Group Data Protection Information Notices

This Notice applies to the following legal entities and subsidiaries:

Ireland

• Sigma Irish AcquiCo Limited
• Sigma Irish TopCo Limited
• Sigma Irish HoldCo 1 Limited
• Waystone Management Company (IE) Limited
• Information Security Assurance Services Limited trading as Waystone Compliance Solutions (IE) Limited
• Waystone Administration Solutions (IE) Limited
• Waystone Centralised Services (IE) Limited
• Waystone Investment Management (IE) Limited

Luxembourg

• Waystone Management Company (Lux) A
• Waystone Services (Lux) SARL
• Waystone Administration Solutions (Lux) A

Bermuda

• Waystone Administration Solutions (BDA) Limited

Canada

• Waystone Administration Solutions (CA) Inc

USA

• Waystone Administration Solutions (US) Inc
• Waystone Compliance Solutions (USA) Ltd
• Waystone Asset Management (USA) LLC

United Arab Emirates

• Waystone Compliance Solutions (Middle East) Limited
• Waystone Holding Company (Middle East) Limited
• Waystone ME Managing Investments of Investments Funds L.L.C
• Waystone ME Corporate Services Provider L.L.C

Singapore

• Waystone Compliance Solutions (Singapore) Pte Limited
• Waystone Corporate Solutions (Singapore) Pte Limited

Hong Kong

• Waystone Governance (HK) Limited

Cayman Islands

• Waystone Governance Ltd
• Waystone Corporate Services (Cayman) Ltd
• Waystone Regulatory Compliance Services Ltd
• Waystone Asset Management (Cayman) Ltd.

Philippines

• Waystone Centralised Services (Philippines) Inc

India

• Waystone Technology Solutions Private Limited

This Notice contains information on the Personal Data processed by the listed Waystone legal entities, where we are a data controller. There are separate notices for:

• All Waystone UK entities
• Waystone Fund Services (Switzerland) SA
• Waystone Employees and Candidates

This Notice provides information on the Personal Data processed by Waystone, the source of Personal Data, purpose for processing, the legal basis relied on for processing, the retention of the Personal Data, the recipients, and transfers of Personal Data. In addition, this Notice will provide information on data subject rights.

This Notice reflects, primarily, the requirements as set out in Article 13 and 14 of the General Data Protection Regulation (2016/2016/679) (‘GDPR’). However, we have also taken into consideration the data protection transparency requirements in other locations where we have a presence. A list of other applicable data protection legislation in other jurisdictions outside Europe is set out further down this Notice.

Out of scope:

Where Waystone is appointed by clients to provide services, and where we are not the data controller, we process Personal Data of individuals as a data processor, acting solely upon the instructions of our clients, who are the data controllers. Such activity is outside the scope of this Notice. The Personal Data collected, the purpose of collecting, the means of collecting, and the retention period are all determined by our clients, the data controllers and outlined in their respective Data Protection Information Notices or similar documents.

Personal Data is defined in the GDPR as information relating to an identified or identifiable natural person (a ‘Data Subject’). In certain jurisdictions outside the EEA and the UK, such information may also be known as Personal Information.

The Personal Data processed by Waystone depends on the purpose for such processing.

Clients and potential clients:

• As part of our due diligence and on boarding processes and to comply with on-going legal obligations on anti-money laundering and counter terrorist financing, taxation, crime- detection, crime prevention, investigation, the prevention of fraud, bribery, anti-corruption, tax evasion; we may process some or all of the following: name, signature, postal address, email address, date and place of birth, nationality, professional or employment related information, source of funds details, tax identification, other contact details, account numbers (or functional equivalent) and transaction details, your tax or social security ID number or equivalent, utility bills for the purposes of address verification, photographic identification such as copies of your passport, passport number and driver’s license, information relating to your status as an ultimate beneficial owner of an entity, a politically exposed person or a designated individual on a sanctions list as well as biometric data for purposes of verifying and authenticating you, remotely.
• We process your Personal Data for the purpose of delivering a service to you, for the purpose of maintaining appropriate business records, including maintaining appropriate registers required under applicable law and regulation, client relationship databases, financial accounting logs, for the purpose of quality control, business and statistical analysis, market research, for the purpose of tracking fees and costs and for the purpose of customer service, provision of regulatory updates, corporate updates, training, and related purposes.
• We may collect and process Personal Data relating to you in connection with our on-going relationship with you, such as via correspondence and calls, and in connection with the administration of our relationship with Telephone calls and remote meetings with you may be recorded for the purposes of record keeping, minute taking, security and training. We may provide you with access to various online portals to enable you access information about funds and our services which require you to log in using your email address and password.

