Content

 

  1. Introduction

1.1 Context

This Policy applies to any Fund Recs entity in the Fund Recs group of companies (each a “Fund Recs Entity” and together “Fund Recs”, the “Fund Recs Group” or the “Fund Recs Entities”). Fund Recs must comply with all applicable laws and regulations relating to the Processing of Personal Data and privacy, including the Data Protection Act 1998-2018 (as may be amended or supplemented from time to time), from 25 May 2018, the EU’s General Data Protection Regulation 2016/679 (the “GDPR”).

Under Data Protection Legislation, Fund Recs is required to implement an appropriate data protection policy as part of the organisational and technical measures it puts in place to demonstrate compliance with applicable Data Protection Legislation.

This Policy describes how Personal Data must be collected, handled, stored, disclosed and otherwise “Processed” to meet the Fund Recs’s data protection standards and to comply with Data Protection Legislation.

Fund Recs is responsible for and shall be in a position to demonstrate compliance with this Policy. This includes ensuring that Third Parties and Service Providers who Process Personal Data on its behalf are acting in accordance with Data Protection Legislation.

1.2 Scope

This Policy applies to Fund Recs Entities where they act as a Controller of Personal Data and Fund Recs Entities acting as a Processor of Personal Data in the following scenarios:

  • in the context of the business activities of Fund Recs Entities;
  • for the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by a Fund Recs Entity; and
  • in the context of Human Resources where a Fund Recs Entity has Employee Personal Data.

This Policy applies to all Processing of Personal Data. Personal Data can be in electronic form (including electronic mail and documents created with word Processing software) or manual files that are structured in a way that allows ready access to information about individuals.

This Policy has been designed to demonstrate the minimum standard for the Processing and protection of Personal Data by all Fund Recs Entities. Where a national law imposes a requirement, which is stricter than imposed by this Policy, the requirements in national law must be followed. Furthermore, where national law imposes a requirement that is not addressed in this Policy, the relevant national law must be adhered to by the relevant Fund Recs Entity through operational procedures.

1.3 Data Protection Contact

To demonstrate Fund Recs’ commitment to Data Protection, and to enhance the effectiveness of its compliance efforts, Fund Recs Regional Compliance Teams (“Compliance Team”) will support the business in Data Protection Legislation compliance.

The Compliance Team reports has direct access to the Fund Recs Entities’ senior management teams and boards of directors (the “Fund Recs Entities Boards”) and its duties in this role will include:

  • mediation with the relevant Data Protection Authority;
  • review of the Fund Recs Data Protection Policies on an annual basis for compliance with relevant legislation;
  • produce Annual Board Report on the Fund Recs Data Protection Framework;
  • annual review and ongoing oversight of the Processors of the Fund Recs Group ensuring compliance with relevant legislation;
  • report and escalate directly to the respective Fund Recs Entity Boards on data protection related matters;
  • act as the point of contact for individuals whose Personal Data is Processed by Fund Recs;
  • facilitation of data protection training and tracking of same;
  • ensure that Fund Recs maintains a record of all Personal Data Processing activities;
  • ensure Fund Recs Service Providers apply appropriate technical and organisational measures when protecting Personal Data;
  • ensure Fund Recs Service Providers apply appropriate security measures to ensure against all unlawful forms of Processing;
  • report to the Fund Recs Entity Boards on measures and Processes to demonstrate that privacy has been factored into new business line processes;
  • report to the Fund Recs Entity Boards on oversight of Fund Recs Service Providers;
  • verify that individuals have given Consent to receive marketing information from a Fund Recs Entity; and
  • verify that Personal Data has been deleted where an individual has withdrawn Consent for direct marketing purposes.

1.4 Board Approval

This Policy shall be approved by the Fund Recs Entity Boards.

1.5 Governance, Policy Review and Ownership

This Policy will be reviewed at least annually by the Compliance Team to ensure appropriateness. Additional updates and ad-hoc reviews may be performed as and when required to ensure that any changes to the Fund Recs organisational structures/business practices are properly reflected in this Policy.

All amendments to this Policy will be co-ordinated by the Compliance Team to ensure consistency across the Fund Recs Group. All new Fund Recs Entities must adopt and adhere to this Policy.

The management team of each Fund Recs Entity must ensure that each of that Fund Recs Entity’s Employees who are responsible for the Processing of Personal Data are aware of and comply with the contents of this Policy.

In addition, each Fund Recs Entity will make sure all Third Parties engaged to Process Personal Data on their behalf (i.e. their Data Processors) are aware of and comply with the contents of this Policy. Assurance of such compliance, usually through the terms and conditions of their appointment, must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to Personal Data controlled by Fund Recs.

1.6 Responsibility and Escalation

Considering the circumstances in which a Controller must appoint a Data Protection Officer (“DPO”) the Fund Recs Board has determined that it is not currently necessary to appoint a DPO. The Fund Recs Board shall keep this matter under review and should guidance emerge which indicates that any Fund Recs Entity, should appoint a DPO, the Fund Recs Board will re-consider the need to appoint a DPO.

This Policy is therefore owned by the Fund Recs Board, with the Compliance Team being responsible for escalation to the relevant Fund Recs Entity Boards of any data protection related matters. Where data protection issues arise, these are investigated by the European Head of Compliance and where necessary, input from the relevant Fund Recs Entity Board may be sought.

