SUBMIT A COMPLAINT Complaint Icon
×

Select a language:

Privacy & Cookies

Privacy & Cookies Statement (Privacy Notice September 2025)

This privacy notice sets out how you can expect us to use your personal data when you visit our website and when you use our services as the Channel Islands Financial Ombudsman (‘CIFO’, ‘we’ or ‘us’).
We reserve the right to update this privacy statement at any time.

About us

CIFO is the Financial Services Ombudsman for the Islands of the Channel Islands. For data protection enquiries you can contact us at DPO@ci-fo.org. Our Data Protection Officer is Alison Finn (DPO).

As a pan-island authority, we are registered as a controller with the Jersey Office of the Information Commissioner (Registration No. 53967) and the Office of the Data Protection Authority in Guernsey (Registration No. 53968) for the processing of personal data.

At CIFO we are committed to protecting your privacy and safeguarding your personal data.

What is Personal Data?

“Personal Data” is any information that relates to an individual. This information may include but is not limited to your name, mailing address, telephone number, and e-mail address. If you are making a complaint about a Financial Service Provider (FSP), we may also collect Personal Data relevant to your complaint, such as your financial, health records and telephone calls with our office.

Where we get personal data information from

Most of the Personal Data that we process is given to us directly by you for one of the following reasons:

  • You have made an enquiry or otherwise made contact with us.
  • You have brought a complaint against an FSP for us to investigate and resolve.
  • You are an individual connected to one of the FSPs where we are handling a complaint.
  • You wish to attend or have attended one of our events.
  • You subscribe to our newsletter and email updates.
  • You have applied for a job with us.
  • You are one of the stakeholders we engage or have engaged with as part of our stakeholder engagement outreach, including being a respondent of a CIFO consultation.
  • You have taken part in a procurement process or supply services to us as a sole trader or as an individual consultant.
  • You have made a service complaint to us.

We may get some Personal Data relating to you from third parties, most commonly when you have brought a complaint to be investigated by CIFO against an FSP, and this information forms part of the disclosure made in relation to your complaint.

Your data rights

Under the data protection law, you have rights we are required to make you aware of. The rights available to you depend on the reason for processing your Personal Data and are subject to the restrictions set out in the Data Protection (Jersey) Law 2018 and the Data Protection (Bailiwick of Guernsey) Law 2017. These are in summary form:

Right of access

You have the right to ask us for copies of your Personal Data. There are some exemptions, however, which may mean you will not receive all the information we process. The principal exemption which applies is where the disclosure of such information may be likely to prejudice the proper performance of CIFO’s statutory functions.

Right of rectification

You have the right to rectification of inaccurate Personal Data relating to you. This includes the right to have incomplete Personal Data completed. This only applies to factual information and not to opinions.Right of erasure
You have the right to ask us to erase your Personal Data in certain circumstances.

Right of restriction

You have the right to ask us to restrict the processing of your Personal Data in certain circumstances.

Right to object

You have the right to object to processing of your Personal Data in certain circumstances.

Right to data portability

You have the right to ask for your Personal Data to be provided to you, or another organisation. This only applies to the Personal Data you have given us. This right is limited to certain Personal Data and does not apply if we are processing your Personal Data as part of our public functions.

Right regarding automated decision-making

You have the right to not have decisions made about you solely based on automated decision-making processes.

You can find out more about the law and your rights on the websites of the Jersey and Guernsey Regulators for Data Protection.

What if I’m unhappy with how you’ve handled my Personal Data?

If your concerns are not related to data protection, for example you’re unhappy with CIFO’s delivery of its complaint resolution service or the evidence shared with you as part of your complaint against an FSP, please contact your case handler in the first instance.

If you’re not happy with how we’ve handled your Personal Data, we have a two-stage process for responding to enquiries and complaints relating to data protection.

If you have a dedicated case handler, then please contact them in the first instance. Your complaint will first be dealt with by the appropriate case handler or CIFO’s Head of Case Management.

