1 POLICY STATEMENT
1.1 Everyone has rights with regard to the way in which their personal data in handled. During the course of the Group’s activities, the Group may collect, store and process personal data about the investors, officers and other third parties, and the Group recognises that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.
1.2 This document sets out the principles that the Group must follow when processing personal data to help ensure compliance with the General Data Protection Regulation (GDPR) EU 2016/679 and other applicable regulations including The Personal Data (Privacy) Ordinance of Hong Kong. Data Users are obliged to comply with this policy when processing personal data on the Group’s behalf.
2 ABOUT THIS POLICY
2.1 The types of personal data that the Group may be required to handle include information about current, past and prospective investors, officers and others with whom the Group transacts or communicates. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR.
2.2 This policy and any other documents referred to in it sets out the basis on which the Group will process any personal data the Group collects from data subjects, or that is provided to the Group by data subjects or other sources.
2.3 This policy sets out rules on data protection and the legal conditions that must be satisfied when the Group collects, handles, processes, transfers and stores personal data.
2.4 The directors of the Group are collectively responsible for ensuring compliance with the GDPR, other applicable local privacy regulations and with this policy. The Board of the Group has concluded that a Data Protection Officer is not merited in this instance and has documented its reasons, as required by the GDPR. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Chairman of the Group.
3 DEFINITION OF TERMS USED IN THIS POLICY
3.1 Data is information which is stored electronically, on a computer, or in paper-based structured filing systems.
3.2 Data Subjects for the purpose of this policy include all living individuals about whom the Group holds personal data. All data subjects have legal rights in relation to their personal data.
3.3 Personal Data means data relating to a living individual who can be identified directly from that data, or indirectly from that data in conjunction with other information.
3.4 Data Controllers are the people who, or organisations who, alone or jointly with others, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for, and must be able to demonstrate compliance with, the data protection principles. The Group is the data controller of all personal data used in the Group’s business for the Group’s own commercial purposes.
3.5 Data Users are those of the Group’s board members, officers or delegates whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
3.6 Data Processors include any person or organisation that processes personal data on the Group’s behalf and on the Group’s instructions.
3.7 Processing is any activity that involves use of the personal data. It means carrying out any operation or set of operations on the data including collecting, recording, organising, structuring, storing, amending, retrieving, using, consulting, disclosing by transmission, disseminating or otherwise making available, combining, restricting, erasing or destroying it.
3.8 Sensitive Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or sexual life.
4 DATA PROTECTION PRINCIPLES
4.1 As a data controller, the Group is responsible for, and must be able to demonstrate compliance with, the six data protection principles. These principles provide that personal data must be:
4.1.1 Obtained and processed fairly, transparently and lawfully
4.1.2 Collected for specific, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes
4.1.3 Adequate, relevant and not excessive
4.1.4 Accurate and up-to-date
4.1.5 Not kept for longer than necessary
4.1.6 Kept safe and secure
5 FAIR, TRANSPARENT AND LAWFUL PROCESSING
5.1 The GDPR is not intended to prevent the processing of personal data, but to ensure that it is done fairly and transparently.
5.2 For personal data to be processed fairly and transparently, the Group (as a data controller) must inform data subjects, when the Group collects personal data directly from them, about all of the following:
5.2.1 That the Group is the data controller in regard to the Group’s data and the Group’s contact details
5.2.2 The contact details of the Data Protection Officer (if appointed at any stage)
5.2.3 The purpose or purposes for which the Group intends to process the personal data and the legal basis
5.2.4 The legitimate interests pursued by the Group or by a third party and an explanation of those interests (where processing is based on this ground)
5.2.5 Where the processing is based on consent their right to withdraw it at any time
5.2.6 The third parties or categories of third parties, if any, to whom the Fund will disclose the personal data
5.2.7 Details of any transfers out of the EEA or Hong Kong, the safeguards the Group has in place and the means by which to obtain a copy of them
5.2.8 The data retention period or criteria used to determine same
5.2.9 The existence of the right to request access to their data; rectification or erasure of their data; restrict or object to processing, and the right to data portability
5.2.10 The right to complain to the Data Protection Commissioner if they are unhappy with how the Group is handling their data
5.2.11 Details of any automated decision-making, including profiling, and the logic involved, as well as the significance and consequences of such processing for the data subject, and
5.2.12 Whether the provision of personal data is a statutory or contractual requirement, and the consequences of failing to provide such data
5.3 Where the Group intends to process the personal data for a further purpose, other than that for which the personal data were collected, the Group will provide the data subject prior to that further processing with information on that purpose.
5.4 If the Group receives personal data about a data subject from other sources, the Group will provide the data subject with the information at clause 5.2, as well as the categories of personal data concerned, from which source the data originated and, if applicable, whether it came from publicly accessible sources. The Group will provide this information to the data subject within one month of obtaining the data; or at the time of the first communication to the data subject (where applicable), or if a disclosure to another recipient is envisaged, when the data are first disclosed.
