This policy explains how Sovereign’s Capital Management LLC (“Sovereign’s”) complies with the General Data Protection Regulation (GDPR) when processing personal data.
This policy applies to all personal data we process (wholly or partly) regardless of whether data is stored electronically, on paper, or on any other media. It applies to:
- All staff of Sovereign’s; and
- All contractors working on behalf of Sovereign’s.
Protecting the integrity and confidentiality of personal data is a critical responsibility which we take seriously at all times. If we fail to comply with the GDPR we are exposed to potential fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher), depending on the nature of the breach.
You must read, understand and comply with this policy when processing personal data on our behalf and complete any training necessary to meet the requirements. This policy sets out what we expect from you in order for us to comply with applicable law. Your compliance with this policy is mandatory and any breach may result in disciplinary action.
If you have any questions about this policy please contact the Chief Compliance Officer via email at firstname.lastname@example.org.
What is personal data?
Personal data is ‘any information relating to an identified or identifiable natural person’ (the data subject).
What does processing of personal data mean?
The GDPR applies to the processing of personal data. Processing covers anything which we do to, or with, personal data such as when we collect, record, organise, store, disclose, and delete it. It covers processing which is undertaken wholly or partly by automated means and where the data forms part of a filing system.
What personal data do we process?
We have identified that we process personal data relating to the following:
- Third parties;
- Portfolio investments;
- Professional contacts;
Processors and controllers
The GDPR applies to those who act as a controller and/or a processor. A controller is someone who determines the purpose and means of processing personal data. A processor is someone who is responsible for processing the personal data on behalf of a controller. Different requirements will apply depending on whether we are the controller or the processor.
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union (EU), regardless of whether the processing itself takes place in the EU.
The GDPR also applies to a controller or processor established outside the EU where it processes the personal data of individuals who are in the EU and the processing activity is related to:
- The offering of goods or services (irrespective of payment) to an individual in the EU; or
- The monitoring of their behavior, if the behavior takes place within the EU.
Principles relating to the processing of personal data
The GDPR sets out a number of principles which firms must comply with when they process personal data. These principles are central to our data protection obligations and sit at the heart of our policies and procedures – we are accountable and must be able to demonstrate our compliance with these. The six principles state that personal data must be:
- Processed lawfully, fairly and in a transparent manner (lawful processing);
- Collected for specified, explicit and legitimate purposes (purpose limitation);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
- Accurate and, where necessary, kept up to date (data accuracy);
- Kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation); and
- Processed in a manner that ensures appropriate security of the personal data (security).
Fair and lawful processing
We must process personal data in a lawful, fair and transparent way. The GDPR sets out specific legal grounds which we can use to process personal data. If we cannot meet one or more of those legal reasons we cannot process the personal data.
We must also ensure that personal data is processed fairly, for example we only use it for a specified purpose, and that we are transparent in what we are doing. This means that we must provide the individual with information about how we process their personal data in a concise and intelligible manner using clear and plain language.
In line with the GDPR, we will only process personal data where we have a clear and legitimate purpose for doing so. The personal data that we collect must be relevant to, and limited to what is necessary for, that purpose. If we later wish to process personal data for a different purpose, we must first consider whether the new purpose is compatible with the original one; if it is not, we need a new lawful basis (or fresh consent) before proceeding. It is also important that we are transparent and can explain to individuals the reason(s) why we are processing their data.
We must ensure that the personal data we process is accurate and, where necessary, kept up to date. We regularly review the data we hold and ask individuals to update their details where their circumstances change.
Where we identify personal data which is inaccurate we must take steps to erase or update that information as soon as possible.
Data security and integrity
We must process personal data in a way which keeps it secure, ensuring that any information that we collect from individuals isn’t lost, destroyed or damaged. We must also protect the data we process from unauthorized or unlawful processing by another party.
A fundamental principle of the GDPR is that we can only process personal data where we have a lawful basis to do so. If no lawful basis is available, our processing will be unlawful and in breach of the first principle. Individuals also have the right to have personal data erased where it has been processed unlawfully.
There are six lawful bases available:
- The individual has given their consent (consent);
- The processing is necessary for the performance of a contract with the individual (contract);
- Processing is necessary to comply with a legal obligation to which we are subject (legal obligation);
- Processing is necessary to protect the vital interests of the individual or another natural person (vital interests);
- Processing is necessary for performance of a task carried out in the public interest or by a public authority (public task); and
- The processing is necessary for our legitimate interests or those of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (legitimate interests).
Most commonly we process individuals’ information on the following basis:
We have asked for, and the individual has provided, consent to use their information (consent).
Special Category Data
Special category data is personal data which is more sensitive and therefore needs more protection. Sovereign’s does not process any special category data. Special category data includes information about an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data where used for identification purposes;
- Health;
- Sex life; or
- Sexual orientation.
Principles relating to the processing of criminal offences
Under the GDPR, the rules for ‘special category data’ do not apply to criminal offence data; instead, separate safeguards apply. Criminal offence data means personal data relating to criminal convictions and offences or related security measures, including information about criminal allegations, proceedings and convictions. We may only process criminal offence data where we have a lawful basis for the processing and, in addition, either the processing is carried out under the control of official authority or it is specifically authorised by law.
Rights of data subjects
The GDPR provides specific rights for individuals in terms of how we process their personal data:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restriction of processing;
- The right to data portability;
- The right to object; and
- Rights in relation to automated decision making and profiling.
It’s important that we can demonstrate that we understand and can apply the principles of GDPR to our day to day processing activities. This will include:
- Establishing a data protection compliance programme and governance arrangements;
- Implementing privacy controls and maintaining them on an ongoing basis;
- Complying with our processing obligations, including:
  - determining and documenting a lawful basis for processing;
  - maintaining a record of our processing activities;
  - providing data subjects with a compliant privacy notice;
  - satisfying specific requirements when relying on consent;
  - processing special categories of data in line with the requirements;
  - honouring the rights of individuals; and
  - complying with cross border data transfer restrictions and maintaining compliant transfer mechanisms;
- Making explicit arrangements with any joint data controllers and data processors;
- Embedding privacy measures into our day to day policies and processes;
- Using technological measures to require or ensure compliance;
- Maintaining appropriate records of our privacy arrangements and compliance;
- Providing our staff with training on data protection and privacy matters; and
- Regularly testing our privacy measures.
Privacy by design and default
We must show that we embed data protection into all our processing activities by design and by default. This means that we must implement appropriate technical and organisational measures, such as pseudonymisation and data minimisation, that are effective in practice and ensure compliance with the GDPR principles.
Data protection impact assessment
A data protection impact assessment (DPIA) is a tool which we use to identify, and plan how to mitigate, the risks and possible impact of a processing activity before it begins. A DPIA is mandatory where the processing is likely to result in a high risk to the rights and freedoms of individuals, for example large scale profiling or systematic monitoring.
We will ensure all staff are provided with adequate training to enable them to comply with the GDPR requirements.
A data controller can act alone or jointly with other controllers. Where we jointly determine the purposes and means of processing with another controller, the arrangement will be documented and will specifically set out who is responsible for compliance with the rights of data subjects and who will act as the contact point for them.
As part of our compliance with GDPR we will keep an electronic record of our data processing activities.
Security of processing
We have an obligation to process the personal data of individuals securely. This includes protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage. We have put the following technical and organisational measures in place to do this:
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches which are both accidental and deliberate.
Breach notification requirements
Once a breach has been identified we must assess the likelihood and severity of the resulting risk to people’s rights and freedoms. Unless the breach is unlikely to result in a risk to individuals, we must notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, we must also inform the affected individuals without undue delay. This assessment will be undertaken by the <DPO/Compliance Team> who will assess each incident on a case by case basis and will record every breach, whether or not it is notified. Breaches can be reported on the ICO website.
Data Protection Officer
Under the GDPR you must appoint a DPO if you:
- Are a public authority (except for courts acting in their judicial capacity);
- Carry out large scale systematic monitoring of individuals; or
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Note: organisations that are not required to appoint a DPO may do so voluntarily. With the GDPR requiring organisations to implement “data protection by design and by default”, many organisations may consider the appointment of a DPO to ensure that they are implementing appropriate organisational and technical safeguards. However, in making a voluntary appointment, an organization will become liable for ensuring that the designation is consistent with the provisions of the GDPR.
The obligation to appoint a Data Protection Officer (“DPO”) does not apply to Sovereign’s on the basis that our processing is occasional, does not include large scale processing of special categories of data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons.
Transfer of data to third countries
We will ensure that we give full consideration to the GDPR requirements in relation to transfers of personal data outside of the EEA when we make operational changes.
Annex One: Definitions
Binding corporate rules
‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Biometric data
Means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Consent
Means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Controller
Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Cross border processing
a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Genetic data
Means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Personal data
Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor
Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Profiling
Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation
Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Representative
Means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.
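Pseudonymisation, as defined above and named in the Privacy by design and default section as an example of a technical measure, is easy to get wrong: replacing an email address with its plain hash is not pseudonymisation, because anyone holding the data can hash a list of likely addresses and match them back. The Python script below is an added illustration and is not part of this policy or of Sovereign’s systems. It tokenises identifiers with a keyed HMAC so that tokens cannot be recomputed without the key, and it keeps the key and the token-to-identifier table in a separate “vault” object that stands in for a separately secured system (the “additional information” the definition refers to). The records, field names and the vault class are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records for illustration only; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "role": "professional contact", "fund": "Fund I"},
    {"email": "bob@example.org", "role": "counterparty", "fund": "Fund II"},
    {"email": "alice@example.org", "role": "professional contact", "fund": "Fund II"},
]

# Fields that directly identify a person and are therefore replaced by tokens.
IDENTIFIER_FIELDS = ("email",)


@dataclass
class PseudonymisationVault:
    """Stands in for the separately stored 'additional information': the secret
    key and the token-to-identifier table. In a real deployment this lives in
    its own system with its own access controls, never beside the data set."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)  # token -> original identifier

    def token_for(self, value: str) -> str:
        # Keyed HMAC rather than a plain hash: the same input always yields the
        # same token, so records about one person stay linkable for analysis,
        # but without the key nobody can recompute tokens for guessed inputs.
        token = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self.lookup[token] = value
        return token

    def reidentify(self, token: str) -> str:
        """Authorised re-identification; only possible with access to the vault."""
        return self.lookup[token]


def pseudonymise(records: list, vault: PseudonymisationVault) -> list:
    """Return copies of the records with identifier fields replaced by tokens.
    The input records are not modified."""
    result = []
    for record in records:
        copy = dict(record)
        for name in IDENTIFIER_FIELDS:
            if name in copy:
                copy[name] = vault.token_for(copy[name])
        result.append(copy)
    return result


def plain_sha256(value: str) -> str:
    """The weak alternative: an unkeyed hash of the identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates: list) -> Optional[str]:
    """What someone holding only the data set can do: hash every guessable
    identifier and compare. This recovers the input behind a plain_sha256
    value, but fails against an HMAC token because the key is unknown."""
    for candidate in candidates:
        if hmac.compare_digest(plain_sha256(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    vault = PseudonymisationVault()
    data = pseudonymise(SAMPLE_RECORDS, vault)
    guesses = [r["email"] for r in SAMPLE_RECORDS]
    print(data)
    print("authorised re-identification:", vault.reidentify(data[1]["email"]))
    print("attack on plain hash:", dictionary_attack(plain_sha256("bob@example.org"), guesses))
    print("attack on HMAC token:", dictionary_attack(data[1]["email"], guesses))
```

Two design points matter here. The HMAC is deterministic, so all records about one person share a token and can still be counted or joined without revealing who the person is; rotating the key deliberately breaks that linkage, which is the lever to pull when a data set should no longer be re-identifiable. The lookup table is the reversibility that the definition permits only when the additional information is kept separately; in production it would be an encrypted store with its own access control and audit trail, not an in-memory dictionary.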