Data Protection Policy
1.1 This Data Protection Policy (“Policy”) applies to Mirae Asset ETF ICAV (the “Fund”) in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and applicable supplemental national data protection laws in Ireland, which consist primarily of the Data Protection Acts 1988 to 2018, will be collectively referred to as the “Data Protection Legislation” that apply to the Fund.
1.2 As a regulated entity, the Fund and its delegates and affiliates have to collect, store and process certain Personal Data about investors, beneficial owners, directors, employees, trustees, service providers and other third parties for the purposes of its operations and adhering to its legal and regulatory obligations. Such data is collected from employees, investors, service providers and includes (but is not limited to), any information relating to an identified or identifiable natural person. For example, ‘Know Your Client’ documentation which may include personal data such as residential addresses, email addresses, places of birth, dates of birth, bank account details and details relating to investor investment activity, including business and personal information of individuals to the extent relevant to such activity, name, address, email address, data of birth, IP address, identification numbers, private and confidential information, sensitive information and bank details.
1.3 The Fund operates on a delegated model under which the Fund’s Service Providers are appointed to provide certain services to the Fund. In the provision of the services to the Fund, the Fund Service Providers process personal data on behalf of the Fund and as a result constitute “processors” of the Fund. It is the Fund’s policy to ensure that such Processors have implemented appropriate technical and organisational measures to ensure there are appropriate safeguards to comply with the GDPR.
1.4 This Policy with guidelines for processing of personal data, constitutes the overall framework for processing of personal data with the Fund.
2. POLICY STATEMENT
2.1 The Fund has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the data protection laws and principles, including staff training, procedure documents, and ongoing monitoring. Ensuring and maintaining the security and confidentiality of personal data is one of our top priorities.
2.2 The Data Protection Manager to the Fund is Sinead Phelan. The Data Protection Manager will work to ensure that all processes, systems, key Processors engaged by the Fund and staff are operating compliantly and within the requirements of the data protection laws and its principles.
The purpose of this policy is to protect the rights and freedoms of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge and ensure the Fund meets its legal, statutory and regulatory requirements under the data protection laws.
3.1 The data protection laws include provisions that promote accountability and governance and as such the Fund has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is to ultimately minimise the risk of breaches and uphold the protection of personal data.
4.1 General Definitions:
a. “Controller” means any natural or legal person, which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Fund generally acts as a Controller of personal data.
b. “Processor” means a natural or legal person who processes personal data on behalf of the controller, such as a fund administrator, distributor and/or other delegates of the Fund.
c. “Data Subject” means an individual who is the subject of personal data, such as an investor in the Fund.
d. “Processing” means performing any operation or set of operations on personal data, whether or not by automatic means, including collecting, recording, organising, structuring, storing, amending, using, retrieving, disclosing, erasing or destroying it.
4.2 Personal Data
4.2.1 Information protected under the GDPR is known as “personal data” and is defined as:
Any information relating to an identified or identifiable natural person; For example, ‘Know Your Client’ documentation which may include personal data such as residential addresses, email addresses, places of birth, dates of birth, bank account details and details relating to investor investment activity, including business and personal information of individuals to the extent relevant to such activity.
4.2.2 The Fund will ensure that any Personal Data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is being processed.
4.2.3 Under Article 9 of the GDPR, where the Fund processes any special categories of Personal Data (such as health data), it must have a legitimising condition for doing so under Article 9 or relevant provisions of the Data Protection Act 2018. The Fund generally does not collect or process any special categories of Personal Data, except limited quantities of health data in relation to the Fund’s own personnel to the extent that this is relevant to their relationship with the Fund (e.g. in connection with absence from work due to illness). Where the Fund processes special categories of Personal Data, it does so incompliance with applicable provisions in the GDPR and the Data Protection Act 2018.
5. GDPR PRINCIPLES
5.1 The Fund collects and uses personal data for the purposes of its operations and adhering to its legal and regulatory obligations.
5.2 As per Article 5 of the GDPR the Fund adheres to core data protection principles, namely that Personal Data shall be:
a) processed fairly, lawfully and transparently;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) limited to what is required for the stated purpose or purposes;
d) accurate, complete and up to date;
e) retained for not longer than is necessary for the stated purpose or purposes;
f) kept confidential, safe and secure;
g) provided to a Data Subject on request; and
h) not transferred to people or organisations situated in countries without adequate protection.
5.3 The Fund adheres to the accountability principle, by taking responsibility for, and being able to demonstrate compliance with, obligations under applicable Data Protection Legislation.
6. LEGAL BASIS FOR PROCESSING PERSONAL DATA
6.1 Pursuant to Article 6 of the GDPR, the Fund can process Personal Data lawfully to the extent that at least one of the following applies:
a) where the Data Subject has given consent to the Processing;
b) where this is necessary for the performance of the contract with the Data Subject;
c) where this is necessary in order to protect the vital interests of the Data Subject or another natural person;
d) where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
e) where this is necessary for compliance with a legal obligation to which the Fund is subject; and/or
f) where this is necessary for the purposes of the legitimate interests of the Fund or a third party and such legitimate interests are not overridden by the Data Subject’s interests, fundamental rights or freedoms.
