- Macau Property Opportunities Fund Limited (the “Fund“) is regulated by the Guernsey Financial Services Commission and has adopted this data-protection policy (the “Policy“) to ensure it meets its obligations under the Data Protection (Bailiwick of Guernsey) Law, 2001 until midnight on 24 May 2018 and thereafter the Data Protection (Bailiwick of Guernsey) Law, 2017 (as the same may be amended, varied or replaced) (the “DPL“) and to the extent that goods or services are offered to individuals within the EU, the EU data protection regime introduced by the General Data Protection Regulation (Regulation 2016/679, collectively with the DPL, hereinafter referred to as the “Data Protection Legislation“).
- This Policy describes how Personal Data must be collected, handled, stored, disclosed and otherwise “Processed” to meet the Fund’s data protection obligations and to comply with the Data Protection Legislation.
- The purpose of this Policy is to ensure that everyone involved in the processing of Personal Data at the Fund is fully aware of, and complies with, the requirements of the Data Protection Legislation.
- A “Privacy Notice” exists which provides information for external individuals as to how their Personal Data is being processed.
- In preparing the Policy, the Fund has taken into account the nature, scale and complexity of its business and in particular the fact that it relies broadly on an outsourced model and the support of its delegates and affiliates for the performance of its functions. As the Fund does not regularly and systematically monitor Data Subjects on a large scale, it has not appointed a data protection officer. The Fund’s board of directors (the “Board“) is ultimately responsible for ensuring that the Fund meets its legal obligations and operates in full compliance with the Data Protection Legislation.
- “Data Controller” means any natural or legal person, which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data (in this case, the Fund).
- “Data Processor” means a natural or legal person who processes Personal Data on behalf of the Data Controller such as a fund administrator, distributor and/or other delegates that receive Personal Data.
- “Data Subject” means an identified or identifiable natural person who is the subject of Personal Data.
- “Personal Data” means any personal information relating to a Data Subject, such as name, residential address, email address, contact details, corporate contact information, signature, nationality, place of birth, date of birth, tax identification, credit history, correspondence records, passport number, bank account details, source of funds details and details relating to an investor’s investment activity, any other information about you that you disclose to us when registering your interest via our website, your IP address, your browser type and language and other information about your visit to our website, cookies and online identifiers.
- “Privacy Notice” means the data protection disclosure statement prepared in respect of the Fund outlining the Fund’s data protection obligations and the data protection rights of Data Subjects investing in the Fund, as required under the Data Protection Legislation.
- “Processing” means performing any operation or set of operations on Personal Data, whether or not by automatic means, including collecting, recording, organising, storing, amending, using, retrieving, disclosing erasing or destroying it. The rules around the Processing of Personal Data apply whether the activity takes place in the European Union (“EU“) or not, where the Processing activities are related to (i) the offering of goods and services to Data Subjects that are in the EU; or (ii) the monitoring of their behaviour which takes place within the EU. Furthermore, as the Fund will process data as relating to Data Subjects, such as Directors, it will be required to process in accordance with the DPL.
3. The Fund as Data Controller
- The Fund is a Data Controller and shall comply with its obligations as such under the Data Protection Legislation.
- When Processing Personal Data, there may also be times where other service providers to the Fund (including the Administrator, Manager and Registrar) will to the extent they determine the purpose and the means of processing, may also be characterised as Data Controllers under the Data Protection Legislation. This however, does not exonerate the Fund from its responsibilities as a Controller. It is important that if there is any risk of the Fund acting as a Controller jointly with a service provider, a review of the contractual arrangements as to the determination of the purpose and means of data processing and the attribution of responsibilities between the two, be comprehensively considered for governance and legal reasons.
4. Data Protection Principles
- Personal Data shall be:
- processed fairly, lawfully and transparently;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- limited to what is required for the stated purpose or purposes;
- accurate, complete and up to date;
- retained for not longer than is necessary for the stated purpose or purposes;
- kept safe and secure;
- provided to a Data Subject on request (please see Section 5); and
- not transferred to people or organisations situated in countries without adequate protection.
