For a better experience on Cayman Islands Monetary Authority, update your browser.
Cayman Islands

Cayman Islands Monetary Authority’s Privacy Notice

 

This Privacy Notice lays out the manner in which Cayman Islands Monetary Authority (“CIMA”) collects, uses, maintains and otherwise process personal data collected from data subjects (i.e. a living individual who can be identified directly or indirectly based on their personal data). This Privacy Notice applies to the website and all products and services offered by CIMA.

This Privacy Notice provides you with the details of how and why CIMA processes personal data.  We will explain how we obtain and handle your personal data, provide you with information about your rights as a data subject, and how to contact us if you have any questions.

Why we collect personal data

We may collect personal information from you in a variety of ways, including, but not limited to, to enable us to carry out our regulatory, monetary, advisory, and co-operative functions, when you visit our website, register on the website, place an order, fill out a form, respond to a survey, subscribe to the newsletter and in connection with other activities, services, features or resources we make available.  You may be asked for, as appropriate, name, email address, mailing address, phone number, credit card information, a government issued identification number.

Table 1 provides some examples of who personal data is collected from and why the personal data is collected:

Table 1 – Collection of Personal Data

Who personal data is collected from

Why personal data is collected

Numismatic coin collectors

To facilitate the sale and redemption of numismatic coins.

Regulated and registered persons and their customers

To authorize persons, assess compliance with regulatory laws and measures, and take appropriate enforcement actions when necessary.

Visitors to CIMA

To employ proper security and safety measures for the benefit of employees and visitors.

Conference participants, participants of public education efforts, survey participants, and other forms of stakeholder engagement.

To enable us to measure impact of content delivery, consider feedback and identify improvement opportunities.

Job applicants, interns, current and former employees, Board members

To enable us to identify and employ suitable candidates, to comply with our obligations as an employer, to participate in community and staff events, and to meet corporate governance requirements.

Complainants or persons who contact us with questions

To address complaints or respond to questions from persons.

Users of the website

To monitor website use to identify areas for improvement and obtain webpage statistics.

Persons using the web portals to submit information

To receive applications, questionnaires, regulatory filings, and other documentation electronically.

Newsletter subscribers and social media followers

To enable us to correspond directly with you.

Vendors and other persons who work on our behalf

To enable us to provide goods and services for regulated persons, our employees, and to the general public.

Beneficiaries of social contributions

To enable us to perform charitable acts.

Scholarship applicants

To process scholarship applications.

What data do we collect? 

We collect personal data from individuals who are involved with a regulated entity, employees, vendors, consultants, our customers, and other individuals who we interact with in order to provide a good or service, employ, to meet our operational needs, or when you interact with us for other reasons.  The amount of data we collect varies and depends on the reason for collecting the personal data.

In some instances, for instance for KYC purposes, we collect your sensitive personal data such as your association memberships or whether you are a Politically Exposed Person (PEP).  We may also collect or store your sensitive personal data such as your health and marital status.

You will either provide us your personal data or some of your personal data will come to us from third parties (such as your employer).  We may have information such as your names, address, and date of birth; personal identification documents; employment details, financial information such as bank accounts, correspondence to and from you, personal data for safety and assurance reasons such as video surveillance.

It is most likely that you or a third party will provide your personal data to CIMA:

  • For employment purposes
  • For audit purposes
  • By completing an application form required for regulated entities or individuals
  • For regulatory purposes
  • For strategic management reasons
  • To deliver products that you have requested from CIMA
  • To register you for surveys, events, or meetings
  • To provide you with newsletters, reports, or announcements
  • For risk management reasons
  • To prevent or detect crime
  • For the assessment or collection of any fees

Web browser cookies and how we use them

Our website may use "cookies" to enhance your experience. “Cookies” are text files placed on your computer to collect standard internet log information and visitor behaviour information.  Your web browsers place cookies on your hard drive for record-keeping purposes and sometimes to track information about you.  You may choose to set your web browser to refuse cookies, or to alert you when cookies are being sent.  If you do so, note that some parts of the website may not function properly.

Cookies can be used to

  • Assist CIMA with our promotional and marketing efforts
  • Assist in your navigation of the website

CIMA will utilize more than one cookie or one type of cookie.  A cookie may be set for the website to function properly, to enable CIMA to track page popularity (or lack thereof), or for advertising or marketing purposes.  In general, we use the following cookies:

  • Examples of the type of cookie: AdWords Re-marketing Tag such as Google AdWords
  • Examples of type of cookie: _ga by Google Analytics

For further information about cookies, visit www.allaboutcookies.org

How we protect your information

We have established and are continuously improving organizational measures to protect your personal data.  Our physical and information and communications technology (ICT) security measures aim to guard against unauthorized access, alteration, disclosure or destruction of your personal data whether stored internally or externally.

