PART I. INTRODUCTORY COMMENTS
- Resilience Cayman . (“we” or “us”) is a “data controller” for the purposes of the The Data Protection Law, 2017 (“DPL”) of the Cayman Islands
- A data controller is a person who determines how “personal data” with respect to a living individual (data subject”) is to be “processed” (collected or obtained, recorded, held or be subject to other operations).
- Personal data of a data subject consists of “sensitive personal data” and non-sensitive personal data. Sensitive personal data consists of personal data such as the racial or ethnic origin of the data subject, the political opinions of the data subject, etc. (a full list is at section 3 of the DPL).
- A data controller has to comply with the “data protection principles” stated in the DPL which are as follows:
(1) Personal data shall be processed fairly. In addition, generally, personal data may be processed only if the data subject has consented to the processing or where one of the conditions necessary for processing personal data is present, such as:
(a) the entry into or the performance of a contract to which the data subject is or will be a party;
(b) to comply with a legal obligation of the data subject;
(c) to protect the vital interests of the data subject;
(d) the administration of justice; or
(e) the exercise of a public function in the public interest.
(2) Personal data shall be obtained only for one or more specified lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
(3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
(4) Personal data shall be accurate and, where necessary, kept up to date.
(5) Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
(6) Personal data shall be processed in accordance with the rights of data subjects under the DPL.
(7) Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
(8) Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
- We are committed to being a responsible data controller, in accordance with the data protection principles, of the personal data which you provide to us and the personal data which we may process in the course of operating our business and providing services.
- You, as the data subject, have certain rights with respect to the personal data held and processed by or for us a data controller; these rights are described in PART VII below.
PART II. THE PURPOSE OF THIS POLICY
- This Policy sets out how we may process personal data about you and “individuals connected to you” (see paragraph 8 below for the list of such individuals). Whenever we say “you”, “individuals connected to you” should be read as included as well.
- An “individual connected to you” could be any guarantor, a director, officer or employee of a company, partners or members of a partnership, any substantial owner, controlling person, or beneficial owner, trustee, settlor or protector of a trust, account holder of a designated account, recipient of a designated payment, your attorney or representative (for example, an authorised signatory), agent or nominee, or any other person or entity with whom you have a relationship that is relevant to your relationship with us.
- Please ensure that any individuals connected to you are made aware of this Policy, and the individual rights and information it sets out, prior to their providing their personal data to us or our obtaining such data from another source. If you, or anyone else on your behalf, has provided or provides personal data with respect to an individual connected to you, you or they must first ensure that you or they have the authority and appropriate legal basis to do so.
PART III. THE REASONS FOR AND THE TYPES OF PERSONAL DATA WHICH WE WILL PROCESS
- The reasons for and the types of personal data which we will process are those which:
(1) we may need for our compliance obligations (e.g. a copy of your passport or national identity card with you name, gender, date and place of birth, national insurance number, utility bills, financial details, occupation and/or source of wealth etc.);
(2) consist of contact details (e.g. address, email address, position in company, landline and mobile numbers);
(3) you may have provided us with during the course of our relationship with you, for example, by filling out forms, during face-to-face contact, telephone, email, website registration, information about the browser or device you use to access our website, how you use the site and the pages you visit, traffic and location data;
(4) financial information and information about your relationship with us, including your ways of interacting with us, sort code and account numbers;
(5) are derived from complaints or disputes you may have had with us and details of the underlying transaction (where applicable);
(6) are a matter of public record or readily obtainable and which we deem relevant (media, court judgements etc.);
(7) consist of sales and marketing information (for example, offers you have received from us and how you reacted to them);
(8) consist of correspondence and other communications between you and your representatives and us, including email, telephone calls, letters and the like;
(10) we obtain from third party providers who assist us to combat fraud, money laundering and other crimes and
(11) we need in order to:
(a) contact you in connection with performance of a contract or to provide you with support in connection with the contract;
(b) provide you with the information and services which you request from us;
(c) permit selected third parties to assist us in the improvement and optimization of advertising, marketing material and content, our services and the website;
(d) send you updates, marketing communications and other information or materials which may be of interest you or which you have expressed an interest in receiving;
(e) notify you about changes to our services;
(f) verify your identity;
(g) keep our website safe and secure and to prevent or detect fraud;
(h) facilitate and enable you to partake in a property viewing, open house event or visits to property marketing suites;
(i) comply with the requirements imposed on us by law or any court order; or
(j) comply with your consent or request for personal data;
PART IV. THE PURPOSES FOR WHICH OR THE CIRCUMSTANCES IN WHICH WE MAY SHARE YOUR PERSONAL DATA WITH OTHERS
- We do not sell, rent or otherwise share any personal data with unaffiliated entities except as expressly described in this Policy or with your prior consent.
- We may share, but only as permitted by applicable law, anonymized information that does not reasonably identify you or your organization.
- We may share relevant personal data of yours with other parties (see paragraph 14 below) where it is lawful to do so, including where:
(1) it is necessary to comply with our contractual obligations or with your instructions;
(2) we have a public or legal duty to do so (for example, to assist with detecting and preventing fraud, tax evasion and financial crime or compliance with a court order);
(3) we are under a duty to do so in connection with regulatory reporting, litigation or asserting or defending legal rights and interests;
(4) we have a legitimate business reason for doing so (for example, to manage risk or verify identity); or
(5) we asked you if we could share it and you gave your consent.