- Fair and transparent Processing
Fairly obtained Personal Data requires that the Data Controller, either before or at the time the Personal Data is collected, makes the Data Subject aware of the following:
- the identity and contact details of the Data Controller;
- the purpose in collecting the Personal Data as well as the legal basis for Processing;
- if one such legal basis, is the legitimate interests of the Data Controller, the legitimate interests of the Data Controller or third party and an explanation of those interests (where Processing is based on this ground);
- the persons or categories to whom the Personal Data may be disclosed;
- details of any transfers outside of the European Economic Area (“EEA“) and a description of the safeguards in place and the means by which to obtain a copy of them;
- the period for which the Personal Data will be stored;
- the Data Subject’s right to access Personal Data;
- the Data Subject’s right to rectify Personal Data if inaccurate;
- the Data Subject’s right to erasure of Personal Data;
- the Data Subject’s right to the portability of their Personal Data;
- the Data Subject’s right to limit Processing;
- the Data Subject’s right to withdraw consent;
- the Data Subject’s right to object to Processing, in certain circumstances; and
- the Data Subject’s right to lodge a complaint with The Office of the Data Protection Commissioner in Guernsey.
The Fund generally meets these requirements through the provision to Data Subjects of the Privacy Notice in shareholder communications.
The Fund will ensure that all information and communications relating to the Processing of Personal Data will be clear, concise, transparent, intelligible, easily accessible and easy to understand using clear and plain language. The Fund will ensure that these transparency requirements are adhered to at all stages of the collection and Processing of Personal Data.
If any of the information described above changes after it has been provided to the Data Subject, the Data Subject shall be provided with an update to the information.
- Lawful Processing
The Fund can process Personal Data lawfully to the extent that at least one of the following applies;
- where the Data Subject has given consent to the Processing (although it is preferred wherever possible that alternate grounds of processing be utilised and that the Fund only rely on consent to Process as a last resort);
- where Processing is necessary for the performance of the contract with the Fund;
- where Processing is necessary in order to protect the vital interests of the Data Subject or another natural person;
- where Processing is necessary for compliance with a legal obligation to which the Fund is subject; and/or
- where Processing is necessary for the purposes of the legitimate interests of the Fund or a third party and such legitimate interests are not overridden by the Data Subject’s interests, fundamental rights or freedoms.
- Purpose Limitation
The Fund will only collect and process Personal Data for purposes that are specific, explicit and for legitimate purposes. The Fund will process Personal Data for the following purposes;
- to reflect an investor’s ownership of shares in the Fund (i.e. where this is necessary for the performance of the contract to purchase shares in the Fund or to process redemption, conversion, transfer and additional subscription requests or the payment of distributions);
- to discharge its anti-money laundering and terrorist financing/sourcing of funds obligations to verify the identity of its customers (and, if applicable their beneficial owners) or for prevention of fraud or for regulatory or tax reporting purposes or in response to legal requests or requests from regulatory authorities (i.e. where this is necessary for compliance with a legal obligation to which the Fund is subject); and/or
- for direct marketing purposes (that is, the provision of information to Data Subjects on products and services) or for quality control, business and statistical analysis or for tracking fees and costs or for customer service, training and related purposes (i.e. where this is necessary for the purposes of the legitimate interests of the Fund or a third party and such legitimate interests are not overridden by the Data Subject’s interests, fundamental rights or freedoms and provided that the Fund is acting in a fair, transparent and accountable manner and has taken appropriate steps to prevent such activity having any unwarranted impact on the Data Subject, noting the right of the Data Subject to object to such uses, as discussed below).
The Fund will not process Personal Data in a manner that is incompatible with the purposes communicated to Data Subjects without first advising the Data Subjects of any other purpose and the applicable basis upon which Processing is conducted.
- Personal Data Minimisation
The Personal Data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is being processed.
- Accurate Records
The Fund will ensure that the Personal Data held is accurate and kept up to date. The accuracy of any Personal Data will be checked at the time of collection and at regular intervals or triggers thereafter. The Fund will take all reasonable steps to amend inaccurate or out-of-date Personal Data.
