Starting from 2018, the GDPR has been applicable to all offshore investment funds where European investors are present. In 2019, the DPL, whose main purpose was to govern the processing of personal information in the Caymans, had been enacted. With a few minor differences, its provisions are almost identical to those of the GDPR.
Pursuant to the DPL, investors are required to furnish a photo ID, proof of income, contact information, tax return, employment data, marital status, information about their next of kin, data on investment s that are going to be made on behalf of/for investment funds & funds’ service providers. All this data is necessary to ensure effective protection of personal data in the Caymans.
Ensuring compliance with DPL/GDPR provisions requires investment funds’ BoDs review contracts with the said parties & hire staff responsible for protection of data in the Cayman Islands. BoDs must also oversee performance of providers of services & ensure protection of the personal information of investors in the Caymans. Funds’ documentation must indicate that their investors are perfectly aware of how their personal information is being processed, who it is processed by & what it is processed for.
Please, see the table below for differences between the data protection in the EU & Cayman Islands.
|
GDPR (EU) |
DPL (Cayman Islands) |
|
|
Personal Info |
Any data related to individuals that may be directly or indirectly identified because of it (including IPs & cookies) may be designated as personal info if it’s associated with those individuals. |
No differences |
|
Controllers of Data |
Individuals independently or together with other individuals determine the goals, terms & ways of processing personal information. |
Applicable to any controllers of personal info a) that’s processed in the Caymans; b) that’s processed in the Caymans for the purpose of its subsequent transfer. |
|
Privacy Statement |
When their data is collected, individuals should be informed about why it’ll be processed, how it’s going to be transferred & what security steps will be taken Normally, such information is available in a privacy statement. |
No differences |
|
Right to Access Data |
Individuals are entitled to get a confirmation that their personal info was processed & access it. A response to their request must be made within 30 days after its receipt. No money must be charged for making a copy of the info. |
No differences; however, a fee can be charged for making a copy of the info. |
|
Duration of Retention |
Individuals’ personal information mustn’t be stored longer than its’ necessary to achieve the goal for which it has been retrieved. |
No information retention requirements. |
|
Destruction of Information |
Information must be destroyed if individuals specifically requested for it. |
No differences |
|
Transferring Information |
3rd parties are allowed to transfer information. |
No differences |
|
Protecting Information |
Information is protected by taking special security measures, providing the possibility of restoring access to information & running regular tests & evaluations. |
Preventing unauthorized access to personal information requires taking security steps aimed at prevention of accidental deletion or loss of personal data. |
|
Information Leaks |
Regulators must be informed of unauthorized access to personal information within 3 days after its occurrence. |
Regulators & individuals affected by unauthorized access to information must be informed within 120 hours after its occurrence. |
|
Processing of Information |
Processors & controllers of information must ensure compliance with requirements for data security. |
Controllers of information bear no responsibility for it; however, they may be held accountable as per a signed contract or civil law provisions. |
|
Notification of Unauthorized Access |
A notification is to contain info on: 1) unauthorized access 2) repercussions 3) steps taken; 4) proposed measures to offset potentially negative consequences. |
No differences |
|
Right to Forget |
Unless there’s convincing proof for subsequent use of information, it can be destroyed at the request of its owners. |
No differences |
|
Right to Disagree |
Individuals can request that their personal information not be used. Nobody can deny them this right. |
No differences |
|
Penalties/fines |
There’s two fines of up to twenty million euros or four percent of the annual global turnover. |
There’s a fine of up to one hundred thousand dollars or a five year prison term; in some cases two penalties are applied at once. |
Looking to protect personal data in the EU & Caymans? Need advice on data protection regulation in the EU & Cayman Islands? Please consider contacting IQ Decision UK.
