The Cayman Islands Data Protection Act (the DP Act) governs how a data controller may process, use and retain personal data. Anyone who falls within the definition of a "data controller" (such as a Cayman Islands investment fund) must now comply with eight data protection principles in relation to any personal data processed by the data controller. Where a data controller engages a third party (such as an administrator or investment manager) to process personal data on its behalf, the data controller must ensure the third party complies with the eight data protection principles.
In addition to governing how a data controller processes, uses and retains personal data, the DP Act also sets out the rights of individuals to control their personal data and implements a system to protect against the misuse of personal data. The DP Act is similar to the General Data Protection Regulation (GDPR) of the European Union with which many clients will be familiar.
For a general overview of the Cayman Islands DP Act please see our Guide to data protection in the Cayman Islands.
Application of DP Act to investment funds
In order for investors to invest in an investment fund they must provide certain personal identifying information to the investment fund. Even where the investor is an entity, personal identifying information of contact persons, beneficial owners, directors, employees, partners or members of that entity will be provided to the investment fund. This personal information will be considered personal data under the DP Act.
The individual to which the personal data relates does not need to be in the Cayman Islands or a citizen of the Cayman Islands in order for the DP Act to apply.
Any investment fund structured as a Cayman Islands company or partnership, or any foreign company registered in the Cayman Islands that acts as a general partner of an investment fund will be subject to the DP Act and will be a data controller.
What must an investment fund do to comply with the DP Act?
As a data controller, an investment fund must ensure that it complies with the eight data protection principles when it processes any personal data. It must also ensure that any third party that processes personal data on its behalf also complies with the eight data protection principles.
Cayman Islands investment funds must:
send a privacy notice to existing investors
update their subscription documents to include a privacy notice for new investors as well as obtain certain acknowledgements, representations and warranties
update offering documents to reflect the requirements under the DP Act
update agreements with any third parties that process personal data on behalf of the investment fund to ensure such processing is undertaken in compliance with the DP Act especially where there is transfer of data outside of the Cayman Islands
Privacy notices
If the investment fund is already subject to GDPR then the investment fund may have already adopted a GDPR compliant privacy notice. If that is the case, then a few minor amendments to the privacy notice to reflect the DP Act are all that are needed.
If the investment fund has not yet adopted a privacy notice then it should prepare one in order to communicate the required information to its investors.
In either case the privacy notice should be sent to existing investors and/or made available on an investor or fund administration portal.
Subscription documents
The subscription agreement of the investment fund will also need to be updated to include the privacy notice and certain acknowledgements from the investor. It should also contain representations and warranties from entity investors that they have provided the privacy notice to any person whose data is given to the investment fund (eg beneficial owners, directors etc) and may need to also contain consent provisions for specific activities prescribed under the DP Act, such as the processing of sensitive personal data if applicable.
Offering documents
Offe...

Ver todos los episodios