- Storage Limitation
The Fund will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. It will take all reasonable steps to erase all Personal Data which is no longer required. The Fund will be clear when informing the Data Subject about the length of time for which Personal Data will be kept or the criteria for determining such length of time and the reason why the information is being retained.
In processing Personal Data, the Fund shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. In particular, the Fund shall take all appropriate security, technical security and organisational measures to address the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
The Fund will seek assurances from any service providers that act as Data Processors for the Fund that they have implemented appropriate information security measures which comply with the relevant conditions of the Data Protection Legislation.
- Transferring Personal Data to a country outside the EEA
Data Processors may only transfer Personal Data outside of the EEA (a) with the written consent of the Fund (which will only be provided subject to certain conditions being satisfied); (b) where required to do so by EU or the law of an EU member state to which the relevant Data Processor is subject or (c) in certain limited circumstances, set out in the Data Protection Legislation e.g.: in pursuance of compliance with decisions of public authorities of the Bailiwick based on an international agreement improving international obligations on the Bailiwick
Subject to the provision by the Data Processor of appropriate safeguards in compliance with the Data Protection Legislation and subject to the availability of rights and effective legal remedies for Data Subjects, or shall otherwise be in accordance with the requirements of the Data Protection Legislation.
5. Data Subject Rights
- Right to Access
The Data Subject shall have the right to obtain confirmation from the Fund as to whether or not Personal Data concerning them is being processed.
Where the Fund is Processing their Personal Data, the Data Subject will have the right to access such Personal Data and the following information (without limitation);
- the purpose of the Processing;
- the categories of Personal Data concerned;
- the persons or categories of persons to whom the Personal Data may be disclosed, in particular recipients in third countries or international organisations;
- the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the Fund rectification or erasure of the Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing;
- the right to lodge a complaint with the Data Protection Commission;
- where the Personal Data is not collected for the Data Subject, any available information as to their source; and
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
Where Personal Data is transferred to a third country or an international organisation, the Data Subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
The right to obtain a copy of the Personal Data undergoing Processing will not adversely affect the rights and freedoms of others, meaning the relevant information will be redacted where necessary.
The Fund will not charge a fee for complying with the Data Subject’s access request unless it can demonstrate that the request is excessive in nature, having regard to the number of requests made by the Data Subject. In such cases a reasonable fee based on administrative costs may be charged.
The information must be provided without delay and within at least one month. Where requests are complex, the Fund will be able to extend the deadline for providing the information to three months. However, it must still respond to the request within a month, explaining why the extension is necessary.
The Fund may refuse to act upon a request that is manifestly unfounded or excessive in nature, in which case it will inform the Data Subject of its reasons as soon as practicable in writing and inform the Data Subject of their right to lodge a complaint with the Supervisory Authority.
A request may be made by an individual, such as an investor or a director, and may be made in electronic format as well as by written request.
- Right to be forgotten/erasure of Personal Data
The Data Subject shall have the right for Personal Data to be erased without undue delay in certain contexts including, but not limited to, where the Personal Data has been Processed unlawfully or where the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise.
Given the specific nature for which the Fund uses the Personal Data it collects, this is not likely to be applicable to the Data Subjects of the Fund.
- Right to the restriction of Processing
Data Subjects have the right to require that the Fund restrict Processing of Personal Data in certain circumstances including, but not limited to, where the Personal Data is inaccurate, is no longer required in light of the purposes of the Processing or the Data Subject has exercised their right to object (pending verification of any legitimate grounds of the Fund which overrides those of the Data Subject).
Where Processing has been restricted, such Personal Data shall, with the exception of storage, only be processed with the Data Subject’s consent. The Fund will inform the Data Subject before the restriction of Processing is lifted.
- Right to object
The Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to Processing of Personal Data concerning them where the Processing is based on the legitimate interests pursued by the Fund.