Investors in funds

• Where we are providing certain services to investment funds, we may be legally obliged to process your Personal Data if you invest in such investment funds. Services include management company services, fund administration services or money laundering reporting officer services. We have legal and regulatory obligations in relation to anti-money laundering and counter terrorist financing and the prevention of fraud. Our obligations are separate to those of the investment fund itself and other service providers. In such instances we will process name, signature, postal address, email address, date and place of birth, nationality, professional or employment related information, source of funds details, tax identification,  account numbers (or functional equivalent) and transaction details, your tax or social security ID number or equivalent, utility bills for the purposes of address verification, photographic identification such as copies of your passport, passport number and driver’s license, information relating to your status as an ultimate beneficial owner of an entity, a politically exposed person or a designated individual on a sanctions list as well as biometric data for purposes of verifying and authenticating you, remotely.

Other Service Providers/Delegates

We will process the contact details of employees and representatives of other financial services companies, auditors, advisers and lawyers who also provide services to our clients. We do so for the purpose of negotiating legal contracts, onboarding, preparing reports, arranging and attending meetings, providing access to Waystone IT systems and for the purpose of communicating information.

Website and other social media platform visitors:

When you visit our website, we automatically collect certain technical data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.

We also provide you with an option to accept, reject or manage cookies that may be dropped on your device while you navigate our website. Please see Use of Cookies – Waystone for more information on cookies and how to manage, reject and remove them.

• We also invite you to contact us and, in this regard, we request your name, job title, company, contact number, country and email address.
• We process your social media platform account details when you connect with us

Attendees at Waystone offices and events:

• We also collect and process your name, contact details, image, CCTV recording in relation to your attendance at our offices or at an event or seminar organised by Waystone or its business
• We will only process and use special categories of Personal Data about your dietary or access requirements to cater for your needs and to meet any other legal or regulatory obligations we may have.

Vendors:

• If you are the contact person for a company that provides Waystone with a product or a service, your name, job title and work contact details will be processed within our business and finance records. We will also perform KYB checks on directors and owners of vendor companies which may involve additional verification checks of such individuals and business interests.

Recipients of Marketing Communications:

• We use your name and contact details to send you newsletters, updates and information about our products and services, to conduct market research, satisfaction surveys, and event follow up. (If you no longer wish to receive our communications you may unsubscribe at any time by clicking the unsubscribe link at the bottom of all marketing e-mail communications.)
• We use software that places tracking technology on your device when you click on a link in such communications to analyse your interactions with our content and to improve their relevance.

We may obtain Personal Data:

• Directly from you in correspondence, contracts, due diligence documents, business card, feedback forms or where you used the Contact Us functionality on the website
• Indirectly from your company, who are our client /potential client or vendor or other service provider
• Indirectly from an investment fund (or their data processor) that we are contracted to and in which you invest
• Indirectly from third party sources such as public databases and registers, search engines and government entities
• Indirectly from social media platforms you interact with Waystone on
• Indirectly from you through our use of cookies placed on your device, if accepted
• Indirectly from our building management companies in our locations

Waystone relies on the following legal bases for the processing of Personal Data:

• Where necessary for the performance of a contract with you. Failure to provide your Personal Data may affect our ability to provide services to you
• Where necessary for compliance with a legal obligation to which Waystone is subject
• Your consent (e.g., when you sign up for marketing material or ask us to contact you, this consent can be withdrawn at any time)
• Where necessary for the purposes of our legitimate interests or the legitimate interests of a third party to whom your Personal Data is provided. We will not process your Personal Data for these purposes if our or the third party’s legitimate interests should be overridden by your own interests or fundamental rights. The legitimate interests pursued by us in this regard include:
  • Conducting our business in a responsible and commercially prudent manner and dealing with any disputes that may arise
  • Preventing, investigating or detecting theft, fraud or other criminal activity
  • Pursuing our legitimate corporate and ethical, social, and governance responsibility objectives
  • Sending you, as a representative of a company and not on a personal basis, marketing material relating to Waystone services
  • Improving how we deliver services
  • Transferring Personal Data within Waystone Group for internal administrative purposes

We may disclose and share your Personal Data described above to and with other Waystone Group entities and affiliates in various global locations for our business purposes and purposes required to deliver a service to you.