In most instances, this resolves things. But if you remain unhappy, you can escalate your concerns to the DPO at DPO@ci-fo.org who will then respond to your complaint.

We would like you to give us an opportunity to investigate and resolve your complaint first, but if you’re unhappy with the final response you receive, then you can contact the Guernsey or Jersey data protection authority with whom CIFO is registered (see above).

How do we collect your Personal Data?

We will always collect your Personal Data in compliance with the law. As a public body carrying out those functions vested in CIFO under statute, we are lawfully permitted to process your Personal Data for those purposes.

For any special category data contained in your Personal Data, such as your private health data, we will seek to obtain your consent before this data is processed.

We may collect Personal Data from you directly and/or from third parties, such as from FSPs and their external agents. We may also record calls as part of our public function as an Ombudsman service or where we have obtained your consent to do so or as otherwise required or permitted by law. If you have brought a complaint to CIFO for us to investigate and resolve, you will be advised that your calls with us are recorded.

Where do we store your Personal Data?

We will keep the Personal Data that we collect either at CIFO’s office in Jersey, or on electronic records stored with an information technology service provider in Europe.

From time-to-time we may use a contracted third-party provider to assist us to carry out research and gain feedback from users of our services. We will always ensure appropriate controls and safeguards are in place.

How do we use your Personal Data?

We identify the purposes for which we use your Personal Data at the time we collect such information from you and, where required, obtain your consent, prior to such use. We generally use your Personal Data for the following purposes (the “Purposes”):

  • to respond to enquiries.
  • to investigate and resolve complaints.
  • to garner opinions and comments regarding CIFO’s operations.
  • to administer our business activities and website.
  • to administer CIFO’s mailing list(s).
  • for statistical research and demographic analysis.
  • to administer the physical security of our offices.
  • to recruit for positions in CIFO, and for planning and analysis relating to CIFO’s recruitment efforts.
  • to investigate legal claims.
  • such purposes for which CIFO may obtain consent from time-to-time.
  • such other legitimate purposes and uses as may be permitted or required by applicable law.

If you are making a complaint to CIFO about the provision of financial services in or from within the Channel Islands, your complaint, with personal identifiers removed, may be used to compile statistical data or prepare case studies, which may be made public.

CIFO’s website may place and access cookies when you visit the website.

How will we use Generative AI?

CIFO has adopted a website Generative AI agent, Microsoft 365 Co-pilot Chat, to help facilitate its users navigate its services and its complaint resolution function. This will collect standard log in information and details of visitors’ behaviour patterns. We do this to enhance CIFO’s service delivery for its users. All Personal Data collected in this manner is anonymised and managed in accordance with CIFO’s Generative AI policy.

CIFO will only use GenAI tools for its’ complaint resolution function as a support tool and with the full oversight and review of its output by CIFO’s case handlers and the CIFO operations team. It will not be used for automated decision making. CIFO’s Generative AI policy includes an AI ethics and use policy.

To whom do we provide your Personal Data?

We will only make disclosures of Personal Data to such persons for whom you provide your consent unless the disclosure is otherwise necessary for our public function or for legitimate interests and permitted or required by law.

Where we are conducting an investigation, we will need to share information with the relevant FSP and related parties.

Personal Data will only be processed and disclosed in compliance with the data protection legislation.

When and how do we obtain your consent?

Where we are required to seek your consent to the processing of your Personal Data, we generally do so at or before the time that we collect your Personal Data. However, where the processing of your Personal data is necessary for our public function as an Ombudsman service or for the legitimate interests of a third party, we may not always obtain your consent prior to using or disclosing your Personal Data for any purpose.

You may provide your consent to us either orally, electronically or in writing. The form of consent that we seek, including whether it is express or implied, will largely depend on the nature of the Personal Data, the context of the processing, and the reasonable expectations you might have in the circumstances.

How do we ensure the privacy of your Personal Data when dealing with third parties?