We develop and maintain security policies and procedures applicable to all staff regarding use of software and hardware, access security, and data breaches. Where we use third parties to provide a service involving personal data, our contract with third parties specifies the confidentiality and protection of personal data.

In certain circumstances, we may transfer your personal data to countries outside of the Cayman Islands, whether or not they have adequate data protection laws and measures in place.  Such circumstances where transfers may take place include where the transfer is required under international cooperation agreements of which CIMA is a party, with your consent, the transfer is necessary for reasons of substantial public interest, the transfer is necessary or the performance of a contract, or other relevant reasons as listed in Schedule 4 of the Data Protection Law (DPL) or as prescribed in the regulations.

Sharing your personal information

Your information will be shared with our employees, consultants, agents, and other service providers where it is necessary for the performance of their duties and in accordance with the reasons for processing your personal data. In some instances, we make the decision to disclose personal data on a case-by-case basis whether as a result of relevant legislation or by a court order.

CIMA is subject to the National Archive and Public Records Law (NAPRL), which governs the preservation of public record.  Therefore, it may be possible that records of historical or cultural significance that may contain your personal data, will be transferred to the Cayman Islands National Archive.  Such records may contain your personal data and unless exempted or excluded by legislation, may be retained permanently by the Cayman Islands National Archive.

Where we share information with data controllers or data processors outside the Cayman Islands, and subject to any exclusions as per the DPL, we will ensure that they have the appropriate safeguards in place to protect your personal data.

We may share generic aggregated demographic information not linked to any personal identification information with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third party service providers to help us operate our business on our behalf, such as sending out newsletters or surveys.

We do not sell, trade, rent or otherwise share your personal data unless as described or with your consent.

Table 2 summarizes some instances where we may share your personal data and some of the reasons for doing so.

Table 2 - Sharing personal data

Personal data may be shared with

So that we are able to

Consultants, special project managers, and other contractual arrangements

Fulfil our functions by providing them the information required.

Other regulatory authorities in or outside the Cayman Islands

Fulfil our principal functions by providing assistance to or receiving assistance from overseas regulatory authorities or by conducting fit and proper assessments on regulated and registered persons.

Government agencies in or outside the Cayman Islands

Carry out our functions and meet legal requirements.

Law enforcement agencies in or outside the Cayman Islands

Facilitate the conduct of investigations about persons suspected of criminal activities.

Industry associations, educational institutions, or other professional bodies

To facilitate the fit and proper assessment of persons doing business with or regulated by CIMA.

CIMA’s vendors/suppliers or others who work on our behalf

Operate in an effective and efficient manner regarding all products and services provided.

How long we retain your information

We will keep your personal data for as long as necessary to fulfil our purposes and as required by law.

Our legal basis for collecting personal data

We rely on several legal bases for processing your personal information.  The legal basis on which personal data may be processed is covered by the DPL and we will process your personal data under a lawful basis only some of which are:

  • To carry out our public functions – We will process your personal information for the purposes of carrying out our regulatory, monitoring or inspection functions.  We are required, under relevant legislation, to collect, hold, and share information in specific circumstances, which may include personal information including personal information to law enforcement agencies and other regulatory authorities.
  • For the performance of a contract – We will process your personal data when entering into a contract with you or to perform a contract you have entered with us such as an employment contract or vendor contract.

  • Consent – We may rely on your consent for processing your personal data such as for the purposes of direct marketing or our public education efforts. You may withdraw your consent at any time.

  • Legal Obligation – we may process your personal data in order to comply with a common law or statutory obligation. For instance, we may be required to disclose employee salaries for national statistical purposes or to provide your personal data as per a court order.

  • Legitimate Interest – if we are processing your personal data for a reason other than to carry out our public functions, we may rely on processing for the purposes of legitimate interest but only where the processing of your personal data is necessary to achieve the task at hand and where your interests, rights, and freedoms are protected. The processing of legitimate interests may be for our benefit, the benefit of a third party, or the benefit of society. For instance, for the purpose of workplace surveillance, fraud prevention, IT systems monitoring, etc. The legitimate interest condition will be used only where appropriate and if there are no other legal basis under which the personal data can be processed.

  • Vital Interest – Though it is unlikely we will process personal data under this legal basis, this may be necessary in the event of a natural disaster, epidemic, or other life or death unforeseen circumstances where it becomes necessary for us to process personal data.

