CAYMAN TENNIS ACADEMY DATA PROTECTION POLICY NOTICE

 

The Cayman Islands Data Protection Law, 2017 (the “DPL”) came into force on 30 September 2019. The DPL introduces legal requirements based on internationally accepted principles of data privacy and is the principal legislation regulating general data privacy in the Cayman Islands. This Data Protection Policy Notice (“Policy” or “Notice”) lets you know what happens to any personal data that you give us, or any information that we may collect from you or about you from other organizations. Please read this Notice carefully, as it contains important information.

 

The DPL applies directly to Data Controllers, and Data Controllers are required to ensure that the Personal Data which they process (or which is processed on their behalf by any Data Processor) is processed in accordance with the data protection principles detailed below. For the most part, the DPL does not apply directly to Data Processors, but Data Controllers who wish to appoint Data Processors are required to ensure that Data Processors give certain contractual assurances with respect to the Personal Data that they process.

The DPL creates the function of an Information Commissioner, also known as the Cayman Islands Ombudsman, who has responsibilities/powers to oversee compliance with the regime and to act as international liaison for data protection issues.

PURPOSE

The DPL affects Cayman Tennis Academy (CTA) because it controls or processes Personal Data in the course of its business. We may collect details from our clients such as e-mail addresses, phone numbers, bank account details, etc.

CTA is categorized under the DPL as Data Processor in certain circumstances and Data Controller in other circumstances, which are as set out in “Scope” below. Where CTA controls Personal Data, it is required to have in place a policy to ensure it meets its obligations under the DPL to ensure the rights of Data Subjects (as defined below), with regard to the way in which their Personal Data is handled.

SCOPE

This Policy applies to CTA when acting as Data Controller under the DPL. CTA acts as Data Controller in relation to the Personal Data of Data Subjects who are:

(i) employees of CTA;

(ii) vendors of CTA; and

(iii) clients whose Personal Data has been provided in the course of their business relationship with CTA.

Each of (i), (ii) and (iii) shall be referred to in this Policy as a “Relevant Person”. There is a contractual relationship between CTA and each Relevant Person (in the case of (iii) the contractual relationship shall be referred to in this Policy as the “Business Relationship”). For the purposes of this Policy Relevant Persons are Data Subjects.

It should be noted that CTA acts as Data Processor in respect of Personal Data of its clients.

INTRODUCTION

In the usual course of CTA’s business, by virtue of its Business Relationship with the Relevant Person and CTA’s associated interactions with the Relevant Person, or by virtue of the Relevant Person otherwise providing CTA with personal information, the Relevant Person provides CTA with certain personal information which constitutes Personal Data. This includes, but is not restricted to, data such as name, residential address, email address, telephone number, place of birth, date of birth, passport number, etc. Further, in the usual course of business, CTA and its agents, delegates and affiliates may from time to time use Personal Data for other activities that meet the legitimate interest grounds for processing under the DPL.

ADDITIONAL DEFINITIONS

“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;

"Data Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller;

"DPL" means the Cayman Islands' Data Protection Law, 2017;

“Data Subject” means an identified living individual or a living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person;

"Personal Data" means any data relating to a living individual who can be identified and includes data such as the living individual’s location data, online identifier or one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of the living individual; (b) an expression of opinion about the living individual; or (c) any indication of the intentions of the data controller or any other person in respect of the living individual; information relating to an identified or identifiable natural person;

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“Processing” in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on Personal Data, including (a) organizing, adapting or altering the Personal Data; (b) retrieving, consulting or using the Personal Data; (c) disclosing the Personal Data by transmission, dissemination or otherwise making it available; or (d) combining, blocking, erasing or destroying the Personal Data.

"Relevant Personal Data" means all Personal Data provided to the Counterparty by CTA or otherwise provided to the Counterparty in connection with the Counterparty’s performance of the Services pursuant to this Agreement.

TYPE OF INFORMATION CTA MAY COLLECT

·       Name

·       Address

·       E-mail

·       Telephone number

·       Employment Information

·       Next of Kin information

·       Health Information (e.g. allergies, etc.)

·       Financial Information (debit and credit card information)

 

How We Collect Information

 

We collect information in various ways, such as over the phone, in writing, in person at CTA tennis courts or over the internet if you transact with us online.

 

How We Use and Disclose Your Information

 

We collect and hold data about you for the purpose of providing tennis instruction to you, keeping you up to date on our classes and events, and to process payments being made by you. We will treat your personal information as strictly private and confidential.

 

We may be required to share your information with third parties. This includes the Police, the Courts, attorneys and Government regulatory bodies. Whenever possible we will pass this information on in an anonymized format. We may disclose information about you to outside contractors to carry out activities on our behalf, such as an IT service provider, solicitor or debt collection agent. We impose security and confidentiality requirements on how they handle your personal information.

 

Accuracy of Information

We will make every effort and take all reasonable steps to ensure that the data we process is accurate and up to date. However, it is your responsibility to advise CTA of any change in your information, particularly your name, mailing address, telephone number, email address, etc. You have the right to request that CTA rectifies, blocks, erases or destroys inaccurate data without delay. You can make a request for rectification verbally or in writing. The request does not have to be to a specific person or contact point.

 

CTA AS DATA CONTROLLER AND THE EIGHT DATA PROTECTION PRINCIPLES

In relation to the Relevant Persons and CTA’s use of their Personal Data CTA is a Data Controller and is committed to comply with its obligations as such under the DPL. As Data Controller CTA complies with the following eight data protection principles in respect of Personal Data which it processes, or which is processed on its behalf:

·       First Principle: Personal Data shall be processed fairly. In addition, Personal Data may be processed only if certain conditions are met, for example the Data Subject has consented to the processing, the processing is necessary for the performance of a contract to which the Data Subject is a party, or processing is required under a law or to protect the individual’s vital interests.

·       Second Principle: Personal Data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

·       Third Principle: Personal Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.

·       Fourth Principle: Personal Data shall be accurate and, where necessary, kept up to date.

·       Fifth Principle: Personal Data processed for any purpose shall not be kept for longer than is necessary for that purpose.

·       Sixth Principle: Personal Data shall be processed in accordance with the rights of Data Subjects under the DPL, for example subject access.

·       Seventh Principle: Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data.

·       Eighth Principle: Personal Data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data. The eighth principle does not apply where the Data Subject has consented to the transfer or where the transfer is necessary for the performance of an obligation imposed by law on the Data Controller in connection with the Data Subject’s employment.

PURPOSE LIMITATION

CTA will only collect and process Personal Data for purposes that have been communicated to the Data Subject and are for lawful purposes. CTA will process data for the following purposes:

·       where this is necessary for the performance of the service being provided to the client;

·       where this is necessary for compliance with a legal obligation to which CTA is subject; and/or

·       where this is necessary for the purposes of the legitimate interests of CTA or a third party (such as direct marketing and analyzing personal data for quality control, business and statistical analysis, tracking fees and costs, training and related purposes) except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject.

CTA will not process Personal Data in a manner that is incompatible with the purposes communicated to Data Subjects.

CTA will send to all clients, employees/independent contractors, and vendors this document entitled “CTA Data Protection Policy Notice” which sets out disclosure required to be made under the DPL describing CTA’s purposes for collection of data, its processing, disclosure, and retention activities, and the rights of data subjects. This Notice will also be placed on CTA’s website. This Notice may be amended from time to time and any amended version will be made available as above.

DATA MINIMISATION

The Personal Data collected will be adequate, relevant and not excessive, meaning it will be limited to what is necessary in relation to the purposes for which it is being processed.

KEEP IT ACCURATE AND UP-TO-DATE

CTA will ensure that the Personal Data held is accurate and kept up to date. The accuracy of any Personal Data will be checked at the time of collection and at regular intervals or triggers thereafter. CTA will take all reasonable steps to amend inaccurate or out-of-date Personal Data without delay.

STORAGE LIMITATION

CTA will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Subject to compliance with local retention laws, CTA will take all reasonable steps to erase all Personal Data that is no longer required. CTA will be clear when informing the Data Subject about the reason why the information is being retained. CTA is aware of any required statutory retention periods where an obligation exists to retain a Data Subject’s Personal Data for fixed periods, and ensures that Personal Data is retained in line with such statutory requirement(s) and that the Data Subject is aware of this retention period.

RIGHTS OF DATA SUBJECTS

RIGHT OF ACCESS

A person is entitled to be informed by CTA whether the Personal Data of which the person is the Data Subject are being processed by or on behalf of CTA, and, if that is the case, to be given by CTA a description of –

·       the Data Subject’s Personal Data;

·       the purposes for which they are being or are to be processed by or on behalf of CTA;

·       the recipients or classes of recipients to whom the data are or may be disclosed by or on behalf of CTA;

·       any countries or territories outside the Cayman Islands to which CTA, whether directly or indirectly, transfers, intends to transfer or wishes to transfer the data;

·       general measures to be taken for the purpose of complying with the seventh data protection principle; and

·       such other information as the Ombudsman may require CTA to provide.

A Data Subject is entitled to communication in an intelligible form, by CTA, of the Data Subject’s Personal Data, and any information available to CTA as to the source of the Personal Data.

If the processing by automatic means of the Data Subject’s Personal Data for the purpose of evaluating matters relating to the Data Subject, including the Data Subject’s performance at work, creditworthiness, reliability or conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting the Data Subject, the Data Subject is entitled to be informed by CTA of the reasons for that decision.

CTA shall not be obliged to supply any Personal Data unless CTA has received a request in writing, and any fee that CTA may require, such fee being within the limits prescribed by regulations. There is a template subject access request form on the Ombudsman’s website. If CTA reasonably requires further information in order to be satisfied as to the identity of the Data Subject making the request or to locate the information that the Data Subject seeks, and has informed the Data Subject in writing of the requirement, CTA is not obliged to comply with the request unless supplied with that information, during which period the time specified in subsection below shall automatically stand suspended.

CTA shall comply with a request within thirty days (or such other period as may be prescribed by regulations) of the date on which CTA receives both the request and fee referred to above, but where CTA has requested further information, the period shall not resume until the information has been supplied.

If CTA cannot comply with the request without disclosing Personal Data relating to another Data Subject who can be identified from that Personal Data, CTA is not obliged to comply with the request unless-

·       the other Data Subject has consented to the disclosure of the Personal Data to the person making the request; or

·       it is reasonable in all the circumstances to comply with the request without the consent of the other Data Subject.

The reference (above) to Personal Data relating to another Data Subject includes a reference to Personal Data identifying that other Data Subject as the source of the Personal Data sought in the request. CTA will still be expected to communicate so much of the Personal Data sought in the request as can be communicated without disclosing the identity of the other Data Subject concerned, whether by the omission of names or other identifying particulars or otherwise. In determining whether it is reasonable in all the circumstances to comply with the request without the consent of the other Data Subject concerned, CTA shall have regard to, in particular –

·       any duty of confidentiality owed to the other Data Subject;

·       any steps taken by CTA to seek the consent of the other Data Subject;

·       whether the other Data Subject is capable of giving consent; and

·       any express refusal of consent by the other Data Subject.

If Personal Data is being processed by or on behalf of CTA who receives a request under this section from the Data Subject, the obligation to supply the Personal Data under this section includes an obligation to give the Data Subject a statement of the Data Subject’s rights under the DPL in such form, and to such extent, as may be prescribed by regulations.

CTA shall supply the Data Subject with a copy of the Personal Data in the format requested unless the supply of such a copy is not possible or would involve disproportionate effort; or the Data Subject agrees otherwise. If any of the Personal Data is expressed in terms that are not intelligible without explanation the copy shall be accompanied by an adequate explanation.

If CTA has previously complied with a request for access by the Data Subject referred to therein, CTA is not obliged to comply with a subsequent identical or similar request for access by the Data Subject unless the interval between compliance with the previous request and the making of the current request is reasonable. In determining whether the interval is reasonable, regard shall be had to the nature of the Personal Data, the purpose for which the Personal Data is processed and the frequency with which the Personal Data is altered.

Personal Data and other information supplied shall be supplied by reference to the data in question at the time when the request for the Personal Data is received, except that account may be taken of any amendment or deletion made between that time and the time when the information is supplied, the amendment or deletion being such that would have been made regardless of the receipt of the request.

RIGHT TO REQUIRE CTA TO CEASE PROCESSING

A Data Subject is entitled at any time, by notice in writing to CTA, to require CTA to cease processing, or not to begin processing, or to cease processing for a specified purpose or in a specified manner, the Data Subject’s Personal Data.

CTA shall, as soon as practicable, but in any case within twenty-one days of receiving a notice, comply with that notice unless –

·       the processing is necessary for the performance of a contract to which the Data Subject is a party or the taking of steps at the request of the Data Subject with a view to entering into a contract;

·       the processing is necessary for compliance with any legal obligation to which CTA is subject, other than an obligation imposed by contract;

·       the processing is necessary in order to protect the vital interests of the Data Subject; or

·       the processing is necessary in such other circumstances as may be prescribed by regulations

and CTA shall state to the Data Subject the reasons for the non-compliance with the notice.

The DPL also contains specific rights of the Data Subject to request CTA to stop processing for direct marketing and in relation to automated decision-making.

RIGHT TO REQUEST CTA TO RECTIFY, BLOCK, ERASE OR DESTROY

If the Ombudsman is satisfied on a complaint made under section 43 of the DPL that Personal Data is inaccurate, the Ombudsman may order CTA to rectify, block, erase or destroy this data and any other Personal Data in respect of which CTA is Data Controller and that contain an expression of opinion that appears to the Ombudsman to be based on the inaccurate data.

This right applies whether or not the Personal Data accurately record information received or obtained by CTA from the Data Subject or a third party, but, if the data accurately records such information, then the Commissioner may instead of making an order as above –

·    make an order requiring the Personal Data to be supplemented by a statement of the facts relating to the matters dealt with by the data as the Ombudsman may approve;

·    make such order as the Ombudsman thinks fit to ensure the accuracy of the data, having regard to the purpose or purposes for which the data was obtained and further processed, with or without a further order requiring the data to be supplemented by a statement of the facts relating to the matters dealt with by the data as the Ombudsman may approve; or

·    make an order requiring CTA to ensure that the data indicates that, in the Data Subject’s view, the data is inaccurate.

If the Ombudsman makes an order as above, or is satisfied on a complaint made under section 43 that Personal Data that has been rectified, blocked, erased or destroyed was inaccurate, the Ombudsman may, if it is considered reasonably practicable, order CTA to notify third parties to whom the data has been disclosed of the rectification, blocking, erasure or destruction.

RIGHT TO BE KEPT SAFE AND SECURE

Processing will be conducted in a manner that ensures appropriate security and confidentiality of the Personal Data. CTA takes all commercially reasonable steps to secure the Personal Data from unauthorized or unlawful processing by third parties, alteration, disclosure, accidental loss, destruction, damage or any form of computer corruption. CTA has implemented the following information security measures:

·       Access to IT servers is restricted in a secure location to a limited number of staff;

·       Access to systems is password protected;

·       A back up procedure is in operation;

·       Manual files containing Personal Data, financial information or confidential information are kept in a secure locked location with restricted access to staff; and

·       A strong emphasis is placed on the security of Personal Data when it is held on portable devices.

LIMITS ON HOW PERSONAL DATA MAY BE USED OR SHARED WITH THIRD PARTIES

Personal Data may be processed by CTA itself or it may be processed by others on its behalf. The overriding principle is that where CTA uses a Data Processor to undertake processing of Personal Data on its behalf it will ensure that the engagement is evidenced in a written contract which requires the Data Processor to act only on instruction given by CTA and which also requires the Data Processor to comply with obligations equivalent to those imposed on CTA by the seventh principle.

It may be necessary for CTA to transfer Personal Data for processing, back-up or storage to an agent, delegate, subcontractor or other representative of CTA appointed by CTA to carry out sub-processing activities on behalf of CTA (each a “Permitted Processor”) under an appropriate written agreement between the Permitted Processor and CTA.