  1. Definitions:

Fund Recs Board
The Boards of Directors for Fund Recs

Employee
An individual who works part-time or full-time for Fund Recs under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. Includes temporary employees and independent contractors.

Third Party/Service Providers
An external organisation with which Fund Recs conducts business and is also authorised, under the direct authority of Fund Recs, to Process the Personal Data provided by a Fund Recs Entity.

Personal Data
Any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person.

Identifiable Natural Person
Anyone living who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Fund Recs Entity
A Fund Recs establishment, including subsidiaries and joint ventures over which Fund Recs exercise management control.

Data Subject
A natural person to whom Personal Data refers.

Process, Processed, Processing
Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection
The Process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.

Data Protection Authority or DPA
An independent public authority responsible for monitoring the application of the relevant Data Protection regulation set forth in national law.

Data Processors
A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of a Data Controller.

Consent
Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Special Categories of Data
Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Third Country
Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.

Profiling
Any form of automated Processing of Personal Data Where Personal Data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person. In particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.

Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Legitimate Interests
Processing necessary for the purposes of the legitimate interests pursued by a Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.

  1. Data Protection Principles

When Processing Personal Data, Fund Recs must comply with the following core Data Protection principles.

A. Lawfulness, fairness and transparency

Personal Data must be Processed fairly, transparently and lawfully. An individual’s Personal Data must not be Processed unless there are lawful grounds for doing so and the Data Subject must be informed as to how and why their Personal Data is being Processed either upon or before collecting it.

B. Purpose Limitation

Personal Data must be Processed only for specified and lawful purposes. Personal Data must not be Processed in any manner which is incompatible with the specified and lawful purpose.

C. Data Minimisation

Personal Data that is Processed must be adequate, relevant and limited to the minimum data necessary for the lawful purposes for which it is Processed.

D. Accuracy

Personal Data must be accurate and, where appropriate, kept up-to-date. Any Personal Data which is incorrect must be rectified as soon as possible

E. Data Retention

Personal Data must be kept for no longer than is necessary considering the lawful purpose(s) for which it is Processed.

F. Security

Personal Data must be protected against unauthorised or unlawful Processing, including transmission, accidental loss, destruction or damage through appropriate technical and organisational measures.

  1. Personal Data

4.1 Definition of Personal Data

“Personal Data” includes any data which relates to a living individual who can be identified:

  • from that data; or
  • from that data and other piece of information which is in the possession of Fund Recs.

Certain categories of Personal Data are particularly sensitive (“Sensitive Personal Data”) and cannot be Processed unless certain conditions are met.

It is Fund Recs policy to only hold Personal Data of a given Data Subject where we are legally or contractually required or permitted. All Personal Data will be held and Processed in accordance with the Data Protection Legislation and this Policy.

4.2 Processing Personal Data

Processing Personal Data includes any operation that is carried out in respect of Personal Data, including, but not limited to, collecting, storing, using, recording, disclosing, transferring or deleting Personal Data.

Personal Data collected by Fund Recs is generally collected for the purposes set out in its Privacy Notices including, but not limited to, the following:

  • to comply with legal, tax or regulatory obligations imposed on Fund Recs under applicable law;
  • to efficiently manage its directors and its relationship with its Service Providers;
  • to carry out statistical analysis and market research;
  • to transfer Personal Data to third parties such as auditors, regulatory or tax authorities and technology providers in the context of the day to day operations of Fund Recs in the conduct of its services provided globally; and
  • for the purposes outlined in the Employee Privacy Notice.

4.3 Grounds for Processing Personal Data

Personal Data must only be Processed if the purpose of the Processing satisfies one of the legal bases permitted under the Data Protection Legislation.

The below details the legal bases for Processing which are most commonly relevant to Fund Recs Processing activities.

4.3.1 Legal Grounds for Processing Personal Data

The legal grounds for Processing Personal Data include:

  • where the Processing is in Fund Recs’s Legitimate Interests or the Legitimate Interests of a third party and the proposed Processing does not cause unwarranted infringement on the Data Subject’s rights;
  • where the Processing is necessary for the performance of a contract to which the Data Subject is a party, or for the taking of steps with a view to entering into or exiting a contract at the request of the Data Subject;
  • where the Processing is required by law or other regulation to which the Fund Recs is subject to, for example, the Central Bank of Ireland or another relevant regulator’s regulations/anti-money laundering and terrorist financing legislation etc; and
  • where the Data Subject has provided its Consent to the Processing for the specific purpose in accordance with this Policy.

4.3.2 Sensitive Personal Data

As detailed previously, Sensitive Personal Data is subject to stricter controls and the circumstances in which it can be Processed are significantly more limited than Personal Data.

Fund Recs will only Process Sensitive Personal Data where the Data Subject expressly Consents to such Processing or where one of the following conditions apply:

  • Processing relates to Personal Data which has already been made public by the Data Subject;
  • Processing is necessary for the establishment, exercise or defence of legal claims;
  • Processing is specifically authorised or required by law;
  • Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent; or
  • further conditions, including limitations, based upon national law related to the Processing of genetic data, biometric data or data concerning health.

