IPAF (UK) Ltd (“IPAF”)
General Data Protection Regulation Policy
(“the Policy”)
This document also constitutes IPAF (UK) Ltd’s Privacy Notice
General Statement of Duties and Scope
IPAF (UK) Ltd is incorporated in England under the laws of England and Wales. IPAF’s business is the introduction of its Panel Members to serve as non-executive directors on the boards of alternative funds.
IPAF currently has 18 Panel Members from a range of jurisdictions (a mixture of EU and non-EU). The Panel Members are not employed by IPAF, but do have a close relationship with IPAF and appear on IPAF’s website and in IPAF’s marketing literature.
In the course of IPAF’s business activities, it processes relevant personal data on Panel Members and on other people who are interested in joining the IPAF panel.
In addition, IPAF processes information on the companies and associated individuals seeking directors (“Clients”) and some third parties who perform services for those companies and/or introduce Clients.
IPAF also sends newsletters on its corporate business to people (potential Clients and others in the industry) who, if in the EU/UK have consented to receive them.
The Principles
IPAF will use all reasonable endeavours to comply with the following principles to ensure all data is:
- Fairly and lawfully processed
- Processed for a lawful purpose
- Accurate and current
- Adequate, relevant and not excessive
- Processed in accordance with the Data Subject’s rights
- Secure
- Not kept for longer than necessary
- Not transferred to other countries without adequate protection.
Data Controller
Stella Murrell, Director of IPAF is the Data Controller. Her contact details are as follows:
Email: Stella.Murrell@ipafgroup.com
Telephone: +44 7775 568512
Personal Data held by IPAF
A Data Subject is an individual who is the subject of personal data. Personal data covers both facts and opinions about an individual where that data identifies an individual.
IPAF does not hold Sensitive Personal Data (as defined by the Regulations).
IPAF holds the following personal data:
Panel Members:
- CVs of Panel Members
- Contact details of Panel Members
- Board and other appointments held by Panel Members
- References taken on Panel Members
Potential Panel Members
- CVs of potential Panel Members
- Contact details of potential Panel Members
- Board and other appointments held by potential Panel Members
- References taken on potential Panel Members
Shareholders of IPAF
- N/A. All shareholders are also Panel Members
Other Data Subjects
Contact details of individuals working for Clients and potential Clients; individuals at service providers, peers, industry bodies and regulators; individuals who act as referees for Panel Members.
Processing of Personal Data
Personal data on Data Subjects is processed by IPAF in the following circumstances:
- CVs sent out to Clients and potential Clients.
- Newsletters and emails sent out to individuals working for Clients and potential Clients; individuals at service providers, peers, industry bodies and regulators.
- References taken on Panel Members and potential Panel Members.
- Information on Panel Members set out on IPAF’s website and in IPAF’s marketing literature.
Permission to process data on Data Subjects as above will be obtained before such data is processed.
All data, as set out above, is processed in the furtherance of IPAF’s business.
Rights of the Data Subjects
Data subjects have the following rights:
- to withdraw consent to the processing of their data
- to access their data or to obtain a copy of it in a structured, commonly-used and in machine-readable format
- to request that the Data Controller send a copy of their personal data directly to another Data Controller
- to request the rectification or erasure of their data
- to object to the processing of their data
- to lodge a complaint with the Information Commissioner’s Office (“ICO”)
The Data Controller will provide information requested by the Data Subject without undue delay and in any event within 30 days of the receipt of the request.
Lawful reasons for processing Personal Data
- Consent from the Data Subject
- Contract: the processing is necessary for a contract with the individual or because the individual has requested specific steps to be taken before entering into a contract
- Legal Obligation: the processing is necessary to comply with the law (not including contractual obligations)
- Public task: the processing is necessary to perform a task in the public interest or for official functions and the task or function has a clear basis in law
- Vital interests: the processing is necessary to protect someone’s life
- Legitimate Interests: the processing is necessary for legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Data Retention
Having obtained consent from the following Data Subjects, the data will be retained as follows, unless such consent is withdrawn earlier than the stated time.
Panel Members:
Data on Panel Members will be retained while they remain on the IPAF Panel and/or continue to serve as directors on any boards to which IPAF has been instrumental in their appointment.
Potential Panel Members:
Data on potential Panel Members will be retained for up to 3 years from its date of receipt.
Shareholders:
Data on Shareholders will be retained while they remain shareholders of IPAF and for one year after ceasing to be a shareholder.
Other Data Subjects:
Data on individuals working for Clients will be retained while they remain associated with/working for the Client.
The following data will be retained for two years from the date of consent: Contact details of individuals working for potential clients; individuals at service providers, peers, industry bodies and regulators; individuals who act as referees for Panel Members. If any of these individuals have consented to IPAF processing their data for the purpose of receiving newsletters and similar material, their data will be retained unless and until consent is withdrawn.
Security
CVs are held on one IPAF-dedicated company computer. The computer is password protected. It is only used by two executive directors and one administrative assistant. It is kept in a secure location. Access is restricted to two executive directors and IPAF’s authorised administrative assistant.
The CVs are also held on Google Drive.
Two-step verification is used on all IPAF email addresses where contact information may be held.
Breaches
Should IPAF become aware of any breach of this policy, the Data Controller will notify the ICO if the breach is likely to result in risk to rights and freedoms of individuals. This notification will be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Records
IPAF will review all personal data held at least once per annum.
IPAF will check with all Panel Members and potential Panel Members once per annum that the CVs held are still current and accurate.
IPAF will keep records of such checking and consent.
All personal data which is to be deleted for any reason will be disposed of in a secure manner.
Transfer outside EU
Should any personal data be transferred out of the EU, IPAF will obtain assurance that the transferee will adhere to the same standards as set out in this Policy.
IPAF (UK) Ltd has a licence arrangement with IPAF (Cayman) Ltd, a company incorporated in the Cayman Islands (“IPAF Cayman”). While IPAF Cayman does not process personal data to the same extent as IPAF, it is possible that circumstances will arise when it does process personal data. In those circumstances, IPAF Cayman will adhere to the same standards as are set out in this Policy and to the Cayman Islands’ Data Protection Law 2017.
Cayman Islands’ Data Protection Law 2017
The Cayman Islands’ Data Protection Law, 2017 (“DPL”) came into force on 30 September 2019. DPL introduces legal requirements that are based on the principles adopted by the EU’s GDPR. Under DPL, the Information Commissioner is defined as the Cayman Islands’ Ombudsman.
This law applies to IPAF (Cayman) Ltd. To the extent that IPAF Cayman processes personal data, IPAF Cayman will adhere to the same standards as IPAF (UK) Ltd and retain information in compliance with GDPR standards or DPL standards, whichever is the higher. If IPAF Cayman is required to transfer data to any third party to carry on processing (a “Permitted Processor”) it will ensure that there exists a suitable written agreement between IPAF Cayman and the Permitted Processor.