This Policy applies to any Waystone entity in the Waystone group of companies (each a “Waystone Entity” and together “Waystone”, the “Waystone Group” or the “Waystone Entities”). Waystone must comply with all applicable laws and regulations relating to the Processing of Personal Data and privacy, including the Data Protection Act 1998-2018 (as may be amended or supplemented from time to time), from 25 May 2018, the EU’s General Data Protection Regulation 2016/679 (the “GDPR”), and from 30 September 2019, the Cayman Data Protection Law (the “DPL”) (together the “Data Protection Legislation”).
Under Data Protection Legislation, Waystone is required to implement an appropriate data protection policy as part of the organisational and technical measures it puts in place to demonstrate compliance with applicable Data Protection Legislation.
This Policy describes how Personal Data must be collected, handled, stored, disclosed and otherwise “Processed” to meet the Waystone’s data protection standards and to comply with Data Protection Legislation.
Waystone is responsible for and shall be in a position to demonstrate compliance with this Policy. This includes ensuring that Third Parties and Service Providers who Process Personal Data on its behalf are acting in accordance with Data Protection Legislation.
This Policy applies to Waystone Entities where they act as a Controller of Personal Data and Waystone Entities acting as a Processor of Personal Data in the following scenarios:
- in the context of the business activities of Waystone Entities;
- for the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by a Waystone Entity; and
- in the context of Human Resources where a Waystone Entity has Employee Personal Data.
This Policy applies to all Processing of Personal Data. Personal Data can be in electronic form (including electronic mail and documents created with word Processing software) or manual files that are structured in a way that allows ready access to information about individuals.
This Policy has been designed to demonstrate the minimum standard for the Processing and protection of Personal Data by all Waystone Entities. Where a national law imposes a requirement, which is stricter than imposed by this Policy, the requirements in national law must be followed. Furthermore, where national law imposes a requirement that is not addressed in this Policy, the relevant national law must be adhered to by the relevant Waystone Entity through operational procedures.
1.3 Data Protection Contact
To demonstrate Waystone’ commitment to Data Protection, and to enhance the effectiveness of its compliance efforts, Waystone Regional Compliance Teams (“Compliance Team”) will support the business in Data Protection Legislation compliance.
The Compliance Team reports has direct access to the Waystone Entities’ senior management teams and boards of directors (the “Waystone Entities Boards”) and its duties in this role will include:
- mediation with the relevant Data Protection Authority;
- review of the Waystone Data Protection Policies on an annual basis for compliance with relevant legislation;
- produce Annual Board Report on the Waystone Data Protection Framework;
- annual review and ongoing oversight of the Processors of the Waystone Group ensuring compliance with relevant legislation;
- report and escalate directly to the respective Waystone Entity Boards on data protection related matters;
- act as the point of contact for individuals whose Personal Data is Processed by Waystone;
- facilitation of data protection training and tracking of same;
- ensure that Waystone maintains a record of all Personal Data Processing activities;
- ensure Waystone Service Providers apply appropriate technical and organisational measures when protecting Personal Data;
- ensure Waystone Service Providers apply appropriate security measures to ensure against all unlawful forms of Processing;
- report to the Waystone Entity Boards on measures and Processes to demonstrate that privacy has been factored into new business line processes;
- report to the Waystone Entity Boards on oversight of Waystone Service Providers;
- verify that individuals have given Consent to receive marketing information from a Waystone Entity; and
- verify that Personal Data has been deleted where an individual has withdrawn Consent for direct marketing purposes.
1.4 Board Approval
This Policy shall be approved by the Waystone Entity Boards.
1.5 Governance, Policy Review and Ownership
This Policy will be reviewed at least annually by the Compliance Team to ensure appropriateness. Additional updates and ad-hoc reviews may be performed as and when required to ensure that any changes to the Waystone organisational structures/business practices are properly reflected in this Policy.
All amendments to this Policy will be co-ordinated by the Compliance Team to ensure consistency across the Waystone Group. All new Waystone Entities must adopt and adhere to this Policy.
The management team of each Waystone Entity must ensure that each of that Waystone Entity’s Employees who are responsible for the Processing of Personal Data are aware of and comply with the contents of this Policy.
In addition, each Waystone Entity will make sure all Third Parties engaged to Process Personal Data on their behalf (i.e. their Data Processors) are aware of and comply with the contents of this Policy. Assurance of such compliance, usually through the terms and conditions of their appointment, must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to Personal Data controlled by Waystone.
1.6 Responsibility and Escalation
Considering the circumstances in which a Controller must appoint a Data Protection Officer (“DPO”) the Waystone Board has determined that it is not currently necessary to appoint a DPO. The Waystone Board shall keep this matter under review and should guidance emerge which indicates that any Waystone Entity, should appoint a DPO, the Waystone Board will re-consider the need to appoint a DPO.
This Policy is therefore owned by the Waystone Board, with the Compliance Team being responsible for escalation to the relevant Waystone Entity Boards of any data protection related matters. Where data protection issues arise, these are investigated by the European Head of Compliance and where necessary, input from the relevant Waystone Entity Board may be sought.
The Boards of Directors for Waystone Governance Ltd and Waystone Governance Risk and Compliance Services Ltd.