4.4.3 Children’s Data

In general terms Fund Recs will not process any Personal Data in relation to a child or minor. Should any Fund Recs Entity ever be required to Process Personal Data relating to a child, in the first instance the relevant Fund Recs Entity must obtain guidance and approval from the Compliance Team before any Processing of a child’s Personal Data may commence. If it is deemed appropriate the Fund Recs Entity will be required to obtain parental Consent.

4.4 Processing of Personal Data relating to criminal convictions and offences

The Processing of Personal Data relating to criminal convictions and offences or related security measures may take place subject to appropriate safeguards for the rights and freedoms of Data Subjects. There are certain conditions under which this information may be inadvertently Processed including:

  • the Data Subject has given explicit Consent to the Processing for one or more specified purposes except where applicable law prohibits such;
  • Processing is necessary and proportionate for the performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject prior to entering into a contract;
  • Processing is:
    • necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or
    • otherwise necessary for the purposes of establishing, exercising or defending legal rights;
  • Processing is necessary to prevent injury or other damage to the Data Subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the Data Subject or another person; or
  • Processing in relation to screening of potential employees. Fund Recs conducts background checks including checking for any criminal convictions of senior Employees to assess the risk of fraud or prevent fraud. Employees are notified of this in the Privacy Notice and consent to it in the initial screening form.

4.5 Higher Risk Processing Activities

The Data Protection Legislation provides that wherever the Processing of Personal Data is likely to result in increased risk to the Data Subject, Fund Recs as a Data Controller will need to, before carrying out the Processing activity, perform an assessment of the potential impact of the intended Processing on the rights and freedoms of the Data Subject (a “Data Protection Impact Assessment” or “DPIA”).

Fund Recs has identified where the Processing of Personal Data takes place globally. Following this assessment Fund Recs has not identified any activities that would be considered as posing a high risk to Data Subjects.

Fund Recs has also determined that it is unlikely that any other Service Providers will be engaging in higher risk Processing activities on behalf of Fund Recs but will keep this matter under review.

4.6 Fair Processing Information

Any Process which involves the gathering of Personal Data on an individual should contain a Privacy Notice explaining among other things what the Personal Data is to be used for and to whom it may be disclosed.

Regardless of how Personal Data is obtained (whether it is obtained from the Data Subject or from a Service Provider) the Data Subject will be provided with certain information about the Processing of their Personal Data by Fund Recs. This information will be provided either before or upon collection of the Personal Data. If the Personal Data is obtained from a Service Provider, then the Privacy Notice must be provided within a reasonable time period from obtaining the Personal Data or at the time of the first communication with the Data Subject, whichever is earlier.

This information will be provided in the form of Privacy Notice (please refer to Appendix I for a GDPR specific Privacy Notice).

Where applicable, the Fund Recs Entity, shall ensure that the Privacy Notices are kept under review annually and shall be updated as necessary to reflect non-material changes. Material changes notified to a Fund Recs Entity by any Service Providers or which otherwise come to the attention of Fund Recs shall be made on an ad-hoc basis and the Compliance Team shall instruct the provision of an updated data Privacy Notice to Data Subjects as applicable.

4.7 Data Register

Fund Recs maintains an up to date Data Register of all activities it conducts that require the Processing of Personal Data, a copy of which shall be made available to the DPA upon request. The Data Register consists of the following elements:

  • categories of Data Subjects;
  • categories of Personal Data;
  • Processing activity;
  • the grounds for Processing the Personal Data;
  • in which jurisdiction the Processing is conducted;
  • whether the Personal Data is transferred to a third party;
  • whether the Personal Data is transferred outside the European Economic Area; and
  • the retention period.

The Data Register is maintained by the Compliance Team.

  1. Consent

While not currently anticipated, where there is no other lawful basis for Processing Personal Data then it should not be Processed unless the Data Subject has given their Consent.

For Consent to be valid, it must satisfy the following criteria:

  • it must be limited to specific Processing activities;
  • Data Subject must have been informed about the Processing activities in sufficient detail so as to be able to fully understand what they are consenting to;
  • it must be freely given which means that the Data Subject must have a genuine free choice as to whether they give the Consent;
  • the performance of a contract cannot be made conditional upon the Data Subject giving their Consent to the data Processing, unless the data Processing is required to perform the contract; and
  • it must be given by way of an unambiguous statement of some other clear active communication by the Data Subject, such as signing a form. Consent cannot be inferred from silence or inactivity such as the use of pre-selected boxes; and
  • Details of the Processing of Personal Data must be clearly distinguished from other matters that the Data Subject is asked to agree to.

Equally, where the Processing relates to Sensitive Personal Data and Fund Recs cannot rely on any other lawful ground for Processing such Sensitive Personal Data, the Data Subject’s explicit Consent shall be obtained, by way of a signed statement.

It is important to note that a Data Subject must be informed of their right to withdraw their Consent at any time. Fund Recs Entities shall put in place appropriate Processes to promptly action any withdrawal of Consent. Where a Data Subject wishes to exercise this right, they may contact the designated contact for this purpose via the contact details provided in the Privacy Notices.

