The Data Protection Act, 2021 (the “Act”) was brought into force in the BVI with immediate effect on 9 July 2021 and introduces, for the first time in the British Virgin Islands, a legislative framework for data protection based on a set of internationally recognised privacy principles.
The Act provides that its objects are to:
- safeguard personal data processed by public bodies and private bodies by balancing the necessity of processing the personal data and protecting personal data from unlawful processing; and
- promote transparency and accountability in the processing of personal data.
Application of the Act to Private Bodies
A private body is defined as a body that (a) carries on any trade, business or profession, but only in that capacity; or (b) has legal personality.
With respect to a private body the Act applies to (a) a person who processes; or (b) a person who has control over, or authorises the processing of personal data in respect of commercial transactions.
“Commercial transaction” is interpreted very broadly in the Act and means any transaction of a commercial nature, whether contractual or not, including any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
The remainder of this note focuses on the specific effect of the Act on investment funds.
BVI funds should now take the necessary steps to ensure that they understand their obligations under the Act and establish policies and procedures to provide adequate protection for all personal data under their control.
Application of the Act to BVI Funds
Subject to the foregoing, the Act applies to a person in respect of personal data if (a) the person is established in the BVI and processes personal data, or employs or engages any other person to process personal data on his or her behalf, whether or not in the context of that establishment; or (b) the person is not established in the BVI, but uses equipment in the BVI for processing personal data otherwise than for the purposes of transit through the BVI.
Accordingly, the Act will apply to all BVI incorporated companies and BVI limited partnerships unless the limited partnership has elected to have no legal personality (although such entities may still be caught under the definition of “establishment”).
The Act provides that a data controller (being a person who either alone or jointly or in common with other persons processes any personal data, or has control over, or authorises the processing of any personal data, but does not include a data processor) shall:
1. not process data without the data subject’s express consent;
2. limit the use of sensitive personal data; and
3. prohibit the transfer of personal data outside of the BVI, unless there is proof of adequate data protection safeguards or consent from the data subject.
A “data subject” means a natural person, whether living or deceased. Therefore, in the context of an investment fund, this would include an individual serving as director of a corporate investor in a BVI fund, but not the corporate investor itself.
There are exceptions to (1) above if, among other things, the processing is necessary for the performance of a contract to which the data subject is a party or to comply with any legal obligation. However, it remains the case that personal data shall not be processed unless (i) the personal data is processed for a lawful purpose directly related to the activity of the data controller; and (ii) the processing is necessary for, or directly related to, that purpose. Furthermore, the personal data processed must not be excessive in relation to that purpose.
A BVI fund will generally be regarded as the data controller and will have certain duties with respect to that data including:
- ensuring that data subjects are notified of a request for personal data;
- where consent is provided, ensuring that the personal data is used for the purposes that the data subject consented to (save for certain limited circumstances);
- taking practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction;
- ensuring that personal data shall not be kept for longer than is necessary; and
- ensuring that personal data is accurate, complete, not misleading and kept up to date.
The Act also permits data subjects to submit written requests for access to personal data in accordance with the requirements of the Act.
As a data controller, a fund is not only responsible for ensuring that it processes personal data in accordance with the Act, but shall also ensure that any entity or service provider which processes data on the fund’s behalf (a “data processor”):
- provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
- takes reasonable steps to comply with those measures,
for the purposes of protecting the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
The Act will apply where personal data is processed on behalf of a person established in the BVI, and also where it is not processed on behalf of such a person but is nonetheless processed in the BVI.
The fund administrator, or registrar and transfer agent, will, in some circumstances, be a data processor (and in other circumstances, be a data controller where it processes personal data, such as know your client information, for its own purposes) as it receives the subscription agreement and supplemental documents which include know your client, FATCA, and other personal data. An investment manager or advisor who reviews fund information related to individuals will also be a data processor for the purposes of the Act.
Data controllers may wish to consider reviewing the existing service agreements in place and making any amendments necessary to ensure that a data processor complies with the relevant data protection principles (e.g. that data is kept secure and not transferred to a jurisdiction that does not ensure an adequate level of protection for the rights of data subjects).
A data processor may have already contractually agreed to comply with data protection requirements of another jurisdiction and, if so, the fund’s board may consider whether this provides adequate protection under the Act.
Documenting the Act for Funds
A fund should:
1. Have a privacy notice for investors and subscribers (an outward-facing document).
2. Amend any offering memorandum to reference its obligations under the Act.
3. Amend any documentation with third parties who may be handling personal data provided to them by the fund to ensure that they, as data processors, will process personal data in accordance with the Act (e.g. the investment management agreement and administration agreement).
4. Document and put in place the necessary internal procedures to ensure that it will comply with the Act going forward.
5. Pass any corporate resolutions necessary in connection with 1-4 above.
These are each considered in more detail below.
A privacy notice enables a fund to comply with the requirement that data subjects (investors) are entitled to be informed of the identity of the data controller and the purposes for which their personal data are processed. Best practice is to provide additional information such as the legal bases on which data is processed, categories of data obtained, source of the data, the recipients or categories of recipients of the data, details of any international transfers (i.e. transfers outside the BVI), the retention period of the data, the rights available to data subjects (including the right to make a complaint to the Information Commissioner), and (if applicable) the details of any automated decision making. This would be inserted in a fund’s subscription agreement, but should also be available as a standalone document to existing investors.
The offering memorandum should be amended to include a brief description of the Act, investor personal data rights, and lawful purposes for processing. If the fund is not actively offering interests, this step may be undertaken at a later date to include provisions related to data protection.
Third Party Service Providers Handling Personal Data Provided by the Fund
Data processing agreements with third party service providers (data processors), such as the administrator and investment manager, should be amended to explicitly provide for respective obligations under the Act. Funds should check their administration agreements and investment management agreements to determine whether such agreements contain adequate obligations to comply with the Act or similar measures.
A fund’s internal cornerstone data protection procedures should include: a data protection policy which mirrors its privacy notice and details regarding how personal data is obtained, stored, protected, and processed; a data retention policy and data retention schedule to outline storage and destruction protocols; a data subject access request procedure for appropriate and compliant responses to data subject queries and complaints; and a data incident response plan which includes responsibilities, measures, and reporting obligations in the event of a data breach.
The European Union’s General Data Protection Regulation ((EU) 2016/679) (“GDPR”) establishes a regulatory framework for the protection of personal data in European Economic Area (EEA) countries. If the fund or investment manager complies with the GDPR or another adequate national data protection standard, such compliance may also suffice for the purposes of the Act, but advice in this regard should be sought.
Every affected fund and investment manager should consider the aforementioned requirements (albeit recognising that so far as internal policies and procedures are concerned, these can be developed over a period of time).
Campbells can advise and assist on these matters including the drafting of all relevant documents and amendments to existing arrangements. For further information, please contact your usual Campbells contact or get in touch with one of the experts below.