Sniper Capital respects the confidentiality of Personal Data and privacy of individuals and is committed to complying with current data protection legislation.
1.1 Sniper Capital Limited has adopted this data-protection policy to ensure it meets its obligations under the current data protection legislation and to the extent that goods or services are offered to individuals within the EU, the EU data protection regime introduced by the General Data Protection Regulation (Regulation 2016/679), hereinafter referred to as the “DPL”.
1.2 This Policy describes how Personal Data must be collected, handled, stored, disclosed and otherwise “Processed” to meet the Company’s data protection obligations and to comply with the DPL.
1.3 The purpose of this Policy is to ensure that everyone involved in the processing of Personal Data is fully aware of, and complies with, the requirements of the DPL.
1.4 In preparing the Policy, the Company has taken into account the nature, scale and complexity of its business. As the Company does not regularly and systematically monitor Data Subjects on a large scale, it has not appointed a data protection officer. The Company’s directors are ultimately responsible for ensuring that the Company meets its legal obligations and operates in full compliance with the DPL.
2.1 “Data Controller” means any natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data (in this case, the investment companies managed by Sniper Capital (the “Investment Companies”), i.e. Sniper Macau Heritage Properties I Limited, Sniper Macau Heritage Properties II Limited, Sniper Macau Heritage Properties III Limited and Macau Property Opportunities Fund Limited).
2.2 “Data Processor” means a natural or legal person who processes Personal Data on behalf of the Data Controller such as an administrator, distributor and/or other delegates that receive Personal Data.
2.3 “Data Subject” means an identified or identifiable natural person who is the subject of Personal Data.
2.4 “Personal Data” means any personal information relating to a Data Subject, such as name, residential address, email address, contact details, corporate contact information, signature, nationality, place of birth, date of birth, tax identification, credit history, correspondence records, passport number, bank account details, any other information about you that you disclose to us when registering your interest via our website, your IP address, your browser type and language and other information about your visit to our website, cookies and online identifiers.
2.5 “Privacy Notice” means the data protection disclosure statement prepared in respect of the Investment Companies, outlining the Investment Companies’ data protection obligations and the data protection rights of Data Subjects, as required under the DPL.
2.6 “Processing” means performing any operation or set of operations on Personal Data, whether or not by automatic means, including collecting, recording, organising, storing, amending, using, retrieving, disclosing, erasing or destroying it. The rules around the Processing of Personal Data apply whether the activity takes place in the European Union (“EU”) or not, where the Processing activities are related to (i) the offering of goods and services to Data Subjects that are in the EU; or (ii) the monitoring of their behaviour which takes place within the EU. Furthermore, as the Company will process data relating to Data Subjects, such as Directors, it will be required to process in accordance with the DPL.
3. Sniper Capital as Data Processor
3.1 Sniper Capital is a Data Processor and shall comply with its obligations as such under the DPL.
3.2 When Processing Personal Data, there may also be times where other service providers to the Company, to the extent they determine the purpose and the means of processing, may also be characterised as Data Controllers or Data Processors under the DPL. This, however, does not exonerate the Company from its responsibilities and obligations. It is important that, if there is any risk of the Company acting jointly with a service provider, the contractual arrangements as to the determination of the purpose and means of data processing and the attribution of responsibilities between the two be comprehensively reviewed for governance and legal reasons.
4. Data Protection Principles
4.1 Personal Data shall be:
(a) processed fairly, lawfully and transparently;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(c) limited to what is required for the stated purpose or purposes;
(d) accurate, complete and up to date;
(e) retained for not longer than is necessary for the stated purpose or purposes;
(f) kept safe and secure;
(g) provided to a Data Subject on request (please see Section 5); and
(h) not transferred to people or organisations situated in countries without adequate protection.
4.2 Fair and transparent processing
Fairly obtained Personal Data requires that the Data Controller, either before or at the time the Personal Data is collected, makes the Data Subject aware of the following:
(a) the identity and contact details of the Data Controller;
(b) the purpose in collecting the Personal Data as well as the legal basis for processing;
(c) if one such legal basis is the legitimate interests of the Data Controller, the legitimate interests of the Data Controller or third party and an explanation of those interests (where processing is based on this ground);
(d) the persons or categories to whom the Personal Data may be disclosed;
(e) details of any transfers outside of the European Economic Area (“EEA”) and a description of the safeguards in place and the means by which to obtain a copy of them;
(f) the period for which the Personal Data will be stored;
(g) the Data Subject’s right to access Personal Data;
(h) the Data Subject’s right to rectify Personal Data if inaccurate;
(i) the Data Subject’s right to erasure of Personal Data;
(j) the Data Subject’s right to the portability of their Personal Data;
(k) the Data Subject’s right to limit processing;
(l) the Data Subject’s right to withdraw consent;
(m) the Data Subject’s right to object to processing, in certain circumstances; and
(n) the Data Subject’s right to lodge a complaint with The Office of the Data Protection Commissioner.