An individual who works part-time or full-time for Waystone under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. Includes temporary employees and independent contractors.
Third Party/Service Providers
An external organisation with which Waystone conducts business and is also authorised, under the direct authority of Waystone, to Process the Personal Data provided by a Waystone Entity.
Any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person.
Identifiable Natural Person
Anyone living who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
A Waystone establishment, including subsidiaries and joint ventures over which Waystone exercise management control.
A natural person to whom Personal Data refers.
Process, Processed, Processing
Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.
Data Protection Authority or DPA
An independent public authority responsible for monitoring the application of the relevant Data Protection regulation set forth in national law.
A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of a Data Controller.
Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
Special Categories of Data
Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Any form of automated Processing of Personal Data Where Personal Data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person. In particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
Processing necessary for the purposes of the legitimate interests pursued by a Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.
3. Data Protection Principles
When Processing Personal Data, Waystone must comply with the following core Data Protection principles.
A. Lawfulness, fairness and transparency
Personal Data must be Processed fairly, transparently and lawfully. An individual’s Personal Data must not be Processed unless there are lawful grounds for doing so and the Data Subject must be informed as to how and why their Personal Data is being Processed either upon or before collecting it.
B. Purpose Limitation
Personal Data must be Processed only for specified and lawful purposes. Personal Data must not be Processed in any manner which is incompatible with the specified and lawful purpose.
C. Data Minimisation
Personal Data that is Processed must be adequate, relevant and limited to the minimum data necessary for the lawful purposes for which it is Processed.
Personal Data must be accurate and, where appropriate, kept up-to-date. Any Personal Data which is incorrect must be rectified as soon as possible.
E. Data Retention
Personal Data must be kept for no longer than is necessary considering the lawful purpose(s) for which it is Processed.
Personal Data must be protected against unauthorised or unlawful Processing, including transmission, accidental loss, destruction or damage through appropriate technical and organisational measures.
4. Personal Data
4.1 Definition of Personal Data
“Personal Data” includes any data which relates to a living individual who can be identified:
- from that data; or
- from that data and other piece of information which is in the possession of Waystone.
Certain categories of Personal Data are particularly sensitive (“Sensitive Personal Data”) and cannot be Processed unless certain conditions are met.
It is Waystone policy to only hold Personal Data of a given Data Subject where we are legally or contractually required or permitted. All Personal Data will be held and Processed in accordance with the Data Protection Legislation and this Policy.
4.2 Processing Personal Data
Processing Personal Data includes any operation that is carried out in respect of Personal Data, including, but not limited to, collecting, storing, using, recording, disclosing, transferring or deleting Personal Data.
Personal Data collected by Waystone is generally collected for the purposes set out in its Privacy Notices including, but not limited to, the following:
- to comply with legal, tax or regulatory obligations imposed on Waystone under applicable law;
- to efficiently manage its directors and its relationship with its Service Providers;
- to carry out statistical analysis and market research;
- to transfer Personal Data to third parties such as auditors, regulatory or tax authorities and technology providers in the context of the day to day operations of the Waystone in the conduct of its services provided globally; and
- for the purposes outlined in the Employee Privacy Notice.
4.3 Grounds for Processing Personal Data
Personal Data must only be Processed if the purpose of the Processing satisfies one of the legal bases permitted under the Data Protection Legislation.
The below details the legal bases for Processing which are most commonly relevant to Waystone Processing activities.
4.3.1 Legal Grounds for Processing Personal Data
The legal grounds for Processing Personal Data include:
- where the Processing is in Waystone’s Legitimate Interests or the Legitimate Interests of a third party and the proposed Processing does not cause unwarranted infringement on the Data Subject’s rights;
- where the Processing is necessary for the performance of a contract to which the Data Subject is a party, or for the taking of steps with a view to entering into or exiting a contract at the request of the Data Subject;
- where the Processing is required by law or other regulation to which the Waystone is subject to, for example, the Central Bank of Ireland, Cayman Islands Monetary Authority or another relevant regulator’s regulations/anti-money laundering and terrorist financing legislation etc; and
- where the Data Subject has provided its Consent to the Processing for the specific purpose in accordance with this Policy.
4.3.2 Sensitive Personal Data
As detailed previously, Sensitive Personal Data is subject to stricter controls and the circumstances in which it can be Processed are significantly more limited than Personal Data.
Waystone will only Process Sensitive Personal Data where the Data Subject expressly Consents to such Processing or where one of the following conditions apply:
- Processing relates to Personal Data which has already been made public by the Data Subject;
- Processing is necessary for the establishment, exercise or defence of legal claims;
- Processing is specifically authorised or required by law;
- Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent; or
- further conditions, including limitations, based upon national law related to the Processing of genetic data, biometric data or data concerning health.
4.4.3 Children’s Data
In general terms Waystone will not process any Personal Data in relation to a child or minor. Should any Waystone Entity ever be required to Process Personal Data relating to a child, in the first instance the relevant Waystone Entity must obtain guidance and approval from the Compliance Team before any Processing of a child’s Personal Data may commence. If it is deemed appropriate the Waystone Entity will be required to obtain parental Consent.