In addition, we may also use or disclose your Personal Data:

• To third party service providers such as those who provide cloud-based SaaS, IaaS, and/or PaaS services and support in relation to cyber and network security, event management, financial management, regulatory reporting, secure data sharing platforms, marketing services, client lifecycle management tools, data protection compliance and risk platforms, AML/KYC monitoring tools, website hosting. Such third parties are appointed our appointed data processors. A comprehensive list of our processors is available upon request
• To investment funds that we are appointed to and/or their other service providers
• To our lawyers, advisors, insurers, and auditors who provide services to Waystone and are subject to confidentiality obligations
• To local regulators, auditors, government agencies, exchanges, tax authorities, self-regulatory organizations or law enforcement authorities, subject to applicable law
• If we are required to do so by law or if we reasonably believe that such disclosure is necessary or appropriate to prevent physical harm or financial loss in connection with an investigation of suspected or actual illegal activity
• In connection with the planning, due diligence, and implementation of commercial transactions, including a reorganization, merger, acquisition, sale of all or a portion of our assets, a joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock including in connection with any bankruptcy or similar proceedings in such circumstances your Personal Data may be disclosed to investors or acquiring entities
• To our building management companies, upon valid and legal request

Waystone operates globally, using global systems and platforms. We offer multi-time zone support to our clients. As a result, Personal Data collected in one jurisdiction may be transferred to, stored in, accessed from and processed in another jurisdiction by a member of Waystone or one of our third-party service providers.

International transfers are permitted where:

1. The transfer destination is deemed adequate for data protection by the EU or other relevant jurisdiction where the Waystone entity is established, or
2. The transfer is subject to approved standard contractual clauses, or
3. The transfer is on the basis of a specific derogation

We have put in place appropriate technical and organisational measures to protect against the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored, or otherwise processed. Measures include but are not limited to role-based access controls, strict password protocols, training, encryption, data protection and information security policies and procedures.

Waystone will retain Personal Data only for as long as is necessary for the purpose for which the Personal Data is processed. Retention periods are prescribed by law e.g. financial services, contract, company, tax, anti-money laundering and terrorism financing legislation, in the jurisdictions in which we operate. In general, such periods do not exceed 10 years from the end of our relationship with you or company you represent. Longer periods may be required where we believe it is necessary to establish, defend or protect our legal rights and interests.

Waystone will use Artificial Intelligence(‘AI’) in a responsible manner and in compliance with our legal and regulatory obligations. We will disclose where we use AI assisted tools to create output that has not been reviewed by a human. Where Personal Data is processed in such AI assisted tools, such processing will be in compliance with Waystone Data Protection policies and our legal obligations.

You have the following rights, in certain circumstances and subject to applicable exemptions, in relation to your Personal Data:

• The right to access your Personal Data
• The right to rectify any inaccuracies in your Personal Data
• The right to have any incomplete Personal Data completed
• The right to erase your Personal Data (in certain specific circumstances)
• The right to request that your Personal Data is no longer processed for particular purposes (in certain specific circumstances)
• Where the legal basis for processing is consent, the right to withdraw your consent at any time
• The right to object to the use of your Personal Data or the way in which it is processed where Waystone has determined it to be necessary for the purposes of our legitimate interests
• The right to data portability (in certain specific circumstances)
• The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects

These are the main Data Subject Rights set out in the GDPR, some of which are also recognized in jurisdictions outside the EU/EEA. There are also additional rights in these jurisdictions, the key ones are listed below in the jurisdictional sections.

Waystone takes our responsibilities as regards data protection very seriously and will strive to resolve any issues in an amenable manner with any Data Subject. However, if you are unhappy with the outcome of any request to exercise the above rights or any other data protection matter you can raise a complaint with your local data protection supervisory authority. You will find details of the European Supervisory Authorities here: European SAs. Supervisory authorities in our other jurisdictions are listed below.

We do not seek to collect personal data from individuals under the age of 18. Individuals under the age of 18 should receive permission from their parent or legal guardian before providing any Personal Data to us.

For any data protection related queries and to exercise your Data Subject rights as outlined above, please contact our Global Privacy Team at [email protected] or your usual Waystone contact who will forward to the Global Privacy Team.

