Ombudsman orders the Registrar of Companies to stop collecting personal data from individuals holding company shares or voting rights
The Ombudsman has ordered the Registrar of Companies to stop collecting personal data from individuals who hold company shares or voting rights in circumstances where it has no legal basis to do so.
The Ombudsman was made aware via a complaint that the Registrar requested personal information about individuals who were 1% shareholders in a company. Under the Companies Law (2020 Revision), a person who would be required to provide information for the company register – a beneficial owner – is someone who holds more than 25% of shares or voting rights in a company, or any individual who is able to vote to remove a majority of the company’s board of directors.
The Ombudsman noted that there may be specific circumstances where personal information could be requested about someone holding fewer than 25% of a company’s shares, but the Registrar cannot apply a “blanket” requirement to do so without establishing a legal basis and informing the person of the reason for the data collection.
“The Registrar was using a blunt instrument to collect data on all company shareholders rather than the lancet the law requires,” said Ombudsman Sandy Hermiston. “All entities collecting personal data must respect the data protection principles, which include the requirement that processing personal data must have a legal basis and that the person whose data is being processed is informed of the purposes for the processing.”
In addition to the order to stop processing data of individuals who are not considered registerable shareholders under the Companies Law, the Registrar was ordered to develop a suitable privacy notice to include on the Cayman Business Portal where companies are registered. The Ombudsman also recommended that the Registrar develop a policy setting out fair and reasonable criteria in circumstances where additional data collection for non-registerable shareholders is sought.
As with all enforcement orders made under the Data Protection Law, the entity against which the order is made has 45 days to seek judicial review of the Ombudsman’s decision.
The decision is not yet available on our website but will be posted shortly.
[For the benefit of our readers IEYENEWS has posted the DECISION under Case 202000507]
Anyone with questions about Cayman’s Data Protection Law, which took effect on 30 September 2019, should go to our website www.ombudsman.ky for further information. Data protection complaints can be made to the Ombudsman’s office at 946-6283 or via email at [email protected].
Case 202000507
Enforcement Order Registrar of Companies 12 August 2020
EXECUTIVE SUMMARY
This enforcement order records the conclusions of an investigation into a complaint made to the Ombudsman under section 43 of the Data Protection Law, 2017 (DPL).
The complainant asserted that the Registrar of Companies (Registrar) did not have a legal basis to process certain personal data requested on the Registrar’s online payment platform relating to non-registrable persons. The complainant believed that it was unnecessary for the Registrar to request this personal data and asked the Ombudsman to require that the Registrar amend its policies and procedures accordingly.
The Ombudsman considered legislation and regulations relating to the submission of beneficial ownership information, a delegation letter that confers the responsibilities and powers of a beneficial ownership competent authority to the Registrar as well as detailed correspondence communicated before and after the filing of this complaint.
The Ombudsman found that the Registrar did not have a legal basis for processing the personal data of non-registrable individuals in a blanket fashion and must therefore immediately cease gathering and further processing such data. The Ombudsman also required that the Registrar make available a privacy notice to inform individuals who submit personal data using the online platform of the purpose for which this information will be processed.
The Ombudsman recommended that the Registrar develop policies and procedures for requesting information under section 279A of the Companies Law and make them available to the public.
INTRODUCTION
1.1 On 24 February 2020, the complainant communicated with the Cayman Islands General Registry (the General Registry) regarding issues he had experienced while completing an application for the Beneficial Ownership Register (BOR) for a limited company (the Company) using the Cayman Business Portal (CBP).
1.2 The CBP is a national service delivered by the General Registry that allows business owners to manage their government-related licences, permits and registrations using an online platform. The complainant indicated that, while submitting an application using the CBP, the platform rejected the application on two occasions because he had not entered the details of two individuals who each own one share (or 1% of the shares) of the Company.
1.3 The complainant argued that the beneficial ownership provisions in the Companies Law (2020 Revision) (Companies Law) require only registrable persons to be entered in the BOR. A registrable person is an individual or relevant legal entity that is a registrable person under section 251 of the Companies Law. The complainant believes that there is no legal requirement for the details of the two persons each owning one share of the Company to be provided to the Registrar because these persons are not deemed registrable under the Companies Law.
1.4 Furthermore, the complainant argued that, under the DPL, personal data must only be obtained for one or more specified lawful purposes and must not be further processed in any manner incompatible with that purpose or those purposes. The complainant queried the lawful purpose relied on by the Registrar for collecting the personal data of individuals who are not registrable persons under the beneficial ownership regime.
1.5 In response, the General Registry explained that the beneficial ownership protocols and the submission of the requested personal data form part of the General Registry’s compliance framework. Both serve the purpose of mitigating any potential risk related to terrorist financing, money laundering, targeted financial sanctions and proliferation financing. This also includes mitigating potential risks concerning legal, reputational or financial exposure to the Cayman Islands.
