H&C Corporate Services Limited. (“H&C”)
Personal Data Protection Policy
1. INTRODUCTION AND SCOPE
This Personal Data Protection Policy ("Policy") describes the privacy practices of H&C regarding the Processing of Personal Data of the directors, officers and employees and – to the extent applicable – the customers of the Client and/or the relevant Client Affiliates, as part of the provision of H&C Services to its Clients. This Personal Data can be stored on H&C systems, Client systems or third-party systems to which H&C is provided access to for the provision of Services. Where H&C provides Services to its Clients, H&C will be acting as Processor and the Client will be acting as Controller. H&C Processes Personal Data on behalf of the Client in accordance with Data Protection Laws. Insofar necessary, the Service Agreement will be supplemented with an Addendum to set out any additional matters that are specific to the Client and cannot be regulated in this Policy. H&C reserves the right to update this Policy without consulting or pre-informing its clients.
2. DEFINITIONS
The capitalized terms listed below have the follow meaning in this Policy:
a) “Client” means the counterparty to the Service Agreement with H&C;
b) “Client Affiliate” means any legal entity affiliated to the Client;
c) “Client Data Subjects” shall mean the former and current directors, officers and employees and customers of the Client and Client Affiliates;
d) “Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
e) “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Service Agreement, the Cayman Islands Data Protection Act ("DPA");
f) “Personal Data” means any information through which a Client Data Subject can be identified directly or indirectly;
g) “Processing” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
h) “Processor” shall mean the party, which Processes Personal Data on behalf of the Controller;
i) “Services” means services H&C provides to the Client under the Service Agreement;
j) “Service Agreement” means any written contract, any written statement of work, or any other written binding agreement, including any annexes thereto, between H&C and the Client;
k) “Sub processor” means any data processor appointed by Processor to process Personal Data on behalf of the Controller;
l) “H&C Affiliate” means with respect to any specified person or entity, any other person or entity directly or indirectly controlling or controlled by or under direct or indirect common control with such specified person or entity. For the purpose of this definition, “control”, when used with respect of any specified person or entity means the power to direct or cause the direction of the management or policies of such person or entity, whether through ownership of voting securities or by contract or otherwise. The terms “controlling” and “control” have meaning correlative to the foregoing.
m) “Corporate clients” refers to individuals who are employed or otherwise engaged by legal entities which receive services from us and interact with us in the course of our business.
Nothing in this Privacy Notice creates a new relationship between you and H&C or alters any existing relationship between you and us. Nothing in this Privacy Notice affects any right you have under any applicable law, including the DPA and any other data protection law that applies to you.
3. PERSONAL DATA PROCESSED BY H&C
a) What sort of personal information does H&C collect?
The types of personal data which we collect will vary depending on a variety of factors, including your personal circumstances, the nature of your relationship with H&C, and the nature of the services we are contracted to perform.
b) The personal information we obtain can be grouped into the following categories:
a. Contact Details: Contact details such as title, name, postal address, email address, and phone number.
b. KYC Records: Information about you which we (or the Corporate Clients who receive our services) are obliged to check for legal or regulatory reasons, such as your date of birth, country of residence, nationality, tax status, any ownership interest in any entity or asset you hold, and other like information concerning your identity and background (which may include, where applicable, sensitive information such as any criminal record you have and any sanction or embargo enacted against you).
c. Service Records: Information about you which we obtain to provide services to our clients. Depending on the circumstances and the nature of your relationship with us, such information may include, without limitation, your assets and liabilities, investments you make in (or redeem from).
c) Why does H&C collect my personal information and what are the legal justifications?
We collect your personal information for one or more of the following purposes:
a. Service Delivery: To facilitate the provisions of our services for our clients.
b. Service Development: To improve and devise new services for our clients.
c. Client Relationship Management: To manage, maintain, and develop our relationships with our clients.
d. Business Administration: To facilitate the effective management and administration of our business, including in relation to matters such as business planning, budgeting, and forecasting, as well as enforcement of our terms and conditions of service and collection of our fees.
e. Legal and Regulatory Compliance: To ensure that we (and our clients) comply with all relevant legal and regulatory requirements, including, without limitation, legal requirements relating to money laundering, bribery and corruption, tax evasion, sanctions / embargoes, and export control.
Important Note: If you are a Private Client or a Business Owner, we will use your personal information to conduct various checks to ensure that we comply with all applicable legal and regulatory requirements before we formally accept you (or your business) as a client and from time to time after you (or your business) is accepted as our client. For example, we might run background checks to assess whether you or a related entity are on a sanctioned by authorities which lists persons with whom we are by law not allowed to do business. Or we might check if you are a politically exposed person in respect of whom we are required to undertake enhanced due diligence.