The Company will ensure that all information and communications relating to the processing of Personal Data will be clear, concise, transparent, intelligible, easily accessible and easy to understand using clear and plain language. The Company will ensure that these transparency requirements are adhered to at all stages of the collection and processing of Personal Data.
If any of the information described above changes after it has been provided to the Data Subject, the Data Subject shall be provided with an update to the information.
4.3 Lawful Processing
The Company can process Personal Data lawfully to the extent that at least one of the following applies:
(a) where the Data Subject has given consent to the processing (although it is preferred wherever possible that alternate grounds of processing be utilised and that the Company only rely on consent to process as a last resort);
(b) where processing is necessary for the performance of the contract with the Company;
(c) where processing is necessary in order to protect the vital interests of the Data Subject or another natural person;
(d) where processing is necessary for compliance with a legal obligation to which the Company is subject; and/or
(e) where processing is necessary for the purposes of the legitimate interests of the Company or a third party and such legitimate interests are not overridden by the Data Subject’s interests, fundamental rights or freedoms.
4.4 Purpose Limitation
The Company will only collect and process Personal Data for purposes that are specific, explicit and legitimate. The Company as a fund manager will process Personal Data for the following purposes:
(a) to determine and reflect an investor’s ownership of shares in any managed funds (i.e. where this is necessary for the performance of the contract to purchase shares in the fund or to process redemption, conversion, transfer and additional subscription requests or the payment of distributions);
(b) to discharge its anti-money laundering and terrorist financing/sourcing of funds obligations to verify the identity of the investors (and, if applicable their beneficial owners) or for prevention of fraud or for regulatory or tax reporting purposes or in response to legal requests or requests from regulatory authorities (i.e. where this is necessary for compliance with a legal obligation); and/or
(c) for direct marketing purposes (that is, the provision of information to Data Subjects on products and services) or for quality control, business and statistical analysis or for tracking fees and costs or for customer service, training and related purposes (i.e. where this is necessary for the purposes of the legitimate interests of the Company or a third party and such legitimate interests are not overridden by the Data Subject’s interests, fundamental rights or freedoms and provided that the Company is acting in a fair, transparent and accountable manner and has taken appropriate steps to prevent such activity having any unwarranted impact on the Data Subject, noting the right of the Data Subject to object to such uses, as discussed below).
The Company will not process Personal Data in a manner that is incompatible with the purposes communicated to Data Subjects without first advising the Data Subjects of any other purpose and the applicable basis upon which Processing is conducted.
4.5 Personal Data Minimisation
The Personal Data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is being processed.
4.6 Accurate Records
The Company will ensure that the Personal Data held is accurate and kept up to date. The accuracy of any Personal Data will be checked at the time of collection and at regular intervals or triggers thereafter. The Company will take all reasonable steps to amend inaccurate or out-of-date Personal Data.
4.7 Storage Limitation
The Company will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. It will take all reasonable steps to erase all Personal Data which is no longer required. The Company will be clear when informing the Data Subject about the length of time for which Personal Data will be kept or the criteria for determining such length of time and the reason why the information is being retained.
In processing Personal Data, the Company shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. In particular, the Company shall take all appropriate security, technical security and organisational measures to address the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
The Company will seek assurances from any service providers that act as Data Processors for the Company that they have implemented appropriate information security measures which comply with the relevant conditions of the DPL.
4.9 Transferring Personal Data to a country outside the EEA
Data Processors may only transfer Personal Data outside of the EEA (a) with the written consent of the Company (which will only be provided subject to certain conditions being satisfied); (b) where required to do so by EU law or the law of an EU member state to which the relevant Data Processor is subject; or (c) in certain limited circumstances set out in the DPL, e.g. in pursuance of compliance with decisions of public authorities of the Bailiwick based on an international agreement imposing international obligations on the Bailiwick.
Subject to the provision by the Data Processor of appropriate safeguards in compliance with the DPL and subject to the availability of rights and effective legal remedies for Data Subjects, or shall otherwise be in accordance with the requirements of the DPL.
5. Data Subject Rights
5.1 Right to Access
The Data Subject shall have the right to obtain confirmation from the Company as to whether or not Personal Data concerning them is being processed.
Where the Company is processing their Personal Data, the Data Subject will have the right to access such Personal Data and the following information (without limitation):
(a) the purpose of the processing;
(b) the categories of Personal Data concerned;
(c) the persons or categories of persons to whom the Personal Data may be disclosed, in particular recipients in third countries or international organisations;
(d) the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the Company rectification or erasure of the Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing;
(f) the right to lodge a complaint with the Data Protection Commission;
(g) where the Personal Data is not collected from the Data Subject, any available information as to their source; and
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
Where Personal Data is transferred to a third country or an international organisation, the Data Subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
The right to obtain a copy of the Personal Data undergoing processing will not adversely affect the rights and freedoms of others, meaning the relevant information will be redacted where necessary.
The Company will not charge a fee for complying with the Data Subject’s access request unless it can demonstrate that the request is excessive in nature, having regard to the number of requests made by the Data Subject. In such cases a reasonable fee based on administrative costs may be charged.
The information must be provided without delay and at the latest within one month. Where requests are complex, the Company will be able to extend the deadline for providing the information to three months. However, it must still respond to the request within a month, explaining why the extension is necessary.
The Company may refuse to act upon a request that is manifestly unfounded or excessive in nature, in which case it will inform the Data Subject of its reasons as soon as practicable in writing and inform the Data Subject of their right to lodge a complaint with the supervisory authority.
A request may be made by an individual, such as an investor or a director, and may be made in electronic format as well as by written request.
5.2 Right to be forgotten/erasure of Personal Data
The Data Subject shall have the right for Personal Data to be erased without undue delay in certain contexts including, but not limited to, where the Personal Data has been processed unlawfully or where the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise.
Given the specific nature for which the Company uses the Personal Data it collects, this is not likely to be applicable to the Data Subjects of the Company.
5.3 Right to the restriction of processing
Data Subjects have the right to require that the Company restrict processing of Personal Data in certain circumstances including, but not limited to, where the Personal Data is inaccurate, is no longer required in light of the purposes of the processing or the Data Subject has exercised their right to object (pending verification of any legitimate grounds of the Company which override those of the Data Subject).
Where processing has been restricted, such Personal Data shall, with the exception of storage, only be processed with the Data Subject’s consent. The Company will inform the Data Subject before the restriction of processing is lifted.
5.4 Right to object
The Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of Personal Data concerning them where the processing is based on the legitimate interests pursued by the Company.
The Company shall no longer process the Personal Data unless the Company demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Data Subjects shall have the right to object to the processing of Personal Data for direct marketing purposes at any time. Where the Data Subject objects to processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes.
5.5 Right to portability
Where the conditions in Section 14(1)(b) of the DPL are met, the Data Subject has the right to request the transmission of their Personal Data. This right is limited if the transmission were to adversely affect the rights and freedoms of others.
6. Third Party Service Providers
6.1 Where the Company instructs a third party to process personal data on its behalf (a third party Data Processor), the Data Processor must enter into a written agreement with the Company that:
(a) provides details of the processing of Personal Data that they are being instructed to carry out;
(b) requires the third party to process the Personal Data only in accordance with the Company’s written instructions and to the extent necessary for them to fulfil their obligations to the Company under the agreement;
(c) requires the third party to implement appropriate technical and organisational measures and controls to ensure the confidentiality and security of the personal data; and
(d) imposes any additional data processing obligations required by the DPL.
6.2 The data processing agreement should be signed by both parties before any Personal Data is transferred to the Data Processor.
6.3 Any party making amendments or unable to adhere to the data processing agreement should be referred to the Board before the agreement is signed.
6.4 When contracting with a Data Processor, it is important that the Company conducts appropriate due diligence both at the outset of the relationship and on a periodic basis. The due diligence should ensure that the Data Processor is capable of complying with the requirements of the written agreement as detailed above.
7. Co-operation with Supervisory Authorities
7.1 The Company shall cooperate, on request, with the relevant supervisory authority in the performance of its tasks.
7.2 Data Subjects may lodge complaints with the supervisory authority in respect of data protection in the jurisdiction of their residence.
8. Keeping Records of All Processing
8.1 The Company shall maintain accurate and complete records of all the processing activities it undertakes directly. This requires that the Company determine what Personal Data it holds, where it came from and who the Company shares it with. Similarly each Data Processor will be required to maintain accurate and complete records of all processing activities it undertakes directly.
8.2 A record of the Company’s processing activities is contained in Appendix I.
8.3 The Company will retain Personal Data for a period of up to seven years following the Data Subject’s disinvestment from the Company or at the point from when the business relationship with the Company has ceased. Information may be retained for a longer period where this is necessary for compliance with a legal obligation or for the establishment, exercise or defence of a legal claim. The Company and its duly authorised delegates will refrain from collecting any further Personal Data and shall take appropriate steps to dispose of any records containing Personal Data, to the extent that this is operationally feasible and proportionate.