- Parties with whom we might share your personal data can include:
(1) service providers acting as processors who provide IT and system administration services, anti-money laundering service providers and services to enable us to perform our contract with you;
(2) agents or brokers who process your personal data in order to arrange and facilitate your visits to properties;
(3) managers of properties for the purposes of managing the development, organising repairs, contacting owners in the event of an emergency, and collecting/making payment to/from owners of units in our properties as required;
(4) other professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accountancy services;
(5) licensor entities, if we have a licence to use a third party name or brand;
(6) banks to which you instruct us to make payments or from which you wish to receive payments;
(7) third parties who host our website or provide services related to it, including IT security providers;
(8) any persons or companies, where required in connection with potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of our rights or duties under our agreement with you;
(9) law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
(10) other parties involved in any disputes, including disputed transactions, involving you and/or us;
(11) fraud prevention agencies who may use your personal data to detect and prevent fraud and other financial crime and to verify your identity;
(12) anyone who provides instructions to us on your behalf (for example, under a Power of Attorney, solicitors, intermediaries, investment managers etc.); or
(13) anyone else with whom you have instructed us to share your information.
PART V. HOW LONG YOUR PERSONAL DATA WILL BE KEPT
- We will keep your personal data only for as long as it is necessary for the specific purpose for which the personal data was processed or for as long as we are required to keep it by applicable laws and regulations.
- Generally, we are required to retain records for at least six (6) years from the date on which the contractual relationship with you ends or, depending on the kind of personal data and relevant laws and regulations applicable to it, we may have to keep the personal data for a longer period.
- We may also have to keep your personal data for a longer period where we have a legitimate interest for doing so, for example, to address complaints, assert or defend our rights in litigation or other dispute resolution procedures or to respond to requests from regulators or to assist judicial authorities.
- Any personal data which we are not required to hold for any minimum period, or for which there is no purpose in us holding it any longer, will be, at our discretion, deleted, destroyed or returned to you promptly.
- Where we share your personal data with third parties, the privacy policies and laws and regulations of the third party will determine how long they will have to retain your personal data.
PART VI. INTERNATIONAL TRANSFER OF PERSONAL DATA
- If we transfer your personal data to a third party service provider engaged by us who is located outside the Cayman Islands, we will ensure that the transferred personal data is appropriately secure and protected. Where necessary, we will ensure that separate and appropriate legal agreements are put in place with the recipient of that data.
- Where we have a licence to use a third party name or brand, we may be required to share your personal data with that third party who may be located outside the Cayman Islands.
- Some of the reasons for transferring your personal data outside the Cayman Islands may include:
(1) the need to carry out our contract with you;
(2) to fulfil a legal obligation;
(3) to protect the public interest; or
(4) to protect legitimate interests, be they yours or ours.
- In some countries, the law may compel us to share certain information (for example, with tax authorities). We will only share personal data with parties who have the lawful authority and right to see it and only to the extent that such parties are permitted to see it.
PART VIII. YOUR RIGHTS AS A DATA SUBJECT
- As a data subject, you have certain rights in relation to your personal data. These rights include the right to:
(1) provided, as soon as practicable, the identity of the data controller and the purpose for which the personal data is to be processed;
(2) to have personal data processed fairly;
(3) to be informed by the data controller that data is being processed of which you are the data subject;
(4) to have communicated by the data controller, in the format requested, the personal data held by the data controller and its source;
(5) where personal data is supplied under (4) above, the right to be informed by the data controller of your rights under the DPL in such form and with such content as prescribed by regulations;
(6) to be informed by the data controller of your right to complain to the Information Commissioner under section 43 of the DPL;
(7) to be informed by the data controller of the reasons for a decision, significantly affecting you, where the automatic processing of your data has or is likely to constitute the sole basis for evaluating matters relating to you, including your performance at work, creditworthiness, reliability or conduct;
(8) by notice in writing to the data controller, to have the data controller:
(a) not begin processing;
(b) cease processing;
(c) cease processing for a specific purpose; or
(d) cease processing in a specified manner,
your personal data;
(9) to require, by notice in writing, to have the data controller:
(a) not to begin; or
(b) to cease, processing, for direct marketing, personal data relating to you;
(10) to require, by notice in writing, the data controller to ensure that no decision is taken by or on behalf of the data controller, which significantly affects you, is based solely on the processing by automatic means of your personal data for the purpose of evaluating your performance at work, creditworthiness, reliability, conduct or any other matters relating to you;
(11) regardless of a notice in writing, if a decision, referred to in (10) above, is made by or behalf of the data controller, the right to notification by the data controller, as soon as reasonably practicable, that the decision was taken on that basis;
(12) within 21 days of the notification by the data controller to you of the decision in (11) above, the right, by notice in writing to the data controller, to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis;
(13) to sue the data controller for compensation for damage caused by the data controller’s contravention of any of the requirements of the DPL;
(14) to complain to the Information Commissioner about a data controller’s contravention of the DPL and, if the complaint is valid, to have a number of consequential orders; and
(15) to seek redress for any violation of your data protection rights or a decision of the Information Commissioner in the Cayman Islands courts.
PART IV. GENERAL PROVISIONS
- Please ensure that any data which you give us or ask third parties to provide to us is up to date, accurate and complete in all respects. Please inform us about any changes in your personal data as soon as reasonably possible.
- We use a range of measures to keep personal data safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect personal data and applying appropriate measures for use and transfer.
- For any further questions or queries in relation to this Policy, please get in touch with your usual contact with us.
- If you access our website, we may collect information about your computer (or mobile device), including where available your IP address, operating system and browser type, for system administration or for our own commercial purposes. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.