1.1 Prudence is a "controller" under the GDPR. As a controller, Prudence controls the purpose and means of the processing of certain personal data of EU Data Subjects.
1.2 To comply with its legal obligations, including the obligations imposed on it by the GDPR, Prudence must ensure that information about EU Data Subjects is "processed" (meaning any use, collection, organisation, storage or other operation performed) lawfully, fairly and in a transparent manner in accordance with the GDPR's data protection principles detailed below.
3.1 In accordance with Prudence's obligations under the GDPR, we require that personal data of EU Data Subjects be:
(a) processed in a fair, lawful and transparent manner;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(d) accurate, and where necessary, up to date;
(e) held for no longer than necessary; and
(f) secure and protected against a personal data breach.
4. PERSONAL DATA
4.1 The obligations under the GDPR apply only to information that constitutes "personal data". Personal data has a very broad definition and includes all information relating to an individual who can be directly or indirectly identified from that information. Examples of personal data include but are not limited to an individual's name, email address, identification number, date of birth, address, and financial information such as bank account details, income and tax information. Personal data may also include one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
4.2 Personal data can therefore be factual or it can be an opinion about that person, their actions or behaviour. If you can't use a piece of data to identify an individual but can combine it with other data held by Prudence to identify an individual, then all of that data is personal data.
4.3 "Sensitive personal data" is information about an individual consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
4.4 Prudence maintains both manual and electronic records containing personal data of EU Data Subjects for the purposes of personnel administration, administration of its funds, products and services, and management of its workforce, business and operations.
4.5 The personal data of EU Data Subjects held by Prudence relates to EU Data Subjects who are applying to invest in or with Prudence or who hold investments in or with Prudence.
5. THE USE OF PERSONAL INFORMATION
5.1 The GDPR applies to personal information of EU Data Subjects that is "processed". This includes any operation performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The GDPR therefore defines "processing" broadly, and if you are handling personal data in any way it is likely you will be processing it for the purposes of the GDPR.
5.2 Personal data of EU Data Subjects should only be processed where it is necessary and where Prudence has a valid lawful basis to do so. The lawful bases for processing that apply to personal data processed by Prudence are set out below. You must ensure that at least one of these bases applies whenever Prudence processes personal data of EU Data Subjects:
(a) Contract: the processing is necessary for a contract that Prudence has with an investor or because such person has asked Prudence to undertake specific steps before entering into a contract with Prudence;
(b) Legal obligation: the processing is necessary for Prudence to comply with its legal or regulatory obligations;
(c) Legitimate interests: the processing is necessary for the legitimate interests of Prudence or the legitimate interests of a third party, and Prudence has concluded that these interests are not overridden by the investor's own rights or interests which need protecting. Prudence's legitimate interests are generally:
(i) legal - e.g. to file, enforce or defend against legal claims or the collection of outstanding debt;
(ii) commercial - e.g. to avoid breaches of contract, to administer investments pursuant to contractual arrangements; or
(iii) financial – e.g. to meet financial obligations;
(d) Consent: the relevant EU Data Subject has freely given clear, informed and unambiguous consent by an affirmative action to Prudence to process their personal data for a specific purpose that has been communicated to them.
5.3 Examples of lawful processing carried out by Prudence include:
(a) Assessing applications: Prudence processes contact details, financial details and other personal data contained on application forms of applicants who wish to invest in products and purchase services provided by Prudence, for its legitimate interest in assessing the suitability of applicants.
(b) Verifying applicants' and investors' identities: Prudence will process the personal data of applicants and investors to verify their identities for the purpose of preventing fraud or other financial crime, and complying with statutory, regulatory and internal compliance requirements for on-boarding in relation to anti-money laundering.
(c) Administering investments and compliance with legal obligations: Prudence processes the personal data of investors pursuant to contractual obligations between investors, Prudence and other intermediaries and functionaries. Prudence also processes personal data of investors in order to comply with legal, taxation, regulatory, reporting and/or financial obligations.
(d) Data processing for marketing purposes: Prudence may process other business contact information for marketing and advertising purposes. This involves contacting specific people in connection with products (including the promotion of funds) and services which may be of interest, based on either express consent (including a request to receive information about a particular type of business issue) or where Prudence's businesses have an on-going or previous contractual relationship with the person (legitimate interest).
5.4 Prudence may process personal data of EU Data Subjects where Prudence has a genuine and legitimate business need to do so (including where there is commercial benefit to Prudence). This commercial benefit must be balanced against any harm to the rights and interests of the individual in question. Where Prudence relies on legitimate interests, a record of the balancing assessment performed must be retained to demonstrate compliance with the GDPR.