4.4 Processing of Personal Data relating to criminal convictions and offences
The Processing of Personal Data relating to criminal convictions and offences or related security measures may take place subject to appropriate safeguards for the rights and freedoms of Data Subjects. There are certain conditions under which this information may be inadvertently Processed including:
- the Data Subject has given explicit Consent to the Processing for one or more specified purposes except where applicable law prohibits such;
- Processing is necessary and proportionate for the performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is:
- necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or
- otherwise necessary for the purposes of establishing, exercising or defending legal rights;
- Processing is necessary to prevent injury or other damage to the Data Subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the Data Subject or another person; or
- Processing in relation to screening of potential employees. Waystone conducts background checks including checking for any criminal convictions of senior Employees to assess the risk of fraud or prevent fraud. Employees are notified of this in the Privacy Notice and consent to it in the initial screening form.
4.5 Higher Risk Processing Activities
The Data Protection Legislation provides that wherever the Processing of Personal Data is likely to result in increased risk to the Data Subject, Waystone as a Data Controller will need to, before carrying out the Processing activity, perform an assessment of the potential impact of the intended Processing on the rights and freedoms of the Data Subject (a “Data Protection Impact Assessment” or “DPIA”).
Waystone has identified where the Processing of Personal Data takes place globally. Following this assessment Waystone has not identified any activities that would be considered as posing a high risk to Data Subjects.
Waystone has also determined that it is unlikely that any other Service Providers will be engaging in higher risk Processing activities on behalf of Waystone but will keep this matter under review.
4.6 Fair Processing Information
Any Process which involves the gathering of Personal Data on an individual should contain a Privacy Notice explaining among other things what the Personal Data is to be used for and to whom it may be disclosed.
Regardless of how Personal Data is obtained (whether it is obtained from the Data Subject or from a Service Provider) the Data Subject will be provided with certain information about the Processing of their Personal Data by Waystone. This information will be provided either before or upon collection of the Personal Data. If the Personal Data is obtained from a Service Provider, then the Privacy Notice must be provided within a reasonable time period from obtaining the Personal Data or at the time of the first communication with the Data Subject, whichever is earlier.
This information will be provided in the form of Privacy Notice (please refer to Appendix I for a GDPR specific Privacy Notice).
Where applicable, the Waystone Entity, shall ensure that the Privacy Notices are kept under review annually and shall be updated as necessary to reflect non-material changes. Material changes notified to a Waystone Entity by any Service Providers or which otherwise come to the attention of Waystone shall be made on an ad-hoc basis and the Compliance Team shall instruct the provision of an updated data Privacy Notice to Data Subjects as applicable.
4.7 Data Register
Waystone maintains an up to date Data Register of all activities it conducts that require the Processing of Personal Data, a copy of which shall be made available to the DPA upon request. The Data Register consists of the following elements:
- categories of Data Subjects;
- categories of Personal Data;
- Processing activity;
- the grounds for Processing the Personal Data;
- in which jurisdiction the Processing is conducted;
- whether the Personal Data is transferred to a third party;
- whether the Personal Data is transferred outside the European Economic Area; and
- the retention period.
The Data Register is maintained by the Compliance Team.
While not currently anticipated, where there is no other lawful basis for Processing Personal Data then it should not be Processed unless the Data Subject has given their Consent.
For Consent to be valid, it must satisfy the following criteria:
- it must be limited to specific Processing activities;
- Data Subject must have been informed about the Processing activities in sufficient detail so as to be able to fully understand what they are consenting to;
- it must be freely given which means that the Data Subject must have a genuine free choice as to whether they give the Consent;
- the performance of a contract cannot be made conditional upon the Data Subject giving their Consent to the data Processing, unless the data Processing is required to perform the contract; and
- it must be given by way of an unambiguous statement of some other clear active communication by the Data Subject, such as signing a form. Consent cannot be inferred from silence or inactivity such as the use of pre-selected boxes; and
- Details of the Processing of Personal Data must be clearly distinguished from other matters that the Data Subject is asked to agree to.
Equally, where the Processing relates to Sensitive Personal Data and Waystone cannot rely on any other lawful ground for Processing such Sensitive Personal Data, the Data Subject’s explicit Consent shall be obtained, by way of a signed statement.
It is important to note that a Data Subject must be informed of their right to withdraw their Consent at any time. Waystone Entities shall put in place appropriate Processes to promptly action any withdrawal of Consent. Where a Data Subject wishes to exercise this right, they may contact the designated contact for this purpose via the contact details provided in the Privacy Notices.
6. Legitimate Interests
Where a Waystone Entity seeks to rely on Legitimate Interests to legitimise certain Processing activities, the Compliance Team must be satisfied that those Legitimate Interests are not outweighed by the interests or fundamental rights and freedoms of the relevant Data Subject.
The Waystone Entity must conduct a Legitimate Interests assessment (“LIA”) when relying on Legitimate Interests as a lawful basis for Processing.
This LIA will:
- identify the Legitimate Interest for which Waystone intends Processing the Personal Data;
- consider whether the Processing is necessary for the pursuit of its objectives; and
- (involve the completion of a balancing test which assesses whether or not the Data Subject’s interests override the Legitimate Interests of Waystone.
Factors taken into account by the Waystone Entity in conducting the balancing test include:
- the nature of the Legitimate Interests and the Data Subject’s reasonable expectations about what will happen to their data;
- the impact of Processing on the Data Subject; and
- any safeguards which are or could be put in place in order to limit undue impact on the Data Subject.