6.2 The Fund generally relies on performance of a contract, legal obligation and legitimate interests as its main lawful bases for Processing of Personal Data. Where relying on legitimate interests, the Fund will conduct a balancing exercise to ensure that the legitimate interests pursued should not be overridden by the Data Subject’s interests, fundamental rights or freedoms. The Fund generally does not intend to rely upon consent as the lawful basis for the processing of personal data.
6.3 The Fund will only collect and process Personal Data for purposes that are specific, explicit and for legitimate purposes. The Fund generally processes Personal Data for the following purposes;
a) where this is necessary for the performance of the contract to purchase shares in the Fund;
b) where this is necessary for compliance with a legal obligation to which the Fund is subject (such as the anti-money laundering obligation to verify the identity of the Fund’s customers (and, if applicable their beneficial owners) or the prevention of fraud); and/or
c) where this is necessary for the purposes of the legitimate interests of the Fund or a third party (such as direct marketing and analysing Personal Data for quality control, business and statistical analysis, tracking fees and costs, training and related purposes). Such legitimate interests are not overridden by a Data Subject’s interests, fundamental rights or freedoms.
6.4 The Fund will not process Personal Data in a manner that is incompatible with those communicated with Data Subjects. If the Fund is considering any new activity or implementing any new initiative that will involve changing the way that the Fund processes Personal Data, it will decide whether a data protection impact assessment or privacy impact assessment should be carried out in accordance with Data Protection Legislation and related guidance.
7. DISCLOSURE AND TRANSFER OF PERSONAL DATA
7.1 The Fund as Controller
7.1.1 The Fund is a Controller and takes appropriate measures to comply with its obligations as such under Data Protection Legislation. The Fund often engages third parties to process Personal Data on behalf of the Fund and when they do so, such third parties generally act as Processors. When Processing Personal Data, there may also be times where service providers to the Fund (for example, the administrator) will be required to use Personal Data for their own purposes, in which case they will be characterised as other Controllers of that Personal Data
7.2 Other Data Controllers
7.2.1 The Administrator and Depositary shall each be separate data controllers of the personal data of shareholders, applicants for shares, beneficial owners, directors and officers of shareholders and applicants for shares which they obtain as a result of their respective contracts with the Fund:
(i) to the extent that it is necessary for either of them, respectively, to comply with their own obligations under anti-money laundering legislation (on the basis of their respective legal obligations); and
(ii) in the case of the Depositary, in the discharge of its statutory oversight and monitoring obligations (on the basis of its legal obligations)
7.3 Company Service Providers
7.3.1 The Fund operates on a delegated model under which the Fund’s Service Providers are appointed to provide certain services to the Fund. In the provision of the services to the Fund, the Fund Service Providers process personal data on behalf of the Fund and as a result constitute “processors” of the Fund.
7.3.2 It is the Fund’s policy to ensure that such Processors have implemented appropriate technical and organisational measures to ensure there are appropriate safeguards to comply with the GDPR.
7.3.3 The Fund ensures that it has a written agreement with each Company Service Provider that acts as a Processor on behalf of the Fund which contains appropriate contractual provisions governing the processing of Personal Data by that Company Service Provider on behalf of the Fund as required under Data Protection Legislation. These provisions include a contractual right to obtain all relevant information from that Company Service Provider which is necessary in order for the Fund Service Provider to demonstrate its compliance with the data protection obligations set down in the contract. Furthermore, the Fund may carry out an audit or inspection of the relevant Company Service Provider for such purposes.
7.4 Transferring Personal Data to a country outside the EEA
7.4.1 Under Data Protection Legislation, Personal Data generally may not be transferred outside the European Economic Area unless an exception to this general prohibition can be relied on. The permitted exceptions include: (a) where the third country to which the Personal Data is to be transferred is the subject of an adequacy decision by the European Commission, which allows the free flow of Personal Data from the EEA to that third country, or (b) where the transferring Controller or Processor has provided appropriate safeguards for Personal Data and there are enforceable Data Subject rights and effective legal remedies available to Data Subjects; or (c) where limited derogations apply, such as where the explicit consent of the Data Subject has been obtained, or where the transfer is necessary for the performance of a contract with the Data Subject, or for the exercise of legal claims or for important reasons of public interest.
7.4.2 The Fund anticipates transferring Personal Data to entities located both within and outside of the EEA and authorised delegates such as the Fund’s administrator, investment manager, distributor and their respective affiliates, some of which may include entities located outside of the EEA. Any transmission of Personal Data by the Fund outside the EEA shall be in accordance with the requirements of the Data Protection Legislation.