The Fund shall no longer process the Personal Data unless the Fund demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Data Subjects shall have the right to object to the Processing of Personal Data for direct marketing purposes at any time. Where the Data Subject objects to Processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes.
- Right to portability
Where the conditions are met in Section 14(1) (b) of the DPL the Data Subject has the right to request the transmission of its personal data. This right is limited if the transmission were to adversely affect the rights and freedoms of others.
6. Third Party Service Providers
- Where the Fund instructs a third party to process personal data on its behalf (a third party Data Processor), the Data Processor must enter into a written agreement with the Fund that:
- provides details of the processing of Personal Data that they are being instructed to carry out;
- requires the third party to process the Personal Data only in accordance with the Fund’s written instructions and to the extent necessary for them to fulfil their obligations to the Fund under the agreement;
- requires the third party to implement appropriate technical and organisational measures and controls to ensure the confidentiality and security of the personal data; and
- imposes any additional data processing obligations required by the Data Protection Legislation.
- The data processing agreement should be signed by both parties before any Personal Data is transferred to the Data Processor.
- Any party making amendments or unable to adhere to the data processing agreement should be referred to the Board before the agreement is signed.
- When contracting with a Data Processor, it is important that the Fund conducts appropriate due diligence both at the outset of the relationship and on a periodic basis. The due diligence should ensure that the Data Processor is capable of complying with the requirements of the written agreement as detailed above.
7. Co-operation with supervisory authorities
- The Fund shall cooperate, on request, with the relevant supervisory authority in the performance of its tasks.
7.2 The relevant supervisory authority for the Fund is The Office of the Data Protection Commissioner in Guernsey (the “Supervisory Authority“) although EU resident Data Subjects may lodge complaints with the supervising authority in respect of data protection in the jurisdiction of their residence.
8. Keeping records of all Processing
- The Fund shall maintain accurate and complete records of all the Processing activities it undertakes directly. This requires that the Fund determine what Personal Data it holds, where it came from and who the Fund shares it with. Similarly each Data Processor will be required to maintain accurate and complete records of all Processing activities it undertakes directly.
- A record of the Fund’s Processing activities is contained in Appendix I.
- The Fund will retain Personal Data for a period of up to seven years following the Data Subject’s disinvestment from the Fund or at the point from when the business relationship with the Fund has ceased. Information may be retained for a longer period where this is necessary for compliance with a legal obligation or for the establishment, exercise or defence of a legal claim. The Fund and its duly authorised delegates will refrain from collecting any further Personal Data and shall take appropriate steps to dispose of any records containing Personal Data, to the extent that this is operationally feasible and proportionate.
9. Reporting of Personal Data breaches
- If the Fund detects and records a Personal Data breach, it shall notify the Supervisory Authority without delay, and in any case not later than 72 hours, unless the breach is unlikely to result in a risk to the rights of the Data Subject. A notification template is set out in Appendix II.
- Each Data Processor shall notify the Fund without undue delay after becoming aware of a Personal Data breach and shall include in any such notification the applicable information referred to in the Data Protection Legislation (as set out in Appendix II) and shall provide all reasonable assistance to the Fund in connection with any such Personal Data breach, including in particular facilitating the Fund communicating details of any Personal Data breach to the relevant Data Subject if required, as described at sub-paragraph 9.4.
- The Fund shall document all Personal Data breaches, comprising the facts relating to the Personal Data breach, its effects and the remedial action taken.
- Unless one of the conditions set out in sub-paragraphs (a) to (c) below are met, the Data Subject must also be notified without undue delay if the Personal Data breach is likely to result in a high risk to their rights and freedoms. The notification shall describe in clear and plain language the nature of the breach, the name of the contact point where more information can be obtained, the likely consequences and measures taken to mitigate or a dress the breach.
Notification to the Data Subject is not required in the following circumstances:
- where the relevant Personal Data is encrypted/protected in a manner making it unintelligible to unauthorised persons;
- where the Fund has taken subsequent measures which ensure that the high risk to risks and freedoms of the Data Subject from the breach is no longer likely to materialise;
- where an individual notification would involve disproportionate effort (e.g. public communication or similar is sufficient).
