Privacy Notice

Grand Pavilion Assets Ltd.



1. What does this Privacy Notice do and does it apply to you?

Most countries have data protection laws that protect the privacy of individuals by regulating the way in which businesses handle personal information. Among other things, data protection laws require businesses that handle personal information to be open and transparent about why and how they handle personal information.

The purpose of this Privacy Notice is to inform you why and how Grand Pavilion Assets Ltd. (“Company”, “we”, or “us”) handles personal information about you in connection with our dealings with you in the Cayman Islands. Please read this Privacy Notice carefully to understand what we do. If you are not a natural person, you should bring this Privacy Notice to the attention of the individuals whose personal information you have provided to us.

Nothing in this Privacy Notice creates any new relationship between you and us, or alters any existing relationship between you and us. Nothing in this Privacy Notice affects any right you may have under any applicable law, including the Cayman Islands’ Data Protection Act (As Revised) (“DPA”) and any other data protection law that applies to you.

2. Our commitment to privacy

Your privacy is very important to us and we are committed to maintaining the security, confidentiality and privacy of your personal information in compliance with all relevant laws. As a Data Controller, the Company is responsible for personal information in its possession or control. We have adopted procedures to protect personal information, receive and respond to complaints and inquiries, train staff regarding policies and procedures and communicate our policies to you.

3. Who is responsible for the proper handling of your personal information?

The Company is legally responsible for the proper handling of your personal information; however, affiliated entities of the Company could also be processing your personal information. Therefore, where we handle your personal information in the context of a particular dealing or relationship, the actual entity responsible for processing your personal information may, depending on the context, differ from your perception or understanding. If you would like more information regarding the handling of your personal information by the Company and potentially its affiliated entities, please get in touch with us so we may assist you in clarifying the position (see paragraph 14 below).

4. What sort of personal information about you does the Company collect?

The types of personal information which we collect will vary significantly depending on numerous factors, including your personal circumstances, the nature of your relationship with us, and the nature of our dealings with you.

Personal information can also be collected by the use of telephone voice recordings, video and audio recordings via online meeting platforms (i.e. Zoom) and electronic text recordings, which may be used to produce informal and internal notes of any discussions in such recorded meetings. We will not intentionally share your information with any other organisation for marketing, market research or commercial purposes.

Any recordings of personal information captured by the Company will be retained for 60 calendar days, after which period, such recordings will be automatically deleted.

By virtue of entering into a relationship or transacting with the Company (including by requesting information from the Company, and ongoing interactions with the Company and persons engaged by the Company) or by virtue of you otherwise providing us with personal information on individuals connected with you, for example directors, trustees, employees, representatives, shareholders, investors, beneficial owners or agents, you may provide us with certain personal information which constitutes personal data within the meaning of the DPA.

We may also obtain personal data on you from other publicly accessible directories and sources. These may include websites; bankruptcy registers; tax authorities; governmental agencies and departments, and regulatory authorities, to whom we have regulatory obligations; credit reference agencies; sanctions screening databases; and fraud prevention and detection agencies and organisations, including law enforcement.

This includes information relating to you and/or any individuals connected with you such as: name, residential address, email address, contact details, corporate contact information, signature, nationality, place of birth, date of birth, tax identification, credit history, correspondence records, and identification documents and numbers necessary to meet our legal obligations, such as those related to anti-money laundering and “know-your-customer” requirements.

In some rare circumstances, we might also gather other special categories of personal information about you because you volunteer that data to us or we are required to gather that data as a result of legal requirements imposed on us.

5. CCTV

The Company also collects data through the CCTV system for various reasons:

  1. To control access to the building and to ensure the security of the building, the safety of the Company's and tenants' staff and visitors, as well as property and information located or stored on the premises;
  2. To prevent, deter, and if necessary, investigate unauthorised physical access, including unauthorised access to secure premises and protected rooms, IT infrastructure, or operational information; and
  3. To prevent, detect and investigate a theft of equipment or assets owned by the Company, tenants' staff or visitors or threats to the safety of personnel working at the office (e.g. fire, physical assault).

The CCTV system is not used for any other purpose, such as to monitor the work of employees or their attendance or to monitor comings and goings of tenants' staff.

The system is also not used as an investigative tool or to obtain evidence in internal investigations or disciplinary procedures unless a security incident is involved. (In exceptional circumstances, the data may be transferred to investigatory bodies in the framework of a formal disciplinary or criminal investigation.)

The CCTV cameras are installed at the entrances, delivery points and other areas of the building, placed and focused in a way that only people who want to access the property or the annexed facilities including parking areas are filmed.

The images can only be accessed by a limited number of staff who have a business need to know (i.e. the contracted security company). The data is stored for a very limited time period.

