The Cayman Islands Data Protection Law, 2017 (the “DPL”) came into force on 30 September 2019. The Law introduces legal requirements based on internationally accepted principles of data privacy and is the principal legislation regulating general data privacy in the Cayman Islands.
The DPL applies directly to Data Controllers, and Data Controllers are required to ensure that the Personal Data which they process (or which are processed on their behalf by any Data Processor) are processed in accordance with the data protection principles (discussed below). For the most part, the DPL does not apply directly to Data Processors, but Data Controllers who wish to appoint Data Processors are required to ensure that Data Processors give certain contractual assurances with respect to the Personal Data that they process.
The DPL creates the function of an “Information Commissioner”, which, in fact, is the Cayman Islands Ombudsman. The Ombudsman has responsibilities/powers to oversee compliance with the regime – the Ombudsman can issue “Information Orders” and refer non-compliance to the investigative and prosecutorial authorities; hear appeals and complaints in relation to data protection issues; carry out public education and awareness (including disseminating guidance as to good practice); and act as international liaison for data protection issues.
The Ombudsman has issued guidance to assist with the practical implementation of the DPL. The current version is “Data Protection Law 2017 Guide for Data Controllers v1.03 January 2018”. Additionally, the Data Protection Regulations, 2018, inter alia, prescribe the procedure for dealing with information requests from individuals.
The DPL affects any Cayman Islands operating entity of Harmonic Group (currently Harmonic Fund Services, Harmonic Corporate Services Limited, Ancova Limited and Wavelength Financial Technology Ltd) which controls or processes Personal Data (as defined below) in the course of its business (“Harmonic”). In the course of its business activities Harmonic is required to receive and handle a wide range of data and information. Some of that data and information will be Personal Data and accordingly the DPL will apply to the collection, use and retention of that Personal Data. In certain limited circumstances that Personal Data may also be Sensitive Personal Data (as defined below).
Harmonic is categorized under the DPL as Data Processor (as defined below) in certain circumstances and Data Controller (as defined below) in other circumstances, which are as set out in “Scope” below. Where Harmonic controls Personal Data, Harmonic Group is required to have in place a policy to ensure Harmonic meets its obligations under the DPL to ensure the rights of Data Subjects (as defined below), with regard to the way in which their Personal Data is handled.
This policy applies to Harmonic when acting as Data Controller under the DPL. Harmonic acts as Data Controller in relation to the Personal Data of Data Subjects which are (i) employees of Harmonic; (ii) independent contractors of Harmonic; (iii) vendors of Harmonic; and (iv) certain individuals associated with Harmonic’s client whose Personal Data has been provided by Harmonic’s client in order to enable Harmonic to satisfy its own anti-money laundering, anti-terrorism financing and anti-proliferation financing (“AML/ATF/APF”) obligations to verify identity of its client. Each of (i), (ii), (iii) and (iv) shall be referred to in this policy as a “Relevant Person”. The contractual relationship between Harmonic and each Relevant Person (meaning, for the avoidance of doubt and in this context, in the case of (iv) Harmonic’s client acting on behalf of the aforementioned associated individuals) shall be referred to in this policy as the “Business Relationship” and the legal agreement between Harmonic and the Relevant Person shall be referred to in this policy as the “Business Contract”. For the purposes of this policy Relevant Persons are Data Subjects.
It should be noted that Harmonic acts as Data Processor in respect of Personal Data of its clients (other than Personal Data in relation to the client provided by the client to satisfy Harmonic’s own obligations to verify identity of its client under applicable AML/ATF/APF laws and regulations, as indicated above) received by Harmonic in the performance of Harmonic’s obligations under its services agreement with its client (“Services Contract”). The Services Contract contains data processing/protection obligations on both Harmonic and the client, and the client remains the data controller who determines the purposes, conditions and manner in which the Personal Data transmitted to Harmonic is processed. Harmonic will only use the relevant Personal Data in accordance with written instructions from its client, or pursuant to standing instructions from the client set out in the Services Contract.
In the usual course of Harmonic’s business, by virtue of its Business Relationship with the Relevant Person and Harmonic’s associated interactions with the Relevant Person (including the recording of electronic communications or phone calls where applicable) or by virtue of the Relevant Person otherwise providing Harmonic with personal information on it or on individuals connected with the Relevant Person (for example directors, trustees, employees, representatives, shareholders, investors, clients, beneficial owners or agents), the Relevant Person provides Harmonic with certain personal information which constitutes Personal Data. This includes, but is not restricted to, data such as name, residential address, email address, telephone number, place of birth, date of birth, passport number, social security number, tax ID number, bank account details, personal details required to complete background checks and personal details required to complete AML/ATF/APF checks (including but not limited to identification verification information).
