Data protection for investment funds domiciled in the British Virgin Islands

The Virgin Islands Data Protection Act, 2021 (the Act) is now in force. The Act imposes a number of obligations upon investment funds in relation to the processing of personal data that they will inevitably collect as part of the investor onboarding procedure.

In order to ensure compliance with the Act, investment funds should:

  1. Provide investors with a privacy notice
  2. Update their offering and subscription documentation
  3. Revisit service agreements with third parties, most importantly, the fund administrator

Overview

The Act governs how a data controller may process, use and retain personal data. Anyone who falls within the definition of a “data controller” (of which an investment fund domiciled in the BVI clearly does) must now comply with the seven principles in the Act in relation to any personal data processed by the fund. Where a data controller engages a third party (such as an administrator or investment manager) to process personal data on its behalf (defined in the Act as a “data processor”), the data controller must ensure the data processor has appropriate safeguards in place in respect of the personal data.

In addition to governing how a data controller processes, uses and retains personal data, the Act also sets out the rights of individuals to control their personal data and implements a series of offences and enforcement measures designed to ensure compliance. The Act is broadly designed to reflect the General Data Protection Regulation (GDPR) and the Cayman Islands Data Protection Act (both of with which many clients will already be familiar), however there are a number of differences that you should be aware of.

Application of the Act to investment funds

Any investment fund structured as a BVI company or partnership, or any foreign company registered in the BVI that acts as a general partner of an investment fund will be subject to the Act and will be a data controller.

Investors in a BVI investment fund will routinely provide certain personal identifying information to the investment fund such as their name, address, date of birth, bank details etc and this is to be regarded as “personal data”.

Although the persons whose data is gathered under the Act (“data subjects”) have to be natural individuals, the Act will still apply in connection with corporate investors who provide personal data for their beneficial owners, directors and members.

The individual to which the personal data relates does not need to be in the BVI or a citizen of the BVI in order for the Act to apply.

What must an investment fund do to comply with the Act?

As a data controller, an investment fund must ensure that it complies with the seven data protection principles contained in the Act. See our guide BVI introduces data protection regime for further information.

In practical terms, an investment fund can demonstrate compliance with the data protection principles by taking the following actions:

  • Send a privacy notice to existing investors, whether as a separate document or part of an update to the offering document
  • Update subscription documents to include a privacy notice for new investors as well as obtain certain acknowledgements, representations and warranties
  • Update offering documents                                                        
  • Update agreements with any third parties that would be regarded as a data processor on the basis that they process personal data on behalf of the data controller

Privacy notices

If the investment fund is already subject to GDPR then it may have already adopted a GDPR compliant privacy notice. If that is the case, then a few amendments to the privacy notice to reflect the Act are all that are needed.

If the investment fund has not yet adopted a privacy notice, then it should prepare one in order to communicate the required information to its investors and we would be happy to assist with this drafting where required.

In either case, the privacy notice should be sent to existing investors and/or made available on an investor or fund administration portal.

Subscription documents

The subscription agreement of the investment fund will also need to be updated to include the privacy notice and certain acknowledgements from the investor. It should also contain representations and warranties from investors that they have been provided with the privacy notice and they in turn have given it to any person whose data has been supplied. You should also consider whether your documents need consent provisions for specific activities prescribed under the Act, such as the processing of sensitive personal data if applicable.

Importantly, the Act places significant weight on the concept of the data subject’s “express consent” to the processing of their personal data, and subscription documents should be worded accordingly. Funds familiar with the GDPR and/or the Cayman Islands Data Protection Act should note that the Act does not provide a "legitimate interest" basis for processing personal data, and therefore the express consent of the data subject will be required for certain back or middle office functions which involve the processing of personal data. 

Offering documents

Offering documents should be updated to include a brief disclosure and overview of the Act. If no update to the offering documents is scheduled or the investment fund is currently closed to new investment, then an investor circular with the privacy notice should be prepared and sent to investors or made available on an investor or fund administration portal.

Third party agreements

An investment fund’s service providers (such as administrators and investment managers) will usually fall into the Act’s regulatory orbit as data processors. There is a duty on the investment fund, as data controller, to ensure that such third parties:

  1. Provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out
  2. Take reasonable steps to ensure compliance with those measures

This duty applies regardless of whether the third party provider is outside of the BVI.

Service agreements with the relevant third parties should therefore be updated to ensure that appropriate obligations are imposed on the providers.

Assistance with the necessary updates

Although the Act is in force, the BVI supervisory authority (the Information Commissioner) has not yet been appointed and no formal guidance has been issued. We expect that monitoring and enforcement of the Act will increase over the coming months, and it is therefore important that funds put the relevant documentary framework in place as soon as possible.

Harneys has prepared a suite of documents and riders to ensure your fund will be fully compliant. Please contact Phil Graham or your usual Harneys contact to discuss it further.