- The Fund works with third parties to research certain usage and activities on the website on our behalf. In the course of conducting this research these third parties may place a unique ‘cookie’ on your browser. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors to their sites. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the website.
- In addition, we use two specific types of cookie on this website:
- Session cookies, which are temporary cookies that remain in the cookie file of your computer until you close your browser (at which point they are deleted).
- Persistent or stored cookies that remain permanently on the cookie file of your computer.
- The web browsers of most computers are initially set up to accept cookies. If you prefer, you can set your web browser to disable cookies or to inform you when a website is attempting to add a cookie. You can also delete cookies that have previously been added to your computer’s cookie file.
- You can set your browser to disable persistent cookies and/or session cookies but if you disable session cookies, although you will be able to view this website’s unsecured pages, you may not be able to log onto any authenticated pages. Please visit http://www.allaboutcookies.org/manage-cookies/ to discover how to disable and delete cookies.
11. Web Beacons And Spotlight Tags
This website may also contain electronic images, known as web beacons or spotlight tags. These enable us to count users who have visited certain pages on the website. Web beacons and spotlight tags are simply tools used to obtain generic information about the web pages visited.
12. Your queries
If you have any questions about our use of your personal data, our retention procedures or our security processes or privacy issues generally, please contact:
Macau Property Opportunities Fund Limited
c/o Estera International Fund Managers (Guernsey) Limited
PO Box 255
Le Marchant Street
St Peter Port
Telephone: 00 44 1481 724724
13. Board Oversight and Updates to this Policy
- The Board will be responsible for the oversight of compliance with this Policy. It will review the appropriateness of this Policy annually and will ensure that it is operating as intended. It will also review this Policy to ensure that it continues to be compliant with applicable national and international regulations, principles and standards.
- This Policy shall be reviewed and updated as necessary on at least an annual basis or as and when is required or deemed necessary by the Fund. Material changes to this Policy will be approved by the Board.
Appendix I – Records of Processing activities in accordance with Article 30 of the Data Protection Legislation
The Data Controller
|Name and contact details of Data Controller||Macau Property Opportunities Fund Limited mpofteam-GG@estera.com|
|The purposes of Processing||As outlined in the Privacy Notice|
|The categories of Data Subjects||Individual investors and individuals connected to institutional investors that provide the Fund with Personal Data (for example directors, trustees, employees, representatives, shareholders, investors, clients, beneficial owners or agents), directors and visitors to the company web-site.|
|The categories of Personal Data||Name, residential address, email address, contact details, corporate contact information, signature, nationality, place of birth, date of birth, tax identification, credit history, correspondence records, passport number, bank account details, source of funds details and details relating to investment activity, any other information about that is disclosed to us when registering interest via our website, your IP address, your browser type and language and other information about your visit to our website, cookies and online identifiers.|
|The categories of recipients in the EU||– the administrator (Estera International Fund Managers (Guernsey) Limited); and
– the registrar (Link Market Services (Guernsey) Limited), and their respective affiliates and delegates.
|The categories of recipients in third countries||– the manager (Sniper Capital Limited).|
|The categories of recipients who are international organisations||N/A|
|Suitable safeguards in the case of transfers in line with Article 49(1) of the Data Protection Legislation||In line with market standards|
|Time limits for erasure of Personal Data||Refer to the Privacy Notice, “Retention of personal data”|
|A general description of the technical and organisational security measures in place||N/A – no data held directly by the Fund.|
Appendix II – Notification Letter Template (required information under Article 33 of the Data Protection Legislation)
Data Protection Commissioner
The Office of the Data Protection Commissioner
Guernsey Information Centre,
St Peter’s Port,
Dear [ ]
Notification of Breach
[Insert a description of the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned].
[Insert the name and contact details of the data protection officer or other contact point where more information can be obtained].
[Insert a description of the likely consequences of the Personal Data breach].
[Insert a description of the measures taken or proposed to be taken by the Data Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects].