{{ languageVal }}
  • English
 

Privacy

Peace of Mind

WHY AND HOW WE HANDLE PERSONAL INFORMATION

Many countries have data protection laws that protect the privacy of individuals by regulating the way in which businesses handle personal information, as well as requiring businesses to be open and transparent about why and how they handle personal information, among other things.

Our Client Privacy Notices, linked below, provide a general explanation of why and how we handle personal information relating to our clients, business contacts and other persons in connection with the client-facing business we conduct:

  • Client Privacy Notice – Fiduciary Services (Cayman). This notice applies to the fiduciary services and related services, such as entity formation / registration services, registered office services and corporate secretarial services we provide through our entities in the Cayman Islands.
  • Client Privacy Notice – Fiduciary Services (Europe). This notice applies to the fiduciary services and related services, such as entity formation / registration services, registered office services and corporate secretarial services we provide through our European entities.
  • Client Privacy Notice – Fund and Fiduciary Services (ADGM+DIFC). This notice applies to the fund administration service, entity formation / registration service, registered office service and corporate secretarial service, and other related services we provide in the Abu Dhabi Global Markets and the Dubai International Financial Centre.

Our Job Applicant Privacy Notice, linked below, describes how we handle personal information relating to job applicants:

  • Job Applicant Privacy Notice (Asia). This notice applies to those applying for a job, summer internship or a work experience placement with one of our entities in Hong Kong or Singapore.
  • Job Applicant Privacy Notice (Europe). This notice applies to those applying for a job, summer internship or a work experience placement with one of our European, Jersey or UK entities.
  • Job Applicant Privacy Notice (Cayman+BVI). This notice applies to those applying for a job, summer internship or a work experience placement with one of our entities in the Cayman Islands or the British Virgin Islands.
  • Job Applicant Privacy Notice (DIFC). This notice applies to those applying for a job, summer internship or a work experience placement with one of our entities in the Dubai International Financial Centre. 

The Privacy Notices linked below explain why and how we handle personal information relating to visitors to our website and web applications:

THE ASSURANCES WE OFFER WHERE WE ACT AS A 'PROCESSOR'

In European countries, where the General Data Protection Regulation (GDPR) and equivalent legislation applies, businesses that engage a service provider that acts as a 'processor' are legally required to ensure that the service contract contains certain contractual assurances.  Similar requirement applies in other jurisdictions as well, including the British Virgin Islands (Data Protection Act 2021 or "DPA"), the Cayman Islands (Data Protection Law 2017 or "DPL"), Hong Kong (Personal Data (Privacy) Ordinance or "PDPO"), Singapore (Personal Data Protection Act 2012 or "PDPA"), the Abu Dhabi Global Markets (Data Protection Regulations 2021 or "ADGMDPR"), and the Dubai International Financial Centre (Data Protection Law 2020 or "DIFCDP").

Our Data Processing Addendum (Europe), linked below, contains the assurances we offer to our clients in accordance with Article 28 of GDPR, and, unless specifically agreed otherwise, it applies to all client engagements of our European entities where we act as a 'processor' in providing our services.

Where appropriate and necessary, our Data Processing Addendum (Europe) can be offered to our clients outside Europe who are serviced by our non-European entities.  This may be the case, for example, where such clients trigger the extra-territorial effect of GDPR by offering their products / services to European residents.

Our Data Processing Addendum (BVI), linked below, contains the assurances we offer to our clients in accordance with DPA, section 10(2).  Unless specifically agreed otherwise, it applies from 1 September 2021 to all client engagements of our entities in the British Virgin Islands where we act as a 'processor' in providing our services.

Our Data Processing Addendum (Cayman), linked below, contains the assurances we offer to our clients in accordance with DPL, Schedule 1, Part II, paragraph 3.  Unless specifically agreed otherwise, it applies from 30 September 2019 to all client engagements of our Cayman entities where we act as a 'processor' in providing our services.

Our Data Processing Addendum (Asia), linked below, contains the assurances we offer to our clients in accordance with PDPO / PDPA, and, unless specifically agreed otherwise, it applies from 1 May 2020 to all client engagements of our entities in Hong Kong and Singapore where we act as a 'data processor' or 'data intermediary' in providing our services.

Our Data Processing Addendum (ADGM+DIFC), linked below, contains the assurances we offer to our clients in accordance with ADGMDPR and DIFCDPL, and, unless specifically agreed otherwise, it applies from 1 July 2020 to all client engagements of our entities in the Dubai International Financial Centre, and from 1 April 2021 to all client engagements of our entities in the Abu Dhabi Global Markets, where we act as a 'Processor' in providing our services.

