EU GDPR PRIVACY NOTICE

Effective Date: 24th May 2018

This is the European Union General Data Protection Regulation (EU GDPR) Privacy Notice of MB Fund Administrators Inc. (“MB”), a company registered in United States of America, having its office at 575, Madison Avenue, 10th Floor, New York, NY 10022-2511 (USA), on behalf of itself, its affiliates and subsidiaries.

MB (“we”, “us”, “our”) is an international provider of fiduciary and administration services. The privacy and security of our clients’ data is of critical importance to us. This global privacy notice (“notice”) explains how we collect, manage and protect your personal data if you are an officer or employee of one of our corporate/institutional clients or we provide you with financial services on behalf of your employer. It also sets out your rights as a data subject.

References in this notice to “you” or “your” are references to you as an officer or employee of one of our clients or as individual to whom we provide financial services on behalf of your employer.

Who we are

MB provides corporate, trust, fund and accounting services to clients across the globe. We operate in multiple jurisdictions through our local, regulated, group entities. The contact details for the MB office in each jurisdiction are available on our website. You can also contact our group Data Protection Officer using the contact details provided on our website.

Data we collect and hold about you

We collect and process your data for various purposes connected with our services, including, for instance, data we require to manage our provision of services to you or your employer and to meet our legal and regulatory obligations.

What personal data we collect and for what purpose will depend on the nature of our relationship with you. For instance, if you are a director of private corporate client, then we may need to collect detailed information for due diligence and regulatory purposes. In comparison, if you are an employee participating in a share plan or you are simply interacting with us on behalf of your employer then we will collect much less information.

The types of data we may collect, and process includes:
  • Name and Contact Details: Information we require for the purposes of managing our relationship, generally including your name, job title, postal addresses, country of residence, email addresses and telephone numbers.
  • Due Diligence & Regulatory Details: Information we require from directors of private corporate client’s companies to meet our legal and regulatory obligations, particularly anti-money laundering legislation, including:
  • Identity information including your current and former names, aliases, date of birth, country of birth, place of birth, gender, nationality and a copy of your valid passport and/or birth certificate (including issue date and expiry date, where applicable).
  • Documents providing proof of your identity and address, such as copies of government issued documents, bank statements, utility bills and similar documents.
  • Detailed tax status information, including your tax domicile, tax identification number, copies of tax returns and tax advice received.
  • Other due diligence information gathered from checking tools we use and from searching information in the public domain.
  • Share Plan Details: If you participate in an employee share plan which we administer on behalf of your employer, then we will collect information such as the number of shares that you own and their value at any particular point of time.
  • Records of Correspondence: We keep records of communications that take place between you and us, including emails, letters, meetings and telephone calls.
  • Other information: Additional information you provide to us or created by us when providing services to you.

We collect personal data when you give it to us and from information we learn about you through our relationship. We also collect data about you from third parties, including your employer, your professional advisers, due diligence and risk assessment screening service providers and from the public domain, including from internet searches.

Purposes for which we use the data and the legal basis for doing so

When providing services to you, we may use data about you for the following purposes and on the following lawful bases:

Purpose

Carrying out due diligence on directors of private corporate clients and performing risk assessments. Including carrying out standard due diligence checks, enhanced due diligence checks, politically exposed person checks and performing risk assessments in relation to your financial standing and eligibility for our services.

To provide services to you or your employer. Including share option plan services and all other services we provide to you.

Sending you marketing about our services, our news and events. Including sending you our news emails, information about our services, related information which may be of interest to you and to invite you to our events.

Internal management, administrative and organisational purposes. This includes maintaining internal records and carrying out other business administration tasks.

To provide services to you or your employer. Including share option plan services and all other services we provide to you.

Statistics and other data analysis. This includes creating forecasts and business plans, improving our services and developing new services.

Sharing data with entities in our group. Including sharing client records and results of due diligence exercises with our global entities.

Sharing data with other third parties. Including third parties who process personal data on our behalf.