Further, in the usual course of business Harmonic and its agents, delegates and affiliates may from time to time use Personal Data for other activities that meet the legitimate interest grounds for processing under the DPL.
The DPL contains specific requirements concerning protection of Sensitive Personal Data.
Data Controller – means a natural or legal person who, alone or jointly with others, determines the purposes, conditions and manner in which any Personal Data are, or are to be, processed. In practice, this means that a person who dictates which Personal Data are to be handled, why and how, will be considered a Data Controller for the purposes of the DPL.
Data Processor – means a natural or legal person who processes Personal Data on behalf of a Data Controller but, for the avoidance of doubt, does not include an employee of the Data Controller. In practice, this means that a person who handles Personal Data on behalf of someone else, following instructions and without deciding which Personal Data are to be handled, why or how, will be considered a Data Processor for the purposes of the DPL.
Data Subject means (a) an identified living individual; or (b) a living individual who can be identified directly or indirectly by means reasonably likely to be used by the Data Controller or by any other person, who is the subject of Personal Data. Put simply, a Data Subject is the living individual to whom Personal Data relates.
Personal Data means data relating to a living individual who can be identified and includes data such as (a) the living individual’s location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual; (b) an expression of opinion about the living individual; or (c) any indication of the intentions of the Data Controller or any other person in respect of the living individual. In practice, this means that any information which can in any way be used to identify a living individual (directly or indirectly, either on its own or in conjunction with any other information) will constitute Personal Data for the purposes of the DPL.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or, access to, Personal Data transmitted, stored or otherwise processed.
Processing in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on Personal Data, including (a) organizing, adapting or altering the Personal Data; (b) retrieving, consulting or using the Personal Data; (c) disclosing the Personal Data by transmission, dissemination or otherwise making it available; or (d) aligning, combining, blocking, erasing or destroying the Personal Data.
Sensitive Personal Data means, in relation to a Data Subject, Personal Data consisting of any types of data specified in the DPL, of which those types most relevant are (a) the Data Subject’s physical or mental health or condition and medical data (e.g. of Harmonic’s Staff Members which may form part of Human Resources records); and (b) any criminal history of the Data Subject (e.g. which may be obtained as part of routine background and screening checks into Harmonic Staff Members).
Harmonic as Data Controller and the Eight Data Protection Principles
In relation to the Relevant Persons and Harmonic’s use of their Personal Data Harmonic is a Data Controller and is committed to comply with its obligations as such under the DPL. As Data Controller Harmonic complies with the following eight data protection principles in respect of Personal Data which it processes, or which is processed on its behalf:
Harmonic as Local Representative
Generally speaking, a Data Controller (e.g. a Cayman fund) will be subject to the DPL only if it is established in the Cayman Islands (including branches or agencies) and it processes Personal Data in connection with such establishment. However, a Data Controller (e.g. a Delaware fund, Bermuda fund or BVI fund) which is not established in the Cayman Islands (“Non-Cayman Entity”) could still be subject to the DPL if it processes Personal Data in the Cayman Islands for any purpose “other than for purposes of transit through the Cayman Islands”. On the current drafting of the DPL as at the date hereof, such foreign Data Controllers need to nominate a local representative in the Cayman Islands (“Local Representative”). As at the date hereof it is not clear who would be eligible to act as a Local Representative or what such role would involve. It is likely that the person acting as Local Representative would be required to enter into an agreement with the Non-Cayman Entity to document roles and responsibilities. We understand that it is proposed that further details in relation to eligibility for and requirements of the Local Representative role will be clarified shortly by the Cayman Islands Government. If we are eligible to do so once such details are published, Harmonic Group should be able to provide Local Representative services for Non-Cayman Entities.
This Policy shall be updated once the details regarding the Local Representative role are published.
Harmonic will only collect and process Personal Data for purposes that have been communicated to the Data Subject and are lawful purposes. Harmonic will process data for the following purposes:
Harmonic will not process Personal Data in a manner that is incompatible with the purposes communicated to Data Subjects.
Harmonic will send to all clients, employees/independent contractors, and vendors a document entitled “Harmonic Group Disclosure Notice Regarding Compliance with Data Protection Law, 2017 Of The Cayman Islands” which sets out disclosure required to be made under the DPL describing Harmonic’s purposes for collection of data, its processing, disclosure, and retention activities, and the rights of data subjects. Such Disclosure Notice will also be placed on Harmonic’s website, in the Harmonic Cayman Staff Manual and in the welcome pack for new Harmonic Cayman Staff Members. The Disclosure Notice may be amended from time to time and any amended version will be made available as above.