6. Why do we collect your personal information and what are the legal justifications?

The Company only collects and processes personal information if it is lawful to do so, specifically where:

  • It is required to fulfill a contractual obligation to you;
  • It is required for us to comply with the law;
  • It is necessary for our legitimate business interests, or the legitimate interests of a third party;
  • It is necessary for any legal proceedings, obtaining legal advice, or establishing, exercising or defending legal rights; or
  • You have provided us with your consent.

Your personal information may be used for the following purposes:

  • To meet our regulatory and legal obligations, including undertaking due diligence;
  • To establish and manage our relationship with you;
  • To monitor and manage the performance of our business operations;
  • To assess risks including legal and financial risks;
  • To process applications for employment;
  • To send updates, information and notices or otherwise correspond with you in connection with your business with the Company;
  • To engage in business transactions;
  • To undertake network and information security activities; and
  • For any other purposes for which we have your consent, or for which the Company or its affiliates have a legitimate interest.

Important note: We may use your personal information to conduct various checks to ensure that we comply with all applicable legal and regulatory requirements, before we enter into a formal contract or other arrangement with you and from time to time afterwards. For example, we might check if you are included in the official list published by the relevant authorities which identifies persons with whom we are by law not allowed to do business (i.e. sanctions screening), or we might check if you are a politically exposed person in respect of whom we are required to undertake enhanced due diligence.

If you decide not to provide us with necessary personal information, this may prevent us from meeting our legal obligations, and therefore prevent us from performing our business activities.

The Company continues to be a data controller even if it has engaged affiliates or third parties to perform certain activities on the Company's behalf. The Company does not have systems or procedures that make a decision without human intervention. Therefore, there are no circumstances where decisions will be taken about you using fully automated means.

7. How does the Company obtain my personal information?

We endeavour to collect your personal information directly from you wherever possible. However, the context in which we handle your personal information can often result in us collecting your personal information indirectly from third party sources. Additionally, there may be circumstances where we are required to seek your personal information from independent sources (for example where we need to use your personal information to comply with a legal requirement to validate your identity and background).

Sources from which we may obtain your personal information can be described as follows:

  • Your lawyer, recruiter or other such advisors who provide your personal information to us on your behalf.
  • Publicly accessible websites, registers, and databases, including official registers of companies and businesses, database of journals and news articles, and social media such as LinkedIn.
  • Providers of background check and business risk screening services, such as credit reference agencies, operators of fraud and financial crime databases, and operators of sanctions/embargoes databases (in some cases they can include authorities such as government departments and the police).
  • The relevant corporate entity with whom we have business dealings and who entrusts us with your personal information. Depending on the context, this could be, for example, the business which is owned or controlled by you or the business for which you work.

8. Limits on retention

Typically, the personal information about you which we collect will be retained at least for as long as your personal information continues to be relevant to fulfil the purpose for which we have collected it. For example, where we obtain your personal information in connection with a lease, we will retain your personal information at least for as long as the term of the lease agreement. We do not retain any more of your personal information than we believe is necessary for any of the purposes set out in this Privacy Notice or which is dictated by legal requirements.

Once your personal information ceases to be relevant to the services we provide, we will retain your personal information as part of our business records for the duration of the applicable retention period which will be determined by reference to any legal or regulatory record keeping requirement that applies to us.

In the absence of any specific legal or regulatory record-keeping requirement which applies, we may retain your personal information for an appropriate period where we consider this to be necessary to protect ourselves from any legal claim or dispute that may arise in connection with our prior relationship or dealings. Where we do so, the retention period applied to your personal information will reflect the relevant limitation periods.

We will take reasonable care when destroying personal information so as to prevent unauthorised access.

9. Changes to personal information

You are required to advise us of any changes to your personal information. From time to time, you may be asked to verify or update your personal information.

10. Does the Company share my personal information with others?

We may share your personal data with our affiliates and delegates. In addition, the Company may, from time to time, use third parties in the course of conducting its business. We will share your information with others only in connection with the performance of their function and if and to the extent it is appropriate and necessary to do so for one or more of the purposes outlined in paragraph 5 above. Whenever we share your personal information, whether internally or externally, we will ensure that such sharing is kept to the minimum necessary. We will use reasonable efforts to ensure that third parties meet our standards on processing information and security and are bound by the terms of an equivalent privacy or similar policy.

The extent to which we share your personal information will vary depending on your circumstances and relationship with us, but your personal information may be shared with one or more of the following categories of recipients:

  1. Companies, trusts, and partnerships that are affiliates of the Company;
  2. Those who support our business operation, for example data centre operators, IT service providers, administrative support service providers, insurers, accountants, consultants, auditors, etc.;
  3. Providers of background check and business risk screening services, such as credit reference agencies, operators of fraud and financial crime databases, and operators of sanctions/embargoes databases;
  4. Third parties with whom we must by necessity interact in order to undertake our business operations. Depending on the context, such third parties can include exchanges, venues, distributors, brokers, fund managers, platform operators, legal advisors, etc. as well as third parties who participate in or contribute to transactions and arrangements in which we become involved; and
  5. Government departments and agencies, police, regulators, courts, tribunals, and other like authorities with whom we are legally obliged to share your personal information, or with whom we decide to cooperate voluntarily (but only to the extent we are legally permitted to do so).