  1. Legitimate Interests

Where a Fund Recs Entity seeks to rely on Legitimate Interests to legitimise certain Processing activities, the Compliance Team must be satisfied that those Legitimate Interests are not outweighed by the interests or fundamental rights and freedoms of the relevant Data Subject.

The Fund Recs Entity must conduct a Legitimate Interests assessment (“LIA”) when relying on Legitimate Interests as a lawful basis for Processing.

This LIA will:

  1. identify the Legitimate Interest for which Fund Recs intends Processing the Personal Data;
  2. consider whether the Processing is necessary for the pursuit of its objectives; and
  3. (involve the completion of a balancing test which assesses whether or not the Data Subject’s interests override the Legitimate Interests of Fund Recs.

Factors taken into account by the Fund Recs Entity in conducting the balancing test include:

  1. the nature of the Legitimate Interests and the Data Subject’s reasonable expectations about what will happen to their data;
  2. the impact of Processing on the Data Subject; and
  3. any safeguards which are or could be put in place in order to limit undue impact on the Data Subject.

Where Legitimate Interests are relied upon this will be notified to the Compliance Team who will review and record the basis of reliance in line with the foregoing LIA.

The Fund Recs Entity shall provide information on any balancing test conducted by it to affected Data Subjects on request. In the event that a Data Subject objects to the Processing of Personal Data by Fund Recs on grounds of Legitimate Interests, Fund Recs shall stop the Processing of such Personal Data unless, having re-conducted the balancing test, the Compliance Team is satisfied that the Data Subject’s interests should not prevail over those of Fund Recs. Furthermore, Fund Recs will carry out a new LIA if the purpose of the Processing changes or if it becomes aware of a change in the factors relating to the outcome of the LIA previously conducted.

  1. Transfers to Third Parties/Service Providers

Where a Fund Recs Entity is required to transfer Personal Data to, or allow access by, a Service Provider, it must be assured that Personal Data will be Processed legitimately and protected appropriately by the recipient.

Where a Service Provider is deemed to be a Data Controller, the Fund Recs Entity will enter into an appropriate agreement with the Data Controller to clarify each party’s responsibilities in respect to the Personal Data transferred.

Where a Service Provider is deemed to be a Data Processor, the Fund Recs Entity will enter into, an adequate Processing agreement with the Data Processor. The agreement will require the Data Processor to protect the Personal Data from further disclosure and to only Process Personal Data in compliance with Fund Recs’ instructions. In addition, the agreement will require the Data Processor to implement appropriate technical and organisational measures to protect the Personal Data as well as procedures for providing notification mechanism of Personal Data Breaches. Fund Recs has a Standard Data Processing Clause document that should be used as a baseline template, including the provisions detailed below.

When a Fund Recs Entity is outsourcing services to a Service Provider (including Cloud Computing services), it will identify whether the Service Provider will Process Personal Data on its behalf and whether the outsourcing will entail any Third Country transfers of Personal Data. In either case, it will make sure to include, adequate provisions in the agreement for such Processing and Third Country transfers.

8.1 Article 28(3) Data Processing Agreements

Each Fund Recs Entity must ensure that it enters into a written agreement with any such Data Processors which includes provisions imposing the specific obligations set down in Article 28(3) on the relevant Third Parties.

8.2 Right of Audit and Inspection

Under its agreement with the relevant Service Provider, the Fund Recs Entity shall have a contractual right to obtain all relevant information from that Service Provider which is necessary for the Service Provider to demonstrate its compliance with the data protection obligations set down in the contract. Furthermore, the Fund Recs Entity shall have the contractual right to carry out an audit or inspection of the relevant Service Provider for such purposes.

  1. Disclosure of Data

Each Fund Recs Entity will ensure that Personal Data is not disclosed to unauthorised third parties. All personnel acting on behalf of Fund Recs must exercise caution when asked to disclose any Personal Data to a third party and prior to completing any such transfer. Fund Recs Global Data Protection Procedure will document this and regular staff training ensures that each individual acting on behalf of Fund Recs understands their obligations in this regard.

Disclosure to third parties may be permitted where this is:

  • necessary to safeguard national security;
  • necessary for the prevention or detection of crime, in the substantial public interest and where obtaining Consent from the Data Subject would prejudice that purpose;
  • necessary for the administration of justice;
  • necessary to comply with applicable laws or regulation; or
  • necessary to protect the vital interests of the Data Subject, such as life and death situations, but only where their Consent cannot be obtained.

Any instances of uncertainty regarding the sharing or transfer of Personal Data should be referred to the Compliance Team.

  1. Transferring Personal Data

10.1 Transferring outside the European Economic Area

Specific legal requirements apply to the transfer of Personal Data out of the European Economic Area (“EEA”), where transfers of data include sending data to another country or allowing that data to be accessed remotely from another country.

Personal Data must not be transferred outside the EEA unless the recipient country ensures an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission or alternatively one of the following safeguards have been put in place by or on behalf of Fund Recs:

  • the existence of binding corporate rules; or
  • the entry into a data transfer agreement between the Fund Recs Entity (or a Fund Service Provider acting as its agent) and the non-EEA recipient of the Personal Data which contains standard contractual clauses that have been approved by the European Commission.

