DATA PROTECTION

DATA PROTECTION

MCGRATH TONNER – DATA PROTECTION AND PRIVACY POLICY

1. McGrath Tonner is a partnership formed under the laws of the Cayman Islands. References in this Data Protection and Privacy Policy to “we” or “us” are references to McGrath Tonner.

2. McGrath Tonner is committed to protecting the privacy of our clients and maintaining the confidentiality and security of our clients’ personal information. Any personal information processed by us is controlled by us and we are the data controller of our clients’ personal information.

3. Reference in this Privacy Notice to “personal data” means any information that identifies, or could reasonably be used to identify, a living individual, either on its own or together with other information.

4. The collection and management of personal data in the Cayman Islands is governed by the Data Protection Act (2021 Revision) (“the DPA”).

How we obtain personal data
5. As a provider of legal services, we regularly receive personal data to enable us to provide our services and to comply with various regulatory requirements, particularly in relation to anti-money laundering, and the combatting of terrorist and proliferation financing. We also collect and hold personal data in respect of individuals employed by us.

6. We may collect personal data:

• As part of our business onboarding procedures;
• As part of our invoicing and billing procedures;
• When a person seeks employment from us;
• When a person or organisation contacts us via the ‘contact us’ page of our website;
• When a person or organisation emails us, or provides such data to us in other circumstances, such as when requesting details of our services, or attending a firm sponsored event.

7. In some cases, we may collect personal data from a third-party source, such as an information or service provider, or from public records.

8. Where details are provided to us in consequence of our appointment to provide services to an individual client or to an entity with which an individual client is connected, we may process that personal information or, if the client is an entity, we may collect and process personal information of:

(i) the entity’s beneficial or legal owner(s);
(ii) the entity’s employees; and
(iii) the entity’s directors, officers, trustees, general partners, managers, or other persons serving in a similar capacity (the foregoing collectively referred to as “personal information”).

The personal data we collect and process
9. The personal information that we collect and process may include, without limitation, the following:

• Identification and background information provided by the client or collected by us as part of our business acceptance procedures, such as passport or other national identifier details;
• Basic information, such as name, employer, title or position and relationship to a person or entity;
• Contact information, such as physical address, email address and telephone/fax number(s);
• Financial information, such as bank account details and the source of funds used to pay our bill or that will pass through our client account as part of a transaction;
• Information we are required by our regulator to hold on clients and parties to transactions;
• Information provided to us for the purposes of travel/attending meetings and events;
• Personal information provided to us by or on behalf of our clients, partners and employees or generated by us in the course or providing services and employment, which may include special categories of data (such as sickness records for employees or past employees);
• Details of visits to our offices; and
• Any other information relating to clients which may be provided to us.

How we use personal information
10. Whether we receive personal information directly or from a third-party source, we will only use personal information in connection with our ordinary business activities (including the fulfilment of our legal or regulatory obligations).

11. These “Permitted Uses” may include:

• Providing services to our clients, which includes notifying clients of legal or regulatory developments and requirements, of which it is necessary to inform them to ensure that the entities and persons to which we provide services continue to be in compliance with the relevant laws and regulations;
• Managing our business relationship with clients or their organisations, whether in connection with the provision or procurement of goods and services or as an employer or former employer, including processing payments, accounting, auditing, billing and collection and related support services;
• Acting in compliance with our legal obligations, including (but not limited to) anti-money laundering, combatting terrorism and proliferation financing and sanctions checks;
• Managing and securing the access to our offices and systems;
• Complying with court orders and other legal and regulatory requirements;
• Processing that is necessary for purposes of the legitimate interests of McGrath Tonner or third parties provided that such interests are not overridden by the interests of the client or the client’s human rights; and
• For any purpose related to the foregoing or for any purpose for which the client provided the personal data to McGrath Tonner.