Where Legitimate Interests are relied upon this will be notified to the Compliance Team who will review and record the basis of reliance in line with the foregoing LIA.
The Waystone Entity shall provide information on any balancing test conducted by it to affected Data Subjects on request. In the event that a Data Subject objects to the Processing of Personal Data by Waystone on grounds of Legitimate Interests, Waystone shall stop the Processing of such Personal Data unless, having re-conducted the balancing test, the Compliance Team is satisfied that the Data Subject’s interests should not prevail over those of Waystone. Furthermore, Waystone will carry out a new LIA if the purpose of the Processing changes or if it becomes aware of a change in the factors relating to the outcome of the LIA previously conducted.
8. Transfers to Third Parties/Service Providers
Where a Waystone Entity is required to transfer Personal Data to, or allow access by, a Service Provider, it must be assured that Personal Data will be Processed legitimately and protected appropriately by the recipient.
Where a Service Provider is deemed to be a Data Controller, the Waystone Entity will enter into an appropriate agreement with the Data Controller to clarify each party’s responsibilities in respect to the Personal Data transferred.
Where a Service Provider is deemed to be a Data Processor, the Waystone Entity will enter into, an adequate Processing agreement with the Data Processor. The agreement will require the Data Processor to protect the Personal Data from further disclosure and to only Process Personal Data in compliance with Waystone’ instructions. In addition, the agreement will require the Data Processor to implement appropriate technical and organisational measures to protect the Personal Data as well as procedures for providing notification mechanism of Personal Data Breaches. Waystone has a Standard Data Processing Clause document that should be used as a baseline template, including the provisions detailed below.
When a Waystone Entity is outsourcing services to a Service Provider (including Cloud Computing services), it will identify whether the Service Provider will Process Personal Data on its behalf and whether the outsourcing will entail any Third Country transfers of Personal Data. In either case, it will make sure to include, adequate provisions in the agreement for such Processing and Third Country transfers.
8.1 Article 28(3) Data Processing Agreements
Each Waystone Entity must ensure that it enters into a written agreement with any such Data Processors which includes provisions imposing the specific obligations set down in Article 28(3) on the relevant Third Parties.
8.2 Right of Audit and Inspection
Under its agreement with the relevant Service Provider, the Waystone Entity shall have a contractual right to obtain all relevant information from that Service Provider which is necessary for the Service Provider to demonstrate its compliance with the data protection obligations set down in the contract. Furthermore, the Waystone Entity shall have the contractual right to carry out an audit or inspection of the relevant Service Provider for such purposes.
9. Disclosure of Data
Each Waystone Entity will ensure that Personal Data is not disclosed to unauthorised third parties. All personnel acting on behalf of Waystone must exercise caution when asked to disclose any Personal Data to a third party and prior to completing any such transfer. Waystone Global Data Protection Procedure will document this and regular staff training ensures that each individual acting on behalf of Waystone understands their obligations in this regard.
Disclosure to third parties may be permitted where this is:
- necessary to safeguard national security;
- necessary for the prevention or detection of crime, in the substantial public interest and where obtaining Consent from the Data Subject would prejudice that purpose;
- necessary for the administration of justice;
- necessary to comply with applicable laws or regulation; or
- necessary to protect the vital interests of the Data Subject, such as life and death situations, but only where their Consent cannot be obtained.
Any instances of uncertainty regarding the sharing or transfer of Personal Data should be referred to the Compliance Team.
10. Transferring Personal Data
10.1 Transferring outside the European Economic Area
Specific legal requirements apply to the transfer of Personal Data out of the European Economic Area (“EEA”), where transfers of data include sending data to another country or allowing that data to be accessed remotely from another country.
Personal Data must not be transferred outside the EEA unless the recipient country ensures an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission or alternatively one of the following safeguards have been put in place by or on behalf of Waystone:
- the existence of binding corporate rules; or
- the entry into a data transfer agreement between the Waystone Entity (or a Fund Service Provider acting as its agent) and the non-EEA recipient of the Personal Data which contains standard contractual clauses that have been approved by the European Commission.
10.2 Transfers outside the Cayman Islands
Specified legal requirements apply to the transfer of Personal Data outside the Cayman Islands under the DPL.
Personal Data shall not be transferred outside of the Cayman Islands to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data, as determined by the Cayman Islands DPA (the “Ombudsman”), or where Waystone has in place appropriate safeguards.
10.2 Transfers between Waystone Entities
For Waystone to carry out its operations effectively across its global Waystone Entities, there may be occasions when it is necessary to transfer Personal Data from one Waystone Entity to another, or to allow access to the Personal Data. Should this occur, the Waystone Entity sending the Personal Data remains responsible for ensuring protection for that Personal Data.
Waystone handles the transfer of Personal Data between Waystone Entities, where the Personal Data is being transferred from the European Economic Area and the location of the recipient Waystone Entity is a Third Country, by using the Commission approved data transfer agreements supported by detailed SLAs. These agreements impose standard clauses which govern the Processing of Data Subjects’ Personal Data and must be enforced by each approved Waystone Entity, and their Employees.