We may collect personal information from you directly, but however in the normal course of interactions with corporate clients we may collect from the following third parties including those who provide ancillary services which complement the services we provide, for example those who provide legal entity formation/registration services, fiduciary services, legal advice, and other such services. However, we endeavour to collect your personal information directly from you wherever possible.
Additionally, there may be circumstances where we are required to seek your personal information from independent sources (for example where we need to use your personal information to comply with legal requirement to validate your identity and background).
Sources from which we may obtain your personal information can be described as follows:
a) Those who have referred you to us, such as your business contact or existing H&C clients.
b) Your lawyer, accountant, tax advisor, wealth manager, and other such advisors who provide your personal information to us on your behalf (corporate client)
c) Publicly accessible websites, registers, and databases, including official registers of companies and businesses, database of journals and news articles, and social media such as LinkedIn.
d) Providers of background check and business risk screening services, such as credit reference agencies, operators of fraud and financial crime databases, and operators of sanctions / embargoes databases (in some cases they can include authorities such as government departments and the police).
e) The relevant Corporate Client to whom we provide the service and who entrusts us with your personal information. Depending on the context, this could be, for example, the business which is owned or controlled by you, the business for which you work, or the investment fund in which you have invested.
4. USE OF PERSONAL DATA
H&C shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than:
• as necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of Client, or
• as required to comply with Data Protection Laws or other laws to which H&C is subject, in which case H&C shall (to the extent permitted by law) inform Client of that legal requirement before processing the Personal Data.
In addition, H&C is allowed to use aggregated data – to the extent this can no longer be considered Personal Data - for analysing purposes, for website and for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes and for improving the quality of its Services.
Important Note: Where we share your personal information with the authorities, we may, depending on the circumstances, be forbidden from advising you of the fact that your personal information was disclosed to, or requested by the authorities (e.g. when doing so is illegal or might prejudice an on-going investigation).
5. SUB PROCESSING
H&C may be required to appoint certain third parties to provide part of the Services to the Client or assist with providing technical support, such as IT service providers or other suppliers. By signing the Service Agreement, the Client authorizes H&C to subcontract the Processing of Personal Data to Sub processors. Sub processors are in each case subject to the terms between H&C and the Sub processor which are no less protective than those set out in this Policy and the Service Agreement. H&C will inform the Client of the details of such Sub processor(s) upon written request from the Client. H&C will inform the Client in advance of any intended changes concerning the addition or replacement of Sub processors and thereby give the Client the opportunity to object to such changes. If the Client does not object in writing within five (5) days of receipt of the notice, the Client is deemed to have accepted the new Sub processor. If the Client does object in writing within five (5) days of receipt of the notice, H&C and the Client will discuss possible resolutions.
6. CONFIDENTIALITY AND SECURITY
H&C shall keep the Personal Data confidential and will ensure its staff and Sub processors are bound by the same confidentiality obligation. H&C shall implement appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk required pursuant to applicable Data Protection Laws. In assessing the appropriate level of security, H&C shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
7. CO-OPERATING WITH REQUESTS OF THE CLIENT
H&C shall, upon request and to the extent required under Data Protection Laws, co-operate with requests of the Client that relate to the Processing of Personal Data. H&C shall co-operate as requested by the Client to enable the Client to comply with any exercise of rights by a Client Data Subject in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under Data Protection Laws. Provided in each case that the Client shall reimburse H&C in full for all costs (including for internal resources and any third party costs) reasonably incurred by H&C performing its obligation under this section. Deletion or return of client personal data
H&C will, at the choice of the Client, delete or return the Personal Data at the end of the provision of the Services relating to Processing, unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, practice and guidelines of any government, regulatory authority or self-regulating organization that applies to the Services in the country where those Services are being provided, or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by H&C.
Important Note: The rights you have in respect of your personal information are not absolute and are subject to a range of legal conditions and exemptions. If and to the extent a relevant legal condition or exemption applies, we reserve the right not to comply with your request.
8. INCIDENT MANAGEMENT
H&C shall notify the Client without undue delay after becoming aware of a Personal Data breach, providing the Client with sufficient information which allows the Client to meet any obligations to report a Personal Data breach under Data Protection Laws. Upon request by the Client, H&C shall fully co-operate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation and remediation of each Personal Data breach, in order to enable the Client to (i) perform a thorough investigation into the Personal Data breach and provide incident details as required under Data Protection Laws, (ii) formulate a correct response and (iii) take suitable further steps in respect of the Personal Data breach in order to meet any requirement under the Data Protection Laws (“Remediation Measures”). If and to the extent costs incurred by H&C related to the Remediation Measures as directed by the Client are related to the Personal Data breach caused by the Client, the Client shall compensate reasonable costs of the Remediation Measures taken by H&C. The Remediation Measures shall: (i) start without undue delay, (ii) be completed within a reasonable period after H&C has become aware of a Personal Data breach, and (iii) be carried out within the regular business hours of the local office where the Remediation Measures are required to be taken.
