The Cayman Islands Data Protection Law
The Cayman Islands, like many other jurisdictions that treat privacy as a constitutional right and protect it through data protection laws regulating the handling of personal information, has adopted the Data Protection Law, 2017 (the “DPL”), which comes into force on September 30, 2019. The main principles of the DPL are as follows:
- Applicability:
- The DPL applies to data controllers (the person who determines the purposes, conditions and manner in which any personal data is processed). Data controllers are required to ensure that the personal data which they process (or which are processed on their behalf by any data processor, i.e., any person who processes the data on behalf of a data controller, other than the data controller’s employees) are processed in accordance with the data protection principles included under the DPL. We note that the term “personal data” is defined under the DPL very broadly and includes any data relating to a living individual who can be directly or indirectly identified. The DPL explicitly recognizes certain types of data as being “sensitive personal data” and stipulates certain obligations with respect to the processing of this type of data. The DPL applies to personal data in any format, including in automated and manual (paper) filing systems.
- A data controller who engages a data processor must ensure that the engagement is based on a written contract which (i) contains certain prescribed assurances regarding the processing of personal data, and (ii) specifies that the data processor may act only in accordance with the instructions of the controller.
- The DPL applies to a data controller if:
- the data controller is established in the Cayman Islands, and the personal data is processed in the context of that establishment; or
- the data controller is not established in the Cayman Islands but the data is processed in the Cayman Islands (otherwise than for transit purposes), such as where an overseas entity targets and collects personal data of Cayman Islands residents. In these circumstances the foreign data controller must nominate a representative in the Cayman Islands.
- The main data protection principles (which are generally very similar to the internationally recognized privacy principles and the EU General Data Protection Regulation – GDPR):
- Fair processing and the right to be informed. Whether processing is fair depends on the method by which the personal data was obtained, and especially on whether the data subject was deceived or misled as to the purposes for which the data is to be processed. Fairness also depends on whether the data controller has made the data subject aware of the identity of the data controller and of the purpose of the processing. In addition, personal data may be processed only on one of the legal grounds recognized by the DPL, for example: the data subject has consented to the processing; the processing is necessary for the performance of a contract to which the data subject is a party; the processing is necessary for the data controller’s compliance with a legal obligation to which it is subject; or the processing is necessary to protect the vital interests of the individual.
- Purpose limitation. Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. The data controller must be clear about its purposes for processing the personal data and must avoid reusing personal data for different purposes.
- Data minimization. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed. The data controller should ensure that the personal data it processes is: (a) adequate – sufficient to properly fulfil its stated purpose; (b) relevant – has a rational link to that purpose; and (c) limited to what is necessary – the data controller cannot hold more than is needed for that purpose.
- Data Accuracy. Data shall be accurate and, where necessary, kept up to date. The data controller should take all reasonable steps to ensure the personal data it handles is not incorrect or misleading. If the data controller discovers that personal data is incorrect or misleading, it must take reasonable steps to correct or erase it as soon as possible.
- Storage limitation. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. The data controller should not keep personal data for longer than it needs it, and should adopt a policy setting standard retention periods wherever possible, which also helps it meet its documentation requirements.
- Respect for the individual’s rights. Personal data shall be processed in accordance with the rights of data subjects under the DPL. The data controller should be prepared to respond to each type of request it is likely to receive, within the statutory timelines. The main rights of individuals under the DPL are: the right to be informed; the right of access; the right to rectification; the right to stop or restrict processing; the right to stop direct marketing; rights in relation to automated decision making; and the right to complain to the Ombudsman and seek compensation.
- Security – integrity and confidentiality. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- International transfers. Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- Personal data breaches. The DPL introduces a duty on all data controllers to report personal data breaches to the Information Commissioner and to the individual(s) whose data was breached, without undue delay and no later than 5 days after the controller should, with the exercise of reasonable diligence, have become aware of the breach, unless the breach is unlikely to prejudice the rights and freedoms of those individuals. Because the 5-day period runs from when the controller should have been aware of the breach, not from when it actually learned of it, the controller needs the means to detect breaches in its own systems and, for processing carried out on its behalf, a contractual obligation on each data processor to notify it promptly.
- Offences under the DPL are punishable by fines of up to CI $100,000 (approximately US $122,000), and certain offences are also punishable by imprisonment. Separate monetary penalties of up to CI $250,000 (approximately US $305,000) may be imposed in certain circumstances.
What does this mean for investment funds incorporated or established in the Cayman Islands?
An investment fund incorporated or established in the Cayman Islands will be a data controller under the DPL with respect to the personal data it processes, such as personal data collected during the subscription process about an individual connected to a corporate investor (for example, its directors or beneficial owners). The fund is therefore responsible for complying with the requirements of the DPL and the data protection principles with respect to personal data processed by the fund or on its behalf by any third-party processor (such as its administrator and other service providers, each a data processor, regardless of where the service provider is established). Recommended action items include, inter alia:
- preparing a privacy notice, or amending the fund’s current privacy notice, which should include, inter alia, the legal identity of the fund, the purposes for which the fund processes personal data, the legal grounds for such processing, and any associated transfer of personal data overseas, and circulating that notice to existing investors;
- assessing which of the fund’s service providers that process personal data on its behalf are data processors and which are joint data controllers;
- ensuring that the fund’s contracts with those service providers include the requirements prescribed by the DPL; and
- examining whether the fund can rely on the ground of legal obligation for processing certain data (such as information gathered as part of KYC procedures) or whether it must rely on another ground, such as consent.
* Since we are not licensed to practice law outside of Israel, this document serves only as a general guideline with respect to the new provisions of the DPL and shall not be regarded as binding legal advice. Specialist advice should be sought about your specific circumstances. GKH’s IP and Privacy Group is available to assist clients in preparing for the impact of the DPL on their business.
For further information regarding this update, please contact Adv. Ella Tevet, Partner, Head of IP and Privacy Practice, at ellat@gkh-law.com or 03-6074588.