Where Personal Data is transferred outside the Cayman Islands to a country or territory which is not an Ombudsman Approved Territory, Waystone will assess the relevant criteria outlined by the Ombudsman guidance to determine whether a transfer would be compliant with the DPL. Where appropriate, Waystone will use Ombudsman approved data transfer agreements based on standard contractual clauses published by the Ombudsman or data transfer agreements which replicate the rights and obligations contained in the EU ‘standard contractual clauses’ pursuant to Article 46 paras (2)(c), (2)(d), or (5) GDPR.
11. Profiling & Automated Decision-Making
Waystone does not currently engage nor does it plan to engage in Profiling and Automated Decision making.
Waystone will only engage in Profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the Data Subject or where it is authorised by law. Where a Waystone Entity utilises Profiling and automated decision-making, this will be disclosed to the relevant Data Subjects.
12. Data Protection by Design
To ensure that all Data Protection requirements are identified, considered and addressed, each Waystone Entity will ensure that material changes such as new systems or processes go through a DPIA before launch in collaboration with the Compliance Team. The subsequent findings of the DPIA must then be submitted to the Waystone Entity’s Chief Risk Officer and the Head of Compliance Europe for review and approval.
Where applicable, the Information Technology (IT) department, as part of its IT system and application design review Process, will cooperate with the Waystone Entity and the Compliance Team to assess the impact of any new technology uses on the security of Personal Data.
13. Data Security, Data Retention and Disposal
Each Waystone Entity will adopt all necessary measures to ensure that the Personal Data it collects and Processes is complete and accurate in the first instance, and is updated to reflect the current situation of the Data Subject.
The measures adopted by Waystone to ensure Personal Data quality include:
- facilitating amendments to Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification;
- keeping Personal Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period;
- the removal of Personal Data, if not compliant with any of the Data Protection principles or if the Personal Data is no longer required; and
- restriction, rather than deletion of Personal Data, insofar as:
- a legal or regulatory requirement or matter prohibits erasure;
- erasure would impair Legitimate Interests of the Data Subject; or
- the Data Subject disputes that their Personal Data is correct and it cannot be clearly ascertained whether their information is correct or incorrect.
Personal Data must not be retained for longer than is necessary for the lawful purposes for which it is Processed. To achieve this, each category of Personal Data Processed by Waystone Entities shall be subject to a retention period which can be justified by reference to those lawful grounds. For this purpose, this Policy should be read in conjunction with related operational procedures and Data Classification Policy.
The length of time for which Waystone Entities need to retain Personal Data is set out in the Waystone Group Data Retention Policy. This requires all Waystone Entities to consider the legal and contractual requirements, both minimum and maximum, that influence the retention periods.
All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
Personal Data must be disposed of securely in a way that protects the rights and privacy of Data Subjects and ensures the permanent erasure of the Personal Data. This might include shredding, disposal as confidential waste, or secure electronic deletion.
A Service Provider, acting as a Data Processor, will be contractually obliged to implement appropriate technical and organisational measures which seek to ensure that Personal Data is appropriately protected against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.
14. Data Subject Rights
Data Subjects are entitled to exercise certain rights in respect of their Personal Data. These are detailed within the relevant Privacy Notice and include:
- the right to be informed at the time or before the Personal Data is obtained as to how their Personal Data will be Processed;
- the right to obtain information regarding the Processing of their Personal Data and access to the Personal Data which Waystone holds about them or which is held on Waystone’s behalf;
- the right to receive a copy of any Personal Data which Waystone Processes about them, including the right to receive Personal Data in a structured, commonly used electronic format and/or request that this data is transmitted to a third party where this is technically feasible;
- the right to request that Waystone rectify their Personal Data if it is inaccurate or incomplete;
- the right to withdraw Consent to Processing at any time;
- the right to request that Waystone erase their Personal Data in certain circumstances. This may include, but is not limited to circumstances in which:
- it is no longer necessary for Waystone to retain their Personal Data for the purpose for which we collected it;
- Waystone is only entitled to Process the Data Subject’s Personal Data with their Consent and the Data Subject withdraws their Consent;
- where Waystone is Processing a Data Subject’s Personal Data on Legitimate Interest grounds, the right of the Data Subject to object to such Processing; and
- the right to lodge a complaint with a supervisory authority, if the Data Subject thinks that any of their rights have been infringed by a Waystone Entity.
Whilst the Data Protection Legislation affords Data Subjects these rights, in some instances Waystone may not be in a position to fulfil a request7.
Furthermore, Service Providers may Process Personal Data on behalf of Waystone, and it may (in limited circumstances) also deem itself a Data Controller of such Personal Data where it uses the Personal Data for its own purposes. In these circumstances, all Data Subject rights shall be exercisable by the Data Subject against the Third-Party Service Provider alone.
14.1 Data Subject Rights & Requests
The Data Subject therefore has the right to:
- object to Processing of their Personal Data;
- lodge a complaint with the DPA;
- request rectification or erasure of their Personal Data; and
- request restriction of Processing of their Personal Data.
All requests received for exercise of Data Subject rights including access to or rectification of Personal Data must be directed to the Compliance Team, who will log each request as it is received.
A response to each request will be provided within one month of the receipt of the written request from the Data Subject. Appropriate verification must confirm that the requestor is the Data Subject or their authorised legal representative. Data Subjects shall have the right to require Waystone to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data.