12. If we require the client’s consent (and have received this consent), we may process personal data for additional purposes. Clients may withdraw consent for such additional processing at any time. Such additional purposes may include:

• Communicating with respect to announcements, events and McGrath Tonner products and services which may be of interest;
• Distributing surveys or marketing materials; or
• Any other purpose for which consent has been given.

How we share personal information
13. McGrath Tonner is required to ensure a level of data protection as required by Cayman Islands law, specifically the DPA, therefore we will only share personal information with others if and to the extent it is necessary and appropriate for one of the purposes outlined in this policy.

14. We may need to share personal information with those who support our business operations, including but not limited to, administrative support service providers, IT support providers, data processing or storage services, couriers, legal entity formation/registration services, fund administration services, fiduciary services, insurers, accountants, consultants, auditors etc.

15. We may also need to transfer personal data to third parties, sub-contractors, legal counsel, providers of risk intelligence data for AML/CFT/CPF due diligence purposes, regulators, relevant Cayman Islands Government departments or officers, courts, tribunals, law enforcement authorities, and third parties involved in the clients’ matters.

16. We may need to share personal information with any potential buyers of our business, assets or any part thereof, anyone to whom we assign or novate any of our rights and/or obligations.

17. We may need to share personal information with companies and their employees/agents providing services relating to the fulfillment of our regulatory requirements, including, but not limited to, money-laundering, terrorist and proliferation financing checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies, intelligence databases, KYC screening databases and regulatory bodies.

18. We may need to share information with others who participate in or contribute to transactions, arrangements, schemes, legal proceedings, public inquiries, regulatory investigators, and other like matters in respect of which we provide services, including those who are the opponents of our client in legal proceedings as well as other lawyers, experts and professional advisers.

19. Our backup and disaster recovery/business continuity servers are securely located in the cloud. All of our data is backed up regularly and encrypted. This service is currently outsourced to, and overseen by, IT Outsource Ltd. in the Cayman Islands.

20. Where we share or transfer personal information, we will do this in accordance with applicable data protection laws and will take appropriate safeguards to ensure its integrity and protection.

The transfer of personal information outside of the Cayman Islands
21. As some of our client engagements, and also the clients themselves, are international, we may need to transfer personal information outside the Cayman Islands to any of the different categories of recipients outlined above, who may be located in or outside the European Economic Area or in any other country in the world.

22. These countries may not have data protection laws equivalent to the DPA, especially if they are outside of European Economic Area. This does not mean personal information is at risk, however it does mean that there may not be as many formal legal protections in place to protect the personal information.

23. Where we do share personal information with recipients who are outside of the Cayman Islands, and where we are aware of there being fewer legal protections in respect of personal information in the recipient’s country, we will take reasonable steps where possible to ensure that personal information is protected. We will do this by seeking contractual assurances, undertakings or similar from the recipient, wherever possible.

24. Where this safeguard is not possible, we will only share personal information where the legal exemptions permit us to do so under the DPA and to the minimum extent necessary.

Keeping personal information secure
25. We take appropriate measures against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information in accordance with our procedures regarding its storage, access, and destruction. Information may be stored by us or our sub-contractors or any of the recipients referred to in this policy, either electronically or in paper files or a combination of both.

Retaining the client’s personal information
26. We will delete personal information when it is no longer reasonably required by us in connection with the provision of our products or services or consent is withdrawn (if applicable), provided that we are not required by law or regulatory requirements to continue to hold such information.

27. Additionally, we may retain personal information for an additional period to the extent required by the relevant regulatory bodies with respect to anti-money laundering, terrorist and proliferation financing and the implementation of financial sanctions, or to the extent we deem it necessary to assert or defend legal claims during any relevant retention period.

28. Our current policy is, under normal circumstances, to retain information for a period of at least 5 years after the termination of our relationship with a client.

29. Upon the expiry of the relevant retention period we will destroy personal data in accordance with applicable laws and regulations.

