Kerruish Law Privacy Notice

1. Introduction

Kerruish Law Limited respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

This privacy notice aims to give you information on how Kerruish Law Limited collects and processes your personal data. It is important that you read this privacy notice so that you are fully aware of how and why we are using your data.

2. Who we are

Kerruish Law Limited is a data controller and responsible for your personal data (collectively referred to as “Kerruish Law”, “we”, “us” or “our” in this privacy notice).

We have appointed a Data Privacy Manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Data Privacy Manager using the details set out below.

Our full details are:
Company name: Kerruish Law Limited
Company number: 008168V
Postal address: 1st Floor, Bourne Concourse, Peel Street, Ramsey, Isle of Man, IM8 1JJ
Data Privacy Manager: Edward Paul Kerruish
Email address:
Telephone number: 01624 623999

3. Personal data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different types of personal data about you which is provided by you or which we learn about you from your use of our legal services which we have grouped together as follows:

  • Identity data: including first name, maiden name, last name, marital status, title, date of birth and gender
  • Contact data: including residential address, business address, email address and telephone numbers
  • Financial data: including bank account details, credit and debit card details, employment salary details and other source of wealth information
  • Technical data: including your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access Kerruish Law’s website

4. Purposes for which we will use your personal data

We require your personal data for the following purposes:

  • To verify your identity and provide the legal services and carry out the scope of work upon which we are instructed by you and to meet our contractual commitments to you in this regard
  • to carry out such other instructions that you may provide to us from time to time
  • to provide you with other information that you may request from us
  • to comply with our legal obligations and professional responsibilities
  • for other legitimate reasons such as for internal compliance and security purposes

For the processing of your personal data to be lawful we rely upon the following legal bases:

  • Contract: whereby the processing of your personal data is necessary for the performance of contract we have with you (i.e. this Letter of Engagement) or because you have asked us to take specific steps prior to entering in to a contract
  • Legal obligation: whereby the processing of your personal data is necessary for us to comply with the law (not including contractual obligations). For example where we are required to provide information to the authorities pursuant to Anti-Money Laundering and Countering the Financing of Terrorism legislation
  • Legitimate interests: legitimate interests of Kerruish Law as a business for example our retention of files over and above statutory periods in case of a need to defend a claim or calculating the demographics of our client base

5. Disclosures of your personal data

We may from time to time have to share your personal data with the third party categories set out below for the purposes set out at section 4 above:

  • Kerruish Law’s Client Account provider which is currently Isle of Man Bank Limited
  • Your Bank or Mortgage Lender
  • All professional firms we need to provide your details to in regard to matters on which we are instructed on your behalf
  • Regulatory authorities including the Isle of Man Financial Services Authority or Financial Intelligence Unit
  • Isle of Man Government Departments
  • Isle of Man Companies Registry
  • Isle of Man Deeds and Land Registry
  • Isle of Man Probate Registry
  • Our IT providers (only as required to maintain service levels expected)

We require all third parties to respect the security of your personal data and to treat it in accordance with the law.

6. International transfers

We should not generally need to transfer your personal data outside the European Economic Area (“EEA”). Should this become necessary, however, for the purposes set out at section 4 above, we will ensure a similar degree of protection is afforded to it by ensuring that we only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

7. Data retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

By law we have to keep certain information about our clients for at least five (5) years from in certain circumstances the date of completion of the transaction for which we are instructed to act for the client, and in all other cases from the date that the business relationship has ceased, for the purposes of our Anti-Money Laundering and Countering the Financing of Terrorism obligations.

We are also required to retain certain information for six (6) years from the date that the business relationship has ceased for the purposes of prudent record keeping purposes.

In certain circumstances you can ask us to delete your data - please refer to section 8 below for further information.

8. Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. Further information about these rights are listed below:

  • The right to be informed - You have the right to ask us for information about the personal data that we hold about you and the rationale for the processing of your personal data.

  • The right of access - You have the right to request access to your personal data. This is known as a “Subject Access Request” and enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

    We are required by law to respond to Subject Access Requests without undue delay and in any event within one month of the date of the request. Please note that we may extend this period by two further months for complex or numerous requests, provided that we have informed you of the extension and reason for the delay.

    Generally speaking we will not charge you a fee for complying with your Subject Access Request. We are however permitted by law to charge a reasonable fee or refuse to comply with unfounded or excessive requests and where we do not comply with a Subject Access Request we must inform you why this is the case.

    In certain circumstances personal data will be exempt from Subject Access Requests for example where legal professional privilege in legal proceedings applies.

  • The right of rectification - You have the right to ask for the rectification of personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, although please note that we may need to verify the accuracy of the new data that you provide to us.

  • The right to erasure - In certain circumstances you have the right to ask for the deletion of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to its processing (see “The right to object” below), where we may have processed your personal data unlawfully or where we are required to erase your personal data to comply with the law. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

  • The right to restrict processing - You have the right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

    • i) If you want us to establish the accuracy of the personal data
    • ii) Where our use of the personal data is unlawful but you do not want us to erase it
    • iii) Where you require us to hold your personal data even if we no longer require it as you need it to establish, exercise or defend legal claims
    • iv) Where you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to process it

  • The right to data portability - You have the right to ask for your personal data to be transferred to you in a structured, commonly used, machine-readable format to reuse it for your own purposes or to transfer it upon your request to another data controller. This right only applies to personal data which you have provided to us and where our processing of your personal data is based upon the performance of a contract with you (see section 4 above) and is processed by automated means (i.e. electronically).

  • The right to object - You have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some instances we may demonstrate that we have compelling legitimate grounds to process your personal data which overrides your rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.

  • The right not to be subjected to automated decision making including profiling - We do not use automated decision making or profiling (i.e. any form of automated processing for evaluating individuals).

    We do however carry out risk screening of all new clients using their identity data via an online compliance portal ( for customer due diligence purposes to comply with the law in this regard.

  • For further information or to discuss any of your legal rights, or should you wish to make a complaint or a Subject Access Request, please contact the Data Privacy Manager in the first instance via the details set out at section 2 above.

    If you are not satisfied with our response, or you believe that we are processing your personal data not in accordance with the law, you also have the right to make a complaint to the Isle of Man Information Commissioner. Their contact details are set out below:

    Postal address: PO Box 69, Douglas, Isle of Man, IM99 1EQ
    Email address:
    Telephone number: 01624 693260

    9. Data security

    We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

    If an email communication relates to a matter of significance on which you wish to rely and you are concerned about the possible effects of electronic transmission, you should request a hard copy of such transmission from us. If you wish us to encrypt or password protect all or certain documents that we will transmit to you electronically, you should discuss this with us and we will make appropriate arrangements.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.