Legislation
Personal Information Protection Act 2016 (PIPA)

Supervisory Authority
The Office of Privacy Commissioner for Bermuda

Key differences from GDPR

• The term ‘Personal Information’ is used instead of ‘Personal Data’
• ‘Data Subject’, ‘Data Controller’ and ‘Data Processor’ are not defined terms in PIPA. Instead ‘organization’ and ‘individual’ are used.
• No explicit right to data portability.
• No explicit right not to be subject to automated decision-making including profiling.
• PIPA prohibits an organization from using sensitive information without lawful authority to discriminate against any person contrary to Part II of the Bermuda Human Rights Act 1981

Contact
Roger Davidson House 2nd Fl., 32 Reid St, 2nd Floor, Hamilton HM 11, Bermuda
[email protected] 

Legislation
Personal Information Protection and Electronic Documents Act 2000 (PIPEDA)

Supervisory Authority
Office of the Privacy Commissioner of Canada

Key Differences from GDPR

• The term ‘Personal Information’ is used instead of ‘Personal Data’
• ‘Data Subject’, ‘Data Controller’, and ‘Data Processor’ are not defined terms in PIPEDA. Instead ‘organization’ and ‘individual’.
• No explicit right to erasure but organisations are required to erase personal information when the purpose for the processing has been completed.
• No explicit right to restrict processing.
• No explicit right to object, however PIPEDA provides for the right for individuals to withdraw consent at any time subject to legal or contractual restriction and reasonable notice (Schedule 1, Clause 4.3.8)
• No explicit right to data portability.
• No explicit right to not to be subject to automated decision making.

Contact
609 Kumpf Drive, Unit 200, Waterloo, Ontario ON N2V 1K8, Canada
[email protected]

Legislation
Data Protection Act (2021 Revision) (the Act)
Data Protection Regulations, 2018 (SL 17 of 2019) (the Regulations)

Supervisory Authority
The Office of the Ombudsman

Key differences from GDPR

• No explicit right to data portability

Contact
Suite 101 & 102, SIX Cricket Square, Cayman Islands, KY1-1103
[email protected]

Legislation
Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2021

Supervisory Authority
The Office of the Privacy Commissioner for Personal Data

Key differences from GDPR

• Data controller: Referred to as a ‘data user’, a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing, or use of the data (Section 2(1) of the PDPO)
• No explicit right to erasure but Data Users are required to erase personal data when the purpose for the processing has been completed.
• No explicit right to restrict processing
• No explicit right to object to processing of personal data but data user can request cessation of processing for direct marketing purposes.
• No explicit right to data portability.
• No explicit right not to be subject to automated decision-making including profiling.
• Relevant Persons can make access requests and correction requests on behalf of another person.

Contact
Unit 1702, Euro Trade Centre, 13-14 Connaught Road, Central Hong Kong
[email protected]

Legislation
Digital Personal Data Protection Act, 2023, to be implemented in stages
Digital Personal Data Rules, 2025, to be implemented in stages
Information Technology Act, 2000
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Supervisory Authority
Data Protection Board of India (To be established by the Government of India)

Key Differences from GDPR

• Data Principal is the individual to whom the personal data relates to.
• Data Controller: Referred to as a “Data Fiduciary”, a person who, alone or in conjunction with other persons, determine the purpose and means of processing of personal data.
• No explicit right to erasure under The SPDI Rules currently, however the DPDP Act will provide for this right when in effect.
• No explicit right to restrict processing.
• No explicit right to data portability.
• No explicit right to not be subject to automated decision making.

Contact
12th floor ,1201-1202, Godrej Two, Pirojshanagar, Eastern Express Highway, Vikhroli (E), Mumbai-400079, Maharashtra, India.
[email protected]

Legislation
Data Privacy Act of 2012 (Republic Act No. 10173)
Implementing Rules and Regulations of Republic Act No. 10173

Supervisory Authority
National Privacy Commission

Key Differences from GDPR

• Personal information is the term used to refer to personal data
• Data Controller: Referred to as “Personal Information Controller”, a personal or organisation who controls the collection, holding, processing, or use of personal information, including a personal or organisation who instructs another person or organisation to collect, hold, process, use, transfer, or disclose personal information on their behalf.
• Data processor: Referred to as ‘Personal information processor’, any natural or juridical person qualified to act as such under the Act, and to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
• Right of Access: A data subject may only request access to their own personal data, and this would exclude any analysis made by the controller with respect to the data subject’s personal data (i.e. inferred, derived, modelled, or business-generated data)
• No explicit right to restrict to processing.

Contact
Level 40 PBCom Tower, 6795 Ayala Avenue corner V.A. Rufino Street, Barangay Bel-Air, Makati City, Makati 1226 Philippines
[email protected]

Legislation
Personal Data Protection Act 2012 (PDPA’)
Personal Data Protection (Amendment) Act 2020
Personal Data Protection Regulations 2021

Supervisory Authority
Personal Data Protection Commission

Key differences from GDPR

• Individual rather than Data Subject and Individual includes natural persons living or deceased.
• Data Controller: Not a term used in PDPA. Referred to as “Organisations” which collect, use, or disclose personal data. “Organisation” broadly covers any individual, company, association or body of persons, corporate or unincorporated.
• Data processor: Not a term used in PDPA. Referred to as “Data Intermediary” which is an organisation that processes personal data on behalf of another organisation but does not include an employee of that other organisation.
• No explicit right to erasure under the PDPA.
• No explicit right to restrict processing under the PDPA.
• No explicit right to object under the PDPA.
• No explicit right to not be subject to automated decision making.