Rights of data subjects
30. Under the DPA, data subjects have the following rights with respect to the use by McGrath Tonner of their personal information:

• To ask McGrath Tonner to confirm whether we handle the personal information of the data subject:
• To ask McGrath Tonner to provide copies of the personal information we hold;
• To ask McGrath Tonner to correct the accuracy or completeness of the personal information held;
• To ask McGrath Tonner to stop handling the personal information of the data subject, or not to begin handling the personal information;
• To ask McGrath Tonner not to subject the personal information to automated decision-making;
• To object to personal information held about the data subject being used for direct marketing services.

31. In any case in which a data subject chooses not to provide any personal data or where any of the rights set out above are exercised to limit the processing of personal data, we may be unable to provide services, or there may be a restriction on the services which can be provided, or the rights of the data subject may be limited by legislation or regulation applicable to our business.

32. The above rights are not absolute and are subject to various legal conditions and exemptions. If and to the extent a relevant legal condition or exemption applies (including exemptions that preserve legal professional privilege) we reserve the right not to comply with the request of the data subject.

33. These rights may usually be exercised free of charge, however, McGrath Tonner reserves the right to charge a fee if warranted by any request in the exercise of these rights.

Point of Contact for data subjects
34. Any data subject who wishes to:

• Exercise any of their rights under the DPA or this policy;
• Ask any questions in relation to how McGrath Tonner handles personal data; or
• Make a complaint regarding the way in which their personal data is handled

may contact McGrath Tonner via info@mcgrathtonner.com.

35. Any data subject who is unhappy with how their request, query, complaint or any other aspect of McGrath Tonner’s personal data handling, may contact the Cayman Islands’ Ombudsman:

Address: 5th Floor, Anderson Square, 64 Shedden Road, George Town, Grand Cayman
Mail: PO Box 2252, Grand Cayman KY1-1107, CAYMAN ISLANDS
Email: info@ombudsman.ky
Telephone: +1 345 946 6283

Updates
36. We reserve the right to amend this Privacy Notice from time to time to reflect changing legal requirements or our processing practices. Any such changes will be posted on our website and will be effective upon posting.

– LAST REVIEWED AND UPDATED 26 APRIL 2022 –

MCGRATH TONNER CORPORATE SERVICESDATA PROTECTION AND PRIVACY POLICY

1. McGrath Tonner Corporate Services Ltd. (“MTCS”) is a limited liability company incorporated under the laws of the Cayman Islands. References in this Data Protection and Privacy Policy to “we”, “us” or “MTCS” are references to McGrath Tonner Corporate Services Limited.

2. MTCS is committed to protecting the privacy of our clients and maintaining the confidentiality and security of our clients’ personal information. Any personal information processed by us is controlled by us and we are the data controller of our clients’ personal information.

3. Reference in this Privacy Notice to “personal data” means any information that identifies, or could reasonably be used to identify, a living individual, either on its own or together with other information.

4. The collection and management of personal data in the Cayman Islands is governed by the Data Protection Act, 2017 (“the DPA”).

How we obtain personal data
5. As a provider of corporate services, we regularly receive personal data to enable us to provide our services and to comply with various regulatory requirements, particularly in relation to anti-money laundering, and the combatting of terrorist and proliferation financing. We also collect and hold personal data in respect of individuals employed by us.

6. We may collect personal data:

• As part of our business onboarding procedures;
• As part of our invoicing and billing procedures;
• When a person seeks employment from us;
• When a person or organisation contacts us via the ‘contact us’ page of our website;
• When a person or organisation emails us or provides such data to us in other circumstances, such as when requesting details of our services, or attending a firm sponsored event.

7. In some cases, we may collect personal data from a third-party source, such as an information or service provider or from public records.

8. Where details are provided to us as a consequence of our appointment to provide services to an individual client or to an entity with which an individual client is connected, we may process that personal information or, if the client is an entity, we may collect and process personal information of:

(i) the entity’s beneficial or legal owner(s);
(ii) the entity’s employees; and
(iii) the entity’s directors, officers, trustees, general partners, managers, or other persons serving in a similar capacity (the foregoing collectively referred to as “personal information”).

The personal data we collect and process
9. The personal information that we collect and process may include, without limitation, the following:

• Identification and background information provided by the client or collected by us as part of our business acceptance procedures, such as passport or other national identifier details;
• Basic information, such as name, employer, title or position and relationship to a person or entity;
• Contact information, such as physical address, email address and telephone/fax number(s);
• Financial information, such as bank account details and the source of funds used to pay our bill or that will pass through our client account as part of a transaction;
• Information provided to us for the purposes of travel/attending meetings and events;
• Information we are required by our regulator to hold on clients and parties to transactions;
• Personal information provided to us by or on behalf of our clients, partners and employees or generated by us in the course or providing services and employment, which may include special categories of data (such as sickness records for employees or past employees);
• Details of visits to our offices; and
• Any other information relating to clients which may be provided to us.

How we use personal information
10. Whether we receive personal information directly or from a third-party source, we will only use personal information in connection with our ordinary business activities (including the fulfilment of our legal or regulatory obligations).

11. These “Permitted Uses” may include:

• Providing services to our clients, which includes notifying clients of legal or regulatory developments and requirements, of which it is necessary to inform them to ensure that the entities and persons to whom we provide services continue to be in compliance with the relevant laws and regulations;
• Managing our business relationship with clients or their organisations, whether in connection with the provision or procurement of goods and services or as an employer or former employer, including processing payments, accounting, auditing, billing and collection and related support services;
• Acting in compliance with our legal obligations, including (but not limited to) anti-money laundering, combatting terrorism and proliferation financing and sanctions checks;
• Managing and securing the access to our offices and systems;
• Complying with court orders and other legal and regulatory requirements;
• Processing that is necessary for purposes of the legitimate interests of MTCS or third parties provided that such interests are not overridden by the interests of the client or the client’s human rights; and
• For any purpose related to the foregoing or for any purpose for which the client provided the personal data to MTCS.

12. If we require the client’s consent (and have received this consent), we may process personal data for additional purposes. Clients may withdraw consent for such additional processing at any time. Such additional purposes may include:

• Communicating with respect to announcements, events and MTCS products and services which may be of interest;
• Distributing surveys or marketing materials; or
• Any other purpose for which consent has been given.

How we share personal information
13. MTCS is required to ensure a level of data protection as required by Cayman Islands law, specifically the DPA, therefore we will only share personal information with others if and to the extent it is necessary and appropriate for one of the purposes outlined in this policy.

14. We may need to share personal information with those who support our business operations, including but not limited to, administrative support service providers, IT support providers, data processing or storage services, couriers, legal entity formation/registration services, fund administration services, fiduciary services, insurers, accountants, consultants, auditors etc.

15. We may also need to transfer personal data to third parties, sub-contractors, legal counsel, providers of risk intelligence data for AML/CFT/CPF due diligence purposes, regulators, relevant Cayman Islands Government departments or officers, courts, tribunals, law enforcement authorities, and third parties involved in the clients’ matters.

16. We may need to share personal information with any potential buyers of our business, assets or any part thereof, anyone to whom we assign or novate any of our rights and/or obligations.

17. We may need to share personal information with companies and their employees/agents providing services relating to the fulfillment of our regulatory requirements, including, but not limited to, money-laundering, terrorist and proliferation financing checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies, intelligence databases, KYC screening databases and regulatory bodies.

18. We may need to share information with others who participate in or contribute to transactions, arrangements, schemes, legal proceedings, public inquiries, regulatory investigators, and other like matters in respect of which we provide services, including those who are the opponents of our client in legal proceedings as well as other lawyers, experts and professional advisers.

19. Our backup and disaster recovery/business continuity servers are securely located in the cloud. All of our data is backed up regularly and encrypted. This service is currently outsourced to, and overseen by, IT Outsource Ltd. in the Cayman Islands.

