At Fidutrust Formations Limited t/a our policy is simple – we understand
the importance of trust in our business. We take great care with personal information that is
provided to us online or otherwise, taking steps to keep it secure and ensure it is used only for
legitimate purposes. This information will not be disclosed to any 3rd party, other than the
Companies Registration Office without your full consent. We are fully compliant with the EU
General Data Protection Regulation (GDPR). The only possible exception to this is in the
unlikely event of a police or Revenue investigation for money laundering, terrorist financing, etc.,
in which case we are legally obliged to disclose our files. We may from time to time, send you an
e-mail to remind you that you have an Annual Return coming up or to inform you of services that
we feel may be of interest to you, but you may opt out of these e-mails at any time.
Any information which is provided by you will be treated in accordance with the terms of the EU
General Data Protection Regulation (GDPR), Data Protection Act 1988, Directive 95/46/EC of
the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals
with regard to the Processing of Personal Data and on the Free Movement of Such Data, and any
implementing and/or amending legislation as may be adopted in Ireland from time to time.
Data Protection Notice

1. Introduction

Fidutrust Formations Limited trading as as the Data Controller in compliance
with Data Protection regulation and as a Trust and Company Service Provider (TCSP) is required
to gather and use a variety of information about individuals and businesses through the course of
our business.
Information gathered includes customers, suppliers, employees and any other person deemed
necessary throughout the course of conducting business.
This policy exists to greater strengthen the compliance displayed by FF, showing good practice
and process with regards to data protection legislation. It will protect the rights of staff, customers
and all other connected parties while being transparent about how individuals’ data is processed
and maintained. This policy should also protect FF from risk of data breach.
The organisation should comply with the requirements of the relevant Irish legislation, namely
the Irish Data Protection Act (1988), and the Irish Data Protection (Amendment) Act (2003).
Along with GPDR regulations being implemented by the EU Data Protection Commission on the
25th of May 2018, FF will adhere to the below broad points throughout with regards to data
• Fair and Lawful Processing
• Obtained only for specific lawful purposes
• To be relevant, adequate, and not excessive
• Be kept up to date and accurate
• Retained no longer than is necessary
• Maintained and managed in accordance with data protection rights and regulations
• To be protected appropriately
• Not to be transferred outside of the European Economic Area (EEA), unless the
country or territory can be confirmed as having an adequate level of protection

2. Policy Scope

When referring to “Fidutrust Formations Limited”, “FF”, “us”, “the company”, “we” or “FF
Limited trading as” within the body of this policy document, encompasses all
trading names, subsidiaries and direct affiliates including but not limited to – Fidutrust
Formations Limited (FF).
All staff associated with any of the above entities or trading names, volunteers, contractors,
suppliers or anyone else acting on behalf of Fidutrust Formations Limited will be covered by this
This policy encompasses the Subject Access Request procedure, the Data Retention and
Destruction Policy, the Data Retention Periods List and the Data Loss Notification procedure all
detailed within.
It will cover any and all information or other data held on any identifiable individuals. This
Names, Dates of Birth, Addresses, Email Addresses, Telephone Numbers, Passport Copies, Proof
of Address Copies, and any other information relating to any individual.

3. Data Protection Risks

This policy exists to cover a wider protection against direct risks the company is to which can be
generally classified as the below:
• Breaches in Confidentiality
• Failing to offer choice
• Reputational Damage

4. Data Collection

FF collects an amount of personal data either through direct means, requested as part of providing
any kind of service within the company or through standard business procedures. We will also
collect data through our websites, social media platforms, market research, discussion forums and
CCTV footage if applicable. Our websites use cookie technology, which is a section of text our
servers place on your device to help make our sites perform better for our clients and visitors.
Any changes to the above methods of data collection will be fully explained in advance of their
To meet our legal obligation as a TCSP and to comply with up-to-date data protection regulation
(GDPR), we collect some personal information and verify it. This information will also be kept
up to date and maintained but will be deleted/appropriately disposed of once the information is no
longer required. In some cases, third parties may be used to obtain further information about
individuals if required. If the appropriate level of information is not received, we may not be able
to provide services to an individual.
No collected data is to be written down unnecessarily or passed informally between employees.
Through the course of business, FF collects data from a variety of sources and types which can
change based on the specific requirements of the service being ordered/enquired about.
When data is collected/obtained, the individual should be made aware of the below:
• FF in any of the above listed forms is the overall Data Controller in all cases.
• Why data is being obtained/collected.
• What parties, internal or external the data will be processed by.
• All or any other relevant information that can be provided to add to the information
surrounding the same should be provided.
In all cases, the individual has the right to a full and transparent explanation as to the reason data
is being collected and the intended use of the data in question.
Data should only be used within the purposes it was acquired for.
The company will have high standards in all cases when it comes to the protection of data. In
tandem with requirements as a TCSP, appropriate protection should be put in place to prevent
unauthorised access to information in any way takes place.
In all cases, access to data should only be granted to the employees who require the same for the
completion of their role.
FF will also ensure:
• All departments conduct regular reviews of admin and IT processes to ensure data
• Reviews of this nature should apply to both personal data or clients/individuals and
employees, sample data should be taken by the DPO and updated where appropriate
every year.
• Review amount of data being obtained relevant to each service/job under the same
time period
All staff and the company as a whole will ensure that data collected is fit for purpose and relevant
to the service being provided to individuals. Where data is not applicable it should not be
collected or if inadvertently provided by an individual be destroyed.
As a Trust and Company Service Provider, we are legally obliged to retain files and personal
information throughout an on-going service period and for five years after a client has cancelled
services with the company.
As soon as the appropriate retention period has expired, all data should be destroyed and/or put
beyond use.
In line with legislation, FF have established a Subject Data Request process, with further
information details below. Requests can be directed to the DPO at