5.5 If Prudence does not rely on any of the other lawful bases for processing set out above, Prudence may process personal data on the basis of an individual's consent. Please note that reliance on consent should be avoided where it is not practicable for Prudence to stop processing the personal data if an individual were to withdraw their consent (i.e. in relation to the provision of a service).
5.6 If you intend to use consent or legitimate interests for your intended processing activity, or are unsure whether an alternative lawful basis can be applied to your processing of personal data, you must speak to the Senior Management or Data Compliance Officer.
6. RIGHTS OF THE INDIVIDUAL
6.1 Any EU Data Subject who has their personal data processed by Prudence has the following rights in relation to such processing:
(a) The right to be informed about how Prudence uses personal data and an EU Data Subject's rights relating to such personal data. Prudence is required to provide this information in a clear, transparent and easily understandable format;
(b) The right of access to the personal data which is processed and information about how it is being used;
(c) The right to rectification if personal data is inaccurate or incomplete;
(d) The right to erasure in certain circumstances where there is no reason for Prudence to continue to process the data;
(e) The right to restrict further processing of personal data;
(f) The right to data portability of personal data between different service providers;
(g) The right to object to certain types of processing, such as direct marketing;
(h) The right not to be subject to decisions based solely on automated decision-making, including profiling.
Informing the individual – Privacy Notices
6.2 Prudence is required to provide EU Data Subjects with a clear and transparent notice which sets out the way in which Prudence processes their personal data.
6.3 All Prudence privacy notices are available in writing and must be in electronic form, for example, on our website. If requested by an individual, notices should be made available orally or in such format as is reasonably accessible to them.
6.4 The appropriate privacy notice should be made available to the relevant EU Data Subject at the time personal data is collected from the EU Data Subject. For example, a privacy notice should be made available to a European investor on signing up the new investor to the fund. Our normal practice is to include the privacy notice in the subscription form as well as making it available on our website.
6.5 For new processing activities (i.e. any additional purposes other than those for which Prudence originally collected the personal data), you must notify the relevant EU Data Subject before any personal data is used for the new processing activity.
6.6 Any EU Data Subject has the right to access their personal data that is being processed by Prudence.
6.7 A Subject Access Request can be very broad, such as "please supply a copy of all the information you have about me", or it can be more specific, such as "please supply a copy of the emails you sent about me last week".
6.9 Prudence requires that all Subject Access Requests are made in writing (via email is acceptable). If an individual calls to make a Subject Access Request, you should ask them to put it in writing.
6.10 An EU Data Subject has a right to access and receive a copy of all personal data held by Prudence. If the information requested does not constitute personal data, we may not have to disclose it (however, we can choose to do so at our discretion).
6.11 Prudence will provide access to personal data which it holds, upon request, subject to checking that the personal data may legally be provided and verifying the identity of the individual. If Prudence refuses a request for personal data, it will inform the individual of the reasons why and that they have the right to complain to the supervisory authority and to a judicial remedy. Prudence has a legal obligation to provide personal data if an individual requests it and can only refuse a request in limited circumstances. If a member of Staff is unsure about responding to a Subject Access Request, they should contact the Senior Management or Data Compliance Officer.
6.12 Prudence will ensure that the information is made available without undue delay, and in any case within 30 days, although it may require further time (up to a maximum of 2 further months) if the request for information is complex – in this case, we will inform the data subject accordingly.
Other Data Subject Requests
6.13 If you receive a request from an EU Data Subject where they request that Prudence:
(a) delete personal data we hold about them;
(b) freeze our processing of their personal data under certain circumstances;
(c) correct any inaccurate personal data we hold about them; or
(d) stop processing their personal data as they are withdrawing their consent,
please escalate to the Manager-in-Charge of the Marketing core function, who will provide further information on how to manage and respond to this request.
6.14 Prudence does not charge for carrying out data subject requests unless they are manifestly unfounded or excessive, in which case Prudence may be entitled to charge a reasonable fee.
7. THIRD PARTIES AND INTERNATIONAL TRANSFERS
7.1 All departments responsible for third party service providers will need to ensure that such parties sign a written contract which includes appropriate data protection obligations in line with the GDPR that have been approved by the Senior Management.
7.2 Prudence shall not otherwise disclose personal data to third parties unless:
(a) the disclosure is to comply with Prudence's legal or regulatory obligations; and
(b) an employee has acted adversely to Prudence's interest and disclosure is required in order to protect Prudence's interests.
7.3 Prudence only permits transfers of business-related personal data outside of the EEA if each of the following applies:
(a) it is done on a valid lawful basis;
(b) an adequate level of data protection can be ensured in the recipient country; and
(c) certain prescribed information is defined and documented clearly between the parties (such as the categories of personal data involved and the purposes for which it is being transferred, to whom the personal data may be forwarded and the applicable data security standards to be applied).