20. When we share or transfer personal information, we will do this in accordance with applicable data protection laws and will take appropriate safeguards to ensure its integrity and protection.

The transfer of personal information outside of the Cayman Islands
21. As some of our client engagements, and also the clients themselves, are international, we may need to transfer personal information outside the Cayman Islands to any of the different categories of recipients outlined above, who may be located in or outside the European Economic Area or in any other country in the world.

22. These countries may not have data protection laws equivalent to the DPA, especially if they are outside of European Economic Area. This does not mean personal information is at risk, however it does mean that there may not be as many formal legal protections in place to protect the personal information.

23. Where we do share personal information with recipients who are outside of the Cayman Islands, and where we are aware of there being fewer legal protections in respect of personal information in the recipient’s country, we will take reasonable steps where possible to ensure that personal information is protected. We will do this by seeking contractual assurances, undertakings or similar from the recipient, wherever possible.

24. Where this safeguard is not possible, we will only share personal information where the legal exemptions permit us to do so under the DPA and to the minimum extent necessary.

Keeping personal information secure
25. We take appropriate measures against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information in accordance with our procedures regarding its storage, access, and destruction. Information may be stored by us or our sub-contractors or any of the recipients referred to in this policy, either electronically or in paper files or a combination of both.

Retaining the client’s personal information
26. We will delete personal information when it is no longer reasonably required by us in connection with the provision of our products or services or consent is withdrawn (if applicable), provided that we are not required by law or regulatory requirements to continue to hold such information.

27. Additionally, we may retain personal information for an additional period to the extent required by the relevant regulatory bodies with respect to anti-money laundering, terrorist and proliferation financing and the implementation of financial sanctions, or to the extent we deem it necessary to assert or defend legal claims during any relevant retention period.

28. Our current policy is, under normal circumstances, to retain information for a period of at least 5 years after the termination of our relationship with a client.

29. Upon the expiry of the relevant retention period we will destroy personal data in accordance with applicable laws and regulations.

Rights of data subjects
30. Under the DPA, data subjects have the following rights with respect to the use by MTCS of their personal information:

• To ask MTCS to confirm whether we handle the personal information of the data subject:
• To ask MTCS to provide copies of the personal information we hold;
• To ask MTCS to correct the accuracy or completeness of the personal information held;
• To ask MTCS to stop handling the personal information of the data subject, or not to begin handling the personal information;
• To ask MTCS not to subject the personal information to automated decision-making;
• To object to personal information held about the data subject being used for direct marketing services.

31. In any case in which a data subject chooses not to provide any personal data or where any of the rights set out above are exercised to limit the processing of personal data, we may be unable to provide services, or there may be a restriction on the services which can be provided, or the rights of the data subject may be limited by legislation or regulation applicable to our business.

32. The above rights are not absolute and are subject to various legal conditions and exemptions. If and to the extent a relevant legal condition or exemption applies (including exemptions that preserve legal professional privilege) we reserve the right not to comply with the request of the data subject.

33. These rights may usually be exercised free of charge, however, MTCS reserves the right to charge a fee if warranted by any request in the exercise of these rights.

Point of Contact for data subjects
34. Any data subject who wishes to:

• Exercise any of their rights under the DPA or this policy;
• Ask any questions in relation to how MTCS handles personal data; or
• Make a complaint regarding the way in which their personal data is handled;
may contact MTCS via info@mctscayman.com
35. Any data subject who is unhappy with how their request, query, complaint or any other aspect of MTCS personal data handling, may contact the Cayman Islands’ Ombudsman:
Anderson Square, 64 Shedden Road, George Town, Grand Cayman
PO Box 2252, Grand Cayman KY1-1107, Cayman Islands
Email: info@ombudsman.ky
Telephone: +1 345 946 6283

Updates
36. We reserve the right to amend this Privacy Notice from time to time to reflect changing legal requirements or our processing practices. Any such changes will be posted on our website and will be effective upon posting.

LAST REVIEWED AND UPDATED 29 NOVEMBER 2022