 

10.2 Transfers between Fund Recs Entities

For Fund Recs to carry out its operations effectively across its global Fund Recs Entities, there may be occasions when it is necessary to transfer Personal Data from one Fund Recs Entity to another, or to allow access to the Personal Data. Should this occur, the Fund Recs Entity sending the Personal Data remains responsible for ensuring protection for that Personal Data.

Fund Recs handles the transfer of Personal Data between Fund Recs Entities, where the Personal Data is being transferred from the European Economic Area and the location of the recipient Fund Recs Entity is a Third Country, by using the Commission approved data transfer agreements supported by detailed SLAs. These agreements impose standard clauses which govern the Processing of Data Subjects’ Personal Data and must be enforced by each approved Fund Recs Entity, and their Employees.

  1. Profiling & Automated Decision-Making

Fund Recs does not currently engage nor does it plan to engage in Profiling and Automated Decision making.

Fund Recs will only engage in Profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the Data Subject or where it is authorised by law. Where a Fund Recs Entity utilises Profiling and automated decision-making, this will be disclosed to the relevant Data Subjects.

  1. Data Protection by Design

To ensure that all Data Protection requirements are identified, considered and addressed, each Fund Recs Entity will ensure that material changes such as new systems or processes go through a DPIA before launch in collaboration with the Compliance Team. The subsequent findings of the DPIA must then be submitted to the Fund Recs Entity’s Chief Risk Officer and the Head of Compliance Europe for review and approval.

Where applicable, the Information Technology (IT) department, as part of its IT system and application design review Process, will cooperate with the Fund Recs Entity and the Compliance Team to assess the impact of any new technology uses on the security of Personal Data.

  1. Data Security, Data Retention and Disposal

Each Fund Recs Entity will adopt all necessary measures to ensure that the Personal Data it collects and Processes is complete and accurate in the first instance, and is updated to reflect the current situation of the Data Subject.

The measures adopted by Fund Recs to ensure Personal Data quality include:

  • facilitating amendments to Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification;
  • keeping Personal Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period;
  • the removal of Personal Data, if not compliant with any of the Data Protection principles or if the Personal Data is no longer required; and
  • restriction, rather than deletion of Personal Data, insofar as:
    • a legal or regulatory requirement or matter prohibits erasure;
    • erasure would impair Legitimate Interests of the Data Subject; or
    • the Data Subject disputes that their Personal Data is correct and it cannot be clearly ascertained whether their information is correct or incorrect.

Personal Data must not be retained for longer than is necessary for the lawful purposes for which it is Processed. To achieve this, each category of Personal Data Processed by Fund Recs Entities shall be subject to a retention period which can be justified by reference to those lawful grounds. For this purpose, this Policy should be read in conjunction with related operational procedures and Data Classification Policy.

The length of time for which Fund Recs Entities need to retain Personal Data is set out in the Fund Recs Group Data Retention Policy. This requires all Fund Recs Entities to consider the legal and contractual requirements, both minimum and maximum, that influence the retention periods.

All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
Personal Data must be disposed of securely in a way that protects the rights and privacy of Data Subjects and ensures the permanent erasure of the Personal Data. This might include shredding, disposal as confidential waste, or secure electronic deletion.

A Service Provider, acting as a Data Processor, will be contractually obliged to implement appropriate technical and organisational measures which seek to ensure that Personal Data is appropriately protected against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.

  1. Data Subject Rights

Data Subjects are entitled to exercise certain rights in respect of their Personal Data. These are detailed within the relevant Privacy Notice and include:

  • the right to be informed at the time or before the Personal Data is obtained as to how their Personal Data will be Processed;
  • the right to obtain information regarding the Processing of their Personal Data and access to the Personal Data which Fund Recs holds about them or which is held on Fund Recs’s behalf;
  • the right to receive a copy of any Personal Data which Fund Recs Processes about them, including the right to receive Personal Data in a structured, commonly used electronic format and/or request that this data is transmitted to a third party where this is technically feasible;
  • the right to request that Fund Recs rectify their Personal Data if it is inaccurate or incomplete;
  • the right to withdraw Consent to Processing at any time;
  • the right to request that Fund Recs erase their Personal Data in certain circumstances. This may include, but is not limited to circumstances in which:
    • it is no longer necessary for Fund Recs to retain their Personal Data for the purpose for which we collected it;
    • Fund Recs is only entitled to Process the Data Subject’s Personal Data with their Consent and the Data Subject withdraws their Consent;
  • where Fund Recs is Processing a Data Subject’s Personal Data on Legitimate Interest grounds, the right of the Data Subject to object to such Processing; and
  • the right to lodge a complaint with a supervisory authority, if the Data Subject thinks that any of their rights have been infringed by a Fund Recs Entity.

Whilst the Data Protection Legislation affords Data Subjects these rights, in some instances Fund Recs may not be in a position to fulfil a request.

Furthermore, Service Providers may Process Personal Data on behalf of Fund Recs, and it may (in limited circumstances) also deem itself a Data Controller of such Personal Data where it uses the Personal Data for its own purposes. In these circumstances, all Data Subject rights shall be exercisable by the Data Subject against the Third-Party Service Provider alone.

14.1 Data Subject Rights & Requests

The Data Subject therefore has the right to:

  • object to Processing of their Personal Data;
  • lodge a complaint with the DPA;
  • request rectification or erasure of their Personal Data; and
  • request restriction of Processing of their Personal Data.