The Personal Data collected will be adequate, relevant and not excessive, meaning it will be limited to what is necessary in relation to the purposes for which it is being processed.
Keep It Accurate and Up-To-Date
Harmonic will ensure that the Personal Data held is accurate and kept up to date. The accuracy of any Personal Data will be checked at the time of collection and at regular intervals or triggers thereafter. Harmonic will take all reasonable steps to amend inaccurate or out-of-date Personal Data without delay.
Harmonic will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Subject to compliance with local retention laws, Harmonic will take all reasonable steps to erase all Personal Data which is no longer required. Harmonic will be clear when informing the Data Subject about the length of time for which Personal Data will be kept and the reason why the information is being retained. Harmonic is aware of any statutory retention periods where an obligation exists to retain a Data Subject’s Personal Data for a fixed period, and ensures that Personal Data is retained in line with such statutory requirement(s) and that the Data Subject is aware of this retention period.
Rights of Data Subjects
Right of Access
A person is entitled to be informed by Harmonic whether the Personal Data of which the person is the Data Subject are being processed by or on behalf of Harmonic, and, if that is the case, to be given by Harmonic a description of –
A Data Subject is entitled to communication in an intelligible form, by Harmonic, of the Data Subject’s Personal Data, and any information available to Harmonic as to the source of the Personal Data.
If the processing by automatic means of the Data Subject’s Personal Data for the purpose of evaluating matters relating to the Data Subject, including the Data Subject’s performance at work, creditworthiness, reliability or conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting the Data Subject, the Data Subject is entitled to be informed by Harmonic of the reasons for that decision.
Harmonic shall not be obliged to supply any Personal Data unless Harmonic has received a request in writing, and any fee that Harmonic may require, such fee being within the limits prescribed by regulations. Currently, Harmonic does not propose to charge a fee unless a data access request is uncommonly large or time-consuming to comply with, such that it would unreasonably divert Harmonic’s resources. There is a template subject access request form on the Ombudsman’s website. If Harmonic reasonably requires further information in order to be satisfied as to the identity of the Data Subject making the request or to locate the information that the Data Subject seeks, and has informed the Data Subject in writing of the requirement, Harmonic is not obliged to comply with the request unless supplied with that information, and the response period specified below shall automatically stand suspended until it is supplied.
Harmonic shall comply with a request within thirty days (or such other period as may be prescribed by regulations) of the date on which Harmonic receives both the request and fee referred to above, but where Harmonic has requested further information, the period shall not resume until the information has been supplied.
If Harmonic cannot comply with the request without disclosing Personal Data relating to another Data Subject who can be identified from that Personal Data, Harmonic is not obliged to comply with the request unless-
The reference (above) to Personal Data relating to another Data Subject includes a reference to Personal Data identifying that other Data Subject as the source of the Personal Data sought in the request. Harmonic will still be expected to communicate so much of the Personal Data sought in the request as can be communicated without disclosing the identity of the other Data Subject concerned, whether by the omission of names or other identifying particulars or otherwise. In determining whether it is reasonable in all the circumstances to comply with the request without the consent of the other Data Subject concerned, Harmonic shall have regard to, in particular –
If Personal Data are being processed by or on behalf of Harmonic who receives a request under this section from the Data Subject, the obligation to supply the Personal Data under this section includes an obligation to give the Data Subject a statement of the Data Subject’s rights under the DPL in such form, and to such extent, as may be prescribed by regulations.
Harmonic shall supply the Data Subject with a copy of the Personal Data in the format requested unless the supply of such a copy is not possible or would involve disproportionate effort; or the Data Subject agrees otherwise. If any of the Personal Data are expressed in terms that are not intelligible without explanation the copy shall be accompanied by an adequate explanation.
If Harmonic has previously complied with a request for access by the Data Subject referred to therein, Harmonic is not obliged to comply with a subsequent identical or similar request for access by the Data Subject unless the interval between compliance with the previous request and the making of the current request is reasonable. In determining whether the interval is reasonable, regard shall be had to the nature of the Personal Data, the purpose for which the Personal Data are processed and the frequency with which the Personal Data are altered.
Personal Data and other information supplied shall be supplied by reference to the data in question at the time when the request for the Personal Data is received, except that account may be taken of any amendment or deletion made between that time and the time when the information is supplied, the amendment or deletion being such that would have been made regardless of the receipt of the request.
Further details of the procedure for responding to a data access request from a Data Subject are set out in the Harmonic Group GDPR and DPL Personal Data Access Policy in this Manual.
