The Cayman Islands Data Protection Law (the “DPL”) became effective on 30 September, 2019. The DPL governs how a “data controller” may process, use and retain personal data.
An investment fund structured as a Cayman Islands company, or a limited liability company, or a partnership, or a foreign company registered under the Cayman Islands that acts as a general partner (“GP”) of an investment fund, will be deemed as a data controller.
Personal identifying information provided by individual investors to the investment fund is generally personal data for the purpose of DPL. If the investor is an entity, personal data includes personal identifying information of contact persons, beneficial owners, directors or members of such entity. The individual to which the personal data relates does not need to be in the Cayman Islands or a citizen of the Cayman Islands in order for the DPL to apply.
As a data controller, an investment fund or a GP must ensure that it comply with the data protection principles set forth in the DPL when it processes any personal data. The investment fund or a GP also must ensure that any third party (e.g., an administrator or an investment manager) who processes personal data on its behalf also comply with the data protection principles set forth in the DPL.
Under the DPL, a Cayman Islands investment fund or a GP must:
send a privacy notice to investors;
update subscription documents to include a privacy notice for new investors as well as obtain certain acknowledgements, representations and warranties;
update offering documents to reflect the new requirements under the DPL; and
update agreements with any third parties who process personal data on behalf of the investment fund to ensure such processing is undertaken in compliance with the DPL.
It is important for fund managers to be aware of this regulatory development and work with Cayman service providers to ensure compliance with the DPL.