All requests received for exercise of Data Subject rights including access to or rectification of Personal Data must be directed to the Compliance Team, who will log each request as it is received.
A response to each request will be provided within one month of the receipt of the written request from the Data Subject. Appropriate verification must confirm that the requestor is the Data Subject or their authorised legal representative. Data Subjects shall have the right to require Fund Recs to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data.
If Fund Recs cannot respond fully to the request within one month, the Compliance Team shall nevertheless provide the following information (to the extent relevant) to the Data Subject, or their authorised legal representative within the specified time:

  • an acknowledgement of receipt of the request;
  • any information located to date;
  • an estimated date by which any remaining responses will be provided;
  • details of any requested information or modifications which will not be provided to the Data Subject, the reason(s) for the refusal, and any procedures available for appealing the decision;
  • the reasons for which it cannot comply with the request and confirmation of the potential to:
    • lodge a complaint with a supervisory body; and
    • seek a judicial remedy;
  • an estimate of any costs to be paid by the Data Subject (e.g. where the request is excessive in nature); and
  • the name and contact information of the Fund Recs individual who the Data Subject should contact for follow up.

As noted above Fund Recs cannot generally charge a fee for dealing with any Data Subject requests. However, where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, Fund Recs may either:

  • charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested; or
  • refuse to act on the request.

In such circumstances, Fund Recs shall maintain all necessary records to demonstrate the manifestly unfounded or excessive character of the Data Subject’s request.

  1. Law Enforcement Requests & Disclosures

In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:

  • the prevention or detection of crime;
  • the apprehension or prosecution of offenders;
  • the assessment or collection of a tax or duty; or
  • by the order of a court or by any rule of law.

If a Fund Recs Entity Processes Personal Data for one of these purposes, then it may apply an exception to the Processing rules outlined in this Policy but only to the extent that not doing so would be likely to prejudice the case in question.

If any Fund Recs Entity receives a request from a court or any regulatory or law enforcement authority for information relating to a Data Subject known to Fund Recs it must immediately notify the Compliance Team and the appropriate member of the Legal Team who will provide comprehensive guidance and assistance.

  1. Notification Process

Any individual or Fund Recs Entity who suspects that a Data Breach has occurred due to the theft or exposure of Personal Data must immediately notify the Compliance Team providing a description of what occurred. Notification of the incident can be made via e-mail to des@fundrecs.com

The Compliance Team will investigate all reported incidents to confirm if a Data Breach has occurred. If a Data Breach is confirmed, the Compliance Team will follow the relevant authorised procedure based on the criticality and quantity of the Personal Data involved.

The Compliance Team will also promptly notify the Board of Directors of any relevant Fund Recs Entity of the Data breach and shall, if considered necessary, convene a board meeting to consider the matter further.

16.1 Immediate Notification to the DPC of Data Protection Breaches

Fund Recs via the Compliance Team must report all Personal Data protection breaches to the relevant DPA e.g. Irish Data Protection Commission (“DPC”) within the applicable time period, for example:

Under GDPR, notification must be made to the DPC no later than 72 hours after the becoming aware of the Data breach. If a report is not made within 72 hours then an explanation as to the delay needs to accompany the report.

Fund Recs will follow any guidance issued by the relevant DPA, in relation to reporting Data Breaches. Prior to submitting a notification to the relevant DPA, the notification should be approved by the Board of Directors of the Fund Recs Entity which is responsible for the Data breach, where possible.

16.2 Immediate Notification to the DPC of Data Protection Breaches

The Fund Recs Entity or the Compliance Team will make an assessment regarding notification of a Data Breach to affected Data Subjects, considering the criteria and timing requirements in the relevant Data Protection Legislation.

For example, where the Data Breach falls within the scope of GDPR, the Fund Recs Entity or the Compliance Team will make an assessment regarding notification of a Data Breach to affected Data Subjects considering the criteria set down in Article 34 of the GDPR.

Where it has been determined that notification to a Data Subject is required, notification should occur promptly, without undue delay.

  1. Logging Issues and Breaches

The Compliance Teams shall maintain a central log as set out in Appendix II containing details on all Data Breaches. Issues and resolution of Data Breaches are managed by the Compliance Team.

  1. Data Protection Training

All Fund Recs Employees will have their responsibilities under this Policy outlined to them as part of their staff induction training. In addition, each Fund Recs Entity will be required to provide procedural guidance for their Employees.

The training and procedural guidance set forth will consist of, at a minimum, the following elements:

  • the Data Protection Principles set forth in Section 3 above;
  • each Employee’s duty to use and permit the use of Personal Data only by authorised persons and for authorised purposes;
  • the need for, and proper use of, the forms and procedures adopted to implement this Policy;
  • the correct use of passwords, security tokens and other access mechanisms in line with respective operational procedures;
  • the importance of limiting access to Personal Data;
  • securely storing manual files, print outs and electronic storage media;
  • the need to obtain appropriate authorisation and utilise appropriate safeguards for all transfers of Personal Data inside and outside of the internal network and physical office premises;
  • proper disposal of Personal Data; and
  • any special risks associated with specific departmental activities or duties.

