At the Maples Group, we recognise that we cannot conduct our business without the trust our clients, staff, and other stakeholders place in our ability to safeguard the privacy of their personal information, and we strive to engender and maintain the trust of all of our stakeholders with respect to our handling of personal information.
Wherever and whenever we handle personal information in connection with the business we conduct, we will do so in accordance with the following principles by paying due regard to the applicable data protection laws, as well as the context in which we handle personal information:
In order to implement these principles, we have adopted a range of policies, procedures, and other forms of controls (including those that relate to handling of data, data-related requests/complaints, security of data, etc.), which are reviewed regularly. We have also allocated the relevant roles and responsibilities to all parts of our business, including our Privacy, Information Security, Risk, and Legal teams, as well as our client-facing teams, so as to ensure that we take a holistic approach in implementing these principles.
For a detailed explanation regarding why and how we handle personal information, please refer to our privacy notices that are listed in the section below. If you have any question or concern regarding the handling of personal information by any part of the Maples Group, you can contact our Privacy team by emailing [email protected], or by writing to:
Group Data Protection Counsel
Maples and Calder
6th Floor, DUO
280 Bishopsgate
London EC2M 4RB
UK
Many countries have data protection laws that protect the privacy of individuals by regulating the way in which businesses handle personal information, including by requiring businesses to be open and transparent about why and how they handle personal information, among other things.
Our Client Privacy Notices, linked below, provide a general explanation of why and how we handle personal information relating to our clients, business contacts and other persons in connection with the client-facing business we conduct:
Our Job Applicant Privacy Notices, linked below, describe how we handle personal information relating to job applicants:
The Privacy Notices linked below explain why and how we handle personal information relating to visitors to our website and web applications:
In European countries, where the General Data Protection Regulation (GDPR) and equivalent legislation applies, businesses that engage a service provider that acts as a ‘processor’ are legally required to ensure that the service contract contains certain contractual assurances. Similar requirement applies in other jurisdictions as well, including the British Virgin Islands (Data Protection Act 2021 or “DPA”), the Cayman Islands (Data Protection Law 2017 or “DPL”), Hong Kong (Personal Data (Privacy) Ordinance or “PDPO”), Singapore (Personal Data Protection Act 2012 or “PDPA”), the Abu Dhabi Global Markets (Data Protection Regulations 2021 or “ADGMDPR”), and the Dubai International Financial Centre (Data Protection Law 2020 or “DIFCDP”).
Our Data Processing Addendum (Europe), linked below, contains the assurances we offer to our clients in accordance with Article 28 of GDPR, and, unless specifically agreed otherwise, it applies to all client engagements of our European entities where we act as a ‘processor’ in providing our services.
Where appropriate and necessary, our Data Processing Addendum (Europe) can be offered to our clients outside Europe who are serviced by our non-European entities. This may be the case, for example, where such clients trigger the extra-territorial effect of GDPR by offering their products / services to European residents.
Our Data Processing Addendum (BVI), linked below, contains the assurances we offer to our clients in accordance with DPA, section 10(2). Unless specifically agreed otherwise, it applies from 1 September 2021 to all client engagements of our entities in the British Virgin Islands where we act as a ‘processor’ in providing our services.
Our Data Processing Addendum (Bermuda), linked below, contains the assurances we offer to our clients, and unless specifically agreed otherwise, it applies from 1 January 2025 to all client engagements of our entities in Bermuda.
Our Data Processing Addendum (Cayman), linked below, contains the assurances we offer to our clients in accordance with DPL, Schedule 1, Part II, paragraph 3. Unless specifically agreed otherwise, it applies from 30 September 2019 to all client engagements of our Cayman entities where we act as a ‘processor’ in providing our services.
Our Data Processing Addendum (Asia), linked below, contains the assurances we offer to our clients in accordance with PDPO / PDPA, and, unless specifically agreed otherwise, it applies from 1 May 2020 to all client engagements of our entities in Hong Kong and Singapore where we act as a ‘data processor’ or ‘data intermediary’ in providing our services.
Our Data Processing Addendum (ADGM+DIFC), linked below, contains the assurances we offer to our clients in accordance with ADGMDPR and DIFCDPL, and, unless specifically agreed otherwise, it applies from 1 July 2020 to all client engagements of our entities in the Dubai International Financial Centre, and from 1 April 2021 to all client engagements of our entities in the Abu Dhabi Global Markets, where we act as a ‘Processor’ in providing our services.
Our Data Processing Addendum (USA), linked below, contains the assurances we offer to our clients in accordance with various US privacy laws, and, unless specifically agreed otherwise, it applies from 1 January 2025 to all client engagements of our entities in the USA.
