The Cayman Islands Data Protection Law came into effect on 30 September 2019. All Cayman Islands investment funds need to ensure they are now compliant with the new data protection regime in the Cayman Islands.
The Data Protection Law (the DPL) governs how a data controller may process, use and retain personal data.
Anyone who falls within the definition of a “data controller” (such as a Cayman Islands investment fund) must now comply with eight data protection principles in relation to any personal data processed by the data controller.
Where a data controller engages a third party (such as an administrator or investment manager) to process personal data on its behalf, the data controller must ensure the third party complies with the eight data protection principles.
The DPL also sets out the rights of individuals to control their personal data and implements a system to protect against the misuse of personal data.
The DPL is similar to the General Data Protection Regulation (GDPR) with which many clients will be familiar.
For a general overview of the Cayman Islands DPL please see our Guide to Data Protection in the Cayman Islands.
Application of DPL to investment funds
In order for investors to invest in an investment fund they must provide certain personal identifying information to the investment fund. Even where the investor is a corporate entity, personal identifying information of contact persons, beneficial owners, directors or members of that entity will be provided to the investment fund. This personal information will be considered personal data under the DPL.
The individual to whom the personal data relates does not need to be in the Cayman Islands or a citizen of the Cayman Islands in order for the DPL to apply.
Any investment fund structured as a Cayman Islands company or partnership, or any foreign company registered in the Cayman Islands that acts as a general partner of an investment fund, will be subject to the DPL and will be a data controller.
What must an investment fund do to comply with the DPL?
As a data controller, an investment fund must ensure that it complies with the eight data protection principles when it processes any personal data. It must also ensure that any third party that processes personal data on its behalf complies with the eight data protection principles.
Cayman Islands investment funds must:
- Send a privacy notice to existing investors
- Update their subscription documents to include a privacy notice for new investors and to obtain certain acknowledgements, representations and warranties
- Update offering documents to reflect the new requirements under the DPL
- Update agreements with any third parties that process personal data on behalf of the investment fund to ensure such processing is undertaken in compliance with the DPL, especially where there is a transfer of data outside of the Cayman Islands
If the investment fund is already subject to GDPR then the investment fund may have already adopted a GDPR-compliant privacy notice. If that is the case, then a few minor amendments to the privacy notice to reflect the DPL are all that is needed.
If the investment fund has not yet adopted a privacy notice then it should prepare one in order to communicate the required information to its investors.
In either case the privacy notice should be sent to existing investors and/or made available on an investor or fund administration portal.
The subscription agreement of the investment fund will also need to be updated to include the privacy notice and certain acknowledgements from the investor. It should also contain representations and warranties from investors that they have provided the privacy notice to any person whose data is given to the investment fund (eg beneficial owners, directors etc) and may need to also contain consent provisions for specific activities prescribed under the DPL, such as the processing of sensitive personal data if applicable.
Offering documents should be updated to include a brief disclosure and overview of the DPL. If no update to the offering documents is scheduled or the investment fund is closed then an investor circular with the privacy notice should be prepared and sent to investors or made available on an investor or fund administration portal.
Third party agreements
It is important for the investment fund to update each of its service agreements with third parties who process personal data at the request and under the instructions of the investment fund. The investment fund, as a data controller, must ensure that those third parties process the personal data according to the data protection principles, even if the third party is outside of the Cayman Islands.
It will be of key importance to update the service agreements with the fund administrator and the investment manager. Depending on the structure and operations of the investment fund, if there are other service providers, such as distributors, then those agreements will also need to be updated.
Assistance with the necessary updates
Your usual Harneys contact is able to assist the investment fund with these necessary updates and provide advice on compliance with the DPL.
The Office of the Ombudsman has issued a Guide for Data Controllers to explain how the Office of the Ombudsman will likely interpret various provisions of the DPL. The guide is largely based on the United Kingdom’s Information Commissioner’s Office’s Guide to the GDPR and is a very useful starting point for information.