9. INTERNATIONAL TRANSFERS OF CLIENT PERSONAL DATA
Always subject to section 4 of this Policy and in the event the Services require international transfers of Personal Data between H&C, H&C Affiliate(s) and/or any Sub processor(s), the following shall apply (insofar relevant):
a) Transfer to Sub processors: The Personal Data may be transferred:
a. to one or more such Sub processors in one or more third countries on the basis of an exception under Data Protection Laws, or
b. on the basis of adequate safeguards added either, insofar as allowed under Data Protection Laws, by H&C to ensure the protection of the Personal Data, or by the Client, in which case H&C shall cooperate with the Client to seek an adequate basis for the cross-border transfer of Personal Data to such Sub processor. At the Client's request, H&C shall inform the Client of the applicable basis for the cross-transfer of the Personal Data.
b) Other transfers: Where the data protection or privacy law of any country outside the EEA or Switzerland applies to the Personal Data, the Client shall ensure that any cross-border transfer of Personal Data from H&C to a Sub processor shall be allowed, by implementing additional safeguards pursuant to Data Protection Laws or as otherwise permitted by Data Protection Laws.
10. LIABILITY
The Client warrants that all Personal Data processed by H&C on behalf of the Client has been and shall be Processed by the Client in accordance with Data Protection Laws including without limitation: (a) ensuring that all notifications to and approvals from regulators which are required by Data Protection Laws are made and maintained by the Client; and (b) ensuring that all Personal Data is Processed fairly and lawfully, is accurate and up to date and that a fair notice is provided to Client Data Subjects which described the processing to be undertaken by H&C pursuant to the Services agreed upon in the Service Agreement.
H&C shall be liable for the damage caused by Processing only where it has not complied with obligations of Data Protection Laws specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Client as indicated in the Service Agreement. Client shall be liable for the damage caused by Processing by Client which infringes Data Protection Laws. Client or Processor shall be exempt from liability under this section 11 if it proves that it is not in any way responsible for the event giving rise to the damage.
Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same processing and where they are, under the Service Agreement, responsible for any damage caused to Client Data Subject by Processing, each Controller or Processor shall be held liable for the entire damage in order to ensure effective compensation of the Client Data Subject(s). Where a Controller or Processor has paid full compensation for the damage suffered, that Controller or Processor shall be entitled to claim back from the other Controller(s) or Processor(s) involved in the same Processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in the previous paragraph.
Save for this section 11 third paragraph, the indemnities, liabilities and exclusions or limitations thereof set out in the Service Agreement, shall also apply to the obligations of the parties pursuant to this Policy and the Service Agreement, and in case of any conflict will prevail.
11. RETENTION OF PERSONAL INFORMATION?
The personal information we collect will be retained at least for as long as your personal information continues to be relevant to the services we provide.
a) Once your personal information ceases to be relevant to the services, we will retain your personal information as part of our business records for the duration of the applicable retention period which will be determined by reference to any legal or regulatory record keeping requirement that applies to the Cayman Islands1
b) In the absence of any specific legal or regulatory record-keeping requirement which applies, we may retain your personal information for an appropriate period where we consider this to be necessary to protect ourselves from any legal claim or dispute that may arise in connection with the relevant services we have provided. Where we do so, the retention period applied to your personal information will reflect the relevant limitation periods.
1 For example, if your personal information forms part of the record of subscription and redemption orders we retain on behalf of an investment fund which is subject to the oversight of the Cayman Islands Monetary Authority, we will typically be required to retain it for at least 5 years.
12. WILL THIS PERSONAL DATA PROTECTION POLICY CHANGE IN THE FUTURE?
This Privacy Notice was last revised in February 2023. We may revise this Privacy Notice from time to time to reflect changes in law or changes in how we run our business, but where such revision becomes necessary in the future, we will announce the changes on our website at https://www.hc-corporateservices.com and bring them to your attention to the extent it is practicable to do so.
13. WHO CAN I CONTACT ABOUT MY PERSONAL INFORMATION?
If you would like to exercise any of the rights you have in respect of your personal information, or if you have any question or concern regarding the way in which we handle your personal information, then please reach out to privacy@hc-corporateservices.com.
a) If you have a complaint regarding the way in which we handle your personal information, please contact our Compliance Manager in the first instance. You can do so by emailing complaint to steve.sims@hc-corporateservices.com.
b) We will endeavor to respond satisfactorily to any request, query, or complaint you may have in respect of your personal information, but if you are dissatisfied with our response and wish to make a formal complaint, or if you simply wish to learn more about your rights, you can contact the Cayman Islands Ombudsman:
Ombudsman
PO Box 2252
Grand Cayman KY1-1107 Cayman Islands
https://ombudsman.ky/data-protection