How we use your personal data

We use the personal data we collect to carry out our functions in accordance with the Monetary Authority Law and all regulatory laws, the Public Authorities Law and other local legislation including those applicable to Statutory Authorities and Government Companies (SAGCs), obligations required by international standard setters, laws and regulations to combat money laundering, terrorist financing, and proliferation financing (ML/TF/PF). As the financial services regulator for the Cayman Islands, CIMA engages in a number of activities to enable us to carry out our functions and obligations.  The personal data we collect is processed fairly and appropriately and is not excessive. In some instances, we may have to check other sources in an effort to verify accuracy of the personal data you have provided, this means the personal data may be shared or disclosed to other organizations or we may undertake a review of publicly available sources.

The personal data collected will be used for the original purpose for which it was collected. The personal data will only be used for a new purpose if 1) the new purpose is compatible with the original purpose; 2) we have obtained your consent; or 3) we are legally obligated to do so. CIMA will not use the personal data to make decisions about you based solely on an automated decision-making process such as for profiling purposes.

The below table summaries some of what personal data is used for.

Table 3 – Use of personal data

Personal data is used for

So that we are able to

Applications for licensing or registration

Determine whether persons meet the requirements under the regulatory laws to carry on financial services business.

Fitness and propriety assessments

Determine whether persons are fit and proper to carry on or provide services to financial services business, to become vendors or employees of CIMA, etc.

Conducting surveys, outreach, fundraising events, and other activities to engage stakeholders and the general public

Plan, execute, assess, and improve our public education efforts.

Investigations and enforcement of licensed, registered persons or other persons

Prevent, detect, or take action against persons who engage in criminal activities or do not comply with regulatory laws and measures. Such action may include the imposition of administrative fines where appropriate.
Supervising licensed or registered persons

Carry out inspections and other supervision activities to ensure compliance with regulatory laws and measures.

Development of regulatory policies, procedures, rules, and other guidance

Consult with persons for feedback on regulatory measures.

Carrying out our non-regulatory functions

Comply with employment requirements, manage internal software and tools, process accounts receivables and accounts payables, and carry out other internal functions necessary for the functioning of CIMA.

Communicating and responding to enquiries

Provide responses to enquiries and communicate effectively with persons.

Your rights regarding your personal data

You have certain rights regarding your personal data (see Table 4). However, depending on the purposes for which we are processing your personal data, your ability to exercise your rights may be limited and we may not be able to comply with your request. We will be able to advise you further when you seek to exercise your rights.

Table 4 – Rights regarding personal data

Your rights

Brief explanation

Be informed about how we process your personal data

This Privacy Notice explains how we process your personal data including what we collect, why we collect it, and the measures we use to secure your personal data.

Access your personal data and certain information about its use

If you would like a copy of your personal data or obtain specific information about it, you may make a Data Subject Access Request (“DSAR”). Though completion of a DSAR form is optional, we recommend you complete the form for efficiency purposes.

Require that processing of your personal data cease, not begin at all, or cease for a specified purposes or in a specified manner

You can require that we stop processing your personal data. You do not have to provide a reason for your request.

Require that we cease the processing of your personal data for direct marketing purposes 

If we process your personal data for direct marketing purposes, for instance, via you signing up for our newsletter or other notifications, and you wish to withdraw your consent

Require that processing of your personal data cease, if a decision that significantly affects you is made based solely on the processing of your personal data by automatic means.

If there is a situation where we perform automated decision-making based on your personal data we will inform you. You can then inform us to reconsider the decision being made on that basis.

Seek rectification, blocking, erasure or destruction of inaccurate personal data

If the personal data we hold is inaccurate, you state your preference on how this should be handled.

Complain to the Ombudsman regarding your personal data or on behalf of another person regarding their personal data (with proper authorization)

You can make a complaint to the Ombudsman. See www.ombudsman.ky for more details.

Contact us

To make a request relating to your personal data, please contact us using any means convenient to you. To improve efficiency and accuracy, we encourage you to put your requests in writing, though this is not always required. You may contact us at:

Physical address:

SIX, Cricket Square
Elgin Avenue
George Town

dataprotection@cima.ky

1 (345)-949-7089

Mailing address:

Data Privacy Officer
Cayman Islands Monetary Authority
P.O. Box 10052
Grand Cayman, KY1-1001
Cayman Islands

Social media:

Facebook and LinkedIn

Changes to this Privacy Notice

CIMA has the discretion to update this Privacy Notice at any time. We encourage you to frequently check this page for any changes to stay informed about how we are processing your personal data. If any changes are made to this Privacy Notice, we will provide a prominent notice on our website so that you can review the updated Privacy Notice.