APPENDIX I: PRIVACY NOTICE: GDPR COMPLIANT EXAMPLE

Fund Recs Group (“Fund recs”) Privacy Notice

WEBSITE

Introduction

This notice sets out details of how and why we (“Fund Recs”, “we”, “us”, “our”) and third parties collect and process personal information in connection with your relationship, or directorship with Fund Recs, or associated interactions with us. We do this in compliance with our obligations under applicable data protection law. This notice explains what personal data is collected, the purposes for which it is used, the third parties to whom it may be disclosed and how individuals can exercise their rights in relation to their personal data.

This notice applies to the collection and processing of personal information relating to individuals associated with you, such as directors, shareholders, trustees, beneficial owners, employees, representatives, agents, professional advisers and other personnel. References to “you” and “your” mean the relevant individuals who are the subjects of the personal data to which this notice relates or you. You should ensure that this notice is provided to any individual whose personal data has been provided to us as soon as practicable.

About Us

Fund Recs receives and processes personal data collected as part of your engagement with us or associated interactions with us. Fund Recs may engage third party service providers to process such personal data on its behalf and those third parties act as Processors. Fund Recs are not required to designate a Data Protection Officer. If you have any questions about the use of your personal data, your data protection rights or if you want to exercise those rights, please contact des@fundrecs.com.

Personal Data that we Process

Fund Recs collects personal data relating to you that is provided to us as part of our due diligence process, both from you and from public sources and in connection with our dealings with you or associated interactions with us, including your name, signature, postal address, email address, fax number, date and place of birth, nationality, curriculum vitae, bank account details, source of funds details, tax identification, credit history, signatures, other contact details, shareholder register, account numbers (or functional equivalent) and transaction details.

We may also collect personal data in relation to you in connection with ensuring compliance with our legal obligations including your tax or social security ID number or equivalent; passport number; utility bills, photographic identification and verification such as copies of your passport, passport number, drivers licence and address verification. For the purposes of meeting our legal obligations or carrying out due diligence, we may also collect information relating to your status as an ultimate beneficial owner of an entity, or as a politically exposed person.

We may collect and process personal data relating to you in connection with our on-going relationship with you, such as via correspondence and calls, and in connection with the administration of our relationship with you. Telephone calls with you may be recorded for the purposes of record keeping, security and training.

In addition, we may collect personal data relating to you from third party sources in connection with complying with requirements relating to anti-money laundering, taxation, and other legislation applicable to the financial services industry or for vetting or screening purposes or fitness and probity assessments or references from previous employers.

How we obtain your personal information

We collect information from you as part of our client on-boarding take on processes as necessary in the course of establishing a relationship with you. We gather information about you when you provide it to us, or interact with us directly, for instance engaging with our staff, providing a business card or registering on one of our digital platforms or applications. We may also collect or receive information about you from other sources, such as keeping the contact details we already hold for you accurate and up to date using publicly available sources.

Purposes of Processing and Legal Basis

Personal data that you provide, or that we otherwise obtain in relation to you, will be processed for the following purposes:

  • Processing the application to become a client of Fund Recs;
  • To manage and administer your relationship with Fund Recs. This is necessary for the performance of the onboarding contract with Fund Recs.
  • Establishing your identity, and providing, servicing and administering your relationship or directorship with Fund Recs;
  • complying with our legislative and regulatory obligations in connection with our dealings with you, including under applicable law regarding anti-money laundering and counter terrorist financing, taxation, the regulation of collective investment schemes, or the provision of financial services, crime-detection, prevention, investigation and prosecution, the prevention of fraud, bribery, anti-corruption, tax evasion, to prevent the provision of financial and other services to those who may be subject to economic or trade sanctions, in response to legal or court requests or requests from regulatory authorities or where it is in the public interest;
  • for direct marketing purposes (that is, providing information on products and services) or for quality control, business and statistical analysis, market research or for tracking fees and costs or for customer service, training and related purposes;
  • If applicable, processing the fact that you are a politically exposed person, to comply with applicable legal obligations;
  • To communicate with you by way of notice pursuant to applicable legislation, Fund Recs’s constitution or circulating reports;
  • Maintaining appropriate business records, including maintaining appropriate registers;
  • Where required for local and global tax reporting purposes, including FATCA or CRS;
  • Internal training and management of personnel;
  • To respond to or evaluate any queries or complaints in relation to your directorship, or relationship with us;
  • Internal and external audits and, where necessary, investigations;
  • Establishing, exercising or defending legal claims.

The legal grounds that we rely on to process your personal data are:

  • That it is necessary to comply with Fund Recs legal and regulatory obligations;
  • That it is necessary for the purposes of our legitimate interests8 or the legitimate interests of a third party to whom your personal data is provided. We will not process your personal data for these purposes if our or the third party’s legitimate interests should be overridden by your own interests or fundamental rights and freedoms. The legitimate interests pursued by us in this regard include:
    • Conducting our business in a responsible and commercially prudent manner and dealing with any disputes that may arise;
    • Preventing, investigating or detecting theft, fraud or other criminal activity;
    • Pursuing our corporate and social responsibility objectives.
  • where you are an individual it is necessary to take steps at your request prior to entering into our contract with you and for the performance of our contract with you;
  • In certain limited circumstances, your consent.