8. RIGHTS OF The DATA SUBJECTS and rights to access
8.1 Rights to Access
8.1.1 A Data Subject has the right to obtain confirmation from the Fund as to whether or not Personal Data concerning them is being processed. Where the Fund is Processing their Personal Data, the Data Subject has the right to access such Personal Data and the following information:
a) the purpose of the Processing;
b) the categories of Personal Data concerned;
c) the persons or categories of persons to whom the Personal Data may be disclosed, in particular recipients in third countries or international organisations;
d) the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request rectification or erasure of the Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing;
f) the right to lodge a complaint with the Data Protection Commission or another competent data protection authority;
g) where the Personal Data is not collected for the Data Subject, any available information as to their source; and
h) the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
8.1.2 Where Personal Data is transferred to a third country outside of the EEA or an international organisation, the Data Subject has the right to be informed of the appropriate safeguards relating to the transfer.
8.1.3 The Fund will not charge a fee for complying with a Data Subject’s access request, unless it can be demonstrated that the cost will be excessive. In such cases, a reasonable fee may be applied.
8.1.4 The information shall be provided without delay and within one month. Where requests are complex, the Fund may extend the deadline for providing the information to three months. However, it shall in any event respond to the request within a month, explaining why the extension is necessary.
8.1.5 A request may be made by an individual, such as an investor or a director of a Company and may be made in electronic format as well as by written request to the privacy contact at the Fund.
8.2 Rights to be forgotten
8.2.1 A Data Subject has the right for their Personal Data to be erased without undue delay in certain contexts including, but not limited to, where the Personal Data has been Processed unlawfully or where the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise.
8.2.2 The Fund will comply with any valid request for erasure, subject to applicable exemptions provided for in Data Protection Legislation.
8.3 Rights to the restriction of Processing
8.3.1 A Data Subject has the right to require that the Fund restricts Processing of their Personal Data in certain circumstances including, but not limited to, where the Personal Data is inaccurate, is no longer required in light of the purposes of the Processing or the Data Subject has exercised their right to object.
8.3.2 Where Processing has been restricted, such Personal Data shall, with the exception of storage, only be processed with the Data Subject’s consent and the Fund is required to inform the Data Subject before the restriction of Processing is lifted.
8.3.3 The Fund will comply with any valid request for restriction of Processing, subject to applicable exemptions provided for in Data Protection Legislation.
8.4 Rights in relation to automated decision making
8.4.1 Data Subject has the right not to be subjected to processing which is wholly automated and which produces legal effects or otherwise which significantly affects an individual, unless one of a limited number of exemptions applies. The Fund does not envisage engaging in any such automated decision making.
8.5 Rights to object
8.5.1 A Data Subject has the right to object, on grounds relating to their particular situation, at any time to Processing of Personal Data concerning them where the Processing is based on legitimate interests pursued by the Fund or a third party.
8.5.2 In such circumstances the Fund shall no longer process the Personal Data unless it demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
8.5.3 The Fund will comply with any valid objection to the Processing of Personal Data, subject to applicable exemptions provided for in Data Protection Legislation.
9. Personal data Records
9.1 Keep accurate and up-to-date
9.1.1 The Fund will take reasonable steps to ensure that the Personal Data held is accurate and kept up to date. The accuracy of any Personal Data will be checked at the time of collection and at regular intervals or triggers thereafter. The Fund will take all reasonable steps to amend inaccurate or out-of-date Personal Data without delay after becoming aware of this.
9.2. Storage Limitation
9.2.1 The Fund will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. It will take all reasonable steps to erase all Personal Data which is no longer required. The Fund will be clear when informing the Data Subject about how it determines the length of time for which Personal Data will be kept and the reason why the information is being retained. The Fund will take into account any required statutory retention periods that give rise to an obligation to retain a Data Subject’s Personal Data for fixed periods and ensure that Personal Data is retained in line with such statutory requirement(s).
9.3 Kept safe and secure
9.3.1 Processing will be conducted in a manner that ensures appropriate security and confidentiality of Personal Data. The Fund must secure Personal Data from unauthorised access by third parties, alteration, disclosure, accidental loss, destruction or any form of computer corruption. The Fund will seek assurances from any service providers that act as Processors for the Fund that they have implemented appropriate information security measures which may include, but are not limited to:
a) Access to IT servers are restricted in a secure location to a limited number of staff;
b) Access to systems are password protected;
c) A back up procedure is in operation;
d) Manual files containing Personal Data, financial information or Company confidential information are not be viewable; and
e) A strong emphasis is placed on the security of Personal Data when it is held on portable devices.
10. Personal Data breaches
10.1 Definition of Personal Data Breach
10.1.1 The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
10.1.2 Article 34 of the GDPR requires that any Personal Data Breach that is likely to result in a high risk to the rights and freedoms of the affected Data Subjects must be communicated to those individuals without undue delay.
11.1 If you have any questions regarding the content of this Policy, please contact the privacy contact at the Fund (firstname.lastname@example.org).
Cookies are small files that collect anonymous information about how visitors use our site, which is then used to help improve the site. The information collected includes the number of site visitors, where visitors come to the site from and the pages they visited. For further information visit www.aboutcookies.org. Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our site.