this either by writing to your Relationship Manager or using any opt-out facility specified by us in the relevant marketing communication

Please note that, even if you opt out of receiving marketing messages, we may still send you communications which are relevant to the nature of services we offer you.

12.2.9 The right to data portability

In certain circumstances, you can request that we transfer personal information that you have provided to us to a third party (also known as “data portability”).

When you exercise this right, we need to consider other factors such as our own regulatory obligations, to assess whether we can comply with your request

Should you wish to exercise any of your rights outlined above, please contact your Relationship Manager or the Data Protection Officer at the address below. The exercise of some of these rights may result in Hyperion no longer being able to provide a product or service to you.

If you want to access your Personal Information, please contact our Data Protection Officer by writing to:

Data Protection Officer

Hyperion Group of Companies

92 Irish Town

Gibraltar

GX11 1AA

13 Keeping Your Information Safe

At Hyperion, we take our responsibility to look after your personal information and privacy seriously. In today’s world, we have all seen a growing trend in cybercrime and security breaches.

If we become aware that a personal data breach has occurred and is likely to result in a high risk to the rights and freedoms of our clients, Partners or employees, we will inform them without undue delay.

13.1 What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).

This is another appropriate security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it.

13.2 Queries relating to other Hyperion Group Entities

If you have a query regarding the processing of your Personal Information by any other company within the Hyperion Group, please contact your Relationship Manager explaining your query and that your query relates to data protection.

14 Monitoring

Please note that if you communicate with us electronically, including by e-mail, telephone or fax, this communication may be randomly monitored and/or recorded to protect the interests of our business and our customers. This includes for the purposes of maintaining customer/service quality standards, detection of and/or prevention of crime and to ensure that Hyperion complies its with legal obligations, policies and procedures (including our customer relations practices).

15 Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time, and we will notify you either in writing or by updating this Privacy Notice on our website at: www.hyperion.gi/important-information when we make any substantial updates.

From time to time we may need to make changes to this notice, for example, as the result of changes to law, technologies, or other developments. We will provide you with the most up-to-date notice and you can check our website periodically to view it.

We may also notify you in other ways from time to time about the processing of your Personal Information.

16 Important Information

Hyperion Wealth Management Limited is licensed, authorised and regulated under (MiFIDII) by the Financial Services Commission Gibraltar. The company is incorporated in Gibraltar under number 104336, and its registered address is Irish House, 1st Floor, 92 Irish Town, Gibraltar.