1.6 The General Registry referred to section 252 of the Companies Law, which provides companies with the option of engaging either a corporate service provider or the Registrar to establish and maintain registration in the BOR on their behalf. It stated that the Company had the option to engage a corporate service provider if it did not wish to provide the Registrar with the information requested.
1.7 Before being engaged by a company to establish or maintain its registration in the BOR, the Registrar requires a formal agreement. Under this agreement, the Registrar can request additional information if this is deemed necessary for the mitigation of the previously mentioned risks.
1.8 The complainant complained to the Ombudsman regarding the Registrar’s legal basis for processing the requested data. The complainant would like the Registrar to amend its policies requiring this personal data to be provided and update the CBP so that it is no longer necessary for a company to enter the personal details of persons who are not registrable persons.
CONSIDERATION OF ISSUES
1.9 The first data protection principle in Schedule 1 of the DPL stipulates that all processing of personal data must be fair and personal data may be processed only if one of the conditions set out in paragraphs 1 to 6 of Schedule 2 of the DPL is satisfied. The conditions listed in Schedule 2 are legal bases to process personal data. As a data controller, the Registrar must show that it has a legal basis to process the data requested from the complainant.
1.10 The complainant alleges that, when attempting to enter beneficial ownership data for an ordinary company via the Registry’s CBP, additional information was requested in relation to persons who fell below the threshold for a registrable person, as they held only 1% shares in the company, and that in the circumstances of this case the Registrar did not have a legal basis for requesting that personal data.
1.11 The Registrar relies on the fifth legal basis in Schedule 2, which allows processing where it is necessary for the exercise of public functions, specifically subparagraph (b), which allows processing necessary for “the exercise of any functions conferred on any person by or under any enactment”.
1.12 In the circumstances of this case, the question of whether the condition outlined in paragraph 11 had been met depends on who is considered a registrable person under the applicable beneficial ownership legislation, including the Companies Law and the Beneficial Ownership (Companies) Regulations (2019 Revision) (the BO Regulations).
1.13 Subsection 247(3) of the Companies Law sets the threshold for a beneficial owner as someone who is:
holding, directly or indirectly, more than 25% of the company’s shares;
holding, directly or indirectly, more than 25% of voting rights in the company; or,
holding the right, directly or indirectly, to appoint or remove a majority of the board of directors of the company.
1.14 Section 251 of the Companies Law establishes the individuals and relevant legal entities that are registrable persons, with reference to section 247 (and 248). In addition, subsection 251(2) brings into effect the BO Regulations to further inform the identification of registrable persons.
1.15 The Registrar has a dual role under the BO Regulations, namely as a direct means for companies to establish and maintain their registration in the BOR, a role that is identical to a service provider’s, and as the competent authority that maintains the overall BOR for all companies. The Registrar was engaged by the complainant on the basis of subsection 252(3) of the Companies Law, which states that: “Ordinary resident companies to which this Part applies shall engage either a corporate services provider or the Registrar to assist them to establish and maintain their beneficial ownership registers.”
1.16 When a company engages a corporate services provider, including the Registrar, section 253 requires that certain particulars be provided. Subsection 253(3) states that “particulars need not be entered concerning an individual or relevant legal entity that is not a registrable person”.
1.17 The Companies (Amendment) Law, 2020, came into effect on 19 February 2020, a few days before the events that led to this complaint took place. Section 10 introduced section 279A of the Companies Law, subsection (1) of which states that: “The competent authority may request by notice in writing, additional information from a company or corporate services provider for the purposes of carrying out its functions under this Part.” Subsections (2) and (3) provide further details on compliance with the notice, and potential penalties for non-compliance.
1.18 The Registrar’s position is that: (i) the Registrar is the competent authority; (ii) the Registrar has been engaged to establish and maintain the company’s beneficial ownership register pursuant to section 252(3) of the Companies Law; and (iii) the Registrar is now permitted by way of section 10 of the Companies (Amendment) Law 2020 to request additional information of persons, whose shareholdings or voting rights fall below the 25% threshold. The Registrar further justifies this position by reference to general but unspecified anti-money laundering obligations.