9. Reporting of Personal Data Breaches
9.1 If the Company detects and records a Personal Data breach, it shall notify the supervisory authority without delay, and in any case not later than 72 hours, unless the breach is unlikely to result in a risk to the rights of the Data Subject. A notification letter template is set out in Appendix II.
9.2 Each Data Processor shall notify the Company without undue delay after becoming aware of a Personal Data breach and shall include in any such notification the applicable information referred to in the DPL (as set out in Appendix II) and shall provide all reasonable assistance to the Company in connection with any such Personal Data breach, including in particular facilitating the Company communicating details of any Personal Data breach to the relevant Data Subject if required, as described at sub-paragraph 9.4.
9.3 The Company shall document all Personal Data breaches, comprising the facts relating to the Personal Data breach, its effects and the remedial action taken.
9.4 Unless one of the conditions set out in sub-paragraphs (a) to (c) below is met, the Data Subject must also be notified without undue delay if the Personal Data breach is likely to result in a high risk to their rights and freedoms. The notification shall describe in clear and plain language the nature of the breach, the name of the contact point where more information can be obtained, the likely consequences and measures taken to mitigate or address the breach.
Notification to the Data Subject is not required in the following circumstances:
(a) where the relevant Personal Data is encrypted/protected in a manner making it unintelligible to unauthorised persons;
(b) where the Company has taken subsequent measures which ensure that the high risk to the rights and freedoms of the Data Subject from the breach is no longer likely to materialise;
(c) where an individual notification would involve disproportionate effort (e.g. public communication or similar is sufficient).
10.1 The Company works with third parties to research certain usage and activities on the website on our behalf. In the course of conducting this research, these third parties may place a unique ‘cookie’ on your browser. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors to their sites. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the website.
10.3 In addition, we may use two specific types of cookie on this website:
• Session cookies, which are temporary cookies that remain in the cookie file of your computer until you close your browser (at which point they are deleted).
• Persistent or stored cookies that remain permanently on the cookie file of your computer.
10.4 The web browsers of most computers are initially set up to accept cookies. If you prefer, you can set your web browser to disable cookies or to inform you when a website is attempting to add a cookie. You can also delete cookies that have previously been added to your computer’s cookie file.
10.5 You can set your browser to disable persistent cookies and/or session cookies but if you disable session cookies, although you will be able to view this website’s unsecured pages, you may not be able to log onto any authenticated pages. Please visit http://www.allaboutcookies.org/manage-cookies/ to discover how to disable and delete cookies.
11. Web Beacons And Spotlight Tags
This website may also contain electronic images, known as web beacons or spotlight tags. These enable us to count users who have visited certain pages on the website. Web beacons and spotlight tags are simply tools used to obtain generic information about the web pages visited.
12. Your Queries
If you have any questions about our use of your personal data, our retention procedures or our security processes or privacy issues generally, please contact:
Sniper Capital Limited
13. Company Directors Oversight and Updates to this Policy
13.1 The Company’s directors will be responsible for the oversight of compliance with this Policy. They will review the appropriateness of this Policy annually and will ensure that it is operating as intended. They will also review this Policy to ensure that it continues to be compliant with applicable national and international regulations, principles and standards.
13.2 This Policy shall be reviewed and updated as necessary on at least an annual basis or as and when is required or deemed necessary by the Company. Material changes to this Policy will be approved by the directors.
Appendix I – Records of Processing activities in accordance with Article 30 of the Data Protection Legislation
The Data Controller
- Name and contact details of Data Controller: Sniper Capital Limited | firstname.lastname@example.org
- The categories of Data Subjects: Public individuals that visit the company’s website and provide the Company with Personal Data.
- The categories of Personal Data: Name, residential address, email address, contact details, corporate contact information, signature, nationality, place of birth, date of birth, tax identification, credit history, correspondence records, passport number, bank account details, source of Company’s details and details relating to investment activity, any other information about you that is disclosed to us when registering interest via our website, your IP address, your browser type and language and other information about your visit to our website, cookies and online identifiers.
- Suitable safeguards in the case of transfers in line with Article 49(1) of the Data Protection Legislation: In line with market standards
Appendix II – Notification Letter Template (required information under Article 33 of the Data Protection Legislation)
Data Protection Commissioner
The Office of the Data Protection Commissioner
Guernsey Information Centre,
St Peter’s Port,
Dear [ ]
Notification of Breach
[Insert a description of the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned].
[Insert the name and contact details of the data protection officer or other contact point where more information can be obtained].
[Insert a description of the likely consequences of the Personal Data breach].
[Insert a description of the measures taken or proposed to be taken by the Data Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects].