1.3 To comply with its legal obligations, including the obligations imposed on it by the GDPR, Prudence must ensure that information about EU Data Subjects is "processed" (meaning any use, collection, organisation, storage or other operation performed) lawfully, fairly and in a transparent manner in accordance with the GDPR's data protection principles detailed below.
(a) processed in a fair, lawful and transparent manner;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(d) accurate, and where necessary, up to date;
(e) held for no longer than necessary; and
(f) secure and protected against a personal data breach.
4.1 The obligations under the GDPR apply only to information that constitutes "personal data". Personal data has a very broad definition and includes all information relating to an individual who can be directly or indirectly identified from that information. Examples of personal data include but are not limited to an individual's name, email address, identification number, date of birth, address, and financial information such as bank account details, income and tax information. Personal data may also include one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
4.2 Personal data can therefore be factual or it can be an opinion about that person, their actions or behaviour. If you can't use a piece of data on its own to identify an individual but can combine it with other data held by Prudence to identify an individual, then all of that data is personal data.
4.3 "Sensitive personal data" is information about an individual consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
4.4 Prudence maintains both manual and electronic records containing personal data of EU Data Subjects for the purposes of personnel administration, administration of its funds, products and services, and management of its workforce, business and operations.
4.5 The personal data of EU Data Subjects held by Prudence relates to EU Data Subjects who are applying to invest in or with Prudence or who hold investments in or with Prudence.
5.1 The GDPR applies to personal information of EU Data Subjects that is "processed". This includes any operation performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The GDPR therefore defines "processing" broadly, and if you are handling personal data in any way it is likely you will be processing it for the purposes of the GDPR.
5.2 Personal data of EU Data Subjects should only be processed where it is necessary and where Prudence has a valid lawful basis to do so. The lawful bases for processing that apply to personal data processed by Prudence are set out below. You must ensure that at least one of these bases applies whenever Prudence processes personal data of EU Data Subjects:
(a) Contract: the processing is necessary for a contract that Prudence has with an investor, or because such person has asked Prudence to undertake specific steps before entering into a contract with Prudence;
(b) Legal obligation: the processing is necessary for Prudence to comply with its legal or regulatory obligations;
(c) Legitimate interests: the processing is necessary for the legitimate interests of Prudence or the legitimate interests of a third party, and Prudence has concluded that these interests are not overridden by the investor's own rights or interests which need protecting. Prudence's legitimate interests are generally:
(i) legal - e.g. to file, enforce or defend against legal claims, or to collect outstanding debt;
(ii) commercial - e.g. to avoid breaches of contract, or to administer investments pursuant to contractual arrangements; or
(iii) financial - e.g. to meet financial obligations;
(d) Consent: the relevant EU Data Subject has freely given clear, informed and unambiguous consent, by an affirmative action, for Prudence to process their personal data for a specific purpose that has been communicated to them.
(a) Assessing applications: Prudence processes contact details, financial details and other personal data contained on the application forms of applicants who wish to invest in products and purchase services provided by Prudence, for its legitimate interest in assessing the suitability of applicants.
(b) Verifying applicants' and investors' identities: Prudence will process the personal data of applicants and investors to verify their identities for the purpose of preventing fraud or other financial crime, and of complying with statutory, regulatory and internal compliance requirements for on-boarding in relation to anti-money laundering.
(c) Administering investments and compliance with legal obligations: Prudence processes the personal data of investors pursuant to contractual obligations between investors, Prudence and other intermediaries and functionaries. Prudence also processes personal data of investors in order to comply with legal, taxation, regulatory, reporting and/or financial obligations.
(d) Data processing for marketing purposes: Prudence may process other business contact information for marketing and advertising purposes. This involves contacting specific people in connection with products (including the promotion of funds) and services which may be of interest, based on either express consent (including a request to receive information about a particular type of business issue) or where Prudence's businesses have an on-going or previous contractual relationship with the person (legitimate interest).
5.4 Prudence may process personal data of EU Data Subjects where Prudence has a genuine and legitimate business need to do so (including where there is commercial benefit to Prudence). This commercial benefit must be balanced against any harm to the rights and interests of the individual in question. Where Prudence relies on legitimate interests, a record of the balancing assessment performed must be retained to demonstrate compliance with the GDPR.
5.5 If Prudence does not rely on any of the other lawful bases for processing set out above, Prudence may process personal data on the basis of an individual's consent. Please note that reliance on consent should be avoided where it is not practicable for Prudence to stop processing the personal data if an individual were to withdraw their consent (i.e. in relation to the provision of a service).
5.6 If you intend to rely on consent or legitimate interests for your intended processing activity, or are unsure whether an alternative lawful basis can be applied to your processing of personal data, you must speak to the Senior Management or the Data Compliance Officer.
(a) The right to be informed about how Prudence uses personal data and about an EU Data Subject's rights relating to such personal data. Prudence is required to provide this information in a clear, transparent and easily understandable format;
(b) The right of access to the personal data which is processed and to information about how it is being used;
(c) The right to rectification if personal data is inaccurate or incomplete;
(d) The right to erasure in certain circumstances where there is no reason for Prudence to continue to process the data;
(e) The right to restrict further processing of personal data;
(f) The right to data portability of personal data between different service providers;
(g) The right to object to certain types of processing, such as direct marketing;
(h) The right not to be subject to decisions based solely on automated decision-making, including profiling.
6.3 All Prudence privacy notices are available in writing and must be in electronic form, for example on our website. If requested by an individual, notices should be made available orally or in such format as is reasonably accessible to them.
6.4 The appropriate privacy notice should be made available to the relevant EU Data Subject at the time personal data is collected from the EU Data Subject. For example, a privacy notice should be made available to a European investor on signing up the new investor to the fund. Our normal practice is to include the privacy notice in the subscription form as well as making it available on our website.
6.5 For new processing activities (i.e. any additional purposes other than those for which Prudence originally collected the personal data), you must notify the relevant EU Data Subject before any personal data is used for the new processing activity.
6.7 A Subject Access Request can be very broad, such as "please supply a copy of all the information you have about me", or it can be more specific, such as "please supply a copy of the emails you sent about me last week".
6.9 Prudence requires that all Subject Access Requests are made in writing (email is acceptable). If an individual calls to make a Subject Access Request, you should ask them to put it in writing.
6.10 An EU Data Subject has a right to access and receive a copy of all personal data held by Prudence. If the information requested does not constitute personal data, we may not have to disclose it (however, we can choose to do so at our discretion).
6.11 Prudence will provide access to personal data which it holds, upon request, subject to checking that the personal data may legally be provided and verifying the identity of the individual. If Prudence refuses a request for personal data, it will inform the individual of the reasons why, and that they have the right to complain to the supervisory authority and to seek a judicial remedy. Prudence has a legal obligation to provide personal data if an individual requests it and can only refuse a request in limited circumstances. If a member of Staff is unsure about responding to a Subject Access Request, they should contact the Senior Management or the Data Compliance Officer.
6.12 Prudence will ensure that the information is made available without undue delay, and in any case within 30 days, although it may require further time (up to a maximum of 2 further months) if the request for information is complex. In this case, we will inform the data subject accordingly.
Other Data Subject Requests
(a) delete personal data we hold about them;
(b) freeze our processing of their personal data under certain circumstances;
(c) correct any inaccurate personal data we hold about them; or
(d) stop processing their personal data as they are withdrawing their consent,
please escalate to the Manager-in-Charge of the Marketing core function, who will provide further information on how to manage and respond to the request.
7.1 All departments responsible for third party service providers will need to ensure that such parties sign a written contract which includes appropriate data protection obligations in line with the GDPR and which has been approved by the Senior Management.
(a) the disclosure is to comply with Prudence's legal or regulatory obligations; and
(b) an employee has acted adversely to Prudence's interest and disclosure is required in order to protect Prudence's interests.
(a) it is done on a valid lawful basis;
(b) an adequate level of data protection can be ensured in the recipient country; and
(c) certain prescribed information is defined and documented clearly between the parties (such as the categories of personal data involved and the purposes for which it is being transferred, to whom the personal data may be forwarded, and the applicable data security standards to be applied).
