1 POLICY STATEMENT
1.1 Everyone has rights with regard to the way in which their personal data is handled. During the course of the HKB Fund Services Limited and its affiliates (HKB) activities, it may collect, store and process personal data about the investors, officers and other third parties, and HKB recognises that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.
1.2 This document sets out the principles that HKB follows when processing personal data to help ensure compliance with the General Data Protection Regulation (GDPR) EU 2016/679 and other applicable regulations including The Personal Data (Privacy) Ordinance of Hong Kong. Data Users are obliged to comply with this policy when processing personal data on the Group's behalf.
2 ABOUT THIS POLICY
2.1 The types of personal data that HKB may be required to handle include information about current, past and prospective investors, officers and others with whom HKB transacts or communicates. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR.
2.2 This policy and any other documents referred to in it sets out the basis on which HKB will process any personal data it collects from data subjects, or that is provided to it by data subjects or other sources.
2.3 This policy sets out rules on data protection and the legal conditions that must be satisfied when it collects, handles, processes, transfers and stores personal data.
2.4 The directors of HKB are collectively responsible for ensuring compliance with the GDPR, other applicable local privacy regulations and with this policy. The Board of HKB has concluded that a Data Protection Officer is not merited in this instance and has documented its reasons, as required by the GDPR. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to HKB compliance.
3 DEFINITION OF TERMS USED IN THIS POLICY
3.1 Data is information which is stored electronically, on a computer, or in paper-based structured filing systems.
3.2 Data Subjects for the purpose of this policy include all living individuals about whom HKB holds personal data. All data subjects have legal rights in relation to their personal data.
3.3 Personal Data means data relating to a living individual who can be identified directly from that data, or indirectly from that data in conjunction with other information.
3.4 Data Controllers are the people who, or organisations who, alone or jointly with others, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for, and must be able to demonstrate compliance with, the data protection principles. HKB is the data controller of all personal data used in the HKB's business for the HKB's own commercial purposes.
3.5 Data Users are those of the HKB's board members, officers or delegates whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
3.6 Data Processors include any person or organisation that processes personal data on the HKB's behalf and on the HKB's instructions.
3.7 Processing is any activity that involves use of the personal data. It means carrying out any operation or set of operations on the data including collecting, recording, organising, structuring, storing, amending, retrieving, using, consulting, disclosing by transmission, disseminating or otherwise making available, combining, restricting, erasing or destroying it.
3.8 Sensitive Personal Data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or sexual life.
4 DATA PROTECTION PRINCIPLES
4.1 As a data controller, HKB is responsible for, and must be able to demonstrate compliance with, the six data protection principles. These principles provide that personal data must be:
4.1.1 Obtained and processed fairly, transparently and lawfully
4.1.2 Collected for specific, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes
4.1.3 Adequate, relevant and not excessive
4.1.4 Accurate and up-to-date
4.1.5 Not kept for longer than necessary
4.1.6 Kept safe and secure
5 FAIR, TRANSPARENT AND LAWFUL PROCESSING
5.1 The GDPR is not intended to prevent the processing of personal data, but to ensure that it is done fairly and transparently.
5.2 For personal data to be processed fairly and transparently, HKB (as a data controller) must inform data subjects, when HKB collects personal data directly from them, about all of the following:
5.2.1 That HKB is the data controller in regard to the HKB's data and HKB's contact details
5.2.2 The contact details of the Data Protection Officer (if appointed at any stage)
5.2.3 The purpose or purposes for which HKB intends to process the personal data and the legal basis
5.2.4 The legitimate interests pursued by HKB or by a third party and an explanation of those interests (where processing is based on this ground)
5.2.5 Where the processing is based on consent their right to withdraw it at any time
5.2.6 The third parties or categories of third parties, if any, to whom the Fund will disclose the personal data
5.2.7 Details of any transfers out of the EEA or Hong Kong, the safeguards HKB has in place and the means by which to obtain a copy of them
5.2.8 The data retention period or criteria used to determine same
5.2.9 The existence of the right to request access to their data; rectification or erasure of their data; restrict or object to processing, and the right to data portability
5.2.10 The right to complain to the Data Protection Commissioner if they are unhappy with how HKB is handling their data
Details of any automated decision-making, including profiling, and the logic involved, as well as the significance and consequences of such processing for the data subject
5.2.11 Details of any automated decision-making, including profiling, and the logic involved, as well as the significance and consequences of such processing for the data subject,
5.2.12 Whether the provision of personal data is a statutory or contractual requirement, and the consequences of failing to provide such data
5.3 Where HKB intends to process the personal data for a further purpose, other than that for which the personal data were collected, HKB will provide the data subject prior to that further processing with information on that purpose.