5. Employee and Potential Employee Data

As part of the standard recruitment process, the FF may collect, CVs, Personal Information from
online and social media sources, Proof of Identity/Address and Proof of Qualifications where
appropriate. When a role has been filled, personal information gathered on an unsuccessful
candidate is destroyed using external shredding facilities.
As a direct employee, all of the above is gathered where required and stored within the company
in the safe located in the head office of FF. As with all information, the company is required to
retain data for five years after it becomes inactive, e.g., ceases employment. Once this
information is no longer required it will be destroyed as above.

6. Internal Processes

While a general overview of staff responsibilities will be discussed below, there are some key
relevant positions:
The Board of Directors
Ultimately responsible for ensuring that FF complies with its legal obligations. All of the sitting
directors are to be considered Representatives for the purposes of Data Protection Legislation.
Data Protection Officer
Tasked with keeping the board up to date with data protection regulation and renewing data
protection procedures and related policies. Arranging training and handling queries in this regard
from staff. To deal with requests from individuals to see data held by FF on them – called
‘subject access requests. Review of contracts, agreements in place with any third party that
maintains or handles any sensitive data associated with FF.
IT Department
Ensuring systems, services and equipment meet acceptable data storage standards. To perform
regular checks and updates to confirm all security software and hardware is functioning correctly.
Evaluation of any third-party data storage provider.
Marketing Department
Review of any data protection statements attached to any communications. Addressing any data
protection queries from media sources, etc. Aid with the implementation of marketing initiatives
where needed, working with other staff to ensure compliance.
General Staff
In all cases, staff are required to undergo full training in compliance with this policy and their
assigned role. Staff will not be allowed handle any information subject to Data Regulation policy
prior to undergoing full training.

7. Consent

Once personal information has been provided to FF through a means of communication or
website with the appropriate consent, marketing materials of a legitimate interest including
related products or services in line with those originally requested may be sent.
If a client does not wish to receive these materials, then they can simply click the ‘unsubscribe’
link in any email or communication. Note, we do not consider unsubscribing the same as the
cancellation of services – this must be communicated separately.
When appropriate consent has not been obtained through a web portal, clients may be asked over
the phone if they wish to receive marketing materials, offers and other content from FF prior to
the same being sent.
In all cases, a client or potential client will not be contacted with marketing materials, etc. where
consent through them being classified as an on-going or professional client, legitimate interest in
services or direct permission cannot be established.
In some situations, the company may have obtained sensitive personal information from a client
directly as part of providing a service. This information will not be shared with any party unless
the express agreement of the client has been obtained.

8. Data Storage

Questions about storing data safety can be directed to the DPO or IT Manager where applicable.
Hard Copy
• Data collected in hard copy, paper format, will be stored in a secured location where
access is restricted to those employees that require access as part of their role only and
the room shall be locked when access is not required.
• When documents/files are not required they are stored in locked/secured areas.
• Where appropriate, documents containing any kind of personal information or client
communications should be disposed of using approved shredding services.
Register Post, Mail Forwarding Services
A specific set of protocols exist for clients who use our services for mail forwarding and scanning
service provided for clients.
• Mail is not to be opened for a client unless expressly requested to do so.
• The exception to the above is if the post is subject to an internal AML review on the
basis of suspicious activity brought to light – this is compliant under our role as a
• All mail is to be stored in a secure location where access by unauthorised persons can
be easily prevented.
• Post is sent out unopened in weekly batches where required.
• As per our terms and conditions for this service, post may not be sent on if payment
for the service has not been confirmed and all items will be sent to the relevant address
once the service is deemed cancelled.
• Where appropriate or requested directly, mail shall be destroyed using paper shredding
Electronic Data
• Electronic data is secured and maintained by our external IT partners and further
information with regards to how this data is managed is available on request.
• Internal policies are also in place to ensure security is maintained once handled by all

9. Data Use

Computers with access to any personal data; each employee should ensure that screens are locked
appropriately before leaving machines unattended.
Personal Data should not be shared informally. Where appropriate data should be encrypted
before being transferred electronically.
No data should be transferred outside of the European Economic Area. The only exception would
be when the transfer is specifically requested by the client.