1.19 I find the Registrar’s explanation problematic for the following reasons:
a. Section 251 of the Companies Law and the BO Regulations are not capable of expanding the definition of a registrable person to below the 25% threshold defined in section 247. If this were the case, a contradiction would be created between section 247, on the one hand, and section 251 and the BO Regulations, on the other. This would constitute a circumvention of the threshold established in section 247, which, in my opinion, cannot be the intention of the legislation.
b. Subsection 253(3) confirms that particulars need not be entered in the BOR concerning an individual or relevant legal entity that is not a registrable person. Since 1% shareholders are not registrable persons, the Companies Law does not require submission of their information, and the Registrar cannot rely on the BOR as a legal basis for processing their data.
c. Any request from the Registrar for information on additional persons (such as 1% shareholders) should not be conjoined with the request for information on registrable persons. The registration of a company and the provision of information on registrable individuals are not parts of the same process, as heightened due diligence may be required in specific circumstances. Additional information can be sought using the mechanism provided in section 279A of the amended Companies Law, which addresses this point specifically. Rather than requiring the provision of information on non-registrable individuals as a matter of routine, I recommend that the Registrar develop internal policies and procedures to define fair and reasonable criteria for requesting additional information, which should be made available to the public. While we were advised that the Registrar is developing such policies and procedures, they are not yet complete or in force.
d. The Registrar relies on the legal condition in paragraph 5(b) of Schedule 2, which provides that processing is allowed where it is “necessary” for the exercise of functions conferred by or under any enactment. The necessity of the processing of personal data on the basis of any of the conditions in Schedule 2 must be interpreted narrowly and in conjunction with the fundamental right to privacy, as enshrined in section 9 of the Cayman Islands Bill of Rights. Whether processing personal data is considered necessary will depend on an assessment of the objective pursued and whether it is less intrusive than other options.¹ In this respect, the Companies Law and the BO Regulations themselves set limits on the particulars that are necessary for the purpose of registering a company and providing information on beneficial owners. The Registrar has exceeded these limits by implementing a blanket requirement that additional data on non-registrable persons be submitted. This exceeds the legal requirements purportedly relied on and therefore does not form a valid basis for processing personal data.
e. I note that the Registrar engages in a formal agreement with companies who wish it to establish and maintain their registration in the BOR. The Registrar claims that this agreement allows it to request additional information where it is deemed necessary. The part of the agreement that was quoted to us refers to the provision of “information and documents … to support any changes … to the BOR in accordance with the Law”, as well as “any documentation reasonably required by the Registrar in connection with the identification of the Beneficial Owner(s)”. This wording indicates that the agreement applies within the legal framework of the applicable company registration and BO legislation, and does not justify the gathering of personal data beyond what is permitted by law.
1.20 For these reasons, I find that the Registrar does not have a legal basis for gathering the personal data of non-registrable individuals, such as 1% shareholders of a company, as a routine part of its company registration function using the CBP under the Companies Law.
1.21 The Registrar’s approach to gathering the personal data of non-registrable individuals should also be evaluated against the first part of the first data protection principle, which requires that personal data be processed fairly. This principle is further clarified in paragraph 2 of Part 2 of Schedule 1 of the DPL, as follows:
For the purposes of the first principle personal data shall not be treated as processed fairly unless the data subject has, as soon as reasonably practicable, been provided with, at a minimum –
(a) the identity of the data controller; and
(b) the purpose for which the data are to be processed.
1.22 Gathering the personal data of registrable persons (and additional information where appropriate) serves the Registrar’s company registration purpose under the Companies Law and related legislation. However, the Registrar does not explain the purpose(s) of its personal data processing to users of the CBP.
1.23 To ensure the fairness of the data processing, the Registrar must provide users of the CBP with the required information, described above, as soon as is reasonably practicable, i.e. at the time it is being gathered. If any additional personal data is processed for purposes other than the registration of a company or beneficial owners, that should be fully explained.
1.24 Detailed guidance on the topic of the first data protection principle² and the privacy notice is available on the website of the Office of the Ombudsman.
FINDINGS, RECOMMENDATIONS AND DECISIONS
Under section 45(1) of the DPL, I make the following findings, recommendations and decisions:
1) I find that the Registrar has not established a satisfactory legal basis for its blanket approach to gathering and processing the personal data of non-registrable persons such as 1% shareholders.
2) The Registrar is required to take the following steps to ensure that the General Registry is in compliance with the DPL:
a) Immediately cease gathering and further processing personal data of persons who are not registrable persons under the beneficial ownership provisions as part of its company registration process.
b) Immediately develop and implement a privacy notice for the CBP, to meet the requirements of paragraph 2 of Part 2 of Schedule 1 of the DPL.
3) I recommend that the Registrar develop written policies and procedures to define fair and reasonable criteria for requesting additional information under section 279A of the Companies Law, which should be made available to the public.
Under section 47 of the DPL, a person who has received an enforcement order under this Law may, within 45 days of receipt and upon notice of the Ombudsman, seek judicial review of the order to the Grand Court.
1 European Data Protection Supervisor, Assessing the Necessity of Measures that Limit the Fundamental Right to the Protection of Personal Data: A Toolkit, 11 April 2017, p. 5, available at: https://edps.europa.eu/sites/edp/files/publication/17-06-01_necessity_toolkit_final_en.pdf
2 See: https://ombudsman.ky/data-protection-organisation/individual-rights/the-right-to-be-informed
(Signed)
Sandy Hermiston
Ombudsman