5.4 If HKB receives personal data about a data subject from other sources, HKB will provide the data subject with the information at clause 5.2, as well as the categories of personal data concerned, from which source the data originated and, if applicable, whether it came from publicly accessible sources. HKB will provide this information to the data subject within one month of obtaining the data; or at the time of the first communication to the data subject (where applicable), or if a disclosure to another recipient is envisaged, when the data are first disclosed.
5.5 When processing personal data in the course of the HKB's business, the Fund will ensure that these information requirements are met.
5.6 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the GDPR. These grounds include: where the data subject has given his/her free, informed and unambiguous consent; or if necessary for the performance of a contract with the data subject; or for compliance with a legal obligation to which the data controller is subject; or for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where those interests are overridden by the interests of the data subject.
5.7 The processing of Sensitive Personal Data is prohibited unless one of another set of legal grounds set out in the GDPR applies including: the data subject has given his/her explicit consent; or the data have been made public by the data subject; or if necessary for the establishment or defence of legal claims, or to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving his/her consent.
6 PROCESSING FOR LIMITED PURPOSES
6.1 In the course of the HKB's business, HKB may collect and process the personal data set out in the schedule. This may include data HKB receives directly from a data subject (for example, by completing forms or by corresponding with the HKB by mail, phone, email or otherwise) and data HKB receives from other sources (including, for example, business partners, counterparties, sub-contractors in technical, payment and delivery services, and others).
6.2 The Fund will only process personal data for the specific purposes set out in the schedule or for any other purposes specifically permitted by the GDPR. HKB will notify those purposes to the data subject when HKB first collects the data or, if HKB collects the data indirectly, as soon as possible thereafter.
7 ADEQUATE, RELEVANT AND NOT EXCESSIVE
HKB will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject.
8 ACCURATE AND UP-TO-DATE DATA
HKB will take reasonable steps to ensure that personal data HKB holds is accurate and kept up-to-date. HKB will take reasonable steps to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. HKB will take all reasonable steps to amend or destroy inaccurate or out-of-date data.
9 STORAGE LIMITATION
The Fund will not keep personal data for longer than is necessary for the purpose or purposes for which they were collected. The Fund will take all reasonable steps to destroy, or erase the data from the Fund's systems when they are no longer required as set out in the Schedule to this Policy.
10 DATA SECURITY
10.1 HKB will or will require that its delegates will take appropriate technical and organisational security measures, taking in account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, or stored.
10.2 The Fund's security measures include, where appropriate:
10.3 Where processing is to be carried out on the HKB's behalf, HKB shall only engage processors who provide sufficient contractual guarantees to implement appropriate technical and organisational security measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
10.4 As a controller, HKB is required to enter into a written contract with the processor (including in electronic form), which will set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects. The contract shall set out, in particular, the specific mandatory obligations of processors laid down in Article 28 of the GDPR.
11 PROCESSING IN LINE WITH DATA SUBJECT'S RIGHTS
11.1 As a data controller, HKB is required to process personal data in line with data subjects' rights, in particular their right to:
11.1.1 Request access to a copy of any data HKB holds about them (see also clause 13)
11.1.2 Request any inaccurate or incomplete data to be rectified (see also clause 8)
11.1.3 Object to or request erasure or restriction of processing in specified circumstances
11.1.4 Request a copy of the data they have provided to HKB and transmit those data to another controller without hindrance from HKB, or have the personal data transmitted directly from HKB to another controller, where technically feasible (i.e. right to data portability)
11.1.5 Not to be subject to a decision based solely on automated processing, including profiling, which produces a legal effect or other significant effect on the data subject, except where the decision is necessary for the performance of a contract; authorised by EU, Irish or Hong Kong law, or based on the data subject's explicit consent
11.1.6 Prevent the processing of their data for direct-marketing purposes
11.2 HKB will provide the data subject with information on action taken in response to the exercise of any of these rights without undue delay, and at the latest within one month of receipt of the data subject's request. This period may be extended by two further months where requests are numerous or complex.
12 DEALING WITH ACCESS REQUESTS.
12.1 Data subjects may make a request for information HKB holds about them. This request may be made in writing or orally.