Right to Require Harmonic to Cease Processing
A Data Subject is entitled at any time, by notice in writing to Harmonic, to require Harmonic to cease processing, or not to begin processing, or to cease processing for a specified purpose or in a specified manner, the Data Subject’s Personal Data.
Harmonic shall, as soon as practicable, but in any case within twenty-one days of receiving a notice, comply with that notice unless –
and Harmonic shall state to the Data Subject the reasons for the non-compliance with the notice.
The DPL also contains specific rights of the Data Subject to request Harmonic to stop processing for direct marketing and in relation to automated decision-making.
Right to Request Harmonic to Rectify, Block, Erase or Destroy
If the Ombudsman is satisfied on a complaint made under section 43 of the DPL that Personal Data are inaccurate, the Ombudsman may order Harmonic to rectify, block, erase or destroy those data and any other Personal Data in respect of which Harmonic is Data Controller and that contain an expression of opinion that appears to the Ombudsman to be based on the inaccurate data.
This right applies whether or not the Personal Data accurately record information received or obtained by Harmonic from the Data Subject or a third party, but, if the data accurately record such information, then the Commissioner may instead of making an order as above –
If the Ombudsman makes an order as above, or is satisfied on a complaint made under section 43 that Personal Data that have been rectified, blocked, erased or destroyed were inaccurate, the Ombudsman may, if it is considered reasonably practicable, order Harmonic to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.
Kept Safe and Secure
Processing will be conducted in a manner that ensures appropriate security and confidentiality of the Personal Data. Harmonic takes all commercially reasonable steps to secure the Personal Data from unauthorised or unlawful processing by third parties, alteration, disclosure, accidental loss, destruction, damage or any form of computer corruption. Harmonic has implemented the following information security measures:
Limits on How Personal Data may be Used or Shared with Third Parties
Personal Data may be processed by Harmonic itself or it may be processed by others on its behalf. The overriding principle is that where Harmonic uses a Data Processor to undertake processing of Personal Data on its behalf it will ensure that the engagement is evidenced in a written contract which requires the Data Processor to act only on instruction given by Harmonic and which also requires the Data Processor to comply with obligations equivalent to those imposed on Harmonic by the seventh principle.
It may be necessary for Harmonic to transfer Personal Data for processing, back-up or storage to an agent, delegate, subcontractor or other representative of Harmonic (which may or may not be an affiliate of Harmonic) appointed by Harmonic (pursuant to authority in the terms of the Business Contract, if applicable) to carry out sub-processing activities on behalf of Harmonic (each a “Permitted Processor”) under an appropriate written agreement between the Permitted Processor and Harmonic. Harmonic may only transmit Personal Data (a) to Permitted Processors with the prior written consent of the counterparty to the Business Relationship Contract (“Counterparty”); or (b) where required to do so under applicable law. The Disclosure Notice sets out current Permitted Processors. They are also listed in an appendix to the Business Relationship Contract. Any addition to the Permitted Processors list shall be notified to Harmonic’s clients, employees/independent contractors and vendors.
For convenience, the current Permitted Processors of each Harmonic Cayman affiliate are set out in Appendix 1 hereto.
In addition, it may be necessary for Harmonic to transfer Personal Data to certain third parties, upon the instruction of the Counterparty, whose involvement is necessary to carry out all or part of Harmonic’s duties and obligations contemplated under the Business Contract and in accordance with Harmonic’s internal written procedures. In such instances any such third party will not be a Permitted Processor of Harmonic and will instead be engaged directly by the Counterparty as a processor. Finally, where Harmonic is required to transfer Personal Data to a legal, regulatory or taxation authority under applicable law any such transfer shall not constitute the engagement of a Permitted Processor by Harmonic.
Harmonic and/or Permitted Processors may be legally obliged to share Personal Data and other financial information with respect to a Business Contract with their local authorities including regulatory, law enforcement or other governmental authorities (including tax authorities) or courts (collectively “Government Bodies”) and the local Government Bodies, in turn, may exchange this information with foreign Government Bodies including Government Bodies located inside or outside the Cayman Islands through automatic reporting, information exchange or otherwise.
Certain Permitted Processors are located within the Cayman Islands and in that case Personal Data will be stored on servers in the Cayman Islands. Where Harmonic entities and Permitted Processors are located outside the Cayman Islands Personal Data will be stored on servers outside the Cayman Islands.
Personal Data may be transmitted, stored and processed on systems located outside of Harmonic’s operating jurisdiction (the Cayman Islands), which systems are or may be operated by a Permitted Processor. As a result, authorities (including regulatory or governmental authorities or courts) in a jurisdiction where such a party is established or holds or processes Personal Data may obtain access to Personal Data held or processed there, whether directly or through automatic reporting, information exchange or otherwise, in accordance with the laws and regulations applicable in that jurisdiction.