Recipients of Data

Your personal data may be disclosed to various recipients in connection with the above purposes, including:

  • The Board of Fund Recs (and in certain circumstances where there is legitimate interest, performance of a contract or legal obligation), its employees;
  • Third party service providers that may be appointed to any product to be established, or service to be provided, by you or the board of that product;
  • Money Laundering Reporting Officer;
  • Company Secretary;
  • A domestic and other foreign tax authorities as required by applicable law, including FATCA or CRS;
  • A Competent Authority in the relevant jurisdiction, the Workplace Relations Commission, Department of Social Protection, Pensions Authority, auditors, or equivalent bodies as requested or required by law;
  • Other third parties who we engage to provide services to us, such as professional advisers, legal advisers, auditors and IT service providers;
  • To screening and other reference agencies in order to carry out money laundering and identity checks and to comply with legal obligations;
  • Other members of our corporate group or the corporate groups of the entities referred to above, as well as affiliates, agents and delegates both within and outside the EEA;

Transfers Abroad

In connection with the above purposes your personal data may be transferred outside the European Economic Area, including to a jurisdiction which is not recognised by the European Commission as providing for an equivalent level of protection for personal data as is provided for in the European Union. These jurisdictions may include the United States of America, the Cayman Islands and Asia. If and to the extent that we do so, we will ensure that appropriate measures are in place to protect the privacy and integrity of such personal data and in particular will comply with our obligations under GDPR9 governing such transfers, which may include:

  • entering into a contract governing the transfer which contains the “standard contractual clauses” approved for this purpose by the European Commission;
  • in respect of transfers to the United States of America, ensuring that the transfer is covered by the EU-US Privacy Shield framework (for so long as that it meets with the requirements of GDPR as regards reliance on adequacy decisions under Article 45 of the GDPR);
  • transferring your personal data pursuant to binding corporate rules; or
  • a transfer where the European Commission has determined that the recipient jurisdiction ensures an adequate level of protection.

Further details of the measures that we have taken in this regard and the territories to which your personal data may be transferred are available by contacting us as set out above.

Use of Fund Recs website

Our website uses Google Analytics, a web-based analytics tool that tracks and reports on the manner in which the website is used to help us to improve it. Google Analytics does this by placing small text files called ‘cookies’ on your device. The information that the cookies collect, such as the number of visitors to the site, the pages visited and the length of time spent on the site, is aggregated and therefore anonymous. You may refuse the use of cookies or withdraw your consent at any time by selecting the appropriate settings on your browser but please note that this may affect your use and experience of our website. By continuing to use our website without changing your privacy settings, you are agreeing to our use of cookies.

Marketing and other emails

We use personal information to understand whether you read the emails and other materials, such as legal publications, that we send to you, click on the links to the information that we include in them and whether and how you visit our website after you click on that link (immediately and on future visits). We do this by using software that places a cookie on your device which tracks this activity and records it against your email address. Please see ‘Use of Fund Recs website’ for more information on cookies and how to manage and remove them.

We may also use a relationship management tool, where permitted by applicable law, to track and record the relationship between Fund Recs and our clients or potential clients based on the frequency of email contact between them. We use that information in order to assess, analyse and improve the services that we provide.

If you receive marketing communications from us and no longer wish to do so, you may unsubscribe at any time by clicking the unsubscribe link at the bottom of all marketing e-mail communications.

Meetings, events and seminars

We also collect and process personal information about you in relation to your attendance at our offices or at an event or seminar organised by Fund Recs or its business partners. We will only process and use special categories of personal information about your dietary or access requirements in order to cater for your needs and to meet any other legal or regulatory obligations we may have. We may share your information with IT and other service providers or business partners involved in organising or hosting the relevant event.

Retention

We will retain your personal data for the duration of your relationship or directorship with Fund Recs, for such a period of time after the relationship, directorship or investment ends as is necessary to comply with our obligations under applicable law and, if relevant, to deal with any claim or dispute that might arise.

Your Rights

You have the following rights, in certain circumstances and subject to applicable exemptions, in relation to your personal data as set out in more detail in Chapter 3 of the GDPR:

  • the right to access your personal data, together with information about our processing of that personal data;
  • the right to rectify any inaccuracies in your personal data;
  • the right to have any incomplete personal data completed;
  • the right to erase your personal data (in certain specific circumstances).
  • the right to request that your personal data is no longer processed for particular purposes (in certain specific circumstances);
  • where the legal basis for processing is consent, the right to withdraw your consent at any time;
  • the right to object to the use of your personal data or the way in which it is processed where Fund Recs has determined it to be necessary for the purposes of our legitimate interests;
  • the right to data portability (in certain specific circumstances);
  • The right to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the requirements of the applicable data protection law.

Links to other sites

Our website may, from time to time, contain links to and from other websites. If you follow a link to any of those websites, please note that those websites have their own privacy policies and we do not accept any responsibility or liability for those policies. Please check those policies before you submit any personal information to those websites.

Changes to this Privacy Statement

We reserve the right to change this Privacy Notice from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Privacy Notice. Your continued use of this website after we make changes is deemed to be acceptance of those changes, so please check this Privacy Notice periodically for updates.