12.2 When receiving telephone enquiries, HKB will only disclose personal data HKB holds on HKB's systems if the caller's identity can be verified. If their identity cannot be verified, HKB will request the caller to put their request in writing.
12.3 A data subject has a right of access to a copy of the personal data HKB holds about him/her, as well as the following information:
12.3.1 The purposes of the processing
12.3.2 The categories of the personal data concerned
12.3.3 The recipient to whom the personal data have been or will be disclosed
12.3.4 The data retention period or criteria used to determine same
12.3.5 The existence if the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning that data subject or to object to such processing
12.3.6 The right to lodge a complaint with the Data Protection Commissioner
12.3.7 Where the personal data are not collected from the data subject any available information as to their source
12.3.8 The existence of automated decision-making, including profiling; the logic involved, and the envisaged consequences of such processing for the data subject,
12.3.9 Where personal data is transferred out of the EEA, the data subject must be informed of the appropriate safeguards in place
12.4 HKB will provide a copy of the personal data free of charge unless a request is manifestly unfounded or excessive, in particular because of its repetitive character, in which case it may charge a reasonable fee, based on administrative costs.
12.5 Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information will be provided in a commonly used electronic form.
13 TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA OR HK
13.1 HKB may transfer any personal data the Fund holds to a country outside the European Economic Area (EEA) or Hong Kong, provided that the Group has informed data subjects of the transfer, the safeguards in place and the means by which to obtain a copy of them, and one of the following conditions applies:
13.1.1 The non-EEA country to which the personal data are transferred ensures an adequate level of protection for the data subjects' rights and freedoms. The European Commission deems the following countries to have an adequate level of data protection: Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay. The US is deemed as providing an adequate level of protection where the US recipient of the data is Privacy Shield certified;
13.1.2 Adequate safeguards are in place, such as the Model clauses; Binding Corporate Rules (BCRs); an approved code of conduct or approved certification mechanism with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects'rights;
13.1.3 The transfer is lawful pursuant to one of the derogations in the GDPR, including the data subject has given their explicit consent; the transfer is necessary for the performance of a contract; for public interest reasons; authorised by law; necessary for the defence of legal claims, or to protect the vital interests of the data subject; or
13.1.4 Where none of the above safeguards or derogations apply, a transfer to a non-EEA country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, and is necessary for the legitimate interest of the controller which are not overridden by the rights of data subjects. The controller must inform the Data Protection Commissioner and the data subject of such a transfer, and the legitimate interests pursued.
14 CHANGES TO THIS POLICY
HKB reserves the right to change this policy at any time. Where appropriate, HKB will notify Data Users and/or data subjects of those changes by mail or email.
SCHEDULE 1 DATA PROCESSING ACTIVITIES
| Retention period | Type of personal data | Purpose of processing | Type of processing | Details of security measures in place | Categories of data subject | Details of any transfers to third countries | Categories of recipient to whom personal data is transferred |
|---|---|---|---|---|---|---|---|
| A minimum period of 7 years after investor ceases to be an investor | Name address, tax number | Complying FATCA/ CRS/ Tax reporting law | Obtaining, reviewing, verifying, storing, submitting reports, keeping records updated | Investor | Tax authorities | ||
| Name address contact details, details of investment | Beneficial Ownership obligations yet to be clarified | Beneficial owner or Board member | |||||
| A minimum period of 7 years after the termination of the office- if CA 2014 permits deletion | Name address (and other directorships for directors) | Complying with legal obligations under Company/ ICAV / Investment Trust law | Obtaining, reviewing, storing, submitting keeping up to date | Investors and officers | Companies Registration Office | ||
| A minimum period of 7 years after the termination of the office- if CA 2014 permits deletion | Name address contact details, tax number. Address | To facilitate payment of fees and expenses and tax and social welfare thereon | Obtaining, reviewing, storing, submitting keeping up to date | Officers | Bank, Depositary | ||
| A minimum period of 7 years after the termination of the office | Name address, bank details | To facilitate payment of distributions (dividends and redemptions) | Obtaining, reviewing, storing, submitting keeping up to date | Investors | Bank, Depositary | ||
| A minimum period of 7 years after the termination of the investment | Name, work address and contact details | The facility operators of the relevant agreements/ trades with the counterparty and otherwise in accordance with such agreements/trades | Obtaining, reviewing, storing, submitting keeping up to date | Contract of counterparties | Investment manager, Administrator Depositary |