CTA and/or Permitted Processors may be legally obliged to share Personal Data and other financial information with respect to a Data Subject with their local authorities including regulatory, law enforcement or other governmental authorities (including tax authorities) or courts (collectively “Government Bodies”) and the local Government Bodies, in turn, may exchange this information with foreign Government Bodies including Government Bodies located inside or outside the Cayman Islands through automatic reporting, information exchange or otherwise.

Certain Permitted Processors are located within the Cayman Islands and in that case Personal Data will be stored on servers in the Cayman Islands. Where CTA entities and Permitted Processors are located outside the Cayman Islands Personal Data will be stored on servers outside the Cayman Islands.

Personal Data may be transmitted, stored and processed on systems located outside of CTA’s operating jurisdiction (the Cayman Islands), which systems are or may be operated by a Permitted Processor (and therefore authorities including regulatory or governmental authorities or courts in a jurisdiction (including jurisdictions where these parties are established or hold or process Personal Data) may obtain access to Personal Data which may be held or processed in such a jurisdiction or accessed through automatic reporting, information exchange or otherwise in accordance with the laws and regulations applicable in such jurisdiction).

Subject to applicable provisions of the DPL, the Personal Data shall not be shared other than as described herein.

EXEMPTIONS

The DPL provides certain exemptions from the data protection principles and restrictions on individual rights to information. Pertinent examples include exemptions from non-disclosure provisions as required by any enactment, law or court order.

KEEPING RECORDS OF ALL PROCESSING

CTA maintains records of all its processing activities. This requires that CTA determine what Personal Data it holds, where it came from and who it shares it with.

CTA and its duly authorized agents/delegates will refrain from collecting any further Personal Data following the point from when the Data Subject’s relationship with CTA has ceased and CTA will, if required by applicable retention laws, retain Personal Data for such period from the termination of the relationship as is specified by such applicable retention laws. After expiry of the retention period, subject to applicable retention laws, CTA shall take appropriate steps to dispose of any records containing the Data Subject’s Personal Data, to the extent this is operationally feasible and proportionate.

TRAINING

All CTA staff will receive regular training to ensure they are aware of:

·       The provisions of the DPL;

·       The approach CTA takes to ensure compliance with its obligations; and

·       Recent developments and guidance in the area.

CO-OPERATION WITH CAYMAN ISLANDS AUTHORITIES

CTA and, where applicable, its representatives, shall cooperate, on request, with the Cayman Islands Ombudsman in the performance of its tasks.

REPORTING OF DATA BREACHES

In the case of a Personal Data Breach, CTA is required to notify the Ombudsman and the relevant Data Subject of the Personal Data Breach and the mitigating steps in respect of it within five days of when CTA should have been aware of the breach.

Each Data Processor is required to notify CTA without undue delay after becoming aware of a Personal Data Breach.

Relevant details for notifying the Ombudsman of a Personal Data Breach are set out on the Ombudsman’s website http://ombudsman.ky/get-in-touch.

REMEDIES, ENFORCEMENT AND PENALTIES

Breach of the DPL can lead (variously) to remedial action by the Ombudsman, the imposition of penalties and criminal sanctions. If, following receipt of a complaint by a Data Subject, the Ombudsman is satisfied that Personal Data held by a Data Controller is inaccurate, the Ombudsman may order the Data Controller to rectify, block, erase, destroy or update the Personal Data.

DESIGNATION OF RESPONSIBLE PERSON FOR DATA PROTECTION QUERIES AND REGULATORY COMMUNICATIONS

As CTA does not control or process Personal Data on a large scale, CTA Group is not required to designate a data protection officer. However, a member of staff has been designated as Responsible Person for each of (i) the receipt of any queries relating to data protection or in the event a Data Subject wishes to discuss his/her data protection rights with CTA (“General Queries”), and (ii) communicating with the Cayman Islands Ombudsman. As at the date of this Policy the following is the email address for General Queries: contact@caymantennisacademy.com