THUNDER VALLEY ADMINISTRATION LIMITED
(the “Company”)
Your privacy is important to us. The Applicable Laws to this Privacy Policy are the Data Protection (Jersey) Law 2018 as the GDPR (Regulation (EU) 2016/79 of the European Parliament and of the Council of 27 April 2016) (the “Law”). The Company acknowledges that for the purposes of the Law, the Company is both the data controller and the data processor.
Our contact details:
Name: Aaron Pipon at Thunder Valley Administration
Address: Floor 1, Liberation Station, Esplanade, St. Helier, JE2 3AS, Jersey
Phone Number: 07797869908
E-Mail: tva@thundervalleyadministration.com
1. What type of information we have:
1.1. We currently collect and process the following information:
1.1.1. Personal identifiers, contacts and characteristics for you (for example, name, date of birth, location, telephone number, and email address);
1.1.2. Demographic information such as post code, preferences, interests, and employment data; and
1.1.3.Digital information, such as website use data and social media posts and comments.
2. How we get the information and why we have it:
2.1. Most of the personal information we process is provided to us directly or indirectly by you via email, phone or our website (tva@thundervalleyadministration.com), for one of the following reasons:
2.1.1. In performing the Services outlined in our standard terms and conditions;
2.1.2. Internal record keeping;
2.1.3. Consultation and support;
2.1.4. We may use the information to improve our product and services; and
2.1.5. We may periodically send promotional emails about our new products, special offers or other information which we think you may find interesting.
2.2. Under the Law, the bases we rely on for processing this information are:
2.2.1. Your consent. You are able to remove your consent at any time. You can do this by contacting tva@thundervalleyadministration.com;
2.2.2. We have a contractual obligation;
2.2.3. We have a legal obligation;
2.2.4. We have a vital interest;
2.2.5. We need it to perform a public task; and
2.2.6. We have a legitimate interest.
3. How we store your information:
3.1. Your information is securely stored electronically with adequate controls and higher levels of security around special categories of personal data.
3.2. We keep the personal information listed in Clause 1 for no longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. Once the information is no longer required by the Company, we will then dispose of your information by deleting it from all network drives and disposing securely of any paper copy versions by shredding any copied which contain personal or sensitive information.
4. What we do with your information:
4.1. We will use the information that you provide in order to:
4.1.1. Create internal record keeping;
4.1.2. Perform the Services;
4.1.3. Improve our products or services; and
4.1.4. Send promotional emails about our new products, services and special offers.
4.2. In some circumstances we may share this information with third party agents, suppliers, or contractors, in connection with the processing of your personal information for the purposes described in this policy, which may include, but is not limited to:
4.2.1. IT, software and communications service providers; and
4.2.2. Our advisers, such as accountants and any legal advisors which we may instruct from time to time.
5. Your data protection rights:
5.1. Under the Law, you have rights including:
5.1.1. Your right of access - You have the right to ask us for copies of your personal information;
5.1.2. Your right to rectification -You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete;
5.1.3. Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances;
5.1.4. Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances;
5.1.5. Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances; and
5.1.6. Your right to data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
5.2. You are not required to pay any charge for exercising your rights. If you make a request, we have four weeks to respond to you. Please contact us at tva@thundervalleyadministration.com if you wish to make a request.
5.3. You can also complain to the Jersey Office of the Information Commissioner (JOIC) if you are unhappy with how we have used your personal data.
JOIC’s address:
2nd Floor
5 Castle Street St. Helier Jersey
JE2 3BT
+44 (0) 1534 716530
1. Terms and Definitions
Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Breach Register: a register used to record the details of all Data Breaches that have occurred within the Company and the actions taken to mitigate future breaches occurring.
Data Controller: the entity that determines the purposes, conditions and means of the processing of Personal Data.
Data Processor: the entity that processes data on behalf of the Data Controller.
DPL: the individual responsible for the implementation of the policies and procedures set forth in the Data Protection (Jersey) Law 2018 and who ensures that data protection concepts are embedded throughout the Company.
Data Subject: a natural person whose personal data is processed by a controller or processor.
Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.
Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the Personal Data that is processed and the policies in place to protect the Personal Data.
Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Risk: a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage). This is described under Article 20 of the Data Protection (Jersey) Law 2018 and must be reported to the supervisory authorities.
Office of the Information Commissioner: the Supervisory Authority located in Jersey tasked with regulating and enforcing compliance with the Data Protection (Jersey) Law 2018.