Please note that when we provide legal services, director services, AML services, fund management services, and other like services which we provide by exercising our professional autonomy and discretion, we will not enter into addendums or agreements that seek to impose the requirements of Article 28 of GDPR or other equivalent requirements (including those that are imposed under DPL, PDPO, PDPA, or DIFCDPL) on us.

RESTRICTION ON CROSS-BORDER DATA TRANSFER

In European countries where GDPR and equivalent legislation applies, businesses that allow personal information to be handled outside Europe are generally required to take steps to ensure that the personal information sent outside Europe (or accessed from outside Europe) continues to be protected to the same European standard.

We can offer to enter into the relevant, prevailing form of EU standard contractual clauses (either the 'controller-to-controller' form or the 'controller-to-processor' form) to address this restriction, where it is appropriate and necessary to do so.  This may be the case where our clients inside Europe need to share personal information with our non-European entities, or where our clients outside Europe need to share personal information that was sourced from Europe with our non-European entities.  

In some non-European jurisdictions, the applicable data protection law imposes a similar restriction on the cross-border transfer of personal information, and the local regulators sometimes endorses the use of EU standard contractual clauses.  Accordingly, we can also offer to enter into the relevant, prevailing form of EU standard contractual clauses where this is appropriate and necessary to address the requirements of a non-European data protection law. 

CLARIFICATION REGARDING DUE DILIGENCE CHECKS

The nature of the services we provide means that we regularly have to conduct due diligence checks on individuals who are directly or indirectly affected by the services we provide.  Such checks can, depending on the context, include the so-called “KYC Checks” (which are mandated by laws that tackle money laundering, terrorist financing etc. and typically involves checking someone’s identity, source of wealth, any legal restriction applicable, etc.), the so-called “FATCA/CRS Checks” (which are mandated by laws that tackle tax evasion and typically involves checking someone’s identity, nationality/residency, tax status, accounts details, etc.), or both.

The nature of the services we provide also means that we frequently encounter situations where we have to conduct the same due diligence checks (KYC Checks, FATCA/CRS Checks, or both) multiple times in respect of the same person (e.g. a director/beneficial owner of a client entity, a private client, or an investor), in connection with the services we provide to our clients.  

  • An investor subscribes to an investment fund that receives fund administration/AML compliance service from us (fund X) and subsequently subscribes to another investment fund that also receives fund administration/AML compliance service from us (fund Y).  Because fund X and fund Y each has its own legal requirement to conduct investor due diligence, Maples has to repeat the due diligence checks on behalf of fund Y, even if Maples has already completed the due diligence checks in relation to the same investor on behalf of fund X.
  • A director is newly appointed to the board of a SPV which was established by a client of Maples and which receives a range of services from Maples (SPV1).  The same director is subsequently appointed to the board of a new SPV which Maples incorporates on behalf of a different client (SPV2).  Because SPV1 and SPV2 each has its own legal requirement to conduct director due diligence, Maples has to repeat the due diligence checks on behalf of SPV2, even if Maples has already completed the due diligence checks in relation to the same director on behalf of SPV1. 

This can result in directors/beneficial owners of client entities, private clients, investors, and other relevant persons receiving identical or very similar requests for due diligence checks from us, repeatedly.  In turn, this can inconvenience such persons, reduce our operational efficiency, and result in unnecessary and excess collection of personal information by us, without providing any additional benefit to our clients.

In order to address these issues, from August 2019 onwards, the Maples Group will start sharing due diligence information/documentation supplied by the relevant individuals (or compiled in respect of the relevant individuals based on such information/documentation) across different clients and service lines of the Maples Group, provided that we have secured the prior consent of the relevant individuals.  

We will revise the relevant documentation and business processes to ensure that the relevant individuals who interact with us are given the opportunity to opt into have their due diligence information/documentation reused for the purpose of additional due diligence we may be required to conduct on them on behalf of our clients.  We will also be looking to reach out to those relevant individuals who already benefit from the services we provide.

As a general rule, we do not rely on 'consent' as a legal basis to handle personal information which our clients entrust to us and this is reflected in our various Client Private Notices.  The reuse of due diligence information/documentation for the purpose of performing additional due diligence checks on behalf of multiple different clients will be an exception to this general rule, as it will be performed only where the relevant individuals give their consent.

Please note that where we conduct due diligence checks to fulfil our own legal obligations, we reserve the right to share the due diligence information/documentation we obtain, internally for our own compliance purposes (provided that there is no legal or contractual restriction which prevents us from doing so), and we will not be relying on 'consent' in doing so.  For example, if a client receiving legal services from Maples and Calder requests that we provide fund services as well, then Maples Fund Services may reuse the due diligence information documentation previously obtained from the client by Maples and Calder.