We ensure that all third parties with access to Personal Data for which we are a controller, whether they are involved in a complaint, an investigation or otherwise, comply with all requirements of the data protection legislation.

Certain of CIFO’s events, such as its Annual Stakeholder Meeting, are facilitated through EventBrite. For further information on how they process your Personal Data please view their Eventbrite Privacy Policy | Eventbrite Help Centre.

How long will we utilize, disclose or retain your Personal Data?

We retain your Personal Data only for as long as required for the purpose or purposes for which it is processed and in compliance with our Data Retention Policy.

How do you know that the Personal Data we have on you is accurate?

We will ensure that your Personal Data is kept as accurate, complete, and up to date as possible. We will not routinely update your Personal Data, unless such a process is necessary.

If you want to exercise your right to review, verify, correct, withdraw consent, or request erasure of your Personal Data, please contact our DPO.

What if the Personal Data we have on you is inaccurate?

At any time, you can challenge the accuracy or completeness of your Personal Data in our records. If you successfully demonstrate that your Personal Data in our records is inaccurate or incomplete, we will amend the Personal Data as required. Where appropriate, we will transmit the amended information to third parties.

How can you review your Personal Data?

You may make a written or verbal request to review any Personal Data about you that we have collected, utilised, or disclosed. Upon receiving such a request, we will generally provide you with any such Personal Data in accordance with applicable law. We will make such Personal Data available to you in a form that is intelligible and will explain any abbreviations or codes. Information that you have already been given or shared with us will note be duplicated unless you specifically request an additional copy.

CIFO as a public body established under statute is entitled to certain statutory exemptions from sharing this information with you, where the disclosure is likely to prejudice the performance of CIFO’s statutory functions.

How fast will we respond to your written requests?

We will attempt to respond to each of your written requests within the relevant statutory period (4 weeks: Jersey, 1 month: Guernsey) after receipt of such requests. We will advise you in writing if we cannot meet your requests within this time limit.

Are there any costs to you for requesting information about your Personal Data or our privacy practices?

Generally, we will not charge you to access your Personal Data in our records or to access our privacy practices.

How do we know that it is really you requesting your Personal Data?

It is important for us to ensure we do not disclose Personal Data to anyone not authorised to see it. We may therefore request that you provide a form of identification to allow us to verify your request. Any such identifying information shall be used only for this purpose.

What safeguards have we implemented to protect your Personal Data?

We have implemented physical, organisational, contractual, and technological security measures to protect all your Personal Data from loss or theft, unauthorised access, disclosure, copying, use or modification. The only employees, who are granted access to your Personal Data are those who are authorised and have a business ‘need-to-know’ or whose duties reasonably require such information. When we contract with third parties, we ensure high standards of compliance and oversight.

How do you contact CIFO regarding access to your Personal Data?

If you are a complainant who has brought or is bringing a complaint against an FSP to CIFO to resolve and have questions about your Personal Data or you are seeking to see your Personal Data held on your complaint file, please contact your case handler in the first instance. If you are still not happy you can contact the DPO at DPO@ci-fo.org.

For all other requests, you can simply email the Data Protection Team at DPO@ci-fo.org.

How do you contact CIFO regarding CIFO’s privacy practices?

If you have any questions about this Privacy Notice or how we handle your Personal Data, please contact DPO@ci-fo.org.

Your right to complain to Data Protection Regulator:

You have the right to make a complaint at any time to the relevant Data Protection authority either in Jersey or Guernsey with whom we are registered (see above).

 

Office of the Information Commissioner – Jersey

2nd Floor, 5 Castle St, St Helier, Jersey JE2 3BT

Telephone +44 (0) 1534 716530 or Email: enquiries@dataci.org

Office of the Data Protection Authority – Guernsey

St Martin’s House, Le Bordage, St Peter Port, Guernsey, GY1 1BR

Telephone +44 (0) 1481 742074 or Email: enquiries@odpa.gg