10. Data Accuracy

In all cases, data should be held in as few places as possible. Hard copy files are stored in secured
location and CRM data and soft copies of files are held on the secure server.
In tandem with FF’s regulation as a Trust and Company Service Provider, an on-going review of
all company files takes place based on a risk-based scoring system. Based on risk, files should be
reviewed on a staggered basis to ensure data is updated and inaccuracies are discovered and
Facilities are in place, through the website general contact section and an appointed account
manager to easily communicate any alterations in personal data of a client in a secure way.

11. Data Retention & Destruction

In all cases, personal data will not be held longer than is necessary and when appropriate
destroyed in a secure manner.
As a Trust and Company Service Provider, we are legally obliged to retain files and personal
information throughout an on-going service period and for five years after a client has cancelled
services with the company. Files no longer considered on-going clients are transferred to the
archive section of our secure file storage area, retained, and appropriately disposed of when no
longer required. Once a client has left, remaining documents, where appropriate are securely sent
to the client. Documents held securely by FF following the cancellation of services are destroyed
using shredding facilities, as below once the tracked time period has expired.
Data is, in all cases to be destroyed in an appropriate manner. All elements of FF use approved
shredding facilities to ensure data integrity. These bins are located through the offices, are locked
at all times with access restricted and cleared for on-site shredding once a month.
Unless where specifically specified in this policy, data will be retained by FF for a period of five
years following the data being classed as inactive. This is represented by client or enquiry no
longer being considered live or on-going. This will be indicated by the cancellation of services
either by the client, any element of FF or if an enquiry received is deemed to be inactive – more
than one year old.

12. Data Loss Notification Procedure

In the event of a breach or any data suspected of being compromised, any member of staff is to
inform both the Data Protection Officer and both company Directors at the earliest possible
Where appropriate, the relevant authorities should be informed of the breach at the earliest
possible instance. The earliest possible timeframe for this report should be as soon as the extent
and nature of the data loss has been confirmed or no more than seven days after the breach. This
should include the nature of the breach, the amount of personal information compromised, and
the action being taken to rectify the issue.
Any individual that has been subject to the breach should be informed as soon as the extent and
nature of the data loss has been confirmed or no more than seven days after the breach, detailing
the steps being taken to rectify the issue and the steps, if any that the individual should take
directly to further secure their information.
In all cases, the relevant authorities and any effected individuals should be kept informed of the
progress of dealing with any breach until a time when the issue is considered closed. A report
should be maintained and made available when required by any effected party.

13. Subject Access Requests

All individuals who have personal data stored by FF and its sister companies are entitled to what
information the company holds about them, why it is retained and how to obtain access to the
Each individual should be informed how their personal data is kept up to date and how FF meets
its data obligations.
Requests for any such information can be submitted to the Data Protection Officer at The aim is to provide information on all requests within 14 days,
however, in exceptional circumstances, this will not be beyond 30 days. Note that, appropriate
measures will be taken to confirm the identity of the requestee prior to providing any
Once a request has been made it is the responsibility of the Data Protection Officer (or when
unavailable a Company Director), to prepare the Subject Access report.
The report should review all email communication and information held on the server in relation
to an individual. In addition, any hard copy documentation or files should be listed, and the
subject made aware of a data contained within.
A report should be presented within the above timeframes, which should include a listing of all
information held by the company on an individual and any relevant third party that information
has been shared with.
The report should be reviewed, verified and signed off on by the DPO and at least one Director of
the company.
In all cases, an individual will have the right for their personal information to be removed
(forgotten) from our system. The sole caveat to this being when it impacts FF in providing or
completing any service which the entity has been contracted to provide.

14. Personal Information and Third Parties

FF does not share personal information with third parties in any ancillary way. Information
may, however, be shared with a third party in direct connection with a service being provided by
a division of the company. In a number of cases, pre-approved agents in various jurisdictions are
used to complete company formations, secretarial services, and other related activities.
In providing personal information in relation to a service, clients should be aware this
information may be shared with a third party in direct support of a service being provided by the
relevant third party.
We are also required to share information with third parties to meet any applicable law,
regulation, or lawful request. When we believe we have been given false or misleading
information, or we suspect criminal activity we must record this and inform appropriate law
enforcement agencies which may be either within or outside of Ireland.
Third Parties
FF use several verified third parties for services not managed internally. These services include,
payment processing, IT support services data transfer and storage.
A full itemised list of the providers that apply to an individual’s data is available on request from
the Data Protection Officer.

15. Internal Communication

All staff communicate internally through email services provided by our IT support services.
Where avoidable personal information on clients should not be shared through email and under
no circumstances should information of a sensitive nature be sent in this way.

16. Making a Complaint

Should any person have a concern with regards to the use of their personal information, a
member of staff can be informed in person and via phone or email. All complaints or concerns
will be fully investigated and reviewed. We would simply ask that as much information is
provided as possible to enable us to resolve the complaint as quickly as possible.

17. Update to Data Policy

From time to time, particularly when how we are required to use information changes or when
our systems are upgraded and in line with future legislation on data protection, changes will be
made to this policy. An up-to-date version of this policy can be found on our website at all times.

Our site uses cookies to optimize content and improve platform performance. By continuing using website - you agree that the website can set cookies on your browser. For more information please visit the page privacy policy