Lawful basis for Processing

Necessary to comply with legal obligations to which we are subject.
Our legitimate business interest to assess the risk associated with providing you with our services.
When processing sensitive personal data, we do so with your explicit consent.

Our legitimate business interests to provide you with share plan and other services at the request of your employer.

Our legitimate business interest to send you marketing and promotional materials from time to time.
Where we have obtained your consent to send marketing then we instead rely on consent as the legal basis.
You can tell us to stop sending you marketing information at any time by objecting or withdrawing your consent. You can do so by contacting us at DPO@mbfundadmin.com or by using the Unsubscribe link in any marketing email you receive from us.

Our legitimate business interest to process your personal data in order to manage our business processes.

Our legitimate business interests to provide you with share plan and other services at the request of your employer.

Our legitimate business interest to process your personal data to develop and improve our business through aggregated and anonymised reporting and analysis.

Our legitimate business interest to identify and develop shared clients across our group and the jurisdictions in which we operate and to utilise existing due diligence and risk assessment
information when providing an existing client with services in a new jurisdiction.

Our legitimate business interest to share your data with trusted third parties who provide us with services relevant to our provision of services to you, including professional advisers, screening service providers and IT service providers.

Where we do not base our use of personal data about you on one of the above legal bases, we will ask for your consent before we process the personal data (these cases will be clear from the context).

In some instances, we may use personal data about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use. You should read any supplemental notice in conjunction with this notice.

To the extent that we rely upon consent as the legal basis under which we use your data, then you are permitted to withdraw your consent at any time.

Sharing your data

We may share your data with:

Other entities in our group. We do this because we are an international organisation and work with clients across multiple jurisdictions. Sharing client records and the results of due diligence and risk assessments enables us to provide our services more efficiently and develop our relationship with you. Access to shared data is limited only to personnel who need access to carry out their assigned duties.

  • Third parties who process data on our behalf to provide us or you with products or services for the purposes outlined above. These third parties include:
    • professional advisers: Including legal advisers.
    • IT service providers: Including hosting and cloud service providers, such as Microsoft.
    • other suppliers and providers of services to us: Including banks, our sub-contractors and agents.
  • Other third parties, where required or permitted by law, for example:
    • Regulatory authorities
    • Government departments.
    • In response to a request from law enforcement authorities or other government officials.
    • When we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal purpose.
    • In the context of organisational restructuring.

Transferring your data overseas
MB is located in the United States. Personal information we collect from you will be processed in the United States and as applicable, in India, countries which the EU regulators have not determined provide adequate protection to personal data. We collect and transfer your information to the United States and from the United States to India to perform contracts and transfers of personal information pursuant to EU approved standard contractual clauses or, as applicable, the EU–US Privacy Shield. Your information rights entitle you to receive a copy of the clauses by which your personal information is transferred outside of the EU by contacting us.

How long we keep your data
The period for which we may retain your data is generally seven years but will depend on the purposes for which the data was collected, whether you have requested the deletion of the data, and whether any legal obligations require the retention of the data (for example, for regulatory compliance). We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected.

How we protect your data
We implement appropriate technical and organisational measures to protect data that we process from unauthorised disclosure, use, alteration or destruction. For more information about the steps we are taking to protect your data, please contact us at DPO@mbfundadmin.com

Your rights and options
Depending on where you are resident, you may have some or all of the following rights under applicable data protection laws in respect of your data that we hold. You have the right of access to your personal data and can request copies of it and information about our processing of it.

  • If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  • Where we are using your personal data with your consent, you can withdraw your consent at any time.
  • Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way.
  • Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so and opt out of all future marketing.
  • You can ask us to restrict the use of your personal data if:
    • It is not accurate.
    • It has been used unlawfully but you do not want us to delete it.
    • We do not need it any-more, but you want us to keep it for use in legal claims; or

If you have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.

  • In some circumstances you can compel us to erase your personal data.

Contact us
If you have any questions, or wish to exercise any of your rights, then you can contact our Data Protection Officer by email at DPO@mbfundadmin.com.

Changes to this privacy notice
We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify you of the changes where required by applicable law to do so.

Last modified May 24th, 2018