1. Introduction
The term “HIP” refers separately to each of: Hengistbury Investment Partners LLP, Hengistbury Investment Partners (Cayman) Limited, and Hengistbury Service Company.
The UK General Data Protection Regulation (“UK GDPR”) regulates the way in which all personal data is held and processed. This policy describes how personal data must be collected, handled, stored, disclosed and otherwise “processed” to meet HIP’s data protection standards and to comply with UK GDPR.
HIP is a data controller in respect of personal data it obtains and/or has obtained from current and former: (i) investors (including related personnel), (ii) service providers, counterparties and governmental authorities, (iii) directors of the Fund and (iv) website users. HIP is responsible for ensuring that it uses the personal data of such persons in compliance with UK GDPR. HIP regards the lawful and correct treatment of personal data as integral to the successful operations of HIP, and to maintaining the confidence of the people it works with and its investors. To this end, HIP fully endorses and adheres to the principles of UK GDPR.
2. Purpose
As a data controller, HIP is required to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with UK GDPR. The purpose of this policy is to ensure that:
- Anyone involved in the processing of personal data by HIP is fully aware of, and complies with, the requirements of UK GDPR; and
- Data subjects are aware of their rights under UK GDPR.
3. Scope
All HIP personnel and any other authorised third parties who have access to any personal data held by or on behalf of HIP must adhere to this policy.
4. Personal Data
In this policy, “personal data” includes any data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, HIP or its representatives or service providers. In addition to factual information, it includes any expression of opinion about an individual and any indication of the intentions of HIP or any other person in respect of an individual.
Certain personal data is considered to be particularly sensitive and is subject to stricter rules regarding its processing. These categories of personal data are referred to as “sensitive personal data” and include any personal data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; their physical or mental health condition; details of criminal offences or criminal convictions; and genetic and biometric data.
Examples of personal data that HIP might hold include names and addresses, contact details, dates of birth, gender, nationality, photographs, signatures, occupational history, job titles, income, assets, other financial information, bank details, investment history, tax residency and tax identification information, emails, call recordings and website usage data.
5. Processing Personal Data
The word “process” (and any derivative term) includes any operation that is carried out in respect of personal data, including but not limited to collecting, storing, using, disclosing, transferring or deleting personal data.
Personal data collected by HIP is generally collected in order to:
- Respond to reverse solicitation enquiries from potential investors and to assist the investor relations function with various activities including marketing/business development;
- Assist with assessing and processing applications for interests in the Fund and other dealings in respect of interests in the Fund, including to perform know-your-client procedures, issue and redeem interests, receive and make payments, and calculate net asset value;
- Carry out general business administration, including communicating with investors and service providers, accountancy and audit services, risk monitoring, administration of IT systems; and
- Comply with legal and regulatory obligations and industry standards, including know-your-client procedures, the automatic exchange of tax information and legal judgments.
6. The Data Protection Principles
Any person processing personal data must comply with the following core principles:
- Lawfulness, fairness and transparency. Personal data must be processed fairly, transparently and lawfully.
- Purpose limitation. Personal data must be processed only for specified and lawful purposes and must not be processed in any manner which is incompatible with those purposes.
- Data minimisation. The personal data that is processed must be adequate, relevant and limited to the minimum data necessary for the lawful purposes for which it is processed.
- Accuracy. Personal data must be accurate and, where appropriate, kept up to date. Any personal data which is incorrect must be rectified as soon as possible.
- Data retention. Personal data must be kept for no longer than is necessary in light of the lawful purpose(s) for which it is processed.
- Rights of data subjects. Personal data must be processed in accordance with the rights of data subjects.
- Security. Personal data must be protected against unauthorised or unlawful processing, accidental loss, destruction or damage through appropriate technical and organisational measures.
- International data transfers. Personal data must not be transferred to a country or territory outside of the UK unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
- Accountability. HIP and its third party service providers are responsible for and must be able to demonstrate their compliance with this policy.
7. Consent
Personal data must only be processed if the purpose of the processing satisfies one of the lawful grounds permitted under UK GDPR. One such ground is that the individual has consented to the use of their data. HIP will not generally seek or obtain consent to the processing of personal data and will therefore generally only process personal data in accordance with the other grounds listed in section 8 below.
Where consent is relied upon, it must be freely given, specific, informed and unambiguous. It must be as easy for a data subject to withdraw consent as it was to provide it. Where consent is obtained, a record of consents will be retained by HIP to evidence that it has been authorised to carry out the processing.
8. Grounds for Processing Personal Data
The lawful grounds for processing non-sensitive personal data on which HIP will generally seek to rely include:
- Where processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract;
- Where processing is necessary to discharge a relevant legal or regulatory obligation;
- Where processing is necessary for the legitimate business interests of HIP or another person, such as carrying out ordinary or reasonable business activities, ensuring compliance with legal and regulatory obligations, establishing or defending legal rights, and ensuring the security of information systems.
