The Data Protection (Jersey) Law 2018 ("DPJL") was introduced to broadly mirror the EU General Data Protection Regulation ("GDPR"), which has applied since 25 May 2018.
The DPJL introduced obligations on those that collect or process personal data, including:
- Disclosure obligations, including how and what data is processed.
- Maintaining safeguards and standards on processing and maintaining data, including actions to take in cases of a data breach.
- Data subject rights, including objecting to data processing and the right to erasure (in certain circumstances).
Why is this relevant to funds?
Funds will likely be subject to the DPJL as:
- Personal data is likely collected when investors subscribe.
- The fund will likely be considered a data controller.
- Administrators or other service providers will likely be considered data processors.
Funds should be aware of their obligations as:
- Data controllers need to register with the Jersey Office of the Information Commissioner.
- Data controllers are ultimately responsible for the processing of personal data in accordance with DPJL.
- Breaching the DPJL can in some cases result in significant fines, criminal liability and harm to the data subjects whose personal data is affected.
Funds should also consider what other personal data they collect, such as that of their directors, officers, representatives, etc.
Key terms
- Data subject: an identified or identifiable natural person.
- Personal data: any information relating to a data subject.
- Data controllers: those that determine, alone or jointly, the purposes and means of the processing of personal data.
- Data processors: those that process data on behalf of a data controller (excluding employees of the controller).
What do data subjects need to know?
Data subjects must be informed about (among other things):
- The identity and contact details of the data controller.
- The purposes for which their personal data is processed and the legal basis for the processing.
- The circumstances in which such data may be disclosed or transferred.
- The data subject's rights in respect of their personal data.
The legal basis for processing the personal data may include the following:
- the processing is necessary for compliance with the data controller's legal obligations;
- the processing is necessary for the performance of a contract by the data controller or the taking of steps at the request of the data subject with a view to entering into a contract;
- the processing is necessary for the purposes of legitimate interests pursued by the data controller; or
- the data subject has consented to the processing of their data for a specific purpose (the data subject has the right to withdraw their consent at any time).
These disclosures are typically found in a privacy notice set out in the offering documents.
How must the data be treated?
The collection and treatment of data must adhere to 'good information handling'. It must be:
- Processed in a fair, lawful and transparent way.
- Collected for a specified and legitimate purpose.
- Adequate, relevant and necessary.
- Accurate and kept up to date.
- Stored only as long as necessary.
- Processed in a manner that ensures appropriate security, integrity and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Unnecessary data should therefore not be collected, and funds will need to ensure their relevant service providers adhere to the DPJL. Typically this is covered by data protection provisions in the written agreements with those service providers, which should set out what the provider may do with the data and the security measures it must maintain.
Special category data
There are additional requirements should special category data be collected, such as race, ethnic background, political opinions, religious beliefs, trade union memberships, genetics, health, sexual orientation and criminal/alleged criminal records.
What rights do data subjects have?
- To be informed about how their data is being used.
- To access their personal data.
- To have inaccurate or incomplete data rectified.
- To request erasure of personal information (in certain circumstances).
- To restrict processing.
- To data portability (in certain circumstances).
- To object to how their data is processed, such as marketing.
What happens in the event of a data breach?
Where personal data is lost, corrupted, improperly disclosed, accessed or distributed, the data controller must notify the Jersey Office of the Information Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects. Where the breach is likely to result in a high risk to data subjects, they will also need to be notified.
We would expect service providers to have appropriate plans in place in the event of a data breach, which should include informing the fund without undue delay so that the fund, as controller, can meet its own notification deadline.
Data protection is a complicated and potentially high risk area of law and this article only covers some of the relevant areas.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.