Contact
#17-06, 6 Battery Road, Singapore, Singapore, 049909
[email protected]

For information on Data Protection in relation to Waystone Fund Services (Switzerland) SA, please read this Notice.

Legislation
Federal Decree-Law No.45 of 2021 Concerning the Protection of Personal Data

Supervisory Authority
UAE Data Office

Key Differences from GDPR

• Legitimate interests is not a valid legal basis
• Does not make available rights concerning automated decision-making protections and right to restriction of processing

Contact
E304, Block B, Saaha Offices, Souk Al Bahar, Downtown Dubai, United Arab Emirates
[email protected]

Legislation
Data Protection Regulations 2021 (as amended)

Supervisory Authority
Office of Data Protection

Contact
You may contact our Data Protection Officer via:
15-118, We Work Hub71, Al Khatem Tower, ADGM, Al Maryah Island, Abu Dhabi, United Arab Emirates
[email protected]

Legislation
DIFC Data Protection Law No. 5 of 2020 (as amended)
DIFC Data Protection Regulations

Supervisory Authority
Commissioner of Data Protection

Key Differences from GDPR

• In addition to the rights listed above, the DIFC provides for the right to non-discrimination.
• In addition to the right to lodge a complaint with a Supervisory Authority, Data Subjects can bring a direct claim before the DIFC Courts for material or non-material damage

Contact
You may contact our Data Protection Officer via:
Office GV07/L2/201, Floor 2 Gate Village Building, 7 Dubai International Financial Centre, 506733, Dubai, United Arab Emirates
[email protected]

For information on Data Protection for Waystone legal entities in the United Kingdom, please read this Notice.

Legislation
Act concerning commercial internet websites, online services, consumers, and personal identifiable information (NJDPA)

Supervisory Authority
New Jersey Office of the Attorney General

Key Differences from GDPR

• ‘Data Subject’ is not defined in NJDPA. Instead ‘Consumer’ is defined as an identified person who is a resident of New Jersey acting only in an individual or household context. It does not include a person acting in a commercial or employment context.
• No explicit right to restrict processing.
• No explicit right to not be subject to automated decision-making but the NJDPA provides consumers with a right to opt out of processing personal data for the purposes of profiling (Section 7(5) of the NJDPA).

Contact
3rd Floor, 16-00 Route, 208 South Fair Lawn, New Jersey, 07410
[email protected]

Legislation
Article 5 of the Civil Rights Law regulates civil right to privacy. The Stop Hacks and Improve Electronic Data Security Act 2019, SHIELD Act regulates data breach and data security matters in New York, including data breach requirements, obligations regarding developing security programs, and enforcement capabilities. The General Business Law of the Consolidated Laws of New York was recently amended in terms of timings of data breach notifications and bodies that must be notified.

Supervisory Authority
New York State AG

Key Differences from GDPR

• A living person’s name, portrait, picture, likeness or voice cannot be used for advertising or trade purposes without their consent

Contact
23rd floor, 461 Fifth Avenue, New York, NY 10017
[email protected]

Legislation
Personal Information Protection Act (PIPA)
Biometric Information Protection Act (BIPA)

Supervisory Authority
Office of the Illinois Attorney General

Key Differences from GDPR

• ‘Data Subject’, ‘Data Controller’, and ‘Data Processor’ are not defined terms in PIPA and BIPA. Instead ‘data collectors’ and ‘individuals’ or ‘consumers’.
• No explicit right to access
• No explicit right to rectification
• No explicit right to object, however under the BIPA, individuals have the right to refuse the collection of their biometric data.
• No explicit right to erasure.
• No explicit right to restrict processing.
• No explicit right to data portability.
• No explicit right to not be subject to automated decision making

Contact
70 W. Madison St, STE 1690, Chicago Illinois, 60602
[email protected]

Our website may, from time to time, and this Notice does, contain links to and from other websites. If you follow a link to any of those websites, please note that those websites have their own data protection information notices and terms of use and we do not accept any responsibility or liability for those notices. Please check those notices before you submit any Personal Data to those websites.

We reserve the right to change this Global Data Protection Information Notice at our sole discretion without advance notice. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Notice. Your continued use of this website after we make changes is deemed to be acceptance of those changes, so please check this Notice periodically for updates.