Please note that when we provide legal services, director services, AML services, fund management services, and other like services which we provide by exercising our professional autonomy and discretion, we will not enter into addendums or agreements that seek to impose the requirements of Article 28 of GDPR or other equivalent requirements (including those that are imposed under DPL, PDPO, PDPA, or DIFCDPL) on us.
In European countries where GDPR and equivalent legislation applies, businesses that allow personal information to be handled outside Europe are generally required to take steps to ensure that the personal information sent outside Europe (or accessed from outside Europe) continues to be protected to the same European standard.
We can offer to enter into the relevant, prevailing form of EU standard contractual clauses (either the ‘controller-to-controller’ form or the ‘controller-to-processor’ form) to address this restriction, where it is appropriate and necessary to do so. This may be the case where our clients inside Europe need to share personal information with our non-European entities, or where our clients outside Europe need to share personal information that was sourced from Europe with our non-European entities.
In some non-European jurisdictions, the applicable data protection law imposes a similar restriction on the cross-border transfer of personal information, and the local regulators sometimes endorses the use of EU standard contractual clauses. Accordingly, we can also offer to enter into the relevant, prevailing form of EU standard contractual clauses where this is appropriate and necessary to address the requirements of a non-European data protection law.
The nature of the services we provide means that we regularly have to conduct due diligence checks on individuals who are directly or indirectly affected by the services we provide. Such checks can, depending on the context, include the so-called “KYC Checks” (which are mandated by laws that tackle money laundering, terrorist financing etc. and typically involves checking someone’s identity, source of wealth, any legal restriction applicable, etc.), the so-called “FATCA/CRS Checks” (which are mandated by laws that tackle tax evasion and typically involves checking someone’s identity, nationality/residency, tax status, accounts details, etc.), or both.
The nature of the services we provide also means that we frequently encounter situations where we have to conduct the same due diligence checks (KYC Checks, FATCA/CRS Checks, or both) multiple times in respect of the same KYC subject (e.g. a client that receives our services, or an investor that invests in investment funds we administer on behalf of our clients), in connection with the services we provide to our clients. Set out below are typical examples of such scenarios.
This can result in KYC Subjects receiving identical or very similar requests for due diligence checks from us, repeatedly. In turn, this can inconvenience the KYC Subjects, reduce our operational efficiency, and result in unnecessary and excess collection of personal/confidential information by us whilst increasing operational risks, without providing any additional benefit to our clients or the KYC Subjects.
In order to address these issues, in August 2019, the Maples Group started sharing due diligence information/documentation supplied by the relevant KYC Subjects (or compiled in respect of the relevant KYC Subjects based on such information/documentation) across different clients and service lines of the Maples Group, provided that we have secured the prior consent of the relevant KYC Subjects. However, it has proven to be difficult to obtain, track, and validate such consents consistently in a timely and reliable manner, and the consent has turned out to be a barrier to achieving the intended gain in efficiency and avoidance of unnecessary collection of due diligence information/documentation.
For this reason, we have decided to revise our approach to due diligence checks, and from March 2024 onwards, where due diligence information/documentation are obtained in relation to any given KYC Subject in connection with non-legal services any given client has contracted to receive from a Maples Group entity domiciled in Abu Dhabi Global Market, Bermuda, British Virgin Islands, Canada, Cayman Islands, Dubai International Financial Centre, Hong Kong, Singapore, or USA, we will reuse and share such due diligence information/documentation for the benefit of other clients of the Maples Group without seeking the consent of the relevant KYC Subject, if and to the extent this is necessary to enable us to perform due diligence checks for the benefit of those other clients or to validate such due diligence checks we have performed (provided that there is no legal or contractual restriction which prevents us from doing so).
This change will most notably affect our clients domiciled in the British Virgin Islands and Cayman Islands that have contracted with Maples to receive fund administration services, AML/compliance services, or registered office services, and we have revised the relevant Client Privacy Notices as well as our service agreements (where necessary) to reflect this change in our approach to due diligence checks we perform as part of the services we provide to our clients. For the avoidance of any doubt, this change will not affect our approach to information security, and we remain committed to ensuring the security of all information entrusted to us by our clients and KYC Subjects.
Please note that where we conduct due diligence checks to fulfil our own legal obligations, we have always reserved and continue to reserve the right to share the due diligence information/documentation we obtain, internally for our own compliance purposes (provided that there is no legal or contractual restriction which prevents us from doing so), and we have never relied and will not in the future be relying on any ‘consent’ in doing so.
For example, if a client receiving legal services from Maples and Calder requests that we provide fund services as well, then Maples Fund Services may reuse the due diligence information documentation previously obtained from the client by Maples and Calder in order to perform the due diligence checks Maples Fund Services itself is legally required to perform.