2. Purpose
This policy establishes an effective, accountable, and transparent framework for ensuring compliance with the requirements of the Data Protection (Jersey) Law 2018.
3. Scope
3.1. This policy applies to the provision of services by Thunder Valley Administration Limited (the “Company”), registered with the Jersey Office of the Information Commissioner (the “JOIC”) under the Company registration number No 102505 and renewal due 31 December 2025.
3.2. The Company processes personal identifier data, demographic data (including employment data) and digital information as more particularly set out in the Company’s Privacy Policy.
4. Policy Statement
4.1. We are committed to conducting our business in accordance with all applicable data protection requirements and in line with the highest standards of ethical conduct.
4.2. This policy sets forth the expected behaviours of our employees and third parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to a client / supplier / employee (i.e. the Data Subject).
4.3. Personal Data is any information (including opinions and intentions) which relates to an identified or identifiable natural person. Personal Data is subject to certain legal safeguards, which impose restrictions on how organisations may process Personal Data. An organisation that handles Personal Data and makes decisions about its use is known as a Data Controller. We, as a Data Controller, are responsible for ensuring compliance with the data protection requirements outlined in this policy. Non-compliance may expose us to complaints, regulatory action, fines and/or reputational damage.
4.4. Our team is fully committed to ensuring continued and effective implementation of this policy and expects all our employees and third parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.
5. Governance
5.1. To demonstrate our commitment to data protection, and to enhance the effectiveness of our compliance efforts, we have appointed a DPL for the Company to oversee all data protection day to day matters. Our DPL is Aaron Pipon.
5.2. The duties of the DPL include but are not limited to:
5.2.1. being available to give support and guidance to the Company when required;
5.2.2. providing written advice to data protection situations that need clarity;
5.2.3. providing guidance with regards to carrying out Data Protection Impact Assessments (the “DPIAs”);
5.2.4. acting as a point of contact for and cooperating with the JOIC;
5.2.5. ensuring establishment of procedures and standard contractual provisions for obtaining compliance with this policy by any third party who:
5.2.5.1. provides Personal Data to us;
5.2.5.2. receives Personal Data from us; and
5.2.5.3. has access to Personal Data collected or processed by us.
5.3. The DPL duties include, but not limited to:
5.3.1. acting as the first point of contact to go to for day-to-day data protection issues;
5.3.2. monitoring and collating any Data Subject Access Requests received by the Company; and
5.3.3. monitoring and identifying any risks associated with data protection issues.
5.4. Data Protection by Design: To ensure that all data protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing. We must ensure that a DPIA is conducted, in cooperation with the DPL, for all new and/or revised systems or processes for which it has responsibility.
5.5. Compliance Monitoring: To confirm that an adequate level of compliance that is being achieved the DPL will carry out an annual data protection compliance audit for all such services. Each audit will, as a minimum, assess:
5.5.1. Compliance with this policy in relation to the protection of Personal Data, including:
5.5.2. The effectiveness of data protection related operational practices, including;
5.5.2.1. Data Subject rights;
5.5.2.2. Personal Data transfers;
5.5.2.3. Personal Data incident management;
5.5.2.4. Personal Data complaints handling;
5.5.2.5. the level of understanding of data protection policies and privacy notices;
5.5.2.6. the currency of data protection policies and privacy notices;
5.5.2.7. the accuracy of Personal Data being stored;
5.5.2.8. the conformity of data processor activities; and
5.5.2.9. the adequacy of procedures for redressing poor compliance and Data Breach
6. Data Protection Principles
6.1. We have adopted the following principles to govern our collection, use, retention, transfer, disclosure and destruction of Personal Data:
6.1.1. Principle 1: Lawfulness, Fairness and Transparency: Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. This means, we must tell the Data Subject what processing will occur (transparency), the processing must match the description given to the Data Subject (fairness), and it must be for one of the purposes specified in the applicable data protection laws (lawfulness).
6.1.2. Principle 2: Purpose Limitation: Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means we must specify exactly what the Personal Data collected will be used for and limit the processing of that Personal Data to only what is necessary to meet the specified purpose.
6.1.3. Principle 3: Data Minimisation: Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means we must not store any Personal Data beyond what is strictly required.
6.1.4. Principle 4: Accuracy: Personal Data shall be accurate and, kept up to date. This means we must have in place processes for identifying and addressing out-of-date, incorrect and redundant Personal Data.
6.1.5. Principle 5: Storage Limitation: Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed. This means we must, wherever possible, store Personal Data in a way that limits or prevents identification of the Data Subject.