If Waystone cannot respond fully to the request within one month, the Compliance Team shall nevertheless provide the following information (to the extent relevant) to the Data Subject, or their authorised legal representative within the specified time:
- an acknowledgement of receipt of the request;
- any information located to date;
- an estimated date by which any remaining responses will be provided;
- details of any requested information or modifications which will not be provided to the Data Subject, the reason(s) for the refusal, and any procedures available for appealing the decision;
- the reasons for which it cannot comply with the request and confirmation of the potential to:
- lodge a complaint with a supervisory body; and
- seek a judicial remedy;
- an estimate of any costs to be paid by the Data Subject (e.g. where the request is excessive in nature); and
- the name and contact information of the Waystone individual who the Data Subject should contact for follow up.
As noted above Waystone cannot generally charge a fee for dealing with any Data Subject requests. However, where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, Waystone may either:
- charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request.
In such circumstances, Waystone shall maintain all necessary records to demonstrate the manifestly unfounded or excessive character of the Data Subject’s request.
15. Law Enforcement Requests & Disclosures
In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:
- the prevention or detection of crime;
- the apprehension or prosecution of offenders;
- the assessment or collection of a tax or duty; or
- by the order of a court or by any rule of law.
If a Waystone Entity Processes Personal Data for one of these purposes, then it may apply an exception to the Processing rules outlined in this Policy but only to the extent that not doing so would be likely to prejudice the case in question.
If any Waystone Entity receives a request from a court or any regulatory or law enforcement authority for information relating to a Data Subject known to Waystone it must immediately notify the Compliance Team and the appropriate member of the Legal Team who will provide comprehensive guidance and assistance.
16. Notification Process
Any individual or Waystone Entity who suspects that a Data Breach has occurred due to the theft or exposure of Personal Data must immediately notify the Compliance Team providing a description of what occurred. Notification of the incident can be made via e-mail to email@example.com.
The Compliance Team will investigate all reported incidents to confirm if a Data Breach has occurred. If a Data Breach is confirmed, the Compliance Team will follow the relevant authorised procedure based on the criticality and quantity of the Personal Data involved.
The Compliance Team will also promptly notify the Board of Directors of any relevant Waystone Entity of the Data breach and shall, if considered necessary, convene a board meeting to consider the matter further.
16.1 Immediate Notification to the DPC of Data Protection Breaches
Waystone via the Compliance Team must report all Personal Data protection breaches to the relevant DPA e.g. Irish Data Protection Commission (“DPC”) or the Cayman Islands Ombudsman within the applicable time period, for example:
Under GDPR, notification must be made to the DPC no later than 72 hours after the becoming aware of the Data breach. If a report is not made within 72 hours then an explanation as to the delay needs to accompany the report.
Under the DPL, notification must be made to the Ombudsman without undue delay, but in any event no longer than five days after Waystone should, with the exercise of reasonable diligence, have been aware of that Data Breach.
Waystone will follow any guidance issued by the relevant DPA, in relation to reporting Data Breaches. Prior to submitting a notification to the relevant DPA, the notification should be approved by the Board of Directors of the Waystone Entity which is responsible for the Data breach, where possible.
16.2 Immediate Notification to the DPC of Data Protection Breaches
The Waystone Entity or the Compliance Team will make an assessment regarding notification of a Data Breach to affected Data Subjects, considering the criteria and timing requirements in the relevant Data Protection Legislation.
For example, where the Data Breach falls within the scope of GDPR, the Waystone Entity or the Compliance Team will make an assessment regarding notification of a Data Breach to affected Data Subjects considering the criteria set down in Article 34 of the GDPR.
Where it has been determined that notification to a Data Subject is required, notification should occur promptly, without undue delay.
17. Logging Issues and Breaches
The Compliance Teams shall maintain a central log as set out in Appendix II containing details on all Data Breaches. Issues and resolution of Data Breaches are managed by the Compliance Team.
18. Data Protection Training
All Waystone Employees will have their responsibilities under this Policy outlined to them as part of their staff induction training. In addition, each Waystone Entity will be required to provide procedural guidance for their Employees.
The training and procedural guidance set forth will consist of, at a minimum, the following elements:
- the Data Protection Principles set forth in Section 3 above;
- each Employee’s duty to use and permit the use of Personal Data only by authorised persons and for authorised purposes;
- the need for, and proper use of, the forms and procedures adopted to implement this Policy;
- the correct use of passwords, security tokens and other access mechanisms in line with respective operational procedures;
- the importance of limiting access to Personal Data;
- securely storing manual files, print outs and electronic storage media;
- the need to obtain appropriate authorisation and utilise appropriate safeguards for all transfers of Personal Data inside and outside of the internal network and physical office premises;
- proper disposal of Personal Data; and
- any special risks associated with specific departmental activities or duties.
APPENDIX I: PRIVACY NOTICE: GDPR COMPLIANT EXAMPLE
Waystone Group (“Waystone”) Privacy Notice
This notice sets out details of how and why we (“Waystone”, “we”, “us”, “our”) and third parties collect and process personal information in connection with your relationship, or directorship with Waystone, its Funds or associated interactions with us. We do this in compliance with our obligations under applicable data protection law. This notice explains what personal data is collected, the purposes for which it is used, the third parties to whom it may be disclosed and how individuals can exercise their rights in relation to their personal data.