7.4 If transferring any personal data to third parties outside of the EEA or to third party service providers whose servers are located outside the EEA, Prudence requires a data processing contract to be entered into with the third party prior to any transfer of personal data, which details the terms around the transfer and the subsequent processing of personal data. Any contracts being entered into which relate to the transfer of personal data must be reviewed and approved by the Senior Management.
8. RETENTION OF DATA
8.1 Prudence will not retain personal data for longer than it is needed for its authorised purpose. Where Prudence processes data on the basis of an EU Data Subject's consent, once consent has been withdrawn, our systems will be updated immediately and the personal data will be removed from use (as defined within the request for the withdrawal of consent) and will be deleted. For the performance of contracts, retention of data will be in accordance with each party's legal or regulatory requirements.
8.2 Staff must review the data held about other individuals with whom Prudence maintains a business relationship to ensure that it is still relevant to Prudence's business needs.
9. SECURITY OF PERSONAL DATA
9.1 Prudence requires that all processing of personal data (including by its third party service providers) is carried out in a way that ensures the personal data's security and implements Prudence's information security requirements.
9.2 Prudence's security requirements comprise appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, including, where appropriate, the following types of measure:
(a) encryption of the personal data;
(b) on-going reviews of security measures;
(c) redundancy and back-up facilities; and
(d) regular security testing.
10. DATA BREACHES
10.1 Prudence may be required to notify an EU data protection supervisory authority (including the UK Information Commissioner's Office, if applicable) in the jurisdiction in which the data subjects have been impacted and, in some cases, the EU Data Subjects, of any actual or suspected breach of security which leads to any of the following events:
(a) the accidental or unauthorised loss of, destruction of, or loss of access to, personal data of an EU Data Subject;
(b) the alteration of, or unauthorised disclosure of or access to, personal data of an EU Data Subject; or
(c) other misuse involving personal data of an EU Data Subject (together a "Data Breach").
10.2 Data Breaches include, but are not limited to:
(a) where portable devices, such as laptops or smartphones, which store business-related personal data are lost, stolen or not disposed of appropriately;
(b) emails are inadvertently sent to an incorrect recipient;
(c) malicious actions such as hacking of systems, virus infection or theft of electronic data; or
(d) internal errors or failure to follow information handling policies that cause accidental loss or disclosure.
10.3 Prudence has a legal obligation to notify the relevant EU data protection supervisory authority within 72 hours of becoming aware of reportable Data Breaches. It is therefore critical that when you become aware of a Data Breach, you immediately report it to the Senior Management or Data Compliance Officer, who will assess and make the notification if appropriate.
10.4 You must therefore report any actual or potential breaches of personal data to the Data Compliance Officer or Senior Management as soon as you become aware of them.
Preventing and detecting Data Breaches
All Staff are responsible for the prevention and detection of Data Breaches. Staff should look out for:
(a) Investors notifying you that they received information which does not belong to them;
(b) Investors telling you that they have been contacted by third parties and are wondering where these third parties got their contact details from;
(c) contractors or other Staff asking for access to, or being in possession of, information they do not need to know;
(d) locked out IT accounts or multiple failed login attempts;
(e) unexpected software installs;
(f) unexplained changes to files;
(g) a large number of requests for the same objects or files, or requests for a large number of objects or files;
(h) unknown/unauthorised IP addresses on wireless networks;
(i) unexplained system reboots or shutdowns; and
(j) services and applications configured to launch automatically.
10.5 If you become aware of any of these or similar suspicious circumstances, please report them to the Compliance Department or the Manager-in-Charge of your function.
11. PRIVACY IMPACT ASSESSMENTS
11.1 Before any new processing activities, including engaging with new suppliers or implementing new technologies which involve the processing of personal data of EU Data Subjects, Prudence requires that there is a proper and full consideration of the privacy impact of such activities.
11.2 Prudence requires that at the start of a project which involves processing the personal data of EU Data Subjects, and where appropriate, you will need to ensure that a privacy impact assessment ("PIA") is carried out and that the project commences with a privacy plan. If you need further guidance or believe a PIA is required for your project, please contact the Data Compliance Officer or the Senior Management.
12.1 Prudence will provide mandatory data protection training for all Prudence employees who are involved in the processing of the personal data of EU Data Subjects.
12.2 Prudence will provide new joiners with appropriate data protection training as part of the induction process where relevant. Refresher training will be provided regularly or whenever there is a substantial change in the law or our policy and procedure.