5.5 When processing personal data in the course of the Group’s business, the Fund will ensure that these information requirements are met.
5.6 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the GDPR. These grounds include: where the data subject has given his/her free, informed and unambiguous consent; or if necessary for the performance of a contract with the data subject; or for compliance with a legal obligation to which the data controller is subject; or for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where those interests are overridden by the interests of the data subject.
5.7 The processing of Sensitive Personal Data is prohibited unless one of another set of legal grounds set out in the GDPR applies including: the data subject has given his/her explicit consent; or the data have been made public by the data subject; or if necessary for the establishment or defence of legal claims, or to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving his/her consent.
6 PROCESSING FOR LIMITED PURPOSES
6.1 In the course of the Group’s business, the Group may collect and process the personal data set out in the schedule. This may include data the Group receives directly from a data subject (for example, by completing forms or by corresponding with the Group by mail, phone, email or otherwise) and data the Group receives from other sources (including, for example, business partners, counterparties, sub-contractors in technical, payment and delivery services, and others).
6.2 The Fund will only process personal data for the specific purposes set out in the schedule or for any other purposes specifically permitted by the GDPR. The Group will notify those purposes to the data subject when the Group first collects the data or, if the Group collects the data indirectly, as soon as possible thereafter.
7 ADEQUATE, RELEVANT AND NOT EXCESSIVE
The Group will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject.
8 ACCURATE AND UP-TO-DATE DATA
The Group will take reasonable steps to ensure that personal data the Group holds is accurate and kept up-to-date. The Group will take reasonable steps to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. The Group will take all reasonable steps to amend or destroy inaccurate or out-of-date data.
9 STORAGE LIMITATION
The Fund will not keep personal data for longer than is necessary for the purpose or purposes for which they were collected. The Fund will take all reasonable steps to destroy, or erase the data from the Fund’s systems when they are no longer required as set out in the Schedule to this Policy.
10 DATA SECURITY
10.1 The Group will or will require that its delegates will take appropriate technical and organisational security measures, taking in account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, or stored.
10.2 The Fund’s security measures include, where appropriate:
10.2.1 The ability to ensure the ongoing confidentiality, integrity and availability and resilience of processing systems and services
10.2.2 The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
10.2.3 A process for testing, assessing and evaluating the effectiveness of technical and organismal measures for ensuring the security of the processing
10.3 Where processing is to be carried out on the Group’s behalf, the Group shall only engage processors who provide sufficient contractual guarantees to implement appropriate technical and organisational security measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
10.4 As a controller, the Group is required to enter into a written contract with the processor (including in electronic form), which will set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects. The contract shall set out, in particular, the specific mandatory obligations of processors laid down in Article 28 of the GDPR.
11 PROCESSING IN LINE WITH DATA SUBJECT’S RIGHTS
11.1 As a data controller, the Group is required to process personal data in line with data subjects’ rights, in particular their right to:
11.1.1 Request access to a copy of any data the Group holds about them (see also clause 13)
11.1.2 Request any inaccurate or incomplete data to be rectified (see also clause 8)
11.1.3 Object to or request erasure or restriction of processing in specified circumstances
11.1.4 Request a copy of the data they have provided to the Group and transmit those data to another controller without hindrance from the Group, or have the personal data transmitted directly from the Group to another controller, where technically feasible (i.e. right to data portability)
11.1.5 Not to be subject to a decision based solely on automated processing, including profiling, which produces a legal effect or other significant effect on the data subject, except where the decision is necessary for the performance of a contract; authorised by EU, Irish or Hong Kong law, or based on the data subject’s explicit consent
11.1.6 Prevent the processing of their data for direct-marketing purposes
11.2 The Group will provide the data subject with information on action taken in response to the exercise of any of these rights without undue delay, and at the latest within one month of receipt of the data subject’s request. This period may be extended by two further months where requests are numerous or complex.
12 DEALING WITH ACCESS REQUESTS.
12.1 Data subjects may make a request for information the Group holds about them. This request may be made in writing or orally.
12.2 When receiving telephone enquiries, the Group will only disclose personal data the Group holds on the Group’s systems if the caller’s identity can be verified. If their identity cannot be verified, the Group will request the caller to put their request in writing.