This notice applies to the collection and processing of personal information relating to individuals associated with you, such as directors, shareholders, trustees, beneficial owners, employees, representatives, agents, professional advisers and other personnel. References to “you” and “your” mean the relevant individuals who are the subjects of the personal data to which this notice relates or you. You should ensure that this notice is provided to any individual whose personal data has been provided to us as soon as practicable.
Waystone or a Waystone Funds receives and processes personal data collected as part of your engagement with us or associated interactions with us. Waystone or a Waystone Funds may engage third party service providers to process such personal data on its behalf and those third parties act as Processors. Waystone and Waystone Funds are not required to designate a Data Protection Officer. If you have any questions about the use of your personal data, your data protection rights or if you want to exercise those rights, please contact firstname.lastname@example.org.
Personal Data that we Process
Waystone collects personal data relating to you that is provided to us as part of our due diligence process, both from you and from public sources and in connection with our dealings with you or associated interactions with us, including your name, signature, postal address, email address, fax number, date and place of birth, nationality, curriculum vitae, bank account details, source of funds details, tax identification, credit history, signatures, other contact details, shareholder register, account numbers (or functional equivalent) and transaction details.
We may also collect personal data in relation to you in connection with ensuring compliance with our legal obligations including your tax or social security ID number or equivalent; passport number; utility bills, photographic identification and verification such as copies of your passport, passport number, drivers licence and address verification. For the purposes of meeting our legal obligations or carrying out due diligence, we may also collect information relating to your status as an ultimate beneficial owner of an entity, or as a politically exposed person.
We may collect and process personal data relating to you in connection with our on-going relationship with you, such as via correspondence and calls, and in connection with the administration of our relationship with you. Telephone calls with you may be recorded for the purposes of record keeping, security and training.
In addition, we may collect personal data relating to you from third party sources in connection with complying with requirements relating to anti-money laundering, taxation, and other legislation applicable to the financial services industry or for vetting or screening purposes or fitness and probity assessments or references from previous employers.
How we obtain your personal information
We collect information from you as part of our client on-boarding take on processes as necessary in the course of establishing a relationship with you. We gather information about you when you provide it to us, or interact with us directly, for instance engaging with our staff, providing a business card or registering on one of our digital platforms or applications. We may also collect or receive information about you from other sources, such as keeping the contact details we already hold for you accurate and up to date using publicly available sources.
Purposes of Processing and Legal Basis
Personal data that you provide, or that we otherwise obtain in relation to you, will be processed for the following purposes:
- Processing the application to become a client of Waystone and or to act as a director of a Waystone Fund;
- To manage and administer your relationship with Waystone and or directorship on a Waystone Fund. This is necessary for the performance of the onboarding contract with Waystone.
- Establishing your identity, and providing, servicing and administering your relationship or directorship with Waystone or investment with Waystone Fund;
- to reflect ownership of units in a Waystone Fund and to manage and administer your holdings in the Fund. This is necessary for the performance of the contract to purchase shares in a Waystone Fund and to process redemption, conversion, transfer and additional subscription requests or the payment of distributions or redemption amounts.
- complying with our legislative and regulatory obligations in connection with our dealings with you, including under applicable law regarding anti-money laundering and counter terrorist financing, taxation, the regulation of collective investment schemes, or the provision of financial services, crime-detection, prevention, investigation and prosecution, the prevention of fraud, bribery, anti-corruption, tax evasion, to prevent the provision of financial and other services to those who may be subject to economic or trade sanctions, in response to legal or court requests or requests from regulatory authorities or where it is in the public interest;
- for direct marketing purposes (that is, providing information on products and services) or for quality control, business and statistical analysis, market research or for tracking fees and costs or for customer service, training and related purposes;
- If applicable, processing the fact that you are a politically exposed person, to comply with applicable legal obligations;
- To communicate with you by way of notice pursuant to applicable legislation, The Funds constitutional documents or Waystone’s constitution or circulating reports;
- Maintaining appropriate business records, including maintaining appropriate registers;
- Where required for local and global tax reporting purposes, including FATCA or CRS;
- Internal training and management of personnel;
- To respond to or evaluate any queries or complaints in relation to your directorship, or relationship with us or investment in a Waystone Fund;
- Internal and external audits and, where necessary, investigations;
- Establishing, exercising or defending legal claims.
The legal grounds that we rely on to process your personal data are:
- That it is necessary to comply with Waystone or a Waystone Fund legal and regulatory obligations;
- That it is necessary for the purposes of our legitimate interests8 or the legitimate interests of a third party to whom your personal data is provided. We will not process your personal data for these purposes if our or the third party’s legitimate interests should be overridden by your own interests or fundamental rights and freedoms. The legitimate interests pursued by us in this regard include:
- Conducting our business in a responsible and commercially prudent manner and dealing with any disputes that may arise;
- Preventing, investigating or detecting theft, fraud or other criminal activity;
- Pursuing our corporate and social responsibility objectives.
- where you are an individual it is necessary to take steps at your request prior to entering into our contract with you and for the performance of our contract with you;
- In certain limited circumstances, your consent.