Sensitive personal data is subject to stricter legal controls. HIP does not expect to process sensitive personal data in the ordinary course of its business, except that information relating to politically exposed persons may be received in the course of enhanced due diligence. Such processing will only occur where necessary for reasons of substantial public interest.
9. High Risk Processing Activities
It is not expected that the processing of personal data by HIP is likely to result in a “high risk” to the data subject as determined under UK GDPR. The monitoring or profiling of data subjects and the processing of sensitive personal data on a large scale are examples of processing activities that might present a high risk.
10. Fair Processing Information
Regardless of how personal data is obtained, the data subject must be provided with certain information about the processing of their personal data by HIP at or before the time at which the personal data is collected. This information must include: the identity and contact details of HIP; the categories of personal data collected; the purpose(s) and lawful ground for the processing; information about data sharing with third parties; any intention to transfer the personal data outside the UK; the period for which the personal data will be retained; and the existence of the data subject’s rights.
HIP will provide a privacy notice containing this information to any potential investors prior to them performing any due diligence on HIP, existing holders of interests in the Fund, and any other individuals whose personal data is received and processed by HIP.
11. Third Party Service Providers
Where HIP instructs a third party to process personal data on its behalf (a “data processor”), the third party must enter into a written data processing agreement with HIP. That agreement must require the third party to process the personal data only in accordance with HIP’s written instructions, implement appropriate technical and organisational security measures, and impose any additional data processing obligations required by law.
HIP conducts appropriate due diligence on data processors both at the outset of the relationship and on a periodic basis thereafter.
12. Disclosure of Data
HIP must ensure that personal data is not disclosed to unauthorised third parties. Personal data should not be disclosed orally or in writing to third parties without appropriate authorisation. In limited circumstances, UK GDPR permits the disclosure of personal data without needing to obtain the prior consent of the data subject, such as where necessary to comply with applicable law, for the administration of justice, or to protect the vital interests of the data subject.
HIP may from time to time disclose personal data to professional advisers, other service providers of the Fund and Investment Manager, counterparties, and courts and regulatory, tax and governmental authorities.
13. International Transfers of Personal Data
Specific legal requirements apply to the transfer of personal data outside the UK. Personal data must not be transferred outside the UK unless the recipient country ensures an adequate level of protection for the rights and freedoms of data subjects, or appropriate safeguards are in place (such as standard contractual clauses). HIP will ensure that any transfer outside the UK is subject to appropriate safeguards or is otherwise permitted under applicable law.
14. Retention and Disposal of Data
Personal data must not be retained for longer than is necessary for the lawful purposes for which it is processed. Each category of personal data processed by HIP must be subject to a retention period which can be justified by reference to those lawful grounds. Upon expiry of the retention period, the relevant personal data must be deleted or anonymised.
Personal data must be disposed of securely in a way that ensures the permanent erasure of the data (e.g. shredding, disposal as confidential waste, or secure electronic deletion).
15. Data Protection and Data Security
HIP protects the personal data in its possession by applying appropriate technical and organisational security measures. Personal data, whether held electronically or in paper form, must be kept securely at all times. Appropriate measures must be in place to prevent unauthorised or accidental access, use, disclosure, loss or damage.
In the event that personal data has been lost, damaged or become subject to unauthorised third party access, HIP will notify the Information Commissioner’s Office (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals) without undue delay and, where feasible, within 72 hours. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, HIP will also notify the affected individuals without undue delay.
16. Data Subject Rights
Data subjects have a number of legal rights in relation to their personal data, including:
- The right to obtain information regarding the processing of their personal data and access to the personal data which HIP holds about them;
- The right to receive a copy of any personal data which HIP processes about them;
- The right to request that HIP rectify their personal data if it is inaccurate or incomplete;
- The right to request that HIP erase their personal data in certain circumstances; and
- The right to lodge a complaint with the Information Commissioner’s Office (“ICO”) at ico.org.uk.
Requests to exercise these rights will be considered by HIP as soon as practicable following receipt. To exercise any of your rights, please contact us at info@hengistburypartners.com.
17. Record Keeping
Accurate and up-to-date records of the processing activities carried out by HIP must be maintained within the organisation. These records must include the purposes of the processing, the categories of data subject, the categories of recipients of personal data, any transfers outside the UK, envisaged time limits for erasure, and a general description of the technical and organisational security measures adopted.
18. Roles and Responsibilities
HIP is ultimately responsible for ensuring that the firm meets its legal obligations under UK GDPR. This includes reviewing all data protection procedures and related policies, dealing with requests from individuals to see the data held about them, reviewing and approving contracts with data processors, and ensuring all systems used for storing personal data meet acceptable security standards.