that personal data is accurate, complete, not misleading and kept up to date.<\/li>\n<\/ol>\nThe Act also permits data subjects to submit written requests for access to personal data in accordance with the requirements of the Act.<\/p>\n
Data Processors<\/h2>\n
As a data controller, a fund is not only responsible for ensuring that it processes personal data in accordance with the Act, but shall also ensure that any entity or service provider which processes data on the fund\u2019s behalf (a \u201cdata processor<\/strong>\u201d):<\/p>\n\n- provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and<\/li>\n
- takes reasonable steps to comply with those measures,<\/li>\n<\/ol>\n
for the purposes of protecting the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.<\/p>\n
If the processing of personal data is engaged on behalf of a person established in the BVI, or is not for a person established in the BVI but is processed in the BVI, the Act will apply.<\/p>\n
The fund administrator, or registrar and transfer agent, will, in some circumstances, be a data processor (and in other circumstances, be a data controller where it processes personal data, such as know your client information, for its own purposes) as it receives the subscription agreement and supplemental documents which include know your client, FATCA, and other personal data.\u00a0 An investment manager or advisor who reviews fund information related to individuals will also be a data processor for the purposes of the Act.<\/p>\n
Data controllers may wish to consider reviewing the existing service agreements in place and making any amendments necessary to ensure that a data processor complies with the relevant data protection principles (e.g. that data is kept secure and not transferred to a jurisdiction that does not ensure an adequate level of protection for the rights of data subjects).<\/p>\n
A data processor may have already contractually agreed to comply with data protection requirements of another jurisdiction and, if so, the fund\u2019s board may consider whether this provides adequate protection under the Act.<\/p>\n
Documenting the Act for Funds<\/h2>\n
A fund should:<\/p>\n
\n- Have a privacy notice for investors and subscribers (an outward-facing document).<\/li>\n
- Amend any offering memorandum to reference its obligations under the Act.<\/li>\n
- Amend any documentation with third parties who may be handling personal data provided to them by the fund to ensure that they, as data processors, will process personal data in accordance with the Act (e.g. the investment management agreement and administration agreement).<\/li>\n
- Document and put in place the necessary internal procedures to ensure that it will comply with the Act going forward.<\/li>\n
- Pass any corporate resolutions necessary in connection with 1-4 above.<\/li>\n<\/ol>\n
These are each considered in more detail below.<\/p>\n
Privacy Notice<\/h2>\n
A privacy notice enables a fund to comply with the requirement that data subjects (investors) are entitled to be informed of the identity of the data controller and the purposes for which their personal data are processed.\u00a0 Best practice is to provide additional information such as the legal bases on which data is processed, categories of data obtained, source of the data, the recipients or categories of recipients of the data, details of any international transfers (i.e. transfers outside the BVI), the retention period of the data, the rights available to data subjects (including the right to make a complaint to the Information Commissioner), and (if applicable) the details of any automated decision making.\u00a0 This would be inserted in a fund\u2019s subscription agreement, but should also be available as a standalone document to existing investors.<\/p>\n
Offering Memorandum<\/h2>\n
The offering memorandum should be amended to include a brief description of the Act, investor personal data rights, and lawful purposes for processing.\u00a0 If the fund is not actively offering interests, this step may be undertaken at a later date to include provisions related to data protection.<\/p>\n
Third Party Service Providers Handling Personal Data Provided by the Fund<\/h2>\n
Data processing agreements with third party service providers (data processors), such as the administrator and investment manager, should be amended to explicitly provide for respective obligations under the Act.\u00a0 Funds should check their administration agreements and investment management agreements to determine whether such agreements contain adequate obligations to comply with the Act or similar measures.<\/p>\n
Internal Procedures<\/h2>\n
A fund\u2019s internal cornerstone data protection procedures should include: a data protection policy which mirrors its privacy notice and details regarding how personal data is obtained, stored, protected, and processed; a data retention policy and data retention schedule to outline storage and destruction protocols; a data subject access request procedure for appropriate and compliant responses to data subject queries and complaints; and a data incident response plan which includes responsibilities, measures, and reporting obligations in the event of a data breach.<\/p>\n
GDPR<\/h2>\n
The European Union\u2019s General Data Protection Regulation ((EU) 2016\/679<\/em>) (\u201cGDPR<\/strong>\u201d) establishes a regulatory framework for the protection of personal data in European Economic Area (EEA) countries.\u00a0 If the fund or investment manager comply with the GDPR or another adequate national data protection standard such compliance may also suffice for the purposes of the Act, but advice in this regard should be sought.<\/p>\nTiming<\/h2>\n
Every affected fund and investment manager should consider the aforementioned requirements (albeit recognising that so far as internal policies and procedures are concerned, these can be developed over a period of time).<\/p>\n
Further information<\/h2>\n
Campbells can advise and assist on these matters including the drafting of all relevant documents and amendments to existing arrangements.\u00a0 For further information, please contact your usual Campbells contact or get in touch with one of the experts below.<\/p>\n","protected":false},"excerpt":{"rendered":"
The Data Protection Act, 2021 (the \u201cAct\u201d) was brought into force in the BVI with immediate effect on 9 July 2021 and introduces, for the first time in the British Virgin Islands, a legislative framework for data protection based on a set of internationally recognised privacy principles.\u00a0<\/p>\n
The Act provides that its objects are to:<\/p>\n
– safeguard personal data processed by public bodies and private bodies by balancing the necessity of processing the personal data and protecting personal data from unlawful processing; and
\n– promote transparency and accountability in the processing of personal data.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4],"tags":[],"yst_prominent_words":[1454,3470,3468,1938,1939,3467,3478],"class_list":["post-6906","post","type-post","status-publish","format-standard","hentry","category-client-advisory"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/posts\/6906","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/comments?post=6906"}],"version-history":[{"count":5,"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/posts\/6906\/revisions"}],"predecessor-version":[{"id":7050,"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/posts\/6906\/revisions\/7050"}],"wp:attachment":[{"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/media?parent=6906"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/categories?post=6906"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/tags?post=6906"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/www.campbellslegal.com\/wp-json\/wp\/v2\/yst_prominent_words?post=6906"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}