Recipients of Data
Your personal data may be disclosed to various recipients in connection with the above purposes, including:
- The Board of Waystone (and in certain circumstances where there is legitimate interest, performance of a contract or legal obligation), its employees or the Board of a Waystone Fund;
- Third party service providers that may be appointed to any product to be established, or service to be provided, by you or the board of that product;
- Money Laundering Reporting Officer;
- Company Secretary;
- A domestic and other foreign tax authorities as required by applicable law, including FATCA or CRS;
- A Competent Authority in the relevant jurisdiction, the Workplace Relations Commission, Department of Social Protection, Pensions Authority, auditors, or equivalent bodies as requested or required by law;
- Other third parties who we engage to provide services to us, such as professional advisers, legal advisers, auditors and IT service providers;
- To screening and other reference agencies in order to carry out money laundering and identity checks and to comply with legal obligations;
- Other members of our corporate group or the corporate groups of the entities referred to above, as well as affiliates, agents and delegates both within and outside the EEA;
Other Data Controllers
The Fund Administrator may use the information provided by you in order to obtain information it requires in relation to your prospective investment in another fund. The Administrator may consider itself a data controller with respect to this activity.
The Fund Administrator and MLRO may make a report to a relevant authority where it has a suspicion of money laundering or a terrorist financing offence. Where the Administrator makes such a report for itself, not with respect to you, it may consider itself a data controller with respect to this activity. The legal basis for making such disclosure is to comply with a legal requirement.
The Fund Depositary may consider itself a data controller with respect to personal data it receives in the performance of its oversight services with respect to the Fund. The legal basis for obtaining such data is to comply with a legal requirement.
In connection with the above purposes your personal data may be transferred outside the European Economic Area, including to a jurisdiction which is not recognised by the European Commission as providing for an equivalent level of protection for personal data as is provided for in the European Union. These jurisdictions may include the United States of America, the Cayman Islands and Asia. If and to the extent that we do so, we will ensure that appropriate measures are in place to protect the privacy and integrity of such personal data and in particular will comply with our obligations under GDPR9 governing such transfers, which may include:
- entering into a contract governing the transfer which contains the “standard contractual clauses” approved for this purpose by the European Commission;
- in respect of transfers to the United States of America, ensuring that the transfer is covered by the EU-US Privacy Shield framework (for so long as that it meets with the requirements of GDPR as regards reliance on adequacy decisions under Article 45 of the GDPR);
- transferring your personal data pursuant to binding corporate rules; or
- a transfer where the European Commission has determined that the recipient jurisdiction ensures an adequate level of protection.
Further details of the measures that we have taken in this regard and the territories to which your personal data may be transferred are available by contacting us as set out above.
Use of Waystone website
Marketing and other emails
We use personal information to understand whether you read the emails and other materials, such as legal publications, that we send to you, click on the links to the information that we include in them and whether and how you visit our website after you click on that link (immediately and on future visits). We do this by using software that places a cookie on your device which tracks this activity and records it against your email address. Please see ‘Use of Waystone website’ for more information on cookies and how to manage and remove them.
We may also use a relationship management tool, where permitted by applicable law, to track and record the relationship between Waystone and our clients or potential clients based on the frequency of email contact between them. We use that information in order to assess, analyse and improve the services that we provide.
If you receive marketing communications from us and no longer wish to do so, you may unsubscribe at any time by clicking the unsubscribe link at the bottom of all marketing e-mail communications.
Meetings, events and seminars
We also collect and process personal information about you in relation to your attendance at our offices or at an event or seminar organised by Waystone or its business partners. We will only process and use special categories of personal information about your dietary or access requirements in order to cater for your needs and to meet any other legal or regulatory obligations we may have. We may share your information with IT and other service providers or business partners involved in organising or hosting the relevant event.
We will retain your personal data for the duration of your relationship or directorship with Waystone, or investment in a Waystone Fund, for such a period of time after the relationship, directorship or investment ends as is necessary to comply with our obligations under applicable law and, if relevant, to deal with any claim or dispute that might arise.
You have the following rights, in certain circumstances and subject to applicable exemptions, in relation to your personal data as set out in more detail in Chapter 3 of the GDPR:
- the right to access your personal data, together with information about our processing of that personal data;
- the right to rectify any inaccuracies in your personal data;
- the right to have any incomplete personal data completed;
- the right to erase your personal data (in certain specific circumstances).
- the right to request that your personal data is no longer processed for particular purposes (in certain specific circumstances);
- where the legal basis for processing is consent, the right to withdraw your consent at any time;
- the right to object to the use of your personal data or the way in which it is processed where Waystone or the Waystone Fund has determined it to be necessary for the purposes of our legitimate interests;
- the right to data portability (in certain specific circumstances);
- The right to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the requirements of the applicable data protection law.
Links to other sites
Our website may, from time to time, contain links to and from other websites. If you follow a link to any of those websites, please note that those websites have their own privacy policies and we do not accept any responsibility or liability for those policies. Please check those policies before you submit any personal information to those websites.
Changes to this Privacy Statement
We reserve the right to change this Privacy Notice from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Privacy Notice. Your continued use of this website after we make changes is deemed to be acceptance of those changes, so please check this Privacy Notice periodically for updates.