Jersey Funds Law Series: Data Protection Requirements for Jersey Funds

• Jersey's data protection regime broadly mirrors the EU's GDPR regime and imposes obligations on entities that collect or process data including requirements to register, comply with data subject rights (including access, rectification, data portability and erasure), and report personal data breaches within 72 hours of becoming aware of the breach

• Funds will likely be considered data controllers and be subject to Jersey's data protection regime by virtue of collecting personal data (i.e. data relating to an identified or identifiable person) when investors subscribe for interests in the fund

• Breaches of the data protection regime can result in significant fines, criminal charges and adverse outcomes for controllers of personal data such as funds

The DPJL introduced obligations on those that collect or process data, including:

• disclosure obligations, including how and what data is processed;

• maintaining safeguards and standards on processing and maintaining data, including actions to take in cases of a data breach; and

• data subject rights, including objecting to data processing and the right to erasure (in certain circumstances).

Why is this relevant to funds?

Funds will likely be subject to the DPJL as:

• personal data is likely collected when investors subscribe;

• the fund will likely be considered a data controller; and

• administrators or other service providers will likely be considered data processors.

Funds should be aware of their obligations as:

• data controllers need to register with the Office of the Information Commissioner in Jersey;

• data controllers are ultimately responsible for the processing of personal data in accordance with DPJL; and

• breaching DPJL can in some cases result in significant fines, criminal charges and adverse outcomes for the owners of the personal data.

Funds should also consider what other personal data they collect, such as that of their directors, officers, representatives, etc.

Key definitions

• Data subject: an identified or identifiable natural person.

• Personal data: any data relating to data subjects.

• Data controllers: those that determine, alone or jointly, the purposes and means of the processing of personal data.

• Data processors: those that process data on behalf of a data controller (excluding employees of the controller).

What do data subjects need to know?

Data subjects must be informed about (among other things):

• the identity and contact details of the data controller;

• the purposes for which their personal data is processed and the legal basis for the processing;

• the circumstances in which such data may be disclosed or transferred; and

• data subject’s rights in respect of their personal data.

The legal basis for processing the personal data may include the following:

• the processing is necessary for compliance with the data controller’s legal obligations;

• the processing is necessary for the performance of a contract by the data controller or the taking of steps at the request of the data subject with a view to entering into a contract;

• the processing is necessary for the purposes of legitimate interests pursued by the data controller; or

• the data subject has consented to the processing of their data for a specific purpose (the data subject has the right to withdraw their consent at any time).

These disclosures are typically found in a privacy notice set out in the offering documents.

How must the data be treated?

The collection and treatment of data must adhere to 'good information handling'. It must be:

• processed in a fair, lawful and transparent way;

• collected for a specified and legitimate purpose;

• adequate, relevant and necessary;

• accurate and kept up to date;

• stored only as long as necessary; and

• processed in accordance with legislation to ensure security, integrity and confidentiality.

Unnecessary data should therefore not be collected and funds will need to ensure their relevant service providers adhere to the DPJL. Typically this would be covered in the agreements with those service providers.

Special category data

There are additional requirements should special category data be collected, such as race, ethnic background, political opinions, religious beliefs, trade union memberships, genetics, health, sexual orientation and criminal or alleged criminal records.

What rights do data subjects have?

• to be informed about how their data is being used;

• to access, amend and rectify their personal data;

• to have incorrect or incomplete data updated;

• to request erasure of personal information (in certain circumstances);

• to restrict processing;

• to data portability (in certain circumstances); and

• to object to how their data is processed, such as marketing.

Data breaches

In cases where personal data is lost, corrupted, improperly disclosed, accessed or distributed, it is necessary to contact the Jersey Office of Information Commissioner within 72 hours. In some cases data subjects will need to be notified.

We would expect service providers to have appropriate plans in place in the event of a data breach, which should include informing the fund.

Next steps

Data protection is a complicated and potentially high risk area of law and this article only covers some of the relevant areas. Please reach out to one of the contacts below if you would like to learn more.

The information contained in this guide is necessarily brief and general in nature and does not constitute legal or taxation advice. Appropriate legal or other professional advice should be sought for any specific matter.