6.1.6. Principle 6: Integrity & Confidentiality: Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. We must use appropriate technical and organisational measures to ensure the integrity and confidentiality of Personal Data is maintained at all times.
6.1.7. Principle 7: Accountability: The Data Controller shall be responsible for and be able to demonstrate compliance. This means we must demonstrate that the six data protection principles (outlined above) are met for all Personal Data for which it is responsible.
7. External Privacy Notices
Each external website provided by us will include an online ‘Privacy Notice’ and an online ‘Cookie Notice’ fulfilling the requirements of applicable law.
8. Data Use
8.1. We use the Personal Data of our contacts for the following broad purposes:
8.1.1. Create internal record keeping;
8.1.2.Provide consultations;
8.1.3.Improve our products or services; and
8.1.4.Send promotional emails about our new products, services and special offers.
9. Data Retention
To ensure fair processing, Personal Data will not be retained by us for no longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. Once the information is no longer required by the Company, we will then dispose of your information by deleting it from all network drives and disposing securely of any paper copy versions by shredding any copy which contain personal or sensitive information.
10. Data Protection
10.1. We will adopt physical, technical, and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment. A summary of the Personal Data related security measures is provided below:
10.1.1. Prevent unauthorised persons from gaining access to data processing systems in which Personal Data are processed.
10.1.2. Prevent persons entitled to use a data processing system from accessing Personal Data beyond their needs and authorisations.
10.1.3. Ensure that Personal Data during electronic transmission during transport cannot be read, copied, modified, or removed without authorisation.
10.1.4. Ensure that Personal Data is protected against undesired destruction or loss.
10.1.5. Ensure that Personal Data is not kept longer than necessary.
11. Data subject Requests
11.1. The DPL will establish a system to enable and facilitate the exercise of Data Subject rights related to:
11.1.1. Information access.
11.1.2. Objection to processing.
11.1.3. Restriction of processing.
11.1.4. Data portability.
11.1.5. Data erasure.
11.2. If an individual makes a request relating to any of the rights listed above, we will consider each such request in accordance with all applicable data protection laws. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature. If you make a request, we have four weeks to respond to you. Please contact DPL at tva@thundervalleyadministration.com if you wish to make a request or would like guidance or assistance with a data protection issue.
12. Data Transfers
12.1. We may transfer Personal Data to internal or third-party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects. We may only transfer personal data where one of the transfer scenarios listed below applies:
12.1.1. The Data Subject has given consent to the proposed transfer;
12.1.2. The transfer is necessary for the performance of a contract with the Data Subject;
12.1.3. The transfer is necessary for the implementation of pre-contractual measures taken in response to the Data Subject’s request;
12.1.4. The transfer is necessary for the conclusion or performance of a contract concluded with a third party in the interest of the Data Subject;
12.1.5. The transfer is legally required on important public interest grounds;
12.1.6. The transfer is necessary for the establishment, exercise, or defence of legal claims; and
12.1.7. The transfer is necessary in order to protect the vital interests of the Data Subject.
13. Complaints handling
13.1. Data Subjects with a complaint about the processing of their Personal Data, should put forward the matter in writing to the DPL. The DPL is Aaron Pipon and can be contacted at:
Name: Thunder Valley Administration Limited
Address: Floor 1, Liberation Station, Esplanade, St. Helier, JE2 3AS, Jersey
E-Mail: tva@thundervalleyadministration.com
13.2. An investigation of the complaint will be carried out to the extent that is appropriate based on the merits of the specific case. The DPL will inform the data subject of the progress and the outcome of the complaint within a reasonable period.
13.3. If the issue cannot be resolved through consultation between the Data Subject and the DPL, then the Data Subject may, at their option, seek redress through mediation, binding arbitration, litigation, or via complaint to the JOIC at:
The Jersey Office of the Information Commissionner
2nd Floor
5 Castle Street St. Helier Jersey
JE2 3BT
14. Breach Reporting
14.1. Any individual who suspects that a Data Breach has occurred due to the theft or exposure of Personal Data must notify the DPL immediately, providing a description of what occurred. Notification of the incident can be made via e-mail to: tva@thundervalleyadministration.com
14.2. The DPL will investigate all reported incidents to confirm whether a Data Breach has occurred. If a Data Breach is confirmed, the DPL will follow the relevant authorised procedure based on the severity and quantity of the Personal Data involved.
15. Review
This policy will be reviewed by the DPL every two years, unless there are any changes to Jersey legislation that would require a review earlier. The DPL will keep appraised of changes.
We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.