Please note that where we share your personal information with the authorities, we may, depending on the circumstances, be forbidden from advising you of the fact that your personal information was disclosed to or requested by the authorities e.g. when doing so is illegal or might prejudice an on-going investigation.

11. International transfers

As part of the transfers of personal information as outlined above, personal information may also be transferred to or accessed from countries whose laws provide a level of protection for personal information not always equivalent to that of the DPA. This does not mean that your personal information is inevitably put at risk, but it can mean that there is less formal legal protection for your personal information.

Where we share your personal information with recipients who are located outside the Cayman Islands, we will, wherever possible, take all appropriate steps that are within our control to ensure that adequate legal safeguards are in place for such personal information (for example, by obtaining contractual assurances from the recipients to protect the information to the same standards applicable to the data being transferred). Additionally, if we agree contractually with you to restrict the cross-border transfer of your personal information in any particular way, we will comply with such restriction.

Where we are unable to put in place such adequate safeguards, we may (in the absence of any agreement to the contrary with you) nevertheless share your personal information with such recipients but we will do so only to the extent the applicable legal exemptions permit, and we will ensure that any of your personal information we share with such recipients is kept to the minimum necessary.

12. Safeguarding personal information

We take information security very seriously and we use a broad range of tools and techniques to prevent and detect incidents that might adversely affect information we hold, such as unauthorised access or disclosure, and accidental change or loss, whether they are caused by external factors or internal factors.

The tools and techniques we use include technical measures such as firewalls, backup and disaster recovery systems, antimalware, and encryption, as well as other measures such as vetting of suppliers who are entrusted with our information, awareness training for our workforce, and the continuous evaluation and enhancement of our information security controls. We also conduct a broad range of monitoring over our IT and communication systems.

Confidentiality and security are not assured when information is transmitted through e-mail or other wireless communication. The Company will not be responsible for any loss or damage suffered as a result of a breach of security and/or confidentiality when information is transmitted by e-mail or wireless communication. We will take your use of a particular mode of communication as permission for us to communicate with you using the same mode of communication unless otherwise instructed by you.

13. What would the Company do if a data breach happens?

In the unlikely and unfortunate event your personal information under our control becomes compromised due to a breach of our security, we will act promptly to identify the cause and take the necessary steps to contain and mitigate the consequences of the breach. Where appropriate, we will also notify you of the breach in accordance with the DPA and any other applicable law which requires us to notify you of the breach.

14. Your rights

Under the DPA, you have certain legal rights in respect of your personal information handled by us. These include the following:

  1. The right to ask us to confirm whether or not we handle any personal information about you (a “data subject access request”).
  2. The right to ask us to provide you with copies of your personal information we hold.
  3. The right to ask us to correct any inaccuracy or incompleteness in your personal information we hold.
  4. The right to ask us to stop handling your personal information or to not begin the handling of your personal information.
  5. The right to ask us to transfer your personal information to another party.

“Right to be forgotten”. In certain circumstances you are entitled to have personal information erased, including where this is no longer necessary for the purposes for which it was collected and/or processed, or where you withdraw consent to our use of the information. We may nevertheless continue processing the information in certain circumstances, including if there are grounds other than consent for processing the information, for example, where processing is in compliance with a legal obligation or for the exercise or defence of a legal claim. If you request that we erase your personal information, we shall advise you if we consider that there are ongoing grounds permitting us to continue processing your information.

Where third party service providers process personal information on behalf of the Company, they may also deem themselves “Data Controllers” of such personal information where they use the personal information for their own purposes. In these circumstances, all the “data subject rights” described above are exercisable by you directly against that third party alone.

15. Contact information and complaints

If you would like to exercise any of the rights you have in respect of your personal information, or if you have any question or concern regarding the way in which we handle your personal information, then please reach out to your usual contact person within the Company in the first instance.

If you have a complaint regarding the way in which we handle your personal information, please email your complaint to legal@grand-pavilion.ky.

We will endeavour to respond satisfactorily to any request, query, or complaint you may have in respect of your personal information, but if you are dissatisfied with our response and wish to make a formal complaint, or if you simply wish to learn more about your rights, you can contact the Cayman Islands Ombudsman:

Ombudsman
PO Box 2252
Grand Cayman KY1-1107
Cayman Islands
https://ombudsman.ky/data-protection

16. Updates and change log

The Company may modify or amend this privacy statement from time to time to reflect changes in law or changes in how we run our business.