12.3 A data subject has a right of access to a copy of the personal data the Group holds about him/her, as well as the following information:
12.3.1 The purposes of the processing
12.3.2 The categories of the personal data concerned
12.3.3 The recipient to whom the personal data have been or will be disclosed
12.3.4 The data retention period or criteria used to determine same
12.3.5 The existence if the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning that data subject or to object to such processing
12.3.6 The right to lodge a complaint with the Data Protection Commissioner
12.3.7 Where the personal data are not collected from the data subject any available information as to their source
12.3.8 The existence of automated decision-making, including profiling; the logic involved, and the envisaged consequences of such processing for the data subject, and
12.3.9 Where personal data is transferred out of the EEA, the data subject must be informed of the appropriate safeguards in place
12.4 The Group will provide a copy of the personal data free of charge unless a request is manifestly unfounded or excessive, in particular because of its repetitive character, in which case it may charge a reasonable fee, based on administrative costs.
12.5 Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information will be provided in a commonly used electronic form.
13 TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA OR HK
13.1 The Group may transfer any personal data the Fund holds to a country outside the European Economic Area (EEA) or Hong Kong, provided that the Group has informed data subjects of the transfer, the safeguards in place and the means by which to obtain a copy of them, and one of the following conditions applies:
13.1.1 The non-EEA country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms. The European Commission deems the following countries to have an adequate level of data protection: Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay. The US is deemed as providing an adequate level of protection where the US recipient of the data is Privacy Shield certified;
13.1.2 Adequate safeguards are in place, such as the Model clauses; Binding Corporate Rules (BCRs); an approved code of conduct or approved certification mechanism with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;
13.1.3 The transfer is lawful pursuant to one of the derogations in the GDPR, including the data subject has given their explicit consent; the transfer is necessary for the performance of a contract; for public interest reasons; authorised by law; necessary for the defence of legal claims, or to protect the vital interests of the data subject; or
13.1.4 Where none of the above safeguards or derogations apply, a transfer to a non-EEA country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, and is necessary for the legitimate interest of the controller which are not overridden by the rights of data subjects. The controller must inform the Data Protection Commissioner and the data subject of such a transfer, and the legitimate interests pursued.
14 CHANGES TO THIS POLICY
The Group reserves the right to change this policy at any time. Where appropriate, the Group will notify Data Users and/or data subjects of those changes by mail or email.
SCHEDULE 1 DATA PROCESSING ACTIVITIES
|Type of personal data||Categories of data subject||Type of processing||Purpose of processing||Categories of recipient to whom personal data is transferred||Details of any transfers to third countries||Details of security measures in place||Retention period|
|Name address contact details, tax number and bank details, details of investment, documentation to verify identity and address and bank details||Investor (including officers and signatories of institutional investors)||Obtaining, reviewing, verifying, storing, running Worldcheck, adverse news checks. Keeping records updated||Complying with legal obligations under AML/ CTF/ sanctions regimes, and to prevent fraud, bribery, corruption, tax evasion||Transfer agent/ Administrator/ Depositary/ Distributor||A minimum period of 7 years after investor ceases to be an investor|
|Name address contact details, number. Information on experience, qualifications. employment history and any issues||Officer of the Fund||Obtaining, reviewing, verifying, storing, running searches, adverse news checks. Keeping records updated||Complying with legal obligations under the Central Bank of Ireland Fitness & Probity regime.||The Board of the Fund and the Central Bank of Ireland||A minimum period of 7 years after the termination of the office.|
|Name address, tax number||Investor||Obtaining, reviewing, verifying, storing, submitting reports, keeping records updated||Complying FATCA/ CRS/ Tax reporting law||Tax authorities||A minimum period of 7 years after the termination of the investment|
|Name address contact details, Information on experience, qualifications, employment history||Officer/ Designated Person of the Fund||Obtaining, reviewing, storing, submitting keeping up to date||UCITS Central Bank obligations under UCITS regime||Central Bank of Ireland||A minimum period of 7 years after the termination of the office|
|Name address contact details, details of investment||Beneficial owner or Board member||[Beneficial Ownership obligations yet to be clarified]|
|Name address (and other directorships for directors)||Investors and officers||Obtaining, reviewing, storing, submitting keeping up to date||Complying with legal obligations under Company/ ICAV / Investment Trust law||Companies Registration Office||A minimum period of 7 years after the termination of the office- if CA 2014 permits deletion|
|Name address contact details, tax number. Address||Officers||Obtaining, reviewing, storing, submitting keeping up to date||To facilitate payment of fees and expenses and tax and social welfare thereon||Bank, Depositary||A minimum period of 7 years after the termination of the office|
|Name address, bank details||Investors||Obtaining, reviewing, storing, submitting keeping up to date||To facilitate payment of distributions (dividends and redemptions)||Bank, Depositary||A minimum period of 7 years after the termination of the investment|
|Name, work address and contact details||Contract of counterparties||Obtaining, reviewing, storing, submitting keeping up to date||The facility operators of the relevant agreements/ trades with the counterparty and otherwise in accordance with such agreements/|
|Investment manager, Administrator Depositary||A minimum period of 7 years after the termination of the investment|