Subject to applicable provisions of the DPL, the Personal Data shall not be shared other than as described herein.
The DPL provides certain exemptions from the data protection principles and restrictions on individual rights to information. Pertinent examples include exemptions from non-disclosure provisions as required by any enactment, law or court order (thereby permitting disclosure of financial information, for example under the Cayman Islands AEOI regime).
There is also a specific exemption from “subject information provisions” which apply to trust structures and wills. This provides that the requirement to grant Data Subjects access to their own Personal Data does not apply in respect of information relating to the structure or arrangement concerning any trust or will. Accordingly, beneficiaries under a trust will not be able to use the DPL to access information concerning the trust even if they frame it as a request to access their own Personal Data.
Harmonic will consult with Legal and, if necessary, external Cayman Islands counsel, if it is unsure whether an exemption in the DPL would apply.
Keeping Records of All Processing
Harmonic maintains records of all its processing activities. This requires that Harmonic determine what Personal Data it holds, where it came from and with whom it is shared. All of this is documented.
Harmonic and its duly authorised agents/delegates will refrain from collecting any further Personal Data from the point at which the Data Subject’s Business Relationship with Harmonic has ceased (“Termination Date”), and Harmonic will, if required by applicable retention laws, retain Personal Data for such period from the Termination Date as is specified by those laws. After expiry of the retention period, and subject to applicable retention laws, Harmonic shall take appropriate steps to dispose of any records containing the Data Subject’s Personal Data, to the extent this is operationally feasible and proportionate.
All Harmonic staff receive regular training to ensure they are aware of:
Co-operation with Cayman Islands Authorities
Harmonic and, where applicable, its representatives, shall cooperate, on request, with the Cayman Islands Ombudsman in the performance of its tasks.
Reporting of Data Breaches
In the case of a Personal Data Breach, Harmonic is required to notify the Ombudsman and the relevant Data Subject of the Personal Data Breach and the mitigating steps in respect of it within five days of when Harmonic should have been aware of the breach.
Each Data Processor is required to notify Harmonic without undue delay after becoming aware of a Personal Data Breach.
Relevant details for notifying the Ombudsman of a Personal Data Breach are set out on the Ombudsman’s website http://ombudsman.ky/get-in-touch.
Remedies, Enforcement and Penalties
Breach of the DPL can lead (variously) to remedial action by the Ombudsman, the imposition of penalties, and criminal sanctions. If, following receipt of a complaint by a Data Subject, the Ombudsman is satisfied that Personal Data held by a Data Controller is inaccurate, the Ombudsman may order the Data Controller to rectify, block, erase, destroy or update the Personal Data.
The Ombudsman can make information request orders on any person, and can make enforcement orders in respect of the processing, or cessation of processing, of Personal Data. Contravention of such information or enforcement orders would be a criminal offence and could incur liability on conviction of a fine of up to CI$100,000. The Ombudsman can also obtain entry and search warrants on application to the court.
The Ombudsman may serve a Data Controller with a monetary penalty order of up to CI$250,000 if the Ombudsman is satisfied on a balance of probabilities that:
The DPL also provides that a person who suffers damage due to contravention of the DPL by a Data Controller has a cause of action against the Data Controller for that damage.
Additionally, breach of certain other provisions of the DPL gives rise directly, on conviction, to liability to imprisonment and large fines. These include knowingly or recklessly, without the consent of the Data Controller, obtaining or disclosing Personal Data, or procuring the disclosure of the Personal Data to another person. They also include failing to notify the Ombudsman and the relevant Data Subject of a Personal Data Breach and the mitigating steps in respect of it within 5 days of when the Data Controller should have been aware of the breach. Both of these offences may give rise to a fine of up to CI$100,000.
It should be noted that where an offence under the DPL has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to, any neglect on the part of –
the director, secretary, similar officer of the body corporate or any person purporting to act in any such capacity, as well as the body corporate, commit that offence and are liable to be proceeded against and punished accordingly.
Designation of Responsible Person for Data Protection Queries and Regulatory Communications
As Harmonic does not control or process Personal Data on a large scale, Harmonic Group is not required to designate a data protection officer either Group-wide or per operating entity. However, a member of staff has been designated as Responsible Person Group-wide for each of (i) the receipt of any queries relating to data protection, or any case in which a Data Subject wishes to discuss his/her data protection rights with Harmonic (“General Queries”), and (ii) communicating with the Cayman Islands Ombudsman. As at the date of this policy the email address for General Queries is: GDPR@harmonic.ky