Why and How We Handle Personal Information

Many countries have data protection laws that protect the privacy of individuals by regulating the way in which businesses handle personal information, as well as requiring businesses to be open and transparent about why and how they handle personal information, among other things.

Our Client Privacy Notices, linked below, provide a general explanation of why and how we handle personal information relating to our clients, business contacts and other persons in connection with the client-facing business we conduct:

  • Client Privacy Notice – Fiduciary Services (Cayman). This notice applies to the fiduciary services and related services, such as entity formation / registration services, registered office services and corporate secretarial services we provide through our entities in the Cayman Islands.
  • Client Privacy Notice – Fiduciary Services (Europe). This notice applies to the fiduciary services and related services, such as entity formation / registration services, registered office services and corporate secretarial services we provide through our European entities.

Our Job Applicant Privacy Notice, linked below, describes how we handle personal information relating to job applicants:

The Privacy Notices linked below explain why and how we handle personal information relating to visitors to our website and web applications:

The Assurances We Offer Where We Act As A 'Processor'

In European countries, where the General Data Protection Regulation (GDPR) and equivalent legislation applies, businesses that engage a service provider that acts as a 'processor' are legally required to ensure that the service contract contains certain contractual assurances.  Similar requirement applies in the Cayman Islands as well, under the Data Protection Law 2017 (DPL).

Our Data Processing Addendum (Europe), linked below, contains the assurances we offer to our clients in accordance with Article 28 of GDPR, and, unless specifically agreed otherwise, it applies from 25 May 2018 to all client engagements of our European entities where we act as a 'processor' in providing our services.

Where appropriate and necessary, our Data Processing Addendum (Europe) can be offered to our clients outside Europe who are serviced by our non-European entities.  This may be the case, for example, where such clients trigger the extra-territorial effect of GDPR by offering their products / services to European residents.

Our Data Processing Addendum (Cayman), linked below, contains the assurances we offer to our clients in accordance with DPL, Schedule 1, Part II, paragraph 3.  Unless specifically agreed otherwise, it applies from 30 September 2019 to all client engagements of our Cayman entities where we act as a 'processor' in providing our services.

Please note that when we provide legal services, director services, AML services, fund management services and similar services where we act as a 'controller' in our own right for the purposes of GDPR or other equivalent legislation (including DPL), we will not enter into addendums or agreements that seek to impose the requirements of Article 28 of GDPR or other equivalent requirement (including DPL, Schedule 1, Part II, paragraph 3) on us.

Restriction on Cross-Border Data Transfer

In European countries where GDPR and equivalent legislation applies, businesses that allow personal information to be handled outside Europe are generally required to take steps to ensure that the personal information sent outside Europe (or accessed from outside Europe) continues to be protected to the same European standard.

We can offer to enter into the relevant, prevailing form of EU standard contractual clauses (either the 'controller-to-controller' form or the 'controller-to-processor' form) to address this restriction, where it is appropriate and necessary to do so.  This may be the case where our clients inside Europe need to share personal information with our non-European entities, or where our clients outside Europe need to share personal information that was sourced from Europe with our non-European entities.  

In the Cayman Islands, DPL imposes a similar restriction on businesses that allow personal information to be handled outside the Cayman Islands, and the Cayman Islands’ Ombudsman endorses the use of EU standard contractual clauses.  Accordingly, where it is appropriate and necessary to do so, we can offer to enter into the relevant, prevailing form of EU standard contractual clauses with our clients based in the Cayman Islands as well.  

Clarification Regarding KYC

The nature of the services we provide means that we frequently encounter situations where we have to conduct the same due diligence checks (also known as KYC or ‘Know-Your-Customer’) multiple times in respect of the same person (e.g. a director/beneficial owner of a client entity, a private client, or an investor).  For example:

  • An investor subscribes to an investment fund that receives fund administration/AML compliance service from us (fund X) and subsequently subscribes to another investment fund that also receives fund administration/AML compliance service from us (fund Y).  Because fund X and fund Y each has its own legal requirement to conduct investor KYC, Maples has to repeat the KYC on behalf of fund Y, even if Maples has already completed the KYC in relation to the same investor on behalf of fund X.
  • A director is newly appointed to the board of a SPV which was established by a client of Maples and which receives a range of services from Maples (SPV1).  The same director is subsequently appointed to the board of a new SPV which Maples incorporates on behalf of a different client (SPV2).  Because SPV1 and SPV2 each has its own legal requirement to conduct director KYC, Maples has to repeat the KYC on behalf of SPV2, even if Maples has already completed the KYC in relation to the same director on behalf of SPV1. 
 
This can result in directors/beneficial owners of client entities, private clients, investors, and other relevant persons receiving identical or very similar KYC requests from us, repeatedly.  In turn, this can inconvenience such persons, reduce our operational efficiency, and result in unnecessary and excess collection of personal information by us, without providing any additional benefit to our clients.

In order to address these issues, from August 2019 onwards, the Maples Group will start sharing the KYC documentation supplied by the relevant individuals across different clients and service lines of the Maples Group, provided that we have secured the prior consent of the relevant individuals.  

We will revise the relevant documentation and business processes to ensure that the relevant individuals who interact with us are given the opportunity to opt into have their KYC documentation reused for the purpose of additional due diligence we may be required to conduct on them on behalf of our clients.  We will also be looking to reach out to those relevant individuals who already benefit from the services we provide.

As a general rule, we do not rely on 'consent' as a legal basis to handle personal information which our clients entrust to us and this is reflected in our various Client Private Notices.  The reuse of KYC documentation for the purpose of performing additional KYC on behalf of our clients will be an exception to this general rule, as it will be performed only where the relevant individuals give their consent.

Please note that where we conduct KYC to fulfil our own legal obligations, we reserve the right to share the KYC documentation we obtain, internally for our own compliance purposes (provided that there is no legal or contractual restriction which prevents us from doing so), and we will not be relying on 'consent' in doing so.  For example, if a client receiving legal services from Maples and Calder requests that we provide fund services as well, then Maples Fund Services may reuse the KYC documentation previously obtained from the client by Maples and Calder.

Connect

Want to get in touch ?

Contact Us