A decision by the Office of the Ombudsman could have far-reaching implications for personal data protection in the Cayman Islands.
The Ombudsman has ordered the Registrar of Companies to stop collecting personal data from individuals who hold company shares or voting rights in circumstances where it has no legal basis to do so.
According to a statement from the Office of the Ombudsman on Thursday, the Ombudsman was made aware via a complaint that the Registrar requested personal information about individuals who were 1% shareholders in a company.
Under the Companies Law (2020 Revision), a person who would be required to provide information for the company register - a beneficial owner - is someone who holds more than 25% of shares or voting rights in a company, or any individual who is able to vote to remove a majority of the company’s board of directors.
The statement goes on to say that the Ombudsman noted that there may be specific circumstances where personal information could be requested about someone holding fewer than 25% of a company’s shares.
However, it was determined that the Registrar cannot apply a “blanket” requirement to do so without establishing a legal basis and informing the person of the reason for the data collection.
“The Registrar was using a blunt instrument to collect data on all company shareholders rather than the lancet the law requires,” said Ombudsman Sandy Hermiston.
“All entities collecting personal data must respect the data protection principles, which include the requirement that processing personal data must have a legal basis and that the person whose data is being processed is informed of the purposes for the processing.”
In addition to the order to stop processing data of individuals who are not considered registerable shareholders under the Companies Law, the Registrar was ordered to develop a suitable privacy notice to include on the Cayman Business Portal where companies are registered.
The Ombudsman also recommended that the Registrar develop a policy setting out fair and reasonable criteria in circumstances where additional data collection for non-registrable shareholders is sought.
The case arose from a complaint made to the Office of the Ombudsman on the basis that the Registrar of Companies (Registrar) did not have a legal basis to process certain personal data requested on its online payment platform relating to non-registrable persons.
The complainant believed that it was unnecessary for the Registrar to request this personal data and asked the Ombudsman to require that the Registrar amend its policies and procedures accordingly.
With this decision made directly against the Registrar of Companies, it was not immediately clear if it could or would impact the pending Public Register of Beneficial Ownership of companies in the financial sector being pushed by the British government.