7.4 If transferring any personal data to third parties outside the EEA, or to third party service providers whose servers are located outside the EEA, Prudence requires a data processing contract to be entered into with the third party prior to any transfer of personal data, which details the terms of the transfer and the subsequent processing of personal data. Any contracts being entered into which relate to the transfer of personal data must be reviewed and approved by the Senior Management.
8.1 Prudence will not retain personal data for longer than it is needed for its authorised purpose. Where Prudence processes data on the basis of an EU Data Subject's consent, once consent has been withdrawn, our systems will be updated immediately and the personal data will be removed from use (as defined within the request for the withdrawal of consent) and will be deleted. For the performance of contracts, retention of data will be in accordance with each party's legal or regulatory requirements.
9.1 Prudence requires that all processing of personal data (including by its third party service providers) is carried out in a way that ensures the personal data's security and implements Prudence's information security requirements.
9.2 Prudence's security requirements comprise appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, including, where appropriate, the following types of measure:
(a) encryption of the personal data;
(b) on-going reviews of security measures;
(c) redundancy and back-up facilities; and
(d) regular security testing.
10.1 Prudence may be required to notify an EU data protection supervisory authority (including the UK Information Commissioner's Office, if applicable) in the jurisdiction in which the data subjects have been impacted and, in some cases, the EU Data Subjects themselves, of any actual or suspected breach of security which leads to any of the following events:
(a) the accidental or unauthorised loss of, destruction of, or loss of access to, personal data of an EU Data Subject;
(b) the alteration of, or unauthorised disclosure of or access to, personal data of an EU Data Subject; or
(c) other misuse involving personal data of an EU Data Subject (together a "Data Breach").
(a) where portable devices, such as laptops or smartphones, which store business-related personal data are lost, stolen or not disposed of appropriately;
(b) emails are inadvertently sent to an incorrect recipient;
(c) malicious actions such as hacking of systems, virus infection or theft of electronic data; or
(d) internal errors or failure to follow information handling policies that cause accidental loss or disclosure.
10.3 Prudence has a legal obligation to notify the relevant EU data protection supervisory authority within 72 hours of becoming aware of reportable Data Breaches. It is therefore critical that when you become aware of a Data Breach, you immediately report it to the Senior Management or the Data Compliance Officer, who will assess it and make the notification if appropriate.
Preventing and detecting Data Breaches
All Staff are responsible for the prevention and detection of Data Breaches. Staff should look out for:
(a) investors notifying you that they received information which does not belong to them;
(b) investors telling you that they have been contacted by third parties and are wondering where these third parties got their contact details from;
(c) contractors or other Staff asking for access to, or being in possession of, information they do not need to know;
(d) locked-out IT accounts or multiple failed login attempts;
(e) unexpected software installs;
(f) unexplained changes to files;
(g) a large number of requests for the same objects or files, or requests for a large number of objects or files;
(h) unknown or unauthorised IP addresses on wireless networks;
(i) unexplained system reboots or shutdowns; and
(j) services and applications configured to launch automatically.
10.5 If you become aware of any of these or similar suspicious circumstances, please report them to the Compliance Department or the Manager-in-Charge of your function.
11.1 Before any new processing activities, including engaging with new suppliers or implementing new technologies which involve the processing of personal data of EU Data Subjects, Prudence requires that there is a proper and full consideration of the privacy impact of such activities.
11.2 Prudence requires that at the start of a project which involves processing the personal data of EU Data Subjects, and where appropriate, you will need to ensure that a privacy impact assessment ("PIA") is carried out and that the project commences with a privacy plan. If you need further guidance or believe a PIA is required for your project, please contact the Data Compliance Officer or the Senior Management.
12.2 Prudence will provide new joiners with appropriate data protection training as part of the induction process where relevant. Refresher training will be provided regularly or whenever there is a substantial change in the law or in our policy and procedure.
Prudence Investment Management (Hong Kong) Limited is regulated by the Securities and Futures Commission of Hong Kong.